383039e73c92a8a99307d6c28896ce8e678cfeaacd52f6ab2dcd87ba0d05d5c3

Analysis

max time kernel
25s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
03-07-2023 16:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Windows-Build-for-Microsoft-Windows-Developers.exe
Size

100.3MB
MD5

3b8447945246a2eb5613000774acf43c
SHA1

af40fabcd5e1e6240e71d46ce5d5c88e2ba87d82
SHA256

383039e73c92a8a99307d6c28896ce8e678cfeaacd52f6ab2dcd87ba0d05d5c3
SHA512

c6b4395d98c633db1dcabb9c923d48fb556cd526a224cf727330e5823a23c7ebf878d97a2c2888939c2540efcfb34295ac170fb44e7e141fa2def685c578d411
SSDEEP

6144:eTouKrWBEu3/Z2lpGDHU3ykJSL7i/yO7zX:eToPWBv/cpGrU3yDL7myu

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Control Panel\International\Geo\Nation	Windows-Build-for-Microsoft-Windows-Developers.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Control Panel\International\Geo\Nation	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2396	SilentCMD.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates processes with tasklist 1 TTPs 64 IoCs

Process Discovery

T1057

pid	Process
4284	tasklist.exe
1216	tasklist.exe
2932	tasklist.exe
3080	tasklist.exe
1236	tasklist.exe
3892	tasklist.exe
492	tasklist.exe
560	tasklist.exe
864	tasklist.exe
1176	tasklist.exe
3752	tasklist.exe
3684	tasklist.exe
4756	tasklist.exe
1844	tasklist.exe
2776	tasklist.exe
3128	tasklist.exe
3120	tasklist.exe
2448	tasklist.exe
3964	tasklist.exe
1128	tasklist.exe
2012	tasklist.exe
5024	tasklist.exe
2660	tasklist.exe
1492	tasklist.exe
2176	tasklist.exe
1792	tasklist.exe
3956	tasklist.exe
672	tasklist.exe
4872	tasklist.exe
2492	tasklist.exe
3908	tasklist.exe
1788	tasklist.exe
1376	tasklist.exe
5028	tasklist.exe
2240	tasklist.exe
2888	tasklist.exe
2168	tasklist.exe
3752	tasklist.exe
4144	tasklist.exe
2516	tasklist.exe
4368	tasklist.exe
2108	tasklist.exe
1784	tasklist.exe
3636	tasklist.exe
4736	tasklist.exe
4100	tasklist.exe
4740	tasklist.exe
388	tasklist.exe
2220	tasklist.exe
1928	tasklist.exe
4728	tasklist.exe
4232	tasklist.exe
736	tasklist.exe
5068	tasklist.exe
4652	tasklist.exe
676	tasklist.exe
752	tasklist.exe
1320	tasklist.exe
2108	tasklist.exe
4492	tasklist.exe
1032	tasklist.exe
3740	tasklist.exe
1500	tasklist.exe
2920	tasklist.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
5068	taskkill.exe
2436	taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings	cmd.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4724	PING.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	5068	taskkill.exe
Token: SeDebugPrivilege	4100	tasklist.exe
Token: SeDebugPrivilege	672	tasklist.exe
Token: SeDebugPrivilege	2108	tasklist.exe
Token: SeDebugPrivilege	3752	tasklist.exe
Token: SeDebugPrivilege	4652	tasklist.exe
Token: SeDebugPrivilege	2920	tasklist.exe
Token: SeDebugPrivilege	1128	tasklist.exe
Token: SeDebugPrivilege	1948	tasklist.exe
Token: SeDebugPrivilege	4284	tasklist.exe
Token: SeDebugPrivilege	3892	tasklist.exe
Token: SeDebugPrivilege	492	tasklist.exe
Token: SeDebugPrivilege	560	tasklist.exe
Token: SeDebugPrivilege	2516	tasklist.exe
Token: SeDebugPrivilege	864	tasklist.exe
Token: SeDebugPrivilege	4368	tasklist.exe
Token: SeDebugPrivilege	1376	tasklist.exe
Token: SeDebugPrivilege	4492	tasklist.exe
Token: SeDebugPrivilege	4740	tasklist.exe
Token: SeDebugPrivilege	1216	tasklist.exe
Token: SeDebugPrivilege	3684	tasklist.exe
Token: SeDebugPrivilege	4216	tasklist.exe
Token: SeDebugPrivilege	388	tasklist.exe
Token: SeDebugPrivilege	1492	tasklist.exe
Token: SeDebugPrivilege	2220	tasklist.exe
Token: SeDebugPrivilege	4728	tasklist.exe
Token: SeDebugPrivilege	4232	tasklist.exe
Token: SeDebugPrivilege	1928	tasklist.exe
Token: SeDebugPrivilege	2932	tasklist.exe
Token: SeDebugPrivilege	1032	tasklist.exe
Token: SeDebugPrivilege	736	tasklist.exe
Token: SeDebugPrivilege	3740	tasklist.exe
Token: SeDebugPrivilege	3128	tasklist.exe
Token: SeDebugPrivilege	1500	tasklist.exe
Token: SeDebugPrivilege	2168	tasklist.exe
Token: SeDebugPrivilege	2176	tasklist.exe
Token: SeDebugPrivilege	5068	tasklist.exe
Token: SeDebugPrivilege	5028	tasklist.exe
Token: SeDebugPrivilege	4872	tasklist.exe
Token: SeDebugPrivilege	4756	tasklist.exe
Token: SeDebugPrivilege	3196	tasklist.exe
Token: SeDebugPrivilege	2108	tasklist.exe
Token: SeDebugPrivilege	3752	tasklist.exe
