0bcacfe5a5a36dca29e8d1abbde1c3858e1386cc72656228b46c32374f30966d

Analysis

max time kernel
91s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06/08/2024, 18:38

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

wave.exe
Size

27.0MB
MD5

8938e437b63b2e2b3e91825958567f2b
SHA1

9b521cf6f1b53b7b95927cffc313ac09cf4606b6
SHA256

0bcacfe5a5a36dca29e8d1abbde1c3858e1386cc72656228b46c32374f30966d
SHA512

87c93555f3467bcf25cf2a386595ac95c3e49ac22cb490b6bf732d2b228a11238283bdd71036294e88e92c55f0ef4d7797d463dd6777dd1a547ace00bcc3982b
SSDEEP

786432:0otq8vlkbrRQ9oFWUmESWqELGmiT4wJNXeRGF:0oY8v42WFW4qCi8+NuRGF

Score

9^/10

credential_access discovery persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

ACProtect 1.3x - 1.4x DLL software 27 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x000700000002387d-717.dat	acprotect
behavioral2/files/0x0007000000023498-723.dat	acprotect
behavioral2/files/0x00070000000234b9-728.dat	acprotect
behavioral2/files/0x0007000000023496-731.dat	acprotect
behavioral2/files/0x000700000002349b-734.dat	acprotect
behavioral2/files/0x00070000000234a1-754.dat	acprotect
behavioral2/files/0x00070000000234a0-753.dat	acprotect
behavioral2/files/0x000700000002349f-752.dat	acprotect
behavioral2/files/0x000700000002349e-751.dat	acprotect
behavioral2/files/0x000700000002349d-750.dat	acprotect
behavioral2/files/0x000700000002349c-749.dat	acprotect
behavioral2/files/0x000700000002349a-748.dat	acprotect
behavioral2/files/0x0007000000023499-747.dat	acprotect
behavioral2/files/0x0007000000023497-746.dat	acprotect
behavioral2/files/0x0007000000023495-745.dat	acprotect
behavioral2/files/0x000700000002388c-744.dat	acprotect
behavioral2/files/0x000700000002388b-743.dat	acprotect
behavioral2/files/0x0007000000023881-742.dat	acprotect
behavioral2/files/0x000700000002387b-741.dat	acprotect
behavioral2/files/0x00070000000234ba-739.dat	acprotect
behavioral2/files/0x00070000000234b8-738.dat	acprotect
behavioral2/files/0x0007000000023880-763.dat	acprotect
behavioral2/files/0x000700000002387f-766.dat	acprotect
behavioral2/files/0x000700000002388f-770.dat	acprotect
behavioral2/files/0x0007000000023898-788.dat	acprotect
behavioral2/files/0x00070000000234a9-796.dat	acprotect
behavioral2/files/0x00070000000234d9-803.dat	acprotect

Loads dropped DLL 54 IoCs

pid	Process
2724	wave.exe
2724	wave.exe
2724	wave.exe
2724	wave.exe
2724	wave.exe
2724	wave.exe
2724	wave.exe
2724	wave.exe
2724	wave.exe
2724	wave.exe
2724	wave.exe
2724	wave.exe
2724	wave.exe
2724	wave.exe
2724	wave.exe
2724	wave.exe
2724	wave.exe
2724	wave.exe
2724	wave.exe
2724	wave.exe
2724	wave.exe
2724	wave.exe
2724	wave.exe
2724	wave.exe
2724	wave.exe
2724	wave.exe
2724	wave.exe
2724	wave.exe
2724	wave.exe
2724	wave.exe
2724	wave.exe
2724	wave.exe
2724	wave.exe
2724	wave.exe
2724	wave.exe
2724	wave.exe
2724	wave.exe
2724	wave.exe
2724	wave.exe
2724	wave.exe
2724	wave.exe
2724	wave.exe
2724	wave.exe
2724	wave.exe
2724	wave.exe
2724	wave.exe
2724	wave.exe
2724	wave.exe
2724	wave.exe
2724	wave.exe
2724	wave.exe
2724	wave.exe
2724	wave.exe
2724	wave.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000700000002387d-717.dat	upx
behavioral2/memory/2724-721-0x0000000075110000-0x000000007561B000-memory.dmp	upx
behavioral2/files/0x0007000000023498-723.dat	upx
behavioral2/files/0x00070000000234b9-728.dat	upx
behavioral2/memory/2724-729-0x00000000750C0000-0x00000000750DF000-memory.dmp	upx
behavioral2/memory/2724-732-0x00000000750B0000-0x00000000750BD000-memory.dmp	upx
behavioral2/files/0x0007000000023496-731.dat	upx
behavioral2/files/0x000700000002349b-734.dat	upx
behavioral2/memory/2724-737-0x0000000075060000-0x0000000075087000-memory.dmp	upx
behavioral2/files/0x00070000000234a1-754.dat	upx
behavioral2/files/0x00070000000234a0-753.dat	upx
behavioral2/files/0x000700000002349f-752.dat	upx
behavioral2/files/0x000700000002349e-751.dat	upx
behavioral2/files/0x000700000002349d-750.dat	upx
behavioral2/files/0x000700000002349c-749.dat	upx
behavioral2/files/0x000700000002349a-748.dat	upx
behavioral2/files/0x0007000000023499-747.dat	upx
behavioral2/files/0x0007000000023497-746.dat	upx
behavioral2/files/0x0007000000023495-745.dat	upx
behavioral2/files/0x000700000002388c-744.dat	upx
behavioral2/files/0x000700000002388b-743.dat	upx
behavioral2/files/0x0007000000023881-742.dat	upx
behavioral2/files/0x000700000002387b-741.dat	upx
behavioral2/memory/2724-736-0x0000000075090000-0x00000000750A8000-memory.dmp	upx
behavioral2/files/0x00070000000234ba-739.dat	upx
behavioral2/files/0x00070000000234b8-738.dat	upx
behavioral2/memory/2724-757-0x0000000075030000-0x000000007505F000-memory.dmp	upx
behavioral2/memory/2724-759-0x0000000075010000-0x0000000075026000-memory.dmp	upx
behavioral2/memory/2724-761-0x0000000074FC0000-0x0000000074FCC000-memory.dmp	upx
behavioral2/files/0x0007000000023880-763.dat	upx
behavioral2/memory/2724-764-0x0000000074FB0000-0x0000000074FBC000-memory.dmp	upx
behavioral2/files/0x000700000002387f-766.dat	upx
behavioral2/files/0x000700000002388f-770.dat	upx
behavioral2/memory/2724-772-0x0000000074EE0000-0x0000000074F80000-memory.dmp	upx
behavioral2/memory/2724-773-0x0000000074A10000-0x0000000074A34000-memory.dmp	upx
behavioral2/memory/2724-771-0x0000000074F80000-0x0000000074FA7000-memory.dmp	upx
behavioral2/memory/2724-769-0x0000000075110000-0x000000007561B000-memory.dmp	upx
behavioral2/memory/2724-776-0x00000000750C0000-0x00000000750DF000-memory.dmp	upx
behavioral2/memory/2724-778-0x0000000074900000-0x0000000074994000-memory.dmp	upx
behavioral2/memory/2724-777-0x00000000749A0000-0x00000000749C8000-memory.dmp	upx
behavioral2/memory/2724-781-0x00000000746A0000-0x00000000748FA000-memory.dmp	upx
behavioral2/memory/2724-784-0x0000000074680000-0x0000000074692000-memory.dmp	upx
behavioral2/memory/2724-787-0x0000000074670000-0x000000007467F000-memory.dmp	upx
behavioral2/memory/2724-786-0x0000000075060000-0x0000000075087000-memory.dmp	upx
behavioral2/files/0x0007000000023898-788.dat	upx
behavioral2/memory/2724-790-0x0000000074590000-0x0000000074602000-memory.dmp	upx
behavioral2/memory/2724-793-0x0000000074580000-0x0000000074590000-memory.dmp	upx
behavioral2/memory/2724-792-0x0000000075010000-0x0000000075026000-memory.dmp	upx
behavioral2/files/0x00070000000234a9-796.dat	upx
behavioral2/memory/2724-798-0x0000000074540000-0x0000000074562000-memory.dmp	upx
behavioral2/memory/2724-800-0x0000000074420000-0x0000000074539000-memory.dmp	upx
behavioral2/files/0x00070000000234d9-803.dat	upx
behavioral2/memory/2724-805-0x00000000743F0000-0x0000000074406000-memory.dmp	upx
behavioral2/memory/2724-807-0x0000000074A10000-0x0000000074A34000-memory.dmp	upx
behavioral2/memory/2724-813-0x00000000746A0000-0x00000000748FA000-memory.dmp	upx
behavioral2/memory/2724-812-0x00000000741E0000-0x0000000074317000-memory.dmp	upx
behavioral2/memory/2724-811-0x0000000074900000-0x0000000074994000-memory.dmp	upx
behavioral2/memory/2724-810-0x00000000749A0000-0x00000000749C8000-memory.dmp	upx
behavioral2/memory/2724-809-0x0000000074320000-0x000000007433B000-memory.dmp	upx
behavioral2/memory/2724-815-0x00000000741A0000-0x00000000741D1000-memory.dmp	upx
behavioral2/memory/2724-818-0x0000000074130000-0x000000007413A000-memory.dmp	upx
behavioral2/memory/2724-817-0x0000000074150000-0x000000007415A000-memory.dmp	upx
behavioral2/memory/2724-816-0x0000000074680000-0x0000000074692000-memory.dmp	upx
behavioral2/memory/2724-820-0x0000000074110000-0x000000007411D000-memory.dmp	upx

Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service

T1102

flow	ioc
15	raw.githubusercontent.com
16	raw.githubusercontent.com
17	discord.com
18	discord.com
24	discord.com
25	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
22	ip-api.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 17 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wave.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wave.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 1 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
1572	netsh.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
384	WMIC.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2724	wave.exe
2724	wave.exe
2724	wave.exe
2724	wave.exe
2724	wave.exe
2724	wave.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2724	wave.exe
Token: SeIncreaseQuotaPrivilege	3500	WMIC.exe
Token: SeSecurityPrivilege	3500	WMIC.exe
Token: SeTakeOwnershipPrivilege	3500	WMIC.exe
Token: SeLoadDriverPrivilege	3500	WMIC.exe
Token: SeSystemProfilePrivilege	3500	WMIC.exe
Token: SeSystemtimePrivilege	3500	WMIC.exe
Token: SeProfSingleProcessPrivilege	3500	WMIC.exe
Token: SeIncBasePriorityPrivilege	3500	WMIC.exe
Token: SeCreatePagefilePrivilege	3500	WMIC.exe
Token: SeBackupPrivilege	3500	WMIC.exe
Token: SeRestorePrivilege	3500	WMIC.exe
Token: SeShutdownPrivilege	3500	WMIC.exe
Token: SeDebugPrivilege	3500	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3500	WMIC.exe
Token: SeRemoteShutdownPrivilege	3500	WMIC.exe
Token: SeUndockPrivilege	3500	WMIC.exe
Token: SeManageVolumePrivilege	3500	WMIC.exe
Token: 33	3500	WMIC.exe
Token: 34	3500	WMIC.exe
Token: 35	3500	WMIC.exe
Token: 36	3500	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3500	WMIC.exe
Token: SeSecurityPrivilege	3500	WMIC.exe
Token: SeTakeOwnershipPrivilege	3500	WMIC.exe
Token: SeLoadDriverPrivilege	3500	WMIC.exe
Token: SeSystemProfilePrivilege	3500	WMIC.exe
Token: SeSystemtimePrivilege	3500	WMIC.exe
Token: SeProfSingleProcessPrivilege	3500	WMIC.exe
Token: SeIncBasePriorityPrivilege	3500	WMIC.exe
Token: SeCreatePagefilePrivilege	3500	WMIC.exe
Token: SeBackupPrivilege	3500	WMIC.exe
Token: SeRestorePrivilege	3500	WMIC.exe
Token: SeShutdownPrivilege	3500	WMIC.exe
Token: SeDebugPrivilege	3500	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3500	WMIC.exe
Token: SeRemoteShutdownPrivilege	3500	WMIC.exe
Token: SeUndockPrivilege	3500	WMIC.exe
Token: SeManageVolumePrivilege	3500	WMIC.exe
Token: 33	3500	WMIC.exe
Token: 34	3500	WMIC.exe
Token: 35	3500	WMIC.exe
Token: 36	3500	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3076	wmic.exe
Token: SeSecurityPrivilege	3076	wmic.exe
Token: SeTakeOwnershipPrivilege	3076	wmic.exe
Token: SeLoadDriverPrivilege	3076	wmic.exe
Token: SeSystemProfilePrivilege	3076	wmic.exe
Token: SeSystemtimePrivilege	3076	wmic.exe
Token: SeProfSingleProcessPrivilege	3076	wmic.exe
Token: SeIncBasePriorityPrivilege	3076	wmic.exe
Token: SeCreatePagefilePrivilege	3076	wmic.exe
Token: SeBackupPrivilege	3076	wmic.exe
Token: SeRestorePrivilege	3076	wmic.exe
Token: SeShutdownPrivilege	3076	wmic.exe
Token: SeDebugPrivilege	3076	wmic.exe
Token: SeSystemEnvironmentPrivilege	3076	wmic.exe
Token: SeRemoteShutdownPrivilege	3076	wmic.exe
Token: SeUndockPrivilege	3076	wmic.exe
Token: SeManageVolumePrivilege	3076	wmic.exe
Token: 33	3076	wmic.exe
Token: 34	3076	wmic.exe
Token: 35	3076	wmic.exe
Token: 36	3076	wmic.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 1732 wrote to memory of 2724	1732	wave.exe	88
PID 1732 wrote to memory of 2724	1732	wave.exe	88
PID 1732 wrote to memory of 2724	1732	wave.exe	88
PID 2724 wrote to memory of 2788	2724	wave.exe	89
PID 2724 wrote to memory of 2788	2724	wave.exe	89
PID 2724 wrote to memory of 2788	2724	wave.exe	89
PID 2724 wrote to memory of 1572	2724	wave.exe	91
PID 2724 wrote to memory of 1572	2724	wave.exe	91
PID 2724 wrote to memory of 1572	2724	wave.exe	91
PID 2724 wrote to memory of 4004	2724	wave.exe	93
PID 2724 wrote to memory of 4004	2724	wave.exe	93
PID 2724 wrote to memory of 4004	2724	wave.exe	93
PID 4004 wrote to memory of 3500	4004	cmd.exe	95
PID 4004 wrote to memory of 3500	4004	cmd.exe	95
PID 4004 wrote to memory of 3500	4004	cmd.exe	95
PID 2724 wrote to memory of 3076	2724	wave.exe	97
PID 2724 wrote to memory of 3076	2724	wave.exe	97
PID 2724 wrote to memory of 3076	2724	wave.exe	97
PID 2724 wrote to memory of 804	2724	wave.exe	99
PID 2724 wrote to memory of 804	2724	wave.exe	99
PID 2724 wrote to memory of 804	2724	wave.exe	99
PID 804 wrote to memory of 384	804	cmd.exe	101
PID 804 wrote to memory of 384	804	cmd.exe	101
PID 804 wrote to memory of 384	804	cmd.exe	101
PID 2724 wrote to memory of 3480	2724	wave.exe	102
PID 2724 wrote to memory of 3480	2724	wave.exe	102
PID 2724 wrote to memory of 3480	2724	wave.exe	102
PID 3480 wrote to memory of 632	3480	cmd.exe	104
PID 3480 wrote to memory of 632	3480	cmd.exe	104
PID 3480 wrote to memory of 632	3480	cmd.exe	104
PID 2724 wrote to memory of 1056	2724	wave.exe	105
PID 2724 wrote to memory of 1056	2724	wave.exe	105
PID 2724 wrote to memory of 1056	2724	wave.exe	105
PID 1056 wrote to memory of 1288	1056	cmd.exe	107
PID 1056 wrote to memory of 1288	1056	cmd.exe	107
PID 1056 wrote to memory of 1288	1056	cmd.exe	107
PID 2724 wrote to memory of 696	2724	wave.exe	108
PID 2724 wrote to memory of 696	2724	wave.exe	108
PID 2724 wrote to memory of 696	2724	wave.exe	108
PID 696 wrote to memory of 4488	696	cmd.exe	110
PID 696 wrote to memory of 4488	696	cmd.exe	110
PID 696 wrote to memory of 4488	696	cmd.exe	110
PID 2724 wrote to memory of 3840	2724	wave.exe	112
PID 2724 wrote to memory of 3840	2724	wave.exe	112
PID 2724 wrote to memory of 3840	2724	wave.exe	112
PID 3840 wrote to memory of 100	3840	cmd.exe	114
PID 3840 wrote to memory of 100	3840	cmd.exe	114
PID 3840 wrote to memory of 100	3840	cmd.exe	114

C:\Users\Admin\AppData\Local\Temp\wave.exe
"C:\Users\Admin\AppData\Local\Temp\wave.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1732
- C:\Users\Admin\AppData\Local\Temp\wave.exe
  "C:\Users\Admin\AppData\Local\Temp\wave.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2724
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "ver"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2788
- - C:\Windows\SysWOW64\netsh.exe
    netsh wlan show profiles
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:1572
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4004
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:3500
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic cpu get Name
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:3076
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:804
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      System Location Discovery: System Language Discovery
      Detects videocard installed
      PID:384
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3480
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      System Location Discovery: System Language Discovery
      PID:632
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\\Windows\\System32\\wbem\\WMIC.exe csproduct get uuid"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1056
  - - C:\Windows\SysWOW64\wbem\WMIC.exe
      C:\\Windows\\System32\\wbem\\WMIC.exe csproduct get uuid
      4⤵
      System Location Discovery: System Language Discovery
      PID:1288
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path softwarelicensingservice get OA3xOriginalProductKey"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:696
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic path softwarelicensingservice get OA3xOriginalProductKey
      4⤵
      System Location Discovery: System Language Discovery
      PID:4488
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3840
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      System Location Discovery: System Language Discovery
      PID:100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI17322\VCRUNTIME140.dll

Filesize
78KB

MD5
1e6e97d60d411a2dee8964d3d05adb15

SHA1
0a2fe6ec6b6675c44998c282dbb1cd8787612faf

SHA256
8598940e498271b542f2c04998626aa680f2172d0ff4f8dbd4ffec1a196540f9

SHA512
3f7d79079c57786051a2f7facfb1046188049e831f12b549609a8f152664678ee35ad54d1fff4447428b6f76bea1c7ca88fa96aab395a560c6ec598344fcc7fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17322\_asyncio.pyd

