Analysis Overview
SHA256
7407aaf1912fe74b954790db86481e9f71b69d9ceb5da210366052c64cdf295a
Threat Level: Known bad
The file ttd_scam_tool_api.exe was found to be: Known bad.
Malicious Activity Summary
Xworm
Contains code to disable Windows Defender
Stealerium
Detect Xworm Payload
Executes dropped EXE
Checks computer location settings
Obfuscated with Agile.Net obfuscator
Legitimate hosting services abused for malware hosting/C2
Enumerates physical storage devices
Unsigned PE
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Opens file in notepad (likely ransom note)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-01-25 01:43
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-25 01:43
Reported
2024-01-25 02:03
Platform
win7-20231215-en
Max time kernel
426s
Max time network
447s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xworm
Obfuscated with Agile.Net obfuscator
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ttd_scam_tool_api.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: 35 | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2072 wrote to memory of 1960 | N/A | C:\Users\Admin\AppData\Local\Temp\ttd_scam_tool_api.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2072 wrote to memory of 1960 | N/A | C:\Users\Admin\AppData\Local\Temp\ttd_scam_tool_api.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2072 wrote to memory of 1960 | N/A | C:\Users\Admin\AppData\Local\Temp\ttd_scam_tool_api.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2072 wrote to memory of 3064 | N/A | C:\Users\Admin\AppData\Local\Temp\ttd_scam_tool_api.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2072 wrote to memory of 3064 | N/A | C:\Users\Admin\AppData\Local\Temp\ttd_scam_tool_api.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2072 wrote to memory of 3064 | N/A | C:\Users\Admin\AppData\Local\Temp\ttd_scam_tool_api.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\ttd_scam_tool_api.exe
"C:\Users\Admin\AppData\Local\Temp\ttd_scam_tool_api.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ttd_scam_tool_api.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'ttd_scam_tool_api.exe'
C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap29248:86:7zEvent13485
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\blank.txt
C:\Users\Admin\Desktop\Umbral.builder.exe
"C:\Users\Admin\Desktop\Umbral.builder.exe"
Network
| Country | Destination | Domain | Proto |
| US | 147.185.221.16:40164 | | tcp |
| US | 147.185.221.16:40164 | | tcp |
| US | 147.185.221.16:40164 | | tcp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\U3KADOMZQCQZU4GJ3A7B.temp
| MD5 | 836305a37453aaec21ef04c593da2a0b |
| SHA1 | efeda13e302a6226cefabdb24a26ace7490f20bd |
| SHA256 | 481382a7c2c1771c2438ef2e4d62445bb87d33ebb1a57d6aeeeb23d8a44c9e89 |
| SHA512 | ac26807b8f8199461ff7b1fe855e7ddf53478c6f4cf5dac533fa6efa8f667d1d64d52e8707901c53d2d58c1f5f4667ca37fdf0d3f78dda2d29300bb69c8aa5f3 |
