Malware Analysis Report

2024-11-16 13:37

Sample ID 240529-spknnsac5y
Target Output.exe
SHA256 e64455f4b8e898c1ebaf666344c0608bb344ca101126f543484ce2fc93cdc181
Tags
xworm execution persistence pyinstaller rat spyware stealer trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e64455f4b8e898c1ebaf666344c0608bb344ca101126f543484ce2fc93cdc181

Threat Level: Known bad

The file Output.exe was found to be: Known bad.

Malicious Activity Summary

xworm execution persistence pyinstaller rat spyware stealer trojan upx

Detect Xworm Payload

Xworm

Command and Scripting Interpreter: PowerShell

Executes dropped EXE

Drops startup file

Reads user/profile data of web browsers

UPX packed file

Loads dropped DLL

Adds Run key to start application

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Enumerates physical storage devices

Unsigned PE

Detects Pyinstaller

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Detects videocard installed

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-29 15:18

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-29 15:18

Reported

2024-05-29 15:20

Platform

win10-20240404-en

Max time kernel

148s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Output.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A

Xworm

trojan rat xworm

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SoundPad.exe C:\Users\Admin\SoundPad.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Gorillatag client.lnk C:\Users\Admin\XClient.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Gorillatag client.lnk C:\Users\Admin\XClient.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\SoundPad.exe N/A
N/A N/A C:\Users\Admin\XClient.exe N/A
N/A N/A C:\Users\Admin\Gorillatag client.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\SoundPad.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Windows\CurrentVersion\Run\Gorillatag client = "C:\\Users\\Admin\\Gorillatag client.exe" C:\Users\Admin\XClient.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A discord.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A

Detects Pyinstaller

pyinstaller
Description Indicator Process Target
N/A N/A N/A N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Detects videocard installed

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\SoundPad.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\XClient.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\SoundPad.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\XClient.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4092 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\Output.exe C:\Users\Admin\SoundPad.exe
PID 4092 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\Output.exe C:\Users\Admin\XClient.exe
PID 2892 wrote to memory of 4988 N/A C:\Users\Admin\SoundPad.exe C:\Users\Admin\SoundPad.exe
PID 4988 wrote to memory of 3144 N/A C:\Users\Admin\SoundPad.exe C:\Windows\system32\cmd.exe
PID 4988 wrote to memory of 3660 N/A C:\Users\Admin\SoundPad.exe C:\Windows\system32\cmd.exe
PID 3144 wrote to memory of 356 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3660 wrote to memory of 4704 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3000 wrote to memory of 1896 N/A C:\Users\Admin\XClient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4988 wrote to memory of 4652 N/A C:\Users\Admin\SoundPad.exe C:\Windows\system32\cmd.exe
PID 4652 wrote to memory of 4388 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4652 wrote to memory of 4364 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3000 wrote to memory of 4232 N/A C:\Users\Admin\XClient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4652 wrote to memory of 4912 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3000 wrote to memory of 5004 N/A C:\Users\Admin\XClient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4652 wrote to memory of 700 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3000 wrote to memory of 2888 N/A C:\Users\Admin\XClient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3000 wrote to memory of 820 N/A C:\Users\Admin\XClient.exe C:\Windows\System32\schtasks.exe
PID 4988 wrote to memory of 4084 N/A C:\Users\Admin\SoundPad.exe C:\Windows\system32\cmd.exe
PID 4084 wrote to memory of 3336 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 4988 wrote to memory of 2432 N/A C:\Users\Admin\SoundPad.exe C:\Windows\System32\Wbem\wmic.exe
PID 4988 wrote to memory of 2116 N/A C:\Users\Admin\SoundPad.exe C:\Windows\system32\cmd.exe
PID 2116 wrote to memory of 992 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 4988 wrote to memory of 352 N/A C:\Users\Admin\SoundPad.exe C:\Windows\system32\cmd.exe
PID 352 wrote to memory of 2212 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 4988 wrote to memory of 2244 N/A C:\Users\Admin\SoundPad.exe C:\Windows\system32\cmd.exe
PID 2244 wrote to memory of 1684 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\wbem\WMIC.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\Output.exe

