02156540b013d64be818a91df2aacca85b28861c5ff79a8f4b212a0c3f82592a

Analysis

max time kernel
150s
max time network
79s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
04-07-2023 05:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PAYMENT DETAILS.exe
Size

758KB
MD5

4fe00a2df62b1a34a6c6a674da23a11d
SHA1

e5fad10f3553622396cf0e37af55c511f9481634
SHA256

02156540b013d64be818a91df2aacca85b28861c5ff79a8f4b212a0c3f82592a
SHA512

0cd61e58ad92c642dde06f8b3d0ea97db61fbfa7ccc7179bc2481bd0c40e86fb1a3b12fa20c1f60fe956af81dbc963feb471c69977c17c276a75b9ce5ecf1d2a
SSDEEP

12288:iRUCiqqldOYoEShKbHV5Fp8yu3UwtY+HjL52SLros6:HCiqqldOYoHkbHrF3u3PtY+Hes6

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 64 IoCs

pid	Process
2952	PAYMENT DETAILS.exe
2952	PAYMENT DETAILS.exe
2952	PAYMENT DETAILS.exe
2952	PAYMENT DETAILS.exe
2952	PAYMENT DETAILS.exe
2952	PAYMENT DETAILS.exe
2952	PAYMENT DETAILS.exe
2952	PAYMENT DETAILS.exe
2952	PAYMENT DETAILS.exe
2952	PAYMENT DETAILS.exe
2952	PAYMENT DETAILS.exe
2952	PAYMENT DETAILS.exe
2952	PAYMENT DETAILS.exe
2952	PAYMENT DETAILS.exe
2952	PAYMENT DETAILS.exe
2952	PAYMENT DETAILS.exe
2952	PAYMENT DETAILS.exe
2952	PAYMENT DETAILS.exe
2952	PAYMENT DETAILS.exe
2952	PAYMENT DETAILS.exe
2952	PAYMENT DETAILS.exe
2952	PAYMENT DETAILS.exe
2952	PAYMENT DETAILS.exe
2952	PAYMENT DETAILS.exe
2952	PAYMENT DETAILS.exe
2952	PAYMENT DETAILS.exe
2952	PAYMENT DETAILS.exe
2952	PAYMENT DETAILS.exe
2952	PAYMENT DETAILS.exe
2952	PAYMENT DETAILS.exe
2952	PAYMENT DETAILS.exe
2952	PAYMENT DETAILS.exe
2952	PAYMENT DETAILS.exe
2952	PAYMENT DETAILS.exe
2952	PAYMENT DETAILS.exe
2952	PAYMENT DETAILS.exe
2952	PAYMENT DETAILS.exe
2952	PAYMENT DETAILS.exe
2952	PAYMENT DETAILS.exe
2952	PAYMENT DETAILS.exe
2952	PAYMENT DETAILS.exe
2952	PAYMENT DETAILS.exe
2952	PAYMENT DETAILS.exe
2952	PAYMENT DETAILS.exe
2952	PAYMENT DETAILS.exe
2952	PAYMENT DETAILS.exe
2952	PAYMENT DETAILS.exe
2952	PAYMENT DETAILS.exe
2952	PAYMENT DETAILS.exe
2952	PAYMENT DETAILS.exe
2952	PAYMENT DETAILS.exe
2952	PAYMENT DETAILS.exe
2952	PAYMENT DETAILS.exe
2952	PAYMENT DETAILS.exe
2952	PAYMENT DETAILS.exe
2952	PAYMENT DETAILS.exe
2952	PAYMENT DETAILS.exe
2952	PAYMENT DETAILS.exe
2952	PAYMENT DETAILS.exe
2952	PAYMENT DETAILS.exe
2952	PAYMENT DETAILS.exe
2952	PAYMENT DETAILS.exe
2952	PAYMENT DETAILS.exe
2952	PAYMENT DETAILS.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Fonts\Udprgedes\Disclaimers\Afgiftspligtige.ini	PAYMENT DETAILS.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2028	powershell.exe
2148	powershell.exe
2876	powershell.exe
564	powershell.exe
532	powershell.exe
816	powershell.exe
2172	powershell.exe
3056	powershell.exe
2616	powershell.exe
2532	powershell.exe
560	powershell.exe
2296	powershell.exe
1064	powershell.exe
1932	powershell.exe
2112	powershell.exe
2876	powershell.exe
2800	powershell.exe
1540	powershell.exe
2896	powershell.exe
2080	powershell.exe
2276	powershell.exe
2660	powershell.exe
2444	powershell.exe
884	powershell.exe
2096	powershell.exe
1968	powershell.exe
1244	powershell.exe
3004	powershell.exe
2524	powershell.exe
2196	powershell.exe
2804	powershell.exe
1900	powershell.exe
2176	powershell.exe
1512	powershell.exe
2688	powershell.exe
2944	powershell.exe
1904	powershell.exe
2104	powershell.exe
2436	powershell.exe
2028	powershell.exe
2276	powershell.exe
2660	powershell.exe
2444	powershell.exe
884	powershell.exe
1252	powershell.exe
2864	powershell.exe
2344	powershell.exe
2596	powershell.exe
2972	powershell.exe
852	powershell.exe
1744	powershell.exe
1684	powershell.exe
1752	powershell.exe
2344	powershell.exe
2652	powershell.exe
2972	powershell.exe
980	powershell.exe
2396	powershell.exe
1988	powershell.exe
1116	powershell.exe
3000	powershell.exe
2988	powershell.exe
1804	powershell.exe
2068	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2028	powershell.exe
Token: SeDebugPrivilege	2148	powershell.exe
Token: SeDebugPrivilege	2876	powershell.exe
Token: SeDebugPrivilege	564	powershell.exe
Token: SeDebugPrivilege	532	powershell.exe
Token: SeDebugPrivilege	816	powershell.exe
Token: SeDebugPrivilege	2172	powershell.exe
Token: SeDebugPrivilege	3056	powershell.exe
Token: SeDebugPrivilege	2616	powershell.exe
Token: SeDebugPrivilege	2532	powershell.exe
Token: SeDebugPrivilege	560	powershell.exe
Token: SeDebugPrivilege	2296	powershell.exe
Token: SeDebugPrivilege	1064	powershell.exe
Token: SeDebugPrivilege	1932	powershell.exe
Token: SeDebugPrivilege	2112	powershell.exe
Token: SeDebugPrivilege	2876	powershell.exe
Token: SeDebugPrivilege	2800	powershell.exe
Token: SeDebugPrivilege	1540	powershell.exe
Token: SeDebugPrivilege	2896	powershell.exe
Token: SeDebugPrivilege	2080	powershell.exe
Token: SeDebugPrivilege	2276	powershell.exe
Token: SeDebugPrivilege	2660	powershell.exe
Token: SeDebugPrivilege	2444	powershell.exe
Token: SeDebugPrivilege	884	powershell.exe
Token: SeDebugPrivilege	2096	powershell.exe
Token: SeDebugPrivilege	1968	powershell.exe
Token: SeDebugPrivilege	1244	powershell.exe
Token: SeDebugPrivilege	3004	powershell.exe
Token: SeDebugPrivilege	2524	powershell.exe
Token: SeDebugPrivilege	2196	powershell.exe
Token: SeDebugPrivilege	2804	powershell.exe
Token: SeDebugPrivilege	1900	powershell.exe
Token: SeDebugPrivilege	2176	powershell.exe
Token: SeDebugPrivilege	1512	powershell.exe