Filesize
32KB

MD5
505bfa4efc02a7231f0ab30f18f2febd

SHA1
006262ffc89351cfc8c6d2dd5336b8dec7b5e1f6

SHA256
23f1f12f6860fc23fc1cbcd99ba8fc8db80e433059065cc8f0dd2210c81d95f1

SHA512
e83c7440bc238bab82c42f1c1f3dea72987384647b5b0d37829bd65557a7b8a4ff68036169c73f917bd46e28b1353177448a728de42fc4c4c3f09aa4f0bb6a83

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17322\_bz2.pyd

Filesize
43KB

MD5
2ec16aa0c8cfa279f42d9738ba75a8f5

SHA1
43d9d52ff23744e8185eb1a42740a1e1c8c68c62

SHA256
98ce9c4a01e6d4033ab1f43453868d8007beda16256ba4db060f2b6b501182d0

SHA512
2a9bed5466b8a7d31f065cc1b5bd7103345f4c285eb6ab15f3ce3957bb40937c1a138c344f0c185ff6f25596d0643452532281291d97996c7690677717608a8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17322\_cffi_backend.cp311-win32.pyd

Filesize
61KB

MD5
b1a0fc0cd03f30763656c6d3a2e8ff2b

SHA1
a380a0d24ae920fe24ce92d45d99851bb0e4f93a

SHA256
8ef5813767d0230a1712bc1ce6ff6c8d78039d2866858046ba151659b19f60ce

SHA512
62f6498d3b72e2f5123a2b0479fd3c442e315ab2a25b9ce86c9d2b6b9bd3301d0ed80dee336215074d55cd9354a4d82f5fe33e1a1044d8e7c31353a123c722df

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17322\_ctypes.pyd

Filesize
51KB

MD5
c40f1cf6b1cf0ab84c6a5e52ed4f08d9

SHA1
0b5f50dc6318dc7bfb422664fe2f34d034237c62

SHA256
1a6b013b8bd67cac49a0b30e2acef5226005fadf54f915933a0268b6134042c2

SHA512
70cc28be523e32296017a0c7566bec160c36e33fa825424915bcc02854d35e20ba1660f2291e546bada45ddbfd917c51f950e68fef4d8800ca45593e2c00a9cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17322\_decimal.pyd

Filesize
77KB

MD5
5ed647d09ae40f4c890a507c6a71b38c

SHA1
7de0db0934cd44c02da0825c741950ab2fabaa7c

SHA256
66950f37483da4dd46e518a45b46df113d5023171c2f54c1bbb53ab42831d67e

SHA512
347c5c4e2ac88e599dddee2041e64df704716da7486ab737965f75a0a36c7f7b87c8e89ecb4484167722108805336a482a93abf687756e431ba6371ffde2142e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17322\_hashlib.pyd

Filesize
28KB

MD5
cbb5261a118363f202218aaee06346e8

SHA1
eff554f745ea9597dc06b7ff1a135e8eba18f777

SHA256
408719d0be3c671a0c7fc3a3552e3955c42178fd02d9b331ea4ffdaed949dc6c

SHA512
4410bfcda050f5d952fa133741c2c04a1ed689c2cbdc97463e0a1f8193d74385816691953f19ac9a1ab6d1027c528aa3ac0eaf31fc0721fa8ea028db97b946e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17322\_lzma.pyd

Filesize
78KB

MD5
46d67da96f138f4c262b5649e9455667

SHA1
f54027def8acc20efaefce194073a6176d4d165b

SHA256
f93a0281dbb55365d88da9056a0325366707915e871e97ec9b04f0fd7380388c

SHA512
7139e9721d00e5fedee1b54e934def01143f0bec83512024097a24953c96b14aed212dabcf3dce7bf057f974adfafc6d833587b61e39ec3f23a799ce1e27e8b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17322\_multiprocessing.pyd

Filesize
23KB

MD5
ce59477f60e6b50c186e4c4d8da1cfb2

SHA1
62c994e08d01da75d4ae30924883ed50f2f41311

SHA256
73895f78479d2cbfddab46d5834f8dba5b5f47db06c76b30ae80c491ac549b14

SHA512
f1fbcfda19e4724d22c69b1f6e561f1bf1a5e43a6e42a53d55fc99dea6960d63d708816acda23bf140fa7d8842a2401bf52051b69f55b1861dfaabdbbb00de3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17322\_overlapped.pyd

Filesize
27KB

MD5
321bdae62c3116a7f27d6b334c1c7503

SHA1
c1cf798aa47fc05a58ace5a7588d11982db6ff96

SHA256
359720ad495f7a642f3bf8d0bd78162e43129945d93528a646343e76e25f3376

SHA512
a5c10ba6eccc7493581571c7a58805b2ddf4f09c5ad206c4f306ec2d8e3be9f5d0922e8aacdfb355e009e4be3ce7fd0e8f8361a023bee7e49a707e6d549165ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17322\_queue.pyd

Filesize
23KB

MD5
c5c96485a28fa9d14fc0e13452aac7d3

SHA1
a76c3ef8d114e4f054aa610438cbff24f64b3af2

SHA256
9a12713b5b599fb54a4d4d5e26e308211ea4e83a80694785fbe49f0f0f38c200

SHA512
598ee000e406de0a117d90e243349ca8a67bff1c100a337f2e3d2555a8f558c9cc7f019f4553c477f835faee12012b23f366dc99c57476725938ec78463a287d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17322\_socket.pyd

Filesize
37KB

MD5
6bc85837f1e6a09d681148acecbf9680

SHA1
8b99431cd6fbd4808e21637d93b9c033ba9d418e

SHA256
7516fb2e823d35d4d1e39860bf72571b6304784e50c30de70b83ae8069576b98

SHA512
232be1b9aed9d5ef677c47ef955096d5d3c6d4d3b675ed441e0d68de9c224693abd658f6005a6ffe833f67ff171b5cc6c66d1b50a0e3bd6335fbcfb4562fb855

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17322\_sqlite3.pyd

Filesize
43KB

MD5
1574993abb6562a078e109a7ca33ce1f

SHA1
2a5e0ce426658a15898a4d0f7f707eed62db0cb0

SHA256
c63eb9a95a8486abf44eabd2f52f449d3e02331aaa8f5f207c56075928694b4f

SHA512
b3cb0ee408668521ddbb244d016a2d1158c3c53b4c5a6f87b0b65ec3ffea9b6d4ef8b3a928c72f88512b382b43d4dccaa6767faef950fe2ba2d9c47400e9b52c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17322\_ssl.pyd