Token: SeDebugPrivilege	1844	tasklist.exe
Token: SeDebugPrivilege	676	tasklist.exe
Token: SeDebugPrivilege	752	tasklist.exe
Token: SeDebugPrivilege	2240	tasklist.exe
Token: SeDebugPrivilege	3120	tasklist.exe
Token: SeDebugPrivilege	2012	tasklist.exe
Token: SeDebugPrivilege	1320	tasklist.exe
Token: SeDebugPrivilege	5024	tasklist.exe
Token: SeDebugPrivilege	2492	tasklist.exe
Token: SeDebugPrivilege	1792	tasklist.exe
Token: SeDebugPrivilege	2776	tasklist.exe
Token: SeDebugPrivilege	4144	tasklist.exe
Token: SeDebugPrivilege	2448	tasklist.exe
Token: SeDebugPrivilege	1784	tasklist.exe
Token: SeDebugPrivilege	3964	tasklist.exe
Token: SeDebugPrivilege	4736	tasklist.exe
Token: SeDebugPrivilege	2660	tasklist.exe
Token: SeDebugPrivilege	3908	tasklist.exe
Token: SeDebugPrivilege	1788	tasklist.exe
Token: SeDebugPrivilege	1176	tasklist.exe
Token: SeDebugPrivilege	2164	tasklist.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5076 wrote to memory of 3576	5076	Windows-Build-for-Microsoft-Windows-Developers.exe	80
PID 5076 wrote to memory of 3576	5076	Windows-Build-for-Microsoft-Windows-Developers.exe	80
PID 5076 wrote to memory of 3576	5076	Windows-Build-for-Microsoft-Windows-Developers.exe	80
PID 3576 wrote to memory of 5068	3576	cmd.exe	83
PID 3576 wrote to memory of 5068	3576	cmd.exe	83
PID 3576 wrote to memory of 5068	3576	cmd.exe	83
PID 3576 wrote to memory of 4944	3576	cmd.exe	85
PID 3576 wrote to memory of 4944	3576	cmd.exe	85
PID 3576 wrote to memory of 4944	3576	cmd.exe	85
PID 3576 wrote to memory of 1804	3576	cmd.exe	87
PID 3576 wrote to memory of 1804	3576	cmd.exe	87
PID 3576 wrote to memory of 1804	3576	cmd.exe	87
PID 3576 wrote to memory of 4724	3576	cmd.exe	89
PID 3576 wrote to memory of 4724	3576	cmd.exe	89
PID 3576 wrote to memory of 4724	3576	cmd.exe	89
PID 4944 wrote to memory of 2396	4944	cmd.exe	90
PID 4944 wrote to memory of 2396	4944	cmd.exe	90
PID 2396 wrote to memory of 3416	2396	SilentCMD.exe	91
PID 2396 wrote to memory of 3416	2396	SilentCMD.exe	91
PID 1804 wrote to memory of 3200	1804	cmd.exe	93
PID 1804 wrote to memory of 3200	1804	cmd.exe	93
PID 1804 wrote to memory of 3200	1804	cmd.exe	93
PID 3416 wrote to memory of 2712	3416	cmd.exe	94
PID 3416 wrote to memory of 2712	3416	cmd.exe	94
PID 2712 wrote to memory of 4100	2712	cmd.exe	95
PID 2712 wrote to memory of 4100	2712	cmd.exe	95
PID 3416 wrote to memory of 4200	3416	cmd.exe	96
PID 3416 wrote to memory of 4200	3416	cmd.exe	96
PID 4200 wrote to memory of 672	4200	cmd.exe	97
PID 4200 wrote to memory of 672	4200	cmd.exe	97
PID 3416 wrote to memory of 3172	3416	cmd.exe	98
PID 3416 wrote to memory of 3172	3416	cmd.exe	98
PID 3172 wrote to memory of 2108	3172	cmd.exe	99
PID 3172 wrote to memory of 2108	3172	cmd.exe	99
PID 3416 wrote to memory of 2336	3416	cmd.exe	100
PID 3416 wrote to memory of 2336	3416	cmd.exe	100
PID 2336 wrote to memory of 3752	2336	cmd.exe	101
PID 2336 wrote to memory of 3752	2336	cmd.exe	101
PID 3416 wrote to memory of 3580	3416	cmd.exe	102
PID 3416 wrote to memory of 3580	3416	cmd.exe	102
PID 3580 wrote to memory of 4652	3580	cmd.exe	103
PID 3580 wrote to memory of 4652	3580	cmd.exe	103
PID 3416 wrote to memory of 4572	3416	cmd.exe	104
PID 3416 wrote to memory of 4572	3416	cmd.exe	104
PID 4572 wrote to memory of 2920	4572	cmd.exe	105
PID 4572 wrote to memory of 2920	4572	cmd.exe	105
PID 3416 wrote to memory of 1752	3416	cmd.exe	106
PID 3416 wrote to memory of 1752	3416	cmd.exe	106
PID 1752 wrote to memory of 1128	1752	cmd.exe	107
PID 1752 wrote to memory of 1128	1752	cmd.exe	107
PID 3416 wrote to memory of 2916	3416	cmd.exe	108
PID 3416 wrote to memory of 2916	3416	cmd.exe	108
PID 2916 wrote to memory of 1948	2916	cmd.exe	109
PID 2916 wrote to memory of 1948	2916	cmd.exe	109
PID 3416 wrote to memory of 4396	3416	cmd.exe	110
PID 3416 wrote to memory of 4396	3416	cmd.exe	110
PID 4396 wrote to memory of 4284	4396	cmd.exe	111
PID 4396 wrote to memory of 4284	4396	cmd.exe	111
PID 3416 wrote to memory of 4848	3416	cmd.exe	112
PID 3416 wrote to memory of 4848	3416	cmd.exe	112
PID 4848 wrote to memory of 3892	4848	cmd.exe	113
PID 4848 wrote to memory of 3892	4848	cmd.exe	113
PID 3416 wrote to memory of 2528	3416	cmd.exe	114
PID 3416 wrote to memory of 2528	3416	cmd.exe	114