Token: SeDebugPrivilege	2688	powershell.exe
Token: SeDebugPrivilege	2944	powershell.exe
Token: SeDebugPrivilege	1904	powershell.exe
Token: SeDebugPrivilege	2104	powershell.exe
Token: SeDebugPrivilege	2436	powershell.exe
Token: SeDebugPrivilege	2028	powershell.exe
Token: SeDebugPrivilege	2276	powershell.exe
Token: SeDebugPrivilege	2660	powershell.exe
Token: SeDebugPrivilege	2444	powershell.exe
Token: SeDebugPrivilege	884	powershell.exe
Token: SeDebugPrivilege	1252	powershell.exe
Token: SeDebugPrivilege	2864	powershell.exe
Token: SeDebugPrivilege	2344	powershell.exe
Token: SeDebugPrivilege	2596	powershell.exe
Token: SeDebugPrivilege	2972	powershell.exe
Token: SeDebugPrivilege	852	powershell.exe
Token: SeDebugPrivilege	1744	powershell.exe
Token: SeDebugPrivilege	1684	powershell.exe
Token: SeDebugPrivilege	1752	powershell.exe
Token: SeDebugPrivilege	2344	powershell.exe
Token: SeDebugPrivilege	2652	powershell.exe
Token: SeDebugPrivilege	2972	powershell.exe
Token: SeDebugPrivilege	980	powershell.exe
Token: SeDebugPrivilege	2396	powershell.exe
Token: SeDebugPrivilege	1988	powershell.exe
Token: SeDebugPrivilege	1116	powershell.exe
Token: SeDebugPrivilege	3000	powershell.exe
Token: SeDebugPrivilege	2988	powershell.exe
Token: SeDebugPrivilege	1804	powershell.exe
Token: SeDebugPrivilege	2068	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2952 wrote to memory of 2028	2952	PAYMENT DETAILS.exe	28
PID 2952 wrote to memory of 2028	2952	PAYMENT DETAILS.exe	28
PID 2952 wrote to memory of 2028	2952	PAYMENT DETAILS.exe	28
PID 2952 wrote to memory of 2028	2952	PAYMENT DETAILS.exe	28
PID 2952 wrote to memory of 2148	2952	PAYMENT DETAILS.exe	30
PID 2952 wrote to memory of 2148	2952	PAYMENT DETAILS.exe	30
PID 2952 wrote to memory of 2148	2952	PAYMENT DETAILS.exe	30
PID 2952 wrote to memory of 2148	2952	PAYMENT DETAILS.exe	30
PID 2952 wrote to memory of 2876	2952	PAYMENT DETAILS.exe	32
PID 2952 wrote to memory of 2876	2952	PAYMENT DETAILS.exe	32
PID 2952 wrote to memory of 2876	2952	PAYMENT DETAILS.exe	32
PID 2952 wrote to memory of 2876	2952	PAYMENT DETAILS.exe	32
PID 2952 wrote to memory of 564	2952	PAYMENT DETAILS.exe	34
PID 2952 wrote to memory of 564	2952	PAYMENT DETAILS.exe	34
PID 2952 wrote to memory of 564	2952	PAYMENT DETAILS.exe	34
PID 2952 wrote to memory of 564	2952	PAYMENT DETAILS.exe	34
PID 2952 wrote to memory of 532	2952	PAYMENT DETAILS.exe	36
PID 2952 wrote to memory of 532	2952	PAYMENT DETAILS.exe	36
PID 2952 wrote to memory of 532	2952	PAYMENT DETAILS.exe	36
PID 2952 wrote to memory of 532	2952	PAYMENT DETAILS.exe	36
PID 2952 wrote to memory of 816	2952	PAYMENT DETAILS.exe	38
PID 2952 wrote to memory of 816	2952	PAYMENT DETAILS.exe	38
PID 2952 wrote to memory of 816	2952	PAYMENT DETAILS.exe	38
PID 2952 wrote to memory of 816	2952	PAYMENT DETAILS.exe	38
PID 2952 wrote to memory of 2172	2952	PAYMENT DETAILS.exe	40
PID 2952 wrote to memory of 2172	2952	PAYMENT DETAILS.exe	40
PID 2952 wrote to memory of 2172	2952	PAYMENT DETAILS.exe	40
PID 2952 wrote to memory of 2172	2952	PAYMENT DETAILS.exe	40
PID 2952 wrote to memory of 3056	2952	PAYMENT DETAILS.exe	42
PID 2952 wrote to memory of 3056	2952	PAYMENT DETAILS.exe	42
PID 2952 wrote to memory of 3056	2952	PAYMENT DETAILS.exe	42
PID 2952 wrote to memory of 3056	2952	PAYMENT DETAILS.exe	42
PID 2952 wrote to memory of 2616	2952	PAYMENT DETAILS.exe	44
PID 2952 wrote to memory of 2616	2952	PAYMENT DETAILS.exe	44
PID 2952 wrote to memory of 2616	2952	PAYMENT DETAILS.exe	44
PID 2952 wrote to memory of 2616	2952	PAYMENT DETAILS.exe	44
PID 2952 wrote to memory of 2532	2952	PAYMENT DETAILS.exe	46
PID 2952 wrote to memory of 2532	2952	PAYMENT DETAILS.exe	46
PID 2952 wrote to memory of 2532	2952	PAYMENT DETAILS.exe	46
PID 2952 wrote to memory of 2532	2952	PAYMENT DETAILS.exe	46
PID 2952 wrote to memory of 560	2952	PAYMENT DETAILS.exe	48
PID 2952 wrote to memory of 560	2952	PAYMENT DETAILS.exe	48
PID 2952 wrote to memory of 560	2952	PAYMENT DETAILS.exe	48
PID 2952 wrote to memory of 560	2952	PAYMENT DETAILS.exe	48
PID 2952 wrote to memory of 2296	2952	PAYMENT DETAILS.exe	50
PID 2952 wrote to memory of 2296	2952	PAYMENT DETAILS.exe	50
PID 2952 wrote to memory of 2296	2952	PAYMENT DETAILS.exe	50
PID 2952 wrote to memory of 2296	2952	PAYMENT DETAILS.exe	50
PID 2952 wrote to memory of 1064	2952	PAYMENT DETAILS.exe	52
PID 2952 wrote to memory of 1064	2952	PAYMENT DETAILS.exe	52
PID 2952 wrote to memory of 1064	2952	PAYMENT DETAILS.exe	52
PID 2952 wrote to memory of 1064	2952	PAYMENT DETAILS.exe	52
PID 2952 wrote to memory of 1932	2952	PAYMENT DETAILS.exe	54
PID 2952 wrote to memory of 1932	2952	PAYMENT DETAILS.exe	54
PID 2952 wrote to memory of 1932	2952	PAYMENT DETAILS.exe	54
PID 2952 wrote to memory of 1932	2952	PAYMENT DETAILS.exe	54
PID 2952 wrote to memory of 2112	2952	PAYMENT DETAILS.exe	56
PID 2952 wrote to memory of 2112	2952	PAYMENT DETAILS.exe	56
PID 2952 wrote to memory of 2112	2952	PAYMENT DETAILS.exe	56
PID 2952 wrote to memory of 2112	2952	PAYMENT DETAILS.exe	56
PID 2952 wrote to memory of 2876	2952	PAYMENT DETAILS.exe	58
PID 2952 wrote to memory of 2876	2952	PAYMENT DETAILS.exe	58
PID 2952 wrote to memory of 2876	2952	PAYMENT DETAILS.exe	58
PID 2952 wrote to memory of 2876	2952	PAYMENT DETAILS.exe	58