Filesize
56KB

MD5
87b080de98ac9af0f29b42455f6bd55b

SHA1
d8e14f19284db6e5a38a563b2ad19e964ea6389c

SHA256
b880bb35724ec733d834918b1a02488d5f6034b6df9e1c3961f8e82b8eadd6f8

SHA512
e16cac459b16b0ee52eed5d44c5cbfc60c917d462cde4fe6b65e4aba495d2704b839a4c0a62446220d79993c531efb404872c2555d5fc5f3e52a2211cdb5d42c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17322\_uuid.pyd

Filesize
21KB

MD5
954767d0bc7124d947b29991dee2ad2e

SHA1
b50ec8a88ed8c6df6cde99c561f1ec04e1bf72a5

SHA256
661f277751684b612708b21afad5ac70a00094774185f1f5d32981d72e6a922e

SHA512
2f6990676f731c112479e453feac6069388fb0068ee57ef756f2fc8e5dd7b5951d14cddadf14773684d045eba99f99f39b0bdbd25d021fb5a9d0abca36707c01

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17322\base_library.zip

Filesize
1.4MB

MD5
83d235e1f5b0ee5b0282b5ab7244f6c4

SHA1
629a1ce71314d7abbce96674a1ddf9f38c4a5e9c

SHA256
db389a9e14bfac6ee5cce17d41f9637d3ff8b702cc74102db8643e78659670a0

SHA512
77364aff24cfc75ee32e50973b7d589b4a896d634305d965ecbc31a9e0097e270499dbec93126092eb11f3f1ad97692db6ca5927d3d02f3d053336d6267d7e5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17322\certifi\cacert.pem

Filesize
284KB

MD5
181ac9a809b1a8f1bc39c1c5c777cf2a

SHA1
9341e715cea2e6207329e7034365749fca1f37dc

SHA256
488ba960602bf07cc63f4ef7aec108692fec41820fc3328a8e3f3de038149aee

SHA512
e19a92b94aedcf1282b3ef561bd471ea19ed361334092c55d72425f9183ebd1d30a619e493841b6f75c629f26f28dc682960977941b486c59475f21cf86fff85

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17322\charset_normalizer\md.cp311-win32.pyd

Filesize
8KB

MD5
5242622c9818ff5572c08d3f9f96ea07

SHA1
f4c53ef8930a2975335182ad9b6c6a2ab3851362

SHA256
85f6e0b522d54459e7d24746054d26ba35ea4cc8505a3dd74a2bf5590f9f40fc

SHA512
c2ef2a5632eb42b00756bee9ffb00e382cbc1b0c6578243f3f1fe48eff18a1033187a5d7bf8bda4d9cf8d6cb4131ca37c47d8238ff264e1b1c496b16740b79a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17322\charset_normalizer\md__mypyc.cp311-win32.pyd

Filesize
31KB

MD5
5cc80e3524e7f2d527c3975ae6a33023

SHA1
a52f046a8e22ed3423ce593af054a818ed17ebd7

SHA256
34e63fec44c046a04919318da4a5fc03d60129b98700bf05031ce79138e16173

SHA512
03516aada3c5765bc93f1a3cd6aeda5d2e4fed2754e5dcf9e85ee6c550d59df8f31d857c823099952bd5bf01eb87ed442904ba6e610ba6133f856bc9be1c294f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17322\libcrypto-1_1.dll

Filesize
753KB

MD5
6421999ea13d5f297f22ef8eef29fe31

SHA1
c9f15b019aa713139fe26bbf9785caa0907fadcf

SHA256
0949a87e831c31bc3026955464a284c146e60f72259162010359d907f428ec08

SHA512
c04aecc06ef49d8a01f8981d8f73e93dde8e3657d02a3b27e30dd774cf02d906d644550ab544e953bd3c76da09f1f4e5b161168980324f4969f6335c02c50e4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17322\libffi-8.dll

Filesize
23KB

MD5
94556ab9b5f0d6d477b398c20cef07c7

SHA1
7cbfa2113e72634469a4269d94bd061a1b5a10c1

SHA256
404b335635242902f7f40faef4e8b06c87ab9c1ab72a678f9cc7ee9123434e8d

SHA512
951ce66561d5e94087db0753b80437f1b80e64761ea2d446072e269b61efa565d45eb69749d7421155d068ddc249ddfbea32d50d78fb5a290518452c18be56f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17322\libssl-1_1.dll

Filesize
171KB

MD5
9896fff63f66bc1460c5e54f76d33cd8

SHA1
79e06ca99af768cc34ff628d10ed3e19dd8ea293

SHA256
91897a78a7fcb08e02830aefb091ff2a652258cc7dbcc233da3bec69ab9f5d20

SHA512
ebfb6a7644deed6e88e7cee837bc425f841bd8f098a47e6730a2decdd7a254c45638b405caac76e7b8121a6ebdbf70d0fdcfa35b4b002162da06ecea990c4ef2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17322\luna.aes

Filesize
80KB

MD5
8fe2983a71d4ab40c890eaca70e13172

SHA1
f65d1902ae135d7c18d73ddde5ae1db1e52265a3

SHA256
ebc082e1176df4e4977eaa5d1fdf843451d47e113d188c4a236d38c7655f7a67

SHA512
d1fccfc08d642ca4cbeb26b17b6cacc87a0cd8d709e367a36b359442a02a46145acd72593c0ede1e112e665dc8c972f34d9486d15890968698fef9d6f876d698

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17322\psutil\_psutil_windows.pyd

Filesize
26KB

MD5
6b47ad2f1d2d596ff3e5049ce573aba4

SHA1
2f9185b8f4053f079c9c2e8c7f7b1c94b1d535b1

SHA256
95cd5959d8d223b450a9b11dc785902153b886b45b87f919c03de05023905344

SHA512
076b8efd29f0b37feaf584c3c15a342edeade709787c28e72aad7ba9dd9b7465b67f5e6d783ebbb824a55a6be2f0071da84852367ac3412004c8f6cda737a1c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17322\pyexpat.pyd

Filesize
70KB

MD5
1313ea9ab904586436e33610d8c9f44f

SHA1
f6940cfc61e5031aa38721a6dc72520c69732b28

SHA256
4bdc17cc218b1061ebb944b0ae14b829a3e721cb251d3fb1e5ce43ed5e912f95

SHA512
02590012ea405158c38c9995f5d46bc6e08c0831380f0830578f04295195a3db127f79b504575b613358e19a59071f1a211ba10d6d592a390e917f550d670766