C:\Users\Admin\Desktop\Umbral.Stealer.zip
| MD5 | f355889db3ff6bae624f80f41a52e619 |
| SHA1 | 47f7916272a81d313e70808270c3c351207b890f |
| SHA256 | 8e95865efd39220dfc4abebc27141d9eae288a11981e43f09cbee6bf90347fe0 |
| SHA512 | bff7636f6cc0fadfd6f027e2ebda9e80fd5c64d551b2c666929b2d990509af73b082d739f14bb1497be292eafe703ebd5d7188493e2cc34b73d249fe901820eb |
C:\Users\Admin\Desktop\blank.txt
| MD5 | 4f10bf483c9fe7cb6834229399b10573 |
| SHA1 | 21665c74392b32fda4931d621c84530046f0d624 |
| SHA256 | e8f023aa53cd2f329d30b87a1a4b255b4fcec776d58b9399edffb28370f04105 |
| SHA512 | 60d2042b9131a22c355f683733cfba008a69cdf96ae89473e7452eb1a88cf5a44e96973b365ef2b5c7f75c2fe172498e620ea76010b0bfd20f0e675177d66048 |
C:\Users\Admin\Desktop\Bunifu.Licensing.dll
| MD5 | 42aa8513af781468cfec62f71a16d678 |
| SHA1 | a94efb7b524cc053a1662464580dc66f144805ad |
| SHA256 | 19e293b1ced37a7e42d03c892cc8e5c4cd580a7e00301c674451905a4e57991c |
| SHA512 | 0d143f51a8f8ea4793b8e6548e95f35ddb7665635559b6766c27ffc92997ba896b423f1c52c97d4f2ba6028b425583a4f45f0494d92d945b73e06b88330acc41 |
C:\Users\Admin\Desktop\Bunifu.UI.WinForms.BunifuCheckBox.dll
| MD5 | ef11f59a9381df17d7ab94434f79f260 |
| SHA1 | ec11e46a636fe3927fd5fa7c30be65b958853ef0 |
| SHA256 | 390252aeb6fd76a954a03853c3d883e0360dc8b3f2cf8cfed5ba94e4e5a24da4 |
| SHA512 | 612b1b0f9204c605ff5e9b91816e674cdaea71fa69f81a5a7f475bf1cc8d5e12687deb1b0118b07b3d7e4764adede0576f8fc799f8155a65a70e5dafff50f73d |
C:\Users\Admin\Desktop\Bunifu.UI.WinForms.BunifuShadowPanel.dll
| MD5 | ebaf1a6efa8c7a04d174be7e0df602a7 |
| SHA1 | ce08c80e52b6cf3f62ba82408d8f32ae6bcef0d8 |
| SHA256 | 1858b16074d7f9b73f462e3adcc77309800594fa96f2e0904c810eda4eaf5e86 |
| SHA512 | 4ffd5dcb59a4a03273c4e88047c7d398f098302b9485d07cf5549ca0d72467102aafa69298e248250df154a8b09f7560e634cca9cb1af2838baf3965aa645b31 |
C:\Users\Admin\Desktop\Bunifu.UI.WinForms.1.5.3.dll
| MD5 | 41c216d27c71a227774e680e95e99f31 |
| SHA1 | 0a2a93d4ecbf4bbec2faf110066c6b4472b0dbf5 |
| SHA256 | 012d717b4ac00c3686a772757f49c1908e223624e3974314cdb9fc9291073305 |
| SHA512 | e355ba11e41b668e4459f709e87c3e212c8986ea894791d9155791ea9d7315372fb51531eb69204ed2ee38e242de7629e4a2f090c05bf9deeea9ea965ffaf651 |
C:\Users\Admin\Desktop\Bunifu.UI.WinForms.BunifuColorTransition.dll
| MD5 | 539d803013c0b1592d0e17a740d72687 |
| SHA1 | b0ce15e0f096d027b1d1482afa9d93bafd160f7a |
| SHA256 | 500adece1fba76dfb2fa628de9886a2661ed1a4e58a7717a5fee607206bb1d81 |
| SHA512 | 77d8ab7a949db41a79371cf2ebd5d67bd4a38dd040de0073c878f50b2a6409fae2dc5db7cbf375fbc1bc571838b0a6d4848bdecc1420d91633b878585c94b9dd |
C:\Users\Admin\Desktop\Bunifu.UI.WinForms.BunifuLabel.dll
| MD5 | aab3c7e66fef3d991a5de0d33f3db9a4 |
| SHA1 | 5f70bd9b6a975f7f743511cf13d4f8a40cd11687 |
| SHA256 | a9704c8aa965a9a13eba9ec0933046bc3f9c276e2ded942225bdae7607ca7cf8 |