C:\Users\Admin\AppData\Local\Temp\Windows-Build-for-Microsoft-Windows-Developers.exe
"C:\Users\Admin\AppData\Local\Temp\Windows-Build-for-Microsoft-Windows-Developers.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5076
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Windows Build for Microsoft Windows Developers\launcher.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3576
- - C:\Windows\SysWOW64\taskkill.exe
    TASKKILL /IM wscript.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5068
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /K startwscript.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4944
  - - C:\Users\Admin\AppData\Local\Temp\Windows Build for Microsoft Windows Developers\SilentCMD.exe
      SilentCMD wscript.bat
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2396
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""wscript.bat""
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3416
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2712
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:4100
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4200
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:672
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3172
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2108
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2336
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:3752
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3580
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:4652
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4572
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2920
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1752
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1128
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2916
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1948
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4396
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:4284
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4848
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:3892
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:2528
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:492
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:3488
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:560
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:1536
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2516
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:4276
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:864
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:4948
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:4368
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:4336
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1376
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:708
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:4492
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:1336
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:4740
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:4084
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1216
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:4404
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:3684
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:1372
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4216
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:2820
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:388
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:3788
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1492
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:3044
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2220
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:452
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:4728
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:4380
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:4232
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:3484
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1928
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:4984
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2932
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:2936
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1032
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:3268
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:736
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:2436
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:3740
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:1236
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:3128
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:3948
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1500
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:2564
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2168
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:4824
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2176
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:4156
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:5068
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:1384
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:5028
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:32
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:4872
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:1672
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:4756
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:3928
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3196
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:4076
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2108
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:3600
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:3752
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:2772
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1844
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:2040
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:676
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:896
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:752
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:3028
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2240
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:1396
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:3120
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:2072
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2012
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:3760
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1320
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:4252
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:5024
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:4180
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2492
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:3736
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1792
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:1644
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2776
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:3808
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:4144
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:4336
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2448
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:708
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1784
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:1336
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:3964
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:4084
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:4736
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:4404
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2660
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:1372
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:3908
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:2820
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1788
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:3788
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1176
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:3044
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2164
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:452
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        
        PID:3328
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:4380
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Enumerates processes with tasklist
        