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17322\python3.DLL

Filesize
63KB

MD5
3a7aa7235f582933b181ae4e991fdba0

SHA1
eee530f6e8fbd0f7b9003c17ce87b0d3eb83de74

SHA256
711285652a92e4e1889289b757f405eac7c77bb114f4c325a67a1f89442d3889

SHA512
257c7bf955ef5ba005676dda7eefed22ed25085246ce9daa563c45732c45028f2cdf50c63fefa0391fd65878087c693fcacedfa926a788c8f6e40ed608712d05

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17322\python311.dll

Filesize
1.4MB

MD5
3d60b8eacb3ed11961f14e387c1f671c

SHA1
75cf19edd3a3ec83888bac580f030e73cc476c86

SHA256
ca98918c3d9f4b3044921c55492cec0d3985198ba6dedb522fef6ead3107d339

SHA512
f78cc93159fb4995e78a028bfd084d9c81d6d60ce06f945712245b29cb615abdf29da66f97f81964c75e72b0c7af5b67a1d5a75540448a9bc6e22ef4c7824ef7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17322\pywin32_system32\pythoncom311.dll

Filesize
132KB

MD5
e703a33afae7dc61cf6f9a39fd126aca

SHA1
5b8bb661d5d6621240d12b262c7c9776824dad76

SHA256
1fce44ae5726fbc01b334314fdb073383bf6d618eac099d9bc48360f93746034

SHA512
e60a93cecae5b0bbbd988b6449d170526b6fb8d28bd21babb5a052fc039adc669b39934a23f32033ae050caa583a7fcb08985f94ec500da0fe2af9b33b925938

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17322\pywin32_system32\pywintypes311.dll

Filesize
53KB

MD5
365f88a897d8e1204270bce69fb5fd07

SHA1
3a2d31b7048e949231e6eae2f4fe6c6c42036e46

SHA256
7c00cc78c48b5062e8ebc6af8b33cc8ddcfc697ecc2cbb52cc78ef9faf507dda

SHA512
fa60173f770025e655c23cfc935dcca15325f6e47b625ba5ec48fea31747b0a0179e3701fd1fa09182466dd4df27083d62f7560d9867b89ce822a8bcde0491a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17322\select.pyd

Filesize
23KB

MD5
9f60cb1aa23f317ba64447fe245580c3

SHA1
1a0f4752dddd6f3cf787f6b1f801b0ac127a9131

SHA256
a4494d2abf8575382442ddbaf8b23694ba3664973a6a07de616481d03e2eb945

SHA512
290f83437efb691c7ec1ffc67f2a04e91f1e9989a38090f7a473fdeef0bb088405ea6a3f58139cbff5bb34d401cc64566403975b9c471353f3de1a38b38c6a79

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17322\sqlite3.dll

Filesize
496KB

MD5
d1289da839810ef0a32a7c389a80a5ec

SHA1
206e5fd752c66d79137ced386e5ec2c37706d0f0

SHA256
5d293d62fdb6a1d5cbb4a7962b5f8cc6758eb4b80bb043352c2903b5197d1c7c

SHA512
f6e7dfd09f8ffaaa3e920ed3af78ba85644b770677ed84041f532992cefa6dba73fc716c648141bbb9e544fb44062ebff4cd1334a93d10917a3ec013cb90c2e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17322\unicodedata.pyd

Filesize
291KB

MD5
3e2386a5546151ce8a73cd5801d3133d

SHA1
b8428fb05c2fc41c5eb594c6b26f6091787fa90e

SHA256
621be8a146e3c260fe5a6dd8f282f047804a0d10c2389026fddb4c80d122a6f9

SHA512
d62bca86837488bd4fa5bd05fcc60bb1889d8d5a8ef48a2d4e08a44a484bcdf44fd5b2f7fe25b77a7c781fa0df0c631203b0a490a4642b2cf9088c7169d51cff

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17322\win32\win32api.pyd

Filesize
37KB

MD5
9b1b6850d25e6b26ffc8a066cdd4eaa0

SHA1
5c60906e7c0aba45b7fde7060305773c6a0f2d0f

SHA256
c3427ebc66696ef26ec680296ef58a1da08d32d398884935ce2ed6c8cdc5c61b

SHA512
0d2a0815e5fea244d0886e3347b2ae20bd3da99b1264a69415b1d3c1db6d5e2473a6d702028823d2a34a9514c3a842236edb4b973fc310268fbbb18f3752dfa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17322\zstandard\backend_c.cp311-win32.pyd

Filesize
141KB

MD5
3d4f4afe0a31031f88ffae9a13fcc3fe

SHA1
9ff9f7c981c291d44a8301bf8143954482e3f1ef

SHA256
4e52dce101596c5a36fd2fdeb09f6c66c02813405f41578e9e17c31b5f7c27c2

SHA512
9ababe7cbe5d54930cc6f157f6fffb4a869a6235f6dbdf78a55f85572ad5ab1e1a43ff4491ed1ae4b06c3c605d9413d635f9d7595baf17ee336ff8cd3e78902f

Download Submit
C:\Users\Admin\AppData\Local\Temp\or06f4G8OA\Browser\cc's.txt

Filesize
91B

MD5
5aa796b6950a92a226cc5c98ed1c47e8

SHA1
6706a4082fc2c141272122f1ca424a446506c44d

SHA256
c4c83da3a904a4e7114f9bd46790db502cdd04800e684accb991cd1a08ee151c

SHA512
976f403257671e8f652bf988f4047202e1a0fd368fdb2bab2e79ece1c20c7eb775c4b3a8853c223d4f750f4192cd09455ff024918276dc1dd1442fa3b36623ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\or06f4G8OA\Browser\history.txt

Filesize
23B

MD5
5638715e9aaa8d3f45999ec395e18e77

SHA1
4e3dc4a1123edddf06d92575a033b42a662fe4ad

SHA256
4db7f6559c454d34d9c2d557524603c3f52649c2d69b26b6e8384a3d179aeae6

SHA512
78c96efab1d941e34d3137eae32cef041e2db5b0ebbf883e6a2effa79a323f66e00cfb7c45eb3398b3cbd0469a2be513c3ff63e5622261857eefc1685f77f76b

Download Submit
C:\Users\Admin\AppData\Local\Temp\or06f4G8OA\Common Files\ConfirmMove.docx