| SHA512 | e3e27de898ad816993130c6ad9fd116211c082836012d54bfb5be2800d1df9784e5f3a762dfe8d0568ebd00f52cf624d32a6aa23366666c2c1e09eb09b5b4ad4 |
C:\Users\Admin\Desktop\Bunifu.UI.WinForms.BunifuTextBox.dll
| MD5 | fd2042c49df3e74e096b8cee8cc9fe43 |
| SHA1 | 4ccdb0e13c24fb71f502d50e34f00c39bcacf307 |
| SHA256 | 4569393e1aad7498c6a7c8a84f79d0cd7a1d0656e912d0ddb607b61163673976 |
| SHA512 | c93ad9cb411c311b0feeefdf2089c0c13098c7d2bab56345f4e9a7fc515965a3893c613d494adbbb066801eeb3dc32237a8322f7a5f876284a06b447efdad641 |
C:\Users\Admin\Desktop\Bunifu.UI.WinForms.BunifuButton.dll
| MD5 | 21f999e5ac72a16077511d41590822de |
| SHA1 | d8bb1a8a291f73cdf2b5658b2b65736c87db19dd |
| SHA256 | 2a62c78f1f0db2e3258135b50f7885e6734c31c74a8f2f5782f285aa268c2f71 |
| SHA512 | e04fe31870f266d772829053a6bb210a9513ff5c8c0f9a3a267ddbe1875125496caa602baf44a4e241ef84d933bd55b79af43d5871ed10c81711adecee78b8e3 |
C:\Users\Admin\Desktop\Umbral.builder.exe
| MD5 | d91fb6867df7e4303d98b5e90faae73c |
| SHA1 | 496f53ad8cd9381f1c1b577a73e978081002c1db |
| SHA256 | bb19b002df31e1196b4e6530cf54c449e9cf1383d3adc5334a0442fa96b36344 |
| SHA512 | 5dbcfe9bf567c6f1e18027950726af1835ab8b363ba8b040fd379b4cfe94b0894bc969b3c04fa4f1964b441a7b894bd4d37f3aabe3ea31396687a6ca093cfdc9 |
C:\Users\Admin\Desktop\Umbral.builder.exe.config
| MD5 | dccd44fb11b8e4ebdfb822e809a54b6f |
| SHA1 | 1889d5ae8c7c70c051cbde104af6e0f31f8c1b63 |
| SHA256 | 6862b25736259f7bfd344e43eea10a703885be381eee2a745ceb12916b01a158 |
| SHA512 | dadffe41bdadfc3a79cb34369c9a8b37ce4833aee18058b02dcb13d64007f022b80b63ab404572c60278937cf83b06b00712ff9ee302e725b9d5c7fe14bd5f50 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-25 01:43
Reported
2024-01-25 02:28
Platform
win10v2004-20231215-en
Max time kernel
300s
Max time network
340s
Command Line
Signatures
Contains code to disable Windows Defender
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Stealerium
Xworm
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ttd_scam_tool_api.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Desktop\Builder.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ttd_scam_tool_api.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: 35 | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ttd_scam_tool_api.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1864 wrote to memory of 1616 | N/A | C:\Users\Admin\AppData\Local\Temp\ttd_scam_tool_api.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 1864 wrote to memory of 1616 | N/A | C:\Users\Admin\AppData\Local\Temp\ttd_scam_tool_api.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 1864 wrote to memory of 1368 | N/A | C:\Users\Admin\AppData\Local\Temp\ttd_scam_tool_api.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 1864 wrote to memory of 1368 | N/A | C:\Users\Admin\AppData\Local\Temp\ttd_scam_tool_api.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\ttd_scam_tool_api.exe