C:\Users\Admin\AppData\Local\Temp\PAYMENT DETAILS.exe
"C:\Users\Admin\AppData\Local\Temp\PAYMENT DETAILS.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2952
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell 0x05 -bxor 78
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2028
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell 0x0B -bxor 78
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2148
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell 0x1C -bxor 78
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2876
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell 0x00 -bxor 78
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:564
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell 0x0B -bxor 78
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:532
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell 0x02 -bxor 78
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:816
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell 0x7D -bxor 78
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2172
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell 0x7C -bxor 78
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3056
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell 0x74 -bxor 78
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2616
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell 0x74 -bxor 78
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2532
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell 0x0D -bxor 78
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:560
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell 0x3C -bxor 78
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2296
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell 0x2B -bxor 78
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1064
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell 0x2F -bxor 78
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1932
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell 0x3A -bxor 78
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2112
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell 0x2B -bxor 78
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2876
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell 0x08 -bxor 78
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2800
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell 0x27 -bxor 78
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1540
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell 0x22 -bxor 78
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2896
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell 0x2B -bxor 78
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2080
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell 0x0F -bxor 78
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2276
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell 0x66 -bxor 78
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2660
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell 0x23 -bxor 78
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2444
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell 0x6E -bxor 78
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:884
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell 0x3C -bxor 78
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2096
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell 0x7A -bxor 78
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1968
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell 0x6E -bxor 78
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1244
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell 0x62 -bxor 78
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3004
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell 0x6E -bxor 78
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2524
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell 0x27 -bxor 78
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2196
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell 0x6E -bxor 78
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2804
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell 0x7E -bxor 78
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1900
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell 0x36 -bxor 78
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2176
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell 0x76 -bxor 78
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1512
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell 0x7E -bxor 78
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2688
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell 0x7E -bxor 78
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2944
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell 0x7E -bxor 78
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1904
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell 0x7E -bxor 78
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2104
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell 0x7E -bxor 78
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2436
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell 0x7E -bxor 78
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2028
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell 0x7E -bxor 78
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2276
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell 0x62 -bxor 78
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2660
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell 0x6E -bxor 78
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2444
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell 0x27 -bxor 78
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:884
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell 0x6E -bxor 78
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1252
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell 0x7E -bxor 78
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2864
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell 0x62 -bxor 78
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2344
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell 0x6E -bxor 78
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2596
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell 0x3E -bxor 78
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2972
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell 0x6E -bxor 78
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:852
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell 0x7E -bxor 78
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1744
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell 0x62 -bxor 78
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1684
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell 0x6E -bxor 78
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1752
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell 0x27 -bxor 78
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2344
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell 0x6E -bxor 78
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2652
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell 0x7A -bxor 78
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2972
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell 0x62 -bxor 78
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:980
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell 0x6E -bxor 78
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2396
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell 0x27 -bxor 78
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1988
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell 0x6E -bxor 78
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1116
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell 0x7E -bxor 78
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3000
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell 0x36 -bxor 78
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2988
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell 0x76 -bxor 78
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1804
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell 0x7E -bxor 78
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2068
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell 0x62 -bxor 78
  2⤵
  PID:2056
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell 0x6E -bxor 78
  2⤵
  PID:2880
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell 0x27 -bxor 78
  2⤵
  PID:2092
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell 0x6E -bxor 78
  2⤵
  PID:2560
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell 0x7E -bxor 78
  2⤵
  PID:2940
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell 0x67 -bxor 78
  2⤵
  PID:1516
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell 0x27 -bxor 78
  2⤵
  PID:2248
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell 0x60 -bxor 78
  2⤵
  PID:268
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell 0x3C -bxor 78
  2⤵
  PID:3064
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell 0x7B -bxor 78
  2⤵
  PID:3056
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell 0x3F -bxor 78
  2⤵
  PID:2640
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell 0x43 -bxor 78
  2⤵
  PID:564
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell 0x44 -bxor 78
  2⤵
  PID:2004
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell 0x05 -bxor 78
  2⤵
  PID:2396
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell 0x0B -bxor 78
  2⤵
  PID:1572
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell 0x1C -bxor 78
  2⤵
  PID:1636
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell 0x00 -bxor 78
  2⤵
  PID:1380
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell 0x0B -bxor 78
  2⤵
  PID:2492
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell 0x02 -bxor 78
  2⤵
  PID:2556
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell 0x7D -bxor 78
  2⤵
  PID:2164
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell 0x7C -bxor 78
  2⤵
  PID:2308
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell 0x74 -bxor 78
  2⤵
  PID:2372
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell 0x74 -bxor 78
  2⤵
  PID:1096
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell 0x18 -bxor 78
  2⤵
  PID:2996
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell 0x27 -bxor 78
  2⤵
  PID:2972
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell 0x3C -bxor 78
  2⤵
  PID:908
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell 0x3A -bxor 78
  2⤵
  PID:2424
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell 0x3B -bxor 78
  2⤵
  PID:816
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell 0x2F -bxor 78
  2⤵
  PID:2076
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell 0x22 -bxor 78
  2⤵
  PID:2668
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell 0x0F -bxor 78
  2⤵
  PID:2660
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell 0x22 -bxor 78
  2⤵
  PID:1904
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell 0x22 -bxor 78
  2⤵
  PID:1744
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell 0x21 -bxor 78
  2⤵
  PID:1900
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell 0x2D -bxor 78
  2⤵
  PID:1752
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell 0x66 -bxor 78
  2⤵
  PID:2676
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell 0x27 -bxor 78
  2⤵
  PID:2652
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell 0x6E -bxor 78
  2⤵
  PID:2444