Filesize
19KB

MD5
c9b840747cfd0b27b54e52bc9c21c7e1

SHA1
7150583387a79f87ed330880c7fa48a0110ef746

SHA256
81e4d24bc4cdf9fe4c601d2a689573b5890d325289ff9f8476e67fc0b7800746

SHA512
e116c6a2eeb860efc45e653b62ce1949336e1f4cf2c58c561abb98b69989dde3cbac9f6cec9173a681859bfa0f167e235cfd9b58a757d7c0e58a7b645c03de18

Download Submit
C:\Users\Admin\AppData\Local\Temp\or06f4G8OA\Common Files\ExpandOpen.csv

Filesize
577KB

MD5
222a2631621247dc2029928e133f36af

SHA1
84bab3eeacceb64507cc893a5aee679b3b97132b

SHA256
bcdc7c3fc7db83a98987b7d5f36cb294d78f3e85d06acd817a7ab14507e729b9

SHA512
30c4478d3469fa112cc2c264f7fe197cfe62b3549ec7dd88a6c1268da748dcbef1c308b2d6a7510359d812ceab6973576595fc56e54acffd00dd54ce592c86f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\or06f4G8OA\Common Files\ExportReset.txt

Filesize
609KB

MD5
a5e1fc84d6a06379744e6cb2787ff221

SHA1
f0496db9fc1503fe448aa29277c53f8af2bdc7b0

SHA256
49a4fafd8466c301ebc260774c9bd4b4b090e97d6b9f1dc66f97206d64281031

SHA512
5fa1285630fc09031edf6e5647f52c5b90a7fb627617ce52cbd8cc4c2f6096d15d4903d406259c2e1f110cd7698c19fe6471cb9c5df933d53f7833f3b3d2c3d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\or06f4G8OA\Common Files\MeasureRedo.ods

Filesize
512KB

MD5
644c841076b6682381fdd94faf07e46b

SHA1
e35f26eadfab297ace2c5f6a1045f0278295b455

SHA256
577155069f593f4fc2195ea2c9b948d22434993664124038199a23be0f897d19

SHA512
cbc465aa887a26859e043db79cdeed8400b0897aba568de938d2d168ad2a5d2f1ab7d36ec88b3ac3bb8926b4c7c2340c15c43915edeb7753fe49584692526875

Download Submit
C:\Users\Admin\AppData\Local\Temp\or06f4G8OA\Common Files\RemovePush.txt

Filesize
551KB

MD5
b14ce216fc255a0f0d5c744f6ca6da6b

SHA1
7f16c3abe632cbf03e392601fefa764bc497f4d0

SHA256
ba642d744025a19a799304ffdf94d1c2eab0eb86427c5f8214c725787510e51c

SHA512
e562582963a600cb68df3255d97fbeb809e291f78a96d5bce9c0e66870e2e948bff7a1457e90acbaa2443acc8f8d52eea093aa67193352cc342fc0c6d6a91bc0