"C:\Users\Admin\AppData\Local\Temp\ttd_scam_tool_api.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ttd_scam_tool_api.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'ttd_scam_tool_api.exe'
C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap31003:78:7zEvent10203
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\New Text Document.txt
C:\Users\Admin\Desktop\Builder.exe
"C:\Users\Admin\Desktop\Builder.exe"
Network
| Country | Destination | Domain | Proto |
| US | 20.231.121.79:80 | | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 147.185.221.16:40164 | | tcp |
| US | 8.8.8.8:53 | 16.221.185.147.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 147.185.221.16:40164 | | tcp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 147.185.221.16:40164 | | tcp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.17.178.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.137.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 232.137.159.162.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dg2cmpt2.bnq.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | d85ba6ff808d9e5444a4b369f5bc2730 |
| SHA1 | 31aa9d96590fff6981b315e0b391b575e4c0804a |
| SHA256 | 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f |
| SHA512 | 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 59d97011e091004eaffb9816aa0b9abd |
| SHA1 | 1602a56b01dd4b7c577ca27d3117e4bcc1aa657b |
| SHA256 | 18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d |
| SHA512 | d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6 |
C:\Users\Admin\Desktop\Stealerium.zip
| MD5 | c956487c81dc16555e9232408efbe44d |
| SHA1 | 9272088c2dc913b3c6e779a091755b07e7fa3050 |
| SHA256 | 49d8c623abc37dff7af7d7ea15fa66b27504f166b5bf7a2d486c41ce7923a722 |
| SHA512 | 1d1f77372991544e502bf6076a2e5c9cea0d80e2afc00a0f4efe97ebf9b74bb18e1b52b3ec02dd3de441fe3114dd3aa15f21fc421ddf93204571acd7b56af64c |
C:\Users\Admin\Desktop\New Text Document.txt
| MD5 | 4f10bf483c9fe7cb6834229399b10573 |
| SHA1 | 21665c74392b32fda4931d621c84530046f0d624 |
| SHA256 | e8f023aa53cd2f329d30b87a1a4b255b4fcec776d58b9399edffb28370f04105 |
| SHA512 | 60d2042b9131a22c355f683733cfba008a69cdf96ae89473e7452eb1a88cf5a44e96973b365ef2b5c7f75c2fe172498e620ea76010b0bfd20f0e675177d66048 |
C:\Users\Admin\Desktop\Builder.exe
| MD5 | 6c898b9e5467f6d3442a579b7856bdaf |
| SHA1 | 9522f2f219deaf4bb52262c2a5d23393037ec35f |
| SHA256 | 8bf6beb962bf051de009059554aa265012342bd6ec841abd2aa94ba1335a333f |
| SHA512 | df35d776b2df079a9440ac1b0435e0fe9e4f1c17ee0790b1057ede8f146d90889c1fe727cd5112b27b2f4e96903c83f8ef7d61bc359aa762b708d17ad7676c41 |
C:\Users\Admin\Desktop\Builder.runtimeconfig.json
| MD5 | 24e4653829de1022d01cd7ddd26e2f22 |
| SHA1 | 9160a009cb381e044ba4c63e4435da6bfeb9dc6d |
| SHA256 | ded3aeb5856a11db0b654a785574490cab55839ebfb17efe9e39b89618fc5b91 |
| SHA512 | efd4bbba1baec0b47003831510e3aa539db9ef468e0f06ba9d7ba6d0b3800035f7c818d7d90171bfd377ec97d08c4617555bcff635dd83efceb412b1a9cca820 |