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsj2723.tmp\nsExec.dll

Filesize
6KB

MD5
fa299e199922b3ba833be655a8d71b75

SHA1
4d74c53bb6927a2831df93af26f3e4e4fb007797

SHA256
49a6a1c1f19574b2a247ce6c5adc0751e046d27c30912816ba415f871b74ae5d

SHA512
7ceb64d3d826762994c48ffad3ad2234410cbcdbedfce9a2dc03d18915ce22d687173f90e954d7bdb0eae76954c360059ad761aedc48cd7fa4ec29d6094f6a65

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\N0HGJJC45ECF4B2DLUF1.temp

Filesize
7KB

MD5
db5a0df4bef393b5db36fda025f56c68

SHA1
03981e67ba459135143df18d3d50e32ad3b76f01

SHA256
3fa5d38cbb35ec5b3cd1fa586a1408b7e4e8a1674550389fe3ad4492aa3e49b6

SHA512
f0fdc2a589ce8f9d9f0162c072c435df0affe0c844be07f586f7520fed64f99c050953008ec5b9208ce1220eb074b66ccf81edea64ebcb199237aa45622cba1a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
db5a0df4bef393b5db36fda025f56c68

SHA1
03981e67ba459135143df18d3d50e32ad3b76f01

SHA256
3fa5d38cbb35ec5b3cd1fa586a1408b7e4e8a1674550389fe3ad4492aa3e49b6

SHA512
f0fdc2a589ce8f9d9f0162c072c435df0affe0c844be07f586f7520fed64f99c050953008ec5b9208ce1220eb074b66ccf81edea64ebcb199237aa45622cba1a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
db5a0df4bef393b5db36fda025f56c68

SHA1
03981e67ba459135143df18d3d50e32ad3b76f01

SHA256
3fa5d38cbb35ec5b3cd1fa586a1408b7e4e8a1674550389fe3ad4492aa3e49b6

SHA512
f0fdc2a589ce8f9d9f0162c072c435df0affe0c844be07f586f7520fed64f99c050953008ec5b9208ce1220eb074b66ccf81edea64ebcb199237aa45622cba1a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
db5a0df4bef393b5db36fda025f56c68

SHA1
03981e67ba459135143df18d3d50e32ad3b76f01

SHA256
3fa5d38cbb35ec5b3cd1fa586a1408b7e4e8a1674550389fe3ad4492aa3e49b6

SHA512
f0fdc2a589ce8f9d9f0162c072c435df0affe0c844be07f586f7520fed64f99c050953008ec5b9208ce1220eb074b66ccf81edea64ebcb199237aa45622cba1a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
db5a0df4bef393b5db36fda025f56c68

SHA1
03981e67ba459135143df18d3d50e32ad3b76f01

SHA256
3fa5d38cbb35ec5b3cd1fa586a1408b7e4e8a1674550389fe3ad4492aa3e49b6

SHA512
f0fdc2a589ce8f9d9f0162c072c435df0affe0c844be07f586f7520fed64f99c050953008ec5b9208ce1220eb074b66ccf81edea64ebcb199237aa45622cba1a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
db5a0df4bef393b5db36fda025f56c68

SHA1
03981e67ba459135143df18d3d50e32ad3b76f01

SHA256
3fa5d38cbb35ec5b3cd1fa586a1408b7e4e8a1674550389fe3ad4492aa3e49b6

SHA512
f0fdc2a589ce8f9d9f0162c072c435df0affe0c844be07f586f7520fed64f99c050953008ec5b9208ce1220eb074b66ccf81edea64ebcb199237aa45622cba1a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
db5a0df4bef393b5db36fda025f56c68

SHA1
03981e67ba459135143df18d3d50e32ad3b76f01

SHA256
3fa5d38cbb35ec5b3cd1fa586a1408b7e4e8a1674550389fe3ad4492aa3e49b6

SHA512
f0fdc2a589ce8f9d9f0162c072c435df0affe0c844be07f586f7520fed64f99c050953008ec5b9208ce1220eb074b66ccf81edea64ebcb199237aa45622cba1a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
db5a0df4bef393b5db36fda025f56c68

SHA1
03981e67ba459135143df18d3d50e32ad3b76f01

SHA256
3fa5d38cbb35ec5b3cd1fa586a1408b7e4e8a1674550389fe3ad4492aa3e49b6

SHA512
f0fdc2a589ce8f9d9f0162c072c435df0affe0c844be07f586f7520fed64f99c050953008ec5b9208ce1220eb074b66ccf81edea64ebcb199237aa45622cba1a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
db5a0df4bef393b5db36fda025f56c68

SHA1
03981e67ba459135143df18d3d50e32ad3b76f01

SHA256
3fa5d38cbb35ec5b3cd1fa586a1408b7e4e8a1674550389fe3ad4492aa3e49b6

SHA512
f0fdc2a589ce8f9d9f0162c072c435df0affe0c844be07f586f7520fed64f99c050953008ec5b9208ce1220eb074b66ccf81edea64ebcb199237aa45622cba1a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
db5a0df4bef393b5db36fda025f56c68