"C:\Users\Admin\AppData\Local\Temp\Output.exe"

C:\Users\Admin\SoundPad.exe

"C:\Users\Admin\SoundPad.exe"

C:\Users\Admin\XClient.exe

"C:\Users\Admin\XClient.exe"

C:\Users\Admin\SoundPad.exe

"C:\Users\Admin\SoundPad.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"

C:\Windows\system32\netsh.exe

netsh wlan show profiles

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\XClient.exe'

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell.exe Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath %USERPROFILE%\AppData" & powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath %USERPROFILE%\Local" & powershell.exe -command "Set-MpPreference -ExclusionExtension '.exe'" "

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath C:\Users\Admin\AppData"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath C:\Users\Admin\Local"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Gorillatag client.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -ExclusionExtension '.exe'"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Gorillatag client.exe'

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Gorillatag client" /tr "C:\Users\Admin\Gorillatag client.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic os get Caption"

C:\Windows\System32\Wbem\WMIC.exe

wmic os get Caption

C:\Windows\System32\Wbem\wmic.exe

wmic cpu get Name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"

C:\Windows\System32\Wbem\WMIC.exe

wmic computersystem get totalphysicalmemory

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\\Windows\\System32\\wbem\\WMIC.exe csproduct get uuid"

C:\Windows\System32\wbem\WMIC.exe

C:\\Windows\\System32\\wbem\\WMIC.exe csproduct get uuid

C:\Users\Admin\Gorillatag client.exe

"C:\Users\Admin\Gorillatag client.exe"

C:\Users\Admin\Gorillatag client.exe

"C:\Users\Admin\Gorillatag client.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 discord.com udp
US 162.159.135.232:443 discord.com tcp
US 8.8.8.8:53 232.135.159.162.in-addr.arpa udp
US 8.8.8.8:53 api.ipify.org udp
US 104.26.12.205:443 api.ipify.org tcp
US 8.8.8.8:53 205.12.26.104.in-addr.arpa udp
US 8.8.8.8:53 19.ip.gl.ply.gg udp
US 147.185.221.19:38173 19.ip.gl.ply.gg tcp
US 8.8.8.8:53 19.221.185.147.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 92.16.208.104.in-addr.arpa udp

Files

memory/4092-0-0x00007FFA56F63000-0x00007FFA56F64000-memory.dmp

memory/4092-1-0x00000000002C0000-0x00000000012C2000-memory.dmp

C:\Users\Admin\SoundPad.exe

MD5 3b184b0bf9cae37d5a3f0025c43791f9
SHA1 4d384b79ec9bbef8cbc3ad85ee49914dca03888c
SHA256 b13f82bc8c09dd45d7cc4026ff2b9bb16ec302eef90bdb22e66bd8c9287b695f
SHA512 5d5e7030f49dff50933c1438f38c7dbdfd1e95b0e8155b4f16b2f6a205c6feff440c92588f0440ed543577dc2f25eabacd39730937a83615e01b5e798a19d51c

C:\Users\Admin\XClient.exe

MD5 b8a5902712f0159c808d05982f3f099f
SHA1 b5bc99d9f751a6d8618453761f6f1db7eb4ead59
SHA256 0325350841de44656ec17462500221ce09a1fd617cb56d1770a1ca6490b03713
SHA512 2b832adeadd64f094e7b83a29309636d4f2e8e2f8bdc9c798591d0f03874e7b02a0d26e940f8ceb709517be4d9ae771f12a7bab89b9c86f14d0229a7128a3d4d

memory/3000-59-0x0000000000230000-0x0000000000246000-memory.dmp

memory/3000-98-0x00007FFA56F60000-0x00007FFA5794C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI28922\python312.dll