Download Submit
memory/2724-813-0x00000000746A0000-0x00000000748FA000-memory.dmp

Filesize
2.4MB

Download
memory/2724-832-0x00000000739F0000-0x0000000073BE6000-memory.dmp

Filesize
2.0MB

Download
memory/2724-778-0x0000000074900000-0x0000000074994000-memory.dmp

Filesize
592KB

Download
memory/2724-777-0x00000000749A0000-0x00000000749C8000-memory.dmp

Filesize
160KB

Download
memory/2724-781-0x00000000746A0000-0x00000000748FA000-memory.dmp

Filesize
2.4MB

Download
memory/2724-782-0x0000000004410000-0x000000000466A000-memory.dmp

Filesize
2.4MB

Download
memory/2724-784-0x0000000074680000-0x0000000074692000-memory.dmp

Filesize
72KB

Download
memory/2724-787-0x0000000074670000-0x000000007467F000-memory.dmp

Filesize
60KB

Download
memory/2724-786-0x0000000075060000-0x0000000075087000-memory.dmp

Filesize
156KB

Download
memory/2724-769-0x0000000075110000-0x000000007561B000-memory.dmp

Filesize
5.0MB

Download
memory/2724-790-0x0000000074590000-0x0000000074602000-memory.dmp

Filesize
456KB

Download
memory/2724-793-0x0000000074580000-0x0000000074590000-memory.dmp

Filesize
64KB

Download
memory/2724-792-0x0000000075010000-0x0000000075026000-memory.dmp

Filesize
88KB

Download
memory/2724-771-0x0000000074F80000-0x0000000074FA7000-memory.dmp

Filesize
156KB

Download
memory/2724-773-0x0000000074A10000-0x0000000074A34000-memory.dmp

Filesize
144KB

Download
memory/2724-798-0x0000000074540000-0x0000000074562000-memory.dmp

Filesize
136KB

Download
memory/2724-800-0x0000000074420000-0x0000000074539000-memory.dmp

Filesize
1.1MB

Download
memory/2724-772-0x0000000074EE0000-0x0000000074F80000-memory.dmp

Filesize
640KB

Download
memory/2724-764-0x0000000074FB0000-0x0000000074FBC000-memory.dmp

Filesize
48KB

Download
memory/2724-805-0x00000000743F0000-0x0000000074406000-memory.dmp

Filesize
88KB

Download
memory/2724-807-0x0000000074A10000-0x0000000074A34000-memory.dmp

Filesize
144KB

Download
memory/2724-761-0x0000000074FC0000-0x0000000074FCC000-memory.dmp

Filesize
48KB

Download
memory/2724-812-0x00000000741E0000-0x0000000074317000-memory.dmp

Filesize
1.2MB

Download
memory/2724-811-0x0000000074900000-0x0000000074994000-memory.dmp

Filesize
592KB

Download
memory/2724-810-0x00000000749A0000-0x00000000749C8000-memory.dmp

Filesize
160KB

Download
memory/2724-809-0x0000000074320000-0x000000007433B000-memory.dmp

Filesize
108KB

Download
memory/2724-815-0x00000000741A0000-0x00000000741D1000-memory.dmp

Filesize
196KB

Download
memory/2724-814-0x0000000004410000-0x000000000466A000-memory.dmp

Filesize
2.4MB

Download
memory/2724-818-0x0000000074130000-0x000000007413A000-memory.dmp

Filesize
40KB

Download
memory/2724-817-0x0000000074150000-0x000000007415A000-memory.dmp

Filesize
40KB

Download
memory/2724-816-0x0000000074680000-0x0000000074692000-memory.dmp

Filesize
72KB

Download
memory/2724-820-0x0000000074110000-0x000000007411D000-memory.dmp

Filesize
52KB

Download
memory/2724-819-0x0000000074120000-0x000000007412C000-memory.dmp

Filesize
48KB

Download
memory/2724-824-0x00000000740A0000-0x00000000740B0000-memory.dmp

Filesize
64KB

Download
memory/2724-823-0x00000000740B0000-0x00000000740BA000-memory.dmp

Filesize
40KB

Download
memory/2724-822-0x00000000740D0000-0x00000000740DA000-memory.dmp

Filesize
40KB

Download
memory/2724-821-0x0000000074590000-0x0000000074602000-memory.dmp

Filesize
456KB

Download
memory/2724-825-0x0000000074090000-0x000000007409A000-memory.dmp

Filesize
40KB

Download
memory/2724-827-0x0000000074060000-0x0000000074085000-memory.dmp

Filesize
148KB

Download
memory/2724-828-0x0000000074030000-0x0000000074047000-memory.dmp

Filesize
92KB

Download
memory/2724-826-0x0000000074540000-0x0000000074562000-memory.dmp

Filesize
136KB

Download
memory/2724-830-0x0000000073C60000-0x0000000074028000-memory.dmp

Filesize
3.8MB

Download
memory/2724-829-0x0000000074420000-0x0000000074539000-memory.dmp

Filesize
1.1MB