SHA1
03981e67ba459135143df18d3d50e32ad3b76f01

SHA256
3fa5d38cbb35ec5b3cd1fa586a1408b7e4e8a1674550389fe3ad4492aa3e49b6

SHA512
f0fdc2a589ce8f9d9f0162c072c435df0affe0c844be07f586f7520fed64f99c050953008ec5b9208ce1220eb074b66ccf81edea64ebcb199237aa45622cba1a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
db5a0df4bef393b5db36fda025f56c68

SHA1
03981e67ba459135143df18d3d50e32ad3b76f01

SHA256
3fa5d38cbb35ec5b3cd1fa586a1408b7e4e8a1674550389fe3ad4492aa3e49b6

SHA512
f0fdc2a589ce8f9d9f0162c072c435df0affe0c844be07f586f7520fed64f99c050953008ec5b9208ce1220eb074b66ccf81edea64ebcb199237aa45622cba1a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
db5a0df4bef393b5db36fda025f56c68

SHA1
03981e67ba459135143df18d3d50e32ad3b76f01

SHA256
3fa5d38cbb35ec5b3cd1fa586a1408b7e4e8a1674550389fe3ad4492aa3e49b6

SHA512
f0fdc2a589ce8f9d9f0162c072c435df0affe0c844be07f586f7520fed64f99c050953008ec5b9208ce1220eb074b66ccf81edea64ebcb199237aa45622cba1a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
db5a0df4bef393b5db36fda025f56c68

SHA1
03981e67ba459135143df18d3d50e32ad3b76f01

SHA256
3fa5d38cbb35ec5b3cd1fa586a1408b7e4e8a1674550389fe3ad4492aa3e49b6

SHA512
f0fdc2a589ce8f9d9f0162c072c435df0affe0c844be07f586f7520fed64f99c050953008ec5b9208ce1220eb074b66ccf81edea64ebcb199237aa45622cba1a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
db5a0df4bef393b5db36fda025f56c68

SHA1
03981e67ba459135143df18d3d50e32ad3b76f01

SHA256
3fa5d38cbb35ec5b3cd1fa586a1408b7e4e8a1674550389fe3ad4492aa3e49b6

SHA512
f0fdc2a589ce8f9d9f0162c072c435df0affe0c844be07f586f7520fed64f99c050953008ec5b9208ce1220eb074b66ccf81edea64ebcb199237aa45622cba1a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
db5a0df4bef393b5db36fda025f56c68

SHA1
03981e67ba459135143df18d3d50e32ad3b76f01

SHA256
3fa5d38cbb35ec5b3cd1fa586a1408b7e4e8a1674550389fe3ad4492aa3e49b6

SHA512
f0fdc2a589ce8f9d9f0162c072c435df0affe0c844be07f586f7520fed64f99c050953008ec5b9208ce1220eb074b66ccf81edea64ebcb199237aa45622cba1a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
db5a0df4bef393b5db36fda025f56c68

SHA1
03981e67ba459135143df18d3d50e32ad3b76f01

SHA256
3fa5d38cbb35ec5b3cd1fa586a1408b7e4e8a1674550389fe3ad4492aa3e49b6

SHA512
f0fdc2a589ce8f9d9f0162c072c435df0affe0c844be07f586f7520fed64f99c050953008ec5b9208ce1220eb074b66ccf81edea64ebcb199237aa45622cba1a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
db5a0df4bef393b5db36fda025f56c68

SHA1
03981e67ba459135143df18d3d50e32ad3b76f01

SHA256
3fa5d38cbb35ec5b3cd1fa586a1408b7e4e8a1674550389fe3ad4492aa3e49b6

SHA512
f0fdc2a589ce8f9d9f0162c072c435df0affe0c844be07f586f7520fed64f99c050953008ec5b9208ce1220eb074b66ccf81edea64ebcb199237aa45622cba1a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
db5a0df4bef393b5db36fda025f56c68

SHA1
03981e67ba459135143df18d3d50e32ad3b76f01

SHA256
3fa5d38cbb35ec5b3cd1fa586a1408b7e4e8a1674550389fe3ad4492aa3e49b6

SHA512
f0fdc2a589ce8f9d9f0162c072c435df0affe0c844be07f586f7520fed64f99c050953008ec5b9208ce1220eb074b66ccf81edea64ebcb199237aa45622cba1a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
db5a0df4bef393b5db36fda025f56c68

SHA1
03981e67ba459135143df18d3d50e32ad3b76f01

SHA256
3fa5d38cbb35ec5b3cd1fa586a1408b7e4e8a1674550389fe3ad4492aa3e49b6

SHA512
f0fdc2a589ce8f9d9f0162c072c435df0affe0c844be07f586f7520fed64f99c050953008ec5b9208ce1220eb074b66ccf81edea64ebcb199237aa45622cba1a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
db5a0df4bef393b5db36fda025f56c68

SHA1
03981e67ba459135143df18d3d50e32ad3b76f01

SHA256
3fa5d38cbb35ec5b3cd1fa586a1408b7e4e8a1674550389fe3ad4492aa3e49b6

SHA512
f0fdc2a589ce8f9d9f0162c072c435df0affe0c844be07f586f7520fed64f99c050953008ec5b9208ce1220eb074b66ccf81edea64ebcb199237aa45622cba1a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
db5a0df4bef393b5db36fda025f56c68

SHA1
03981e67ba459135143df18d3d50e32ad3b76f01

SHA256
3fa5d38cbb35ec5b3cd1fa586a1408b7e4e8a1674550389fe3ad4492aa3e49b6

SHA512
f0fdc2a589ce8f9d9f0162c072c435df0affe0c844be07f586f7520fed64f99c050953008ec5b9208ce1220eb074b66ccf81edea64ebcb199237aa45622cba1a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
db5a0df4bef393b5db36fda025f56c68

SHA1
03981e67ba459135143df18d3d50e32ad3b76f01

SHA256
3fa5d38cbb35ec5b3cd1fa586a1408b7e4e8a1674550389fe3ad4492aa3e49b6

SHA512
f0fdc2a589ce8f9d9f0162c072c435df0affe0c844be07f586f7520fed64f99c050953008ec5b9208ce1220eb074b66ccf81edea64ebcb199237aa45622cba1a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
db5a0df4bef393b5db36fda025f56c68