        PID:2888
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:3484
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Enumerates processes with tasklist
        
        PID:3080
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:4984
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Enumerates processes with tasklist
        
        PID:3636
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:2936
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Enumerates processes with tasklist
        
        PID:3956
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:3268
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        
        PID:1192
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:3944
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Enumerates processes with tasklist
        
        PID:1236
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /K dialog.bat
    3⤵
    - Checks computer location settings
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1804
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Windows Build for Microsoft Windows Developers\redscreendialog.vbs"
      4⤵
      PID:3200
- - C:\Windows\SysWOW64\PING.EXE
    ping localhost -n 20
    3⤵
    - Runs ping.exe
    PID:4724
- - C:\Windows\SysWOW64\taskkill.exe
    TASKKILL /IM svchost.exe /F
    3⤵
    - Kills process with taskkill
    PID:2436

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Windows Build for Microsoft Windows Developers\SilentCMD.exe

Filesize
14KB

MD5
341bf386e067095bb17b875a451c96f2

SHA1
d2cd382f512d096049fcc850ef17e26d12c5e51b

SHA256
2d2ee85092147f08db4ab93b2952e42a971c6c7491985419ac375feda8674c60

SHA512
72b983f16ec4688434790ae662570f1ac0cafc9f6b2264f177ea5fed79b9bd568c996ee3ea8d774851ea3abfb578a8b2533b1d3286c261fce3ed96e2a241c64e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Windows Build for Microsoft Windows Developers\SilentCMD.exe

Filesize
14KB

MD5
341bf386e067095bb17b875a451c96f2

SHA1
d2cd382f512d096049fcc850ef17e26d12c5e51b

SHA256
2d2ee85092147f08db4ab93b2952e42a971c6c7491985419ac375feda8674c60

SHA512
72b983f16ec4688434790ae662570f1ac0cafc9f6b2264f177ea5fed79b9bd568c996ee3ea8d774851ea3abfb578a8b2533b1d3286c261fce3ed96e2a241c64e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Windows Build for Microsoft Windows Developers\SilentCMD.exe.config

Filesize
1KB

MD5
21d29cb345f3cce1fed75f560cf3e88d

SHA1
62672ad278a74617c9e94770cc2cd751b6129f8f

SHA256
dda25a37e941569c6b1cad3f073e2e6694a77397acc44c020b90f42223a6192d

SHA512
4a63de5c86f2582f2511f76ed0b2e7854e68f7da5bc7cf7c367fe060f2b9196e0ae5fb26f43cb748d13f70a062aad58681a22d5b546b8a1bfa119fce25e8c564