Download
memory/2724-776-0x00000000750C0000-0x00000000750DF000-memory.dmp

Filesize
124KB

Download
memory/2724-831-0x00000000743F0000-0x0000000074406000-memory.dmp

Filesize
88KB

Download
memory/2724-759-0x0000000075010000-0x0000000075026000-memory.dmp

Filesize
88KB

Download
memory/2724-757-0x0000000075030000-0x000000007505F000-memory.dmp

Filesize
188KB

Download
memory/2724-736-0x0000000075090000-0x00000000750A8000-memory.dmp

Filesize
96KB

Download
memory/2724-737-0x0000000075060000-0x0000000075087000-memory.dmp

Filesize
156KB

Download
memory/2724-732-0x00000000750B0000-0x00000000750BD000-memory.dmp

Filesize
52KB

Download
memory/2724-729-0x00000000750C0000-0x00000000750DF000-memory.dmp

Filesize
124KB

Download
memory/2724-721-0x0000000075110000-0x000000007561B000-memory.dmp

Filesize
5.0MB

Download
memory/2724-888-0x0000000074320000-0x000000007433B000-memory.dmp

Filesize
108KB

Download
memory/2724-890-0x00000000741E0000-0x0000000074317000-memory.dmp

Filesize
1.2MB

Download
memory/2724-897-0x00000000737E0000-0x00000000737EC000-memory.dmp

Filesize
48KB

Download
memory/2724-896-0x00000000741A0000-0x00000000741D1000-memory.dmp

Filesize
196KB

Download
memory/2724-901-0x0000000075110000-0x000000007561B000-memory.dmp

Filesize
5.0MB

Download
memory/2724-929-0x0000000075090000-0x00000000750A8000-memory.dmp

Filesize
96KB

Download
memory/2724-931-0x0000000074030000-0x0000000074047000-memory.dmp

Filesize
92KB

Download
memory/2724-930-0x0000000074060000-0x0000000074085000-memory.dmp

Filesize
148KB

Download
memory/2724-928-0x00000000750B0000-0x00000000750BD000-memory.dmp

Filesize
52KB

Download
memory/2724-927-0x00000000750C0000-0x00000000750DF000-memory.dmp

Filesize
124KB

Download
memory/2724-926-0x0000000075060000-0x0000000075087000-memory.dmp

Filesize
156KB

Download
memory/2724-925-0x00000000741A0000-0x00000000741D1000-memory.dmp

Filesize
196KB

Download
memory/2724-924-0x00000000741E0000-0x0000000074317000-memory.dmp

Filesize
1.2MB

Download
memory/2724-923-0x0000000074320000-0x000000007433B000-memory.dmp

Filesize
108KB

Download
memory/2724-922-0x00000000743F0000-0x0000000074406000-memory.dmp

Filesize
88KB

Download
memory/2724-921-0x0000000074420000-0x0000000074539000-memory.dmp

Filesize
1.1MB

Download
memory/2724-920-0x0000000074540000-0x0000000074562000-memory.dmp

Filesize
136KB

Download
memory/2724-919-0x0000000074580000-0x0000000074590000-memory.dmp

Filesize
64KB

Download
memory/2724-918-0x0000000074590000-0x0000000074602000-memory.dmp

Filesize
456KB

Download
memory/2724-917-0x0000000074670000-0x000000007467F000-memory.dmp

Filesize
60KB

Download
memory/2724-916-0x0000000074680000-0x0000000074692000-memory.dmp

Filesize
72KB

Download
memory/2724-915-0x00000000746A0000-0x00000000748FA000-memory.dmp

Filesize
2.4MB

Download
memory/2724-914-0x0000000074900000-0x0000000074994000-memory.dmp

Filesize
592KB

Download
memory/2724-913-0x00000000749A0000-0x00000000749C8000-memory.dmp

Filesize
160KB

Download
memory/2724-912-0x0000000074A10000-0x0000000074A34000-memory.dmp

Filesize
144KB

Download
memory/2724-911-0x0000000074EE0000-0x0000000074F80000-memory.dmp

Filesize
640KB

Download
memory/2724-910-0x0000000074F80000-0x0000000074FA7000-memory.dmp

Filesize
156KB

Download
memory/2724-909-0x0000000074FB0000-0x0000000074FBC000-memory.dmp

Filesize
48KB

Download
memory/2724-908-0x0000000074FC0000-0x0000000074FCC000-memory.dmp

Filesize
48KB

Download
memory/2724-907-0x0000000075010000-0x0000000075026000-memory.dmp

Filesize
88KB

Download
memory/2724-906-0x0000000075030000-0x000000007505F000-memory.dmp

Filesize
188KB

Download
memory/2724-934-0x00000000737E0000-0x00000000737EC000-memory.dmp

Filesize
48KB

Download
memory/2724-933-0x00000000739F0000-0x0000000073BE6000-memory.dmp

Filesize
2.0MB

Download
memory/2724-932-0x0000000073C60000-0x0000000074028000-memory.dmp

Filesize
3.8MB

Download