SHA1
03981e67ba459135143df18d3d50e32ad3b76f01

SHA256
3fa5d38cbb35ec5b3cd1fa586a1408b7e4e8a1674550389fe3ad4492aa3e49b6

SHA512
f0fdc2a589ce8f9d9f0162c072c435df0affe0c844be07f586f7520fed64f99c050953008ec5b9208ce1220eb074b66ccf81edea64ebcb199237aa45622cba1a

Download Submit
\Users\Admin\AppData\Local\Temp\nsj2723.tmp\nsExec.dll

Filesize
6KB

MD5
fa299e199922b3ba833be655a8d71b75

SHA1
4d74c53bb6927a2831df93af26f3e4e4fb007797

SHA256
49a6a1c1f19574b2a247ce6c5adc0751e046d27c30912816ba415f871b74ae5d

SHA512
7ceb64d3d826762994c48ffad3ad2234410cbcdbedfce9a2dc03d18915ce22d687173f90e954d7bdb0eae76954c360059ad761aedc48cd7fa4ec29d6094f6a65

Download Submit
\Users\Admin\AppData\Local\Temp\nsj2723.tmp\nsExec.dll

Filesize
6KB

MD5
fa299e199922b3ba833be655a8d71b75

SHA1
4d74c53bb6927a2831df93af26f3e4e4fb007797

SHA256
49a6a1c1f19574b2a247ce6c5adc0751e046d27c30912816ba415f871b74ae5d

SHA512
7ceb64d3d826762994c48ffad3ad2234410cbcdbedfce9a2dc03d18915ce22d687173f90e954d7bdb0eae76954c360059ad761aedc48cd7fa4ec29d6094f6a65

Download Submit
\Users\Admin\AppData\Local\Temp\nsj2723.tmp\nsExec.dll

Filesize
6KB

MD5
fa299e199922b3ba833be655a8d71b75

SHA1
4d74c53bb6927a2831df93af26f3e4e4fb007797

SHA256
49a6a1c1f19574b2a247ce6c5adc0751e046d27c30912816ba415f871b74ae5d

SHA512
7ceb64d3d826762994c48ffad3ad2234410cbcdbedfce9a2dc03d18915ce22d687173f90e954d7bdb0eae76954c360059ad761aedc48cd7fa4ec29d6094f6a65

Download Submit
\Users\Admin\AppData\Local\Temp\nsj2723.tmp\nsExec.dll

Filesize
6KB

MD5
fa299e199922b3ba833be655a8d71b75

SHA1
4d74c53bb6927a2831df93af26f3e4e4fb007797

SHA256
49a6a1c1f19574b2a247ce6c5adc0751e046d27c30912816ba415f871b74ae5d

SHA512
7ceb64d3d826762994c48ffad3ad2234410cbcdbedfce9a2dc03d18915ce22d687173f90e954d7bdb0eae76954c360059ad761aedc48cd7fa4ec29d6094f6a65

Download Submit
\Users\Admin\AppData\Local\Temp\nsj2723.tmp\nsExec.dll

Filesize
6KB

MD5
fa299e199922b3ba833be655a8d71b75

SHA1
4d74c53bb6927a2831df93af26f3e4e4fb007797

SHA256
49a6a1c1f19574b2a247ce6c5adc0751e046d27c30912816ba415f871b74ae5d

SHA512
7ceb64d3d826762994c48ffad3ad2234410cbcdbedfce9a2dc03d18915ce22d687173f90e954d7bdb0eae76954c360059ad761aedc48cd7fa4ec29d6094f6a65

Download Submit
\Users\Admin\AppData\Local\Temp\nsj2723.tmp\nsExec.dll

Filesize
6KB

MD5
fa299e199922b3ba833be655a8d71b75

SHA1
4d74c53bb6927a2831df93af26f3e4e4fb007797

SHA256
49a6a1c1f19574b2a247ce6c5adc0751e046d27c30912816ba415f871b74ae5d

SHA512
7ceb64d3d826762994c48ffad3ad2234410cbcdbedfce9a2dc03d18915ce22d687173f90e954d7bdb0eae76954c360059ad761aedc48cd7fa4ec29d6094f6a65

Download Submit
\Users\Admin\AppData\Local\Temp\nsj2723.tmp\nsExec.dll

Filesize
6KB

MD5
fa299e199922b3ba833be655a8d71b75

SHA1
4d74c53bb6927a2831df93af26f3e4e4fb007797

SHA256
49a6a1c1f19574b2a247ce6c5adc0751e046d27c30912816ba415f871b74ae5d

SHA512
7ceb64d3d826762994c48ffad3ad2234410cbcdbedfce9a2dc03d18915ce22d687173f90e954d7bdb0eae76954c360059ad761aedc48cd7fa4ec29d6094f6a65

Download Submit
\Users\Admin\AppData\Local\Temp\nsj2723.tmp\nsExec.dll

Filesize
6KB

MD5
fa299e199922b3ba833be655a8d71b75

SHA1
4d74c53bb6927a2831df93af26f3e4e4fb007797

SHA256
49a6a1c1f19574b2a247ce6c5adc0751e046d27c30912816ba415f871b74ae5d

SHA512
7ceb64d3d826762994c48ffad3ad2234410cbcdbedfce9a2dc03d18915ce22d687173f90e954d7bdb0eae76954c360059ad761aedc48cd7fa4ec29d6094f6a65

Download Submit
\Users\Admin\AppData\Local\Temp\nsj2723.tmp\nsExec.dll

Filesize
6KB

MD5
fa299e199922b3ba833be655a8d71b75

SHA1
4d74c53bb6927a2831df93af26f3e4e4fb007797

SHA256
49a6a1c1f19574b2a247ce6c5adc0751e046d27c30912816ba415f871b74ae5d

SHA512
7ceb64d3d826762994c48ffad3ad2234410cbcdbedfce9a2dc03d18915ce22d687173f90e954d7bdb0eae76954c360059ad761aedc48cd7fa4ec29d6094f6a65

Download Submit
\Users\Admin\AppData\Local\Temp\nsj2723.tmp\nsExec.dll

Filesize
6KB

MD5
fa299e199922b3ba833be655a8d71b75

SHA1
4d74c53bb6927a2831df93af26f3e4e4fb007797

SHA256
49a6a1c1f19574b2a247ce6c5adc0751e046d27c30912816ba415f871b74ae5d

SHA512
7ceb64d3d826762994c48ffad3ad2234410cbcdbedfce9a2dc03d18915ce22d687173f90e954d7bdb0eae76954c360059ad761aedc48cd7fa4ec29d6094f6a65