Download Submit
C:\Users\Admin\AppData\Local\Temp\Windows Build for Microsoft Windows Developers\bluescreen.bat

Filesize
27B

MD5
185c6a1a6a67aa56376895e9af1c844c

SHA1
554f3bd4b28be7417a7110ae53fb9b2020ec5849

SHA256
088b26648dea20201ae89c10eb3f6ceb854a6059a43af918bfb654cbe8b07f3f

SHA512
465f688c6bc666c954b5dc3c45c8bd3f8340f23c1f21ec75e07cbc6c0e12009c57ad293eb0cecc54d1904fd9f7407a2efec8021d2bcfd935668400d7426de51c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Windows Build for Microsoft Windows Developers\dialog.bat

Filesize
36B

MD5
86a7e4cd6aae2fac61a762594e3866ff

SHA1
66c2e08e3a95da98f875d4cca8fd7b53ed9cbcdb

SHA256
1fa5665c513a15b3f2e95e051e68be430923cbd13e0d82e91f2d110945031d6c

SHA512
2d2acc68982dbe099c6ec7231b6d75475c72e70345152c617636b6240dca2a7587ba36a731b9b769bb901e756fda3168210b88bbcff082f10a2cdc8a7883587a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Windows Build for Microsoft Windows Developers\launcher.bat

Filesize
124B

MD5
66e69e7cce25138db2e0172992f97bf0

SHA1
d9575eb2ab7d71858851f5abbe61d30f07b5962d

SHA256
3534f4c44e447889ecc4d9f1c0b5979656ce15dd83dab30ee8c3eb329a3b5959

SHA512
3c0c90bb7f7c296a6eefaf4fd9ca36f9b422d48374fa647034e5af8af9101e2699239f7c15c903d5b7849bf4da321b8d3a4ae53f4cb90ee51c3de15677330e23

Download Submit
C:\Users\Admin\AppData\Local\Temp\Windows Build for Microsoft Windows Developers\redscreendialog.vbs

Filesize
351B

MD5
9f5a59c103bfe22675f7c01c5632073e

SHA1
beeddab4e5ce2899ffe4afbf8e83cec5bd81d745

SHA256
25bcd776b3deb311d552f9fb68df501bcd29fde516fbaeb294a449a66b914847

SHA512
556f5bb1ab8defc38433079e4488285e5631f798eb287e122418bd5b626e4565a906a80a9638a07d420f95f2cc6633a2560e3adbde4068bf57069f8c0b493aef

Download Submit
C:\Users\Admin\AppData\Local\Temp\Windows Build for Microsoft Windows Developers\startwscript.bat

Filesize
32B

MD5
cd726bffa3cbe837642053c6ebce95e4

SHA1
efaa3b2df8b364cd7906df4da3aeed4526404938

SHA256
6f2e6de7768930939aa095a765317f4299207546736a25ada9980de8b96ee615

SHA512
2263a8fe6b41f87ae4a906222b2c02707ce2c94261d9546634f4d40de8535963bc5623a7713e37e87dc97220a9f5f5b295df6e3f86502cf7a7cb66dfa127c987

Download Submit
C:\Users\Admin\AppData\Local\Temp\Windows Build for Microsoft Windows Developers\wscript.bat

Filesize
264B

MD5
37ac819f7802526a269a002c902e7e6a

SHA1
8d6665b468a8ac939b209b9ac77e8a702291546a

SHA256
e9161dffa009d79c6ade356bc2d41e1968cecc90f9fcd993b492d7787ef02163

SHA512
19cee76c31cbe0a7ccd0532172ed7f03fd30dc4a7a59f0bf3e37b168e48ef7a16eabc9183f0a6482ff11af0c6fe87aca4b3df79929dbf686087c5720b7839d21

Download Submit
memory/2396-165-0x0000000000300000-0x000000000030A000-memory.dmp

Filesize
40KB

Download
memory/2396-169-0x00000000023A0000-0x00000000023B0000-memory.dmp

Filesize
64KB

Download