MD5 2889fb28cd8f2f32997be99eb81fd7eb
SHA1 adfeb3a08d20e22dde67b60869c93291ca688093
SHA256 435430e3abfde589d8535bc24a4b1d4147a4971dbe59e9377603974c07a1b637
SHA512 aaa33b8178a8831008ea6ad39b05189d55aa228a20a2315e45df6e2ff590c94478cfc76c9adb762689edb021ecdf98df3e7074d8d65c1c477273056b7509f8ee

\Users\Admin\AppData\Local\Temp\_MEI28922\VCRUNTIME140.dll

MD5 be8dbe2dc77ebe7f88f910c61aec691a
SHA1 a19f08bb2b1c1de5bb61daf9f2304531321e0e40
SHA256 4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83
SHA512 0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

memory/4988-113-0x00007FFA53C60000-0x00007FFA54339000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI28922\base_library.zip

MD5 630153ac2b37b16b8c5b0dbb69a3b9d6
SHA1 f901cd701fe081489b45d18157b4a15c83943d9d
SHA256 ec4e6b8e9f6f1f4b525af72d3a6827807c7a81978cb03db5767028ebea283be2
SHA512 7e3a434c8df80d32e66036d831cbd6661641c0898bd0838a07038b460261bf25b72a626def06d0faa692caf64412ca699b1fa7a848fe9d969756e097cba39e41

C:\Users\Admin\AppData\Local\Temp\_MEI28922\_ctypes.pyd

MD5 76288ffffdce92111c79636f71b9bc9d
SHA1 15c10dcd31dab89522bf5b790e912dc7e6b3183b
SHA256 192cc2ac818c78cd21e9f969a95c0ff777d4cd5f79ae51ab7c366d2b8540f6a1
SHA512 29efc143cd72bf886e9bf54463706484f22222f024bd7e8cb206c32f40b76d823efd36061b05bbd6bcf562f83d95449acb3f1440c95e63750c643c15a10816c9

C:\Users\Admin\AppData\Local\Temp\_MEI28922\python3.DLL

MD5 6271a2fe61978ca93e60588b6b63deb2
SHA1 be26455750789083865fe91e2b7a1ba1b457efb8
SHA256 a59487ea2c8723277f4579067248836b216a801c2152efb19afee4ac9785d6fb
SHA512 8c32bcb500a94ff47f5ef476ae65d3b677938ebee26e80350f28604aaee20b044a5d55442e94a11ccd9962f34d22610b932ac9d328197cf4d2ffbc7df640efba

C:\Users\Admin\AppData\Local\Temp\_MEI28922\libffi-8.dll

MD5 bb1feaa818eba7757ada3d06f5c57557
SHA1 f2de5f06dc6884166de165d34ef2b029bb0acf8b
SHA256 a7ac89b42d203ad40bad636ad610cf9f6da02128e5a20b8b4420530a35a4fb29
SHA512 95dd1f0c482b0b0190e561bc08fe58db39fd8bb879a2dec0cabd40d78773161eb76441a9b1230399e3add602685d0617c092fff8bf0ab6903b537a9382782a97

memory/4988-121-0x00007FFA69D10000-0x00007FFA69D35000-memory.dmp

memory/4988-123-0x00007FFA6C030000-0x00007FFA6C03F000-memory.dmp

\Users\Admin\AppData\Local\Temp\_MEI28922\_bz2.pyd

MD5 f991618bfd497e87441d2628c39ea413
SHA1 98819134d64f44f83a18985c2ec1e9ee8b949290
SHA256 333c06fad79094d43465d128d68078296c925d1ea2b6b5bf13072a8d5cb65e7e
SHA512 3a9ecb293abedcdba3493feb7d19f987735ced5a5194abaa1d1e00946e7ea0f878dd71868eb3d9bfec80432df862367661b825c9e71409c60ec73d1708a63ef6