Download Submit
\Users\Admin\AppData\Local\Temp\nsj2723.tmp\nsExec.dll

Filesize
6KB

MD5
fa299e199922b3ba833be655a8d71b75

SHA1
4d74c53bb6927a2831df93af26f3e4e4fb007797

SHA256
49a6a1c1f19574b2a247ce6c5adc0751e046d27c30912816ba415f871b74ae5d

SHA512
7ceb64d3d826762994c48ffad3ad2234410cbcdbedfce9a2dc03d18915ce22d687173f90e954d7bdb0eae76954c360059ad761aedc48cd7fa4ec29d6094f6a65

Download Submit
\Users\Admin\AppData\Local\Temp\nsj2723.tmp\nsExec.dll

Filesize
6KB

MD5
fa299e199922b3ba833be655a8d71b75

SHA1
4d74c53bb6927a2831df93af26f3e4e4fb007797

SHA256
49a6a1c1f19574b2a247ce6c5adc0751e046d27c30912816ba415f871b74ae5d

SHA512
7ceb64d3d826762994c48ffad3ad2234410cbcdbedfce9a2dc03d18915ce22d687173f90e954d7bdb0eae76954c360059ad761aedc48cd7fa4ec29d6094f6a65

Download Submit
\Users\Admin\AppData\Local\Temp\nsj2723.tmp\nsExec.dll

Filesize
6KB

MD5
fa299e199922b3ba833be655a8d71b75

SHA1
4d74c53bb6927a2831df93af26f3e4e4fb007797

SHA256
49a6a1c1f19574b2a247ce6c5adc0751e046d27c30912816ba415f871b74ae5d

SHA512
7ceb64d3d826762994c48ffad3ad2234410cbcdbedfce9a2dc03d18915ce22d687173f90e954d7bdb0eae76954c360059ad761aedc48cd7fa4ec29d6094f6a65

Download Submit
\Users\Admin\AppData\Local\Temp\nsj2723.tmp\nsExec.dll

Filesize
6KB

MD5
fa299e199922b3ba833be655a8d71b75

SHA1
4d74c53bb6927a2831df93af26f3e4e4fb007797

SHA256
49a6a1c1f19574b2a247ce6c5adc0751e046d27c30912816ba415f871b74ae5d

SHA512
7ceb64d3d826762994c48ffad3ad2234410cbcdbedfce9a2dc03d18915ce22d687173f90e954d7bdb0eae76954c360059ad761aedc48cd7fa4ec29d6094f6a65

Download Submit
\Users\Admin\AppData\Local\Temp\nsj2723.tmp\nsExec.dll

Filesize
6KB

MD5
fa299e199922b3ba833be655a8d71b75

SHA1
4d74c53bb6927a2831df93af26f3e4e4fb007797

SHA256
49a6a1c1f19574b2a247ce6c5adc0751e046d27c30912816ba415f871b74ae5d

SHA512
7ceb64d3d826762994c48ffad3ad2234410cbcdbedfce9a2dc03d18915ce22d687173f90e954d7bdb0eae76954c360059ad761aedc48cd7fa4ec29d6094f6a65

Download Submit
\Users\Admin\AppData\Local\Temp\nsj2723.tmp\nsExec.dll

Filesize
6KB

MD5
fa299e199922b3ba833be655a8d71b75

SHA1
4d74c53bb6927a2831df93af26f3e4e4fb007797

SHA256
49a6a1c1f19574b2a247ce6c5adc0751e046d27c30912816ba415f871b74ae5d

SHA512
7ceb64d3d826762994c48ffad3ad2234410cbcdbedfce9a2dc03d18915ce22d687173f90e954d7bdb0eae76954c360059ad761aedc48cd7fa4ec29d6094f6a65

Download Submit
\Users\Admin\AppData\Local\Temp\nsj2723.tmp\nsExec.dll

Filesize
6KB

MD5
fa299e199922b3ba833be655a8d71b75

SHA1
4d74c53bb6927a2831df93af26f3e4e4fb007797

SHA256
49a6a1c1f19574b2a247ce6c5adc0751e046d27c30912816ba415f871b74ae5d

SHA512
7ceb64d3d826762994c48ffad3ad2234410cbcdbedfce9a2dc03d18915ce22d687173f90e954d7bdb0eae76954c360059ad761aedc48cd7fa4ec29d6094f6a65

Download Submit
\Users\Admin\AppData\Local\Temp\nsj2723.tmp\nsExec.dll

Filesize
6KB

MD5
fa299e199922b3ba833be655a8d71b75

SHA1
4d74c53bb6927a2831df93af26f3e4e4fb007797

SHA256
49a6a1c1f19574b2a247ce6c5adc0751e046d27c30912816ba415f871b74ae5d

SHA512
7ceb64d3d826762994c48ffad3ad2234410cbcdbedfce9a2dc03d18915ce22d687173f90e954d7bdb0eae76954c360059ad761aedc48cd7fa4ec29d6094f6a65

Download Submit
\Users\Admin\AppData\Local\Temp\nsj2723.tmp\nsExec.dll

Filesize
6KB

MD5
fa299e199922b3ba833be655a8d71b75

SHA1
4d74c53bb6927a2831df93af26f3e4e4fb007797

SHA256
49a6a1c1f19574b2a247ce6c5adc0751e046d27c30912816ba415f871b74ae5d

SHA512
7ceb64d3d826762994c48ffad3ad2234410cbcdbedfce9a2dc03d18915ce22d687173f90e954d7bdb0eae76954c360059ad761aedc48cd7fa4ec29d6094f6a65

Download Submit
\Users\Admin\AppData\Local\Temp\nsj2723.tmp\nsExec.dll

Filesize
6KB

MD5
fa299e199922b3ba833be655a8d71b75

SHA1
4d74c53bb6927a2831df93af26f3e4e4fb007797

SHA256
49a6a1c1f19574b2a247ce6c5adc0751e046d27c30912816ba415f871b74ae5d

SHA512
7ceb64d3d826762994c48ffad3ad2234410cbcdbedfce9a2dc03d18915ce22d687173f90e954d7bdb0eae76954c360059ad761aedc48cd7fa4ec29d6094f6a65