C:\Users\Admin\Desktop\Builder.deps.json
| MD5 | d41bff259e1ebb625fc788fa681377ad |
| SHA1 | b5c8b7725d6f885db30e9237682abfec72aa65be |
| SHA256 | d6a04809c3737f76818082a2caf9b80ac7f0e14bc73b2fabdea2df46d9e25a52 |
| SHA512 | 8aaed8b1b2e40c5a631753789fcf34dadf95a4aab29f852a98ecb3dc30dc5c1df11d69081fb17282c78e0310e65567ab7339bc58efba6fc7b6f729f31fc040e3 |
C:\Users\Admin\Desktop\Builder.dll
| MD5 | 41dd506cd0525197e69d9c8592aed2a7 |
| SHA1 | 5d04b134c8f1800fbcd664898d34dee8d10d8fa8 |
| SHA256 | dcd0162524ce4ae11f5c5e9b496e35ce6a096e5dea8e63b45fa835069737f87c |
| SHA512 | 16ba073d871eb9a244b8e733c101e9fec98699d881440e0dfa661e9f331fda0789f232e4abd70dcff3649a5428049590461da83ab7f0078e3ed9c7fc2fbfb28b |
C:\Users\Admin\Desktop\Spectre.Console.ImageSharp.dll
| MD5 | 099edbe28aaacada8a7a12a414a1d68b |
| SHA1 | 0cc1b8ed4448f4c7246dc859a6359fda20c2d927 |
| SHA256 | 52fef316879f90a3897ec33b8a6ca955bd720c8fe53b4479be01b70fcb7d26ee |
| SHA512 | 07995720bc9e5d3b253b5cbe3f2700978950a81819d5064c25fbb6fe860c1cd1b32379136a390ab85f4612d82d4b256ba2d8c46cccdf9de04aab16135c2d6fe5 |
C:\Users\Admin\Desktop\Spectre.Console.dll
| MD5 | 46684228e7c345a3368e8a475ec573b7 |
| SHA1 | aef278fbd7b3f6a65227c7b6b64eb6d88f6cc433 |
| SHA256 | b9617847d85b8efe32d07c4c28f1d16cadd4bfe45a09fd1e24eb82505f913257 |
| SHA512 | ce3ca4c8250bca3e97713d4047d0d874b3b6430014fbc3078b34a9f701a9eaa4b5e990ff99864c19b41eba1dfad74e0f6f1a464bef7b3d5ad825dfcb91b3da31 |
C:\Users\Admin\Desktop\SixLabors.ImageSharp.dll
| MD5 | 523dced95fcb0120698fc194b159a5cd |
| SHA1 | 9f6e4c7269caaf2e09b6961551102b1ec16e60a0 |
| SHA256 | 0d19e3bc90153b7d0360360422355daa569209180dd1e4337f2431148d1d7219 |
| SHA512 | 325c9c3a316852ea6156a07317a64e369048dc7cfea21e9ea87f8723cf37515f0dfc0a31ab3bf07155ea27938d426c9832c1fcba1ab6c96573cc44eacfa05255 |
C:\Users\Admin\Desktop\Mono.Cecil.dll
| MD5 | 6d8d43c5d7dbe36ec01ff8b951cf1e0a |
| SHA1 | d6b8214419870770e1ce398ca06a6a9f0e9e62a3 |
| SHA256 | 9c2908709da6761e9b5b9d4d46102d65851145bac987787d6c5a05ffe5689487 |
| SHA512 | 221955b05d83513fadcb79721c96fd467ea871cfa401b279dc8ade426c88df4cadc884dae7a9c418c1012af202263f31ce8b63ca919e1f725eb7c7e8008c3a57 |
C:\Users\Admin\Desktop\Stub\stub.exe
| MD5 | 6627adf7167ee571e8fd6c8b1a0e8ae3 |
| SHA1 | 03b9112660ee73c59d84e219f15bf24ae9df48db |
| SHA256 | 6c5935bcddaa1d4f809487f66db758e892cc0a7fd7704d138904bc879644ea1f |
| SHA512 | e05896a6e0d09d4dafeb2467395ca06ae1e728a4aa079041dea82940caeb71646984604fdeea482748423b10257b8462db4f573682f9f719939143fdb5691c60 |
C:\Users\Admin\Desktop\Stub\build.exe
| MD5 | be2f3202f1b8c74620ab1b5e83ff1ce4 |
| SHA1 | 9a0b4ac36b2fc6b21a99ee150b175a1fc4ac0ee6 |
| SHA256 | 0803e42cecd8aea57d7b6ab5ea3662bbfa2aa2d2a6dfe4c819a39174bf7952d9 |
| SHA512 | 526f6fc76037cb8a60010ab7bfb113eda3ab1044866908c5dc7547290c70eb974424078c30115703ad3752ee2ed2d844a8564d9be5484e7fa112a57fee8be853 |