\Users\Admin\AppData\Local\Temp\_MEI28922\_lzma.pyd

MD5 f07f0cfe4bc118aebcde63740635a565
SHA1 44ee88102830434bb9245934d6d4456c77c7b649
SHA256 cc5302895aa164d5667d0df3ebeeee804384889b01d38182b3f7179f3c4ff8c0
SHA512 fcd701903ccd454a661c27835b53f738d947f38e9d67620f52f12781a293e42ae6b96c260600396883d95dd5f536dba2874aaee083adbcc78d66873cefc8e99d

C:\Users\Admin\AppData\Local\Temp\_MEI28922\_uuid.pyd

MD5 7a00ff38d376abaaa1394a4080a6305b
SHA1 d43a9e3aa3114e7fc85c851c9791e839b3a0ee13
SHA256 720e9b68c41c8d9157865e4dd243fb1731f627f3af29c43250804a5995a82016
SHA512 ce39452df539eeeff390f260c062a0c902557fda25a7be9a58274675b82b30bddb7737b242e525f7d501db286f4873b901d94e1cd09aa8864f052594f4b34789

C:\Users\Admin\AppData\Local\Temp\_MEI28922\_ssl.pyd

MD5 8696f07039706f2e444f83bb05a65659
SHA1 6c6fff6770a757e7c4b22e6e22982317727bf65b
SHA256 5405af77bc6ad0c598490b666c599c625195f7bf2a63db83632e3a416c73e371
SHA512 93e9f8fc1ae8a458eb4d9e7d7294b5c2230cb753386842e72d07cb7f43f248d204d13d93aedae95ec1a7aa6a81a7c09fdba56a0bc31924a1722c423473d97758

C:\Users\Admin\AppData\Local\Temp\_MEI28922\_wmi.pyd

MD5 f3767430bbc7664d719e864759b806e4
SHA1 f27d26e99141f15776177756de303e83422f7d07
SHA256 787caad25cb4e2df023ead5e5a3fcd160b1c59a2e4ae1fc7b25c5087964defe8
SHA512 b587dfff4ba86142663de6ef8710ac7ab8831ca5fc989820b6a197bcd31ac5fdcb0b5982bf9a1fc13b331d0e53dc1b7367b54bb47910f3d1e18f8193449acb9c

\Users\Admin\AppData\Local\Temp\_MEI28922\_socket.pyd

MD5 7e92d1817e81cbafdbe29f8bec91a271
SHA1 08868b9895196f194b2e054c04edccf1a4b69524
SHA256 19573ccc379190277674a013f35bf055f6dbb57adfce79152152a0de3ff8c87c
SHA512 0ed41a3ce83b8f4a492555a41881d292ece61d544f0a4df282f3cc37822255a7a32647724568c9a3b04d13fd3cc93eb080e54ac2ce7705b6b470454366be1cbe

\Users\Admin\AppData\Local\Temp\_MEI28922\select.pyd

\Users\Admin\AppData\Local\Temp\_MEI28922\_queue.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI28922\_sqlite3.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI28922\_overlapped.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI28922\_multiprocessing.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI28922\_hashlib.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI28922\_decimal.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI28922\_cffi_backend.cp312-win_amd64.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI28922\_asyncio.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI28922\VCRUNTIME140_1.dll

C:\Users\Admin\AppData\Local\Temp\_MEI28922\unicodedata.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI28922\sqlite3.dll

C:\Users\Admin\AppData\Local\Temp\_MEI28922\pyexpat.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI28922\libssl-3.dll

C:\Users\Admin\AppData\Local\Temp\_MEI28922\libcrypto-3.dll

\Users\Admin\AppData\Local\Temp\_MEI28922\psutil\_psutil_windows.pyd

\Users\Admin\AppData\Local\Temp\_MEI28922\charset_normalizer\md__mypyc.cp312-win_amd64.pyd

\Users\Admin\AppData\Local\Temp\_MEI28922\charset_normalizer\md.cp312-win_amd64.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI28922\Cryptodome\Cipher\_raw_ecb.pyd

\Users\Admin\AppData\Local\Temp\_MEI28922\Cryptodome\Cipher\_raw_cbc.pyd

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mmmjep3w.5mk.ps1