Download Submit
\Users\Admin\AppData\Local\Temp\nsj2723.tmp\nsExec.dll

Filesize
6KB

MD5
fa299e199922b3ba833be655a8d71b75

SHA1
4d74c53bb6927a2831df93af26f3e4e4fb007797

SHA256
49a6a1c1f19574b2a247ce6c5adc0751e046d27c30912816ba415f871b74ae5d

SHA512
7ceb64d3d826762994c48ffad3ad2234410cbcdbedfce9a2dc03d18915ce22d687173f90e954d7bdb0eae76954c360059ad761aedc48cd7fa4ec29d6094f6a65

Download Submit
\Users\Admin\AppData\Local\Temp\nsj2723.tmp\nsExec.dll

Filesize
6KB

MD5
fa299e199922b3ba833be655a8d71b75

SHA1
4d74c53bb6927a2831df93af26f3e4e4fb007797

SHA256
49a6a1c1f19574b2a247ce6c5adc0751e046d27c30912816ba415f871b74ae5d

SHA512
7ceb64d3d826762994c48ffad3ad2234410cbcdbedfce9a2dc03d18915ce22d687173f90e954d7bdb0eae76954c360059ad761aedc48cd7fa4ec29d6094f6a65

Download Submit
\Users\Admin\AppData\Local\Temp\nsj2723.tmp\nsExec.dll

Filesize
6KB

MD5
fa299e199922b3ba833be655a8d71b75

SHA1
4d74c53bb6927a2831df93af26f3e4e4fb007797

SHA256
49a6a1c1f19574b2a247ce6c5adc0751e046d27c30912816ba415f871b74ae5d

SHA512
7ceb64d3d826762994c48ffad3ad2234410cbcdbedfce9a2dc03d18915ce22d687173f90e954d7bdb0eae76954c360059ad761aedc48cd7fa4ec29d6094f6a65

Download Submit
memory/564-96-0x0000000002610000-0x0000000002650000-memory.dmp

Filesize
256KB

Download
memory/816-783-0x00000000021E0000-0x0000000002220000-memory.dmp

Filesize
256KB

Download
memory/816-782-0x00000000021E0000-0x0000000002220000-memory.dmp

Filesize
256KB

Download
memory/884-280-0x00000000024F0000-0x0000000002530000-memory.dmp

Filesize
256KB

Download
memory/884-281-0x00000000024F0000-0x0000000002530000-memory.dmp

Filesize
256KB

Download
memory/1064-179-0x00000000026C0000-0x0000000002700000-memory.dmp

Filesize
256KB

Download
memory/1064-178-0x00000000026C0000-0x0000000002700000-memory.dmp

Filesize
256KB

Download
memory/1116-547-0x0000000002760000-0x00000000027A0000-memory.dmp

Filesize
256KB

Download
memory/1116-548-0x0000000002760000-0x00000000027A0000-memory.dmp

Filesize
256KB

Download
memory/1512-433-0x0000000001F70000-0x0000000001FB0000-memory.dmp

Filesize
256KB

Download
memory/1512-355-0x0000000001F70000-0x0000000001FB0000-memory.dmp

Filesize
256KB

Download
memory/1516-621-0x0000000001FC0000-0x0000000002000000-memory.dmp

Filesize
256KB

Download
memory/1516-620-0x0000000001FC0000-0x0000000002000000-memory.dmp

Filesize
256KB

Download
memory/1540-319-0x0000000001DD0000-0x0000000001E10000-memory.dmp

Filesize
256KB

Download
memory/1540-225-0x0000000001DD0000-0x0000000001E10000-memory.dmp

Filesize
256KB

Download
memory/1744-822-0x0000000002780000-0x00000000027C0000-memory.dmp

Filesize
256KB

Download
memory/1900-830-0x0000000002830000-0x0000000002870000-memory.dmp

Filesize
256KB

Download
memory/1904-378-0x0000000002710000-0x0000000002750000-memory.dmp

Filesize
256KB

Download
memory/1988-538-0x00000000027D0000-0x0000000002810000-memory.dmp

Filesize
256KB

Download
memory/1988-539-0x00000000027D0000-0x0000000002810000-memory.dmp

Filesize
256KB

Download
memory/2028-67-0x0000000002480000-0x00000000024C0000-memory.dmp

Filesize
256KB

Download
memory/2028-401-0x00000000022E0000-0x0000000002320000-memory.dmp

Filesize
256KB

Download
memory/2028-66-0x0000000002480000-0x00000000024C0000-memory.dmp

Filesize
256KB

Download
memory/2096-290-0x00000000026B0000-0x00000000026F0000-memory.dmp

Filesize
256KB

Download
memory/2096-289-0x00000000026B0000-0x00000000026F0000-memory.dmp

Filesize
256KB

Download
memory/2148-77-0x0000000002470000-0x00000000024B0000-memory.dmp

Filesize
256KB

Download
memory/2164-724-0x0000000002770000-0x00000000027B0000-memory.dmp

Filesize
256KB

Download
memory/2164-725-0x0000000002770000-0x00000000027B0000-memory.dmp

Filesize
256KB

Download
memory/2276-254-0x00000000026E0000-0x0000000002720000-memory.dmp

Filesize
256KB

Download
memory/2344-452-0x0000000002380000-0x00000000023C0000-memory.dmp

Filesize
256KB

Download
memory/2436-393-0x0000000002770000-0x00000000027B0000-memory.dmp

Filesize
256KB

Download
memory/2492-706-0x0000000002920000-0x0000000002960000-memory.dmp

Filesize
256KB

Download
memory/2492-707-0x0000000002920000-0x0000000002960000-memory.dmp

Filesize
256KB

Download
memory/2556-715-0x0000000002750000-0x0000000002790000-memory.dmp

Filesize
256KB

Download
memory/2556-716-0x0000000002750000-0x0000000002790000-memory.dmp

Filesize
256KB

Download
memory/2596-460-0x0000000002580000-0x00000000025C0000-memory.dmp

Filesize
256KB

Download
memory/2660-807-0x00000000026E0000-0x0000000002720000-memory.dmp

Filesize
256KB

Download
memory/2668-799-0x0000000002730000-0x0000000002770000-memory.dmp

Filesize
256KB

Download
memory/2668-798-0x0000000002730000-0x0000000002770000-memory.dmp

Filesize
256KB

Download
memory/2896-235-0x0000000002390000-0x00000000023D0000-memory.dmp

Filesize
256KB

Download
memory/2988-563-0x0000000002600000-0x0000000002640000-memory.dmp

Filesize
256KB

Download